diff --git a/bindings/wasm/Cargo.toml b/bindings/wasm/Cargo.toml
index 25bc84f..bbc88be 100644
--- a/bindings/wasm/Cargo.toml
+++ b/bindings/wasm/Cargo.toml
@@ -20,6 +20,11 @@ console_error_panic_hook = { version = "0.1", optional = true }
 # aes-gcm (via the reader) pulls getrandom 0.2; the wasm32-unknown-unknown
 # target needs its "js" backend explicitly enabled to build.
 getrandom = { version = "0.2", features = ["js"] }
+# ml-dsa 0.1 (via the reader) pulls getrandom 0.4, which renamed the wasm
+# backend feature from "js" to "wasm_js". Both versions coexist in the
+# dep graph; we surface the 0.4 instance here under a rename so we can
+# enable wasm_js without colliding with the 0.2 alias above.
+getrandom_v04 = { package = "getrandom", version = "0.4", features = ["wasm_js"] }
 
 [features]
 default = ["console_error_panic_hook"]
diff --git a/impl/rust/pqf-reader/Cargo.toml b/impl/rust/pqf-reader/Cargo.toml
index 584ff99..2017d77 100644
--- a/impl/rust/pqf-reader/Cargo.toml
+++ b/impl/rust/pqf-reader/Cargo.toml
@@ -26,11 +26,11 @@ ml-kem = "0.2"
 
 # Hybrid signatures
 ed25519-dalek = { version = "2.1", features = ["std"] }
-# Pinned to 0.0.4 (not 0.1) because ml-dsa 0.1 swapped to the
-# `signature` 3.0 Verifier trait and renamed the verify method. Same
-# situation as ml-kem above — dep-compatible but needs code changes
-# in reader.rs.
-ml-dsa = "0.0.4"
+# ml-dsa 0.1 routes the `signature::Verifier::verify` trait method to
+# FIPS 204 Algorithm 8 (no domain separator). BouncyCastle's pure
+# ML-DSA-87 signs with Algorithm 3 (with the empty-context prefix), so
+# the verifier in reader.rs uses `verify_with_context(msg, &[], &sig)`.
+ml-dsa = "0.1.0"
 
 # AEAD + hashing + KDF
 aes-gcm = "0.10"
diff --git a/impl/rust/pqf-reader/src/reader.rs b/impl/rust/pqf-reader/src/reader.rs
index 08ceb8e..822c0e5 100644
--- a/impl/rust/pqf-reader/src/reader.rs
+++ b/impl/rust/pqf-reader/src/reader.rs
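Review bot: Enabling the `wasm_js` feature on the renamed `getrandom_v04` entry may not be sufficient by itself: since getrandom 0.3 the wasm32-unknown-unknown backend also has to be selected with `--cfg getrandom_backend="wasm_js"` in RUSTFLAGS (typically via `.cargo/config.toml`), and this hunk shows no such configuration, so if 0.4 keeps that requirement the wasm build will still stop with a missing-backend compile error. Worth confirming against the 0.4 documentation and, if needed, adding the cfg to the wasm build config alongside this entry. The renamed crate is never imported from code, so a short comment such as `# not referenced from source; exists only to activate the feature on the transitive 0.4 instance` would keep a later cleanup from dropping it as unused.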
@@ -533,7 +533,7 @@ fn verify_mldsa87(pub_key: &[u8], message: &[u8], sig: &[u8]) -> bool {
     let Some(parsed) = ml_dsa::Signature::::decode(&sig_encoded) else {
         return false;
     };
-    vk.verify(message, &parsed).is_ok()
+    vk.verify_with_context(message, &[], &parsed)
 }
 
 fn decode_mlkem_dk(
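Review bot: The hard-coded empty context on the new `vk.verify_with_context(message, &[], &parsed)` line encodes an interoperability assumption (the signer used pure ML-DSA with ctx = "") that is explained only in pqf-reader/Cargo.toml, not at the call site where the next reader will see it. A one-line comment above the call, `// Pure ML-DSA (FIPS 204 Alg. 3) with empty ctx; the trait-level verify() is Verify_internal (Alg. 8) and rejects such signatures.`, would keep it from being "simplified" back to `verify()`. Because a mismatch here fails closed as a plain `false` rather than an error, only a known-answer test with a signature produced by the external signer would catch a regression, and none is visible in this diff. The enclosing fn verify_mldsa87 begins before the hunk. Minor: the Cargo.toml comment says the signer uses "Algorithm 3"; in FIPS 204 that is ML-DSA.Verify and signing is Algorithm 2, so the Verify/Verify_internal (Alg. 3 vs 8) pairing it describes is right but the label is off.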