Commit 06f30ef
feat(kas): Adds FIPS-203 wrap with ML-KEM-768/1024 (#3652)
## ML-KEM 768/1024
The primary motivation for this work is ML-KEM 768 and 1024 support for
key wrapping and KAS/policy algorithm selection. These provide FIPS 3
compliant NIST 203 implementations, which will provide post-quantum
resistance for TDFs created with this algorithm, just as the hybrids do,
but in a way that should be compliant with FIPS 3 approved software and
hardware encryption modules.
Since this is a new feature for the file, we place it within the new
`mlkem-wrapped` KAO type.
As part of this work, we also extend the policy service, KAS, and the
`otdfctl` tool to support key generation, import, and public key access.
For the configuration, this piggy-backs `mlkem_tdf_enabled` on the
existing `hybrid_tdf_enabled`, so if the latter is set then pure mlkem
is *also* enabled. You can enable just pure mlkem without hybrid,
though. I mostly did this as a convenience for testing, so I can
uncouple these later if desired. but to me it makes sense - hybrid
implies mlkem, but the use of mlkem does not imply hybrid. As part of
this, I've made a normalization pass on the config to set the values,
removing the need to check deprecated config names later when making
decisions.
## Notes for the reviewer
- refactored the hybrid KEM to share more code with the pure
mlkem-wrapped kaos
- Still duplicating logic between the asym enc/dec .go and the
`key_pair.go`. The former are mostly used by service, and the latter by
the sdk, so this is compound interest on the technical debt from not
unifying these
- removes a couple of deprecated constructors for the asym library,
which would produce non-conformant mechanisms anyway. I probalby should
put an ! in the CC because of this, lmk if you want me to. I couldn't
find any live use in a github search
- some other small move refactors
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added ML-KEM 768 and 1024 support across key creation,
wrapping/rewrapping, PEM import/export, and TDF flows (including
`mlkem-wrapped` manifest handling).
* **Bug Fixes**
* Improved encryption/decryption dispatch for ML-KEM vs hybrid-wrapped
keys and tightened validation/error behavior for algorithm mismatches.
* **Documentation**
* Updated OpenAPI/proto schemas, CLI/SDK mappings, and man pages to
include the new ML-KEM options and refreshed `policy.Condition.operator`
field documentation.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>1 parent d7caacd commit 06f30ef
67 files changed
Lines changed: 2685 additions & 1452 deletions
File tree
- adr/decisions
- docs
- grpc
- openapi
- authorization
- v2
- policy
- actions
- attributes
- dynamicvaluemapping
- kasregistry
- namespaces
- obligations
- registeredresources
- resourcemapping
- subjectmapping
- unsafe
- lib/ocrypto
- otdfctl
- cmd/policy
- docs/man/policy/kas-registry/key
- e2e
- pkg
- cli
- utils
- protocol/go/policy
- kasregistry
- sdk
- experimental/tdf
- keysplit
- service
- cmd/keygen
- internal/security
- kas
- access
- policy
- db
- kasregistry
- tests-bdd/cukes/utils
- test
- start-up-with-containers
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
| 101 | + | |
| 102 | + | |
| 103 | + | |
| 104 | + | |
| 105 | + | |
| 106 | + | |
| 107 | + | |
| 108 | + | |
| 109 | + | |
| 110 | + | |
| 111 | + | |
| 112 | + | |
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 5 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 7 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments