Add ML-DSA-87 support

docs/hazmat/primitives/asymmetric/mldsa.rst

@@ -413,5 +413,191 @@ Key interfaces
             signature cannot be verified.
         :raises ValueError: If the context is longer than 255 bytes.
 
+.. class:: MLDSA87PrivateKey
+
+    .. versionadded:: 47.0
+
+    .. classmethod:: generate()
+
+        Generate an ML-DSA-87 private key.
+
+        :returns: :class:`MLDSA87PrivateKey`
+
+        :raises cryptography.exceptions.UnsupportedAlgorithm: If ML-DSA-87 is
+            not supported by the backend ``cryptography`` is using.
+
+    .. classmethod:: from_seed_bytes(data)
+
+        Load an ML-DSA-87 private key from seed bytes.
+
+        :param data: 32 byte seed.
+        :type data: :term:`bytes-like`
+
+        :returns: :class:`MLDSA87PrivateKey`
+
+        :raises ValueError: If the seed is not 32 bytes.
+
+        :raises cryptography.exceptions.UnsupportedAlgorithm: If ML-DSA-87 is
+            not supported by the backend ``cryptography`` is using.
+
+        .. doctest::
+            :skipif: not _backend.mldsa_supported()
+
+            >>> from cryptography.hazmat.primitives.asymmetric import mldsa
+            >>> private_key = mldsa.MLDSA87PrivateKey.generate()
+            >>> seed = private_key.private_bytes_raw()
+            >>> same_key = mldsa.MLDSA87PrivateKey.from_seed_bytes(seed)
+
+    .. method:: public_key()
+
+        :returns: :class:`MLDSA87PublicKey`
+
+    .. method:: sign(data, context=None)
+
+        Sign the data using ML-DSA-87. An optional context string can be
+        provided.
+
+        :param data: The data to sign.
+        :type data: :term:`bytes-like`
+
+        :param context: An optional context string (up to 255 bytes).
+        :type context: :term:`bytes-like` or ``None``
+
+        :returns bytes: The signature (4627 bytes).
+
+        :raises ValueError: If the context is longer than 255 bytes.
+
+    .. method:: private_bytes(encoding, format, encryption_algorithm)
+
+        Allows serialization of the key to bytes. Encoding (
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM`,
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`, or
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`) and
+        format (
+        :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8`
+        or
+        :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.Raw`
+        ) are chosen to define the exact serialization.
+
+        This method only returns the serialization of the seed form of the
+        private key, never the expanded one.
+
+        :param encoding: A value from the
+            :class:`~cryptography.hazmat.primitives.serialization.Encoding` enum.
+
+        :param format: A value from the
+            :class:`~cryptography.hazmat.primitives.serialization.PrivateFormat`
+            enum. If the ``encoding`` is
+            :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`
+            then ``format`` must be
+            :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.Raw`
+            , otherwise it must be
+            :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.PKCS8`.
+
+        :param encryption_algorithm: An instance of an object conforming to the
+            :class:`~cryptography.hazmat.primitives.serialization.KeySerializationEncryption`
+            interface.
+
+        :return bytes: Serialized key.
+
+    .. method:: private_bytes_raw()
+
+        Allows serialization of the key to raw bytes. This method is a
+        convenience shortcut for calling :meth:`private_bytes` with
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`
+        encoding,
+        :attr:`~cryptography.hazmat.primitives.serialization.PrivateFormat.Raw`
+        format, and
+        :class:`~cryptography.hazmat.primitives.serialization.NoEncryption`.
+
+        This method only returns the seed form of the private key (32 bytes).
+
+        :return bytes: Raw key (32-byte seed).
+
+.. class:: MLDSA87PublicKey
+
+    .. versionadded:: 47.0
+
+    .. classmethod:: from_public_bytes(data)
+
+        :param bytes data: 2592 byte public key.
+
+        :returns: :class:`MLDSA87PublicKey`
+
+        :raises ValueError: If the public key is not 2592 bytes.
+
+        :raises cryptography.exceptions.UnsupportedAlgorithm: If ML-DSA-87 is
+            not supported by the backend ``cryptography`` is using.
+
+        .. doctest::
+            :skipif: not _backend.mldsa_supported()
+
+            >>> from cryptography.hazmat.primitives import serialization
+            >>> from cryptography.hazmat.primitives.asymmetric import mldsa
+            >>> private_key = mldsa.MLDSA87PrivateKey.generate()
+            >>> public_key = private_key.public_key()
+            >>> public_bytes = public_key.public_bytes(
+            ...     encoding=serialization.Encoding.Raw,
+            ...     format=serialization.PublicFormat.Raw
+            ... )
+            >>> loaded_public_key = mldsa.MLDSA87PublicKey.from_public_bytes(public_bytes)
+
+    .. method:: public_bytes(encoding, format)
+
+        Allows serialization of the key to bytes. Encoding (
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.PEM`,
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`, or
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`) and
+        format (
+        :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.SubjectPublicKeyInfo`
+        or
+        :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.Raw`
+        ) are chosen to define the exact serialization.
+
+        :param encoding: A value from the
+            :class:`~cryptography.hazmat.primitives.serialization.Encoding` enum.
+
+        :param format: A value from the
+            :class:`~cryptography.hazmat.primitives.serialization.PublicFormat`
+            enum. If the ``encoding`` is
+            :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`
+            then ``format`` must be
+            :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.Raw`
+            , otherwise it must be
+            :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.SubjectPublicKeyInfo`.
+
+        :returns bytes: The public key bytes.
+
+    .. method:: public_bytes_raw()
+
+        Allows serialization of the key to raw bytes. This method is a
+        convenience shortcut for calling :meth:`public_bytes` with
+        :attr:`~cryptography.hazmat.primitives.serialization.Encoding.Raw`
+        encoding and
+        :attr:`~cryptography.hazmat.primitives.serialization.PublicFormat.Raw`
+        format.
+
+        :return bytes: 2592-byte raw public key.
+
+    .. method:: verify(signature, data, context=None)
+
+        Verify a signature using ML-DSA-87. If a context string was used during
+        signing, the same context must be provided for verification to succeed.
+
+        :param signature: The signature to verify.
+        :type signature: :term:`bytes-like`
+
+        :param data: The data to verify.
+        :type data: :term:`bytes-like`
+
+        :param context: An optional context string (up to 255 bytes) that was
+            used during signing.
+        :type context: :term:`bytes-like` or ``None``
+
+        :returns: None
+        :raises cryptography.exceptions.InvalidSignature: Raised when the
+            signature cannot be verified.
+        :raises ValueError: If the context is longer than 255 bytes.
+
 
 .. _`FIPS 204`: https://csrc.nist.gov/pubs/fips/204/final

src/cryptography/hazmat/bindings/_rust/openssl/mldsa.pyi

@@ -9,10 +9,15 @@ class MLDSA44PrivateKey: ...
 class MLDSA44PublicKey: ...
 class MLDSA65PrivateKey: ...
 class MLDSA65PublicKey: ...
+class MLDSA87PrivateKey: ...
+class MLDSA87PublicKey: ...
 
 def generate_mldsa44_key() -> mldsa.MLDSA44PrivateKey: ...
 def from_mldsa44_public_bytes(data: bytes) -> mldsa.MLDSA44PublicKey: ...
 def from_mldsa44_seed_bytes(data: Buffer) -> mldsa.MLDSA44PrivateKey: ...
 def generate_mldsa65_key() -> mldsa.MLDSA65PrivateKey: ...
 def from_mldsa65_public_bytes(data: bytes) -> mldsa.MLDSA65PublicKey: ...
 def from_mldsa65_seed_bytes(data: Buffer) -> mldsa.MLDSA65PrivateKey: ...
+def generate_mldsa87_key() -> mldsa.MLDSA87PrivateKey: ...
+def from_mldsa87_public_bytes(data: bytes) -> mldsa.MLDSA87PublicKey: ...
+def from_mldsa87_seed_bytes(data: Buffer) -> mldsa.MLDSA87PrivateKey: ...

src/cryptography/hazmat/primitives/asymmetric/mldsa.py

@@ -296,3 +296,146 @@ def __deepcopy__(self, memo: dict) -> MLDSA65PrivateKey:
 
 if hasattr(rust_openssl, "mldsa"):
     MLDSA65PrivateKey.register(rust_openssl.mldsa.MLDSA65PrivateKey)
+
+
+class MLDSA87PublicKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def from_public_bytes(cls, data: bytes) -> MLDSA87PublicKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-87 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.from_mldsa87_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PublicFormat,
+    ) -> bytes:
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def public_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the public key.
+        Equivalent to public_bytes(Raw, Raw).
+
+        The public key is 2,592 bytes for MLDSA-87.
+        """
+
+    @abc.abstractmethod
+    def verify(
+        self,
+        signature: Buffer,
+        data: Buffer,
+        context: Buffer | None = None,
+    ) -> None:
+        """
+        Verify the signature.
+        """
+
+    @abc.abstractmethod
+    def __eq__(self, other: object) -> bool:
+        """
+        Checks equality.
+        """
+
+    @abc.abstractmethod
+    def __copy__(self) -> MLDSA87PublicKey:
+        """
+        Returns a copy.
+        """
+
+    @abc.abstractmethod
+    def __deepcopy__(self, memo: dict) -> MLDSA87PublicKey:
+        """
+        Returns a deep copy.
+        """
+
+
+if hasattr(rust_openssl, "mldsa"):
+    MLDSA87PublicKey.register(rust_openssl.mldsa.MLDSA87PublicKey)
+
+
+class MLDSA87PrivateKey(metaclass=abc.ABCMeta):
+    @classmethod
+    def generate(cls) -> MLDSA87PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-87 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.generate_mldsa87_key()
+
+    @classmethod
+    def from_seed_bytes(cls, data: Buffer) -> MLDSA87PrivateKey:
+        from cryptography.hazmat.backends.openssl.backend import backend
+
+        if not backend.mldsa_supported():
+            raise UnsupportedAlgorithm(
+                "ML-DSA-87 is not supported by this backend.",
+                _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM,
+            )
+
+        return rust_openssl.mldsa.from_mldsa87_seed_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self) -> MLDSA87PublicKey:
+        """
+        The MLDSA87PublicKey derived from the private key.
+        """
+
+    @abc.abstractmethod
+    def private_bytes(
+        self,
+        encoding: _serialization.Encoding,
+        format: _serialization.PrivateFormat,
+        encryption_algorithm: _serialization.KeySerializationEncryption,
+    ) -> bytes:
+        """
+        The serialized bytes of the private key.
+
+        This method only returns the serialization of the seed form of the
+        private key, never the expanded one.
+        """
+
+    @abc.abstractmethod
+    def private_bytes_raw(self) -> bytes:
+        """
+        The raw bytes of the private key.
+        Equivalent to private_bytes(Raw, Raw, NoEncryption()).
+
+        This method only returns the seed form of the private key (32 bytes).
+        """
+
+    @abc.abstractmethod
+    def sign(self, data: Buffer, context: Buffer | None = None) -> bytes:
+        """
+        Signs the data.
+        """
+
+    @abc.abstractmethod
+    def __copy__(self) -> MLDSA87PrivateKey:
+        """
+        Returns a copy.
+        """
+
+    @abc.abstractmethod
+    def __deepcopy__(self, memo: dict) -> MLDSA87PrivateKey:
+        """
+        Returns a deep copy.
+        """
+
+
+if hasattr(rust_openssl, "mldsa"):
+    MLDSA87PrivateKey.register(rust_openssl.mldsa.MLDSA87PrivateKey)

src/rust/cryptography-key-parsing/src/pkcs8.rs

@@ -154,6 +154,17 @@ pub fn parse_private_key(data: &[u8]) -> KeyParsingResult<ParsedPrivateKey> {
             ))
         }
 
+        #[cfg(CRYPTOGRAPHY_IS_AWSLC)]
+        AlgorithmParameters::MlDsa87 => {
+            let MlDsaPrivateKey::Seed(seed) = asn1::parse_single::<MlDsaPrivateKey>(k.private_key)?;
+            Ok(ParsedPrivateKey::Pkey(
+                cryptography_openssl::mldsa::new_raw_private_key(
+                    cryptography_openssl::mldsa::MlDsaVariant::MlDsa87,
+                    &seed,
+                )?,
+            ))
+        }
+
         _ => Err(KeyParsingError::UnsupportedKeyType(
             k.algorithm.oid().clone(),
         )),
@@ -495,6 +506,7 @@ pub fn serialize_private_key(key: &ParsedPrivateKey) -> crate::KeySerializationR
             let params = match cryptography_openssl::mldsa::MlDsaVariant::from_pkey(pkey) {
                 cryptography_openssl::mldsa::MlDsaVariant::MlDsa44 => AlgorithmParameters::MlDsa44,
                 cryptography_openssl::mldsa::MlDsaVariant::MlDsa65 => AlgorithmParameters::MlDsa65,
+                cryptography_openssl::mldsa::MlDsaVariant::MlDsa87 => AlgorithmParameters::MlDsa87,
             };
             (params, private_key_der)
         }