feat: v1.13.21

2025-10-18 14:29:51 +08:00
parent 07e1671867
commit 8a50024285
6 changed files with 282 additions and 298 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "card-cli"
-version = "1.13.20"
+version = "1.13.21"
 authors = ["Hatter Jiang <jht5945@gmail.com>"]
 edition = "2018"

@@ -68,6 +68,7 @@ tokio = "1.45.1"
 ssh-encoding = { version = "0.2.0", features = ["alloc"] }
 zeroize = "1.8"
 ml-kem = { version = "0.2.1", features = ["zeroize"] }
+zeroizing-alloc = "0.1.0"
 #lazy_static = "1.4.0"
 #ctap-hid-fido2 = "2.1.3"

--- a/src/cmd_pgp_card_sign.rs
+++ b/src/cmd_pgp_card_sign.rs
@@ -1,7 +1,7 @@
 use std::collections::BTreeMap;
 use std::fs::File;
 use std::io::{ErrorKind, Read};
-
+use std::ops::Deref;
 use clap::{App, Arg, ArgMatches, SubCommand};
 use digest::Digest;
 use openpgp_card::crypto_data::Hash;
@@ -189,7 +189,7 @@ where
    debugging!("File: {}, length: {}", file_name, file_len);
    loop {
        let len = match f.read(&mut buf) {
-            Ok(0) => return Ok(hasher.finalize().as_slice().to_vec()),
+            Ok(0) => return Ok(hasher.finalize().deref().to_vec()),
            Ok(len) => len,
            Err(ref e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return simple_error!("Calc file digest failed: {}", e),
--- a/src/cmd_se_generate.rs
+++ b/src/cmd_se_generate.rs
@@ -7,7 +7,7 @@ use p256::PublicKey;
 use rust_util::util_clap::{Command, CommandError};
 use spki::DecodePublicKey;
 use std::collections::BTreeMap;
-use swift_secure_enclave_tool_rs::ControlFlag;
+use swift_secure_enclave_tool_rs::{ControlFlag, KeyMlKem};

 pub struct CommandImpl;

@@ -40,6 +40,14 @@ impl Command for CommandImpl {
                    .takes_value(true)
                    .help("Control flag, e.g. none, user-presence, device-passcode, biometry-any, biometry-current-set"),
            )
+            .arg(
+                Arg::with_name("algorithm")
+                    .long("algorithm")
+                    .required(true)
+                    .takes_value(true)
+                    .default_value("p256")
+                    .help("Algorithm, e.g. p256, mlkem768, mlkem1024"),
+            )
            .arg(cmdutil::build_with_hmac_encrypt_arg())
            .arg(cmdutil::build_with_pbe_encrypt_arg())
            .arg(cmdutil::build_double_pin_check_arg())
@@ -68,14 +76,26 @@ impl Command for CommandImpl {
            "biometry-current-set" | "bio-current" => ControlFlag::BiometryCurrentSet,
            _ => return simple_error!("Invalid control flag: {}", control_flag),
        };
-
-        let (public_key_point, public_key_der, private_key) =
-            seutil::generate_secure_enclave_p256_keypair(sign, control_flag)?;
+        let algorithm = sub_arg_matches.value_of("algorithm").unwrap();
+        let (public_key_point, public_key_der, private_key) = match algorithm {
+            "p256" => {
+                seutil::generate_secure_enclave_p256_keypair(sign, control_flag)?
+            }
+            "mlkem768" | "mlkem1024" => {
+                if sign {
+                    return simple_error!("Algorithm: {} only supports key_agreement", algorithm);
+                }
+                seutil::generate_secure_enclave_mlkem_keypair(
+                    iff!(algorithm == "mlkem768", KeyMlKem::MlKem768, KeyMlKem::MlKem1024), control_flag)?
+            }
+            _ => return simple_error!("Unknown algorithm: {}", algorithm),
+        };

        let private_key = cmd_hmac_encrypt::do_encrypt(&private_key, &mut None, sub_arg_matches)?;
        let key_uri = format!(
-            "key://{}:se/p256:{}:{}",
+            "key://{}:se/{}:{}:{}",
            host,
+            algorithm,
            iff!(sign, "signing", "key_agreement"),
            private_key,
        );
--- a/src/main.rs
+++ b/src/main.rs
@@ -86,6 +86,11 @@ mod yubikeyutil;
 mod cmd_yubikey;
 mod mlkemutil;

+use zeroizing_alloc::ZeroAlloc;
+
+#[global_allocator]
+static ALLOC: ZeroAlloc<std::alloc::System> = ZeroAlloc(std::alloc::System);
+
 pub struct DefaultCommandImpl;

 impl DefaultCommandImpl {
--- a/src/seutil.rs
+++ b/src/seutil.rs
@@ -2,7 +2,7 @@ use crate::util::{base64_decode, base64_encode};
 use rust_util::XResult;
 use se_tool::KeyPurpose;
 use swift_secure_enclave_tool_rs as se_tool;
-use swift_secure_enclave_tool_rs::{ControlFlag, DigestType};
+use swift_secure_enclave_tool_rs::{ControlFlag, DigestType, KeyMlKem};

 pub fn is_support_se() -> bool {
    se_tool::is_secure_enclave_supported().unwrap_or_else(|e| {
@@ -35,6 +35,18 @@ pub fn generate_secure_enclave_p256_keypair(
    ))
 }

+pub fn generate_secure_enclave_mlkem_keypair(
+    key_ml_kem: KeyMlKem,
+    control_flag: ControlFlag,
+) -> XResult<(Vec<u8>, Vec<u8>, String)> {
+    let key_material = se_tool::generate_mlkem_keypair(key_ml_kem, control_flag)?;
+    Ok((
+        key_material.public_key_point,
+        key_material.public_key_der,
+        base64_encode(&key_material.private_key_representation),
+    ))
+}
+
 pub fn recover_secure_enclave_p256_public_key(
    private_key: &str,
    sign: bool,