draft-ietf-lamps-dilithium-certificates is now RFC 9881 Change-Id: I0e3b96ec8cb3958fd4711a19e948126841e33082 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/96547 Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/crypto/evp/p_mldsa.cc b/crypto/evp/p_mldsa.cc
index 889e598..6fe3564 100644
--- a/crypto/evp/p_mldsa.cc
+++ b/crypto/evp/p_mldsa.cc
@@ -252,8 +252,7 @@
 static evp_decode_result_t DecodePublic(const EVP_PKEY_ALG *alg, EvpPkey *out,
 CBS *params, CBS *key) {
- // The parameters must be omitted. See
- // draft-ietf-lamps-dilithium-certificates-13, Section 2.
+ // The parameters must be omitted. See RFC 9881, Section 2.
 if (CBS_len(params) != 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return evp_decode_error;
@@ -264,7 +263,7 @@
 static int EncodePublic(CBB *out, const EvpPkey *pkey) {
 const auto *pub = GetKeyData(pkey)->GetPublicKey();
- // See draft-ietf-lamps-dilithium-certificates-13, Sections 2 and 4.
+ // See RFC 9881, Sections 2 and 4.
 CBB spki, algorithm, key_bitstring;
 if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||
@@ -302,17 +301,16 @@
 static evp_decode_result_t DecodePrivate(const EVP_PKEY_ALG *alg, EvpPkey *out,
 CBS *params, CBS *key) {
- // The parameters must be omitted. See
- // draft-ietf-lamps-dilithium-certificates-13, Section 2.
+ // The parameters must be omitted. See RFC 9881, Section 2.
 if (CBS_len(params) != 0) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
 return evp_decode_error;
 }
- // See draft-ietf-lamps-dilithium-certificates-13, Section 6. Three
- // different encodings were specified, adding complexity to the question of
- // whether a private key is valid. We only implement the "seed"
- // representation. Give this case a different error for easier diagnostics.
+ // See RFC 9881, Section 6. Three different encodings were specified, adding
+ // complexity to the question of whether a private key is valid. We only
+ // implement the "seed" representation. Give this case a different error for
+ // easier diagnostics.
 //
 // The "expandedKey" representation was a last-minute accommodation for
 // legacy hardware, which should be updated to use seeds. Supporting it
@@ -345,8 +343,7 @@
 OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);
 return 0;
 }
- // See draft-ietf-lamps-dilithium-certificates-13, Sections 2 and 6. We
- // encode only the seed representation.
+ // See RFC 9881, Sections 2 and 6. We encode only the seed representation.
 CBB pkcs8, algorithm, private_key;
 if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||
 !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||
diff --git a/crypto/evp/test/mldsa_tests.txt b/crypto/evp/test/mldsa_tests.txt
index 7156895..f4f300a 100644
--- a/crypto/evp/test/mldsa_tests.txt
+++ b/crypto/evp/test/mldsa_tests.txt
@@ -1,8 +1,8 @@
 # EVP ML-DSA tests
-# Sample keys from draft-ietf-lamps-dilithium-certificates-13, Appendix C, in
-# the various forms. (The sample public and private keys correspond to the same
-# key.) We do not support the "expanded or "both".
+# Sample keys from RFC 9881, Appendix C, in the various forms. (The sample
+# public and private keys correspond to the same key.) We do not support the
+# "expanded" or "both" forms.
 # ML-DSA keys are very long. It is recommended to disable line wrapping in your
 # editor to page through it more easily.
diff --git a/docs/references.md b/docs/references.md
index c561975..e36daf7 100644
--- a/docs/references.md
+++ b/docs/references.md
@@ -43,6 +43,8 @@
 * PKCS#1 v1.5 with SHA-2 in X.509
 * RSA-PSS in X.509
 * [Algorithm Identifiers for Ed25519 and X25519 (RFC 8410)](https://www.rfc-editor.org/rfc/rfc8410.html)
+* [Algorithm Identifiers for ML-DSA (RFC 9881)](https://www.rfc-editor.org/rfc/rfc9881.html)
+* [Algorithm Identifiers for ML-KEM (RFC 9935)](https://www.rfc-editor.org/rfc/rfc9935.html)
 ## TLS
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index bcfcdc1..45fef4a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -181,10 +181,9 @@
 // The `EVP_PKEY_id` value is `EVP_PKEY_ED25519`.
 OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ed25519(void);
-// EVP_pkey_ml_dsa_* implement ML-DSA keys, encoded as in
-// draft-ietf-lamps-dilithium-certificates. The `EVP_PKEY_id` values are
-// `EVP_PKEY_ML_DSA_*`. In the private key representation, only the "seed" form
-// is serialized or parsed.
+// EVP_pkey_ml_dsa_* implement ML-DSA keys, encoded as in RFC 9881. The
+// `EVP_PKEY_id` values are `EVP_PKEY_ML_DSA_*`. In the private key
+// representation, only the "seed" form is serialized or parsed.
 //
 // To configure OpenSSL to output the standard "seed" form, configure the
 // "ml-dsa.output_formats" provider parameter so that "seed-only" is first. This