pub struct PqdsaKeyPair { /* private fields */ }Expand description
A PQDSA (Post-Quantum Digital Signature Algorithm) key pair, used for signing and verification.
Implementations§
Source§impl PqdsaKeyPair
impl PqdsaKeyPair
Sourcepub fn generate(
algorithm: &'static PqdsaSigningAlgorithm,
) -> Result<Self, Unspecified>
pub fn generate( algorithm: &'static PqdsaSigningAlgorithm, ) -> Result<Self, Unspecified>
Generates a new PQDSA key pair for the specified algorithm.
§Errors
Returns Unspecified is the key generation fails.
Sourcepub fn from_pkcs8(
algorithm: &'static PqdsaSigningAlgorithm,
pkcs8: &[u8],
) -> Result<Self, KeyRejected>
pub fn from_pkcs8( algorithm: &'static PqdsaSigningAlgorithm, pkcs8: &[u8], ) -> Result<Self, KeyRejected>
Constructs a key pair from the parsing of PKCS#8.
§Errors
Returns Unspecified if the key is not valid for the specified signing algorithm.
Sourcepub fn from_raw_private_key(
algorithm: &'static PqdsaSigningAlgorithm,
raw_private_key: &[u8],
) -> Result<Self, KeyRejected>
pub fn from_raw_private_key( algorithm: &'static PqdsaSigningAlgorithm, raw_private_key: &[u8], ) -> Result<Self, KeyRejected>
Constructs a key pair from raw private key bytes.
§Errors
Returns Unspecified if the key is not valid for the specified signing algorithm.
Sourcepub fn from_seed(
algorithm: &'static PqdsaSigningAlgorithm,
seed: &[u8],
) -> Result<Self, KeyRejected>
pub fn from_seed( algorithm: &'static PqdsaSigningAlgorithm, seed: &[u8], ) -> Result<Self, KeyRejected>
Constructs a key pair deterministically from a 32-byte seed.
Per FIPS 204, the same seed always produces the same key pair. This enables reproducible key generation for testing, ACVP validation, and interoperability with implementations that store seeds rather than expanded private keys.
algorithm is the PqdsaSigningAlgorithm to be associated with the key pair.
seed is the 32-byte seed from which the key pair is deterministically derived.
All ML-DSA variants (ML-DSA-44, ML-DSA-65, ML-DSA-87) use 32-byte seeds.
§Security Considerations
The seed is the root secret. Compromise of the seed is equivalent to compromise of the private key. Callers are responsible for generating seeds from a cryptographically secure random source and protecting them accordingly.
This method expands the seed into the full private key internally. The seed
itself is not retained in the returned PqdsaKeyPair; the expanded key material
is stored instead. The expanded private key can be retrieved via
Self::private_key and serialized via Self::to_pkcs8 or
PqdsaPrivateKey::as_raw_bytes.
§Errors
Returns KeyRejected::too_small() if seed.len() < 32.
Returns KeyRejected::too_large() if seed.len() > 32.
Returns KeyRejected::unspecified() if the underlying cryptographic operation fails.
Sourcepub fn to_pkcs8(&self) -> Result<Document, Unspecified>
pub fn to_pkcs8(&self) -> Result<Document, Unspecified>
Sourcepub fn sign(
&self,
msg: &[u8],
signature: &mut [u8],
) -> Result<usize, Unspecified>
pub fn sign( &self, msg: &[u8], signature: &mut [u8], ) -> Result<usize, Unspecified>
Uses this key to sign the message provided. The signature is written to the signature
slice provided. It returns the length of the signature on success.
§Errors
Returns Unspecified if signing fails.
Sourcepub fn algorithm(&self) -> &'static PqdsaSigningAlgorithm
pub fn algorithm(&self) -> &'static PqdsaSigningAlgorithm
Returns the signing algorithm associated with this key pair.
Sourcepub fn private_key(&self) -> PqdsaPrivateKey<'_>
pub fn private_key(&self) -> PqdsaPrivateKey<'_>
Returns the private key associated with this key pair.