Add PQC signature support

.gitignore

@@ -66,6 +66,9 @@ examples/eckeygen
 examples/rsakeygen
 examples/ed25519keygen
 examples/ed448keygen
+examples/falcon512keygen
+examples/mldsa87keygen
+examples/slhdsa256skeygen
 examples/storecert
 
 test-driver
@@ -90,6 +93,7 @@ tests/ed25519-keygen
 tests/ed448-keygen
 tests/ed25519-keygen-prov
 tests/ed448-keygen-prov
+tests/mldsa87-keygen-prov
 tests/check-all-prov
 
 tests/*.log

NEWS

@@ -3,6 +3,9 @@ NEWS for Libp11 -- History of user visible changes
 New in 0.4.19; unreleased
 * Define LIBP11_VERSION_NUMBER (Michał Trojnara)
 * Added PKCS#11 provider support for OpenSSL 4.x. (Małgorzata Olszówka)
+* Added support for ML-DSA, SLH-DSA and FALCON key generation, signing and
+  verification (Małgorzata Olszówka)
+* Added PQC key generation examples and provider tests (Małgorzata Olszówka)
 
 New in 0.4.18; 2026-02-16; Michał Trojnara
 * Support for RSA-PSS and RSA-OAEP using keys retrieved using the

examples/Makefile.am

@@ -4,7 +4,10 @@ AM_CPPFLAGS = -I$(srcdir) -I$(top_srcdir)/src \
 
 EXTRA_DIST = README
 
-noinst_PROGRAMS = auth decrypt getrandom listkeys listkeys_ext ed25519keygen ed448keygen eckeygen rsakeygen storecert
+noinst_PROGRAMS = auth decrypt getrandom listkeys listkeys_ext \
+	ed25519keygen ed448keygen eckeygen rsakeygen \
+	mldsa87keygen slhdsa256skeygen falcon512keygen \
+	storecert
 
 LDADD = ../src/libp11.la $(OPENSSL_LIBS)
 

examples/ed25519keygen.c

@@ -27,13 +27,13 @@
  * SUCH DAMAGE.
  */
 
+#include <libp11.h>
+#include <string.h>
+
 #if !defined(OPENSSL_NO_EC) && \
     (OPENSSL_VERSION_NUMBER >= 0x30000000L) && \
     (OPENSSL_VERSION_NUMBER < 0x40000000L)
 
-#include <libp11.h>
-#include <string.h>
-
 #define CHECK_ERR(cond, txt, code) \
 	do { \
 		if (cond) { \

examples/ed448keygen.c

@@ -27,13 +27,13 @@
  * SUCH DAMAGE.
  */
 
+#include <libp11.h>
+#include <string.h>
+
 #if !defined(OPENSSL_NO_EC) && \
     (OPENSSL_VERSION_NUMBER >= 0x30000000L) && \
     (OPENSSL_VERSION_NUMBER < 0x40000000L)
 
-#include <libp11.h>
-#include <string.h>
-
 #define CHECK_ERR(cond, txt, code) \
 	do { \
 		if (cond) { \

examples/falcon512keygen.c

@@ -0,0 +1,205 @@
+/*
+ * Copyright © 2026 Mobi - Com Polska Sp. z o.o.
+ * Author: Małgorzata Olszówka <Malgorzata.Olszowka@stunnel.org>
+ * All rights reserved.
+ *
+ * PQC FALCON 512 key generation
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <libp11.h>
+#include <string.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+
+#define EVP_PKEY_FALCON512 0x10001
+
+#define CHECK_ERR(cond, txt, code) \
+	do { \
+		if (cond) { \
+			fprintf(stderr, "%s\n", (txt)); \
+			rc=(code); \
+			goto end; \
+		} \
+	} while (0)
+
+static void error_queue(const char *name)
+{
+	if (ERR_peek_last_error()) {
+		fprintf(stderr, "%s generated errors:\n", name);
+		ERR_print_errors_fp(stderr);
+	}
+}
+
+static int hex_to_bytes(const char *hex, unsigned char *out, size_t out_len)
+{
+	size_t i;
+
+	for (i = 0; i < out_len; i++) {
+		if (sscanf(hex + (i * 2), "%2hhx", &out[i]) != 1) {
+			return -1;
+		}
+	}
+	return 0;
+}
+
+static void list_keys(const char *title, const PKCS11_KEY *keys,
+		const unsigned int nkeys) {
+	unsigned int i;
+
+	printf("\n%s:\n", title);
+	for (i = 0; i < nkeys; i++) {
+		printf(" #%d id=", i);
+		for (size_t j = 0; j < keys[i].id_len; j++) {
+			printf("%02x", keys[i].id[j]);
+		}
+		printf(";object=%s\n", keys[i].label);
+	}
+}
+
+static int register_falcon512_oid(void)
+{
+	int nid;
+
+	nid = OBJ_txt2nid("1.3.9999.3.11");
+	if (nid != NID_undef)
+		return nid;
+
+	return OBJ_create("1.3.9999.3.11", "FALCON512", "Falcon-512");
+}
+
+int main(int argc, char *argv[])
+{
+	PKCS11_CTX *ctx = NULL;
+	PKCS11_SLOT *slots = NULL, *slot;
+	PKCS11_KEY *keys;
+	unsigned int nslots, nkeys;
+	unsigned char *key_id = NULL;
+	size_t len, key_id_len;
+	const char *key_id_str;
+	int rc = 0;
+	int falcon512_nid = register_falcon512_oid();
+	PKCS11_NID_KGEN falcon = { .nid = falcon512_nid };
+	PKCS11_params params = {.sensitive = 1, .extractable = 0};
+	PKCS11_KGEN_ATTRS mlkg = {0};
+
+	if (argc < 5) {
+		fprintf(stderr, "usage: %s [module] [TOKEN] [KEY-LABEL] [KEY-ID] [PIN]\n", argv[0]);
+		return 1;
+	}
+	key_id_str = argv[4];
+	len = strlen(key_id_str);
+	CHECK_ERR(len % 2 != 0, "Invalid key ID format: odd length", 1);
+
+	/* key_id_str is a null-terminated string, but key_id is not */
+	key_id_len = len / 2;
+	key_id = OPENSSL_malloc(key_id_len);
+	CHECK_ERR(!key_id, "Memory allocation failed for key ID", 2);
+
+	rc = hex_to_bytes(key_id_str, key_id, key_id_len);
+	CHECK_ERR(rc != 0, "Invalid hex digit in key ID", 3);
+
+	ctx = PKCS11_CTX_new();
+	error_queue("PKCS11_CTX_new");
+
+	/* load PKCS#11 module */
+	rc = PKCS11_CTX_load(ctx, argv[1]);
+	error_queue("PKCS11_CTX_load");
+	CHECK_ERR(rc < 0, "loading PKCS#11 module failed", 4);
+
+	/* get information on all slots */
+	rc = PKCS11_enumerate_slots(ctx, &slots, &nslots);
+	error_queue("PKCS11_enumerate_slots");
+	CHECK_ERR(rc < 0, "no slots available", 5);
+
+	slot = PKCS11_find_token(ctx, slots, nslots);
+	error_queue("PKCS11_find_token");
+	while (slot) {
+		if (slot->token && slot->token->initialized && slot->token->label
+			&& strcmp(argv[2], slot->token->label) == 0)
+			break;
+		slot = PKCS11_find_next_token(ctx, slots, nslots, slot);
+	};
+	CHECK_ERR(!slot || !slot->token, "no token available", 6);
+
+	printf("Found token:\n");
+	printf("Slot manufacturer......: %s\n", slot->manufacturer);
+	printf("Slot description.......: %s\n", slot->description);
+	printf("Slot token label.......: %s\n", slot->token->label);
+	printf("Slot token serialnr....: %s\n", slot->token->serialnr);
+
+	rc = PKCS11_login(slot, 0, argv[5]);
+	error_queue("PKCS11_login");
+	CHECK_ERR(rc < 0, "PKCS11_login failed", 7);
+
+	mlkg.type = EVP_PKEY_FALCON512;
+	mlkg.kgen.nid = &falcon;
+	mlkg.token_label = argv[2];
+	mlkg.key_label = argv[3];
+	/* key_id is a raw binary buffer of length key_id_len */
+	mlkg.key_id = (const unsigned char *)key_id;
+	mlkg.id_len = key_id_len;
+	mlkg.key_params = &params;
+
+	rc = PKCS11_keygen(slot->token, &mlkg);
+	error_queue("PKCS11_keygen");
+	CHECK_ERR(rc < 0, "Failed to generate a key pair on the token", 8);
+
+	printf("\nFalcon-512 keys generated\n");
+
+	/* get private keys */
+	rc = PKCS11_enumerate_keys(slot->token, &keys, &nkeys);
+	error_queue("PKCS11_enumerate_keys");
+	CHECK_ERR(rc < 0, "PKCS11_enumerate_keys failed", 9);
+	CHECK_ERR(nkeys == 0, "No private keys found", 10);
+	list_keys("Private keys", keys, nkeys);
+
+end:
+	if (slots)
+		PKCS11_release_all_slots(ctx, slots, nslots);
+	if (ctx) {
+		PKCS11_CTX_unload(ctx);
+		PKCS11_CTX_free(ctx);
+	}
+	OPENSSL_free(key_id);
+
+	if (rc)
+		printf("Failed (error code %d).\n", rc);
+	else
+		printf("Success.\n");
+	return rc;
+}
+
+#else /* OPENSSL_VERSION_NUMBER >= 0x30500000L */
+
+#include <stdio.h>
+
+int main(void)
+{
+	fprintf(stderr, "Skipped: requires OpenSSL 3.5 built\n");
+	return 77;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30500000L */
+
+/* vim: set noexpandtab: */