feat: v1.6.0, support kyber1024

Author: jht5945

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "tiny-encrypt"
-version = "1.5.3"
+version = "1.6.0"
 edition = "2021"
 license = "MIT"
 description = "A simple and tiny file encrypt tool"
@@ -46,6 +46,8 @@ yubikey = { version = "0.8", features = ["untested"], optional = true }
 zeroize = "1.7"
 swift-rs = { path = "swift-rs", optional = true }
 spki = "0.7.3"
+pqcrypto-kyber = "0.8.0"
+pqcrypto-traits = "0.3.5"
 
 [build-dependencies]
 swift-rs = { path = "swift-rs", features = ["build"], optional = true }

Cargo.toml

@@ -25,8 +25,9 @@ use crate::compress::GzStreamDecoder;
 use crate::config::TinyEncryptConfig;
 use crate::consts::{
     DATE_TIME_FORMAT,
-    ENC_AES256_GCM_P256, ENC_AES256_GCM_P384, ENC_AES256_GCM_X25519,
-    ENC_CHACHA20_POLY1305_P256, ENC_CHACHA20_POLY1305_P384, ENC_CHACHA20_POLY1305_X25519,
+    ENC_AES256_GCM_KYBER1204, ENC_AES256_GCM_P256, ENC_AES256_GCM_P384,
+    ENC_AES256_GCM_X25519, ENC_CHACHA20_POLY1305_KYBER1204, ENC_CHACHA20_POLY1305_P256,
+    ENC_CHACHA20_POLY1305_P384, ENC_CHACHA20_POLY1305_X25519,
     SALT_COMMENT, TINY_ENC_CONFIG_FILE, TINY_ENC_FILE_EXT,
 };
 use crate::crypto_cryptor::{Cryptor, KeyNonce};
@@ -451,6 +452,8 @@ pub fn try_decrypt_key(config: &Option<TinyEncryptConfig>,
         #[cfg(feature = "secure-enclave")]
         TinyEncryptEnvelopType::KeyP256 => try_decrypt_se_key_ecdh(config, envelop),
         TinyEncryptEnvelopType::PivRsa => try_decrypt_piv_key_rsa(config, envelop, pin, slot),
+        #[cfg(feature = "macos")]
+        TinyEncryptEnvelopType::StaticKyber1024 => try_decrypt_key_ecdh_static_kyber1204(config, envelop),
         unknown_type => simple_error!("Unknown or unsupported type: {}", unknown_type.get_name()),
     }
 }
@@ -619,7 +622,42 @@ fn try_decrypt_key_ecdh_static_x25519(config: &Option<TinyEncryptConfig>, envelo
     };
 
     let shared_secret = opt_result!(
-        util_keychainstatic::decrypt_data(&keychain_key, &e_pub_key_bytes), "Decrypt static x25519 failed: {}");
+        util_keychainstatic::decrypt_x25519_data(&keychain_key, &e_pub_key_bytes), "Decrypt static x25519 failed: {}");
+
+    let key = util::simple_kdf(shared_secret.as_slice());
+    let key_nonce = KeyNonce { k: &key, n: &wrap_key.nonce };
+    let decrypted_key = crypto_simple::decrypt(
+        cryptor, &key_nonce, &wrap_key.encrypted_data)?;
+    util::zeroize(key);
+    util::zeroize(shared_secret);
+    Ok(decrypted_key)
+}
+
+#[cfg(feature = "macos")]
+fn try_decrypt_key_ecdh_static_kyber1204(config: &Option<TinyEncryptConfig>, envelop: &TinyEncryptEnvelop) -> XResult<Vec<u8>> {
+    let wrap_key = WrapKey::parse(&envelop.encrypted_key)?;
+    let cryptor = match wrap_key.header.enc.as_str() {
+        ENC_AES256_GCM_KYBER1204 => Cryptor::Aes256Gcm,
+        ENC_CHACHA20_POLY1305_KYBER1204 => Cryptor::ChaCha20Poly1305,
+        _ => return simple_error!("Unsupported header enc: {}", &wrap_key.header.enc),
+    };
+    let e_pub_key_bytes = wrap_key.header.get_e_pub_key_bytes()?;
+    let config = opt_value_result!(config, "Tiny encrypt config is not found");
+    let config_envelop = opt_value_result!(
+        config.find_by_kid(&envelop.kid), "Cannot find config for: {}", &envelop.kid);
+    let config_envelop_args = opt_value_result!(&config_envelop.args, "No arguments found for: {}", &envelop.kid);
+    if config_envelop_args.len() != 1 && config_envelop_args.len() != 3 {
+        return simple_error!("Not enough arguments for: {}", &envelop.kid);
+    }
+
+    let keychain_key = if config_envelop_args.len() == 1 {
+        KeychainKey::parse(&config_envelop_args[0])?
+    } else {
+        KeychainKey::from(&config_envelop_args[0], &config_envelop_args[1], &config_envelop_args[2])
+    };
+
+    let shared_secret = opt_result!(
+        util_keychainstatic::decrypt_kyber1204_data(&keychain_key, &e_pub_key_bytes), "Decrypt static kyber1204 failed: {}");
 
     let key = util::simple_kdf(shared_secret.as_slice());
     let key_nonce = KeyNonce { k: &key, n: &wrap_key.nonce };