Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-102992

GnuTLS can't derive public keys from private ones in ML-DSA

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Generate New Ti...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • rhel-10.1
    • gnutls
    • None
    • No
    • Low
    • rhel-security-crypto-spades
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • None
    • None
    • Known Issue
    • Hide
      .GnuTLS cannot convert ML-DSA private keys to public ones

      GnuTLS lacks an algorithm to convert a private ML-DSA key in the expanded form to a public ML-DSA key. Consequently, operations requiring both keys fail when only the expanded private key is provided.

      Workaround: Use the `openssl` command to convert such a private key to a public key: `openssl dsa -in _<private_key>_ -pubout -out _<public_key>_`. As a result, the public key is available for use in other operations.
      Show
      .GnuTLS cannot convert ML-DSA private keys to public ones GnuTLS lacks an algorithm to convert a private ML-DSA key in the expanded form to a public ML-DSA key. Consequently, operations requiring both keys fail when only the expanded private key is provided. Workaround: Use the `openssl` command to convert such a private key to a public key: `openssl dsa -in _<private_key>_ -pubout -out _<public_key>_`. As a result, the public key is available for use in other operations.
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      When the private key doesn't include the `seed` parameter, GnuTLS is unable to generate the public key when it's needed.

      Using: gnutls-3.8.10-1.el10.x86_64

      Running:

      openssl genpkey -algorithm mldsa44 -provparam 'ml-dsa.output_formats=priv-only' -out key.pem
cat > template.cfg <<EOF
organization = Example
dns_name = localhost
challenge_password =
EOF'
certtool --generate-request --load-privkey key.pem --outfile request.pem --template template.cfg

      fails with

      Generating a PKCS #10 certificate request...
Could not determine the public key for the operation.
You must specify --load-privkey or --load-pubkey if missing.

      GnuTLS should implement an algorithm to derive the public key from the private key, like the one implemented in OpenSSL or described in https://github.com/aws/aws-lc/pull/2142

              dueno@redhat.com Daiki Ueno
              hkario@redhat.com Alicja Kario
              Malhar Jivrajani
              Daiki Ueno Daiki Ueno
              Alexander Sosedkin Alexander Sosedkin
              Mirek Jahoda Mirek Jahoda
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: