purecrypto 0.6.21

A pure-Rust cryptography toolkit with no foreign-code dependencies, from constant-time primitives up to keys, X.509 and TLS.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396

//! Algorithm-agnostic ML-KEM key loading and a unified outer enum that routes
//! between signing/agreement keys ([`AnyPrivateKey`](super::AnyPrivateKey) /
//! [`AnyPublicKey`](super::AnyPublicKey)) and KEM keys.
//!
//! ML-KEM (FIPS 203) decapsulation/encapsulation keys are not
//! [`PrivateKey`](crate::key::PrivateKey) / [`PublicKey`](crate::key::PublicKey)
//! facade keys — encapsulate/decapsulate is its own contract — so the
//! per-algorithm `Any*` enums in [`privkey`](super::AnyPrivateKey) /
//! [`pubkey`](super::AnyPublicKey) deliberately exclude them. This module adds
//! the KEM-only [`AnyDecapsulationKey`] / [`AnyEncapsulationKey`] and the outer
//! [`AnyKey`] / [`AnyKeyPublic`] enums that accept *either* a facade key or a
//! KEM key parsed from the same PKCS#8 / SPKI byte streams.
//!
//! Unlike the ML-KEM types' own `from_pkcs8_der`, the algorithm is not known up
//! front here: each parser tries the three parameter sets in turn (512, 768,
//! 1024) and the first that validates wins. Plaintext only — encrypted PKCS#8
//! KEM keys are out of scope for these entry points (use the per-set
//! `from_pkcs8_der_encrypted` constructors with a known parameter set).

use super::Error;
use crate::der::pem_decode;
use crate::mlkem::{
    MlKem512DecapsKey, MlKem512EncapsKey, MlKem768DecapsKey, MlKem768EncapsKey, MlKem1024DecapsKey,
    MlKem1024EncapsKey,
};

/// An ML-KEM (FIPS 203) decapsulation (secret) key of any parameter set — the
/// KEM counterpart to [`AnyPrivateKey`](super::AnyPrivateKey), returned by
/// [`AnyDecapsulationKey::from_pkcs8_der`].
///
/// `#[non_exhaustive]`: new parameter sets are added over time. A `Debug` is
/// provided but deliberately redacts the secret key material.
// ML-KEM keys are stack-allocated fixed-size arrays by design (the mlkem
// module is allocation-free), so the parameter sets differ in size; boxing
// them would defeat that. Mirrors the per-key types' own layout.
#[allow(clippy::large_enum_variant)]
#[derive(Clone)]
#[non_exhaustive]
pub enum AnyDecapsulationKey {
    /// An ML-KEM-512 decapsulation key.
    MlKem512(MlKem512DecapsKey),
    /// An ML-KEM-768 decapsulation key.
    MlKem768(MlKem768DecapsKey),
    /// An ML-KEM-1024 decapsulation key.
    MlKem1024(MlKem1024DecapsKey),
}

impl core::fmt::Debug for AnyDecapsulationKey {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        // Never print key material.
        let kind = match self {
            AnyDecapsulationKey::MlKem512(_) => "MlKem512",
            AnyDecapsulationKey::MlKem768(_) => "MlKem768",
            AnyDecapsulationKey::MlKem1024(_) => "MlKem1024",
        };
        write!(f, "AnyDecapsulationKey::{kind}(<redacted>)")
    }
}

impl AnyDecapsulationKey {
    /// Parses a PKCS#8 `PrivateKeyInfo` DER (raw expanded `dk` form) by trying
    /// each ML-KEM parameter set in turn (512, then 768, then 1024); the first
    /// that parses and validates (FIPS 203 §7.3 key check) wins. An input that
    /// matches no set yields [`Error::UnsupportedAlgorithm`].
    ///
    /// **Plaintext only** — encrypted (PBES2 `EncryptedPrivateKeyInfo`) KEM keys
    /// are not handled here; decrypt them via the per-set
    /// `from_pkcs8_der_encrypted` constructor with a known parameter set.
    pub fn from_pkcs8_der(der: &[u8]) -> Result<Self, Error> {
        if let Ok(k) = MlKem512DecapsKey::from_pkcs8_der(der) {
            Ok(AnyDecapsulationKey::MlKem512(k))
        } else if let Ok(k) = MlKem768DecapsKey::from_pkcs8_der(der) {
            Ok(AnyDecapsulationKey::MlKem768(k))
        } else if let Ok(k) = MlKem1024DecapsKey::from_pkcs8_der(der) {
            Ok(AnyDecapsulationKey::MlKem1024(k))
        } else {
            Err(Error::UnsupportedAlgorithm)
        }
    }

    /// Parses a PKCS#8 PEM (`-----BEGIN PRIVATE KEY-----`) ML-KEM decapsulation
    /// key. Plaintext only; see [`Self::from_pkcs8_der`].
    pub fn from_pkcs8_pem(pem: &str) -> Result<Self, Error> {
        Self::from_pkcs8_der(&pem_decode(pem, "PRIVATE KEY")?)
    }

    /// The ML-KEM parameter set of this key.
    pub fn algorithm(&self) -> crate::key::Algorithm {
        match self {
            AnyDecapsulationKey::MlKem512(_) => crate::key::Algorithm::MlKem512,
            AnyDecapsulationKey::MlKem768(_) => crate::key::Algorithm::MlKem768,
            AnyDecapsulationKey::MlKem1024(_) => crate::key::Algorithm::MlKem1024,
        }
    }
}

#[cfg(feature = "key")]
impl AnyDecapsulationKey {
    /// Converts this key into a boxed unified [`Decapsulator`](crate::key::Decapsulator)
    /// trait object, so a parsed-by-set KEM key can be decapsulated
    /// polymorphically without matching on the variant.
    pub fn into_dyn(self) -> alloc::boxed::Box<dyn crate::key::Decapsulator> {
        use alloc::boxed::Box;
        match self {
            AnyDecapsulationKey::MlKem512(k) => Box::new(k),
            AnyDecapsulationKey::MlKem768(k) => Box::new(k),
            AnyDecapsulationKey::MlKem1024(k) => Box::new(k),
        }
    }

    /// Borrows the matched variant as a [`Decapsulator`](crate::key::Decapsulator).
    fn inner(&self) -> &dyn crate::key::Decapsulator {
        match self {
            AnyDecapsulationKey::MlKem512(k) => k,
            AnyDecapsulationKey::MlKem768(k) => k,
            AnyDecapsulationKey::MlKem1024(k) => k,
        }
    }
}

/// `AnyDecapsulationKey` is itself a [`Decapsulator`](crate::key::Decapsulator):
/// it delegates to the matched variant, so a parsed-by-set KEM key is usable
/// both ways — `match` on it for the concrete parameter-set API, or decapsulate
/// directly without erasing the type.
#[cfg(feature = "key")]
impl crate::key::Decapsulator for AnyDecapsulationKey {
    fn decapsulate(&self, ct: &[u8]) -> Result<crate::key::Secret, crate::key::Error> {
        self.inner().decapsulate(ct)
    }
}

/// An ML-KEM (FIPS 203) encapsulation (public) key of any parameter set — the
/// KEM counterpart to [`AnyPublicKey`](super::AnyPublicKey), returned by
/// [`AnyEncapsulationKey::from_spki_der`].
///
/// `#[non_exhaustive]`: new parameter sets are added over time.
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug)]
#[non_exhaustive]
pub enum AnyEncapsulationKey {
    /// An ML-KEM-512 encapsulation key.
    MlKem512(MlKem512EncapsKey),
    /// An ML-KEM-768 encapsulation key.
    MlKem768(MlKem768EncapsKey),
    /// An ML-KEM-1024 encapsulation key.
    MlKem1024(MlKem1024EncapsKey),
}

impl AnyEncapsulationKey {
    /// Parses a PKIX `SubjectPublicKeyInfo` DER by trying each ML-KEM parameter
    /// set in turn (512, then 768, then 1024); the first that parses and
    /// validates (FIPS 203 §7.2 encapsulation-key check) wins. An input that
    /// matches no set yields [`Error::UnsupportedAlgorithm`].
    pub fn from_spki_der(der: &[u8]) -> Result<Self, Error> {
        if let Ok(k) = MlKem512EncapsKey::from_spki_der(der) {
            Ok(AnyEncapsulationKey::MlKem512(k))
        } else if let Ok(k) = MlKem768EncapsKey::from_spki_der(der) {
            Ok(AnyEncapsulationKey::MlKem768(k))
        } else if let Ok(k) = MlKem1024EncapsKey::from_spki_der(der) {
            Ok(AnyEncapsulationKey::MlKem1024(k))
        } else {
            Err(Error::UnsupportedAlgorithm)
        }
    }

    /// Parses a PKIX PEM (`-----BEGIN PUBLIC KEY-----`) ML-KEM encapsulation key.
    /// See [`Self::from_spki_der`].
    pub fn from_spki_pem(pem: &str) -> Result<Self, Error> {
        Self::from_spki_der(&pem_decode(pem, "PUBLIC KEY")?)
    }

    /// The ML-KEM parameter set of this key.
    pub fn algorithm(&self) -> crate::key::Algorithm {
        match self {
            AnyEncapsulationKey::MlKem512(_) => crate::key::Algorithm::MlKem512,
            AnyEncapsulationKey::MlKem768(_) => crate::key::Algorithm::MlKem768,
            AnyEncapsulationKey::MlKem1024(_) => crate::key::Algorithm::MlKem1024,
        }
    }
}

#[cfg(feature = "key")]
impl AnyEncapsulationKey {
    /// Converts this key into a boxed unified [`Encapsulator`](crate::key::Encapsulator)
    /// trait object, so a parsed-by-set KEM key can encapsulate polymorphically
    /// without matching on the variant.
    pub fn into_dyn(self) -> alloc::boxed::Box<dyn crate::key::Encapsulator> {
        use alloc::boxed::Box;
        match self {
            AnyEncapsulationKey::MlKem512(k) => Box::new(k),
            AnyEncapsulationKey::MlKem768(k) => Box::new(k),
            AnyEncapsulationKey::MlKem1024(k) => Box::new(k),
        }
    }

    /// Borrows the matched variant as an [`Encapsulator`](crate::key::Encapsulator).
    fn inner(&self) -> &dyn crate::key::Encapsulator {
        match self {
            AnyEncapsulationKey::MlKem512(k) => k,
            AnyEncapsulationKey::MlKem768(k) => k,
            AnyEncapsulationKey::MlKem1024(k) => k,
        }
    }
}

/// `AnyEncapsulationKey` is itself an [`Encapsulator`](crate::key::Encapsulator):
/// it delegates to the matched variant.
#[cfg(feature = "key")]
impl crate::key::Encapsulator for AnyEncapsulationKey {
    fn encapsulate(
        &self,
        rng: &mut dyn crate::rng::CryptoRngCore,
    ) -> Result<(alloc::vec::Vec<u8>, crate::key::Secret), crate::key::Error> {
        self.inner().encapsulate(rng)
    }
}

/// The outer "either" enum over a PKCS#8 secret key: a signing/agreement facade
/// key ([`AnyPrivateKey`](super::AnyPrivateKey)) **or** a KEM decapsulation key
/// ([`AnyDecapsulationKey`]). Returned by [`AnyKey::from_pkcs8_der`].
///
/// [`AnyPrivateKey`](super::AnyPrivateKey) can still be used directly when you
/// don't expect a KEM key; this outer enum is for code that might receive
/// either.
///
/// `#[non_exhaustive]`: new key categories may be added over time.
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug)]
#[non_exhaustive]
pub enum AnyKey {
    /// A signing or key-agreement private key.
    PrivateKey(super::AnyPrivateKey),
    /// An ML-KEM decapsulation key.
    DecapsulationKey(AnyDecapsulationKey),
}

impl AnyKey {
    /// Parses a PKCS#8 secret key from DER, accepting either a facade
    /// (signing/agreement) key or an ML-KEM decapsulation key.
    ///
    /// [`AnyPrivateKey::from_pkcs8_der`](super::AnyPrivateKey::from_pkcs8_der)
    /// is tried first (it dispatches on the `privateKeyAlgorithm` OID, honoring
    /// `opts` for encrypted keys). Only if that reports
    /// [`Error::UnsupportedAlgorithm`] — i.e. a well-formed PKCS#8 whose OID is
    /// none of the facade algorithms — does it fall back to the ML-KEM sets via
    /// [`AnyDecapsulationKey::from_pkcs8_der`]. Any other error (malformed
    /// input, missing/wrong password) propagates unchanged.
    pub fn from_pkcs8_der(der: &[u8], opts: super::Pkcs8ReadOptions) -> Result<Self, Error> {
        match super::AnyPrivateKey::from_pkcs8_der(der, opts) {
            Ok(k) => Ok(AnyKey::PrivateKey(k)),
            Err(Error::UnsupportedAlgorithm) => Ok(AnyKey::DecapsulationKey(
                AnyDecapsulationKey::from_pkcs8_der(der)?,
            )),
            Err(e) => Err(e),
        }
    }

    /// Parses a PKCS#8 secret key from PEM, accepting either a facade key or an
    /// ML-KEM decapsulation key. See [`Self::from_pkcs8_der`].
    pub fn from_pkcs8_pem(pem: &str, opts: super::Pkcs8ReadOptions) -> Result<Self, Error> {
        match super::AnyPrivateKey::from_pkcs8_pem(pem, opts) {
            Ok(k) => Ok(AnyKey::PrivateKey(k)),
            Err(Error::UnsupportedAlgorithm) => Ok(AnyKey::DecapsulationKey(
                AnyDecapsulationKey::from_pkcs8_pem(pem)?,
            )),
            Err(e) => Err(e),
        }
    }
}

/// The outer "either" enum over an SPKI public key: a verifying/agreement facade
/// key ([`AnyPublicKey`](super::AnyPublicKey)) **or** a KEM encapsulation key
/// ([`AnyEncapsulationKey`]). The public-key mirror of [`AnyKey`].
///
/// [`AnyPublicKey`](super::AnyPublicKey) can still be used directly when you
/// don't expect a KEM key; this outer enum is for code that might receive
/// either.
///
/// `#[non_exhaustive]`: new key categories may be added over time.
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug)]
#[non_exhaustive]
pub enum AnyKeyPublic {
    /// A signing or key-agreement public key.
    PublicKey(super::AnyPublicKey),
    /// An ML-KEM encapsulation key.
    EncapsulationKey(AnyEncapsulationKey),
}

impl AnyKeyPublic {
    /// Parses a PKIX `SubjectPublicKeyInfo` DER, accepting either a facade
    /// public key or an ML-KEM encapsulation key.
    ///
    /// [`AnyPublicKey::from_spki_der`](super::AnyPublicKey::from_spki_der) is
    /// tried first; only on [`Error::UnsupportedAlgorithm`] does it fall back to
    /// the ML-KEM sets via [`AnyEncapsulationKey::from_spki_der`]. Any other
    /// error propagates unchanged.
    pub fn from_spki_der(der: &[u8]) -> Result<Self, Error> {
        match super::AnyPublicKey::from_spki_der(der) {
            Ok(k) => Ok(AnyKeyPublic::PublicKey(k)),
            Err(Error::UnsupportedAlgorithm) => Ok(AnyKeyPublic::EncapsulationKey(
                AnyEncapsulationKey::from_spki_der(der)?,
            )),
            Err(e) => Err(e),
        }
    }

    /// Parses a PKIX PEM public key, accepting either a facade public key or an
    /// ML-KEM encapsulation key. See [`Self::from_spki_der`].
    pub fn from_spki_pem(pem: &str) -> Result<Self, Error> {
        Self::from_spki_der(&pem_decode(pem, "PUBLIC KEY")?)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::hash::Sha256;
    use crate::rng::HmacDrbg;

    fn rng(seed: &[u8]) -> HmacDrbg<Sha256> {
        HmacDrbg::<Sha256>::new(seed, b"nonce", &[])
    }

    #[test]
    fn any_decaps_dispatch_768() {
        let mut r = rng(b"anykey-768");
        let (dk, ek) = MlKem768DecapsKey::generate(&mut r);
        let pem = dk.to_pkcs8_pem();

        let parsed = AnyDecapsulationKey::from_pkcs8_pem(&pem).unwrap();
        assert!(matches!(parsed, AnyDecapsulationKey::MlKem768(_)));
        assert_eq!(parsed.algorithm(), crate::key::Algorithm::MlKem768);

        // A 768 key must NOT mis-parse as 512 or 1024.
        match parsed {
            AnyDecapsulationKey::MlKem768(_) => {}
            other => panic!("wrong set: {other:?}"),
        }

        // SPKI side.
        let spki = ek.to_spki_pem();
        let pub_parsed = AnyEncapsulationKey::from_spki_pem(&spki).unwrap();
        assert!(matches!(pub_parsed, AnyEncapsulationKey::MlKem768(_)));
    }

    #[cfg(feature = "key")]
    #[test]
    fn anykey_routes_kem_and_roundtrips_secret() {
        use crate::key::Encapsulator;

        let mut r = rng(b"anykey-route");
        let (dk, ek) = MlKem768DecapsKey::generate(&mut r);
        let pem = dk.to_pkcs8_pem();

        // Outer AnyKey routes a KEM key into the DecapsulationKey arm.
        let parsed = AnyKey::from_pkcs8_pem(&pem, super::super::Pkcs8ReadOptions::new()).unwrap();
        let decaps = match parsed {
            AnyKey::DecapsulationKey(d @ AnyDecapsulationKey::MlKem768(_)) => d,
            other => panic!("expected ML-KEM-768 decaps key, got {other:?}"),
        };

        // Encapsulate with the public key (via the unified Encapsulator trait,
        // which yields wire bytes), decapsulate via the boxed Decapsulator.
        let (ct, ss_a) = Encapsulator::encapsulate(&ek, &mut r).unwrap();
        let boxed = decaps.into_dyn();
        let ss_b = boxed.decapsulate(&ct).unwrap();
        assert_eq!(ss_a.as_bytes(), ss_b.as_bytes());
    }

    #[test]
    fn anykey_routes_ed25519_to_private_key() {
        use crate::ec::Ed25519PrivateKey;
        let mut r = rng(b"anykey-ed");
        let sk = Ed25519PrivateKey::generate(&mut r);
        let pem = sk.to_pkcs8_pem();

        let parsed = AnyKey::from_pkcs8_pem(&pem, super::super::Pkcs8ReadOptions::new()).unwrap();
        assert!(matches!(
            parsed,
            AnyKey::PrivateKey(super::super::AnyPrivateKey::Ed25519(_))
        ));
    }

    #[test]
    fn any_decaps_rejects_non_kem_pkcs8() {
        use crate::ec::Ed25519PrivateKey;
        let mut r = rng(b"anykey-notkem");
        let sk = Ed25519PrivateKey::generate(&mut r);
        let der = sk.to_pkcs8_der();
        assert!(matches!(
            AnyDecapsulationKey::from_pkcs8_der(&der),
            Err(Error::UnsupportedAlgorithm)
        ));
    }
}