Enforce using SHA3 for ML-DSA signatures

https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-06.html#name-signature-data-digest
ProtonMail · Nov 6, 2024 · ba3a26a · ba3a26a
1 parent 8c54e04
commit ba3a26a
Show file tree

Hide file tree

Showing 4 changed files with 726 additions and 774 deletions.
diff --git a/src/crypto/public_key/post_quantum/signature/index.js b/src/crypto/public_key/post_quantum/signature/index.js
@@ -1,2 +1,2 @@
-export { generate, sign, verify, validateParams } from './signature';
+export { generate, sign, verify, validateParams, getRequiredHashAlgo } from './signature';
 export { expandSecretSeed as mldsaExpandSecretSeed } from './ml_dsa';
diff --git a/src/crypto/public_key/post_quantum/signature/signature.js b/src/crypto/public_key/post_quantum/signature/signature.js
@@ -15,6 +15,12 @@ export async function generate(algo) {
 }
 
 export async function sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const { eccSignature } = await eccdsa.sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
@@ -28,6 +34,12 @@ export async function sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey,
 }
 
 export async function verify(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
   switch (signatureAlgo) {
     case enums.publicKey.pqc_mldsa_ed25519: {
       const eccVerifiedPromise = eccdsa.verify(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
@@ -40,6 +52,16 @@ export async function verify(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicK
   }
 }
 
+export function getRequiredHashAlgo(signatureAlgo) {
+  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return enums.hash.sha3_256;
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
 export async function validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed) {
   const eccValidationPromise = eccdsa.validateParams(algo, eccPublicKey, eccSecretKey);
   const mldsaValidationPromise = mldsa.validateParams(algo, mldsaPublicKey, mldsaSeed);

diff --git a/src/key/helper.js b/src/key/helper.js
@@ -117,6 +117,12 @@ export async function createBindingSignature(subkey, primaryKey, options, config
  * @async
  */
 export async function getPreferredHashAlgo(key, keyPacket, date = new Date(), userID = {}, config) {
+  if (keyPacket.algorithm === enums.publicKey.pqc_mldsa_ed25519) {
+    // For PQC, the returned hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    return crypto.publicKey.postQuantum.signature.getRequiredHashAlgo(keyPacket.algorithm);
+  }
+
   let hashAlgo = config.preferredHashAlgorithm;
   let prefAlgo = hashAlgo;
   if (key) {