Backport #25857 ([hsmtool] Support SPHINCS+ in CloudKMS) #28861
+2,856
−194
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
I typo'ed the formal sphincs+ algorithm names as `SLA-DSA-...` when they should have been `SLH-DSA-...`. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 2df0158)
Rename the `spxef` module to `extra::spxef` as we'll be adding more custom backends into the `extra` module. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 9603e67)
pamaury
requested review from
a team,
AlexJones0,
cfrantz,
jwnrt and
timothytrippel
and removed request for
a team
pamaury
force-pushed
the
backport_25857
branch
from
f7a23b7 to
21eb3b1
Compare
cfrantz
approved these changes
Dec 3, 2025
jwnrt
approved these changes
Dec 4, 2025
Contributor
jwnrt
left a comment
jwnrt
left a comment
There was a problem hiding this comment.
LGTM. I didn't check against the API but the code looks okay and matches the backport so fine with me.
Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 454909f)
Some HSMs perform the domain preparation as part of their API, and thus we should not perform domain preparation on the data sent to the HSM. 1. Remove domain prepration from the `SignData` preparation function. 2. Add domain preparation to the acorn backend. 3. Pass the domain parameter to the sphincsplus reference implementation sign/verify functions. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit e7ef7f5)
pamaury
force-pushed
the
backport_25857
branch
from
21eb3b1 to
896f47f
Compare
1. Use the CloudKMS REST/json API to perform SPHINCS+ signing. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 2ce2a91)
pamaury
force-pushed
the
backport_25857
branch
from
896f47f to
b88af74
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #25857