pq_crypto 0.5.3 → 0.6.1

data/lib/pq_crypto/signature.rb

@@ -46,6 +46,10 @@ module PQCrypto
         SecretKey.new(algorithm, bytes)
       end
 
+      def secret_key_from_seed(algorithm, seed)
+        SecretKey.from_seed(resolve_algorithm!(algorithm), seed)
+      end
+
       def public_key_from_pqc_container_der(der, algorithm = nil)
         resolved_algorithm, bytes = Serialization.public_key_from_pqc_container_der(algorithm, der)
         resolve_algorithm!(resolved_algorithm)
@@ -82,12 +86,12 @@ module PQCrypto
         PublicKey.new(resolve_algorithm!(resolved_algorithm), bytes)
       end
 
-      def secret_key_from_pkcs8_der(der)
-        secret_key_from_decoded_pkcs8(*PKCS8.decode_der(der))
+      def secret_key_from_pkcs8_der(der, passphrase: nil)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_der(der, passphrase: passphrase))
       end
 
-      def secret_key_from_pkcs8_pem(pem)
-        secret_key_from_decoded_pkcs8(*PKCS8.decode_pem(pem))
+      def secret_key_from_pkcs8_pem(pem, passphrase: nil)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_pem(pem, passphrase: passphrase))
       end
 
       def details(algorithm)
@@ -114,10 +118,10 @@ module PQCrypto
           SecretKey.new(algorithm, material)
         when :seed
           _public_key, expanded = PQCrypto.__send__(native_method_for(algorithm, :keypair_from_seed), material)
-          SecretKey.new(algorithm, expanded)
+          SecretKey.new(algorithm, expanded, seed: material)
         when :both
           _seed, expanded = material
-          SecretKey.new(algorithm, expanded)
+          SecretKey.new(algorithm, expanded, seed: _seed)
         else
           raise SerializationError, "Unsupported ML-DSA PKCS#8 private key format: #{format.inspect}"
         end
@@ -145,9 +149,10 @@ module PQCrypto
         context = validate_context!(context)
         validate_io!(io)
 
+        algorithm = secret_key.algorithm
         sk_bytes = secret_key.__send__(:bytes_for_native)
         begin
-          tr = PQCrypto.__send__(:_native_mldsa_extract_tr, sk_bytes)
+          tr = PQCrypto.__send__(:_native_mldsa_extract_tr, algorithm, sk_bytes)
         rescue ArgumentError => e
           raise InvalidKeyError, e.message
         end
@@ -159,7 +164,7 @@ module PQCrypto
           _drain_io_into_builder(io, builder, chunk_size)
           mu = PQCrypto.__send__(:_native_mldsa_mu_builder_finalize, builder)
           builder_consumed = true
-          PQCrypto.__send__(:_native_mldsa_sign_mu, mu, sk_bytes)
+          PQCrypto.__send__(:_native_mldsa_sign_mu, algorithm, mu, sk_bytes)
         ensure
           PQCrypto.__send__(:_native_mldsa_mu_builder_release, builder) unless builder_consumed
           PQCrypto.secure_wipe(tr) if tr && !tr.frozen?
@@ -173,9 +178,10 @@ module PQCrypto
         context = validate_context!(context)
         validate_io!(io)
 
+        algorithm = public_key.algorithm
         pk_bytes = public_key.__send__(:bytes_for_native)
         begin
-          tr = PQCrypto.__send__(:_native_mldsa_compute_tr, pk_bytes)
+          tr = PQCrypto.__send__(:_native_mldsa_compute_tr, algorithm, pk_bytes)
         rescue ArgumentError => e
           raise InvalidKeyError, e.message
         end
@@ -183,12 +189,12 @@ module PQCrypto
         builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
         builder_consumed = false
         mu = nil
-        sig_bytes = String(signature).b
+        sig_bytes = Internal.binary_string(signature)
         begin
           _drain_io_into_builder(io, builder, chunk_size)
           mu = PQCrypto.__send__(:_native_mldsa_mu_builder_finalize, builder)
           builder_consumed = true
-          PQCrypto.__send__(:_native_mldsa_verify_mu, mu, sig_bytes, pk_bytes)
+          PQCrypto.__send__(:_native_mldsa_verify_mu, algorithm, mu, sig_bytes, pk_bytes)
         ensure
           PQCrypto.__send__(:_native_mldsa_mu_builder_release, builder) unless builder_consumed
 
@@ -224,7 +230,7 @@ module PQCrypto
       end
 
       def validate_context!(context)
-        ctx = String(context).b
+        ctx = Internal.binary_string(context)
         if ctx.bytesize > 255
           raise ArgumentError, "context must be at most 255 bytes (FIPS 204)"
         end
@@ -232,10 +238,7 @@ module PQCrypto
       end
 
       def validate_streaming_algorithm!(algorithm)
-        return if resolve_algorithm!(algorithm) == CANONICAL_ALGORITHM
-
-        raise UnsupportedAlgorithmError,
-              "Streaming sign_io/verify_io currently supports only #{CANONICAL_ALGORITHM.inspect}"
+        resolve_algorithm!(algorithm)
       end
     end
 
@@ -261,7 +264,7 @@ module PQCrypto
 
       def initialize(algorithm, bytes)
         @algorithm = algorithm
-        @bytes = String(bytes).b
+        @bytes = Internal.binary_string(bytes)
         validate_length!
       end
 
@@ -285,14 +288,17 @@ module PQCrypto
         SPKI.encode_pem(@algorithm, @bytes)
       end
 
-      def verify(message, signature)
-        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), String(message).b, String(signature).b, @bytes)
-      rescue ArgumentError => e
-        raise InvalidKeyError, e.message
+      def verify(message, signature, context: "".b)
+        context = Signature.send(:validate_context!, context)
+        begin
+          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), Internal.binary_string(message), Internal.binary_string(signature), @bytes, context)
+        rescue ArgumentError => e
+          raise InvalidKeyError, e.message
+        end
       end
 
-      def verify!(message, signature)
-        raise PQCrypto::VerificationError, "Verification failed" unless verify(message, signature)
+      def verify!(message, signature, context: "".b)
+        raise PQCrypto::VerificationError, "Verification failed" unless verify(message, signature, context: context)
         true
       end
 
@@ -309,7 +315,7 @@ module PQCrypto
 
       def ==(other)
         return false unless other.is_a?(PublicKey) && other.algorithm == algorithm
-        PQCrypto.__send__(:native_ct_equals, other.to_bytes, @bytes)
+        Internal.constant_time_equal?(other.send(:bytes_for_native), @bytes)
       end
 
       alias eql? ==
@@ -337,10 +343,20 @@ module PQCrypto
     class SecretKey
       attr_reader :algorithm
 
-      def initialize(algorithm, bytes)
+      def initialize(algorithm, bytes, seed: nil)
         @algorithm = algorithm
-        @bytes = String(bytes).b
+        @bytes = Internal.binary_string(bytes)
+        @seed = seed.nil? ? nil : Internal.binary_string(seed)
         validate_length!
+        validate_seed_length! if @seed
+      end
+
+      def self.from_seed(algorithm, seed)
+        seed_bytes = Internal.binary_string(seed)
+        _public_key, expanded = PQCrypto.__send__(Signature.send(:native_method_for, algorithm, :keypair_from_seed), seed_bytes)
+        new(algorithm, expanded, seed: seed_bytes)
+      rescue ArgumentError => e
+        raise InvalidKeyError, e.message
       end
 
       def to_bytes
@@ -355,34 +371,21 @@ module PQCrypto
         Serialization.secret_key_to_pqc_container_pem(@algorithm, @bytes)
       end
 
-      def to_pkcs8_der(format: :expanded)
-        case format
-        when :expanded
-          PKCS8.encode_der(@algorithm, @bytes, format: :expanded)
-        when :seed, :both
-          raise SerializationError,
-                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
-        else
-          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
-        end
+      def to_pkcs8_der(format: :expanded, passphrase: nil, iterations: PKCS8::ENCRYPTED_PKCS8_DEFAULT_ITERATIONS)
+        PKCS8.encode_der(@algorithm, pkcs8_material(format), format: format, passphrase: passphrase, iterations: iterations)
       end
 
-      def to_pkcs8_pem(format: :expanded)
-        case format
-        when :expanded
-          PKCS8.encode_pem(@algorithm, @bytes, format: :expanded)
-        when :seed, :both
-          raise SerializationError,
-                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
-        else
-          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
-        end
+      def to_pkcs8_pem(format: :expanded, passphrase: nil, iterations: PKCS8::ENCRYPTED_PKCS8_DEFAULT_ITERATIONS)
+        PKCS8.encode_pem(@algorithm, pkcs8_material(format), format: format, passphrase: passphrase, iterations: iterations)
       end
 
-      def sign(message)
-        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), String(message).b, @bytes)
-      rescue ArgumentError => e
-        raise InvalidKeyError, e.message
+      def sign(message, context: "".b)
+        context = Signature.send(:validate_context!, context)
+        begin
+          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), Internal.binary_string(message), @bytes, context)
+        rescue ArgumentError => e
+          raise InvalidKeyError, e.message
+        end
       end
 
       def sign_io(io, chunk_size: 1 << 20, context: "".b)
@@ -391,12 +394,13 @@ module PQCrypto
 
       def wipe!
         PQCrypto.secure_wipe(@bytes)
+        PQCrypto.secure_wipe(@seed) if @seed
         self
       end
 
       def ==(other)
         return false unless other.is_a?(SecretKey) && other.algorithm == algorithm
-        PQCrypto.__send__(:native_ct_equals, other.to_bytes, @bytes)
+        Internal.constant_time_equal?(other.send(:bytes_for_native), @bytes)
       end
 
       alias eql? ==
@@ -419,6 +423,32 @@ module PQCrypto
         expected = Signature.details(@algorithm).fetch(:secret_key_bytes)
         raise InvalidKeyError, "Invalid signature secret key length" unless @bytes.bytesize == expected
       end
+
+      def pkcs8_material(format)
+        case format
+        when :expanded
+          @bytes
+        when :seed
+          ensure_seed_available!(format)
+          @seed
+        when :both
+          ensure_seed_available!(format)
+          [@seed, @bytes]
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
+
+      def validate_seed_length!
+        expected = PKCS8::PrivateKeyChoice.seed_bytes(@algorithm)
+        raise InvalidKeyError, "Invalid signature seed length" unless @seed.bytesize == expected
+      end
+
+      def ensure_seed_available!(format)
+        return if @seed
+
+        raise SerializationError, "ML-DSA #{format.inspect} PKCS#8 export requires original seed material"
+      end
     end
   end
 end

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.5.3"
+  VERSION = "0.6.1"
 end

data/lib/pq_crypto.rb

@@ -30,13 +30,17 @@ end
 
 require_relative "pq_crypto/errors"
 require_relative "pq_crypto/version"
+require_relative "pq_crypto/internal"
 require_relative "pq_crypto/algorithm_registry"
 require_relative "pq_crypto/serialization"
 require_relative "pq_crypto/spki"
+require_relative "pq_crypto/pkcs8/der"
+require_relative "pq_crypto/pkcs8/private_key_choice"
 require_relative "pq_crypto/pkcs8"
 require_relative "pq_crypto/kem"
 require_relative "pq_crypto/signature"
 require_relative "pq_crypto/hybrid_kem"
+require_relative "pq_crypto/key"
 
 module PQCrypto
   SUITES = {
@@ -65,6 +69,7 @@ module PQCrypto
       hybrid_kem_encapsulate
       hybrid_kem_expand_secret_key
       hybrid_kem_expand_secret_key_object
+      hybrid_kem_expanded_secret_key_wipe
       hybrid_kem_decapsulate
       hybrid_kem_decapsulate_expanded
       hybrid_kem_decapsulate_expanded_object
@@ -91,6 +96,13 @@ module PQCrypto
       public_key_from_pqc_container_pem
       secret_key_from_pqc_container_der
       secret_key_from_pqc_container_pem
+      pkcs8_private_key_info_to_der
+      pkcs8_private_key_info_from_der
+      pkcs8_encrypt_der
+      pkcs8_decrypt_der
+      pkcs8_encrypted_der?
+      pkcs8_der_to_pem
+      pkcs8_pem_to_der
       __test_ml_kem_keypair_from_seed
       __test_ml_kem_encapsulate_from_seed
       __test_ml_kem_512_encapsulate_from_seed
@@ -164,25 +176,25 @@ module PQCrypto
     KEM_KEYPAIR_METHODS = {
       ml_kem_512: :native_ml_kem_512_keypair_from_seed,
       ml_kem_768: :native_ml_kem_keypair_from_seed,
-      ml_kem_1024: :native_ml_kem_1024_keypair_from_seed,
+      ml_kem_1024: :native_ml_kem_1024_keypair_from_seed
     }.freeze
 
     KEM_ENCAPSULATE_METHODS = {
       ml_kem_512: :native_test_ml_kem_512_encapsulate_from_seed,
       ml_kem_768: :native_test_ml_kem_encapsulate_from_seed,
-      ml_kem_1024: :native_test_ml_kem_1024_encapsulate_from_seed,
+      ml_kem_1024: :native_test_ml_kem_1024_encapsulate_from_seed
     }.freeze
 
     MLDSA_KEYPAIR_METHODS = {
       ml_dsa_44: :native_test_ml_dsa_44_keypair_from_seed,
       ml_dsa_65: :native_test_sign_keypair_from_seed,
-      ml_dsa_87: :native_test_ml_dsa_87_keypair_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_keypair_from_seed
     }.freeze
 
     MLDSA_SIGN_METHODS = {
       ml_dsa_44: :native_test_ml_dsa_44_sign_from_seed,
       ml_dsa_65: :native_test_sign_from_seed,
-      ml_dsa_87: :native_test_ml_dsa_87_sign_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_sign_from_seed
     }.freeze
 
     def self.ml_kem_keypair_from_seed(seed, algorithm: :ml_kem_768)

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pq_crypto
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.6.1
 platform: ruby
 authors:
 - Roman Haydarov
+autorequire:
 bindir: exe
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-05-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -313,8 +314,12 @@ files:
 - lib/pq_crypto/algorithm_registry.rb
 - lib/pq_crypto/errors.rb
 - lib/pq_crypto/hybrid_kem.rb
+- lib/pq_crypto/internal.rb
 - lib/pq_crypto/kem.rb
+- lib/pq_crypto/key.rb
 - lib/pq_crypto/pkcs8.rb
+- lib/pq_crypto/pkcs8/der.rb
+- lib/pq_crypto/pkcs8/private_key_choice.rb
 - lib/pq_crypto/serialization.rb
 - lib/pq_crypto/signature.rb
 - lib/pq_crypto/spki.rb
@@ -328,6 +333,7 @@ metadata:
   homepage_uri: https://github.com/roman-haidarov/pq_crypto
   source_code_uri: https://github.com/roman-haidarov/pq_crypto/tree/main
   changelog_uri: https://github.com/roman-haidarov/pq_crypto/blob/main/CHANGELOG.md
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -342,7 +348,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.3.27
+signing_key:
 specification_version: 4
 summary: Primitive-first post-quantum cryptography for Ruby
 test_files: []