feat: pending ML-KEM encryption and decryption

Cargo.lock

@@ -818,6 +818,15 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "hybrid-array"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2d35805454dc9f8662a98d6d61886ffe26bd465f5960e0e55345c70d5c0d2a9"
+dependencies = [
+ "typenum",
+]
+
 [[package]]
 name = "iana-time-zone"
 version = "0.1.64"
@@ -922,6 +931,25 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "keccak"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ecc2af9a1119c51f12a14607e783cb977bde58bc069ff0c3da1095e635d70654"
+dependencies = [
+ "cpufeatures",
+]
+
+[[package]]
+name = "kem"
+version = "0.3.0-pre.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b8645470337db67b01a7f966decf7d0bafedbae74147d33e641c67a91df239f"
+dependencies = [
+ "rand_core 0.6.4",
+ "zeroize",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -992,6 +1020,19 @@ dependencies = [
  "adler2",
 ]
 
+[[package]]
+name = "ml-kem"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97befee0c869cb56f3118f49d0f9bb68c9e3f380dec23c1100aedc4ec3ba239a"
+dependencies = [
+ "hybrid-array",
+ "kem",
+ "rand_core 0.6.4",
+ "sha3",
+ "zeroize",
+]
+
 [[package]]
 name = "nix"
 version = "0.30.1"
@@ -1757,6 +1798,16 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "sha3"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75872d278a8f37ef87fa0ddbda7802605cb18344497949862c0d4dcb291eba60"
+dependencies = [
+ "digest",
+ "keccak",
+]
+
 [[package]]
 name = "shell-words"
 version = "1.1.0"
@@ -2023,6 +2074,7 @@ dependencies = [
  "hex",
  "indicatif",
  "json5",
+ "ml-kem",
  "openpgp-card",
  "openpgp-card-pcsc",
  "p256",

Cargo.toml

@@ -55,6 +55,7 @@ swift-secure-enclave-tool-rs = "1.0"
 json5 = "0.4"
 external-command-rs = "0.1"
 percent-encoding = "2.3"
+ml-kem = { version = "0.2.1", features = ["zeroize"] }
 
 [profile.release]
 codegen-units = 1

src/cmd_decrypt.rs

@@ -469,6 +469,7 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
         TinyEncryptEnvelopType::PivP256 | TinyEncryptEnvelopType::PivP384 => try_decrypt_piv_key_ecdh(config, envelop, pin, slot, silent),
         TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
         TinyEncryptEnvelopType::ExtP256 | TinyEncryptEnvelopType::ExtP384 => try_decrypt_ext_key_ecdh(config, envelop),
+        // TODO EXT ML-KEM 768 & 1024
         TinyEncryptEnvelopType::PivRsa => try_decrypt_piv_key_rsa(config, envelop, pin, slot, silent),
         #[cfg(feature = "macos")]
         TinyEncryptEnvelopType::StaticKyber1024 => try_decrypt_key_ecdh_static_kyber1204(config, envelop),

src/cmd_encrypt.rs

@@ -333,6 +333,7 @@ pub fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptCo
             TinyEncryptEnvelopType::PivP384 | TinyEncryptEnvelopType::ExtP384 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_p384(cryptor, key, envelop)?);
             }
+            // TODO ML-KEM 768 & 1024
             TinyEncryptEnvelopType::StaticKyber1024 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_kyber1204(cryptor, key, envelop)?);
             }

src/lib.rs

@@ -78,4 +78,5 @@ mod util_keychainkey;
 mod util_simple_pbe;
 mod util_log;
 mod temporary_key;
+mod util_mlkem;
 

src/spec.rs

@@ -98,6 +98,12 @@ pub enum TinyEncryptEnvelopType {
     // External ECDH P384
     #[serde(rename = "ext-p384")]
     ExtP384,
+    // External ML-KEM 768
+    #[serde(rename = "ext-mlkem768")]
+    ExtMlKem768,
+    // External ML-KEM 1024
+    #[serde(rename = "ext-mlkem1024")]
+    ExtMlKem1024,
     // PIV RSA
     #[serde(rename = "piv-rsa")]
     PivRsa,
@@ -124,6 +130,8 @@ impl TinyEncryptEnvelopType {
             TinyEncryptEnvelopType::KeyP256 => "key-p256",
             TinyEncryptEnvelopType::ExtP256 => "ext-p256",
             TinyEncryptEnvelopType::ExtP384 => "ext-p384",
+            TinyEncryptEnvelopType::ExtMlKem768 => "ext-mlkem768",
+            TinyEncryptEnvelopType::ExtMlKem1024 => "ext-mlkem1024",
             TinyEncryptEnvelopType::PivP256 => "piv-p256",
             TinyEncryptEnvelopType::PivP384 => "piv-p384",
             TinyEncryptEnvelopType::PivRsa => "piv-rsa",
@@ -142,6 +150,8 @@ impl TinyEncryptEnvelopType {
             "key-p256" => Some(TinyEncryptEnvelopType::KeyP256),
             "ext-p256" => Some(TinyEncryptEnvelopType::ExtP256),
             "ext-p384" => Some(TinyEncryptEnvelopType::ExtP384),
+            "ext-mlkem768" => Some(TinyEncryptEnvelopType::ExtMlKem768),
+            "ext-mlkem1024" => Some(TinyEncryptEnvelopType::ExtMlKem1024),
             "piv-p256" => Some(TinyEncryptEnvelopType::PivP256),
             "piv-p384" => Some(TinyEncryptEnvelopType::PivP384),
             "piv-rsa" => Some(TinyEncryptEnvelopType::PivRsa),
@@ -162,6 +172,8 @@ impl TinyEncryptEnvelopType {
             | TinyEncryptEnvelopType::PgpX25519
             | TinyEncryptEnvelopType::ExtP256
             | TinyEncryptEnvelopType::ExtP384
+            | TinyEncryptEnvelopType::ExtMlKem768
+            | TinyEncryptEnvelopType::ExtMlKem1024
             | TinyEncryptEnvelopType::PivP256
             | TinyEncryptEnvelopType::PivP384
             | TinyEncryptEnvelopType::PivRsa
@@ -184,7 +196,9 @@ impl TinyEncryptEnvelopType {
             // GPG is unknown(hardware/software)
             TinyEncryptEnvelopType::Gpg
             | TinyEncryptEnvelopType::ExtP256
-            | TinyEncryptEnvelopType::ExtP384 => None,
+            | TinyEncryptEnvelopType::ExtP384
+            | TinyEncryptEnvelopType::ExtMlKem768
+            | TinyEncryptEnvelopType::ExtMlKem1024 => None,
         }
     }
 }