Skip to content

Backport #25857 ([hsmtool] Support SPHINCS+ in CloudKMS) #28861

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pamaury merged 5 commits into from
Dec 8, 2025
Merged

Backport #25857 ([hsmtool] Support SPHINCS+ in CloudKMS) #28861

pamaury merged 5 commits into from
Dec 8, 2025
+2,856 −194

Conversation

@pamaury
Copy link
Contributor

@pamaury pamaury commented Dec 3, 2025

Backport #25857

@pamaury pamaury requested a review from a team as a code owner December 3, 2025 14:45
@pamaury pamaury requested review from a team, AlexJones0, cfrantz, jwnrt and timothytrippel and removed request for a team December 3, 2025 14:45
jwnrt
jwnrt approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@jwnrt jwnrt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I didn't check against the API but the code looks okay and matches the backport so fine with me.

@pamaury pamaury force-pushed the backport_25857 branch 2 times, most recently from 896f47f to b88af74 Compare December 4, 2025 16:34
@cfrantz @pamaury
[hsmtool] Fix sphincs+ naming error
fe4c0e9 
I typo'ed the formal sphincs+ algorithm names as `SLA-DSA-...` when they
should have been `SLH-DSA-...`.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 2df0158)
@cfrantz @pamaury
[hsmtool] Rename the spxef module
49587ba 
Rename the `spxef` module to `extra::spxef` as we'll be adding more
custom backends into the `extra` module.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 9603e67)
@cfrantz @pamaury
[rust] Add support for the reqwest crate
7c7f085 
Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 454909f)
@cfrantz @pamaury
[hsmtool] Move domain prepration to the SPX backend
025f22a 
Some HSMs perform the domain preparation as part of their API, and thus
we should not perform domain preparation on the data sent to the HSM.

1. Remove domain prepration from the `SignData` preparation function.
2. Add domain preparation to the acorn backend.
3. Pass the domain parameter to the sphincsplus reference implementation
   sign/verify functions.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit e7ef7f5)
@cfrantz @pamaury
[hsmtool] Support SPHINCS+ in CloudKMS
b52a814 
1. Use the CloudKMS REST/json API to perform SPHINCS+ signing.

Signed-off-by: Chris Frantz <[email protected]>
(cherry picked from commit 2ce2a91)
@pamaury
Copy link
Contributor Author

pamaury commented Dec 5, 2025

The CI failure on verify FPGA jobs does not make sense, and I couldn't reproduce the problem locally. I have rebased to see if the issue goes away.

@pamaury pamaury added this pull request to the merge queue Dec 8, 2025
Merged via the queue into lowRISC:master with commit 564410e Dec 8, 2025
47 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cfrantz cfrantz cfrantz approved these changes

@jwnrt jwnrt jwnrt approved these changes

@timothytrippel timothytrippel Awaiting requested review from timothytrippel

@AlexJones0 AlexJones0 Awaiting requested review from AlexJones0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pamaury @cfrantz @jwnrt