Update to RC SDK (#410)

This patch brings us up-to-date with the RC SDK. There are a couple of
tweaks to the MLDSA code and the XWing code, mostly a few minor
interface changes. I've adopted those in the backing code, and also
wired up the SHA3 integrity checks.

Author: Lukasa

Sources/Crypto/KEM/BoringSSL/MLKEM_wrapper.swift

@@ -102,17 +102,26 @@ extension MLKEM768.InternalPrivateKey: BoringSSLBackedMLKEMPrivateKey {
     }
 
     init<Bytes>(seedRepresentation: Bytes, publicKeyRawRepresentation: Data?) throws where Bytes: DataProtocol {
-        precondition(publicKeyRawRepresentation == nil)
-        self = try .init(seedRepresentation: seedRepresentation)
+        let publicKeyHash = publicKeyRawRepresentation.map {
+            SHA3_256.hash(data: $0)
+        }
+        self = try .init(seedRepresentation: seedRepresentation, publicKeyHash: publicKeyHash)
     }
 
     init<Bytes: DataProtocol>(seedRepresentation: Bytes, publicKeyHash: SHA3_256Digest?) throws {
-        precondition(publicKeyHash == nil)
         self = try .init(seedRepresentation: seedRepresentation)
+        let generatedHash = SHA3_256.hash(data: self.publicKey.rawRepresentation)
+        if let publicKeyHash, generatedHash != publicKeyHash {
+            throw KEM.Errors.publicKeyMismatchDuringInitialization
+        }
     }
 
     var integrityCheckedRepresentation: Data {
-        fatalError()
+        var representation = self.seedRepresentation
+        SHA3_256.hash(data: self.publicKey.rawRepresentation).withUnsafeBytes {
+            representation.append(contentsOf: $0)
+        }
+        return representation
     }
 
     var interiorPublicKey: MLKEM768.InternalPublicKey {
@@ -155,17 +164,26 @@ extension MLKEM1024.InternalPrivateKey: BoringSSLBackedMLKEMPrivateKey {
     }
 
     init<Bytes>(seedRepresentation: Bytes, publicKeyRawRepresentation: Data?) throws where Bytes: DataProtocol {
-        precondition(publicKeyRawRepresentation == nil)
-        self = try .init(seedRepresentation: seedRepresentation)
+        let publicKeyHash = publicKeyRawRepresentation.map {
+            SHA3_256.hash(data: $0)
+        }
+        self = try .init(seedRepresentation: seedRepresentation, publicKeyHash: publicKeyHash)
     }
 
     init<Bytes: DataProtocol>(seedRepresentation: Bytes, publicKeyHash: SHA3_256Digest?) throws {
-        precondition(publicKeyHash == nil)
         self = try .init(seedRepresentation: seedRepresentation)
+        let generatedHash = SHA3_256.hash(data: self.publicKey.rawRepresentation)
+        if let publicKeyHash, generatedHash != publicKeyHash {
+            throw KEM.Errors.publicKeyMismatchDuringInitialization
+        }
     }
 
     var integrityCheckedRepresentation: Data {
-        fatalError()
+        var representation = self.seedRepresentation
+        SHA3_256.hash(data: self.publicKey.rawRepresentation).withUnsafeBytes {
+            representation.append(contentsOf: $0)
+        }
+        return representation
     }
 
     var interiorPublicKey: MLKEM1024.InternalPublicKey {

Sources/Crypto/KEM/BoringSSL/XWing_boring.swift

@@ -30,8 +30,8 @@ struct OpenSSLXWingPublicKeyImpl: Sendable {
         self.publicKeyBytes = publicKeyBytes
     }
 
-    init<D: ContiguousBytes>(dataRepresentation: D) throws {
-        self.publicKeyBytes = try dataRepresentation.withUnsafeBytes {
+    init<D: ContiguousBytes>(rawRepresentation: D) throws {
+        self.publicKeyBytes = try rawRepresentation.withUnsafeBytes {
             guard $0.count == XWING_PUBLIC_KEY_BYTES else {
                 throw CryptoKitError.incorrectKeySize
             }
@@ -164,7 +164,7 @@ extension OpenSSLXWingPrivateKeyImpl {
                 }
 
                 // Matching CryptoKit, we only care that this _is_ a public key, not that it matches.
-                let _ = try OpenSSLXWingPublicKeyImpl(dataRepresentation: publicKeyBytes)
+                let _ = try OpenSSLXWingPublicKeyImpl(rawRepresentation: publicKeyBytes)
             }
         }
 
@@ -187,6 +187,10 @@ extension OpenSSLXWingPrivateKeyImpl {
                     throw CryptoKitError.internalBoringSSLError()
                 }
             }
+
+            if let publicKeyHash, publicKeyHash != self.publicKeyDigest {
+                throw KEM.Errors.publicKeyMismatchDuringInitialization
+            }
         }
 
         var seedRepresentation: Data {
@@ -200,7 +204,11 @@ extension OpenSSLXWingPrivateKeyImpl {
         }
 
         var integrityCheckedRepresentation: Data {
-            fatalError()
+            var representation = self.seedRepresentation
+            self.publicKeyDigest.withUnsafeBytes {
+                representation.append(contentsOf: $0)
+            }
+            return representation
         }
 
         var dataRepresentation: Data {
@@ -215,6 +223,14 @@ extension OpenSSLXWingPrivateKeyImpl {
             }
         }
 
+        private var publicKeyDigest: SHA3_256Digest {
+            withUnsafeTemporaryAllocation(byteCount: Int(XWING_PUBLIC_KEY_BYTES), alignment: 1) {
+                let rc = CCryptoBoringSSL_XWING_public_from_private($0.baseAddress, &self.privateKey)
+                precondition(rc == 1)
+                return SHA3_256.hash(bufferPointer: UnsafeRawBufferPointer($0))
+            }
+        }
+
         static func generate() throws -> Self {
             try Self()
         }

Sources/Crypto/KEM/XWing.swift

@@ -14,25 +14,12 @@
 #if CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API
 @_exported import CryptoKit
 #else
-#if canImport(FoundationEssentials)
-public import FoundationEssentials
-#else
-public import Foundation
-#endif
-
-#if _runtime(_ObjC) && CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API
-@_exported import CryptoKit
-#else
 
-#if CRYPTOKIT_NO_ACCESS_TO_FOUNDATION
-import SwiftSystem
-#else
 #if canImport(FoundationEssentials)
 import FoundationEssentials
 #else
 import Foundation
 #endif
-#endif
 
 #if (!CRYPTO_IN_SWIFTPM_FORCE_BUILD_API) || CRYPTOKIT_NO_ACCESS_TO_FOUNDATION
 @available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
@@ -61,8 +48,8 @@ extension XWingMLKEM768X25519 {
             self.impl = impl
         }
 
-        public init<D: ContiguousBytes>(dataRepresentation: D) throws {
-            self.impl = try .init(dataRepresentation: dataRepresentation)
+        public init<D: ContiguousBytes>(rawRepresentation: D) throws {
+            self.impl = try .init(rawRepresentation: rawRepresentation)
         }
 
         public var rawRepresentation: Data {
@@ -96,20 +83,10 @@ extension XWingMLKEM768X25519 {
             self.impl = impl
         }
 
-        public init<D: ContiguousBytes>(bytes: D) throws {
-            self.impl = try .init(bytes: bytes)
-        }
-
         internal init<D: DataProtocol>(seedRepresentation: D, publicKeyHash: SHA3_256Digest?) throws {
             self.impl = try .init(seedRepresentation: seedRepresentation, publicKeyHash: publicKeyHash)
         }
 
-        public var dataRepresentation: Data {
-            get {
-                self.impl.dataRepresentation
-            }
-        }
-
         public static func generate() throws -> XWingMLKEM768X25519.PrivateKey {
             return try Self(impl: XWingPrivateKeyImpl.generate())
         }
@@ -133,17 +110,12 @@ extension XWingMLKEM768X25519.PrivateKey: HPKEKEMPrivateKeyGeneration {
     }
 
     public init<D: DataProtocol>(seedRepresentation: D, publicKey: XWingMLKEM768X25519.PublicKey?) throws {
-        #if false
         var publicKeyHash: SHA3_256Digest? = nil
         if publicKey != nil {
             publicKeyHash = SHA3_256.hash(data: publicKey!.rawRepresentation)
         }
 
         self = try XWingMLKEM768X25519.PrivateKey.init(seedRepresentation: seedRepresentation, publicKeyHash: publicKeyHash)
-        #else
-        precondition(publicKey == nil)
-        self = try XWingMLKEM768X25519.PrivateKey.init(seedRepresentation: seedRepresentation, publicKeyHash: nil)
-        #endif
     }
 
     public init<D: DataProtocol>(integrityCheckedRepresentation: D) throws {
@@ -178,7 +150,7 @@ extension XWingMLKEM768X25519.PublicKey: HPKEKEMPublicKey {
     /// - Throws: ``CryptoKit/HPKE/Errors/inconsistentCiphersuiteAndKey`` if the key encapsulation mechanism requested is incompatible with this public key.
     public init<D>(_ serialization: D, kem: HPKE.KEM) throws where D: ContiguousBytes {
         try Self.validateCiphersuite(kem)
-        try self.init(dataRepresentation: serialization)
+        try self.init(rawRepresentation: serialization)
     }
 
     /// Creates a serialized representation of the public key.
@@ -197,5 +169,4 @@ extension XWingMLKEM768X25519.PublicKey: HPKEKEMPublicKey {
     /// The type of the ephemeral private key associated with this public key.
     public typealias HPKEEphemeralPrivateKey = XWingMLKEM768X25519.PrivateKey
 }
-#endif
 #endif // Linux or !SwiftPM

Sources/Crypto/Signatures/BoringSSL/MLDSA_boring.swift

@@ -639,7 +639,7 @@ extension MLDSA87 {
 
 enum MLDSA {
     /// The size of the seed in bytes.
-    fileprivate static let seedByteCount = 32
+    static let seedByteCount = 32
 }
 
 #endif  // CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API

Sources/Crypto/Signatures/BoringSSL/MLDSA_boring.swift.gyb

@@ -342,7 +342,7 @@ extension MLDSA${parameter_set} {
 
 enum MLDSA {
     /// The size of the seed in bytes.
-    fileprivate static let seedByteCount = 32
+    static let seedByteCount = 32
 }
 
 #endif  // CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API

Sources/Crypto/Signatures/BoringSSL/MLDSA_wrapper.swift

@@ -84,18 +84,29 @@ extension MLDSA87.InternalPublicKey: BoringSSLBackedMLDSAPublicKey {}
 @available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *)
 struct OpenSSLMLDSAPrivateKeyImpl<Parameters: BoringSSLBackedMLDSAParameters> {
     private var backing: Parameters.BackingPrivateKey
+    private let publicKeyHash: SHA3_256Digest
 
     init() throws {
         self.backing = try .init()
+        self.publicKeyHash = SHA3_256.hash(data: self.backing.publicKey.rawRepresentation)
     }
 
-    init<D: DataProtocol>(seedRepresentation: D, publicKey: OpenSSLMLDSAPublicKeyImpl<Parameters>?) throws {
-        precondition(publicKey == nil)
-        self.backing = try .init(seedRepresentation: seedRepresentation)
+    init<D: DataProtocol>(seedRepresentation: D, publicKeyRawRepresentation: Data?) throws {
+        let publicKeyHash = publicKeyRawRepresentation.map {
+            SHA3_256.hash(data: $0)
+        }
+        self = try Self(seedRepresentation: seedRepresentation, publicKeyHash: publicKeyHash)
     }
 
-    init<D: DataProtocol>(integrityCheckedRepresentation: D) throws {
-        fatalError()
+    init<D: DataProtocol>(seedRepresentation: D, publicKeyHash: SHA3_256Digest?) throws {
+        self.backing = try .init(seedRepresentation: seedRepresentation)
+        let generatedHash = SHA3_256.hash(data: self.backing.publicKey.rawRepresentation)
+
+        if let publicKeyHash, generatedHash != publicKeyHash {
+            throw CryptoKitError.unwrapFailure
+        }
+
+        self.publicKeyHash = generatedHash
     }
 
     func signature<D: DataProtocol>(for data: D) throws -> Data {
@@ -115,7 +126,16 @@ struct OpenSSLMLDSAPrivateKeyImpl<Parameters: BoringSSLBackedMLDSAParameters> {
     }
 
     var integrityCheckedRepresentation: Data {
-        fatalError()
+        var representation = self.seedRepresentation
+        representation.reserveCapacity(SHA3_256Digest.byteCount)
+        self.publicKeyHash.withUnsafeBytes {
+            representation.append(contentsOf: $0)
+        }
+        return representation
+    }
+
+    static var seedSize: Int {
+        MLDSA.seedByteCount
     }
 }
 
@@ -132,14 +152,14 @@ struct OpenSSLMLDSAPublicKeyImpl<Parameters: BoringSSLBackedMLDSAParameters> {
     }
 
     func isValidSignature<S: DataProtocol, D: DataProtocol>(
-        signature: S,
+        _ signature: S,
         for data: D
     ) -> Bool {
         self.backing.isValidSignature(signature, for: data)
     }
 
     func isValidSignature<S: DataProtocol, D: DataProtocol, C: DataProtocol>(
-        signature: S,
+        _ signature: S,
         for data: D,
         context: C
     ) -> Bool {