[gnutls-devel] GnuTLS | x509: support encoding of ML-DSA private keys in CHOICE format (!1973)

Fri Jul 4 11:02:51 CEST 2025

Merge request https://gitlab.com/gnutls/gnutls/-/merge_requests/1973 was reviewed by Alexander Sosedkin

--

Alexander Sosedkin started a new discussion on lib/x509/privkey_pkcs8.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1973#note_2603089825

 > +
 > +	if (flags & GNUTLS_PKCS_MLDSA_SEED)
 > +		format |= 1 << 0;

maybe use enum values instead of magic constants?

--

Alexander Sosedkin started a new discussion on lib/x509/privkey_pkcs8.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1973#note_2603089835

 > +	ML_DSA_PRIVKEY_FORMAT_SEED,
 > +	ML_DSA_PRIVKEY_FORMAT_EXPANDED,
 > +	ML_DSA_PRIVKEY_FORMAT_BOTH

I'd find verifying `ML_DSA_PRIVKEY_FORMAT_BOTH == ML_DSA_PRIVKEY_FORMAT_EXPANDED | ML_DSA_PRIVKEY_FORMAT_SEED` easier if the numbers were spelled out.

--

Alexander Sosedkin started a new discussion on src/certtool-options.json: https://gitlab.com/gnutls/gnutls/-/merge_requests/1973#note_2603089842

 > +          "long-option": "key-format",
 > +          "description": "Specify the key format to use on key generation",
 > +          "detail": "This option can be combined with --generate-privkey, to specify\nthe key format to be generated, when the key type is ML-DSA. Valid options are, 'seed', 'expanded', and 'both'.",

Should it error out when the key type is not ML-DSA? Just to reduce confusion and to not support ignoring it when it's not.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1973
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250704/0756c8f0/attachment.html>