feat: encrypt ML-KEM-768&1024

src/cmd_encrypt.rs

@@ -12,24 +12,20 @@ use rust_util::{debugging, failure, iff, information, opt_result, simple_error,
 
 use crate::compress::GzStreamEncoder;
 use crate::config::{TinyEncryptConfig, TinyEncryptConfigEnvelop};
-use crate::consts::{
-    ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384, ENC_AES256_GCM_X25519,
-    ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_P256, ENC_CHACHA20_POLY1305_P384,
-    ENC_CHACHA20_POLY1305_X25519, SALT_COMMENT, TINY_ENC_FILE_EXT, TINY_ENC_PEM_FILE_EXT,
-    TINY_ENC_PEM_NAME,
-};
+use crate::consts::{ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_MLKEM1024, ENC_AES256_GCM_MLKEM768, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384, ENC_AES256_GCM_X25519, ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_MLKEM1024, ENC_CHACHA20_POLY1305_MLKEM768, ENC_CHACHA20_POLY1305_P256, ENC_CHACHA20_POLY1305_P384, ENC_CHACHA20_POLY1305_X25519, SALT_COMMENT, TINY_ENC_FILE_EXT, TINY_ENC_PEM_FILE_EXT, TINY_ENC_PEM_NAME};
 use crate::crypto_cryptor::{Cryptor, KeyNonce};
 use crate::spec::{
     EncEncryptedMeta, EncMetadata,
     TinyEncryptEnvelop, TinyEncryptEnvelopType, TinyEncryptMeta,
 };
-use crate::util::{is_tiny_enc_file, to_pem};
+use crate::util::{decode_base64, is_tiny_enc_file, to_pem};
 use crate::util_ecdh::{ecdh_kyber1024, ecdh_p256, ecdh_p384, ecdh_x25519};
 use crate::util_progress::Progress;
-use crate::util_rsa;
+use crate::{util_mlkem, util_rsa};
 use crate::wrap_key::{WrapKey, WrapKeyHeader};
 use crate::{crypto_cryptor, crypto_simple, util, util_enc_file, util_env, util_gpg};
 use crate::temporary_key::parse_temporary_keys;
+use crate::util_mlkem::MlKemAlgo;
 
 #[derive(Debug, Args)]
 pub struct CmdEncrypt {
@@ -333,10 +329,12 @@ pub fn encrypt_envelops(cryptor: Cryptor, key: &[u8], envelops: &[&TinyEncryptCo
             TinyEncryptEnvelopType::PivP384 | TinyEncryptEnvelopType::ExtP384 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_p384(cryptor, key, envelop)?);
             }
-            // TODO ML-KEM 768 & 1024
             TinyEncryptEnvelopType::StaticKyber1024 => {
                 encrypted_envelops.push(encrypt_envelop_ecdh_kyber1204(cryptor, key, envelop)?);
             }
+            TinyEncryptEnvelopType::ExtMlKem768 | TinyEncryptEnvelopType::ExtMlKem1024 => {
+                encrypted_envelops.push(encrypt_envelop_ecdh_ml_kem(cryptor, key, envelop)?);
+            }
             _ => return simple_error!("Not supported type: {:?}", envelop.r#type),
         }
     }
@@ -383,6 +381,19 @@ fn encrypt_envelop_ecdh_kyber1204(cryptor: Cryptor, key: &[u8], envelop: &TinyEn
     encrypt_envelop_shared_secret(cryptor, key, &shared_secret, &ephemeral_spki, enc_type, envelop)
 }
 
+fn encrypt_envelop_ecdh_ml_kem(cryptor: Cryptor, key: &[u8], envelop: &TinyEncryptConfigEnvelop) -> XResult<TinyEncryptEnvelop> {
+    let public_key_base64 = &envelop.public_part;
+    let public_key = opt_result!(decode_base64(public_key_base64), "Decode ML-KEM public key from base64 failed: {}");
+    let (shared_secret, ciphertext, ml_kem_algo) = util_mlkem::try_ml_kem_encapsulate(&public_key)?;
+    let enc_type = match (cryptor, ml_kem_algo) {
+        (Cryptor::Aes256Gcm, MlKemAlgo::MlKem768) => ENC_AES256_GCM_MLKEM768,
+        (Cryptor::Aes256Gcm, MlKemAlgo::MlKem1024) => ENC_AES256_GCM_MLKEM1024,
+        (Cryptor::ChaCha20Poly1305, MlKemAlgo::MlKem768) => ENC_CHACHA20_POLY1305_MLKEM768,
+        (Cryptor::ChaCha20Poly1305, MlKemAlgo::MlKem1024) => ENC_CHACHA20_POLY1305_MLKEM1024,
+    };
+    encrypt_envelop_shared_secret(cryptor, key, &shared_secret, &ciphertext, enc_type, envelop)
+}
+
 fn encrypt_envelop_shared_secret(cryptor: Cryptor,
                                  key: &[u8],
                                  shared_secret: &[u8],