|
| 1 | +apiVersion: opentdf.io/v1alpha1 |
| 2 | +kind: Scenario |
| 3 | +metadata: |
| 4 | + id: pure-mlkem |
| 5 | + name: pure-mlkem |
| 6 | + title: "Pure ML-KEM (mlkem:768 / mlkem:1024) — platform PR #3537" |
| 7 | + created: "2026-05-29" |
| 8 | +instance: |
| 9 | + apiVersion: opentdf.io/v1alpha1 |
| 10 | + kind: Instance |
| 11 | + metadata: |
| 12 | + name: pure-mlkem |
| 13 | + platform: |
| 14 | + source: |
| 15 | + ref: pr:3537 |
| 16 | + ports: |
| 17 | + base: 8080 |
| 18 | + kas: |
| 19 | + alpha: { source: { ref: "pr:3537" }, mode: standard } |
| 20 | + beta: { source: { ref: "pr:3537" }, mode: standard } |
| 21 | + gamma: { source: { ref: "pr:3537" }, mode: standard } |
| 22 | + delta: { source: { ref: "pr:3537" }, mode: standard } |
| 23 | + km1: { source: { ref: "pr:3537" }, mode: key_management } |
| 24 | + km2: { source: { ref: "pr:3537" }, mode: key_management } |
| 25 | +sdks: |
| 26 | + encrypt: |
| 27 | + - sdk: go |
| 28 | + version: refs--pull--3537--head |
| 29 | + decrypt: |
| 30 | + - sdk: go |
| 31 | + version: refs--pull--3537--head |
| 32 | +suite: |
| 33 | + targets: |
| 34 | + - test_pqc.py::test_mlkem_768_roundtrip |
| 35 | + - test_pqc.py::test_mlkem_1024_roundtrip |
| 36 | + containers: |
| 37 | + - ztdf |
| 38 | +expected: | |
| 39 | + Platform built from PR #3537 accepts mlkem:768 and mlkem:1024 managed-key |
| 40 | + registrations on km1 (kids m1 / m2). Encrypt with go@pr:3537 produces a |
| 41 | + single KAO of type "mlkem-wrapped" whose wrappedKey exceeds the raw |
| 42 | + ML-KEM ciphertext (>1088 / >1568 bytes). Decrypt with go@pr:3537 succeeds |
| 43 | + and round-trips the plaintext. |
| 44 | +actual: | |
| 45 | + Both test_mlkem_768_roundtrip and test_mlkem_1024_roundtrip PASS end-to-end |
| 46 | + with go@refs--pull--3537--head encrypt + decrypt against PR #3537 platform |
| 47 | + (head 08ab3a0a, "refactor(ocrypto): encode pure ML-KEM keys as SPKI/PKCS#8 |
| 48 | + with NIST OIDs"). Observed: KAS Registry accepts algorithm enum 20/21, |
| 49 | + emits SPKI/PKCS#8 PEMs of the expected sizes (mlkem:768 ≥ 1184B encap key, |
| 50 | + mlkem:1024 ≥ 1568B). The KAO `type` field is "wrapped" (the existing |
| 51 | + generic type), NOT "mlkem-wrapped" as some PR notes hint — algorithm is |
| 52 | + disambiguated via key registry / kid, not a new KAO type. Test assertion |
| 53 | + was relaxed to accept either; revisit if the PR later adds a distinct type. |
| 54 | +
|
| 55 | + Decrypt with non-PR clients (Java, JS, older Go) not yet observed — those |
| 56 | + SDKs aren't installed in this scenario. Add them to sdks.decrypt and rerun |
| 57 | + to answer the "can older clients decrypt mlkem?" question empirically. |
| 58 | +
|
| 59 | + Setup notes (one-time per PR worktree): |
| 60 | + 1. Symlinked xtest/platform and xtest/sdk/go/dist → DSPX-3302-02-platform-installer |
| 61 | + worktree (uv-tool-installed otdf-sdk-mgr/otdf-local anchor to that worktree). |
| 62 | + 2. Seeded PR worktree with kas-*.pem + keys/ + opentdf.yaml from main |
| 63 | + (PR source tree ships templates but not generated keys; init-temp-keys.sh |
| 64 | + would generate them properly). |
| 65 | + 3. Set PLATFORM_VERSION=0.17.0 (override; PR build reports version "0.9.0") |
| 66 | + and OTDFCTL_HEADS='["refs--pull--3537--head"]' for the test invocation. |
0 commit comments