Add LMS/HSS (verify only) to wolfCrypt JNI and wolfJCE#233
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds verify-only LMS/HSS (RFC 8554) support across the wolfCrypt JNI wrapper and the wolfJCE provider, including public-key (SPKI) handling and tests based on RFC vectors, aligning behavior with the JDK SUN provider’s verify-only posture.
Changes:
- Add
com.wolfssl.wolfcrypt.LmsJNI wrapper + native JNI bindings for LMS/HSS verification and parameter introspection. - Register LMS/HSS
Signature(verify-only) andKeyFactory(public only) services in wolfJCE, including SPKI encode/decode utilities and public key implementation. - Add unit tests (JNI KATs + JCE API tests) and update build/docs/scripts to include LMS artifacts.
Reviewed changes
Copilot reviewed 19 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTestSuite.java | Adds LmsTest to the wolfCrypt JNI test suite. |
| src/test/java/com/wolfssl/wolfcrypt/test/LmsTest.java | Adds JNI-level RFC 8554 / RFC 9858 known-answer verification tests. |
| src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java | Adds WKS KeyStore round-trip test for an LMS certificate and public-key import. |
| src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java | Adds LMS JCE tests to the wolfJCE test suite. |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptLmsSignatureTest.java | Adds JCE Signature (verify-only) tests for LMS/HSS using SPKI-wrapped RFC vectors. |
| src/test/java/com/wolfssl/provider/jce/test/WolfCryptLmsKeyFactoryTest.java | Adds JCE KeyFactory tests for LMS public key import/round-trip and private-key rejection. |
| src/main/java/com/wolfssl/wolfcrypt/Lms.java | Introduces the JVM wrapper for native verify-only LMS/HSS key operations. |
| src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java | Registers LMS/HSS Signature and KeyFactory services (gated by native feature detection). |
| src/main/java/com/wolfssl/provider/jce/WolfCryptLmsUtil.java | Adds strict DER parsing + SPKI encoding/decoding helpers for LMS/HSS public keys. |
| src/main/java/com/wolfssl/provider/jce/WolfCryptLmsSignature.java | Adds verify-only SignatureSpi implementation for LMS/HSS. |
| src/main/java/com/wolfssl/provider/jce/WolfCryptLmsPublicKey.java | Adds LMS/HSS PublicKey implementation with canonicalized SPKI encoding and destroy support. |
| src/main/java/com/wolfssl/provider/jce/WolfCryptLmsKeyFactory.java | Adds verify-only LMS/HSS KeyFactorySpi supporting X.509 public keys only. |
| scripts/infer.sh | Adds new LMS Java sources to Infer’s compilation list. |
| README.md | Documents how to enable native LMS and describes verify-only JCE behavior. |
| README_JCE.md | Lists LMS/HSS as supported by wolfJCE (names + OID). |
| makefile.macosx | Links in jni_lms.o. |
| makefile.linux | Links in jni_lms.o. |
| jni/jni_lms.c | Implements JNI bridge to native wc_LmsKey_* verify/import/parameter APIs. |
| jni/include/com_wolfssl_wolfcrypt_Lms.h | Adds generated JNI header for the new Lms class. |
| examples/certs/update-certs.sh | Adds LMS certificate(s) to the cert update script. |
Files not reviewed (1)
- jni/include/com_wolfssl_wolfcrypt_Lms.h: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #233
Scan targets checked: wolfcrypt-jni-bugs, wolfcrypt-jni-src
No new issues found in the changed files. ✅
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #233
Scan targets checked: wolfcrypt-jni-bugs, wolfcrypt-jni-src
No new issues found in the changed files. ✅
804814a to
2a5a9ef
Compare
This PR adds verify-only LMS/HSS to the JNI wrapper (
com.wolfssl.wolfcrypt.Lms) and the wolfJCE provider. Verify-only matches the JDK SUN provider. Stateful hash-based signing belongs in hardware (NIST SP 800-208), so key generation, signing, and private keys are intentionally not supported yet.Services
LMS,HSS/LMS, OID1.2.840.113549.1.9.16.3.17(verify,initSignthrowsInvalidKeyException)generatePrivatethrowsInvalidKeySpecException)KeyPairGeneratorNotes
HSS/LMSprovider.Requirements
Native wolfSSL with
--enable-lms(or--enable-lms=verify-only). Add--enable-sha3for SHAKE families.Testing
Added unit tests. JNI and JCE known-answer tests use RFC 8554 (TC1) and RFC 9858 (A.1–A.4) vectors.
Added new GitHub pull request workflows for the following native wolfSSL builds: