RubyGems - pq_crypto - Versions diffs - 0.4.2 → 0.5.1 - Mend

pq_crypto 0.4.2 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (410) hide show

data/ext/pqcrypto/pqcrypto_secure.c CHANGED Viewed

@@ -15,19 +15,12 @@
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/rand.h>
-#include <openssl/bio.h>
-#include <openssl/buffer.h>
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 #error "OpenSSL 3.0 or later is required for pq_crypto"
 #endif
-#ifndef HAVE_PQCLEAN
-#error "PQClean-backed algorithms are required. Run: bundle exec rake vendor"
-#endif
-#include "mlkem_api.h"
-#include "mldsa_api.h"
+#include "pqcrypto_native_api.h"
 void pq_secure_wipe(void *ptr, size_t len) {
     if (ptr == NULL) {
@@ -54,43 +47,6 @@ static int pq_is_pem_whitespace(char c) {
     return c == '\n' || c == '\r' || c == ' ' || c == '\t';
 }
-static int x25519_keypair(uint8_t *pk, uint8_t *sk) {
-    EVP_PKEY_CTX *ctx = NULL;
-    EVP_PKEY *pkey = NULL;
-    size_t pklen = X25519_PUBLICKEYBYTES;
-    size_t sklen = X25519_SECRETKEYBYTES;
-    int ret = PQ_ERROR_KEYPAIR;
-    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
-    if (!ctx)
-        goto cleanup;
-    if (EVP_PKEY_keygen_init(ctx) <= 0)
-        goto cleanup;
-    if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
-        goto cleanup;
-    if (EVP_PKEY_get_raw_private_key(pkey, sk, &sklen) <= 0)
-        goto cleanup;
-    if (sklen != X25519_SECRETKEYBYTES)
-        goto cleanup;
-    if (EVP_PKEY_get_raw_public_key(pkey, pk, &pklen) <= 0)
-        goto cleanup;
-    if (pklen != X25519_PUBLICKEYBYTES)
-        goto cleanup;
-    ret = PQ_SUCCESS;
-cleanup:
-    if (pkey)
-        EVP_PKEY_free(pkey);
-    if (ctx)
-        EVP_PKEY_CTX_free(ctx);
-    return ret;
-}
 static int x25519_public_from_private(uint8_t *pk, const uint8_t *sk) {
     EVP_PKEY *pkey = NULL;
     size_t pklen = X25519_PUBLICKEYBYTES;
@@ -117,16 +73,15 @@ cleanup:
     return ret;
 }
-static int x25519_shared_secret(uint8_t *shared, const uint8_t *their_pk, const uint8_t *my_sk) {
+static int x25519_shared_secret_with_pkey(uint8_t *shared, const uint8_t *their_pk, EVP_PKEY *pkey) {
     EVP_PKEY_CTX *ctx = NULL;
-    EVP_PKEY *pkey = NULL;
     EVP_PKEY *peer_key = NULL;
     size_t shared_len = X25519_SHAREDSECRETBYTES;
     int ret = PQ_ERROR_ENCAPSULATE;
-    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, my_sk, X25519_SECRETKEYBYTES);
-    if (!pkey)
-        goto cleanup;
+    if (!shared || !their_pk || !pkey) {
+        return PQ_ERROR_BUFFER;
+    }
     peer_key = EVP_PKEY_new_raw_public_key(EVP_PKEY_X25519, NULL, their_pk, X25519_PUBLICKEYBYTES);
     if (!peer_key)
@@ -155,53 +110,94 @@ cleanup:
         EVP_PKEY_CTX_free(ctx);
     if (peer_key)
         EVP_PKEY_free(peer_key);
-    if (pkey)
-        EVP_PKEY_free(pkey);
     return ret;
 }
-static const uint8_t XWING_LABEL[6] = {0x5c, 0x2e, 0x2f, 0x2f, 0x5e, 0x5c};
+static int x25519_shared_secret(uint8_t *shared, const uint8_t *their_pk, const uint8_t *my_sk) {
+    EVP_PKEY *pkey = NULL;
+    int ret;
-static int xwing_combiner(uint8_t shared_secret[HYBRID_SHAREDSECRETBYTES],
-                          const uint8_t ss_M[MLKEM_SHAREDSECRETBYTES],
-                          const uint8_t ss_X[X25519_SHAREDSECRETBYTES],
-                          const uint8_t ct_X[X25519_PUBLICKEYBYTES],
-                          const uint8_t pk_X[X25519_PUBLICKEYBYTES]) {
-    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-    unsigned int out_len = 0;
-    int ret = PQ_ERROR_OPENSSL;
+    if (!shared || !their_pk || !my_sk) {
+        return PQ_ERROR_BUFFER;
+    }
-    if (!ctx) {
-        return PQ_ERROR_OPENSSL;
+    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, my_sk, X25519_SECRETKEYBYTES);
+    if (!pkey)
+        return PQ_ERROR_ENCAPSULATE;
+    ret = x25519_shared_secret_with_pkey(shared, their_pk, pkey);
+    EVP_PKEY_free(pkey);
+    return ret;
+}
+static int x25519_ephemeral_keypair_and_shared_secret(uint8_t *ephemeral_pk, uint8_t *shared,
+                                                       const uint8_t *their_pk) {
+    EVP_PKEY_CTX *keygen_ctx = NULL;
+    EVP_PKEY *ephemeral_pkey = NULL;
+    size_t pklen = X25519_PUBLICKEYBYTES;
+    int ret = PQ_ERROR_ENCAPSULATE;
+    if (!ephemeral_pk || !shared || !their_pk) {
+        return PQ_ERROR_BUFFER;
     }
-    if (EVP_DigestInit_ex(ctx, EVP_sha3_256(), NULL) != 1)
+    keygen_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
+    if (!keygen_ctx)
         goto cleanup;
-    if (EVP_DigestUpdate(ctx, ss_M, MLKEM_SHAREDSECRETBYTES) != 1)
-        goto cleanup;
-    if (EVP_DigestUpdate(ctx, ss_X, X25519_SHAREDSECRETBYTES) != 1)
-        goto cleanup;
-    if (EVP_DigestUpdate(ctx, ct_X, X25519_PUBLICKEYBYTES) != 1)
-        goto cleanup;
-    if (EVP_DigestUpdate(ctx, pk_X, X25519_PUBLICKEYBYTES) != 1)
+    if (EVP_PKEY_keygen_init(keygen_ctx) <= 0)
         goto cleanup;
-    if (EVP_DigestUpdate(ctx, XWING_LABEL, sizeof(XWING_LABEL)) != 1)
+    if (EVP_PKEY_keygen(keygen_ctx, &ephemeral_pkey) <= 0)
         goto cleanup;
-    if (EVP_DigestFinal_ex(ctx, shared_secret, &out_len) != 1)
+    if (EVP_PKEY_get_raw_public_key(ephemeral_pkey, ephemeral_pk, &pklen) <= 0)
         goto cleanup;
-    if (out_len != HYBRID_SHAREDSECRETBYTES)
+    if (pklen != X25519_PUBLICKEYBYTES)
         goto cleanup;
-    ret = PQ_SUCCESS;
+    ret = x25519_shared_secret_with_pkey(shared, their_pk, ephemeral_pkey);
 cleanup:
-    EVP_MD_CTX_free(ctx);
+    if (ephemeral_pkey)
+        EVP_PKEY_free(ephemeral_pkey);
+    if (keygen_ctx)
+        EVP_PKEY_CTX_free(keygen_ctx);
     return ret;
 }
+static const uint8_t XWING_LABEL[6] = {0x5c, 0x2e, 0x2f, 0x2f, 0x5e, 0x5c};
+static int xwing_combiner(uint8_t shared_secret[HYBRID_SHAREDSECRETBYTES],
+                          const uint8_t ss_M[MLKEM_SHAREDSECRETBYTES],
+                          const uint8_t ss_X[X25519_SHAREDSECRETBYTES],
+                          const uint8_t ct_X[X25519_PUBLICKEYBYTES],
+                          const uint8_t pk_X[X25519_PUBLICKEYBYTES]) {
+    uint8_t input[MLKEM_SHAREDSECRETBYTES + X25519_SHAREDSECRETBYTES +
+                  X25519_PUBLICKEYBYTES + X25519_PUBLICKEYBYTES + sizeof(XWING_LABEL)];
+    uint8_t *cur = input;
+    if (!shared_secret || !ss_M || !ss_X || !ct_X || !pk_X) {
+        return PQ_ERROR_BUFFER;
+    }
+    memcpy(cur, ss_M, MLKEM_SHAREDSECRETBYTES);
+    cur += MLKEM_SHAREDSECRETBYTES;
+    memcpy(cur, ss_X, X25519_SHAREDSECRETBYTES);
+    cur += X25519_SHAREDSECRETBYTES;
+    memcpy(cur, ct_X, X25519_PUBLICKEYBYTES);
+    cur += X25519_PUBLICKEYBYTES;
+    memcpy(cur, pk_X, X25519_PUBLICKEYBYTES);
+    cur += X25519_PUBLICKEYBYTES;
+    memcpy(cur, XWING_LABEL, sizeof(XWING_LABEL));
+    pqcr_mlkem_sha3_256(shared_secret, input, sizeof(input));
+    pq_secure_wipe(input, sizeof(input));
+    return PQ_SUCCESS;
+}
 static int xwing_expand_secret_key(hybrid_expanded_secret_key_t *expanded_key,
                                    const uint8_t seed[HYBRID_SECRETKEYBYTES]) {
-    EVP_MD_CTX *ctx = NULL;
     uint8_t expanded[XWING_EXPANDEDBYTES];
     int ret = PQ_ERROR_OPENSSL;
@@ -212,19 +208,9 @@ static int xwing_expand_secret_key(hybrid_expanded_secret_key_t *expanded_key,
     memset(expanded_key, 0, sizeof(*expanded_key));
     memset(expanded, 0, sizeof(expanded));
-    ctx = EVP_MD_CTX_new();
-    if (!ctx)
-        goto cleanup;
-    if (EVP_DigestInit_ex(ctx, EVP_shake256(), NULL) != 1)
-        goto cleanup;
-    if (EVP_DigestUpdate(ctx, seed, HYBRID_SECRETKEYBYTES) != 1)
-        goto cleanup;
-    if (EVP_DigestFinalXOF(ctx, expanded, sizeof(expanded)) != 1)
-        goto cleanup;
+    pqcr_mlkem_shake256(expanded, sizeof(expanded), seed, HYBRID_SECRETKEYBYTES);
-    ret = PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair_derand(expanded_key->mlkem_pk,
-                                                           expanded_key->mlkem_sk, expanded);
+    ret = pqcr_mlkem768_keypair_derand(expanded_key->mlkem_pk, expanded_key->mlkem_sk, expanded);
     if (ret != 0) {
         ret = PQ_ERROR_KEYPAIR;
         goto cleanup;
@@ -239,8 +225,6 @@ static int xwing_expand_secret_key(hybrid_expanded_secret_key_t *expanded_key,
     ret = PQ_SUCCESS;
 cleanup:
-    if (ctx)
-        EVP_MD_CTX_free(ctx);
     pq_secure_wipe(expanded, sizeof(expanded));
     if (ret != PQ_SUCCESS && expanded_key) {
         pq_secure_wipe(expanded_key, sizeof(*expanded_key));
@@ -248,31 +232,36 @@ cleanup:
     return ret;
 }
-#define PQ_MLKEM_VARIANTS(X)    \
-    X(mlkem, MLKEM768_CLEAN)    \
-    X(mlkem512, MLKEM512_CLEAN) \
-    X(mlkem1024, MLKEM1024_CLEAN)
-#define PQ_DEFINE_MLKEM_SHIMS(prefix, pqclean)                                             \
-    int pq_##prefix##_keypair(uint8_t *pk, uint8_t *sk) {                                  \
-        return PQCLEAN_##pqclean##_crypto_kem_keypair(pk, sk) == 0 ? PQ_SUCCESS            \
-                                                                   : PQ_ERROR_KEYPAIR;     \
-    }                                                                                      \
-    int pq_##prefix##_keypair_from_seed(uint8_t *pk, uint8_t *sk, const uint8_t *seed64) { \
-        if (!pk || !sk || !seed64) {                                                       \
-            return PQ_ERROR_BUFFER;                                                        \
-        }                                                                                  \
-        return PQCLEAN_##pqclean##_crypto_kem_keypair_derand(pk, sk, seed64) == 0          \
-                   ? PQ_SUCCESS                                                            \
-                   : PQ_ERROR_KEYPAIR;                                                     \
-    }                                                                                      \
-    int pq_##prefix##_encapsulate(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {           \
-        return PQCLEAN_##pqclean##_crypto_kem_enc(ct, ss, pk) == 0 ? PQ_SUCCESS            \
-                                                                   : PQ_ERROR_ENCAPSULATE; \
-    }                                                                                      \
-    int pq_##prefix##_decapsulate(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {     \
-        return PQCLEAN_##pqclean##_crypto_kem_dec(ss, ct, sk) == 0 ? PQ_SUCCESS            \
-                                                                   : PQ_ERROR_DECAPSULATE; \
+#define PQ_MLKEM_VARIANTS(X)             \
+    X(mlkem, pqcr_mlkem768)             \
+    X(mlkem512, pqcr_mlkem512)          \
+    X(mlkem1024, pqcr_mlkem1024)
+#define PQ_DEFINE_MLKEM_SHIMS(prefix, native)                                             \
+    int pq_##prefix##_keypair(uint8_t *pk, uint8_t *sk) {                                \
+        if (!pk || !sk) {                                                                 \
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_keypair(pk, sk) == 0 ? PQ_SUCCESS : PQ_ERROR_KEYPAIR;             \
+    }                                                                                     \
+    int pq_##prefix##_keypair_from_seed(uint8_t *pk, uint8_t *sk, const uint8_t *seed64) {\
+        if (!pk || !sk || !seed64) {                                                      \
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_keypair_derand(pk, sk, seed64) == 0 ? PQ_SUCCESS                  \
+                                                            : PQ_ERROR_KEYPAIR;           \
+    }                                                                                     \
+    int pq_##prefix##_encapsulate(uint8_t *ct, uint8_t *ss, const uint8_t *pk) {          \
+        if (!ct || !ss || !pk) {                                                          \
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_enc(ct, ss, pk) == 0 ? PQ_SUCCESS : PQ_ERROR_ENCAPSULATE;         \
+    }                                                                                     \
+    int pq_##prefix##_decapsulate(uint8_t *ss, const uint8_t *ct, const uint8_t *sk) {    \
+        if (!ss || !ct || !sk) {                                                          \
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_dec(ss, ct, sk) == 0 ? PQ_SUCCESS : PQ_ERROR_DECAPSULATE;         \
     }
 PQ_MLKEM_VARIANTS(PQ_DEFINE_MLKEM_SHIMS)
@@ -299,136 +288,152 @@ static int pq_testing_mlkem_encapsulate_from_seed_with(
                                                                         : PQ_ERROR_ENCAPSULATE;
 }
-#define PQ_DEFINE_MLKEM_TESTING_SHIMS(prefix, pqclean)                                           \
-    int pq_testing_##prefix##_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key,        \
-                                                const uint8_t *seed, size_t seed_len) {          \
-        return pq_testing_mlkem_keypair_from_seed_with(                                          \
-            public_key, secret_key, seed, seed_len,                                              \
-            PQCLEAN_##pqclean##_crypto_kem_keypair_derand);                                      \
-    }                                                                                            \
-    int pq_testing_##prefix##_encapsulate_from_seed(uint8_t *ciphertext, uint8_t *shared_secret, \
-                                                    const uint8_t *public_key,                   \
-                                                    const uint8_t *seed, size_t seed_len) {      \
-        return pq_testing_mlkem_encapsulate_from_seed_with(                                      \
-            ciphertext, shared_secret, public_key, seed, seed_len,                               \
-            PQCLEAN_##pqclean##_crypto_kem_enc_derand);                                          \
+#define PQ_DEFINE_MLKEM_TESTING_SHIMS(prefix, native)                                         \
+    int pq_testing_##prefix##_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key,      \
+                                                const uint8_t *seed, size_t seed_len) {        \
+        return pq_testing_mlkem_keypair_from_seed_with(public_key, secret_key, seed, seed_len, \
+                                                       native##_keypair_derand);               \
+    }                                                                                          \
+    int pq_testing_##prefix##_encapsulate_from_seed(uint8_t *ciphertext, uint8_t *shared_secret,\
+                                                    const uint8_t *public_key,                 \
+                                                    const uint8_t *seed, size_t seed_len) {    \
+        return pq_testing_mlkem_encapsulate_from_seed_with(ciphertext, shared_secret, public_key,\
+                                                           seed, seed_len, native##_enc_derand);\
     }
 PQ_MLKEM_VARIANTS(PQ_DEFINE_MLKEM_TESTING_SHIMS)
 #undef PQ_DEFINE_MLKEM_TESTING_SHIMS
-#define PQ_DEFINE_MLDSA_SIGN_KEYPAIR(prefix, pqclean)                               \
-    int pq_##prefix##_keypair(uint8_t *public_key, uint8_t *secret_key) {           \
-        return PQCLEAN_##pqclean##_crypto_sign_keypair(public_key, secret_key) == 0 \
-                   ? PQ_SUCCESS                                                     \
-                   : PQ_ERROR_KEYPAIR;                                              \
+#define PQ_DEFINE_MLDSA_SIGN_KEYPAIR(prefix, native)                              \
+    int pq_##prefix##_keypair(uint8_t *public_key, uint8_t *secret_key) {         \
+        if (!public_key || !secret_key) {                                         \
+            return PQ_ERROR_BUFFER;                                               \
+        }                                                                         \
+        return native##_keypair(public_key, secret_key) == 0 ? PQ_SUCCESS         \
+                                                            : PQ_ERROR_KEYPAIR;   \
     }
-PQ_DEFINE_MLDSA_SIGN_KEYPAIR(sign, MLDSA65_CLEAN)
-PQ_DEFINE_MLDSA_SIGN_KEYPAIR(mldsa44_sign, MLDSA44_CLEAN)
-PQ_DEFINE_MLDSA_SIGN_KEYPAIR(mldsa87_sign, MLDSA87_CLEAN)
+PQ_DEFINE_MLDSA_SIGN_KEYPAIR(sign, pqcr_mldsa65)
+PQ_DEFINE_MLDSA_SIGN_KEYPAIR(mldsa44_sign, pqcr_mldsa44)
+PQ_DEFINE_MLDSA_SIGN_KEYPAIR(mldsa87_sign, pqcr_mldsa87)
 #undef PQ_DEFINE_MLDSA_SIGN_KEYPAIR
-#define PQ_DEFINE_MLDSA_SIGN(name, pqclean)                                                 \
-    int pq_##name(uint8_t *signature, size_t *signature_len, const uint8_t *message,        \
-                  size_t message_len, const uint8_t *secret_key) {                          \
-        return PQCLEAN_##pqclean##_crypto_sign_signature(signature, signature_len, message, \
-                                                         message_len, secret_key) == 0      \
-                   ? PQ_SUCCESS                                                             \
-                   : PQ_ERROR_SIGN;                                                         \
+#define PQ_DEFINE_MLDSA_SIGN(name, native)                                                \
+    int pq_##name(uint8_t *signature, size_t *signature_len, const uint8_t *message,      \
+                  size_t message_len, const uint8_t *secret_key) {                        \
+        if (!signature || !signature_len || !secret_key || (message_len > 0 && !message)) {\
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_signature(signature, signature_len, message, message_len, NULL, 0,\
+                                  secret_key) == 0                                        \
+                   ? PQ_SUCCESS                                                           \
+                   : PQ_ERROR_SIGN;                                                       \
     }
-PQ_DEFINE_MLDSA_SIGN(sign, MLDSA65_CLEAN)
-PQ_DEFINE_MLDSA_SIGN(mldsa44_sign, MLDSA44_CLEAN)
-PQ_DEFINE_MLDSA_SIGN(mldsa87_sign, MLDSA87_CLEAN)
+PQ_DEFINE_MLDSA_SIGN(sign, pqcr_mldsa65)
+PQ_DEFINE_MLDSA_SIGN(mldsa44_sign, pqcr_mldsa44)
+PQ_DEFINE_MLDSA_SIGN(mldsa87_sign, pqcr_mldsa87)
 #undef PQ_DEFINE_MLDSA_SIGN
-#define PQ_DEFINE_MLDSA_VERIFY(name, pqclean)                                             \
+#define PQ_DEFINE_MLDSA_VERIFY(name, native)                                             \
     int pq_##name(const uint8_t *signature, size_t signature_len, const uint8_t *message, \
-                  size_t message_len, const uint8_t *public_key) {                        \
-        return PQCLEAN_##pqclean##_crypto_sign_verify(signature, signature_len, message,  \
-                                                      message_len, public_key) == 0       \
+                  size_t message_len, const uint8_t *public_key) {                       \
+        if (!signature || !public_key || (message_len > 0 && !message)) {                 \
+            return PQ_ERROR_BUFFER;                                                       \
+        }                                                                                 \
+        return native##_verify(signature, signature_len, message, message_len, NULL, 0,   \
+                               public_key) == 0                                          \
                    ? PQ_SUCCESS                                                           \
                    : PQ_ERROR_VERIFY;                                                     \
     }
-PQ_DEFINE_MLDSA_VERIFY(verify, MLDSA65_CLEAN)
-PQ_DEFINE_MLDSA_VERIFY(mldsa44_verify, MLDSA44_CLEAN)
-PQ_DEFINE_MLDSA_VERIFY(mldsa87_verify, MLDSA87_CLEAN)
+PQ_DEFINE_MLDSA_VERIFY(verify, pqcr_mldsa65)
+PQ_DEFINE_MLDSA_VERIFY(mldsa44_verify, pqcr_mldsa44)
+PQ_DEFINE_MLDSA_VERIFY(mldsa87_verify, pqcr_mldsa87)
 #undef PQ_DEFINE_MLDSA_VERIFY
-static int pq_testing_mldsa_keypair_from_seed_with(uint8_t *public_key, uint8_t *secret_key,
-                                                   const uint8_t *seed, size_t seed_len,
-                                                   int (*keypair)(uint8_t *, uint8_t *)) {
-    int rc;
-    if (!public_key || !secret_key || !seed || seed_len != 32 || !keypair) {
-        return PQ_ERROR_BUFFER;
-    }
-    pq_testing_set_seed(seed, seed_len);
-    rc = keypair(public_key, secret_key);
-    pq_testing_clear_seed();
-    return rc == 0 ? PQ_SUCCESS : PQ_ERROR_KEYPAIR;
-}
 static int pq_testing_mldsa_sign_from_seed_with(
     uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len,
     const uint8_t *secret_key, const uint8_t *seed, size_t seed_len,
-    int (*sign)(uint8_t *, size_t *, const uint8_t *, size_t, const uint8_t *)) {
-    int rc;
-    if (!signature || !signature_len || !secret_key || !seed || seed_len != 32 || !sign) {
+    int (*signature_internal)(uint8_t *, size_t *, const uint8_t *, size_t, const uint8_t *, size_t,
+                              const uint8_t *, const uint8_t *, int),
+    size_t (*prepare_prefix)(uint8_t *, const uint8_t *, size_t, const uint8_t *, size_t, int)) {
+    uint8_t pre[MLDSA_DOMAIN_SEPARATION_MAX_BYTES];
+    size_t pre_len;
+    if (!signature || !signature_len || !secret_key || !seed || seed_len != MLDSA_RNDBYTES ||
+        !signature_internal || !prepare_prefix || (message_len > 0 && !message)) {
         return PQ_ERROR_BUFFER;
     }
-    pq_testing_set_seed(seed, seed_len);
-    rc = sign(signature, signature_len, message, message_len, secret_key);
-    pq_testing_clear_seed();
-    return rc == 0 ? PQ_SUCCESS : PQ_ERROR_SIGN;
+    /*
+     * mldsa-native's signature_internal is lower-level than the public pure
+     * ML-DSA signing API. It expects the FIPS 204 domain-separation prefix explicitly. Passing
+     * NULL/0 signs CRH(tr, message) instead of CRH(tr, 0x00 || ctxlen || ctx || message),
+     * which produces signatures that do not verify through the public pure-ML-DSA API
+     * and do not match ACVP/KAT sigGen vectors.
+     */
+    pre_len = prepare_prefix(pre, NULL, 0, NULL, 0, MLDSA_PREHASH_NONE);
+    if (pre_len == 0) {
+        return PQ_ERROR_SIGN;
+    }
+    return signature_internal(signature, signature_len, message, message_len, pre, pre_len, seed,
+                              secret_key, 0) == 0
+               ? PQ_SUCCESS
+               : PQ_ERROR_SIGN;
 }
-/*
- * Production ML-DSA seed expansion for RFC 9881 seed-format PKCS#8 imports.
- *
- * PQClean does not expose a public crypto_sign_keypair_derand entrypoint for
- * ML-DSA. This deliberately reuses pq_crypto's thread-local seed-replay
- * randombytes() path, the same path covered by Patch 8 KATs, and is surfaced
- * only through the Ruby PKCS#8 opt-in gate.
- */
 int pq_mldsa44_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed32) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed32, 32,
-                                                   PQCLEAN_MLDSA44_CLEAN_crypto_sign_keypair);
+    if (!public_key || !secret_key || !seed32) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pqcr_mldsa44_keypair_internal(public_key, secret_key, seed32) == 0 ? PQ_SUCCESS
+                                                                              : PQ_ERROR_KEYPAIR;
 }
 int pq_mldsa_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed32) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed32, 32,
-                                                   PQCLEAN_MLDSA65_CLEAN_crypto_sign_keypair);
+    if (!public_key || !secret_key || !seed32) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pqcr_mldsa65_keypair_internal(public_key, secret_key, seed32) == 0 ? PQ_SUCCESS
+                                                                              : PQ_ERROR_KEYPAIR;
 }
 int pq_mldsa87_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key, const uint8_t *seed32) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed32, 32,
-                                                   PQCLEAN_MLDSA87_CLEAN_crypto_sign_keypair);
+    if (!public_key || !secret_key || !seed32) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pqcr_mldsa87_keypair_internal(public_key, secret_key, seed32) == 0 ? PQ_SUCCESS
+                                                                              : PQ_ERROR_KEYPAIR;
 }
 int pq_testing_mldsa_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key,
                                        const uint8_t *seed, size_t seed_len) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed, seed_len,
-                                                   PQCLEAN_MLDSA65_CLEAN_crypto_sign_keypair);
+    if (seed_len != MLDSA_SEEDBYTES) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pq_mldsa_keypair_from_seed(public_key, secret_key, seed);
 }
 int pq_testing_mldsa44_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key,
                                          const uint8_t *seed, size_t seed_len) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed, seed_len,
-                                                   PQCLEAN_MLDSA44_CLEAN_crypto_sign_keypair);
+    if (seed_len != MLDSA_SEEDBYTES) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pq_mldsa44_keypair_from_seed(public_key, secret_key, seed);
 }
 int pq_testing_mldsa87_keypair_from_seed(uint8_t *public_key, uint8_t *secret_key,
                                          const uint8_t *seed, size_t seed_len) {
-    return pq_testing_mldsa_keypair_from_seed_with(public_key, secret_key, seed, seed_len,
-                                                   PQCLEAN_MLDSA87_CLEAN_crypto_sign_keypair);
+    if (seed_len != MLDSA_SEEDBYTES) {
+        return PQ_ERROR_BUFFER;
+    }
+    return pq_mldsa87_keypair_from_seed(public_key, secret_key, seed);
 }
 int pq_testing_mldsa_sign_from_seed(uint8_t *signature, size_t *signature_len,
@@ -437,7 +442,8 @@ int pq_testing_mldsa_sign_from_seed(uint8_t *signature, size_t *signature_len,
                                     size_t seed_len) {
     return pq_testing_mldsa_sign_from_seed_with(signature, signature_len, message, message_len,
                                                 secret_key, seed, seed_len,
-                                                PQCLEAN_MLDSA65_CLEAN_crypto_sign_signature);
+                                                pqcr_mldsa65_signature_internal,
+                                                pqcr_mldsa65_prepare_domain_separation_prefix);
 }
 int pq_testing_mldsa44_sign_from_seed(uint8_t *signature, size_t *signature_len,
@@ -446,7 +452,8 @@ int pq_testing_mldsa44_sign_from_seed(uint8_t *signature, size_t *signature_len,
                                       size_t seed_len) {
     return pq_testing_mldsa_sign_from_seed_with(signature, signature_len, message, message_len,
                                                 secret_key, seed, seed_len,
-                                                PQCLEAN_MLDSA44_CLEAN_crypto_sign_signature);
+                                                pqcr_mldsa44_signature_internal,
+                                                pqcr_mldsa44_prepare_domain_separation_prefix);
 }
 int pq_testing_mldsa87_sign_from_seed(uint8_t *signature, size_t *signature_len,
@@ -455,7 +462,8 @@ int pq_testing_mldsa87_sign_from_seed(uint8_t *signature, size_t *signature_len,
                                       size_t seed_len) {
     return pq_testing_mldsa_sign_from_seed_with(signature, signature_len, message, message_len,
                                                 secret_key, seed, seed_len,
-                                                PQCLEAN_MLDSA87_CLEAN_crypto_sign_signature);
+                                                pqcr_mldsa87_signature_internal,
+                                                pqcr_mldsa87_prepare_domain_separation_prefix);
 }
 int pq_hybrid_kem_keypair(uint8_t *public_key, uint8_t *secret_key) {
@@ -499,7 +507,6 @@ int pq_hybrid_kem_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret,
     hybrid_ciphertext_t ct;
     uint8_t mlkem_ss[MLKEM_SHAREDSECRETBYTES];
     uint8_t x25519_ss[X25519_SHAREDSECRETBYTES];
-    uint8_t x25519_ephemeral_sk[X25519_SECRETKEYBYTES];
     int ret = PQ_SUCCESS;
     if (!ciphertext || !shared_secret || !public_key) {
@@ -510,20 +517,14 @@ int pq_hybrid_kem_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret,
     memset(&ct, 0, sizeof(ct));
     memset(mlkem_ss, 0, sizeof(mlkem_ss));
     memset(x25519_ss, 0, sizeof(x25519_ss));
-    memset(x25519_ephemeral_sk, 0, sizeof(x25519_ephemeral_sk));
-    if (PQCLEAN_MLKEM768_CLEAN_crypto_kem_enc(ct.mlkem_ct, mlkem_ss, pk.mlkem_pk) != 0) {
+    if (pqcr_mlkem768_enc(ct.mlkem_ct, mlkem_ss, pk.mlkem_pk) != 0) {
         ret = PQ_ERROR_ENCAPSULATE;
         goto cleanup;
     }
-    ret = x25519_keypair(ct.x25519_ephemeral, x25519_ephemeral_sk);
-    if (ret != PQ_SUCCESS) {
-        ret = PQ_ERROR_ENCAPSULATE;
-        goto cleanup;
-    }
-    ret = x25519_shared_secret(x25519_ss, pk.x25519_pk, x25519_ephemeral_sk);
+    ret = x25519_ephemeral_keypair_and_shared_secret(ct.x25519_ephemeral, x25519_ss,
+                                                     pk.x25519_pk);
     if (ret != PQ_SUCCESS) {
         ret = PQ_ERROR_ENCAPSULATE;
         goto cleanup;
@@ -539,51 +540,121 @@ int pq_hybrid_kem_encapsulate(uint8_t *ciphertext, uint8_t *shared_secret,
 cleanup:
     pq_secure_wipe(mlkem_ss, sizeof(mlkem_ss));
     pq_secure_wipe(x25519_ss, sizeof(x25519_ss));
-    pq_secure_wipe(x25519_ephemeral_sk, sizeof(x25519_ephemeral_sk));
     return ret;
 }
-int pq_hybrid_kem_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext,
-                              const uint8_t *secret_key) {
-    hybrid_ciphertext_t ct;
+int pq_hybrid_kem_expand_secret_key(uint8_t *expanded_secret_key, const uint8_t *secret_key) {
     hybrid_expanded_secret_key_t expanded;
+    int ret;
+    if (!expanded_secret_key || !secret_key) {
+        return PQ_ERROR_BUFFER;
+    }
+    memset(&expanded, 0, sizeof(expanded));
+    ret = xwing_expand_secret_key(&expanded, secret_key);
+    if (ret == PQ_SUCCESS) {
+        memcpy(expanded_secret_key, &expanded, sizeof(expanded));
+    }
+    pq_secure_wipe(&expanded, sizeof(expanded));
+    return ret == PQ_SUCCESS ? PQ_SUCCESS : PQ_ERROR_DECAPSULATE;
+}
+int pq_hybrid_kem_decapsulate_expanded(uint8_t *shared_secret, const uint8_t *ciphertext,
+                                       const uint8_t *expanded_secret_key) {
+    hybrid_ciphertext_t ct;
+    const hybrid_expanded_secret_key_t *expanded;
     uint8_t mlkem_ss[MLKEM_SHAREDSECRETBYTES];
     uint8_t x25519_ss[X25519_SHAREDSECRETBYTES];
     int ret = PQ_SUCCESS;
-    if (!shared_secret || !ciphertext || !secret_key) {
+    if (!shared_secret || !ciphertext || !expanded_secret_key) {
         return PQ_ERROR_BUFFER;
     }
+    expanded = (const hybrid_expanded_secret_key_t *)expanded_secret_key;
     memcpy(&ct, ciphertext, HYBRID_CIPHERTEXTBYTES);
-    memset(&expanded, 0, sizeof(expanded));
     memset(mlkem_ss, 0, sizeof(mlkem_ss));
     memset(x25519_ss, 0, sizeof(x25519_ss));
-    ret = xwing_expand_secret_key(&expanded, secret_key);
+    if (pqcr_mlkem768_dec(mlkem_ss, ct.mlkem_ct, expanded->mlkem_sk) != 0) {
+        ret = PQ_ERROR_DECAPSULATE;
+        goto cleanup;
+    }
+    ret = x25519_shared_secret(x25519_ss, ct.x25519_ephemeral, expanded->x25519_sk);
     if (ret != PQ_SUCCESS) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
-    if (PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(mlkem_ss, ct.mlkem_ct, expanded.mlkem_sk) != 0) {
+    ret = xwing_combiner(shared_secret, mlkem_ss, x25519_ss, ct.x25519_ephemeral,
+                         expanded->x25519_pk);
+cleanup:
+    pq_secure_wipe(mlkem_ss, sizeof(mlkem_ss));
+    pq_secure_wipe(x25519_ss, sizeof(x25519_ss));
+    return ret;
+}
+int pq_hybrid_kem_decapsulate_expanded_pkey(uint8_t *shared_secret, const uint8_t *ciphertext,
+                                            const uint8_t *expanded_secret_key,
+                                            void *x25519_private_pkey) {
+    hybrid_ciphertext_t ct;
+    const hybrid_expanded_secret_key_t *expanded;
+    uint8_t mlkem_ss[MLKEM_SHAREDSECRETBYTES];
+    uint8_t x25519_ss[X25519_SHAREDSECRETBYTES];
+    int ret = PQ_SUCCESS;
+    if (!shared_secret || !ciphertext || !expanded_secret_key || !x25519_private_pkey) {
+        return PQ_ERROR_BUFFER;
+    }
+    expanded = (const hybrid_expanded_secret_key_t *)expanded_secret_key;
+    memcpy(&ct, ciphertext, HYBRID_CIPHERTEXTBYTES);
+    memset(mlkem_ss, 0, sizeof(mlkem_ss));
+    memset(x25519_ss, 0, sizeof(x25519_ss));
+    if (pqcr_mlkem768_dec(mlkem_ss, ct.mlkem_ct, expanded->mlkem_sk) != 0) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
-    ret = x25519_shared_secret(x25519_ss, ct.x25519_ephemeral, expanded.x25519_sk);
+    ret = x25519_shared_secret_with_pkey(x25519_ss, ct.x25519_ephemeral,
+                                         (EVP_PKEY *)x25519_private_pkey);
     if (ret != PQ_SUCCESS) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
-    ret =
-        xwing_combiner(shared_secret, mlkem_ss, x25519_ss, ct.x25519_ephemeral, expanded.x25519_pk);
+    ret = xwing_combiner(shared_secret, mlkem_ss, x25519_ss, ct.x25519_ephemeral,
+                         expanded->x25519_pk);
 cleanup:
     pq_secure_wipe(mlkem_ss, sizeof(mlkem_ss));
     pq_secure_wipe(x25519_ss, sizeof(x25519_ss));
-    pq_secure_wipe(&expanded, sizeof(expanded));
+    return ret;
+}
+int pq_hybrid_kem_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext,
+                              const uint8_t *secret_key) {
+    uint8_t expanded[HYBRID_EXPANDED_SECRETKEYBYTES];
+    int ret;
+    if (!shared_secret || !ciphertext || !secret_key) {
+        return PQ_ERROR_BUFFER;
+    }
+    memset(expanded, 0, sizeof(expanded));
+    ret = pq_hybrid_kem_expand_secret_key(expanded, secret_key);
+    if (ret != PQ_SUCCESS) {
+        goto cleanup;
+    }
+    ret = pq_hybrid_kem_decapsulate_expanded(shared_secret, ciphertext, expanded);
+cleanup:
+    pq_secure_wipe(expanded, sizeof(expanded));
     return ret;
 }
@@ -787,24 +858,51 @@ static int pq_decode_serialized_key(const uint8_t *input, size_t input_len, uint
     return PQ_SUCCESS;
 }
+static int pq_base64_char_value(unsigned char c) {
+    if (c >= 'A' && c <= 'Z')
+        return (int)(c - 'A');
+    if (c >= 'a' && c <= 'z')
+        return (int)(c - 'a' + 26);
+    if (c >= '0' && c <= '9')
+        return (int)(c - '0' + 52);
+    if (c == '+')
+        return 62;
+    if (c == '/')
+        return 63;
+    if (c == '=')
+        return 64;
+    return -1;
+}
+static const char *pq_find_pem_footer(const char *start, size_t len, const char *footer,
+                                      size_t footer_len) {
+    if (!start || !footer || footer_len == 0 || len < footer_len)
+        return NULL;
+    for (size_t i = 0; i <= len - footer_len; ++i) {
+        if (start[i] == '-' && memcmp(start + i, footer, footer_len) == 0)
+            return start + i;
+    }
+    return NULL;
+}
 static int pq_der_to_pem(const char *label, const uint8_t *der, size_t der_len, char **output,
                          size_t *output_len) {
-    BIO *bio_mem = NULL;
-    BIO *bio_b64 = NULL;
-    BIO *bio_chain = NULL;
-    BUF_MEM *bptr = NULL;
     char header[64];
     char footer[64];
     int header_len, footer_len;
-    int ret = PQ_ERROR_OPENSSL;
     char *pem = NULL;
-    size_t total_len = 0;
-    size_t needed = 0;
+    unsigned char *encoded = NULL;
+    size_t encoded_len;
+    size_t line_count;
+    size_t needed;
+    char *cur;
     if (!label || !der || !output || !output_len)
         return PQ_ERROR_BUFFER;
     *output = NULL;
     *output_len = 0;
     header_len = snprintf(header, sizeof(header), "-----BEGIN %s-----", label);
     footer_len = snprintf(footer, sizeof(footer), "-----END %s-----", label);
     if (header_len <= 0 || footer_len <= 0)
@@ -812,68 +910,60 @@ static int pq_der_to_pem(const char *label, const uint8_t *der, size_t der_len,
     if (der_len > (size_t)INT_MAX)
         return PQ_ERROR_BUFFER;
-    bio_b64 = BIO_new(BIO_f_base64());
-    bio_mem = BIO_new(BIO_s_mem());
-    if (!bio_b64 || !bio_mem) {
-        ret = PQ_ERROR_NOMEM;
-        goto cleanup;
+    encoded_len = 4 * ((der_len + 2) / 3);
+    if (encoded_len > (size_t)INT_MAX)
+        return PQ_ERROR_BUFFER;
+    encoded = malloc(encoded_len + 1);
+    if (!encoded)
+        return PQ_ERROR_NOMEM;
+    if (EVP_EncodeBlock(encoded, der, (int)der_len) != (int)encoded_len) {
+        pq_secure_wipe(encoded, encoded_len + 1);
+        free(encoded);
+        return PQ_ERROR_OPENSSL;
     }
-    bio_chain = BIO_push(bio_b64, bio_mem);
+    line_count = encoded_len == 0 ? 0 : ((encoded_len + 63) / 64);
+    if (SIZE_MAX - (size_t)header_len < 1 || SIZE_MAX - ((size_t)header_len + 1) < encoded_len ||
+        SIZE_MAX - ((size_t)header_len + 1 + encoded_len) < line_count ||
+        SIZE_MAX - ((size_t)header_len + 1 + encoded_len + line_count) < (size_t)footer_len + 1) {
+        pq_secure_wipe(encoded, encoded_len + 1);
+        free(encoded);
+        return PQ_ERROR_BUFFER;
+    }
+    needed = (size_t)header_len + 1 + encoded_len + line_count + (size_t)footer_len + 1;
-    if (BIO_write(bio_chain, der, (int)der_len) != (int)der_len)
-        goto cleanup;
-    if (BIO_flush(bio_chain) != 1)
-        goto cleanup;
-    BIO_get_mem_ptr(bio_chain, &bptr);
-    if (!bptr || !bptr->data)
-        goto cleanup;
+    pem = malloc(needed);
+    if (!pem) {
+        pq_secure_wipe(encoded, encoded_len + 1);
+        free(encoded);
+        return PQ_ERROR_NOMEM;
+    }
-    {
-        size_t body_len = bptr->length;
-        needed = (size_t)header_len + 1 + body_len;
-        if (body_len == 0 || bptr->data[body_len - 1] != '\n')
-            needed += 1;
-        needed += (size_t)footer_len + 1;
-        pem = malloc(needed);
-        if (!pem) {
-            ret = PQ_ERROR_NOMEM;
-            goto cleanup;
-        }
-        char *cur = pem;
-        memcpy(cur, header, (size_t)header_len);
-        cur += header_len;
+    cur = pem;
+    memcpy(cur, header, (size_t)header_len);
+    cur += header_len;
+    *cur++ = '\n';
+    for (size_t offset = 0; offset < encoded_len; offset += 64) {
+        size_t line_len = encoded_len - offset;
+        if (line_len > 64)
+            line_len = 64;
+        memcpy(cur, encoded + offset, line_len);
+        cur += line_len;
         *cur++ = '\n';
-        memcpy(cur, bptr->data, body_len);
-        cur += body_len;
-        if (body_len == 0 || bptr->data[body_len - 1] != '\n')
-            *cur++ = '\n';
-        memcpy(cur, footer, (size_t)footer_len);
-        cur += footer_len;
-        *cur = '\0';
-        total_len = (size_t)(cur - pem);
     }
-    *output = pem;
-    *output_len = total_len;
-    pem = NULL;
-    ret = PQ_SUCCESS;
+    memcpy(cur, footer, (size_t)footer_len);
+    cur += footer_len;
+    *cur = '\0';
-cleanup:
-    if (bio_chain) {
-        BIO_free_all(bio_chain);
-    } else {
-        if (bio_b64)
-            BIO_free(bio_b64);
-        if (bio_mem)
-            BIO_free(bio_mem);
-    }
-    if (pem) {
-        pq_secure_wipe(pem, needed);
-        free(pem);
-    }
-    return ret;
+    *output = pem;
+    *output_len = (size_t)(cur - pem);
+    pq_secure_wipe(encoded, encoded_len + 1);
+    free(encoded);
+    return PQ_SUCCESS;
 }
 static int pq_pem_to_der(const char *label, const char *input, size_t input_len, uint8_t **der_out,
@@ -883,17 +973,19 @@ static int pq_pem_to_der(const char *label, const char *input, size_t input_len,
     const char *body_start, *footer_pos;
     const char *tail;
     uint8_t *der = NULL;
+    unsigned char *compact = NULL;
     size_t body_len = 0;
-    int ret;
-    BIO *bio_b64 = NULL;
-    BIO *bio_mem = NULL;
-    BIO *bio_chain = NULL;
+    size_t compact_len = 0;
+    size_t der_cap = 0;
     int decoded_len = 0;
+    int padding = 0;
+    int saw_padding = 0;
     if (!label || !input || !der_out || !der_len_out)
         return PQ_ERROR_BUFFER;
     *der_out = NULL;
     *der_len_out = 0;
     header_len = snprintf(header, sizeof(header), "-----BEGIN %s-----", label);
     footer_len = snprintf(footer, sizeof(footer), "-----END %s-----", label);
     if (header_len <= 0 || footer_len <= 0)
@@ -902,22 +994,13 @@ static int pq_pem_to_der(const char *label, const char *input, size_t input_len,
         return PQ_ERROR_BUFFER;
     if (strncmp(input, header, (size_t)header_len) != 0)
         return PQ_ERROR_BUFFER;
     body_start = input + header_len;
     while ((size_t)(body_start - input) < input_len && pq_is_pem_whitespace(*body_start))
         body_start++;
-    footer_pos = NULL;
-    {
-        size_t remaining = input_len - (size_t)(body_start - input);
-        size_t footer_size = (size_t)footer_len;
-        if (remaining < footer_size)
-            return PQ_ERROR_BUFFER;
-        for (size_t i = 0; i <= remaining - footer_size; ++i) {
-            if (memcmp(body_start + i, footer, footer_size) == 0) {
-                footer_pos = body_start + i;
-                break;
-            }
-        }
-    }
+    footer_pos = pq_find_pem_footer(body_start, input_len - (size_t)(body_start - input), footer,
+                                    (size_t)footer_len);
     if (!footer_pos)
         return PQ_ERROR_BUFFER;
@@ -932,53 +1015,65 @@ static int pq_pem_to_der(const char *label, const char *input, size_t input_len,
     if (body_len > (size_t)INT_MAX)
         return PQ_ERROR_BUFFER;
-    {
-        size_t der_cap = (body_len * 3) / 4 + 3;
-        der = malloc(der_cap ? der_cap : 1);
-        if (!der)
-            return PQ_ERROR_NOMEM;
+    compact = malloc(body_len ? body_len : 1);
+    if (!compact)
+        return PQ_ERROR_NOMEM;
-        bio_mem = BIO_new_mem_buf(body_start, (int)body_len);
-        bio_b64 = BIO_new(BIO_f_base64());
-        if (!bio_mem || !bio_b64) {
-            ret = PQ_ERROR_NOMEM;
-            goto cleanup;
-        }
-        bio_chain = BIO_push(bio_b64, bio_mem);
+    for (size_t i = 0; i < body_len; ++i) {
+        unsigned char c = (unsigned char)body_start[i];
+        int value;
+        if (pq_is_pem_whitespace((char)c))
+            continue;
-        decoded_len = BIO_read(bio_chain, der, (int)der_cap);
-        if (decoded_len <= 0) {
-            ret = PQ_ERROR_BUFFER;
-            goto cleanup;
+        value = pq_base64_char_value(c);
+        if (value < 0) {
+            pq_secure_wipe(compact, body_len);
+            free(compact);
+            return PQ_ERROR_BUFFER;
         }
-        {
-            unsigned char tail_byte;
-            int extra = BIO_read(bio_chain, &tail_byte, 1);
-            if (extra > 0) {
-                ret = PQ_ERROR_BUFFER;
-                goto cleanup;
+        if (c == '=') {
+            saw_padding = 1;
+            padding++;
+            if (padding > 2) {
+                pq_secure_wipe(compact, body_len);
+                free(compact);
+                return PQ_ERROR_BUFFER;
             }
+        } else if (saw_padding) {
+            pq_secure_wipe(compact, body_len);
+            free(compact);
+            return PQ_ERROR_BUFFER;
         }
+        compact[compact_len++] = c;
+    }
-        *der_len_out = (size_t)decoded_len;
-        *der_out = der;
-        der = NULL;
-        ret = PQ_SUCCESS;
+    if (compact_len == 0 || (compact_len % 4) != 0 || compact_len > (size_t)INT_MAX) {
+        pq_secure_wipe(compact, body_len);
+        free(compact);
+        return PQ_ERROR_BUFFER;
     }
-cleanup:
-    if (bio_chain) {
-        BIO_free_all(bio_chain);
-    } else {
-        if (bio_b64)
-            BIO_free(bio_b64);
-        if (bio_mem)
-            BIO_free(bio_mem);
+    der_cap = (compact_len / 4) * 3;
+    der = malloc(der_cap ? der_cap : 1);
+    if (!der) {
+        pq_secure_wipe(compact, body_len);
+        free(compact);
+        return PQ_ERROR_NOMEM;
     }
-    if (der) {
+    decoded_len = EVP_DecodeBlock(der, compact, (int)compact_len);
+    pq_secure_wipe(compact, body_len);
+    free(compact);
+    compact = NULL;
+    if (decoded_len <= 0 || decoded_len < padding) {
+        pq_secure_wipe(der, der_cap);
         free(der);
+        return PQ_ERROR_BUFFER;
     }
-    return ret;
+    *der_len_out = (size_t)(decoded_len - padding);
+    *der_out = der;
+    return PQ_SUCCESS;
 }
 int pq_public_key_to_pqc_container_der(uint8_t **output, size_t *output_len,