18 changes: 15 additions & 3 deletions docs/grpc/index.html
2 changes: 2 additions & 0 deletions docs/openapi/authorization/authorization.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/authorization/v2/authorization.openapi.yaml
6 changes: 3 additions & 3 deletions docs/openapi/kas/kas.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/actions/actions.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/attributes/attributes.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/namespaces/namespaces.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/objects.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/obligations/obligations.openapi.yaml
2 changes: 2 additions & 0 deletions docs/openapi/policy/unsafe/unsafe.openapi.yaml
6 changes: 6 additions & 0 deletions lib/ocrypto/asym_decryption.go
Expand Up @@ -43,6 +43,12 @@ func FromPrivatePEMWithSalt(privateKeyInPem string, salt, info []byte) (PrivateK
if block == nil {
return AsymDecryption{}, errors.New("failed to parse PEM formatted private key")
}
if block.Type == PEMBlockXWingPrivateKey {
return NewSaltedXWingDecryptor(block.Bytes, salt, info)
}
if params, ok := hybridParamsFromPrivatePEMType(block.Type); ok {
return newSaltedHybridECMLKEMDecryptor(params, block.Bytes, salt, info)
}
Comment on lines +46 to +51
Contributor


critical

There is a type mismatch here. NewSaltedXWingDecryptor and newSaltedHybridECMLKEMDecryptor return pointers to specific decryptor types (e.g., *XWingDecryptor), but FromPrivatePEMWithSalt is declared to return an AsymDecryption struct. This will cause a compilation error. You likely need to wrap these decryptors in an AsymDecryption instance before returning.


priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
switch {
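Review bot: The two new branches call constructors with mismatched visibility — `NewSaltedXWingDecryptor` is exported while `newSaltedHybridECMLKEMDecryptor` is not — and asym_encryption.go repeats the split with `NewXWingEncryptor` versus `newHybridECMLKEMEncryptor`. If the X-Wing constructors are meant to be public API, the EC+ML-KEM ones should presumably be exported as well; if the PEM entry points are meant to be the only way in, both should be unexported, so callers see one consistent surface. The dispatch on `block.Type` also deserves a sentence in the doc comment of `FromPrivatePEMWithSalt`, e.g. `// X-Wing and EC+ML-KEM hybrid private keys are recognised by their PEM block type and handled before the PKCS#8 path.` The function's signature and the remainder of its body lie outside this hunk.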
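--- a/lib/ocrypto/asym_encryption.go
+++ b/lib/ocrypto/asym_encryption.go
@@ -23,8 +23,9 @@ import (
 type SchemeType string
 
 const (
-	RSA SchemeType = "wrapped"
-	EC SchemeType = "ec-wrapped"
+	RSA    SchemeType = "wrapped"
+	EC     SchemeType = "ec-wrapped"
+	Hybrid SchemeType = "hybrid-wrapped"
 )
 
 type PublicKeyEncryptor interface {
@@ -69,6 +70,17 @@ func FromPublicPEM(publicKeyInPem string) (PublicKeyEncryptor, error) {
 }
 
 func FromPublicPEMWithSalt(publicKeyInPem string, salt, info []byte) (PublicKeyEncryptor, error) {
+	block, _ := pem.Decode([]byte(publicKeyInPem))
+	if block == nil {
+		return nil, errors.New("failed to parse PEM formatted public key")
+	}
+	if block.Type == PEMBlockXWingPublicKey {
+		return NewXWingEncryptor(block.Bytes, salt, info)
+	}
+	if params, ok := hybridParamsFromPublicPEMType(block.Type); ok {
+		return newHybridECMLKEMEncryptor(params, block.Bytes, salt, info)
+	}
+
 	pub, err := getPublicPart(publicKeyInPem)
 	if err != nil {
 		return nil, err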
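Review bot: `FromPublicPEMWithSalt` now decodes the PEM at the top of the new block and then, on the non-hybrid path, hands the original string back to `getPublicPart`, which presumably decodes it a second time; if `getPublicPart` can accept the already-decoded block (or its DER bytes), the double decode disappears and the two "malformed PEM" error paths collapse into one. The exported function also still lacks a doc comment; something like `// FromPublicPEMWithSalt builds a PublicKeyEncryptor for a PEM-encoded public key. X-Wing and EC+ML-KEM hybrid keys are selected by PEM block type and receive salt and info; other keys fall through to the RSA/EC path.` would state the new dispatch contract. The new `Hybrid` scheme constant is likewise undocumented, and the function body continues past the hunk.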
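--- a/lib/ocrypto/ec_key_pair.go
+++ b/lib/ocrypto/ec_key_pair.go
@@ -22,11 +22,14 @@ type ECCMode uint8
 type KeyType string
 
 const (
-	RSA2048Key KeyType = "rsa:2048"
-	RSA4096Key KeyType = "rsa:4096"
-	EC256Key KeyType = "ec:secp256r1"
-	EC384Key KeyType = "ec:secp384r1"
-	EC521Key KeyType = "ec:secp521r1"
+	RSA2048Key                  KeyType = "rsa:2048"
+	RSA4096Key                  KeyType = "rsa:4096"
+	EC256Key                    KeyType = "ec:secp256r1"
+	EC384Key                    KeyType = "ec:secp384r1"
+	EC521Key                    KeyType = "ec:secp521r1"
+	HybridXWingKey              KeyType = "hpqt:xwing"
+	HybridSecp256r1MLKEM768Key  KeyType = "hpqt:secp256r1-mlkem768"
+	HybridSecp384r1MLKEM1024Key KeyType = "hpqt:secp384r1-mlkem1024"
 )
 
 const (
@@ -64,6 +67,12 @@ func NewKeyPair(kt KeyType) (KeyPair, error) {
 			return nil, err
 		}
 		return NewECKeyPair(mode)
+	case HybridXWingKey:
+		return NewXWingKeyPair()
+	case HybridSecp256r1MLKEM768Key:
+		return NewP256MLKEM768KeyPair()
+	case HybridSecp384r1MLKEM1024Key:
+		return NewP384MLKEM1024KeyPair()
 	default:
 		return nil, fmt.Errorf("unsupported key type: %v", kt)
 	}
@@ -91,6 +100,15 @@ func IsRSAKeyType(kt KeyType) bool {
 	}
 }
 
+func IsHybridKeyType(kt KeyType) bool {
+	switch kt { //nolint:exhaustive // only handle hybrid types
+	case HybridXWingKey, HybridSecp256r1MLKEM768Key, HybridSecp384r1MLKEM1024Key:
+		return true
+	default:
+		return false
+	}
+}
+
 // GetECCurveFromECCMode return elliptic curve from ecc mode
 func GetECCurveFromECCMode(mode ECCMode) (elliptic.Curve, error) {
 	var c elliptic.Curve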
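Review bot: `IsHybridKeyType` is exported but has no doc comment, unlike its neighbour `GetECCurveFromECCMode`; add `// IsHybridKeyType reports whether kt is one of the hybrid post-quantum key types (X-Wing or EC+ML-KEM).` above it. The three new `KeyType` constants introduce an `hpqt:` prefix that nothing explains — presumably "hybrid post-quantum/traditional", but a one-line comment on the const block should say so since these strings are the wire-level identifiers. Because `IsRSAKeyType` sits alongside, check whether any sibling predicate that enumerates key types (an EC one, if it exists) was also meant to learn about the new values; that is not visible from these hunks.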