CMS: Add support for hashless signing schemes (ML/SLH-DSA & EdDSA) for no-attributes case

[stefanberger]

Add support for hashless signing schemes, such as ML-DSA, SLH-DSA, and EdDSA, for the case that signed attributes are absent. Add test cases for all newly supported signing schemes.

Enable the ability to sign (verify) with a hashless signing schemes, such as ML-DSA in pure mode, in case no attributes are used in CMS. To support this, pass the BIO with the plain data through to the signing (verification) function so that key's pure mode signing scheme can hash the data itself.

The current implementation relies on a seek'able BIO so that the data stream can be read multiple times for support of multiple keys.

Some signing schemes, such as ML-DSA, support the message_update function when signing data, others, such as EdDSA keys do not support it. The former allows for reading data in smaller chunks and calling EVP_PKEY_sign_message_update() with the data, while the latter requires that all data are all read into memory and then passed for signing. This latter method could run into out-of-memory issue when signing very large files.

Fixes #11915
Fixes #13523 (?)
Fixes #28279

Checklist

• documentation is added or updated
• tests are added or updated

[stefanberger]

@DDvO @danvangeest FYI

[jogme]

would you please sign a CLA? https://openssl-library.org/policies/cla/

[DDvO]

Very nice!
Looks like this will make large part of #22391 obsolete,
which was for EdDSA only, while also trying to cover the legacy PKCS#7 implementation.

[DDvO]

I likely won't have the time for a full review in the next two weeks,
but here are some name/style-wise improvement suggestions at API level.

[stefanberger]

Very nice!
Looks like this will make large part of #22391 obsolete,
which was for EdDSA only, while also trying to cover the legacy PKCS#7 implementation.

I saw that some CMS-related tests were already working for the key types I am extending it for in this PR, but the non-attributes case was not covered. I am not sure what to do about PKCS#7...

One concern I have with the implementation is the BIO of the input data. I am wondering whether to make a copy of the data since the data may have to be read multiple times (for multiple keys in pure mode), even though this may cause issues with very large files but then on the other hand would improve performance.

[DDvO]

Thank you for very swiftly picking up my API suggestions and for adding doc entries.
For now, just spotted some doc nits.

Since this PR also documents the pre-existing functions CMS_dataFinal() and CMS_SignerInfo_verify_content(), you can (well, even should) remove them from util/missingcrypto.txt.

This extension is clearly worth an entry in NEWS.md.

[Copilot]

Pull Request Overview

This PR adds support for hashless signing schemes (ML-DSA, SLH-DSA, and EdDSA) in CMS when no signed attributes are present. The implementation enables these schemes to directly sign raw data instead of pre-computed hashes by passing the original data BIO through to signing and verification functions.

Key changes:

• Added new public APIs CMS_dataFinal_hashless() and CMS_SignerInfo_verify_hashless() to support hashless signing schemes
• Modified internal signing/verification functions to handle both hash-based and hashless signing schemes
• Added comprehensive test coverage for EdDSA (Ed25519, Ed448), ML-DSA-44, and SLH-DSA-SHAKE-256s with the -noattr flag

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
util/libcrypto.num	Exports new public API functions for hashless signing support
test/recipes/80-test_cms.t	Adds test cases for hashless signing schemes (EdDSA, ML-DSA, SLH-DSA) with -noattr
include/openssl/cms.h.in	Declares new public APIs for hashless signing and verification
doc/man3/CMS_verify.pod	Documents the new verification functions for hashless schemes
doc/man3/CMS_final.pod	Documents the new finalization functions for hashless schemes
crypto/cms/cms_smime.c	Updates high-level CMS functions to use hashless variants
crypto/cms/cms_sd.c	Implements core hashless signing/verification logic with algorithm-specific handling
crypto/cms/cms_local.h	Updates internal function signatures to support data BIO parameter
crypto/cms/cms_lib.c	Implements new public APIs and updates internal routing

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[DDvO]

There was no direct button for triggering the Copilot/AI review bot for some reason
(I guess this is not enabled for PRs from OpenSSL-external people),
but the option was still available for me via the cog wheel above the list of reviewers.

[DDvO]

Please add to the message of the respective commit this line:
Fixes #11915
And if correct (I'm not sure):
Fixes #13523

[DDvO]

CI failures are relevant; please check and fix issues.

[igus68]

Hi Stefan,
Thanks a lot for the fantastic work! I have only some small remarks that I posted as comments to the code.
Your pull request also fixes issue #28279, so could you please add
Fixes #28279
as well

[DDvO]

Two hints how to get rid of the doc-nits CI failure.

Again, since this PR also documents the pre-existing functions CMS_dataFinal() and CMS_SignerInfo_verify_content(), should remove them from util/missingcrypto.txt

And comments regarding minor improvements on the coding style.

[DDvO]

BTW, the only remaining coding style issue reported by the CI is:

  crypto/cms/cms_sd.c:421:function body length = 206 > 200 lines:CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,

While this PR already downsizes the function body a little bit,
there would be good chances by tweaking some other parts in here to get below the given "limit" ;-)

[stefanberger]

Is removing empty lines allowed?

[t8m]

You can ignore this issue.

[t8m]

The check docs and pre-commit failures are relevant.

[t8m]

I'm interested in the OpenSSL maintainer's opinion here, but I'm not a fan of hardcoding these values. It doesn't cover algorithms which are implemented in a provider but not in OpenSSL. It also doesn't cover 3rd party provider implementations of ML-DSA which support EVP_PKEY_sign but not EVP_PKEY_sign_message_update.

I think we can hardcode some defaults (like this table) and then add a CAPABILITIES entry (as the TLS capabilities are) for the additional entries that could override this default table.

The first issue could be solved by having the provider supply this information, similar to what OSSL_PKEY_PARAM_CMS_KEMRI_KDF_ALGORITHM does for KEMs.

IMO capabilities are better way.

The second could be solved by checking whether sign_message_update is set in EVP_SIGNATURE, although I don't know if people would be keen about this check being done in CMS code.

That would be IMO OK, but it requires adding a public function for that such as EVP_SIGNATURE_has_message_update() or something like that.

[t8m]

You also need to run make update to update the libcrypto.num file.

[t8m]

nit: signature->verify_message_update != NULL && signature->sign_message_update != NULL

[stefanberger]

Done.

[beldmit]

LGTM

[openssl-machine]

This pull request is ready to merge

[t8m]

Merged to the master branch. Thank you for your contribution.