Skip to content

Add Hybrid Public Key Encryption (HPKE) API Support#1061

Open
sylph01 wants to merge 45 commits into
ruby:masterfrom
sylph01:hpke
Open

Add Hybrid Public Key Encryption (HPKE) API Support#1061
sylph01 wants to merge 45 commits into
ruby:masterfrom
sylph01:hpke

Conversation

@sylph01
Copy link
Copy Markdown
Contributor

@sylph01 sylph01 commented Jun 5, 2026
edited
Loading

This patch introduces Hybrid Public Key Encryption (HPKE; RFC 9180) through OpenSSL's HPKE APIs ( https://docs.openssl.org/3.5/man3/OSSL_HPKE_CTX_new/ ), added in OpenSSL 3.2.0.

Usage

suite = OpenSSL::HPKE::Suite.new_with_names(:dhkem_x25519_hkdf_sha256, :hkdf_sha256, :aes_128_gcm)
pkey = OpenSSL::HPKE.keygen_with_suite(suite)
pub = pkey.raw_public_key
s = OpenSSL::HPKE::Context::Sender.new(:base, suite)
enc = s.encap(pub, "info")
ct = s.seal("aad", "hi")
r = OpenSSL::HPKE::Context::Receiver.new(:base, suite)
r.decap(enc, pkey, "info")
puts "roundtrip: #{r.open("aad", ct) == "hi"}, export match: #{s.export(32,"l")==r.export(32,"l")}"

APIs

OpenSSL::HPKE::Suite

  • new: Instantiate cipher suite with KEM, KDF, and AEAD identifiers listed in RFC 9180
  • new_with_names: Instantiate cipher suite with pre-defined names. Uses the list of KEMs, KDFs, AEADs listed in RFC 9180.

OpenSSL::HPKE

  • keygen: Generate OpenSSL::PKey private key with the specified KEM, KDF, and AEAD ID.
    • This exposes OpenSSL's OSSL_HPKE_keygen() API.
  • keygen_with_suite: Generate OpenSSL::PKey private key with the specified cipher suite

These are more like utility functions so if they look extraneous they can be removed in favor of using OpenSSL::PKey to generate corresponding keys.

OpenSSL::HPKE::Context::Sender and OpenSSL::HPKE::Context::Receiver

  • new: Instantiate HPKE Context.
    • Currently supports :base mode only; I wanted to let the maintainers see this pull request before adding :auth, :psk, and :auth_psk modes

OpenSSL::HPKE::Context::Sender

  • encap: Encapsulates key into the specified public key. Takes receiver's public key and info (application context information)
  • seal: Using the encapsulated key, seal message into ciphertext. Takes aad (additional authenticated data) and ciphertext itself.

OpenSSL::HPKE::Context::Receiver

  • decap: Decapsulates the key using the private key. Takes the encapsulation, private key, and info (application context information).
  • open: Using the decapsulated key, decrypt the ciphertext. Takes aad and ciphertext.

Availability

  • This functionality is available on OpenSSL newer than 3.2.0 without FIPS mode.
    • As OpenSSL's FIPS mode does not implement EC KEMs, HPKE on OpenSSL is unavailable even for curves that are supported by FIPS.
  • LibreSSL, AWS-LC is not supported.
    • As far as I know, they do not have the corresponding APIs.

sylph01 added 30 commits June 5, 2026 09:18
@sylph01
[hpke] initialize OSSL::HPKE::Context
9ee96bd
@sylph01
[hpke] check for openssl/hpke.h
e7e1f17 
from now on this needs OpenSSL 3.2 to compile
@sylph01
[hpke] allocate/initialize context
ec8a3a2
@sylph01
[hpke-a] experiment: try reopening class with a ruby file
afe4bff
@sylph01
[hpke] HPKE.keygen
34ea7a3
@sylph01
[hpke] create HPKE::Context
5301f44
@sylph01
[hpke] encap
aaaac90
@sylph01
set constant buffers to a high enough number
d8b0dda
@sylph01
[hpke] seal
d3b0ddf
@sylph01
[hpke] decap
64748ed
@sylph01
[hpke] open and export, but getting different values?
2f5d645
@sylph01
[hpke] debug: keygen_pub
024c8f0
@sylph01
[hpke] debug: assume fixed ikme
3d0b6e3
@sylph01
lots of debug prints
1efad02 
works only with hpke.h that exposes OSSL_HPKE_CTX
@sylph01
[hpke] 🎉
5411682
@sylph01
[hpke] fix encap so that it returns a string with correct length
e1f743e
@sylph01
[hpke] do not assume fixed ikm_e
e68494b
@sylph01
Set buffer size of OSSL_HPKE_keygen to 133
012f241 
The current longest possible public key size is 133 bytes, according to RFC 9180 section 7.1
@sylph01
Remove debug method keygen_pub
4a1a787
@sylph01
Use of HPKE::Suite
1f5e54c 
- HPKE::Context.new that takes mode, role, and suite
- HPKE::Context now keeps track of which KEM/KDF/AEAD it uses under instance variable
- HPKE.keygen_with_suite
@sylph01
Use OSSL_HPKE_get_ciphertext_size to determine ciphertext size
0977513 
In this patch I also moved the `attr_reader` definitions of kem/kdf/aead_ids into C code
@sylph01
Allocate memory based on OSSL_HPKE_get_public_encap_size
efb922d 
I am very iffy about this. Is there a safer way to handle this allocation?
@sylph01
Now that most of the things work, comment out the debug prints
e798bf2
@sylph01
[hpke] macro to remove code when OpenSSL is less than 3.2.0
eb533a9
@sylph01
Fix the guards against older OpenSSL
b73af54
@sylph01
Fix initialize API
f7c4278
@sylph01
Change class structure, fix initialize API
b181210 
The last version was not working....

- Sender and Receiver contexts get different classes
- Sender gets only sender APIs, Receiver gets only receiver APIs
- Sender and Receiver need Suite to initialize
- Removed old Context initialization API
@sylph01
Apply rename: ossl_pkey_new -> ossl_pkey_wrap
0212ddb
@sylph01
Re-add include and init
798b929
@sylph01
Ensure String inputs are String with StringValue
9a7cb45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sylph01