Add support for post-quantum keys

Author: remko

.github/actions/setup/action.yml

@@ -45,7 +45,7 @@ runs:
   # Install a 6.0 toolchain and SDK so we can package a static Linux binary
   # Used by setting TOOLCHAINS=swift in the environment
   # Once the macOS runner has a Swift 6 compiler, we can remove the toolchain download.
-  - if: runner.os == 'macOS'
+  - if: runner.os == 'macOS' && matrix.os != 'macos-26'
     run: |
       curl -L -s -o swift.pkg https://download.swift.org/swift-6.0-branch/xcode/swift-6.0-DEVELOPMENT-SNAPSHOT-2024-09-17-a/swift-6.0-DEVELOPMENT-SNAPSHOT-2024-09-17-a-osx.pkg
       sudo installer -pkg swift.pkg -verbose -dumplog -target /

.github/workflows/build.yml

@@ -16,11 +16,13 @@ jobs:
   build:
     strategy:
       matrix:
-        os: [macos-14, ubuntu-22.04]
+        os: [macos-14, macos-26, ubuntu-22.04]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup
+      - if: matrix.os == 'macos-14' || matrix.os == 'ubuntu-22.04'
+        run: make patch-package-swift-legacy
       - run: make
       - run: make test COVERAGE=1
       - run: make smoke-test-encrypt
@@ -43,7 +45,8 @@ jobs:
         env:
           TOOLCHAINS: swift
           ALPINE_KEY: ${{ secrets.ALPINE_KEY }}
-        if: runner.os == 'macOS'
+        # Having problems on latest macos, so or now limiting this to the older one
+        if: runner.os == 'macOS' && matrix.os == 'macos-14'
       - name: Upload packages
         uses: actions/upload-artifact@v4
         with:
@@ -65,7 +68,7 @@ jobs:
         uses: actions/upload-pages-artifact@v3
         with:
           path: .build/site
-        if: runner.os == 'macOS'
+        if: runner.os == 'macOS' && matrix.os != 'macos-14'
 
   # Running swift from the Makefile doesn't work (yet), so we have a separate
   # build procedure for windows.
@@ -74,6 +77,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup
+      - run: make patch-package-swift-legacy
       - run: swift build
       # Unit tests don't seem to work yet
       # - run: swift test

Documentation/age-plugin-se.1.scd

@@ -7,8 +7,8 @@ age-plugin-se - age plugin for Apple Secure Enclave
 
 # SYNOPSIS
 
-*age-plugin-se* *keygen* \[*-o* _OUTPUT_\] \[*--access-control* _ACCESS_CONTROL_\]++
-*age-plugin-se* *recipients* \[*-o* _OUTPUT_\] \[*-i* _INPUT_\]
+*age-plugin-se* *keygen* \[*--pq*\]  \[*-o* _OUTPUT_\] \[*--access-control* _ACCESS_CONTROL_\]++
+*age-plugin-se* *recipients* \[*--pq*\] \[*-o* _OUTPUT_\] \[*-i* _INPUT_\]
 
 
 # DESCRIPTION
@@ -48,6 +48,10 @@ output.
 	*current-biometry*, *current-biometry-and-passcode*.  Default:
 	*any-biometry-or-passcode*.
 
+*--pq*
+
+	Generate post-quantum keys
+
 
 # EXAMPLES
 

Makefile

@@ -44,7 +44,7 @@ MAN_TARGET := man
 endif
 
 .PHONY: all
-all: $(BUILD_DIR)/age-plugin-tag $(MAN_TARGET)
+all: $(BUILD_DIR)/age-plugin-tag $(BUILD_DIR)/age-plugin-tagpq $(MAN_TARGET)
 	swift build $(SWIFT_BUILD_FLAGS)
 
 .PHONY: package
@@ -100,17 +100,27 @@ ifneq ($(SCDOC),)
 	install .build/age-plugin-se.1 $(DESTDIR)$(PREFIX)/share/man/man1
 endif
 
+.IGNORE: .build/age-plugin-se.1
 man: .build/age-plugin-se.1
 
 .build/age-plugin-se.1: Documentation/age-plugin-se.1.scd
 	mkdir -p .build
 	cat $< | sed "s/@VERSION@/$(VERSION)/g" | scdoc > $@.tmp
 	mv $@.tmp $@
 
-$(BUILD_DIR)/age-plugin-tag:
+$(BUILD_DIR)/age-plugin-tag $(BUILD_DIR)/age-plugin-tagpq:
 	mkdir -p $(BUILD_DIR)
 	ln -sf age-plugin-se $@
 
+.PHONY: clean
+clean:
+	-rm -rf .build manual-tests
+
+patch-package-swift-legacy:
+	cat Package.swift | sed -e 's/\/\/ swift-tools-version: .*/\/\/ swift-tools-version: 5.9/' -e 's/\.macOS(\.v26)/\.macOS(\.v14)/' > Package.swift.tmp
+	mv Package.swift.tmp Package.swift
+
+################################################################################
 
 .PHONY: smoke-test
 smoke-test:
@@ -167,6 +177,17 @@ p256tag-decrypt-interop-test:
 	$(AGE) --decrypt -i key.txt secret.txt.age && \
 	rm -f key.txt secret.txt.age
 
+.PHONY: mlkemp256tag-decrypt-interop-test
+mlkem768p256tag-decrypt-interop-test:
+	$(AT)PATH="$(BUILD_DIR):$$PATH" && \
+	$(ECHO) '\xf0\x9f\x94\x91 Generating key...' && \
+	recipient=`age-plugin-se keygen --access-control=none --pq --recipient-type=tag -o key.txt | sed -e "s/Public key: //"` && \
+	$(ECHO) '\xf0\x9f\x94\x92 Encrypting to '$$recipient'...' && \
+	($(ECHO) '\xe2\x9c\x85 \x53\x75\x63\x63\x65\x73\x73' | $(AGE) --encrypt --recipient $$recipient -o secret.txt.age) && \
+	$(ECHO) '\xf0\x9f\x94\x93 Decrypting...' && \
+	$(AGE) --decrypt -i key.txt secret.txt.age && \
+	rm -f key.txt secret.txt.age
+
 .PHONY: gen-manual-tests
 gen-manual-tests:
 	-rm -rf gen-manual-tests
@@ -185,9 +206,3 @@ run-manual-tests:
 		$(AGE) --decrypt -i manual-tests/key.$$control.txt manual-tests/secret.txt.$$control.age; \
 		$(ECHO) "\n-----\n"; \
 	done
-
-.PHONY: clean
-clean:
-	-rm -rf .build manual-tests
-
-.IGNORE: .build/age-plugin-se.1

Package.swift

@@ -1,10 +1,9 @@
-// swift-tools-version: 5.7
-
+// swift-tools-version: 6.2
 import PackageDescription
 
 let package = Package(
   name: "AgeSecureEnclavePlugin",
-  platforms: [.macOS(.v13)],
+  platforms: [.macOS(.v26)],
   dependencies: [
     // Only used on Linux & Windows
     .package(url: "https://github.com/apple/swift-crypto.git", "2.0.0"..<"4.0.0")
@@ -14,7 +13,8 @@ let package = Package(
       name: "age-plugin-se",
       dependencies: [
         .product(
-          name: "Crypto", package: "swift-crypto", condition: .when(platforms: [.linux, .windows]))
+          name: "Crypto", package: "swift-crypto",
+          condition: .when(platforms: [.linux, .windows]))
       ],
       path: "Sources"),
     .testTarget(name: "Tests", dependencies: ["age-plugin-se"], path: "Tests"),

README.md

@@ -25,9 +25,9 @@ them with Touch ID.
 ## Requirements
 
 To generate identities (private keys) and decrypt encrypted files, you need a Mac
-running macOS 13 (Ventura) with a Secure Enclave processor.
+running macOS 14 (Sonoma) with a Secure Enclave processor.
 
-For encrypting files, you need macOS 13 (Ventura), Linux, or Windows. A
+For encrypting files, you need macOS 14 (Sonoma), Linux, or Windows. A
 Secure Enclave processor is not necessary.
 
 ## Installation
@@ -244,8 +244,8 @@ $ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz
 
 ## Usage
 
-    age-plugin-se keygen [-o OUTPUT] [--access-control ACCESS_CONTROL]
-    age-plugin-se recipients [-o OUTPUT] [-i INPUT]
+    age-plugin-se keygen [--pq] [-o OUTPUT] [--access-control ACCESS_CONTROL]
+    age-plugin-se recipients [--pq] [-o OUTPUT] [-i INPUT]
 
     The `keygen` subcommand generates a new private key bound to the current 
     Secure Enclave, with the given access controls, and outputs it to OUTPUT 
@@ -271,6 +271,7 @@ $ age --decrypt -i key.txt data.tar.gz.age > data.tar.gz
 
       -i, --input INPUT                 Read data from the file at path INPUT
 
+      --pq                              Generate post-quantum keys
 
 
 ## Development

Scripts/GenerateMLKEM768Keys.swift

@@ -0,0 +1,23 @@
+#!/usr/bin/swift 
+
+import CryptoKit
+import Foundation
+
+extension Data {
+  func base64RawEncodedData() -> Data {
+    var s = base64EncodedData(options: [])
+    if let pi = s.firstIndex(of: Character("=").asciiValue!) {
+      s = Data(s[s.startIndex..<pi])
+    }
+    return s
+  }
+}
+
+if #available(macOS 21.0, *) {
+  for _ in 1...10 {
+    let privateKey = try! CryptoKit.MLKEM768.PrivateKey()
+    print(String(data: privateKey.seedRepresentation.base64RawEncodedData(), encoding: .utf8)!)
+  }
+} else {
+  print("ML-KEM is not supported on this operating system version.")
+}

Sources/CLI.swift

@@ -16,7 +16,8 @@ struct CLI {
       case .keygen:
         let result = try plugin.generateKey(
           accessControl: options.accessControl.keyAccessControl,
-          recipientType: options.recipientType.recipientType, now: Date())
+          recipientType: options.recipientType.recipientType, now: Date(),
+          pq: options.pq)
         if let outputFile = options.output {
           FileManager.default.createFile(
             atPath: outputFile,
@@ -94,6 +95,8 @@ struct Options {
   var output: String?
   var input: String?
 
+  var pq: Bool = false
+
   enum AccessControl: String {
     case none = "none"
     case passcode = "passcode"
@@ -134,8 +137,8 @@ struct Options {
   static let help =
     """
     Usage:
-      age-plugin-se keygen [-o OUTPUT] [--access-control ACCESS_CONTROL]
-      age-plugin-se recipients [-o OUTPUT] [-i INPUT]
+      age-plugin-se keygen [--pq] [-o OUTPUT] [--access-control ACCESS_CONTROL]
+      age-plugin-se recipients [--pq] [-o OUTPUT] [-i INPUT]
 
     Description:
       The `keygen` subcommand generates a new private key bound to the current 
@@ -163,6 +166,8 @@ struct Options {
 
       -o, --output OUTPUT               Write the result to the file at path OUTPUT
 
+      --pq                              Generate post-quantum keys
+
     Example:
       $ age-plugin-se keygen -o key.txt
       Public key: age1se1qg8vwwqhztnh3vpt2nf2xwn7famktxlmp0nmkfltp8lkvzp8nafkqleh258
@@ -185,6 +190,8 @@ struct Options {
       } else if ["--version"].contains(arg) {
         opts.command = .version
         break
+      } else if ["--pq"].contains(arg) {
+        opts.pq = true
       } else if [
         "--age-plugin", "-i", "--input", "-o", "--output", "--access-control", "--recipient-type",
       ].contains(where: {