parallaxsecond · wiktor-k · Sep 15, 2025 · Sep 9, 2025 · Sep 9, 2025
diff --git a/cryptoki/src/mechanism/mldsa.rs → cryptoki/src/mechanism/dsa.rs b/cryptoki/src/mechanism/mldsa.rs → cryptoki/src/mechanism/dsa.rs
@@ -1,11 +1,11 @@
-//! ML-DSA mechanism types
+//! ML-DSA and SLH-DSA mechanism parameters
 
 use crate::mechanism::{Mechanism, MechanismType};
 
 use cryptoki_sys::*;
 use std::{convert::TryInto, marker::PhantomData, ptr::null_mut};
 
-/// The hedge type for ML-DSA signature
+/// The hedge type for ML-DSA and SLH-DSA signature
 #[derive(Debug, Clone, Copy, PartialEq, Default)]
 pub enum HedgeType {
     /// Token may create either a hedged signature or a deterministic signature
@@ -33,7 +33,7 @@ impl From<HedgeType> for CK_ULONG {
     }
 }
 
-/// The ML-DSA additional context for signatures
+/// The ML-DSA and SLH-DSA additional context for signatures
 ///
 /// This structure wraps `CK_SIGN_ADDITIONAL_CONTEXT` structure.
 #[derive(Debug, Clone, Copy)]
@@ -44,7 +44,7 @@ pub struct SignAdditionalContext<'a> {
 }
 
 impl SignAdditionalContext<'_> {
-    /// Construct ML-DSA signature parameters.
+    /// Construct ML-DSA and SLH-DSA signature parameters.
     ///
     /// # Arguments
     ///
@@ -94,7 +94,7 @@ impl SignAdditionalContext<'_> {
     }
 }
 
-/// The ML-DSA additional context for signatures with hashing information
+/// The ML-DSA and SLH-DSA additional context for signatures with hashing information
 ///
 /// This structure wraps `CK_HASH_SIGN_ADDITIONAL_CONTEXT` structure.
 #[derive(Debug, Clone, Copy)]
@@ -105,7 +105,7 @@ pub struct HashSignAdditionalContext<'a> {
 }
 
 impl HashSignAdditionalContext<'_> {
-    /// Construct HashML-DSA Signature parameters.
+    /// Construct HashML-DSA or HashSLH-DSA Signature parameters.
     ///
     /// # Arguments
     ///

diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -3,13 +3,13 @@
 //! Data types for mechanisms
 
 pub mod aead;
+pub mod dsa;
 pub mod eddsa;
 pub mod ekdf;
 pub mod elliptic_curve;
 pub mod hkdf;
 pub mod kbkdf;
 mod mechanism_info;
-pub mod mldsa;
 pub mod rsa;
 pub mod vendor_defined;
 
@@ -402,6 +402,58 @@ impl MechanismType {
         val: CKM_HASH_ML_DSA_SHAKE256,
     };
 
+    // SLH-DSA
+    /// SLH-DSA key pair generation mechanism
+    pub const SLH_DSA_KEY_PAIR_GEN: MechanismType = MechanismType {
+        val: CKM_SLH_DSA_KEY_PAIR_GEN,
+    };
+    /// SLH-DSA signature mechanism
+    pub const SLH_DSA: MechanismType = MechanismType { val: CKM_SLH_DSA };
+    /// HashSLH-DSA signature mechanism
+    pub const HASH_SLH_DSA: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA,
+    };
+    /// HashSLH-DSA signature mechanism with SHA224
+    pub const HASH_SLH_DSA_SHA224: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA224,
+    };
+    /// HashSLH-DSA signature mechanism with SHA256
+    pub const HASH_SLH_DSA_SHA256: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA256,
+    };
+    /// HashSLH-DSA signature mechanism with SHA384
+    pub const HASH_SLH_DSA_SHA384: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA384,
+    };
+    /// HashSLH-DSA signature mechanism with SHA512
+    pub const HASH_SLH_DSA_SHA512: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA512,
+    };
+    /// HashSLH-DSA signature mechanism with SHA3-224
+    pub const HASH_SLH_DSA_SHA3_224: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA3_224,
+    };
+    /// HashML-DSA signature mechanism with SHA3-256
+    pub const HASH_SLH_DSA_SHA3_256: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA3_256,
+    };
+    /// HashML-DSA signature mechanism with SHA3-384
+    pub const HASH_SLH_DSA_SHA3_384: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA3_384,
+    };
+    /// HashML-DSA signature mechanism with SHA3-512
+    pub const HASH_SLH_DSA_SHA3_512: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHA3_512,
+    };
+    /// HashSLH-DSA signature mechanism with SHAKE128
+    pub const HASH_SLH_DSA_SHAKE128: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHAKE128,
+    };
+    /// HashML-DSA signature mechanism with SHAKE256
+    pub const HASH_SLH_DSA_SHAKE256: MechanismType = MechanismType {
+        val: CKM_HASH_SLH_DSA_SHAKE256,
+    };
+
     /// Create vendor defined mechanism
     ///
     /// # Arguments
@@ -811,6 +863,19 @@ impl MechanismType {
             CKM_HASH_ML_DSA_SHA3_512 => String::from(stringify!(CKM_HASH_ML_DSA_SHA3_512)),
             CKM_HASH_ML_DSA_SHAKE128 => String::from(stringify!(CKM_HASH_ML_DSA_SHAKE128)),
             CKM_HASH_ML_DSA_SHAKE256 => String::from(stringify!(CKM_HASH_ML_DSA_SHAKE256)),
+            CKM_SLH_DSA_KEY_PAIR_GEN => String::from(stringify!(CKM_SLH_DSA_KEY_PAIR_GEN)),
+            CKM_SLH_DSA => String::from(stringify!(CKM_SLH_DSA)),
+            CKM_HASH_SLH_DSA => String::from(stringify!(CKM_HASH_SLH_DSA)),
+            CKM_HASH_SLH_DSA_SHA224 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA224)),
+            CKM_HASH_SLH_DSA_SHA256 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA256)),
+            CKM_HASH_SLH_DSA_SHA384 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA384)),
+            CKM_HASH_SLH_DSA_SHA512 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA512)),
+            CKM_HASH_SLH_DSA_SHA3_224 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA3_224)),
+            CKM_HASH_SLH_DSA_SHA3_256 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA3_256)),
+            CKM_HASH_SLH_DSA_SHA3_384 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA3_384)),
+            CKM_HASH_SLH_DSA_SHA3_512 => String::from(stringify!(CKM_HASH_SLH_DSA_SHA3_512)),
+            CKM_HASH_SLH_DSA_SHAKE128 => String::from(stringify!(CKM_HASH_SLH_DSA_SHAKE128)),
+            CKM_HASH_SLH_DSA_SHAKE256 => String::from(stringify!(CKM_HASH_SLH_DSA_SHAKE256)),
             _ => format!("unknown {mech:08x}"),
         }
     }
@@ -912,6 +977,18 @@ impl TryFrom<CK_MECHANISM_TYPE> for MechanismType {
             CKM_HASH_ML_DSA_SHA3_384 => Ok(MechanismType::HASH_ML_DSA_SHA3_384),
             CKM_HASH_ML_DSA_SHA3_512 => Ok(MechanismType::HASH_ML_DSA_SHA3_512),
             CKM_HASH_ML_DSA_SHAKE128 => Ok(MechanismType::HASH_ML_DSA_SHAKE128),
+            CKM_SLH_DSA_KEY_PAIR_GEN => Ok(MechanismType::SLH_DSA_KEY_PAIR_GEN),
+            CKM_SLH_DSA => Ok(MechanismType::SLH_DSA),
+            CKM_HASH_SLH_DSA => Ok(MechanismType::HASH_SLH_DSA),
+            CKM_HASH_SLH_DSA_SHA224 => Ok(MechanismType::HASH_SLH_DSA_SHA224),
+            CKM_HASH_SLH_DSA_SHA256 => Ok(MechanismType::HASH_SLH_DSA_SHA256),
+            CKM_HASH_SLH_DSA_SHA384 => Ok(MechanismType::HASH_SLH_DSA_SHA384),
+            CKM_HASH_SLH_DSA_SHA512 => Ok(MechanismType::HASH_SLH_DSA_SHA512),
+            CKM_HASH_SLH_DSA_SHA3_224 => Ok(MechanismType::HASH_SLH_DSA_SHA3_224),
+            CKM_HASH_SLH_DSA_SHA3_256 => Ok(MechanismType::HASH_SLH_DSA_SHA3_256),
+            CKM_HASH_SLH_DSA_SHA3_384 => Ok(MechanismType::HASH_SLH_DSA_SHA3_384),
+            CKM_HASH_SLH_DSA_SHA3_512 => Ok(MechanismType::HASH_SLH_DSA_SHA3_512),
+            CKM_HASH_SLH_DSA_SHAKE128 => Ok(MechanismType::HASH_SLH_DSA_SHAKE128),
             other => {
                 error!("Mechanism type {} is not supported.", other);
                 Err(Error::NotSupported)
@@ -1152,29 +1229,57 @@ pub enum Mechanism<'a> {
     /// ML-DSA key pair generation mechanism
     MlDsaKeyPairGen,
     /// ML-DSA signature mechanism
-    MlDsa(mldsa::SignAdditionalContext<'a>),
+    MlDsa(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism
-    HashMlDsa(mldsa::HashSignAdditionalContext<'a>),
+    HashMlDsa(dsa::HashSignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA224
-    HashMlDsaSha224(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha224(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA256
-    HashMlDsaSha256(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha256(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA384
-    HashMlDsaSha384(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha384(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA512
-    HashMlDsaSha512(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha512(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA3-224
-    HashMlDsaSha3_224(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha3_224(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA3-256
-    HashMlDsaSha3_256(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha3_256(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA3-384
-    HashMlDsaSha3_384(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha3_384(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHA3-512
-    HashMlDsaSha3_512(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaSha3_512(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHAKE128
-    HashMlDsaShake128(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaShake128(dsa::SignAdditionalContext<'a>),
     /// HashML-DSA signature mechanism with SHAKE256
-    HashMlDsaShake256(mldsa::SignAdditionalContext<'a>),
+    HashMlDsaShake256(dsa::SignAdditionalContext<'a>),
+
+    // SLH-DSA
+    /// SLH-DSA key pair generation mechanism
+    SlhDsaKeyPairGen,
+    /// SLH-DSA signature mechanism
+    SlhDsa(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism
+    HashSlhDsa(dsa::HashSignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA224
+    HashSlhDsaSha224(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA256
+    HashSlhDsaSha256(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA384
+    HashSlhDsaSha384(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA512
+    HashSlhDsaSha512(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA3-224
+    HashSlhDsaSha3_224(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA3-256
+    HashSlhDsaSha3_256(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA3-384
+    HashSlhDsaSha3_384(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHA3-512
+    HashSlhDsaSha3_512(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHAKE128
+    HashSlhDsaShake128(dsa::SignAdditionalContext<'a>),
+    /// HashSLH-DSA signature mechanism with SHAKE256
+    HashSlhDsaShake256(dsa::SignAdditionalContext<'a>),
 
     /// Vendor defined mechanism
     VendorDefined(VendorDefinedMechanism<'a>),
@@ -1278,6 +1383,20 @@ impl Mechanism<'_> {
             Mechanism::HashMlDsaShake128(_) => MechanismType::HASH_ML_DSA_SHAKE128,
             Mechanism::HashMlDsaShake256(_) => MechanismType::HASH_ML_DSA_SHAKE256,
 
+            Mechanism::SlhDsaKeyPairGen => MechanismType::SLH_DSA_KEY_PAIR_GEN,
+            Mechanism::SlhDsa(_) => MechanismType::SLH_DSA,
+            Mechanism::HashSlhDsa(_) => MechanismType::HASH_SLH_DSA,
+            Mechanism::HashSlhDsaSha224(_) => MechanismType::HASH_SLH_DSA_SHA224,
+            Mechanism::HashSlhDsaSha256(_) => MechanismType::HASH_SLH_DSA_SHA256,
+            Mechanism::HashSlhDsaSha384(_) => MechanismType::HASH_SLH_DSA_SHA384,
+            Mechanism::HashSlhDsaSha512(_) => MechanismType::HASH_SLH_DSA_SHA512,
+            Mechanism::HashSlhDsaSha3_224(_) => MechanismType::HASH_SLH_DSA_SHA3_224,
+            Mechanism::HashSlhDsaSha3_256(_) => MechanismType::HASH_SLH_DSA_SHA3_256,
+            Mechanism::HashSlhDsaSha3_384(_) => MechanismType::HASH_SLH_DSA_SHA3_384,
+            Mechanism::HashSlhDsaSha3_512(_) => MechanismType::HASH_SLH_DSA_SHA3_512,
+            Mechanism::HashSlhDsaShake128(_) => MechanismType::HASH_SLH_DSA_SHAKE128,
+            Mechanism::HashSlhDsaShake256(_) => MechanismType::HASH_SLH_DSA_SHAKE256,
+
             Mechanism::VendorDefined(vm) => MechanismType {
                 val: vm.inner.mechanism,
             },
@@ -1353,6 +1472,25 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
                 },
                 Some(params) => make_mechanism(mechanism, params),
             },
+            Mechanism::HashSlhDsa(params) => make_mechanism(mechanism, params),
+            Mechanism::SlhDsa(params)
+            | Mechanism::HashSlhDsaSha224(params)
+            | Mechanism::HashSlhDsaSha256(params)
+            | Mechanism::HashSlhDsaSha384(params)
+            | Mechanism::HashSlhDsaSha512(params)
+            | Mechanism::HashSlhDsaSha3_224(params)
+            | Mechanism::HashSlhDsaSha3_256(params)
+            | Mechanism::HashSlhDsaSha3_384(params)
+            | Mechanism::HashSlhDsaSha3_512(params)
+            | Mechanism::HashSlhDsaShake128(params)
+            | Mechanism::HashSlhDsaShake256(params) => match params.inner() {
+                None => CK_MECHANISM {
+                    mechanism,
+                    pParameter: null_mut(),
+                    ulParameterLen: 0,
+                },
+                Some(params) => make_mechanism(mechanism, params),
+            },
             // Mechanisms without parameters
             Mechanism::AesKeyGen
             | Mechanism::AesEcb
@@ -1400,7 +1538,8 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
             | Mechanism::HkdfKeyGen
             | Mechanism::MlKemKeyPairGen
             | Mechanism::MlKem
-            | Mechanism::MlDsaKeyPairGen => CK_MECHANISM {
+            | Mechanism::MlDsaKeyPairGen
+            | Mechanism::SlhDsaKeyPairGen => CK_MECHANISM {
                 mechanism,
                 pParameter: null_mut(),
                 ulParameterLen: 0,