pqc_asn1 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d82d0cdf76e9156af39368f55311d62bc7bf1a0f8b7c50e1a59cf8d49a90ff95
-  data.tar.gz: d922d07e2f12177fe0a0b1a88df589aa6edf9f9ff45f4ec6278a20926d628071
+  metadata.gz: c30efe239594f245393a2ec72d0794c685d469d064be4da9f480343cf25435fd
+  data.tar.gz: 733d22810457f379abc602ff94fbac6c510df30e2e8f33fe0006d2f0a55af4ec
 SHA512:
-  metadata.gz: dd25d378e2719c6b29abbb6cb68d8c2c1e76b974b7532c97cdb4399e19f24e90aa38ff36b12bbcf2b191f7f8f5bc8207a90ed76016c5bbaafe11ae588d842082
-  data.tar.gz: f77499b592e7cd301780cf33d9a9cf5112a167a1cf4c0c624d97ebdbcc3f1e9dd30ba25cc0d9c82831f8d208faec920d89ea21740f5f12af05dc08df066b2b28
+  metadata.gz: ad3dcf7c1a955dd30c59c10e96708dc9aa806af18373625f4301843be5d06c488b157ea9f86b33d30d31c3c6a0c41b3e82e252862713ee8f5e0b17a2c2fcb67c
+  data.tar.gz: 767ceaedb4cfddf337a0367b2a6fa0ea3786203a57d8113904d4ef0dbcf460d1ae7fc68bae90767924768fdce6ab5d751cac701fd63a082d311aa722f2e36b90

data/CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.1] — 2026-03-19
+
+### Changed
+
+- **libpqcsb integration**: Replaced the 997-line inline secure buffer
+  implementation with the standalone [libpqcsb](https://github.com/msuliq/libpqcsb)
+  C library. This eliminates code duplication and improves maintainability.
+  - SecureBuffer now uses libpqcsb's opaque buffer API, guard-based access control,
+    and improved memory protection.
+  - Updated `extconf.rb` to vendor libpqcsb with pkg-config fallback.
+  - All existing SecureBuffer methods and their semantics remain unchanged.
+  - Public API is fully backward-compatible.
+- Updated vendored libpqcasn1 to version 0.1.5 (from 0.1.3).
+
 ### Fixed
 
 - `SecureBuffer#wipe!` now returns `self` instead of `nil`, enabling method

data/README.md

@@ -249,6 +249,17 @@ Error categories:
 `PqcAsn1::DER::KEY_SIZES` maps each OID to `{ public:, secret: }` byte counts.
 Used automatically when `validate: true` is passed to `build_spki` / `build_pkcs8`.
 
+## Implementation
+
+The gem is implemented in C with no OpenSSL dependency:
+
+- **libpqcasn1** (v0.1.5) — Vendored pure C ASN.1/DER codec for key serialization
+- **libpqcsb** (v0.1.0) — Vendored secure memory buffer library providing `mmap`-backed
+  allocation, guard pages, memory locking, and secure zeroing
+
+Both libraries are vendored; the gem builds a single native extension with no external
+C dependencies beyond POSIX APIs and the C standard library.
+
 ## Requirements
 
 - Ruby >= 2.7.2

data/ext/pqc_asn1/der.c

@@ -265,7 +265,7 @@ typedef struct {
     size_t written;
 } pkcs8_build_ctx_t;
 
-static void
+static pqcsb_status_t
 pkcs8_build_fill(uint8_t *data, size_t len, void *ctx_ptr)
 {
     pkcs8_build_ctx_t *ctx = (pkcs8_build_ctx_t *)ctx_ptr;
@@ -276,6 +276,7 @@ pkcs8_build_fill(uint8_t *data, size_t len, void *ctx_ptr)
         ctx->sk_ptr, ctx->sk_len,
         ctx->pk_ptr, ctx->pk_len,
         &ctx->written);
+    return ctx->rc == PQC_ASN1_OK ? PQCSB_OK : PQCSB_ERR_ALLOC;
 }
 
 /* ------------------------------------------------------------------ */
@@ -289,6 +290,7 @@ pkcs8_build_fill(uint8_t *data, size_t len, void *ctx_ptr)
 typedef struct {
     VALUE          rb_oid_der;
     pqcsb_buf_t   *sk_buf;
+    pqcsb_read_guard_t guard;  /* Read access guard to sk_buf */
     VALUE          result;
     pqc_asn1_status_t rc;
     /* Extended fields (NULL/0 when not using keywords). */
@@ -310,19 +312,19 @@ pkcs8_sb_build_body(VALUE arg)
     pqc_asn1_status_t rc = pqc_asn1_pkcs8_size_ex(
         oid_ptr, oid_len,
         ctx->params_ptr, ctx->params_len,
-        ctx->sk_buf->len, ctx->pk_len, &total);
+        ctx->guard.len, ctx->pk_len, &total);
     if (rc != PQC_ASN1_OK)
         raise_status(rc, NULL);
 
     pkcs8_build_ctx_t build_ctx = {
         oid_ptr, oid_len,
         ctx->params_ptr, ctx->params_len,
-        ctx->sk_buf->data, ctx->sk_buf->len,
+        ctx->guard.data, ctx->guard.len,
         ctx->pk_ptr, ctx->pk_len,
         PQC_ASN1_OK, 0
     };
-    ctx->result = pqcsb_create_inplace(pqcsb_class(), total,
-                                       pkcs8_build_fill, &build_ctx);
+    ctx->result = pqcsb_rb_create_inplace(pqcsb_class(), total,
+                                          pkcs8_build_fill, &build_ctx);
     ctx->rc = build_ctx.rc;
     return Qnil;
 }
@@ -330,7 +332,8 @@ pkcs8_sb_build_body(VALUE arg)
 static VALUE
 pkcs8_sb_ensure_end_read(VALUE arg)
 {
-    pqcsb_end_read((pqcsb_buf_t *)arg);
+    pkcs8_sb_ctx_t *ctx = (pkcs8_sb_ctx_t *)arg;
+    pqcsb_end_read(&ctx->guard);
     return Qnil;
 }
 
@@ -385,21 +388,23 @@ rb_der_build_pkcs8(int argc, VALUE *argv, VALUE _self)
     /* Accept SecureBuffer input: read directly from its mmap region
      * without ever placing secret key material on the Ruby heap. */
     if (rb_obj_is_kind_of(rb_sk, pqcsb_class())) {
-        pqcsb_buf_t *sk_buf;
-        TypedData_Get_Struct(rb_sk, pqcsb_buf_t, &pqcsb_buf_type, sk_buf);
-        if (sk_buf->wiped)
+        pqcsb_buf_t *sk_buf = (pqcsb_buf_t *)RTYPEDDATA_DATA(rb_sk);
+        if (pqcsb_is_wiped(sk_buf))
             rb_raise(rb_eRuntimeError, "SecureBuffer has been wiped");
 
         pkcs8_sb_ctx_t sb_ctx = {
-            rb_oid_der, sk_buf, Qnil, PQC_ASN1_OK,
+            rb_oid_der, sk_buf, {NULL, 0, PQCSB_OK, NULL}, Qnil, PQC_ASN1_OK,
             params_ptr, params_len, pk_ptr, pk_len
         };
-        pqcsb_begin_read(sk_buf);
+        sb_ctx.guard = pqcsb_begin_read(sk_buf);
+        if (sb_ctx.guard.status != PQCSB_OK)
+            rb_raise(rb_eRuntimeError, "pqcsb_begin_read failed");
+
         rb_ensure(pkcs8_sb_build_body, (VALUE)&sb_ctx,
-                  pkcs8_sb_ensure_end_read, (VALUE)sk_buf);
+                  pkcs8_sb_ensure_end_read, (VALUE)&sb_ctx);
 
         if (sb_ctx.rc != PQC_ASN1_OK) {
-            pqcsb_wipe(sb_ctx.result);
+            pqcsb_rb_wipe(sb_ctx.result);
             raise_status(sb_ctx.rc, NULL);
         }
         return sb_ctx.result;
@@ -428,12 +433,12 @@ rb_der_build_pkcs8(int argc, VALUE *argv, VALUE _self)
         pk_ptr, pk_len,
         PQC_ASN1_OK, 0
     };
-    VALUE result = pqcsb_create_inplace(pqcsb_class(), total,
-                                        pkcs8_build_fill, &build_ctx);
+    VALUE result = pqcsb_rb_create_inplace(pqcsb_class(), total,
+                                           pkcs8_build_fill, &build_ctx);
     if (build_ctx.rc != PQC_ASN1_OK) {
         /* Wipe the SecureBuffer so garbage content doesn't escape if
          * the caller rescues the exception. */
-        pqcsb_wipe(result);
+        pqcsb_rb_wipe(result);
         raise_status(build_ctx.rc, NULL);
     }
     return result;
@@ -527,7 +532,7 @@ pkcs8_parse_use_cb(VALUE rb_bytes, VALUE data2,
                         ? frozen_bin_str((const char *)alg_params, (long)alg_params_len)
                         : Qnil;
 
-    ctx->rb_key = pqcsb_create(pqcsb_class(), sk_bytes, sk_len);
+    ctx->rb_key = pqcsb_rb_create(pqcsb_class(), sk_bytes, sk_len);
 
     ctx->rb_pub = pub_key && pub_key_len > 0
                     ? frozen_bin_str((const char *)pub_key, (long)pub_key_len)
@@ -582,7 +587,7 @@ rb_der_parse_pkcs8(UNUSED VALUE _self, VALUE rb_der)
                          ? frozen_bin_str((const char *)alg_params, (long)alg_params_len)
                          : Qnil;
 
-    VALUE key_val = pqcsb_create(pqcsb_class(), sk_bytes, sk_len);
+    VALUE key_val = pqcsb_rb_create(pqcsb_class(), sk_bytes, sk_len);
 
     VALUE pub_val  = pub_key && pub_key_len > 0
                        ? frozen_bin_str((const char *)pub_key, (long)pub_key_len)

data/ext/pqc_asn1/extconf.rb

@@ -2,15 +2,17 @@
 
 require "mkmf"
 
-# Try to find libpqcasn1 as a system-installed library first.
-# If pkg-config finds it, the system headers and library are used and the
-# vendored pqc_asn1.c is excluded from compilation.
-# If not found, fall back to the vendored copy bundled in ext/pqc_asn1/.
-if pkg_config("pqcasn1")
-  $srcs = %w[pqc_asn1_ext.c error.c secure_buffer.c oid.c cursor.c der.c pem.c base64_ext.c]
-else
-  $srcs = %w[pqc_asn1_ext.c pqc_asn1.c error.c secure_buffer.c oid.c cursor.c der.c pem.c base64_ext.c]
-end
+# Try to find system-installed libraries first.
+# If pkg-config finds them, the system headers and libraries are used and
+# the vendored sources are excluded from compilation.
+# If not found, fall back to the vendored copies bundled in ext/pqc_asn1/.
+pqcsb_available = pkg_config("pqcsb")
+pqcasn1_available = pkg_config("pqcasn1")
+
+$srcs_pqcsb = pqcsb_available ? [] : %w[pqcsb.c]
+$srcs_pqcasn1 = pqcasn1_available ? [] : %w[pqc_asn1.c]
+
+$srcs = %w[pqc_asn1_ext.c error.c secure_buffer.c oid.c cursor.c der.c pem.c base64_ext.c] + $srcs_pqcasn1 + $srcs_pqcsb
 
 # -Wpedantic generates excessive noise from Ruby's own UCRT headers on Windows
 # (C23 attributes like [[nodiscard]], [[maybe_unused]], __VA_OPT__).

data/ext/pqc_asn1/internal.h

@@ -0,0 +1,116 @@
+/*
+ * internal.h — private definitions shared across libpqcsb source files.
+ *
+ * This header is NOT installed and is NOT part of the public API.
+ */
+
+#ifndef PQCSB_INTERNAL_H
+#define PQCSB_INTERNAL_H
+
+/* Include generated config before anything else. */
+#include "pqcsb_config.h"
+
+/* Enable memset_s() on Apple/BSD via C11 Annex K.
+ * Must appear before any system header that may include string.h. */
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+
+#include "pqcsb.h"
+
+#include <string.h>
+#include <stdio.h>
+#include <stdatomic.h>
+
+#ifndef _WIN32
+#include <unistd.h>
+#endif
+
+#ifdef HAVE_SYS_MMAN_H
+#include <sys/mman.h>
+#endif
+
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+
+#ifdef _WIN32
+#include <windows.h>
+#include <ntsecapi.h>
+#endif
+
+/* ------------------------------------------------------------------ */
+/* MAP_ANONYMOUS portability                                           */
+/* ------------------------------------------------------------------ */
+
+#if defined(HAVE_MMAP) && !defined(MAP_ANONYMOUS) && defined(MAP_ANON)
+#define MAP_ANONYMOUS MAP_ANON
+#endif
+
+/* ------------------------------------------------------------------ */
+/* Platform backend selection                                          */
+/* ------------------------------------------------------------------ */
+
+#if defined(HAVE_MMAP) && defined(MAP_ANONYMOUS)
+#  define PQCSB_USE_MMAP 1
+#elif defined(_WIN32)
+#  define PQCSB_USE_VIRTUALALLOC 1
+#elif defined(PQCSB_ALLOW_MALLOC_FALLBACK)
+   /* Weak protection: canaries only, no guard pages, no mprotect */
+#else
+#  error "No mmap or VirtualAlloc available. Define PQCSB_ALLOW_MALLOC_FALLBACK "\
+         "to opt into the malloc fallback (no guard pages — reduced security guarantees)."
+#endif
+
+/* ------------------------------------------------------------------ */
+/* Protection macros                                                   */
+/* ------------------------------------------------------------------ */
+
+#if defined(PQCSB_USE_MMAP) && defined(HAVE_MPROTECT)
+#  define PQCSB_SET_PROT(base, ps, dp, prot) \
+       mprotect((base) + (ps), (dp), (prot))
+#  define PQCSB_PROT_NONE   PROT_NONE
+#  define PQCSB_PROT_READ   PROT_READ
+#  define PQCSB_PROT_RW     (PROT_READ | PROT_WRITE)
+#  define PQCSB_HAS_PROTECT 1
+#elif defined(PQCSB_USE_VIRTUALALLOC)
+#  define PQCSB_SET_PROT(base, ps, dp, prot) do { \
+       DWORD _old; \
+       VirtualProtect((base) + (ps), (dp), (prot), &_old); \
+   } while (0)
+#  define PQCSB_PROT_NONE   PAGE_NOACCESS
+#  define PQCSB_PROT_READ   PAGE_READONLY
+#  define PQCSB_PROT_RW     PAGE_READWRITE
+#  define PQCSB_HAS_PROTECT 1
+#else
+#  define PQCSB_HAS_PROTECT 0
+#endif
+
+/* ------------------------------------------------------------------ */
+/* Buffer struct (opaque to consumers)                                 */
+/* ------------------------------------------------------------------ */
+
+struct pqcsb_buf {
+    uint8_t *data;          /* pointer to user data (inside mmap or malloc'd) */
+    size_t   len;           /* user-requested byte length */
+    uint8_t *mmap_base;     /* base of entire mmap region (NULL if malloc) */
+    size_t   mmap_len;      /* total mmap size including guard pages */
+    size_t   data_pages;    /* size of data region (between guard pages) */
+    int      wiped;         /* 1 if wipe() was called */
+    int      locked;        /* 1 if mlock succeeded on the data pages */
+    _Atomic int read_refs;  /* reference count for nested begin_read/end_read */
+    uint8_t  canary[PQCSB_CANARY_SIZE]; /* per-buffer random canary */
+    pqcsb_config_t config;  /* runtime configuration options for this buffer */
+};
+
+/* ------------------------------------------------------------------ */
+/* Internal function declarations                                      */
+/* ------------------------------------------------------------------ */
+
+/* secure_zero.c */
+/* (pqcsb_secure_zero is public, declared in pqcsb.h) */
+
+/* random.c */
+/* (pqcsb_fill_random is public, declared in pqcsb.h) */
+
+#endif /* PQCSB_INTERNAL_H */

data/ext/pqc_asn1/pem.c

@@ -77,18 +77,18 @@ pem_decoded_cleanup(VALUE arg)
  * pem_encode_sb_ctx_t — SecureBuffer encode context.
  *
  * pem_encode_sb_body calls pqc_asn1_pem_encode with the SecureBuffer's
- * data pointer (valid only inside begin_read/end_read).
+ * data pointer (valid only inside the read guard).
  * pem_encode_sb_cleanup always calls pqcsb_end_read to restore guard
  * pages even when pqc_asn1_pem_encode raises via ruby_xmalloc.  On
  * exception paths it also frees any partially-allocated pem_buf.
  */
 typedef struct {
-    pqcsb_buf_t *sb;
-    const char  *label;
-    size_t       label_len;
-    char        *pem_buf;
-    size_t       pem_len;
-    pqc_asn1_status_t rc;
+    pqcsb_read_guard_t guard;
+    const char        *label;
+    size_t             label_len;
+    char              *pem_buf;
+    size_t             pem_len;
+    pqc_asn1_status_t  rc;
 } pem_encode_sb_ctx_t;
 
 static VALUE
@@ -96,7 +96,7 @@ pem_encode_sb_body(VALUE arg)
 {
     pem_encode_sb_ctx_t *ctx = (pem_encode_sb_ctx_t *)arg;
     ctx->rc = pqc_asn1_pem_encode(
-        ctx->sb->data, ctx->sb->len,
+        ctx->guard.data, ctx->guard.len,
         ctx->label, ctx->label_len,
         &ctx->pem_buf, &ctx->pem_len);
     return Qnil;
@@ -107,7 +107,7 @@ pem_encode_sb_cleanup(VALUE arg)
 {
     pem_encode_sb_ctx_t *ctx = (pem_encode_sb_ctx_t *)arg;
     /* Always restore mprotect — this is the primary purpose of rb_ensure here. */
-    pqcsb_end_read(ctx->sb);
+    pqcsb_end_read(&ctx->guard);
     /* On exception paths pem_buf may have been allocated inside
      * pqc_asn1_pem_encode before ruby_xmalloc raised NoMemoryError.
      * Zero and free it here to prevent leaking PEM-encoded key material.
@@ -263,13 +263,15 @@ rb_pem_encode(UNUSED VALUE _self, VALUE rb_der, VALUE rb_label)
     if (rb_obj_is_kind_of(rb_der, pqcsb_class())) {
         /* SecureBuffer input: use rb_ensure to restore PROT_NONE even when
          * pqc_asn1_pem_encode raises via ruby_xmalloc under memory pressure. */
-        pqcsb_buf_t *sb;
-        TypedData_Get_Struct(rb_der, pqcsb_buf_t, &pqcsb_buf_type, sb);
-        if (sb->wiped)
+        pqcsb_buf_t *sb = (pqcsb_buf_t *)RTYPEDDATA_DATA(rb_der);
+        if (pqcsb_is_wiped(sb))
             rb_raise(rb_eRuntimeError, "SecureBuffer has been wiped");
 
-        pem_encode_sb_ctx_t ctx = {sb, label, label_len, NULL, 0, PQC_ASN1_OK};
-        pqcsb_begin_read(sb);
+        pqcsb_read_guard_t guard = pqcsb_begin_read(sb);
+        if (guard.status != PQCSB_OK)
+            rb_raise(rb_eRuntimeError, "pqcsb_begin_read failed");
+
+        pem_encode_sb_ctx_t ctx = {guard, label, label_len, NULL, 0, PQC_ASN1_OK};
         rb_ensure(pem_encode_sb_body, (VALUE)&ctx,
                   pem_encode_sb_cleanup, (VALUE)&ctx);
         rc      = ctx.rc;

data/ext/pqc_asn1/pqc_asn1.c

@@ -1,10 +1,18 @@
 /*
  * pqc_asn1.c — DER/PEM/Base64 utilities for post-quantum key serialization.
  *
- * VENDORED FILE — do not edit directly.
- * Origin: libpqcasn1 (https://github.com/msuliq/libpqcasn1)
- * To update: run `bundle exec rake vendor:concat` (local checkout) or
- *            run `bundle exec rake vendor:update[VERSION]` (release tarball).
+ * GENERATED FILE — do not edit directly.
+ * Edit the individual source files in src/ and run scripts/concat.sh to
+ * regenerate this file.
+ *
+ * Source files (in concatenation order):
+ *   src/tlv.c      — version, safe arithmetic, secure zeroing, DER TLV helpers
+ *   src/builder.c  — SPKI/PKCS#8 layout structs and DER builders
+ *   src/parser.c   — SPKI/PKCS#8 DER parsers
+ *   src/base64.c   — RFC 4648 Base64 encode/decode
+ *   src/pem.c      — RFC 7468 PEM encode/decode
+ *
+ * Version: 0.1.5
  *
  * Standalone C library — no external dependencies beyond the C standard library.
  *