From 1d49b7c1c1048aae5acc93e8cc55cbc0b753582b Mon Sep 17 00:00:00 2001
From: Hatter Jiang
Date: Sat, 27 Sep 2025 12:11:03 +0800
Subject: [PATCH] feat: external_ecdh for ML-KEM
---
 src/cmd_external_ecdh.rs | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/cmd_external_ecdh.rs b/src/cmd_external_ecdh.rs
index 2eff207..9ff07d9 100644
--- a/src/cmd_external_ecdh.rs
+++ b/src/cmd_external_ecdh.rs
@@ -1,6 +1,6 @@
 use crate::keyutil::{parse_key_uri, KeyAlgorithmId, KeyUri, KeyUsage};
 use crate::pivutil::ToStr;
-use crate::{cmd_hmac_decrypt, cmd_se_ecdh, cmdutil, ecdhutil, pivutil, seutil, util, yubikeyutil};
+use crate::{cmd_hmac_decrypt, cmd_se_ecdh, cmdutil, ecdhutil, mlkemutil, pivutil, seutil, util, yubikeyutil};
 use clap::{App, ArgMatches, SubCommand};
 use rust_util::util_clap::{Command, CommandError};
 use rust_util::XResult;
@@ -123,7 +123,14 @@ pub fn ecdh(
 return Ok(shared_secret.to_vec());
 }
- simple_error!("Invalid private key and/or ephemeral public key")
+ simple_error!("Invalid EC private key and/or ephemeral public key")
+ } else if key.algorithm.is_mlkem() {
+ let private_key = cmd_hmac_decrypt::try_decrypt(&mut None, &key.hmac_enc_private_key)?;
+ let private_key_bytes = try_decode(&private_key)?;
+ if let Ok((_, shared_secret)) = mlkemutil::try_parse_decapsulate_key_private_then_decapsulate(&private_key_bytes, ephemeral_public_key_bytes) {
+ return Ok(shared_secret);
+ }
+ simple_error!("Invalid ML-KEM private key and/or ephemeral public key")
 } else {
 simple_error!("Invalid algorithm: {}", key.algorithm.to_str())
 }
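Review bot: In the new `is_mlkem()` branch the decrypted decapsulation key is held in `private_key` and `private_key_bytes` and nothing visible wipes either before the function returns, on the success or the error path. If these are a plain `String` and `Vec<u8>` (their types are not shown in the hunk), wrapping them would clear the key on drop, e.g. `let private_key_bytes = zeroize::Zeroizing::new(try_decode(&private_key)?);`, assuming the `zeroize` crate is available to the project. The first element of the tuple returned by `try_parse_decapsulate_key_private_then_decapsulate` is also discarded with `_`. If that is the parameter set parsed from the key, comparing it with `key.algorithm` would reject a key URI whose declared algorithm does not match the stored key. A short comment such as `// for ML-KEM, ephemeral_public_key_bytes carries the KEM ciphertext` would explain why the ECDH parameter name is reused here; the body of `ecdh` starts outside the hunk.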