Add support for MLDSA keys (#631)

* WIP.

* WIP

* WIP Edit

* Key selection.

* WIP

* WIP

* Proxy through

* WIP

* Remove verify.

* Migration.

* Comment

* Add param

* Semi-offering key

* Ignore updates if test build.

* Fix rsa public key gen

* Messily fix RSA

* Remove 1024 bit rsa

* Cleanup

* Cleanup

* MLDSA warning.

* MLDSA working.

* Strings.

* Put back UI changes

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHPublicKeyWriter.swift

@@ -17,6 +17,10 @@ public struct OpenSSHPublicKeyWriter: Sendable {
             openSSHIdentifier(for: secret.keyType).lengthAndData +
             ("nistp" + String(describing: secret.keyType.size)).lengthAndData +
             secret.publicKey.lengthAndData
+        case .mldsa:
+            // https://www.ietf.org/archive/id/draft-sfluhrer-ssh-mldsa-04.txt
+            openSSHIdentifier(for: secret.keyType).lengthAndData +
+            secret.publicKey.lengthAndData
         case .rsa:
             // https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
             openSSHIdentifier(for: secret.keyType).lengthAndData +
@@ -72,8 +76,14 @@ extension OpenSSHPublicKeyWriter {
     /// - Returns: The OpenSSH identifier for the algorithm.
     public func openSSHIdentifier(for keyType: KeyType) -> String {
         switch (keyType.algorithm, keyType.size) {
-        case (.ecdsa, 256), (.ecdsa, 384):
-            "ecdsa-sha2-nistp" + String(describing: keyType.size)
+        case (.ecdsa, 256):
+            "ecdsa-sha2-nistp256"
+        case (.ecdsa, 384):
+            "ecdsa-sha2-nistp384"
+        case (.mldsa, 65):
+            "ssh-mldsa-65"
+        case (.mldsa, 87):
+            "ssh-mldsa-87"
         case (.rsa, _):
             "ssh-rsa"
         default:

Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHSignatureWriter.swift

@@ -15,6 +15,9 @@ public struct OpenSSHSignatureWriter: Sendable {
         case .ecdsa:
             // https://datatracker.ietf.org/doc/html/rfc5656#section-3.1
             ecdsaSignature(signature, keyType: secret.keyType)
+        case .mldsa:
+            // https://datatracker.ietf.org/doc/html/draft-sfluhrer-ssh-mldsa-00#name-public-key-algorithms
+            mldsaSignature(signature, keyType: secret.keyType)
         case .rsa:
             // https://datatracker.ietf.org/doc/html/rfc4253#section-6.6
             rsaSignature(signature)
@@ -51,6 +54,15 @@ extension OpenSSHSignatureWriter {
         return mutSignedData
     }
 
+    func mldsaSignature(_ rawRepresentation: Data, keyType: KeyType) -> Data {
+        var mutSignedData = Data()
+        var sub = Data()
+        sub.append(OpenSSHPublicKeyWriter().openSSHIdentifier(for: keyType).lengthAndData)
+        sub.append(rawRepresentation.lengthAndData)
+        mutSignedData.append(sub.lengthAndData)
+        return mutSignedData
+    }
+
     func rsaSignature(_ rawRepresentation: Data) -> Data {
         var mutSignedData = Data()
         var sub = Data()

Sources/Packages/Sources/SecretKit/Types/Secret.swift

@@ -35,6 +35,7 @@ public struct KeyType: Hashable, Sendable, Codable, CustomStringConvertible {
     
     public enum Algorithm: Hashable, Sendable, Codable {
         case ecdsa
+        case mldsa
         case rsa
     }
 
@@ -67,6 +68,8 @@ public struct KeyType: Hashable, Sendable, Codable, CustomStringConvertible {
             kSecAttrKeyTypeEC
         case .rsa:
             kSecAttrKeyTypeRSA
+        case .mldsa:
+            nil
         }
     }