pq_crypto 0.6.0 → 0.6.2

data/lib/pq_crypto/signature.rb

@@ -189,7 +189,7 @@ module PQCrypto
         builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
         builder_consumed = false
         mu = nil
-        sig_bytes = String(signature).b
+        sig_bytes = Internal.binary_string(signature)
         begin
           _drain_io_into_builder(io, builder, chunk_size)
           mu = PQCrypto.__send__(:_native_mldsa_mu_builder_finalize, builder)
@@ -230,7 +230,7 @@ module PQCrypto
       end
 
       def validate_context!(context)
-        ctx = String(context).b
+        ctx = Internal.binary_string(context)
         if ctx.bytesize > 255
           raise ArgumentError, "context must be at most 255 bytes (FIPS 204)"
         end
@@ -264,7 +264,7 @@ module PQCrypto
 
       def initialize(algorithm, bytes)
         @algorithm = algorithm
-        @bytes = String(bytes).b
+        @bytes = Internal.binary_string(bytes)
         validate_length!
       end
 
@@ -291,7 +291,7 @@ module PQCrypto
       def verify(message, signature, context: "".b)
         context = Signature.send(:validate_context!, context)
         begin
-          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), String(message).b, String(signature).b, @bytes, context)
+          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), Internal.binary_string(message), Internal.binary_string(signature), @bytes, context)
         rescue ArgumentError => e
           raise InvalidKeyError, e.message
         end
@@ -315,7 +315,7 @@ module PQCrypto
 
       def ==(other)
         return false unless other.is_a?(PublicKey) && other.algorithm == algorithm
-        PQCrypto.__send__(:native_ct_equals, other.send(:bytes_for_native), @bytes)
+        Internal.constant_time_equal?(other.send(:bytes_for_native), @bytes)
       end
 
       alias eql? ==
@@ -345,14 +345,14 @@ module PQCrypto
 
       def initialize(algorithm, bytes, seed: nil)
         @algorithm = algorithm
-        @bytes = String(bytes).b
-        @seed = seed.nil? ? nil : String(seed).b
+        @bytes = Internal.binary_string(bytes)
+        @seed = seed.nil? ? nil : Internal.binary_string(seed)
         validate_length!
         validate_seed_length! if @seed
       end
 
       def self.from_seed(algorithm, seed)
-        seed_bytes = String(seed).b
+        seed_bytes = Internal.binary_string(seed)
         _public_key, expanded = PQCrypto.__send__(Signature.send(:native_method_for, algorithm, :keypair_from_seed), seed_bytes)
         new(algorithm, expanded, seed: seed_bytes)
       rescue ArgumentError => e
@@ -372,39 +372,17 @@ module PQCrypto
       end
 
       def to_pkcs8_der(format: :expanded, passphrase: nil, iterations: PKCS8::ENCRYPTED_PKCS8_DEFAULT_ITERATIONS)
-        case format
-        when :expanded
-          PKCS8.encode_der(@algorithm, @bytes, format: :expanded, passphrase: passphrase, iterations: iterations)
-        when :seed
-          ensure_seed_available!(format)
-          PKCS8.encode_der(@algorithm, @seed, format: :seed, passphrase: passphrase, iterations: iterations)
-        when :both
-          ensure_seed_available!(format)
-          PKCS8.encode_der(@algorithm, [@seed, @bytes], format: :both, passphrase: passphrase, iterations: iterations)
-        else
-          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
-        end
+        PKCS8.encode_der(@algorithm, pkcs8_material(format), format: format, passphrase: passphrase, iterations: iterations)
       end
 
       def to_pkcs8_pem(format: :expanded, passphrase: nil, iterations: PKCS8::ENCRYPTED_PKCS8_DEFAULT_ITERATIONS)
-        case format
-        when :expanded
-          PKCS8.encode_pem(@algorithm, @bytes, format: :expanded, passphrase: passphrase, iterations: iterations)
-        when :seed
-          ensure_seed_available!(format)
-          PKCS8.encode_pem(@algorithm, @seed, format: :seed, passphrase: passphrase, iterations: iterations)
-        when :both
-          ensure_seed_available!(format)
-          PKCS8.encode_pem(@algorithm, [@seed, @bytes], format: :both, passphrase: passphrase, iterations: iterations)
-        else
-          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
-        end
+        PKCS8.encode_pem(@algorithm, pkcs8_material(format), format: format, passphrase: passphrase, iterations: iterations)
       end
 
       def sign(message, context: "".b)
         context = Signature.send(:validate_context!, context)
         begin
-          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), String(message).b, @bytes, context)
+          PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), Internal.binary_string(message), @bytes, context)
         rescue ArgumentError => e
           raise InvalidKeyError, e.message
         end
@@ -422,7 +400,7 @@ module PQCrypto
 
       def ==(other)
         return false unless other.is_a?(SecretKey) && other.algorithm == algorithm
-        PQCrypto.__send__(:native_ct_equals, other.send(:bytes_for_native), @bytes)
+        Internal.constant_time_equal?(other.send(:bytes_for_native), @bytes)
       end
 
       alias eql? ==
@@ -446,8 +424,23 @@ module PQCrypto
         raise InvalidKeyError, "Invalid signature secret key length" unless @bytes.bytesize == expected
       end
 
+      def pkcs8_material(format)
+        case format
+        when :expanded
+          @bytes
+        when :seed
+          ensure_seed_available!(format)
+          @seed
+        when :both
+          ensure_seed_available!(format)
+          [@seed, @bytes]
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
+
       def validate_seed_length!
-        expected = PKCS8::PRIVATE_KEY_CHOICES.fetch(@algorithm).fetch(:seed_bytes)
+        expected = PKCS8::PrivateKeyChoice.seed_bytes(@algorithm)
         raise InvalidKeyError, "Invalid signature seed length" unless @seed.bytesize == expected
       end
 

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.6.0"
+  VERSION = "0.6.2"
 end

data/lib/pq_crypto.rb

@@ -30,9 +30,12 @@ end
 
 require_relative "pq_crypto/errors"
 require_relative "pq_crypto/version"
+require_relative "pq_crypto/internal"
 require_relative "pq_crypto/algorithm_registry"
 require_relative "pq_crypto/serialization"
 require_relative "pq_crypto/spki"
+require_relative "pq_crypto/pkcs8/der"
+require_relative "pq_crypto/pkcs8/private_key_choice"
 require_relative "pq_crypto/pkcs8"
 require_relative "pq_crypto/kem"
 require_relative "pq_crypto/signature"
@@ -93,6 +96,13 @@ module PQCrypto
       public_key_from_pqc_container_pem
       secret_key_from_pqc_container_der
       secret_key_from_pqc_container_pem
+      pkcs8_private_key_info_to_der
+      pkcs8_private_key_info_from_der
+      pkcs8_encrypt_der
+      pkcs8_decrypt_der
+      pkcs8_encrypted_der?
+      pkcs8_der_to_pem
+      pkcs8_pem_to_der
       __test_ml_kem_keypair_from_seed
       __test_ml_kem_encapsulate_from_seed
       __test_ml_kem_512_encapsulate_from_seed

data/script/vendor_libs.rb

@@ -21,9 +21,9 @@ PINS = {
   },
   mldsa: {
     repo: "https://github.com/pq-code-package/mldsa-native.git",
-    ref: "v1.0.0-beta",
-    commit: "db65535319d9750d75d34c6d170677415f9d2c46",
-    tree_sha256: "3b2cb648dade4540191f08d606b422042bf781fb37b434934ab02b58a0121f5c",
+    ref: "v1.0.0-beta2",
+    commit: "9b0ee84f4cf399043eca59eca4e5f8531ca1d61b",
+    tree_sha256: "2887f59926c18a877e8c5a5e30727e84497c357032093d00d7135aedf53f011e",
     target: "mldsa-native",
     source_dir: "mldsa"
   }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pq_crypto
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.2
 platform: ruby
 authors:
 - Roman Haydarov
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-05-14 00:00:00.000000000 Z
+date: 2026-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -84,6 +84,7 @@ files:
 - ext/pqcrypto/vendor/mldsa-native/META.yml
 - ext/pqcrypto/vendor/mldsa-native/README.md
 - ext/pqcrypto/vendor/mldsa-native/SECURITY.md
+- ext/pqcrypto/vendor/mldsa-native/mldsa/README.md
 - ext/pqcrypto/vendor/mldsa-native/mldsa/mldsa_native.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/mldsa_native.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/mldsa_native_asm.S
@@ -102,11 +103,11 @@ files:
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/keccakf1600.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/auto.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/fips202_native_aarch64.h
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_scalar_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_v84a_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x2_v84a_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x4_v8a_scalar_hybrid_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_scalar_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x1_v84a_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x2_v84a_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/keccakf1600_round_constants.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/x1_scalar.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/x1_v84a.h
@@ -120,31 +121,34 @@ files:
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/armv81m/src/keccak_f1600_x4_mve.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/armv81m/src/keccak_f1600_x4_mve.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/armv81m/src/keccakf1600_round_constants.c
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/armv81m/src/state_extract_bytes_x4_mve.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/armv81m/src/state_xor_bytes_x4_mve.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/auto.h
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/src/KeccakP_1600_times4_SIMD256.c
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/src/KeccakP_1600_times4_SIMD256.h
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/xkcp.h
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/keccak_f1600_x4_avx2.h
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/src/fips202_native_x86_64.h
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/src/keccak_f1600_x4_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/x86_64/src/keccakf1600_constants.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/meta.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/aarch64_zetas.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/arith_native_aarch64.h
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/intt.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l4.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l5.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l7.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/ntt.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/pointwise_montgomery.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_caddq_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_chknorm_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_decompose_32_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_decompose_88_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_use_hint_32_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_use_hint_88_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/polyz_unpack_17_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/polyz_unpack_19_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/intt_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l4_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l5_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/mld_polyvecl_pointwise_acc_montgomery_l7_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/ntt_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/pointwise_montgomery_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_caddq_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_chknorm_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_decompose_32_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_decompose_88_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_use_hint_32_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/poly_use_hint_88_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/polyz_unpack_17_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/polyz_unpack_19_aarch64_asm.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/polyz_unpack_table.c
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_eta2_asm.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_eta4_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_eta2_aarch64_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_eta4_aarch64_asm.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_eta_table.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/aarch64/src/rej_uniform_table.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/api.h
@@ -153,14 +157,14 @@ files:
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/arith_native_x86_64.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/consts.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/consts.h
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/intt.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/ntt.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/nttunpack.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l4.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l5.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l7.S
-- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/poly_caddq_avx2.c
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/intt_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/ntt_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/nttunpack_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l4_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l5_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_acc_l7_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/pointwise_avx2_asm.S
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/poly_caddq_avx2_asm.S
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/poly_chknorm_avx2.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/poly_decompose_32_avx2.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/native/x86_64/src/poly_decompose_88_avx2.c
@@ -181,6 +185,8 @@ files:
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/poly_kl.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/polyvec.c
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/polyvec.h
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/polyvec_lazy.c
+- ext/pqcrypto/vendor/mldsa-native/mldsa/src/polyvec_lazy.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/randombytes.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/reduce.h
 - ext/pqcrypto/vendor/mldsa-native/mldsa/src/rounding.h
@@ -314,9 +320,12 @@ files:
 - lib/pq_crypto/algorithm_registry.rb
 - lib/pq_crypto/errors.rb
 - lib/pq_crypto/hybrid_kem.rb
+- lib/pq_crypto/internal.rb
 - lib/pq_crypto/kem.rb
 - lib/pq_crypto/key.rb
 - lib/pq_crypto/pkcs8.rb
+- lib/pq_crypto/pkcs8/der.rb
+- lib/pq_crypto/pkcs8/private_key_choice.rb
 - lib/pq_crypto/serialization.rb
 - lib/pq_crypto/signature.rb
 - lib/pq_crypto/spki.rb