Fix CryptoUtil ML-KEM methods to accept key size in bits

Change encapsulateMLKEM() and decapsulateMLKEM() to accept key
size in bits instead of bytes, consistent with PKI convention and
other CryptoUtil methods like generateKey().

The methods now convert bits to bytes internally when calling the
Java KEM API, making them compatible with params.getSkLength()
which returns key size in bits.

IDM-6295

Author: ladycfu

base/common/src/main/java/com/netscape/cmsutil/crypto/CryptoUtil.java

@@ -667,7 +667,7 @@ public KEMEncapsulation(SymmetricKey sharedSecret, byte[] ciphertext) {
      * Performs ML-KEM encapsulation to generate a shared secret.
      *
      * @param publicKey ML-KEM public key
-     * @param keySize Derived key size in bytes (typically 32 for AES-256)
+     * @param keySize Derived key size in bits (e.g., 128 or 256 for AES)
      * @return KEMEncapsulation containing shared secret and ciphertext
      * @throws Exception if encapsulation fails
      */
@@ -680,20 +680,21 @@ public static KEMEncapsulation encapsulateMLKEM(PublicKey publicKey, int keySize
         }
 
         logger.debug("CryptoUtil: ML-KEM encapsulation");
-        logger.debug("CryptoUtil: - Key size: " + keySize + " bytes");
+        logger.debug("CryptoUtil: - Key size: " + keySize + " bits");
 
+        int keySizeBytes = keySize / 8;
         javax.crypto.KEM kem = javax.crypto.KEM.getInstance("ML-KEM", "Mozilla-JSS");
         javax.crypto.KEM.Encapsulator encapsulator = kem.newEncapsulator(publicKey);
         javax.crypto.KEM.Encapsulated encapsulated = encapsulator.encapsulate(
-            0,          // offset
-            keySize,    // derived key size in bytes
-            "AES-ECB"   // algorithm for derived key
+            0,              // offset
+            keySizeBytes,   // derived key size in bytes
+            "AES-ECB"       // algorithm for derived key
         );
 
         SymmetricKey sharedSecret = (SymmetricKey) encapsulated.key();
         byte[] ciphertext = encapsulated.encapsulation();
 
-        logger.debug("CryptoUtil: - Shared secret size: " + keySize + " bytes");
+        logger.debug("CryptoUtil: - Shared secret size: " + keySizeBytes + " bytes");
         logger.debug("CryptoUtil: - Ciphertext size: " + ciphertext.length + " bytes");
 
         return new KEMEncapsulation(sharedSecret, ciphertext);
@@ -704,7 +705,7 @@ public static KEMEncapsulation encapsulateMLKEM(PublicKey publicKey, int keySize
      *
      * @param privateKey ML-KEM private key
      * @param ciphertext KEM ciphertext from encapsulation
-     * @param keySize Derived key size in bytes (must match encapsulation)
+     * @param keySize Derived key size in bits (must match encapsulation, e.g., 128 or 256)
      * @return Recovered shared secret (symmetric key)
      * @throws Exception if decapsulation fails
      */
@@ -724,16 +725,17 @@ public static SymmetricKey decapsulateMLKEM(
         }
 
         logger.debug("CryptoUtil: ML-KEM decapsulation");
-        logger.debug("CryptoUtil: - Key size: " + keySize + " bytes");
+        logger.debug("CryptoUtil: - Key size: " + keySize + " bits");
         logger.debug("CryptoUtil: - Ciphertext size: " + ciphertext.length + " bytes");
 
+        int keySizeBytes = keySize / 8;
         javax.crypto.KEM kem = javax.crypto.KEM.getInstance("ML-KEM", "Mozilla-JSS");
         javax.crypto.KEM.Decapsulator decapsulator = kem.newDecapsulator(privateKey);
         SymmetricKey sharedSecret = (SymmetricKey) decapsulator.decapsulate(
             ciphertext,
-            0,          // offset
-            keySize,    // derived key size in bytes
-            "AES-ECB"   // algorithm for derived key
+            0,              // offset
+            keySizeBytes,   // derived key size in bytes
+            "AES-ECB"       // algorithm for derived key
         );
 
         logger.debug("CryptoUtil: - Shared secret recovered");