Add dilithium for signing and verification

This commit adds dilithium as algorithm for signing and verification.

As openssl is not supporting dilithium at the moment, the reference
implementation from the NIST PQC is used (see
https://github.com/pq-crystals/dilithium/).

The crystalls dilithium libraries without avx support are used.

The current version of MoCOCrW uses a EVP_PKEY centric implementation
for asymmetric cryptographic operations. To avoid changes on the
existing classes the relevant classes are cloned for dilithium.

Functionality is added or removed wherever necessary. But the changes
were done with the plan in mind, to be able to change back to the
EVP_PKEY centric implementation once openssl supports dilithium.

The new dilithium feature is OPTIONAL.
To compile MoCOCrW with dilithium support specify -DDILITHIUM_ENABLED
when invoking cmake.
You have to make sure, that the static libraries created by libdilithium
(https://github.com/pq-crystals/dilithium) can be found the linker.
Additionally the compiler needs access to "api.h" from libdilithium.

To be compliant to the current implementation an additional function to 
retrieve the public key from the private key for dilithium is added to 
libdilithium (pq-crystals/dilithium#68). This one is
required for compilation.

If you have problems compiling and installing libdillithium there is another
PR which enhances cmake for libdilithium 
(pq-crystals/dilithium#69).

The following openssl functions are required for the implementation and were
consequently added:
* d2i_X509_PUBKEY (reading ASN.1 pubkey structures)
* X509_PUBKEY_free (freeing the memory)
* ASN1_INTEGER_get_int64 (modern function for ASN1_INTEGER_get)
* d2i_PKCS8_PRIV_KEY_INFO (reading RFC 5958 DER data)
* PKCS8_PRIV_KEY_INFO_free (free it)

.github/workflows/ci.yml

@@ -10,8 +10,9 @@ env:
   DOCKER_TAG: buildenv
   DOCKER_FOLDER_PATH: ./dockerfiles/base
 
-  DOCKER_WITH_HSM_TAG: buildenv_with_hsm
-  DOCKER_WITH_HSM_FOLDER_PATH: ./dockerfiles/hsm-support
+  # This buildenv contains libp11/softhsm and libdilithium
+  DOCKER_WITH_FEATURE_TAG: buildenv_with_features
+  DOCKER_WITH_FEATURE_FOLDER_PATH: ./dockerfiles/feature-support
 
   TOKEN_LABEL: token-label
   USER_PIN: 1234
@@ -45,6 +46,7 @@ jobs:
         compiler: ["g++", "clang++"]
         build_type: ["", "ASAN"]
         hsm_flag: ["HSM_ENABLED=ON", "HSM_ENABLED=OFF"]
+        dilithium_flag: ["DILITHIUM_ENABLED=ON", "DILITHIUM_ENABLED=OFF"]
 
         include:
           - build_type: "ASAN"
@@ -58,11 +60,15 @@ jobs:
             LSAN_OPTIONS: ""
 
           - hsm_flag: "HSM_ENABLED=ON"
-            docker_tag: "buildenv_with_hsm"
+            docker_tag: "buildenv_with_features"
             softhsm2_conf: "/usr/share/softhsm/softhsm2.conf"
             softhsm2_grp: ":softhsm"
 
+          - dilithium_flag: "DILITHIUM_ENABLED=ON"
+            docker_tag: "buildenv_with_features"
+
           - hsm_flag: "HSM_ENABLED=OFF"
+            dilithium_flag: "DILITHIUM_ENABLED=OFF"
             docker_tag: "buildenv"
             softhsm2_conf: ""
             softhsm2_grp:
@@ -78,11 +84,11 @@ jobs:
           docker_folder_path: ${{ env.DOCKER_FOLDER_PATH }}
 
       - name: "Build Docker Image With HSM"
-        if: ${{ matrix.hsm_flag == 'HSM_ENABLED=ON' }}
+        if: ${{ matrix.hsm_flag == 'HSM_ENABLED=ON' || matrix.dilithium_flag == 'DILITHIUM_ENABLED=ON' }}
         uses: ./.github/actions/build-docker
         with:
-          docker_tag: ${{ env.DOCKER_WITH_HSM_TAG }}
-          docker_folder_path: ${{ env.DOCKER_WITH_HSM_FOLDER_PATH }}
+          docker_tag: ${{ env.DOCKER_WITH_FEATURE_TAG }}
+          docker_folder_path: ${{ env.DOCKER_WITH_FEATURE_FOLDER_PATH }}
 
       - name: "Build MoCOCrW"
         run: |
@@ -94,6 +100,7 @@ jobs:
               -DCMAKE_CXX_COMPILER=${{ matrix.compiler }} \
               -DCMAKE_BUILD_TYPE=${{ matrix.build_type }} \
               -D${{ matrix.hsm_flag }} \
+              -D${{ matrix.dilithium_flag }} \
               -DBUILD_TESTING=True \
               -GNinja \
               /src \
@@ -114,4 +121,3 @@ jobs:
             && if [ "${{ matrix.hsm_flag }}" = "HSM_ENABLED=ON" ]; then \
                 softhsm2-util --delete-token --token ${{ env.TOKEN_LABEL }} --pin ${{ env.USER_PIN }} --so-pin ${{ env.SO_PIN  }}; \
             fi'
-

CMakeLists.txt

@@ -31,6 +31,9 @@ set(SECURITY_COMPILER_FLAGS
 # By default, we do not build MoCOCrW with LibP11.
 option(HSM_ENABLED "Enable HSM features" OFF)
 
+# By default, we do not build MoCOCrW with dilithium support.
+option(DILITHIUM_ENABLED "Enable Dilithium features" OFF)
+
 set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 
 # Note that '-pie' needs to be specified as a linker flag to every executable
@@ -93,6 +96,13 @@ if(BUILD_DOCUMENTATION)
     add_subdirectory(doc)
 endif()
 
+if(DILITHIUM_ENABLED)
+    message(STATUS "Dilithium support is enabled. Linking libdilithium statically.")
+    find_package(dilithium 3.1 REQUIRED)
+else()
+    message(WARNING "Dilithium support is disabled.")
+endif()
+
 find_package(OpenSSL REQUIRED)
 if(OPENSSL_FOUND)
     message(STATUS "Using OpenSSL ${OPENSSL_VERSION}")

dockerfiles/feature-support/Dockerfile

@@ -0,0 +1,69 @@
+FROM buildenv
+
+ARG LIBP11_URL=https://github.com/OpenSC/libp11/releases/download/libp11-0.4.12/libp11-0.4.12.tar.gz
+RUN mkdir /tmp/patches
+COPY hsm-patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch \
+     dilithium-patches/0001-CMakeLists.txt-Add-BUILD_TESTING-compile-flag.patch     \
+     dilithium-patches/0002-CMakeLists.txt-Enable-parallel-test-execution.patch     \
+     dilithium-patches/0003-CMakeLists.txt-Enable-PIE-compilation-flag.patch        \
+     dilithium-patches/0004-CMakeLists.txt-Add-UBSAN-and-ASAN-build-types.patch     \
+     dilithium-patches/0005-CMakeLists.txt-Add-cmake-install-target.patch           \
+     dilithium-patches/0006-CMakelists.txt-Add-stack-protector-strong-flag.patch    \
+     dilithium-patches/0007-CMakeLists.txt-Change-target_compile_definition.patch   \
+     dilithium-patches/0008-Add-function-for-pub-key-extraction.patch               \
+     /tmp/patches/
+
+# Install:
+#  * MoCOCrW dependencies (except OpenSSL)
+#  * libp11
+#  * libdilithium
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
+    # for pkcs11-tool which we use to create keys in token
+    opensc \
+    # p11-kit-modules allows loading of libp11 engine without having to edit openssl.cnf
+    p11-kit-modules \
+    # softhsm2: includes both softhsm2-util and libsofthsm2
+    softhsm2 \
+    # libp11 needs this
+    libtool && \
+    rm -rf /var/lib/apt/lists/* && \
+
+    # Build libp11
+    mkdir -p /tmp/libp11 && \
+    cd /tmp/libp11 && \
+    wget "${LIBP11_URL}" && \
+    tar xf libp11-0.4.12.tar.gz && \
+    cd libp11-0.4.12 && \
+    git apply /tmp/patches/0001-Introduce-generic-keypair-generation-interface-and-e.patch && \
+    echo "Successfully patched libp11" && \
+    autoreconf --verbose --install --force && \
+    ./configure --enable-strict && \
+    make -j"$(nproc)" && \
+    make check && \
+    make install && \
+    rm -rf /tmp/libp11 && \
+
+    # Build libdilithium
+    mkdir /tmp/libdilithium && \
+    cd /tmp/libdilithium && \
+    git clone https://github.com/pq-crystals/dilithium && \
+    cd dilithium && \
+    git checkout 3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 && \
+    git apply /tmp/patches/0001-CMakeLists.txt-Add-BUILD_TESTING-compile-flag.patch   && \
+    git apply /tmp/patches/0002-CMakeLists.txt-Enable-parallel-test-execution.patch   && \
+    git apply /tmp/patches/0003-CMakeLists.txt-Enable-PIE-compilation-flag.patch      && \
+    git apply /tmp/patches/0004-CMakeLists.txt-Add-UBSAN-and-ASAN-build-types.patch   && \
+    git apply /tmp/patches/0005-CMakeLists.txt-Add-cmake-install-target.patch         && \
+    git apply /tmp/patches/0006-CMakelists.txt-Add-stack-protector-strong-flag.patch  && \
+    git apply /tmp/patches/0007-CMakeLists.txt-Change-target_compile_definition.patch && \
+    git apply /tmp/patches/0008-Add-function-for-pub-key-extraction.patch             && \
+    mkdir build && \
+    cd build && \
+    cmake -GNinja .. -DBUILD_TESTING=ON&& \
+    ninja && \
+    ctest -j"$(nproc)" && \
+    ninja install && \
+    cd / && \
+    rm -rf /tmp/libdilithium && \
+    rm -rf /tmp/patches
+

dockerfiles/feature-support/dilithium-patches/0001-CMakeLists.txt-Add-BUILD_TESTING-compile-flag.patch

@@ -0,0 +1,194 @@
+From 13b5daa777e9ffea85c0b9bb92c6145920a6ced5 Mon Sep 17 00:00:00 2001
+From: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
+Date: Tue, 13 Dec 2022 14:46:35 +0100
+Subject: [PATCH 1/8] CMakeLists.txt: Add BUILD_TESTING compile flag
+
+Up to now all tests were built automatically when building with cmake.
+
+As tests are not required when just building the library a new cmake
+flag BUILD_TESTING is introduced. Once set the test binaries are build
+and can be executed using ctest.
+---
+ CMakeLists.txt     |   7 ++-
+ ref/CMakeLists.txt | 132 +++++++++++++++++++++++++++++----------------
+ 2 files changed, 90 insertions(+), 49 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 17b9f75..60cb20e 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -5,10 +5,13 @@ project(dilithium C ASM)
+ set(CMAKE_C_STANDARD 99)
+ set(CMAKE_C_STANDARD_REQUIRED ON)
+
+-enable_testing()
+-
+ #find_package(OpenSSL REQUIRED)
+ #include_directories(${OPENSSL_INCLUDE_DIR})
+
++if(BUILD_TESTING)
++    message(STATUS "Testing enabled.")
++    enable_testing()
++endif()
++
+ add_subdirectory(ref)
+ #add_subdirectory(avx2)
+diff --git a/ref/CMakeLists.txt b/ref/CMakeLists.txt
+index b6f76e0..c246b1e 100644
+--- a/ref/CMakeLists.txt
++++ b/ref/CMakeLists.txt
+@@ -26,14 +26,20 @@ target_compile_definitions(dilithium2aes_ref PUBLIC DILITHIUM_MODE=2 DILITHIUM_U
+ target_link_libraries(dilithium2_ref INTERFACE fips202_ref)
+ target_link_libraries(dilithium2aes_ref INTERFACE fips202_ref aes256ctr_ref)
+
+-add_executable(test_dilithium2_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors2_ref ${TEST_VECTORS_SRCS})
+-add_executable(test_dilithium2aes_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors2aes_ref ${TEST_VECTORS_SRCS})
+-target_link_libraries(test_dilithium2_ref dilithium2_ref)
+-target_link_libraries(test_vectors2_ref dilithium2_ref)
+-target_link_libraries(test_dilithium2aes_ref dilithium2aes_ref)
+-target_link_libraries(test_vectors2aes_ref dilithium2aes_ref)
++if(BUILD_TESTING)
++  add_executable(test_dilithium2_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors2_ref ${TEST_VECTORS_SRCS})
++  add_executable(test_dilithium2aes_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors2aes_ref ${TEST_VECTORS_SRCS})
++
++  target_link_libraries(test_dilithium2_ref dilithium2_ref)
++  target_link_libraries(test_vectors2_ref dilithium2_ref)
++  target_link_libraries(test_dilithium2aes_ref dilithium2aes_ref)
++  target_link_libraries(test_vectors2aes_ref dilithium2aes_ref)
++
++  add_test(NAME dilithium2_ref COMMAND test_dilithium2_ref)
++  add_test(NAME dilithium2aes_ref COMMAND test_dilithium2aes_ref)
++endif()
+
+ # Dilithium 3
+ add_library(dilithium3_ref ${DILITHIUM_FIPS202_SRCS})
+@@ -43,14 +49,18 @@ target_compile_definitions(dilithium3aes_ref PUBLIC DILITHIUM_MODE=3 DILITHIUM_U
+ target_link_libraries(dilithium3_ref INTERFACE fips202_ref)
+ target_link_libraries(dilithium3aes_ref INTERFACE fips202_ref aes256ctr_ref)
+
+-add_executable(test_dilithium3_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors3_ref ${TEST_VECTORS_SRCS})
+-add_executable(test_dilithium3aes_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors3aes_ref ${TEST_VECTORS_SRCS})
+-target_link_libraries(test_dilithium3_ref dilithium3_ref)
+-target_link_libraries(test_vectors3_ref dilithium3_ref)
+-target_link_libraries(test_dilithium3aes_ref dilithium3aes_ref)
+-target_link_libraries(test_vectors3aes_ref dilithium3aes_ref)
++if(BUILD_TESTING)
++  add_executable(test_dilithium3_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors3_ref ${TEST_VECTORS_SRCS})
++  add_executable(test_dilithium3aes_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors3aes_ref ${TEST_VECTORS_SRCS})
++  target_link_libraries(test_dilithium3_ref dilithium3_ref)
++  target_link_libraries(test_vectors3_ref dilithium3_ref)
++  target_link_libraries(test_dilithium3aes_ref dilithium3aes_ref)
++  target_link_libraries(test_vectors3aes_ref dilithium3aes_ref)
++  add_test(NAME dilithium3_ref COMMAND test_dilithium3_ref)
++  add_test(NAME dilithium3aes_ref COMMAND test_dilithium3aes_ref)
++endif()
+
+ # Dilithium 5
+ add_library(dilithium5_ref ${DILITHIUM_FIPS202_SRCS})
+@@ -60,36 +70,64 @@ target_compile_definitions(dilithium5aes_ref PUBLIC DILITHIUM_MODE=5 DILITHIUM_U
+ target_link_libraries(dilithium5_ref INTERFACE fips202_ref)
+ target_link_libraries(dilithium5aes_ref INTERFACE fips202_ref aes256ctr_ref)
+
+-add_executable(test_dilithium5_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors5_ref ${TEST_VECTORS_SRCS})
+-add_executable(test_dilithium5aes_ref ${TEST_DILITHIUM_SRCS})
+-add_executable(test_vectors5aes_ref ${TEST_VECTORS_SRCS})
+-target_link_libraries(test_dilithium5_ref dilithium5_ref)
+-target_link_libraries(test_vectors5_ref dilithium5_ref)
+-target_link_libraries(test_dilithium5aes_ref dilithium5aes_ref)
+-target_link_libraries(test_vectors5aes_ref dilithium5aes_ref)
+-
+-add_test(NAME dilithium2_ref COMMAND test_dilithium2_ref)
+-add_test(NAME dilithium2aes_ref COMMAND test_dilithium2aes_ref)
+-add_test(NAME dilithium3_ref COMMAND test_dilithium3_ref)
+-add_test(NAME dilithium3aes_ref COMMAND test_dilithium3aes_ref)
+-add_test(NAME dilithium5_ref COMMAND test_dilithium5_ref)
+-add_test(NAME dilithium5aes_ref COMMAND test_dilithium5aes_ref)
+-
+-if(WIN32)
+-  add_test(NAME vectors2_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors2_ref> | dos2unix > tvecs2")
+-  add_test(NAME vectors2aes_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors2aes_ref> | dos2unix > tvecs2aes")
+-  add_test(NAME vectors3_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors3_ref> | dos2unix > tvecs3")
+-  add_test(NAME vectors3aes_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors3aes_ref> | dos2unix > tvecs3aes")
+-  add_test(NAME vectors5_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors5_ref> | dos2unix > tvecs5")
+-  add_test(NAME vectors5aes_ref COMMAND PowerShell -Command "$<TARGET_FILE:test_vectors5aes_ref> | dos2unix > tvecs5aes")
+-else()
+-  add_test(NAME vectors2_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors2_ref>\" > tvecs2")
+-  add_test(NAME vectors2aes_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors2aes_ref>\" > tvecs2aes")
+-  add_test(NAME vectors3_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors3_ref>\" > tvecs3")
+-  add_test(NAME vectors3aes_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors3aes_ref>\" > tvecs3aes")
+-  add_test(NAME vectors5_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors5_ref>\" > tvecs5")
+-  add_test(NAME vectors5aes_ref COMMAND sh -c "\"$<TARGET_FILE:test_vectors5aes_ref>\" > tvecs5aes")
++
++if(BUILD_TESTING)
++  add_executable(test_dilithium5_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors5_ref ${TEST_VECTORS_SRCS})
++  add_executable(test_dilithium5aes_ref ${TEST_DILITHIUM_SRCS})
++  add_executable(test_vectors5aes_ref ${TEST_VECTORS_SRCS})
++  target_link_libraries(test_dilithium5_ref dilithium5_ref)
++  target_link_libraries(test_vectors5_ref dilithium5_ref)
++  target_link_libraries(test_dilithium5aes_ref dilithium5aes_ref)
++  target_link_libraries(test_vectors5aes_ref dilithium5aes_ref)
++
++  add_test(NAME dilithium5_ref COMMAND test_dilithium5_ref)
++  add_test(NAME dilithium5aes_ref COMMAND test_dilithium5aes_ref)
++endif()
++
++
++# Vector Tests
++if(BUILD_TESTING)
++  if(WIN32)
++    add_test(NAME vectors2_ref
++             COMMAND PowerShell -Command
++                     "$<TARGET_FILE:test_vectors2_ref> | dos2unix > tvecs2")
++    add_test(
++      NAME vectors2aes_ref
++      COMMAND PowerShell -Command
++              "$<TARGET_FILE:test_vectors2aes_ref> | dos2unix > tvecs2aes")
++    add_test(NAME vectors3_ref
++             COMMAND PowerShell -Command
++                     "$<TARGET_FILE:test_vectors3_ref> | dos2unix > tvecs3")
++    add_test(
++      NAME vectors3aes_ref
++      COMMAND PowerShell -Command
++              "$<TARGET_FILE:test_vectors3aes_ref> | dos2unix > tvecs3aes")
++    add_test(NAME vectors5_ref
++             COMMAND PowerShell -Command
++                     "$<TARGET_FILE:test_vectors5_ref> | dos2unix > tvecs5")
++    add_test(
++      NAME vectors5aes_ref
++      COMMAND PowerShell -Command
++              "$<TARGET_FILE:test_vectors5aes_ref> | dos2unix > tvecs5aes")
++  else()
++    add_test(NAME vectors2_ref
++             COMMAND sh -c "\"$<TARGET_FILE:test_vectors2_ref>\" > tvecs2")
++    add_test(NAME vectors2aes_ref
++             COMMAND sh -c
++                     "\"$<TARGET_FILE:test_vectors2aes_ref>\" > tvecs2aes")
++    add_test(NAME vectors3_ref
++             COMMAND sh -c "\"$<TARGET_FILE:test_vectors3_ref>\" > tvecs3")
++    add_test(NAME vectors3aes_ref
++             COMMAND sh -c
++                     "\"$<TARGET_FILE:test_vectors3aes_ref>\" > tvecs3aes")
++    add_test(NAME vectors5_ref
++             COMMAND sh -c "\"$<TARGET_FILE:test_vectors5_ref>\" > tvecs5")
++    add_test(NAME vectors5aes_ref
++             COMMAND sh -c
++                     "\"$<TARGET_FILE:test_vectors5aes_ref>\" > tvecs5aes")
++  endif()
++
++  add_test(NAME hashes COMMAND sha256sum -c ../../SHA256SUMS)
+ endif()
+
+-add_test(NAME hashes COMMAND sha256sum -c ../../SHA256SUMS)
+-- 
+2.38.1
+

dockerfiles/feature-support/dilithium-patches/0002-CMakeLists.txt-Enable-parallel-test-execution.patch

@@ -0,0 +1,33 @@
+From 8855c95176ccf5086aa21d2eaa9815f4426e3385 Mon Sep 17 00:00:00 2001
+From: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
+Date: Tue, 13 Dec 2022 14:55:26 +0100
+Subject: [PATCH 2/8] CMakeLists.txt: Enable parallel test execution
+
+The last test depends on the execution of the previos test_vector*
+tests as these tests create data, which is hashed and compared to an existing
+hash value.
+
+This change adds a dependency for hashes on the test_vector* tests, so that the
+test hashes is executed after all of these test_vector tests have been
+successfully executed.
+---
+ ref/CMakeLists.txt | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ref/CMakeLists.txt b/ref/CMakeLists.txt
+index c246b1e..9c30fa4 100644
+--- a/ref/CMakeLists.txt
++++ b/ref/CMakeLists.txt
+@@ -129,5 +129,9 @@ if(BUILD_TESTING)
+   endif()
+
+   add_test(NAME hashes COMMAND sha256sum -c ../../SHA256SUMS)
++  set_tests_properties(
++    vectors2_ref vectors2aes_ref vectors3_ref vectors3aes_ref vectors5_ref
++    vectors5aes_ref PROPERTIES FIXTURES_SETUP createVectorFiles)
++  set_tests_properties(hashes PROPERTIES FIXTURES_REQUIRED createVectorFiles)
+ endif()
+
+-- 
+2.38.1
+