Skip to content

wc_slhdsa.h

Functions

Name
int wc_SlhDsaKey_Init(SlhDsaKey * key, enum SlhDsaParam param, void * heap, int devId)
Initializes an SLH_DSA key object with the specified parameter set. Must be called before any other SLH_DSA operation. Use wc_SlhDsaKey_Free() to release resources when done.
int wc_SlhDsaKey_Init_id(SlhDsaKey * key, enum SlhDsaParam param, const unsigned char * id, int len, void * heap, int devId)
Initializes an SLH_DSA key with a device_side key identifier (id). Equivalent to wc_SlhDsaKey_Init() but also stashes a binary id that a crypto callback can use to look up the underlying key material on the device. Only available when wolfSSL is built with WOLF_PRIVATE_KEY_ID.
int wc_SlhDsaKey_Init_label(SlhDsaKey * key, enum SlhDsaParam param, const char * label, void * heap, int devId)
Initializes an SLH_DSA key with a device_side key label. Equivalent to wc_SlhDsaKey_Init() but also stashes a label string that a crypto callback can use to look up the underlying key material on the device. Only available when wolfSSL is built with WOLF_PRIVATE_KEY_ID.
void wc_SlhDsaKey_Free(SlhDsaKey * key)
Frees resources associated with an SLH-DSA key object.
int wc_SlhDsaKey_MakeKey(SlhDsaKey * key, WC_RNG * rng)
Generates a new SLH_DSA key pair using the RNG for randomness. The key must have been initialized with wc_SlhDsaKey_Init() first.
int wc_SlhDsaKey_MakeKeyWithRandom(SlhDsaKey * key, const byte * sk_seed, word32 sk_seed_len, const byte * sk_prf, word32 sk_prf_len, const byte * pk_seed, word32 pk_seed_len)
Generates an SLH-DSA key pair from caller-provided seed material. This is the deterministic key generation interface — given the same seeds, the same key pair is produced.
int wc_SlhDsaKey_SignDeterministic(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * msg, word32 msgSz, byte * sig, word32 * sigSz)
Signs a message using the SLH_DSA external (pure) interface with deterministic randomness. This is FIPS 205 Algorithm 22 with opt_rand set to PK.seed. The message M is wrapped internally as M' = 0x00
int wc_SlhDsaKey_SignWithRandom(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * msg, word32 msgSz, byte * sig, word32 * sigSz, const byte * addRnd)
Signs a message using the SLH_DSA external (pure) interface with caller-provided additional randomness. This is FIPS 205 Algorithm 22 with an explicit opt_rand value.
int wc_SlhDsaKey_Sign(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * msg, word32 msgSz, byte * sig, word32 * sigSz, WC_RNG * rng)
Signs a message using the SLH_DSA external (pure) interface with RNG-provided randomness. This is the general-purpose signing function that uses the WC_RNG for opt_rand.
int wc_SlhDsaKey_Verify(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * msg, word32 msgSz, const byte * sig, word32 sigSz)
Verifies an SLH_DSA signature over a message using the external (pure) interface. This is FIPS 205 Algorithm 24. The message is wrapped internally as M' = 0x00
int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey * key, const byte * mprime, word32 mprimeSz, byte * sig, word32 * sigSz)
Signs using the SLH_DSA internal interface with deterministic randomness. Unlike the external interface, M' is provided directly by the caller — no wrapping is performed. This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with opt_rand set to PK.seed.
int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey * key, const byte * mprime, word32 mprimeSz, byte * sig, word32 * sigSz, const byte * addRnd)
Signs using the SLH_DSA internal interface with caller_provided additional randomness. M' is provided directly — no wrapping is performed. This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with an explicit opt_rand value. See wc_SlhDsaKey_SignMsgDeterministic for the M' layout used by HashSLH-DSA.
int wc_SlhDsaKey_VerifyMsg(SlhDsaKey * key, const byte * mprime, word32 mprimeSz, const byte * sig, word32 sigSz)
Verifies an SLH_DSA signature using the internal interface. M' is provided directly — no wrapping is performed. This corresponds to FIPS 205 Algorithm 20 (slh_verify_internal).
int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * hash, word32 hashSz, enum wc_HashType hashType, byte * sig, word32 * sigSz)
Signs a caller_pre_hashed message digest using the SLH_DSA external (HashSLH_DSA) interface with deterministic randomness, per FIPS 205 Algorithm 23 with the pre_hash domain separator (0x01). The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.
int wc_SlhDsaKey_SignHashWithRandom(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * hash, word32 hashSz, enum wc_HashType hashType, byte * sig, word32 * sigSz, const byte * addRnd)
Signs a caller_pre_hashed message digest using the SLH_DSA external (HashSLH_DSA) interface with caller-provided additional randomness. The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.
int wc_SlhDsaKey_SignHash(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * hash, word32 hashSz, enum wc_HashType hashType, byte * sig, word32 * sigSz, WC_RNG * rng)
Signs a caller_pre_hashed message digest using the SLH_DSA external (HashSLH_DSA) interface with RNG-provided randomness. The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.
int wc_SlhDsaKey_VerifyHash(SlhDsaKey * key, const byte * ctx, byte ctxSz, const byte * hash, word32 hashSz, enum wc_HashType hashType, const byte * sig, word32 sigSz)
Verifies an SLH_DSA signature using the external HashSLH_DSA interface (FIPS 205 Algorithm 25). The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.
int wc_SlhDsaKey_ImportPrivate(SlhDsaKey * key, const byte * in, word32 inLen)
Imports an SLH_DSA private key from a raw byte buffer. The buffer must contain the full private key (4*n bytes: SK.seed
int wc_SlhDsaKey_ImportPublic(SlhDsaKey * key, const byte * in, word32 inLen)
Imports an SLH_DSA public key from a raw byte buffer. The buffer must contain PK.seed
int wc_SlhDsaKey_CheckKey(SlhDsaKey * key)
Checks the consistency of an SLH-DSA key. For a key with both private and public components, verifies that the public key matches the private key.
int wc_SlhDsaKey_ExportPrivate(SlhDsaKey * key, byte * out, word32 * outLen)
Exports the private key from an SLH_DSA key object into a raw byte buffer (4*n bytes).
int wc_SlhDsaKey_ExportPublic(SlhDsaKey * key, byte * out, word32 * outLen)
Exports the public key from an SLH_DSA key object into a raw byte buffer (2*n bytes: PK.seed
int wc_SlhDsaKey_PrivateSize(SlhDsaKey * key)
Returns the private key size in bytes for the key's parameter set.
int wc_SlhDsaKey_PublicSize(SlhDsaKey * key)
Returns the public key size in bytes for the key's parameter set.
int wc_SlhDsaKey_SigSize(SlhDsaKey * key)
Returns the signature size in bytes for the key's parameter set.
int wc_SlhDsaKey_PrivateSizeFromParam(enum SlhDsaParam param)
Returns the private key size in bytes for the given parameter set without needing an initialized key object.
int wc_SlhDsaKey_PublicSizeFromParam(enum SlhDsaParam param)
Returns the public key size in bytes for the given parameter set without needing an initialized key object.
int wc_SlhDsaKey_SigSizeFromParam(enum SlhDsaParam param)
Returns the signature size in bytes for the given parameter set without needing an initialized key object.
int wc_SlhDsaKey_PrivateKeyDecode(const byte * input, word32 * inOutIdx, SlhDsaKey * key, word32 inSz)
Decodes a DER_encoded SLH_DSA private key in the PKCS#8 OneAsymmetricKey format defined by RFC 9909. The privateKey OCTET STRING contains the raw concatenation SK.seed
int wc_SlhDsaKey_PublicKeyDecode(const byte * input, word32 * inOutIdx, SlhDsaKey * key, word32 inSz)
Decodes a DER_encoded SLH_DSA public key in the SubjectPublicKeyInfo (SPKI) format. The SLH-DSA parameter set is detected from the AlgorithmIdentifier OID and key->params is updated accordingly.
int wc_SlhDsaKey_KeyToDer(SlhDsaKey * key, byte * output, word32 inLen)
Encodes an SLH_DSA private key to DER in the PKCS#8 OneAsymmetricKey format defined by RFC 9909. The privateKey OCTET STRING contains the raw 4*n bytes (SK.seed
int wc_SlhDsaKey_PrivateKeyToDer(SlhDsaKey * key, byte * output, word32 inLen)
Encodes an SLH-DSA private key to DER. RFC 9909 packs SK.seed
int wc_SlhDsaKey_PublicKeyToDer(SlhDsaKey * key, byte * output, word32 inLen, int withAlg)
Encodes an SLH_DSA public key to DER. When withAlg is non_zero the output is a full SubjectPublicKeyInfo structure (AlgorithmIdentifier plus BIT STRING). When withAlg is zero the output contains the raw public key bytes without the SPKI wrapping.

Functions Documentation

function wc_SlhDsaKey_Init

int wc_SlhDsaKey_Init(
    SlhDsaKey * key,
    enum SlhDsaParam param,
    void * heap,
    int devId
)

Initializes an SLH-DSA key object with the specified parameter set. Must be called before any other SLH-DSA operation. Use wc_SlhDsaKey_Free() to release resources when done.

Parameters:

  • key Pointer to the SlhDsaKey to initialize.
  • param Parameter set to use. One of: SLHDSA_SHAKE128S, SLHDSA_SHAKE128F, SLHDSA_SHAKE192S, SLHDSA_SHAKE192F, SLHDSA_SHAKE256S, SLHDSA_SHAKE256F, SLHDSA_SHA2_128S, SLHDSA_SHA2_128F, SLHDSA_SHA2_192S, SLHDSA_SHA2_192F, SLHDSA_SHA2_256S, SLHDSA_SHA2_256F.
  • heap Pointer to heap hint for dynamic memory allocation. May be NULL.
  • devId Device identifier for hardware crypto callbacks. Use INVALID_DEVID for software-only.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key is NULL or param is invalid.

SLH-DSA (FIPS 205) is a stateless hash-based digital signature algorithm. Parameter sets control the hash function (SHAKE or SHA2), security level (128, 192, 256), and speed/size tradeoff (s = small signatures, f = fast signing).

Example

SlhDsaKey key;
int ret;

ret = wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
if (ret != 0) {
    // error initializing key
}
// ... use key ...
wc_SlhDsaKey_Free(&key);

function wc_SlhDsaKey_Init_id

int wc_SlhDsaKey_Init_id(
    SlhDsaKey * key,
    enum SlhDsaParam param,
    const unsigned char * id,
    int len,
    void * heap,
    int devId
)

Initializes an SLH-DSA key with a device-side key identifier (id). Equivalent to wc_SlhDsaKey_Init() but also stashes a binary id that a crypto callback can use to look up the underlying key material on the device. Only available when wolfSSL is built with WOLF_PRIVATE_KEY_ID.

Parameters:

  • key Pointer to the SlhDsaKey to initialize.
  • param Parameter set to use (see wc_SlhDsaKey_Init).
  • id Pointer to the device-side key identifier bytes. May be NULL if len is 0.
  • len Number of bytes in id. Must be in [0, SLHDSA_MAX_ID_LEN].
  • heap Pointer to heap hint for dynamic memory allocation. May be NULL.
  • devId Device identifier for the crypto callback. Should be a registered cb devId, not INVALID_DEVID, for the id to be meaningful.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key is NULL, or if id is NULL while len > 0.
  • BUFFER_E if len is negative or greater than SLHDSA_MAX_ID_LEN.

The id is copied into the key object; the caller may free its buffer immediately after this call returns.

Example

SlhDsaKey key;
unsigned char id[8] = { 0x01, 0x02, 0x03, 0x04,
                        0x05, 0x06, 0x07, 0x08 };
int ret;

ret = wc_SlhDsaKey_Init_id(&key, SLHDSA_SHAKE128F, id, sizeof(id),
    NULL, devId);
if (ret != 0) {
    // error initializing key with id
}
// ... use key, the cb resolves id -> device key ...
wc_SlhDsaKey_Free(&key);

function wc_SlhDsaKey_Init_label

int wc_SlhDsaKey_Init_label(
    SlhDsaKey * key,
    enum SlhDsaParam param,
    const char * label,
    void * heap,
    int devId
)

Initializes an SLH-DSA key with a device-side key label. Equivalent to wc_SlhDsaKey_Init() but also stashes a label string that a crypto callback can use to look up the underlying key material on the device. Only available when wolfSSL is built with WOLF_PRIVATE_KEY_ID.

Parameters:

  • key Pointer to the SlhDsaKey to initialize.
  • param Parameter set to use (see wc_SlhDsaKey_Init).
  • label NUL-terminated device-side key label string.
  • heap Pointer to heap hint for dynamic memory allocation. May be NULL.
  • devId Device identifier for the crypto callback. Should be a registered cb devId, not INVALID_DEVID, for the label to be meaningful.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key or label is NULL.
  • BUFFER_E if label is empty or longer than SLHDSA_MAX_LABEL_LEN.

The label length is taken via XSTRLEN, so embedded NUL bytes terminate the label. The copy stored in key->label is NOT guaranteed to be NUL-terminated (when the input is exactly SLHDSA_MAX_LABEL_LEN bytes the entire array is consumed). Consumers must read at most key->labelLen bytes — do not pass key->label to C-string APIs.

Example

SlhDsaKey key;
int ret;

ret = wc_SlhDsaKey_Init_label(&key, SLHDSA_SHAKE128F,
    "device-key-1", NULL, devId);
if (ret != 0) {
    // error initializing key with label
}
// ... use key, the cb resolves label -> device key ...
wc_SlhDsaKey_Free(&key);

function wc_SlhDsaKey_Free

void wc_SlhDsaKey_Free(
    SlhDsaKey * key
)

Frees resources associated with an SLH-DSA key object.

Parameters:

  • key Pointer to the SlhDsaKey to free. May be NULL.

See: wc_SlhDsaKey_Init

Example

SlhDsaKey key;
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
// ... use key ...
wc_SlhDsaKey_Free(&key);

function wc_SlhDsaKey_MakeKey

int wc_SlhDsaKey_MakeKey(
    SlhDsaKey * key,
    WC_RNG * rng
)

Generates a new SLH-DSA key pair using the RNG for randomness. The key must have been initialized with wc_SlhDsaKey_Init() first.

Parameters:

  • key Pointer to an initialized SlhDsaKey.
  • rng Pointer to an initialized WC_RNG.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key or rng is NULL, or key is not initialized.

Example

SlhDsaKey key;
WC_RNG rng;
int ret;

wc_InitRng(&rng);
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
ret = wc_SlhDsaKey_MakeKey(&key, &rng);
if (ret != 0) {
    // error generating key
}

function wc_SlhDsaKey_MakeKeyWithRandom

int wc_SlhDsaKey_MakeKeyWithRandom(
    SlhDsaKey * key,
    const byte * sk_seed,
    word32 sk_seed_len,
    const byte * sk_prf,
    word32 sk_prf_len,
    const byte * pk_seed,
    word32 pk_seed_len
)

Generates an SLH-DSA key pair from caller-provided seed material. This is the deterministic key generation interface — given the same seeds, the same key pair is produced.

Parameters:

  • key Pointer to an initialized SlhDsaKey.
  • sk_seed Secret key seed (n bytes).
  • sk_seed_len Length of sk_seed.
  • sk_prf Secret key PRF seed (n bytes).
  • sk_prf_len Length of sk_prf.
  • pk_seed Public key seed (n bytes).
  • pk_seed_len Length of pk_seed.

See: wc_SlhDsaKey_MakeKey

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key or any seed pointer is NULL, or lengths do not match the parameter set's n value.

Example

SlhDsaKey key;
byte sk_seed[16], sk_prf[16], pk_seed[16]; // n=16 for 128-bit params
int ret;

// fill seeds with known values (e.g. from NIST test vectors)
wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
ret = wc_SlhDsaKey_MakeKeyWithRandom(&key,
    sk_seed, sizeof(sk_seed),
    sk_prf, sizeof(sk_prf),
    pk_seed, sizeof(pk_seed));

function wc_SlhDsaKey_SignDeterministic

int wc_SlhDsaKey_SignDeterministic(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * msg,
    word32 msgSz,
    byte * sig,
    word32 * sigSz
)

Signs a message using the SLH-DSA external (pure) interface with deterministic randomness. This is FIPS 205 Algorithm 22 with opt_rand set to PK.seed. The message M is wrapped internally as M' = 0x00 || len(ctx) || ctx || M before signing.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string for domain separation. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • msg Pointer to the message to sign.
  • msgSz Length of the message.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, msg, sig, or sigSz is NULL.
  • BUFFER_E if the output buffer is too small.

Example

SlhDsaKey key;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte msg[] = "Hello World!";
int ret;

// key already generated via wc_SlhDsaKey_MakeKey()
ret = wc_SlhDsaKey_SignDeterministic(&key, NULL, 0,
    msg, sizeof(msg), sig, &sigSz);

function wc_SlhDsaKey_SignWithRandom

int wc_SlhDsaKey_SignWithRandom(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * msg,
    word32 msgSz,
    byte * sig,
    word32 * sigSz,
    const byte * addRnd
)

Signs a message using the SLH-DSA external (pure) interface with caller-provided additional randomness. This is FIPS 205 Algorithm 22 with an explicit opt_rand value.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • msg Pointer to the message to sign.
  • msgSz Length of the message.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.
  • addRnd Additional randomness (n bytes, where n is the parameter set's security parameter).

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, msg, sig, sigSz, or addRnd is NULL.

Example

SlhDsaKey key;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte msg[] = "Hello World!";
byte addRnd[16]; // n=16 for 128-bit params
int ret;

wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
ret = wc_SlhDsaKey_SignWithRandom(&key, NULL, 0,
    msg, sizeof(msg), sig, &sigSz, addRnd);

function wc_SlhDsaKey_Sign

int wc_SlhDsaKey_Sign(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * msg,
    word32 msgSz,
    byte * sig,
    word32 * sigSz,
    WC_RNG * rng
)

Signs a message using the SLH-DSA external (pure) interface with RNG-provided randomness. This is the general-purpose signing function that uses the WC_RNG for opt_rand.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • msg Pointer to the message to sign.
  • msgSz Length of the message.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.
  • rng Pointer to an initialized WC_RNG.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, msg, sig, sigSz, or rng is NULL.

Example

SlhDsaKey key;
WC_RNG rng;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte msg[] = "Hello World!";
int ret;

ret = wc_SlhDsaKey_Sign(&key, NULL, 0,
    msg, sizeof(msg), sig, &sigSz, &rng);

function wc_SlhDsaKey_Verify

int wc_SlhDsaKey_Verify(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * msg,
    word32 msgSz,
    const byte * sig,
    word32 sigSz
)

Verifies an SLH-DSA signature over a message using the external (pure) interface. This is FIPS 205 Algorithm 24. The message is wrapped internally as M' = 0x00 || len(ctx) || ctx || M before verification.

Parameters:

  • key Pointer to a public SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • msg Pointer to the message to verify.
  • msgSz Length of the message.
  • sig Pointer to the signature to verify.
  • sigSz Length of the signature.

See:

Return:

  • 0 on success (signature valid).
  • BAD_FUNC_ARG if key, msg, or sig is NULL, or ctx is NULL but ctxSz is greater than 0.
  • BAD_LENGTH_E if sigSz does not match the parameter set's signature length.
  • MISSING_KEY if the public key has not been set.
  • SIG_VERIFY_E if the signature is invalid.

Example

SlhDsaKey key;
byte sig[...]; // previously generated signature
word32 sigSz;
byte msg[] = "Hello World!";
int ret;

ret = wc_SlhDsaKey_Verify(&key, NULL, 0,
    msg, sizeof(msg), sig, sigSz);
if (ret == 0) {
    // signature is valid
}

function wc_SlhDsaKey_SignMsgDeterministic

int wc_SlhDsaKey_SignMsgDeterministic(
    SlhDsaKey * key,
    const byte * mprime,
    word32 mprimeSz,
    byte * sig,
    word32 * sigSz
)

Signs using the SLH-DSA internal interface with deterministic randomness. Unlike the external interface, M' is provided directly by the caller — no wrapping is performed. This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with opt_rand set to PK.seed.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • mprime Pointer to the pre-constructed M' message.
  • mprimeSz Length of M'.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, mprime, sig, or sigSz is NULL.
  • BAD_LENGTH_E if sigSz is less than the parameter set's signature length.
  • MISSING_KEY if the private key has not been set.

Use this when the ACVP signatureInterface=internal test framework or a protocol layer has already constructed M'. For HashSLH-DSA the caller builds M' as 0x01 || ctxSz || ctx || OID(hashType) || PHM and passes it in here, where PHM is the hash of the application message under hashType.

Example

SlhDsaKey key;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte mprime[] = { ... }; // pre-constructed M'
int ret;

ret = wc_SlhDsaKey_SignMsgDeterministic(&key,
    mprime, sizeof(mprime), sig, &sigSz);

function wc_SlhDsaKey_SignMsgWithRandom

int wc_SlhDsaKey_SignMsgWithRandom(
    SlhDsaKey * key,
    const byte * mprime,
    word32 mprimeSz,
    byte * sig,
    word32 * sigSz,
    const byte * addRnd
)

Signs using the SLH-DSA internal interface with caller-provided additional randomness. M' is provided directly — no wrapping is performed. This corresponds to FIPS 205 Algorithm 19 (slh_sign_internal) with an explicit opt_rand value. See wc_SlhDsaKey_SignMsgDeterministic for the M' layout used by HashSLH-DSA.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • mprime Pointer to the pre-constructed M' message.
  • mprimeSz Length of M'.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.
  • addRnd Additional randomness (n bytes).

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, mprime, sig, sigSz, or addRnd is NULL.
  • BAD_LENGTH_E if sigSz is less than the parameter set's signature length.
  • MISSING_KEY if the private key has not been set.

Example

SlhDsaKey key;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte mprime[] = { ... };
byte addRnd[16];
int ret;

wc_RNG_GenerateBlock(&rng, addRnd, sizeof(addRnd));
ret = wc_SlhDsaKey_SignMsgWithRandom(&key,
    mprime, sizeof(mprime), sig, &sigSz, addRnd);

function wc_SlhDsaKey_VerifyMsg

int wc_SlhDsaKey_VerifyMsg(
    SlhDsaKey * key,
    const byte * mprime,
    word32 mprimeSz,
    const byte * sig,
    word32 sigSz
)

Verifies an SLH-DSA signature using the internal interface. M' is provided directly — no wrapping is performed. This corresponds to FIPS 205 Algorithm 20 (slh_verify_internal).

Parameters:

  • key Pointer to a public SlhDsaKey.
  • mprime Pointer to the pre-constructed M' message.
  • mprimeSz Length of M'.
  • sig Pointer to the signature to verify.
  • sigSz Length of the signature.

See:

Return:

  • 0 on success (signature valid).
  • BAD_FUNC_ARG if key, mprime, or sig is NULL.
  • BAD_LENGTH_E if sigSz does not match the parameter set's signature length.
  • MISSING_KEY if the public key has not been set.
  • SIG_VERIFY_E if the signature is invalid.

Example

SlhDsaKey key;
byte sig[...]; // previously generated signature
word32 sigSz;
byte mprime[] = { ... };
int ret;

ret = wc_SlhDsaKey_VerifyMsg(&key,
    mprime, sizeof(mprime), sig, sigSz);
if (ret == 0) {
    // signature is valid
}

function wc_SlhDsaKey_SignHashDeterministic

int wc_SlhDsaKey_SignHashDeterministic(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * hash,
    word32 hashSz,
    enum wc_HashType hashType,
    byte * sig,
    word32 * sigSz
)

Signs a caller-pre-hashed message digest using the SLH-DSA external (HashSLH-DSA) interface with deterministic randomness, per FIPS 205 Algorithm 23 with the pre-hash domain separator (0x01). The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • hash Pointer to the pre-hashed message digest. hashSz must equal the digest size for hashType.
  • hashSz Length of the digest in bytes.
  • hashType Hash algorithm used for pre-hashing (selects OID). Supported: WC_HASH_TYPE_SHA224, WC_HASH_TYPE_SHA256, WC_HASH_TYPE_SHA384, WC_HASH_TYPE_SHA512, WC_HASH_TYPE_SHA512_224, WC_HASH_TYPE_SHA512_256, WC_HASH_TYPE_SHAKE128, WC_HASH_TYPE_SHAKE256, WC_HASH_TYPE_SHA3_224, WC_HASH_TYPE_SHA3_256, WC_HASH_TYPE_SHA3_384, WC_HASH_TYPE_SHA3_512.
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, hash, sig, or sigSz is NULL.
  • BAD_LENGTH_E if hashSz does not equal the digest size for hashType (32 for SHAKE128, 64 for SHAKE256 per FIPS 205 Section 10.2.2).
  • NOT_COMPILED_IN if hashType is not supported in this build.
  • MISSING_KEY if the private key has not been set.

Example

SlhDsaKey key;
byte sig[WC_SLHDSA_MAX_SIG_LEN];
word32 sigSz = sizeof(sig);
byte msg[] = "Hello World!";
byte digest[WC_SHA256_DIGEST_SIZE];
int ret;

wc_Sha256Hash(msg, sizeof(msg), digest);
ret = wc_SlhDsaKey_SignHashDeterministic(&key, NULL, 0,
    digest, sizeof(digest), WC_HASH_TYPE_SHA256, sig, &sigSz);

function wc_SlhDsaKey_SignHashWithRandom

int wc_SlhDsaKey_SignHashWithRandom(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * hash,
    word32 hashSz,
    enum wc_HashType hashType,
    byte * sig,
    word32 * sigSz,
    const byte * addRnd
)

Signs a caller-pre-hashed message digest using the SLH-DSA external (HashSLH-DSA) interface with caller-provided additional randomness. The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • hash Pointer to the pre-hashed message digest. hashSz must equal the digest size for hashType.
  • hashSz Length of the digest in bytes.
  • hashType Hash algorithm used for pre-hashing (selects OID).
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.
  • addRnd Additional randomness (n bytes).

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, hash, sig, sigSz, or addRnd is NULL.
  • BAD_LENGTH_E if hashSz does not equal the digest size for hashType (32 for SHAKE128, 64 for SHAKE256 per FIPS 205 Section 10.2.2).
  • NOT_COMPILED_IN if hashType is not supported in this build.

function wc_SlhDsaKey_SignHash

int wc_SlhDsaKey_SignHash(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * hash,
    word32 hashSz,
    enum wc_HashType hashType,
    byte * sig,
    word32 * sigSz,
    WC_RNG * rng
)

Signs a caller-pre-hashed message digest using the SLH-DSA external (HashSLH-DSA) interface with RNG-provided randomness. The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.

Parameters:

  • key Pointer to a private SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • hash Pointer to the pre-hashed message digest. hashSz must equal the digest size for hashType.
  • hashSz Length of the digest in bytes.
  • hashType Hash algorithm used for pre-hashing (selects OID).
  • sig Buffer to receive the signature.
  • sigSz On input, size of sig buffer. On output, actual signature length.
  • rng Pointer to an initialized WC_RNG.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, hash, sig, sigSz, or rng is NULL.
  • BAD_LENGTH_E if hashSz does not equal the digest size for hashType (32 for SHAKE128, 64 for SHAKE256 per FIPS 205 Section 10.2.2).
  • NOT_COMPILED_IN if hashType is not supported in this build.

function wc_SlhDsaKey_VerifyHash

int wc_SlhDsaKey_VerifyHash(
    SlhDsaKey * key,
    const byte * ctx,
    byte ctxSz,
    const byte * hash,
    word32 hashSz,
    enum wc_HashType hashType,
    const byte * sig,
    word32 sigSz
)

Verifies an SLH-DSA signature using the external HashSLH-DSA interface (FIPS 205 Algorithm 25). The caller must hash the application message with hashType first and pass the digest as hash; this function does NOT hash its input.

Parameters:

  • key Pointer to a public SlhDsaKey.
  • ctx Context string. May be NULL if ctxSz is 0.
  • ctxSz Length of the context string (0-255).
  • hash Pointer to the pre-hashed message digest. hashSz must equal the digest size for hashType.
  • hashSz Length of the digest in bytes.
  • hashType Hash algorithm used for pre-hashing (selects OID). Must match the hash used during signing.
  • sig Pointer to the signature to verify.
  • sigSz Length of the signature.

See:

Return:

  • 0 on success (signature valid).
  • BAD_FUNC_ARG if key, hash, or sig is NULL.
  • BAD_LENGTH_E if sigSz does not match the parameter set, or if hashSz does not equal the digest size for hashType (32 for SHAKE128, 64 for SHAKE256 per FIPS 205 Section 10.2.2).
  • NOT_COMPILED_IN if hashType is not supported in this build.
  • MISSING_KEY if the public key has not been set.
  • SIG_VERIFY_E if the signature is invalid.

Example

SlhDsaKey key;
byte sig[...];
word32 sigSz;
byte msg[] = "Hello World!";
byte digest[WC_SHA256_DIGEST_SIZE];
int ret;

wc_Sha256Hash(msg, sizeof(msg), digest);
ret = wc_SlhDsaKey_VerifyHash(&key, NULL, 0,
    digest, sizeof(digest), WC_HASH_TYPE_SHA256, sig, sigSz);
if (ret == 0) {
    // signature is valid
}

function wc_SlhDsaKey_ImportPrivate

int wc_SlhDsaKey_ImportPrivate(
    SlhDsaKey * key,
    const byte * in,
    word32 inLen
)

Imports an SLH-DSA private key from a raw byte buffer. The buffer must contain the full private key (4*n bytes: SK.seed || SK.prf || PK.seed || PK.root). After import, the key can be used for signing.

Parameters:

  • key Pointer to an initialized SlhDsaKey.
  • in Buffer containing the raw private key bytes.
  • inLen Length of the input buffer.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key or in is NULL, or inLen does not match the expected private key size for the parameter set.

Example

SlhDsaKey key;
byte privKey[...]; // 4*n bytes
int ret;

wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
ret = wc_SlhDsaKey_ImportPrivate(&key, privKey, sizeof(privKey));

function wc_SlhDsaKey_ImportPublic

int wc_SlhDsaKey_ImportPublic(
    SlhDsaKey * key,
    const byte * in,
    word32 inLen
)

Imports an SLH-DSA public key from a raw byte buffer. The buffer must contain PK.seed || PK.root (2*n bytes). After import, the key can be used for verification.

Parameters:

  • key Pointer to an initialized SlhDsaKey.
  • in Buffer containing the raw public key bytes.
  • inLen Length of the input buffer.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key or in is NULL, or inLen does not match the expected public key size.

Example

SlhDsaKey key;
byte pubKey[...]; // 2*n bytes
int ret;

wc_SlhDsaKey_Init(&key, SLHDSA_SHAKE128F, NULL, INVALID_DEVID);
ret = wc_SlhDsaKey_ImportPublic(&key, pubKey, sizeof(pubKey));

function wc_SlhDsaKey_CheckKey

int wc_SlhDsaKey_CheckKey(
    SlhDsaKey * key
)

Checks the consistency of an SLH-DSA key. For a key with both private and public components, verifies that the public key matches the private key.

Parameters:

  • key Pointer to the SlhDsaKey to check.

See:

Return:

  • 0 on success (key is valid).
  • BAD_FUNC_ARG if key is NULL.

function wc_SlhDsaKey_ExportPrivate

int wc_SlhDsaKey_ExportPrivate(
    SlhDsaKey * key,
    byte * out,
    word32 * outLen
)

Exports the private key from an SLH-DSA key object into a raw byte buffer (4*n bytes).

Parameters:

  • key Pointer to the SlhDsaKey containing a private key.
  • out Buffer to receive the raw private key bytes.
  • outLen On input, size of out buffer. On output, bytes written.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, out, or outLen is NULL.
  • BUFFER_E if the output buffer is too small.

Example

SlhDsaKey key;
byte privKey[4 * 32]; // 4*n for 256-bit params
word32 privKeySz = sizeof(privKey);
int ret;

ret = wc_SlhDsaKey_ExportPrivate(&key, privKey, &privKeySz);

function wc_SlhDsaKey_ExportPublic

int wc_SlhDsaKey_ExportPublic(
    SlhDsaKey * key,
    byte * out,
    word32 * outLen
)

Exports the public key from an SLH-DSA key object into a raw byte buffer (2*n bytes: PK.seed || PK.root).

Parameters:

  • key Pointer to the SlhDsaKey containing a public key.
  • out Buffer to receive the raw public key bytes.
  • outLen On input, size of out buffer. On output, bytes written.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if key, out, or outLen is NULL.
  • BUFFER_E if the output buffer is too small.

Example

SlhDsaKey key;
byte pubKey[2 * 32];
word32 pubKeySz = sizeof(pubKey);
int ret;

ret = wc_SlhDsaKey_ExportPublic(&key, pubKey, &pubKeySz);

function wc_SlhDsaKey_PrivateSize

int wc_SlhDsaKey_PrivateSize(
    SlhDsaKey * key
)

Returns the private key size in bytes for the key's parameter set.

Parameters:

  • key Pointer to an initialized SlhDsaKey.

See:

Return:

  • Private key size in bytes (4*n) on success.
  • BAD_FUNC_ARG if key is NULL or not initialized.

function wc_SlhDsaKey_PublicSize

int wc_SlhDsaKey_PublicSize(
    SlhDsaKey * key
)

Returns the public key size in bytes for the key's parameter set.

Parameters:

  • key Pointer to an initialized SlhDsaKey.

See:

Return:

  • Public key size in bytes (2*n) on success.
  • BAD_FUNC_ARG if key is NULL or not initialized.

function wc_SlhDsaKey_SigSize

int wc_SlhDsaKey_SigSize(
    SlhDsaKey * key
)

Returns the signature size in bytes for the key's parameter set.

Parameters:

  • key Pointer to an initialized SlhDsaKey.

See:

Return:

  • Signature size in bytes on success.
  • BAD_FUNC_ARG if key is NULL or not initialized.

function wc_SlhDsaKey_PrivateSizeFromParam

int wc_SlhDsaKey_PrivateSizeFromParam(
    enum SlhDsaParam param
)

Returns the private key size in bytes for the given parameter set without needing an initialized key object.

Parameters:

  • param The SLH-DSA parameter set.

See: wc_SlhDsaKey_PrivateSize

Return:

  • Private key size in bytes (4*n) on success.
  • BAD_FUNC_ARG if param is invalid.

function wc_SlhDsaKey_PublicSizeFromParam

int wc_SlhDsaKey_PublicSizeFromParam(
    enum SlhDsaParam param
)

Returns the public key size in bytes for the given parameter set without needing an initialized key object.

Parameters:

  • param The SLH-DSA parameter set.

See: wc_SlhDsaKey_PublicSize

Return:

  • Public key size in bytes (2*n) on success.
  • BAD_FUNC_ARG if param is invalid.

function wc_SlhDsaKey_SigSizeFromParam

int wc_SlhDsaKey_SigSizeFromParam(
    enum SlhDsaParam param
)

Returns the signature size in bytes for the given parameter set without needing an initialized key object.

Parameters:

  • param The SLH-DSA parameter set.

See: wc_SlhDsaKey_SigSize

Return:

  • Signature size in bytes on success.
  • BAD_FUNC_ARG if param is invalid.

function wc_SlhDsaKey_PrivateKeyDecode

int wc_SlhDsaKey_PrivateKeyDecode(
    const byte * input,
    word32 * inOutIdx,
    SlhDsaKey * key,
    word32 inSz
)

Decodes a DER-encoded SLH-DSA private key in the PKCS#8 OneAsymmetricKey format defined by RFC 9909. The privateKey OCTET STRING contains the raw concatenation SK.seed || SK.prf || PK.seed || PK.root (4*n bytes) directly, without a nested OCTET STRING wrapper as used by Ed25519/Ed448. The SLH-DSA parameter set is detected from the AlgorithmIdentifier OID and key->params is updated to match. Available only when WOLFSSL_SLHDSA_VERIFY_ONLY is not defined.

Parameters:

  • input DER-encoded key data.
  • inOutIdx On input, starting offset into input. On output, advanced past the parsed key (unchanged on failure).
  • key SLH-DSA key. Parameter set is auto-detected from the encoded OID.
  • inSz Total size of input in bytes.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if input, inOutIdx, or key is NULL, or inSz is 0.
  • ASN_PARSE_E if the DER cannot be parsed as an SLH-DSA private key (malformed input, wrong key size, or trailing-field violation).
  • NOT_COMPILED_IN if the OID names an SLH-DSA variant that is not built into this library.

On a failure that is detected before any write to key->sk (BAD_FUNC_ARG, header/OID parse errors, or wrong privateKey length), the key state is left untouched. On a failure detected after wc_SlhDsaKey_ImportPrivate has populated key->sk (a SHA-2 precompute error, or a trailing-field validation error), key->sk is scrubbed with ForceZero and the WC_SLHDSA_FLAG_PRIVATE/PUBLIC flags are cleared so flags can never claim valid bytes that were zeroed. In both rollback cases, key->params and inOutIdx are restored to their pre-call values.

function wc_SlhDsaKey_PublicKeyDecode

int wc_SlhDsaKey_PublicKeyDecode(
    const byte * input,
    word32 * inOutIdx,
    SlhDsaKey * key,
    word32 inSz
)

Decodes a DER-encoded SLH-DSA public key in the SubjectPublicKeyInfo (SPKI) format. The SLH-DSA parameter set is detected from the AlgorithmIdentifier OID and key->params is updated accordingly.

Parameters:

  • input DER-encoded key data, or a raw 2*n public key when key->params is already set.
  • inOutIdx On input, starting offset into input. On output, advanced past the parsed key (unchanged on failure).
  • key SLH-DSA key. Parameter set is auto-detected from the encoded OID, or honored as-is in the raw fast path.
  • inSz Total size of input in bytes.

See:

Return:

  • 0 on success.
  • BAD_FUNC_ARG if input, inOutIdx, or key is NULL, or inSz is 0.
  • ASN_PARSE_E if the DER cannot be parsed as an SLH-DSA public key.
  • NOT_COMPILED_IN if the OID names an SLH-DSA variant that is not built into this library.

As a fast path, if key->params is already set the function first hands the entire window from inOutIdx to inSz to wc_SlhDsaKey_ImportPublic. ImportPublic's length check is the disambiguator: a window of exactly 2n bytes is accepted as a raw public key (PK.seed || PK.root) and consumed in full; any other length is rejected and the function falls through to SPKI parsing. SPKI input always carries enough AlgorithmIdentifier/BIT STRING overhead that it never collides with the 2n raw length, so it falls through cleanly. The caller does not need to pre-trim the window to 2*n.

On a failure detected before any write (BAD_FUNC_ARG or a malformed SPKI), the key state is left untouched. On a failure detected after ImportPublic has populated the public half of key->sk (a SHA-2 precompute error), the public half sk[2n .. 4n] is scrubbed and WC_SLHDSA_FLAG_PUBLIC is cleared from the flags; the private half is left intact in case the caller imported it earlier. key->params and inOutIdx are restored to their pre-call values.

function wc_SlhDsaKey_KeyToDer

int wc_SlhDsaKey_KeyToDer(
    SlhDsaKey * key,
    byte * output,
    word32 inLen
)

Encodes an SLH-DSA private key to DER in the PKCS#8 OneAsymmetricKey format defined by RFC 9909. The privateKey OCTET STRING contains the raw 4*n bytes (SK.seed || SK.prf || PK.seed || PK.root) directly, without the nested OCTET STRING wrapping used by Ed25519/Ed448.

Parameters:

  • key SLH-DSA key with a populated private key.
  • output Buffer to receive the DER encoding, or NULL to query the required size.
  • inLen Size of output in bytes (ignored when output is NULL).

See:

Return:

  • Size of the encoded DER in bytes on success. Pass NULL as output to query the required buffer size without writing.
  • BAD_FUNC_ARG if key or key->params is NULL.
  • MISSING_KEY if the private key has not been set.
  • BUFFER_E if output is non-NULL and inLen is smaller than the required size.
  • NOT_COMPILED_IN if key->params names an SLH-DSA variant whose parameter set is not built in.

Available only when WOLFSSL_SLHDSA_VERIFY_ONLY is not defined and WC_ENABLE_ASYM_KEY_EXPORT is set.

function wc_SlhDsaKey_PrivateKeyToDer

int wc_SlhDsaKey_PrivateKeyToDer(
    SlhDsaKey * key,
    byte * output,
    word32 inLen
)

Encodes an SLH-DSA private key to DER. RFC 9909 packs SK.seed || SK.prf || PK.seed || PK.root into a single OCTET STRING, so SLH-DSA has no distinct private-only encoding. This function is an intentional alias of wc_SlhDsaKey_KeyToDer, kept for API parity with Ed25519/Ed448 which do have a separate private form.

Parameters:

  • key SLH-DSA key with a populated private key.
  • output Buffer to receive the DER encoding, or NULL to query the required size.
  • inLen Size of output in bytes (ignored when output is NULL).

See:

Return:

  • Size of the encoded DER in bytes on success. Pass NULL as output to query the required buffer size.
  • BAD_FUNC_ARG if key or key->params is NULL.
  • MISSING_KEY if the private key has not been set.
  • BUFFER_E if output is non-NULL and inLen is smaller than the required size.
  • NOT_COMPILED_IN if key->params names an SLH-DSA variant whose parameter set is not built in.

Available only when WOLFSSL_SLHDSA_VERIFY_ONLY is not defined and WC_ENABLE_ASYM_KEY_EXPORT is set.

Return codes are inherited unchanged from wc_SlhDsaKey_KeyToDer.

function wc_SlhDsaKey_PublicKeyToDer

int wc_SlhDsaKey_PublicKeyToDer(
    SlhDsaKey * key,
    byte * output,
    word32 inLen,
    int withAlg
)

Encodes an SLH-DSA public key to DER. When withAlg is non-zero the output is a full SubjectPublicKeyInfo structure (AlgorithmIdentifier plus BIT STRING). When withAlg is zero the output contains the raw public key bytes without the SPKI wrapping.

Parameters:

  • key SLH-DSA key with a populated public key.
  • output Buffer to receive the DER encoding, or NULL to query the required size.
  • inLen Size of output in bytes (ignored when output is NULL).
  • withAlg Non-zero to emit SubjectPublicKeyInfo (with AlgorithmIdentifier); zero to emit the raw public key only.

See:

Return:

  • Size of the encoded DER in bytes on success. Pass NULL as output to query the required buffer size.
  • BAD_FUNC_ARG if key or key->params is NULL.
  • BUFFER_E if output is non-NULL and inLen is smaller than the required size.
  • NOT_COMPILED_IN if key->params names an SLH-DSA variant whose parameter set is not built in.

Available only when WC_ENABLE_ASYM_KEY_EXPORT is set.

Source code


int wc_SlhDsaKey_Init(SlhDsaKey* key, enum SlhDsaParam param,
    void* heap, int devId);

int wc_SlhDsaKey_Init_id(SlhDsaKey* key, enum SlhDsaParam param,
    const unsigned char* id, int len, void* heap, int devId);

int wc_SlhDsaKey_Init_label(SlhDsaKey* key, enum SlhDsaParam param,
    const char* label, void* heap, int devId);

void wc_SlhDsaKey_Free(SlhDsaKey* key);

int wc_SlhDsaKey_MakeKey(SlhDsaKey* key, WC_RNG* rng);

int wc_SlhDsaKey_MakeKeyWithRandom(SlhDsaKey* key,
    const byte* sk_seed, word32 sk_seed_len,
    const byte* sk_prf, word32 sk_prf_len,
    const byte* pk_seed, word32 pk_seed_len);

int wc_SlhDsaKey_SignDeterministic(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz);

int wc_SlhDsaKey_SignWithRandom(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
    const byte* addRnd);

int wc_SlhDsaKey_Sign(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* msg, word32 msgSz, byte* sig, word32* sigSz,
    WC_RNG* rng);

int wc_SlhDsaKey_Verify(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* msg, word32 msgSz, const byte* sig,
    word32 sigSz);

int wc_SlhDsaKey_SignMsgDeterministic(SlhDsaKey* key,
    const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz);

int wc_SlhDsaKey_SignMsgWithRandom(SlhDsaKey* key,
    const byte* mprime, word32 mprimeSz, byte* sig, word32* sigSz,
    const byte* addRnd);

int wc_SlhDsaKey_VerifyMsg(SlhDsaKey* key, const byte* mprime,
    word32 mprimeSz, const byte* sig, word32 sigSz);

int wc_SlhDsaKey_SignHashDeterministic(SlhDsaKey* key,
    const byte* ctx, byte ctxSz, const byte* hash, word32 hashSz,
    enum wc_HashType hashType, byte* sig, word32* sigSz);

int wc_SlhDsaKey_SignHashWithRandom(SlhDsaKey* key,
    const byte* ctx, byte ctxSz, const byte* hash, word32 hashSz,
    enum wc_HashType hashType, byte* sig, word32* sigSz, const byte* addRnd);

int wc_SlhDsaKey_SignHash(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* hash, word32 hashSz, enum wc_HashType hashType,
    byte* sig, word32* sigSz, WC_RNG* rng);

int wc_SlhDsaKey_VerifyHash(SlhDsaKey* key, const byte* ctx,
    byte ctxSz, const byte* hash, word32 hashSz, enum wc_HashType hashType,
    const byte* sig, word32 sigSz);

int wc_SlhDsaKey_ImportPrivate(SlhDsaKey* key, const byte* in,
    word32 inLen);

int wc_SlhDsaKey_ImportPublic(SlhDsaKey* key, const byte* in,
    word32 inLen);

int wc_SlhDsaKey_CheckKey(SlhDsaKey* key);

int wc_SlhDsaKey_ExportPrivate(SlhDsaKey* key, byte* out,
    word32* outLen);

int wc_SlhDsaKey_ExportPublic(SlhDsaKey* key, byte* out,
    word32* outLen);

int wc_SlhDsaKey_PrivateSize(SlhDsaKey* key);

int wc_SlhDsaKey_PublicSize(SlhDsaKey* key);

int wc_SlhDsaKey_SigSize(SlhDsaKey* key);

int wc_SlhDsaKey_PrivateSizeFromParam(enum SlhDsaParam param);

int wc_SlhDsaKey_PublicSizeFromParam(enum SlhDsaParam param);

int wc_SlhDsaKey_SigSizeFromParam(enum SlhDsaParam param);

int wc_SlhDsaKey_PrivateKeyDecode(const byte* input, word32* inOutIdx,
    SlhDsaKey* key, word32 inSz);

int wc_SlhDsaKey_PublicKeyDecode(const byte* input, word32* inOutIdx,
    SlhDsaKey* key, word32 inSz);

int wc_SlhDsaKey_KeyToDer(SlhDsaKey* key, byte* output, word32 inLen);

int wc_SlhDsaKey_PrivateKeyToDer(SlhDsaKey* key, byte* output, word32 inLen);

int wc_SlhDsaKey_PublicKeyToDer(SlhDsaKey* key, byte* output, word32 inLen,
    int withAlg);

Updated on 2026-07-16 at 03:12:19 +0000