pq_crypto 0.6.0 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11bb63e90651697a30709e9621678c7a53224facc67264a331291a8c57520880
-  data.tar.gz: 111c87fa0809924f0c2997fc0d9c2ea41c43e88044c2802d35370c01ed5f88ca
+  metadata.gz: 94d0fc254c0169b1e49ce177e0bf9830c9a1140dc425be9e917e8b2acfb870ed
+  data.tar.gz: 148381930753a4d6eb850522619ddf43b602cf9ae9966190c91f276c56f0d426
 SHA512:
-  metadata.gz: c95c38ec77fce342cb92febfbdbecdee5c35495323e7f153a2e263e04b89dc6cb13e8bd2874b8abb0b5e19e5b26cde13fb7f6b9d99ef107c5d6e3e41b20d819c
-  data.tar.gz: 1aa62a91a03203fcd6253e3175d1166b5bf2a3590889509517b8b5eaa57ff6fac49023b253f0859b45c7c2e0f4b28b849a657a5d089890b328da8a234ef7b5c9
+  metadata.gz: bb8d4c4683429e99d0147ece542dabdb2276ec3933482d03e3dae81a8bd55b3ed2e617c89221dcdec4dbc34c134027dc406ab7d5e814af2ceef91aa1fb1a0240
+  data.tar.gz: 1e911b991634858610ceea12d5cb3a7efbb3a2f480f7ccb531e9afd1e4d01befe673ebec0f1935500dafed37b595d9c9a11a5b9a12adf1ff0720a0a76bf95c96

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## [0.6.2] - 2026-05-24
+
+### Changed
+- update native mldsa `v1.0.0-beta` → `v1.0.0-beta2`
+
+## [0.6.1] - 2026-05-14
+
+### Security
+
+- Moved PKCS#8 PEM handling, PrivateKeyInfo wrapping/unwrapping, and encrypted PKCS#8 encryption/decryption to native C/OpenSSL helpers.
+- Removed Ruby `OpenSSL::ASN1` parsing/building from the PKCS#8 path while preserving the existing Ruby API.
+
 ## [0.6.0] - 2026-05-14
 
 ### Added

data/SECURITY.md

@@ -23,6 +23,13 @@ PKCS#8 encodings where the linked OpenSSL exposes the corresponding ML-KEM /
 ML-DSA EVP support. These tests improve compatibility coverage but are not a
 substitute for a security audit.
 
+The test surface also includes libFuzzer targets for PKCS#8 DER/PEM decoding
+and pq_crypto-local container decoding, built with AddressSanitizer and
+UndefinedBehaviorSanitizer. A representative clang-17 run executed
+approximately 253 million inputs across these targets and produced no crash
+artifacts. This improves malformed-input parser coverage but is not a proof of
+memory safety and is not a substitute for a security audit.
+
 ## Algorithm notes
 
 ### ML-KEM / ML-DSA

data/ext/pqcrypto/extconf.rb

@@ -201,6 +201,8 @@ def configure_openssl!
   abort "openssl/evp.h is required" unless have_header("openssl/evp.h")
   abort "openssl/rand.h is required" unless have_header("openssl/rand.h")
   abort "openssl/crypto.h is required" unless have_header("openssl/crypto.h")
+  abort "openssl/x509.h is required" unless have_header("openssl/x509.h")
+  abort "openssl/pkcs12.h is required" unless have_header("openssl/pkcs12.h")
 
   version_check = <<~SRC
     #include <openssl/opensslv.h>

data/ext/pqcrypto/pqcrypto_ruby_secure.c

@@ -1741,6 +1741,136 @@ static VALUE pqcrypto__native_mldsa_verify_mu(int argc, VALUE *argv, VALUE self)
     pq_raise_general_error(call.result);
 }
 
+static VALUE pqcrypto_pkcs8_private_key_info_to_der(VALUE self, VALUE oid_text, VALUE private_key) {
+    (void)self;
+    uint8_t *out = NULL;
+    size_t out_len = 0;
+    VALUE result;
+    int ret;
+
+    StringValue(oid_text);
+    StringValue(private_key);
+    ret = pq_pkcs8_private_key_info_to_der(&out, &out_len, RSTRING_PTR(oid_text),
+                                           (const uint8_t *)RSTRING_PTR(private_key),
+                                           (size_t)RSTRING_LEN(private_key));
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+    result = pq_string_from_buffer(out, out_len);
+    pq_wipe_and_free(out, out_len);
+    return result;
+}
+
+static VALUE pqcrypto_pkcs8_private_key_info_from_der(VALUE self, VALUE der) {
+    (void)self;
+    char *oid_text = NULL;
+    uint8_t *private_key = NULL;
+    size_t private_key_len = 0;
+    VALUE result;
+    int ret;
+
+    StringValue(der);
+    ret = pq_pkcs8_private_key_info_from_der(&oid_text, &private_key, &private_key_len,
+                                             (const uint8_t *)RSTRING_PTR(der),
+                                             (size_t)RSTRING_LEN(der));
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+
+    result = rb_ary_new_capa(2);
+    rb_ary_push(result, rb_str_new_cstr(oid_text));
+    rb_ary_push(result, pq_string_from_buffer(private_key, private_key_len));
+    free(oid_text);
+    pq_wipe_and_free(private_key, private_key_len);
+    return result;
+}
+
+static VALUE pqcrypto_pkcs8_encrypt_der(VALUE self, VALUE der, VALUE passphrase,
+                                        VALUE iterations_value) {
+    (void)self;
+    uint8_t *out = NULL;
+    size_t out_len = 0;
+    int iterations;
+    VALUE result;
+    int ret;
+
+    StringValue(der);
+    StringValue(passphrase);
+    iterations = NUM2INT(iterations_value);
+    ret = pq_pkcs8_encrypt_private_key_info_der(&out, &out_len, (const uint8_t *)RSTRING_PTR(der),
+                                                (size_t)RSTRING_LEN(der), RSTRING_PTR(passphrase),
+                                                (size_t)RSTRING_LEN(passphrase), iterations);
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+    result = pq_string_from_buffer(out, out_len);
+    pq_wipe_and_free(out, out_len);
+    return result;
+}
+
+static VALUE pqcrypto_pkcs8_decrypt_der(VALUE self, VALUE der, VALUE passphrase) {
+    (void)self;
+    uint8_t *out = NULL;
+    size_t out_len = 0;
+    VALUE result;
+    int ret;
+
+    StringValue(der);
+    StringValue(passphrase);
+    ret = pq_pkcs8_decrypt_private_key_info_der(&out, &out_len, (const uint8_t *)RSTRING_PTR(der),
+                                                (size_t)RSTRING_LEN(der), RSTRING_PTR(passphrase),
+                                                (size_t)RSTRING_LEN(passphrase));
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+    result = pq_string_from_buffer(out, out_len);
+    pq_wipe_and_free(out, out_len);
+    return result;
+}
+
+static VALUE pqcrypto_pkcs8_encrypted_der_p(VALUE self, VALUE der) {
+    (void)self;
+    StringValue(der);
+    return pq_pkcs8_der_is_encrypted_private_key_info((const uint8_t *)RSTRING_PTR(der),
+                                                      (size_t)RSTRING_LEN(der))
+               ? Qtrue
+               : Qfalse;
+}
+
+static VALUE pqcrypto_pkcs8_der_to_pem(VALUE self, VALUE der, VALUE encrypted_value) {
+    (void)self;
+    char *pem = NULL;
+    size_t pem_len = 0;
+    VALUE result;
+    int ret;
+
+    StringValue(der);
+    ret = pq_pkcs8_der_to_pem(&pem, &pem_len, (const uint8_t *)RSTRING_PTR(der),
+                              (size_t)RSTRING_LEN(der), RTEST(encrypted_value) ? 1 : 0);
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+    result = rb_str_new(pem, (long)pem_len);
+    pq_secure_wipe(pem, pem_len);
+    free(pem);
+    return result;
+}
+
+static VALUE pqcrypto_pkcs8_pem_to_der(VALUE self, VALUE pem) {
+    (void)self;
+    uint8_t *der = NULL;
+    size_t der_len = 0;
+    int encrypted = 0;
+    VALUE result;
+    int ret;
+
+    StringValue(pem);
+    ret =
+        pq_pkcs8_pem_to_der(&der, &der_len, &encrypted, RSTRING_PTR(pem), (size_t)RSTRING_LEN(pem));
+    if (ret != PQ_SUCCESS)
+        pq_raise_general_error(ret);
+    result = rb_ary_new_capa(2);
+    rb_ary_push(result, encrypted ? Qtrue : Qfalse);
+    rb_ary_push(result, pq_string_from_buffer(der, der_len));
+    pq_wipe_and_free(der, der_len);
+    return result;
+}
+
 static void define_constants(void) {
     rb_define_const(mPQCrypto, "ML_KEM_512_PUBLIC_KEY_BYTES", INT2NUM(MLKEM512_PUBLICKEYBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_512_SECRET_KEY_BYTES", INT2NUM(MLKEM512_SECRETKEYBYTES));
@@ -1911,6 +2041,15 @@ void Init_pqcrypto_secure(void) {
                               pqcrypto_secret_key_from_pqc_container_der, 1);
     rb_define_module_function(mPQCrypto, "secret_key_from_pqc_container_pem",
                               pqcrypto_secret_key_from_pqc_container_pem, 1);
+    rb_define_module_function(mPQCrypto, "pkcs8_private_key_info_to_der",
+                              pqcrypto_pkcs8_private_key_info_to_der, 2);
+    rb_define_module_function(mPQCrypto, "pkcs8_private_key_info_from_der",
+                              pqcrypto_pkcs8_private_key_info_from_der, 1);
+    rb_define_module_function(mPQCrypto, "pkcs8_encrypt_der", pqcrypto_pkcs8_encrypt_der, 3);
+    rb_define_module_function(mPQCrypto, "pkcs8_decrypt_der", pqcrypto_pkcs8_decrypt_der, 2);
+    rb_define_module_function(mPQCrypto, "pkcs8_encrypted_der?", pqcrypto_pkcs8_encrypted_der_p, 1);
+    rb_define_module_function(mPQCrypto, "pkcs8_der_to_pem", pqcrypto_pkcs8_der_to_pem, 2);
+    rb_define_module_function(mPQCrypto, "pkcs8_pem_to_der", pqcrypto_pkcs8_pem_to_der, 1);
     rb_define_module_function(mPQCrypto, "_native_mldsa_extract_tr",
                               pqcrypto__native_mldsa_extract_tr, -1);
     rb_define_module_function(mPQCrypto, "_native_mldsa_compute_tr",