RubyGems - pq_crypto - Versions diffs - 0.3.2 → 0.5.0 - Mend

pq_crypto 0.3.2 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

data/lib/pq_crypto/signature.rb CHANGED Viewed

@@ -6,22 +6,33 @@ module PQCrypto
   module Signature
     CANONICAL_ALGORITHM = :ml_dsa_65
-    DETAILS = {
-      CANONICAL_ALGORITHM => {
-        name: CANONICAL_ALGORITHM,
-        family: Serialization.algorithm_to_family(CANONICAL_ALGORITHM),
-        oid: Serialization.algorithm_to_oid(CANONICAL_ALGORITHM),
-        public_key_bytes: SIGN_PUBLIC_KEY_BYTES,
-        secret_key_bytes: SIGN_SECRET_KEY_BYTES,
-        signature_bytes: SIGN_BYTES,
-        description: "ML-DSA-65 signature primitive (FIPS 204).",
+    DETAILS = AlgorithmRegistry.details_for_family(:ml_dsa).freeze
+    NATIVE_DISPATCH = {
+      ml_dsa_44: {
+        keypair: :native_ml_dsa_44_keypair,
+        sign: :native_ml_dsa_44_sign,
+        verify: :native_ml_dsa_44_verify,
+        keypair_from_seed: :native_ml_dsa_44_keypair_from_seed,
+      }.freeze,
+      ml_dsa_65: {
+        keypair: :native_sign_keypair,
+        sign: :native_sign,
+        verify: :native_verify,
+        keypair_from_seed: :native_ml_dsa_keypair_from_seed,
+      }.freeze,
+      ml_dsa_87: {
+        keypair: :native_ml_dsa_87_keypair,
+        sign: :native_ml_dsa_87_sign,
+        verify: :native_ml_dsa_87_verify,
+        keypair_from_seed: :native_ml_dsa_87_keypair_from_seed,
       }.freeze,
     }.freeze
     class << self
       def generate(algorithm = CANONICAL_ALGORITHM)
-        resolve_algorithm!(algorithm)
-        public_key, secret_key = PQCrypto.__send__(:native_sign_keypair)
+        algorithm = resolve_algorithm!(algorithm)
+        public_key, secret_key = PQCrypto.__send__(native_method_for(algorithm, :keypair))
         Keypair.new(PublicKey.new(algorithm, public_key), SecretKey.new(algorithm, secret_key))
       end
@@ -59,6 +70,26 @@ module PQCrypto
         SecretKey.new(resolved_algorithm, bytes)
       end
+      def public_key_from_spki_der(der, algorithm: nil)
+        resolved_algorithm, bytes = SPKI.decode_der(der)
+        validate_algorithm_match!(algorithm, resolved_algorithm) if algorithm
+        PublicKey.new(resolve_algorithm!(resolved_algorithm), bytes)
+      end
+      def public_key_from_spki_pem(pem, algorithm: nil)
+        resolved_algorithm, bytes = SPKI.decode_pem(pem)
+        validate_algorithm_match!(algorithm, resolved_algorithm) if algorithm
+        PublicKey.new(resolve_algorithm!(resolved_algorithm), bytes)
+      end
+      def secret_key_from_pkcs8_der(der)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_der(der))
+      end
+      def secret_key_from_pkcs8_pem(pem)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_pem(pem))
+      end
       def details(algorithm)
         DETAILS.fetch(resolve_algorithm!(algorithm)).dup
       end
@@ -75,9 +106,43 @@ module PQCrypto
         raise UnsupportedAlgorithmError, "Unsupported signature algorithm: #{algorithm.inspect}"
       end
+      def secret_key_from_decoded_pkcs8(algorithm, format, material)
+        algorithm = resolve_algorithm!(algorithm)
+        case format
+        when :expanded
+          SecretKey.new(algorithm, material)
+        when :seed
+          _public_key, expanded = PQCrypto.__send__(native_method_for(algorithm, :keypair_from_seed), material)
+          SecretKey.new(algorithm, expanded)
+        when :both
+          _seed, expanded = material
+          SecretKey.new(algorithm, expanded)
+        else
+          raise SerializationError, "Unsupported ML-DSA PKCS#8 private key format: #{format.inspect}"
+        end
+      rescue ArgumentError => e
+        raise InvalidKeyError, e.message
+      end
+      def native_method_for(algorithm, operation)
+        NATIVE_DISPATCH.fetch(resolve_algorithm!(algorithm)).fetch(operation)
+      end
+      def validate_algorithm_match!(expected_algorithm, actual_algorithm)
+        expected = resolve_algorithm!(expected_algorithm)
+        return if expected == actual_algorithm
+        raise SerializationError,
+              "Expected #{expected.inspect}, got #{actual_algorithm.inspect} (SPKI key algorithm mismatch)"
+      rescue UnsupportedAlgorithmError => e
+        raise SerializationError, e.message
+      end
       def _streaming_sign(secret_key, io, chunk_size, context)
+        validate_streaming_algorithm!(secret_key.algorithm)
         validate_chunk_size!(chunk_size)
-        validate_context!(context)
+        context = validate_context!(context)
         validate_io!(io)
         sk_bytes = secret_key.__send__(:bytes_for_native)
@@ -87,7 +152,7 @@ module PQCrypto
           raise InvalidKeyError, e.message
         end
-        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context.b)
+        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
         builder_consumed = false
         mu = nil
         begin
@@ -103,8 +168,9 @@ module PQCrypto
       end
       def _streaming_verify(public_key, io, signature, chunk_size, context)
+        validate_streaming_algorithm!(public_key.algorithm)
         validate_chunk_size!(chunk_size)
-        validate_context!(context)
+        context = validate_context!(context)
         validate_io!(io)
         pk_bytes = public_key.__send__(:bytes_for_native)
@@ -114,7 +180,7 @@ module PQCrypto
           raise InvalidKeyError, e.message
         end
-        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context.b)
+        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
         builder_consumed = false
         mu = nil
         sig_bytes = String(signature).b
@@ -162,6 +228,14 @@ module PQCrypto
         if ctx.bytesize > 255
           raise ArgumentError, "context must be at most 255 bytes (FIPS 204)"
         end
+        ctx
+      end
+      def validate_streaming_algorithm!(algorithm)
+        return if resolve_algorithm!(algorithm) == CANONICAL_ALGORITHM
+        raise UnsupportedAlgorithmError,
+              "Streaming sign_io/verify_io currently supports only #{CANONICAL_ALGORITHM.inspect}"
       end
     end
@@ -203,8 +277,16 @@ module PQCrypto
         Serialization.public_key_to_pqc_container_pem(@algorithm, @bytes)
       end
+      def to_spki_der
+        SPKI.encode_der(@algorithm, @bytes)
+      end
+      def to_spki_pem
+        SPKI.encode_pem(@algorithm, @bytes)
+      end
       def verify(message, signature)
-        PQCrypto.__send__(:native_verify, String(message).b, String(signature).b, @bytes)
+        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), String(message).b, String(signature).b, @bytes)
       rescue ArgumentError => e
         raise InvalidKeyError, e.message
       end
@@ -273,8 +355,32 @@ module PQCrypto
         Serialization.secret_key_to_pqc_container_pem(@algorithm, @bytes)
       end
+      def to_pkcs8_der(format: :expanded)
+        case format
+        when :expanded
+          PKCS8.encode_der(@algorithm, @bytes, format: :expanded)
+        when :seed, :both
+          raise SerializationError,
+                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
+      def to_pkcs8_pem(format: :expanded)
+        case format
+        when :expanded
+          PKCS8.encode_pem(@algorithm, @bytes, format: :expanded)
+        when :seed, :both
+          raise SerializationError,
+                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
       def sign(message)
-        PQCrypto.__send__(:native_sign, String(message).b, @bytes)
+        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), String(message).b, @bytes)
       rescue ArgumentError => e
         raise InvalidKeyError, e.message
       end

data/lib/pq_crypto/spki.rb ADDED Viewed

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+require "openssl"
+module PQCrypto
+  module SPKI
+    PEM_LABEL = "PUBLIC KEY"
+    PEM_BEGIN = "-----BEGIN #{PEM_LABEL}-----"
+    PEM_END = "-----END #{PEM_LABEL}-----"
+    class << self
+      def encode_der(algorithm_symbol, public_key_bytes)
+        entry = AlgorithmRegistry.fetch(algorithm_symbol)
+        validate_public_key_algorithm!(algorithm_symbol, entry)
+        bytes = String(public_key_bytes).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm_symbol.inspect} public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::ObjectId.new(AlgorithmRegistry.standard_oid(algorithm_symbol)),
+          ]),
+          OpenSSL::ASN1::BitString.new(bytes),
+        ]).to_der.b
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+      def encode_pem(algorithm_symbol, public_key_bytes)
+        der = encode_der(algorithm_symbol, public_key_bytes)
+        body = encode_base64(der).scan(/.{1,64}/).join("\n")
+        "#{PEM_BEGIN}\n#{body}\n#{PEM_END}\n"
+      end
+      def decode_der(der)
+        input = String(der).b
+        outer = decode_asn1(input)
+        raise SerializationError, "SPKI DER contains trailing data" unless outer.to_der.b == input
+        raise SerializationError, "SPKI must be an ASN.1 SEQUENCE" unless outer.is_a?(OpenSSL::ASN1::Sequence)
+        raise SerializationError, "SPKI SEQUENCE must contain exactly 2 elements" unless outer.value.size == 2
+        algorithm_identifier, subject_public_key = outer.value
+        algorithm = decode_algorithm_identifier(algorithm_identifier)
+        entry = AlgorithmRegistry.fetch(algorithm)
+        validate_public_key_algorithm!(algorithm, entry)
+        unless subject_public_key.is_a?(OpenSSL::ASN1::BitString)
+          raise SerializationError, "SPKI subjectPublicKey must be a BIT STRING"
+        end
+        unless subject_public_key.unused_bits.zero?
+          raise SerializationError, "SPKI subjectPublicKey must have zero unused bits"
+        end
+        bytes = String(subject_public_key.value).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm.inspect} SPKI public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+        [algorithm, bytes]
+      end
+      def decode_pem(pem)
+        der = der_from_pem(pem)
+        decode_der(der)
+      end
+      private
+      def decode_asn1(der)
+        OpenSSL::ASN1.decode(der)
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+      def decode_algorithm_identifier(value)
+        unless value.is_a?(OpenSSL::ASN1::Sequence)
+          raise SerializationError, "SPKI algorithm must be an AlgorithmIdentifier SEQUENCE"
+        end
+        unless value.value.size == 1
+          raise SerializationError, "SPKI AlgorithmIdentifier parameters must be absent"
+        end
+        oid = value.value.first
+        raise SerializationError, "SPKI AlgorithmIdentifier must contain an OBJECT IDENTIFIER" unless oid.is_a?(OpenSSL::ASN1::ObjectId)
+        algorithm = AlgorithmRegistry.by_standard_oid(oid.oid)
+        raise SerializationError, "Unsupported SPKI algorithm OID: #{oid.oid}" if algorithm.nil?
+        algorithm
+      end
+      def validate_public_key_algorithm!(algorithm_symbol, entry)
+        return if %i[ml_kem ml_dsa].include?(entry.fetch(:family))
+        raise SerializationError, "SPKI public key codec is not supported for #{algorithm_symbol.inspect}"
+      end
+      def encode_base64(bytes)
+        [String(bytes).b].pack("m0")
+      end
+      def decode_base64(body)
+        compact = body.gsub(/[\r\n]/, "")
+        unless compact.match?(/\A(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?\z/)
+          raise SerializationError, "Invalid SPKI PEM: invalid base64"
+        end
+        compact.unpack1("m0").b
+      rescue ArgumentError => e
+        raise SerializationError, e.message
+      end
+      def der_from_pem(pem)
+        text = String(pem)
+        match = text.match(/\A#{Regexp.escape(PEM_BEGIN)}\r?\n(?<body>[A-Za-z0-9+\/=\r\n]+)\r?\n#{Regexp.escape(PEM_END)}[ \t\r\n]*\z/)
+        raise SerializationError, "Invalid SPKI PEM: expected #{PEM_LABEL.inspect} label" unless match
+        body = match[:body]
+        raise SerializationError, "Invalid SPKI PEM: embedded NUL in body" if body.include?("\0")
+        decode_base64(body)
+      end
+    end
+  end
+end

data/lib/pq_crypto/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module PQCrypto
-  VERSION = "0.3.2"
+  VERSION = "0.5.0"
 end

data/lib/pq_crypto.rb CHANGED Viewed

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
-require "rbconfig"
-require_relative "pq_crypto/version"
-require_relative "pq_crypto/errors"
 begin
-  require "pqcrypto/pqcrypto_secure"
+  require "pqcrypto/pqcrypto_secure" # native extension first
 rescue LoadError => original_error
+  require "rbconfig"
   ext_dir = File.expand_path("pqcrypto", __dir__)
   extensions = [".#{RbConfig::CONFIG.fetch('DLEXT')}", ".bundle", ".so"].uniq
   search_dirs = [ext_dir, File.join(ext_dir, "pqcrypto")].uniq
@@ -30,13 +28,21 @@ rescue LoadError => original_error
   raise original_error unless loaded
 end
+require_relative "pq_crypto/errors"
+require_relative "pq_crypto/version"
+require_relative "pq_crypto/algorithm_registry"
 require_relative "pq_crypto/serialization"
+require_relative "pq_crypto/spki"
+require_relative "pq_crypto/pkcs8"
+require_relative "pq_crypto/kem"
+require_relative "pq_crypto/signature"
+require_relative "pq_crypto/hybrid_kem"
 module PQCrypto
   SUITES = {
-    kem: [:ml_kem_768].freeze,
-    hybrid_kem: [:ml_kem_768_x25519_xwing].freeze,
-    signature: [:ml_dsa_65].freeze,
+    kem: AlgorithmRegistry.supported_kems,
+    hybrid_kem: AlgorithmRegistry.supported_hybrid_kems,
+    signature: AlgorithmRegistry.supported_signatures,
   }.freeze
   NATIVE_EXTENSION_LOADED = true
@@ -44,14 +50,32 @@ module PQCrypto
   module NativeBindings
     NATIVE_METHODS = %i[
       ml_kem_keypair
+      ml_kem_keypair_from_seed
       ml_kem_encapsulate
       ml_kem_decapsulate
+      ml_kem_512_keypair
+      ml_kem_512_keypair_from_seed
+      ml_kem_512_encapsulate
+      ml_kem_512_decapsulate
+      ml_kem_1024_keypair
+      ml_kem_1024_keypair_from_seed
+      ml_kem_1024_encapsulate
+      ml_kem_1024_decapsulate
       hybrid_kem_keypair
       hybrid_kem_encapsulate
       hybrid_kem_decapsulate
       sign_keypair
       sign
       verify
+      ml_dsa_44_keypair
+      ml_dsa_44_keypair_from_seed
+      ml_dsa_keypair_from_seed
+      ml_dsa_44_sign
+      ml_dsa_44_verify
+      ml_dsa_87_keypair
+      ml_dsa_87_keypair_from_seed
+      ml_dsa_87_sign
+      ml_dsa_87_verify
       ct_equals
       secure_wipe
       version
@@ -65,8 +89,14 @@ module PQCrypto
       secret_key_from_pqc_container_pem
       __test_ml_kem_keypair_from_seed
       __test_ml_kem_encapsulate_from_seed
+      __test_ml_kem_512_encapsulate_from_seed
+      __test_ml_kem_1024_encapsulate_from_seed
       __test_sign_keypair_from_seed
+      __test_ml_dsa_44_keypair_from_seed
+      __test_ml_dsa_87_keypair_from_seed
       __test_sign_from_seed
+      __test_ml_dsa_44_sign_from_seed
+      __test_ml_dsa_87_sign_from_seed
     ].freeze
     EXTERNAL_MU_METHODS = %i[
@@ -99,7 +129,7 @@ module PQCrypto
     end
     def backend
-      :native_pqclean
+      :native_pq_code_package
     end
     def native_extension_loaded?
@@ -127,32 +157,61 @@ module PQCrypto
   end
   module Testing
-    def self.ml_kem_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_ml_kem_keypair_from_seed, String(seed).b)
+    KEM_KEYPAIR_METHODS = {
+      ml_kem_512: :native_ml_kem_512_keypair_from_seed,
+      ml_kem_768: :native_ml_kem_keypair_from_seed,
+      ml_kem_1024: :native_ml_kem_1024_keypair_from_seed,
+    }.freeze
+    KEM_ENCAPSULATE_METHODS = {
+      ml_kem_512: :native_test_ml_kem_512_encapsulate_from_seed,
+      ml_kem_768: :native_test_ml_kem_encapsulate_from_seed,
+      ml_kem_1024: :native_test_ml_kem_1024_encapsulate_from_seed,
+    }.freeze
+    MLDSA_KEYPAIR_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_keypair_from_seed,
+      ml_dsa_65: :native_test_sign_keypair_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_keypair_from_seed,
+    }.freeze
+    MLDSA_SIGN_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_sign_from_seed,
+      ml_dsa_65: :native_test_sign_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_sign_from_seed,
+    }.freeze
+    def self.ml_kem_keypair_from_seed(seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
-    def self.ml_kem_encapsulate_from_seed(public_key, seed)
-      PQCrypto.__send__(:native_test_ml_kem_encapsulate_from_seed, String(public_key).b, String(seed).b)
+    def self.ml_kem_encapsulate_from_seed(public_key, seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_ENCAPSULATE_METHODS.fetch(algorithm), String(public_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
-    def self.ml_dsa_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_sign_keypair_from_seed, String(seed).b)
+    def self.ml_dsa_keypair_from_seed(seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
-    def self.ml_dsa_sign_from_seed(message, secret_key, seed)
-      PQCrypto.__send__(:native_test_sign_from_seed, String(message).b, String(secret_key).b, String(seed).b)
+    def self.ml_dsa_sign_from_seed(message, secret_key, seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_SIGN_METHODS.fetch(algorithm), String(message).b, String(secret_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
   end
 end
-require_relative "pq_crypto/kem"
-require_relative "pq_crypto/hybrid_kem"
-require_relative "pq_crypto/signature"