
pqcrypto/
lib.rs

//! PQCrypto - Post-Quantum Cryptography for R-SRP Ultra
//!
//! Provides hybrid cryptographic primitives that combine classical algorithms
//! (RSA, ECDSA) with the post-quantum algorithms (Dilithium, Kyber) that NIST
//! standardized in 2024.
//!
//! # Security Model
//!
//! - **Hybrid Signatures**: Ed25519 + Dilithium2/3/5
//! - **Hybrid KEM**: X25519 + Kyber512/768/1024
//! - An attacker must break both the classical and the post-quantum component
//!   to compromise the system
//!
//! # Standards
//!
//! - NIST FIPS 203: ML-KEM (Key Encapsulation)
//! - NIST FIPS 204: ML-DSA (Digital Signatures)
//! - NIST FIPS 205: SLH-DSA (Hash-based signatures)
// Build-time feature guards: each `compile_error!` below rejects one
// forbidden combination of Cargo features before any code is compiled.

// The two backends are mutually exclusive. This guard only fires when both are
// enabled; a build with neither feature is caught solely by the last guard in
// this group, and only when `debug_assertions` is off.
#[cfg(all(feature = "real-crypto", feature = "mock-crypto"))]
compile_error!("Enable exactly one of `mock-crypto` or `real-crypto` for rsrp-pqcrypto.");

// `production` may never be built on the mock backend...
#[cfg(all(feature = "mock-crypto", feature = "production"))]
compile_error!("`production` cannot be combined with `mock-crypto` in rsrp-pqcrypto.");

// ...and must always have the real backend enabled.
#[cfg(all(not(feature = "real-crypto"), feature = "production"))]
compile_error!("`production` requires `real-crypto` in rsrp-pqcrypto.");

// `production` accepts exactly one feature set: `kyber768` and `dilithium3`
// enabled, and none of the other parameter-set features.
#[cfg(all(
    feature = "production",
    not(all(
        feature = "kyber768",
        feature = "dilithium3",
        not(any(
            feature = "kyber512",
            feature = "kyber1024",
            feature = "dilithium2",
            feature = "dilithium5"
        ))
    ))
))]
compile_error!(
    "`production` freezes algorithms to ML-KEM-768 and ML-DSA-65 only in rsrp-pqcrypto."
);

// Builds without debug assertions must use the real backend.
//
// NOTE(review): `debug_assertions` is a profile setting, not a synonym for
// "release". A profile that sets `debug-assertions = true` is not covered by
// this guard, so only the `production` guards above pin the backend
// independently of the build profile.
#[cfg(not(any(debug_assertions, feature = "real-crypto")))]
compile_error!(
    "Release builds require `real-crypto` for rsrp-pqcrypto (mock backend forbidden in release)."
);
// Submodules of the crate.
pub mod error;
pub mod hybrid;
pub mod kem;
pub mod signature;

// Crate-root re-exports available in every build configuration.
//
// NOTE(review): `MockKemProvider` and `MockProvider` are re-exported without a
// `cfg` gate, so they stay nameable from `real-crypto` and `production` builds
// even though the feature guards in this file forbid the `mock-crypto` feature
// there. Confirm that `kem`/`signature` make the mock types unusable in those
// builds, or gate these two names so production code cannot select a mock
// backend.
pub use error::PqcError;
pub use hybrid::{HybridKEM, HybridSignature};
pub use kem::{KemProvider, Kyber, KyberLevel, MockKemProvider};
pub use signature::{Dilithium, DilithiumLevel, MockProvider, SignatureProvider};

// The `Oqs*` providers are re-exported only when `real-crypto` is enabled.
#[cfg(feature = "real-crypto")]
pub use kem::OqsKemProvider;
#[cfg(feature = "real-crypto")]
pub use signature::OqsProvider;
// PQC algorithm identifiers for serialization. The string values are the
// FIPS 204 / FIPS 203 parameter-set names; the constant names keep the
// Dilithium / Kyber naming used by the rest of the crate.
//
// NOTE(review): the round-3 Dilithium and Kyber schemes are not interoperable
// with the final ML-DSA / ML-KEM standards. Confirm the backend implements the
// FIPS parameter sets, so that these tags describe what was actually used.

/// Identifier serialized for the Dilithium2 level.
pub const ALGORITHM_DILITHIUM2: &str = "ML-DSA-44";
/// Identifier serialized for the Dilithium3 level.
pub const ALGORITHM_DILITHIUM3: &str = "ML-DSA-65";
/// Identifier serialized for the Dilithium5 level.
pub const ALGORITHM_DILITHIUM5: &str = "ML-DSA-87";

/// Identifier serialized for the Kyber512 level.
pub const ALGORITHM_KYBER512: &str = "ML-KEM-512";
/// Identifier serialized for the Kyber768 level.
pub const ALGORITHM_KYBER768: &str = "ML-KEM-768";
/// Identifier serialized for the Kyber1024 level.
pub const ALGORITHM_KYBER1024: &str = "ML-KEM-1024";
/// Crate version, read from `CARGO_PKG_VERSION` at compile time.
pub const VERSION: &str = env!("CARGO_PKG_VERSION");

/// Signature level frozen for production use. It matches the `dilithium3`
/// feature that `production` builds are required to enable.
pub const PRODUCTION_DEFAULT_DILITHIUM_LEVEL: DilithiumLevel = DilithiumLevel::Dilithium3;
/// KEM level frozen for production use. It matches the `kyber768` feature that
/// `production` builds are required to enable.
pub const PRODUCTION_DEFAULT_KYBER_LEVEL: KyberLevel = KyberLevel::Kyber768;
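/// Runtime hardening checks for production deployments.
///
/// When the crate is built with the `production` feature, this inspects two
/// environment variables and rejects values that weaken the deployment:
///
/// - `RUST_LOG` must not contain `debug` or `trace`. The match is a
///   case-insensitive substring test, so a log target whose name contains
///   either word is rejected too (the check fails closed).
/// - `RSRP_HYBRID_REQUIRED` must not be `0`, `false`, `no` or `off`
///   (case-insensitive, surrounding whitespace ignored).
///
/// Without the `production` feature no check is performed and the function
/// always returns `Ok(())`.
///
/// # Errors
///
/// Returns [`PqcError::InvalidParameter`] when either variable holds a
/// forbidden value.
pub fn validate_runtime_security_config() -> Result<(), PqcError> {
    #[cfg(feature = "production")]
    {
        // `std::env::var` returns `Err` for a variable that is unset or not
        // valid Unicode; both cases are treated as "nothing to reject".
        //
        // NOTE(review): only the environment is inspected. A verbose level
        // configured in code, or spelled in a form other than the words
        // `debug`/`trace`, is not seen here. Confirm against the logger the
        // binary actually initialises.
        let verbose_logging = match std::env::var("RUST_LOG") {
            Ok(raw) => {
                let spec = raw.to_ascii_lowercase();
                spec.contains("debug") || spec.contains("trace")
            }
            Err(_) => false,
        };
        if verbose_logging {
            return Err(PqcError::InvalidParameter(
                "RUST_LOG debug/trace is forbidden in production-hardening mode".into(),
            ));
        }

        // Trim before matching, so a padded value such as "false " or "off\n"
        // cannot slip past the comparison.
        //
        // NOTE(review): this is a deny-list of four spellings. The code that
        // consumes RSRP_HYBRID_REQUIRED is not visible here; if it treats any
        // other value as "disabled", that value passes this check. An
        // allow-list of enabling values would fail closed instead.
        let hybrid_disabled = match std::env::var("RSRP_HYBRID_REQUIRED") {
            Ok(raw) => matches!(
                raw.trim().to_ascii_lowercase().as_str(),
                "0" | "false" | "no" | "off"
            ),
            Err(_) => false,
        };
        if hybrid_disabled {
            return Err(PqcError::InvalidParameter(
                "RSRP_HYBRID_REQUIRED cannot be disabled in production-hardening mode".into(),
            ));
        }
    }

    Ok(())
}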