Fix [Dev] ML-KEM (with Archival) support for CRMFPopClient (and/or cli)

[jmagne]

Add code in KRA to extract the ML-KEM session key if encapsulated.
Added a new user profile caMLKEMUserCert.cfg
Fixed UserKeyDefault.java to recognize ML-KEM, it already checks for ML-DSA.

Assisted-by: Claude Sonnet 4.5

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 48dd03bf-e11a-483a-9d2c-91382d964f06

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces support for ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) by adding a new certificate profile, implementing encapsulation and decapsulation logic in CryptoUtil, and updating the KRA to support ML-KEM transport keys. Feedback from the review highlights a critical need to use the returned token-resident key after calling importPublicKey to ensure correct encapsulation. Additionally, the reviewer suggested using more specific exceptions like NoSuchAlgorithmException, removing redundant log messages, and correcting minor whitespace issues.

[gemini-code-assist]

The return value of token.importPublicKey(wrappingKey, false) is ignored. As noted in the comment on line 2360, ML-KEM requires the public key to be imported as a PKCS#11 object on the token for encapsulation. The importPublicKey method returns a PK11PubKey (as a PublicKey) which should be used in the subsequent encapsulateMLKEM call to ensure the operation uses the token-resident key. Additionally, there is a double space before params on line 2367.

Suggested change

	token.importPublicKey(wrappingKey, false);
	// Do ML-KEM encapsulate to derive shared secret + ciphertext
	logger.debug("CryptoUtil: Using ML-KEM encapsulation for key archival");
	KEMEncapsulation keyResult = encapsulateMLKEM(wrappingKey, params.getPayloadEncryptionAlgorithm());
	PublicKey tokenKey = token.importPublicKey(wrappingKey, false);
	// Do ML-KEM encapsulate to derive shared secret + ciphertext
	logger.debug("CryptoUtil: Using ML-KEM encapsulation for key archival");
	KEMEncapsulation keyResult = encapsulateMLKEM(tokenKey, params.getPayloadEncryptionAlgorithm());

[gemini-code-assist]

This debug log message is identical to the one on line 434. It should be updated to indicate that the decapsulation step has completed successfully or removed to avoid redundancy.

Suggested change

	logger.debug("TransportKeyUnit.unwrap: Using ML-KEM decapsulation");
	logger.debug("TransportKeyUnit.unwrap: ML-KEM decapsulation successful");

[gemini-code-assist]

Using a generic Exception is discouraged. Since this is a cryptographic operation where an algorithm cannot be determined, NoSuchAlgorithmException would be more appropriate and idiomatic.

Suggested change

	throw new Exception("Unable to determine transport key algorithm");
	throw new NoSuchAlgorithmException("Unable to determine transport key algorithm");

[gemini-code-assist]

There are unnecessary extra spaces before the method call.

Suggested change

	session_data = wrapUsingPublicKey(
	session_data = wrapUsingPublicKey(

[sonarqubecloud]

Quality Gate passed

Issues
8 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud