On 12/29/2024 5:29 AM, Blumenthal, Uri - 0553 - MITLL wrote:
could you help me, using the two key-pairs above, create (a) a self-signed certificate for the ML-DSA-87 pubkey with ML-DSA-87 as signature algorithm, and SHA384 as hash, and (b) a certificate for the above ML-KEM-1024 public key signed by the above ML-DSA-87 key?
Some quick thoughts:
To my knowledge, there is no OID for ML-DSA with SHA384 pre-hashing. NIST defines OIDs only for ML-DSA with SHA512 pre-hashing. So, your requirement for SHA384 pre-hash is not possible to implement, at least not in an interoperable standard way.
Thanks for bringing this up. My fault – I should’ve said “SHA384 or SHA512”, because either one is fine for my use case.
ML-KEM is not designed for signing, it is used for key encapsulation and decapsulation. So, it is not possible to use traditional CSR approaches like in RSA/ECDSA.
Yes, I’m aware of this – it was one of the reasons for my asking for help/guidance here.
Instead, alternative methods for proof of possession such as CRMF/CMP protocols must be used. This is for example how EJBCA implements ML-KEM certificates issuance in its latest version 9.1.0 (cf https://docs.keyfactor.com/ejbca/latest/ejbca-9-1-release-notes).
EJBCA used to be an open-source product – it looks like now it’s commercial? I tried to do a quick-and-dirty experiment with it, and couldn’t make heads or tails. If that’s the only working option, I might want to download Keyfactor EJBCA container, as building it from the source turned out much less fun than it used to be several years ago.
OpenSSL does provide a cmp command for the CMP protocol, but I don't know its level of compatibility with the latest RFC4210 (https://www.ietf.org/archive/id/draft-ietf-lamps-rfc4210bis-12.html#name-key-encapsulation-mechanism). Of course, you will still need a CA to request a certificate from, but I don't know any apart from EJBCA. That being said, it should be possible to implement a demo CA programmatically to issue ML-KEM certificates without the complexity of proof of possession, and I'm sure someone has already done this, although I cannot find it online.
I see – so, in your opinion my best way would be to use OpenSSL CMP CLI and/or protocol?
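
The demo-CA route mentioned above (the CA places the ML-KEM public key into the certificate directly, with no CSR and no proof of possession), as an added example that is not part of the original thread. It assumes OpenSSL 3.5 or later with native ML-DSA and ML-KEM support, generates throwaway keys instead of the poster's key pairs, leaves the ML-DSA signing mode at OpenSSL's default (no pre-hash variant is selected), and uses made-up subject and file names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 3.5+ (native ML-DSA
# and ML-KEM). All file names and subject names below are made up.
# Usage: issue_demo_certs "$(mktemp -d)"
#
# Returns 0 on success, 2 if this openssl build lacks ML-DSA-87 or
# ML-KEM-1024, 1 on any other failure.
issue_demo_certs() {
    dir=$1

    # Throwaway key pairs; key generation fails on builds without PQC support.
    openssl genpkey -algorithm ML-DSA-87 -out "$dir/ca.key" 2>/dev/null || return 2
    openssl genpkey -algorithm ML-KEM-1024 -out "$dir/kem.key" 2>/dev/null || return 2
    openssl pkey -in "$dir/kem.key" -pubout -out "$dir/kem.pub" || return 1

    # (a) Self-signed certificate for the ML-DSA-87 key.
    openssl req -x509 -new -key "$dir/ca.key" \
        -subj "/CN=Demo ML-DSA-87 CA" -days 30 -out "$dir/ca.crt" || return 1

    # (b) Certificate for the ML-KEM-1024 key. A KEM key cannot sign a CSR,
    # so no request is used: -force_pubkey inserts the public key as-is.
    # The CA performs NO proof of possession here, which is why this is
    # only suitable for a lab/demo CA.
    printf 'keyUsage=critical,keyEncipherment\n' > "$dir/ee.ext"
    openssl x509 -new -force_pubkey "$dir/kem.pub" \
        -subj "/CN=Demo ML-KEM-1024 EE" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/ee.ext" -days 30 -out "$dir/kem.crt" || return 1

    # Check that the ML-KEM certificate chains to the ML-DSA-87 root.
    openssl verify -CAfile "$dir/ca.crt" "$dir/kem.crt" >/dev/null || return 1
}
```

A production CA would replace step (b) with an enrollment protocol that proves the requester holds the ML-KEM private key, which is the CRMF/CMP point made in the thread.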