릴리즈 변경사항 총집합 & CLI

CONTRIBUTION.md

@@ -64,9 +64,11 @@ _안녕하세요. 저희는 팀 퀀트(Quant)이며, 저는 Quant Theodore Felix
 - 공통
   - **올바른 오류 전파 방법**: 많은 크레이트의 핵심 기능은 `Result` 열거형을 통해 `SecureBuffer` 구조체와 문자열 참조를 반환합니다. 이는 오류 전파에 부적절합니다.
   - **컴플라이언스 문제**: 암호 모듈 구현에 있어 국제적 인증 및 규정을 준수하지 않은 부분을 발견했다면, 즉시 연락주세요.
+  - **오류 메시지**: 오류 메시지는 기본적으로 모호해야 하지만 알아차리기 애-매한 정도로 진실성이 있어야 합니다. 현재 오류 메시지는 어때 보이시나요?
 - 보안 버퍼 크레이트 `entlib-native-secure-buffer`
   - **베어메탈 캐시 플러시 문제**: `zeroizer.rs` 내 no_std 폐쇄 환경을 위한 Fall-back 시, 해당 환경의 하드웨어(CPU) 특성에 따라 캐시 라인 플러시가 보장되지 않을 수 있다고 합니다. 이 부분에 대해 섬세한 평가검증이 필요합니다.
   - **이중 잠금**: JO(Java-Owned) 패턴을 통해 상호 작용 시 메모리 lock 수행 후 전달됩니다. Rust 측 `SecureMemoryBlock` 구조체는 이 데이터에 대해 한 번 더 lock을 수행합니다. 이 작업에 대해 어떻게 생각하시나요?
+  - **베어메탈 대응**: 최신 IoT, HSM, 자동차 천장 시스템(Automotive) 등은 대부분 ARM 기반의 베어메 또는 RTOS 환경에서 구동됩니다. 현재 보안 버퍼는 `mlock` 등의 시스템 콜을 이용해 메모리를 잠그고 있는데, 베어메탈에선 이러한 대응이 불가능합니다. 소프트웨어 레벨에서 '가능한 대응'에 대한 아이디어가 필요합니다.
 - CI 워크플로
   - **엄격한 상수-시간 검사**: 현재 구현된 상수-시간 연산이 부족해 보이시거나, 엄격한 검증을 위해서는 어떻게 해야 한다고 생각하시나요?
   - **메모리 오염 추적 방법**: CC 상수-시간 감사 워크플로의 Level 3(바이너리 메모리 오염 추적)은 Unix 환경에서 Valgrind를 사용하여 테스트를 수행합니다. 하지만 저는 아직 이 부분에 대해 큰 아이디어가 없어 임시 비활성화해둔 상태입니다. 이 부분에 대해 좋은 아이디어를 가지고 있다면 알려주세요.

CONTRIBUTION_EN.md

@@ -64,9 +64,11 @@ Contributions corresponding to the following items for this project are classifi
 - Common
   - **Correct error propagation method**: The core function of many crates returns a `SecureBuffer` struct and a string reference through a `Result` enum. This is inappropriate for error propagation.
   - **Compliance issues**: If you find any parts that do not comply with international certifications and regulations in the implementation of the cryptographic module, please contact us immediately.
+  - **Error messages**: Error messages should be ambiguous by default, but they must be truthful enough to be subtly recognizable. What do you think of the current error messages?
 - Secure buffer crate `entlib-native-secure-buffer`
   - **Bare-metal cache flush issue**: When falling back for a no_std closed environment in `zeroizer.rs`, it is said that cache line flushing may not be guaranteed depending on the hardware (CPU) characteristics of the environment. Delicate evaluation and verification are needed for this part.
   - **Double lock**: When interacting through the JO (Java-Owned) pattern, the memory is locked and then transmitted. The `SecureMemoryBlock` struct on the Rust side performs another lock on this data. What do you think about this operation?
+  - **Bare-metal support**: Most modern IoT, HSM, and automotive systems run on ARM-based bare-metal or RTOS environments. Currently, the secure buffer uses system calls like `mlock` to lock memory, but such responses are impossible in bare-metal environments. We need ideas for "possible responses" at the software level.
 - CI workflow
   - **Strict constant-time check**: Do you think the currently implemented constant-time operation is insufficient, or what do you think should be done for strict verification?
   - **How to track memory corruption**: Level 3 (binary memory corruption tracking) of the CC constant-time audit workflow uses Valgrind to perform tests in a Unix environment. However, I have temporarily disabled it because I don't have a big idea about this part yet. Please let me know if you have a good idea about this.

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-members = ["internal/*", "crypto/*", "core/*"]
+members = ["internal/*", "crypto/*", "core/*", "cli"]
 resolver = "2"
 
 [workspace.package]
@@ -33,11 +33,13 @@ entlib-native-secure-buffer = { path = "core/secure-buffer", version = "2.0.0" }
 entlib-native-constant-time = { path = "core/constant-time", version = "2.0.0" }
 ### INTERNAL CRYPTO DEPENDENCIES ###
 entlib-native-tls =               { path = "crypto/tls",               version = "2.0.0" }
+entlib-native-aes =               { path = "crypto/aes",               version = "2.0.0" }
 entlib-native-hkdf =              { path = "crypto/hkdf",              version = "2.0.0" }
 entlib-native-hmac =              { path = "crypto/hmac",              version = "2.0.0" }
 entlib-native-sha2 =              { path = "crypto/sha2",              version = "2.0.0" }
 entlib-native-sha3 =              { path = "crypto/sha3",              version = "2.0.0" }
 entlib-native-mldsa =             { path = "crypto/mldsa",             version = "2.0.0" }
+entlib-native-pbkdf2 =            { path = "crypto/pbkdf2",            version = "2.0.0" }
 entlib-native-chacha20 =          { path = "crypto/chacha20",          version = "2.0.0" }
 entlib-native-key-establishment = { path = "crypto/key-establishment", version = "2.0.0" }
 entlib-native-digital-signature = { path = "crypto/digital-signature", version = "2.0.0" }

README.md

@@ -2,7 +2,7 @@
 
 [![Version](https://img.shields.io/badge/version-2.0.0-blue?style=for-the-badge)](https://github.com/Quant-Off/entlib-native)
 [![License](https://img.shields.io/badge/license-MIT-green?style=for-the-badge)](LICENSE)
-[![Language](https://img.shields.io/badge/language-Java-orange?style=for-the-badge)](https://github.com/Quant-Off/entlib-native)
+[![Language](https://img.shields.io/badge/language-Rust-000000?style=for-the-badge)](https://github.com/Quant-Off/entlib-native)
 
 ![lol](entanglementlib-logo.png)
 
@@ -47,25 +47,33 @@ Python이나 JPMS(Java Platform Module System)와 일관된 모듈 관리, 캡
 - BlockCipher
   - [ ] AES(128, 192, 256)
   - [ ] ARIA(128, 192, 256)
+- KDF
+  - [ ] PBKDF2
+  - [ ] Argon2id
 - Digital Signature
   - [ ] RSA(2048, 4096, 8192)
   - [ ] ED25519, ED448 서명
   - [ ] X25519, X448 키 합의
-
-이 뿐만 아니라 HMAC, HKDF 등의 암호학적 필수 기능도 제공되어야 합니다.
+- De/Serializer, En/Decoder
+  - [ ] ASN.1 인/디코더
+  - [ ] PEM/DER 직렬화기
+- PKC Standard Pipeline
+  - [ ] PKCS #8
+  - [PKCS #11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html)
+    - [ ] C-API FFI 매핑
+    - [ ] Dyn Loader (시스템 콜 방식)
 
 양자-내성 암호화(Post-Quantum Cryptography, PQC) 알고리즘은 다음의 목표를 가집니다.
 
 - [ ] [FIPS 203(Module Lattice-based Key Encapsulate Mechanism, ML-KEM)](https://csrc.nist.gov/pubs/fips/203/final)
 - [X] [FIPS 204(Module Lattice-based Digital Signature Algorithm, ML-DSA)](https://csrc.nist.gov/pubs/fips/204/final)
 - [ ] [FIPS 205(Stateless Hash-based Digital Signature Algorithm, SLH-DSA)](https://csrc.nist.gov/pubs/fips/205/final)
 
-위 PQC 알고리즘이 구현되면 다음의 TLS 기능도 제공되어야 합니다.
+그리고 다음의 TLS 기능도 제공되어야 합니다.
 
 - [ ] TLS 1.3
 - [ ] [`draft-ietf-tls-ecdhe-mlkem`](https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/)에 따른 X25519MLKEM768
-
-PKIX나 JWT 및 CWT, OTP 등, 아직 갈 길이 멀다는 것이 실감됩니다.
+- [ ] X9.146 QTLS 확장 표준
 
 ## 인증 및 규정 준수 필요
 

README_EN.md

@@ -43,29 +43,37 @@ The final security goal of the Entanglement Library is to obtain a grade of CC E
 We need to implement a variety of supported classic cryptographic algorithm modules.
 
 - AEAD
-    - [ ] ChaCha20
-- BlockCipher
-    - [ ] AES(128, 192, 256)
-    - [ ] ARIA(128, 192, 256)
+  - [ ] ChaCha20
+- Block Cipher
+  - [ ] AES (128, 192, 256)
+  - [ ] ARIA (128, 192, 256)
+- KDF (Key Derivation Function)
+  - [ ] PBKDF2
+  - [ ] Argon2id
 - Digital Signature
-    - [ ] RSA(2048, 4096, 8192)
-    - [ ] ED25519, ED448 signature
-    - [ ] X25519, X448 key agreement
-
-In addition, cryptographic essential functions such as HMAC and HKDF must also be provided.
-
-The Post-Quantum Cryptography (PQC) algorithm has the following goals.
-
-- [ ] [FIPS 203 (Module Lattice-based Key Encapsulate Mechanism, ML-KEM)](https://csrc.nist.gov/pubs/fips/203/final)
-- [X] [FIPS 204(Module Lattice-based Digital Signature Algorithm, ML-DSA)](https://csrc.nist.gov/pubs/fips/204/final)
-- [ ] [FIPS 205 (Stateless Hash-based Digital Signature Algorithm, SLH-DSA)](https://csrc.nist.gov/pubs/fips/205/final)
-
-Once the above PQC algorithm is implemented, the following TLS features must also be provided.
+  - [ ] RSA (2048, 4096, 8192)
+  - [ ] ED25519, ED448 Signatures
+  - [ ] X25519, X448 Key Agreement
+- De/Serializer, En/Decoder
+  - [ ] ASN.1 Encoder/Decoder
+  - [ ] PEM/DER Serializer
+- PKC Standard Pipeline
+  - [ ] PKCS #8
+  - [PKCS #11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html)
+    - [ ] C-API FFI Mapping
+    - [ ] Dynamic Loader (System Call-based)
+
+Post-Quantum Cryptography (PQC) algorithms aim to achieve the following goals.
+
+- [ ] FIPS 203 (Module Lattice-based Key Encapsulation Mechanism, ML-KEM)
+- [x] FIPS 204 (Module Lattice-based Digital Signature Algorithm, ML-DSA)
+- [ ] FIPS 205 (Stateless Hash-based Digital Signature Algorithm, SLH-DSA)
+
+Additionally, the following TLS features must be supported.
 
 - [ ] TLS 1.3
-- [ ] X25519MLKEM768 according to [`draft-ietf-tls-ecdhe-mlkem`](https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/)
-
-I realize that there is still a long way to go, such as PKIX, JWT and CWT, and OTP.
+- [ ] X25519MLKEM768 in accordance with `draft-ietf-tls-ecdhe-mlkem`
+- [ ] X9.146 QTLS Extension Standard
 
 ## Certification and Compliance Required
 

cli/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "entlib-native-cli"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+
+[[bin]]
+name = "entlib-cli"
+path = "src/main.rs"
+
+[dependencies]
+clap = { version = "4.5.51", features = ["derive"] }
+entlib-native-base64.workspace = true
+entlib-native-hex.workspace = true
+entlib-native-sha2.workspace = true
+entlib-native-sha3.workspace = true
+entlib-native-secure-buffer.workspace = true
+
+[target.'cfg(unix)'.dependencies]
+libc = "0.2"

cli/src/cmd/base64.rs

@@ -0,0 +1,48 @@
+use crate::input;
+use clap::Subcommand;
+use entlib_native_base64::{decode, encode};
+
+#[derive(Subcommand)]
+pub(crate) enum Ops {
+    /// Base64 인코딩
+    Encode {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+    },
+    /// Base64 디코딩
+    Decode {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+    },
+}
+
+pub(crate) fn run(op: Ops) {
+    match op {
+        Ops::Encode { in_file, out_file } => {
+            let interactive = in_file.is_none();
+            let buf = match in_file.as_deref().map(input::read_file).unwrap_or_else(input::read_stdin) {
+                Ok(b) => b,
+                Err(e) => { eprintln!("오류: {e}"); std::process::exit(1); }
+            };
+            match encode(&buf) {
+                Ok(result) => input::write_output(result, out_file.as_deref(), interactive),
+                Err(e) => { eprintln!("인코딩 오류: {e}"); std::process::exit(1); }
+            }
+        }
+        Ops::Decode { in_file, out_file } => {
+            let interactive = in_file.is_none();
+            let buf = match in_file.as_deref().map(input::read_file).unwrap_or_else(input::read_stdin) {
+                Ok(b) => b,
+                Err(e) => { eprintln!("오류: {e}"); std::process::exit(1); }
+            };
+            match decode(&buf) {
+                Ok(result) => input::write_output(result, out_file.as_deref(), interactive),
+                Err(e) => { eprintln!("디코딩 오류: {e}"); std::process::exit(1); }
+            }
+        }
+    }
+}

cli/src/cmd/hex.rs

@@ -0,0 +1,48 @@
+use crate::input;
+use clap::Subcommand;
+use entlib_native_hex::{decode, encode};
+
+#[derive(Subcommand)]
+pub(crate) enum Ops {
+    /// Hex 인코딩
+    Encode {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+    },
+    /// Hex 디코딩
+    Decode {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+    },
+}
+
+pub(crate) fn run(op: Ops) {
+    match op {
+        Ops::Encode { in_file, out_file } => {
+            let interactive = in_file.is_none();
+            let buf = match in_file.as_deref().map(input::read_file).unwrap_or_else(input::read_stdin) {
+                Ok(b) => b,
+                Err(e) => { eprintln!("오류: {e}"); std::process::exit(1); }
+            };
+            match encode(&buf) {
+                Ok(result) => input::write_output(result, out_file.as_deref(), interactive),
+                Err(e) => { eprintln!("인코딩 오류: {e}"); std::process::exit(1); }
+            }
+        }
+        Ops::Decode { in_file, out_file } => {
+            let interactive = in_file.is_none();
+            let buf = match in_file.as_deref().map(input::read_file).unwrap_or_else(input::read_stdin) {
+                Ok(b) => b,
+                Err(e) => { eprintln!("오류: {e}"); std::process::exit(1); }
+            };
+            match decode(&buf) {
+                Ok(result) => input::write_output(result, out_file.as_deref(), interactive),
+                Err(e) => { eprintln!("디코딩 오류: {e}"); std::process::exit(1); }
+            }
+        }
+    }
+}

cli/src/cmd/mod.rs

@@ -0,0 +1,13 @@
+use entlib_native_secure_buffer::SecureBuffer;
+
+pub mod base64;
+pub mod hex;
+pub mod sha2;
+pub mod sha3;
+
+pub(crate) fn hex_encode(digest: SecureBuffer) -> SecureBuffer {
+    match entlib_native_hex::encode(&digest) {
+        Ok(h) => h,
+        Err(e) => { eprintln!("hex 인코딩 오류: {e}"); std::process::exit(1); }
+    }
+}

cli/src/cmd/sha2.rs

@@ -0,0 +1,76 @@
+use super::hex_encode;
+use crate::input;
+use clap::Subcommand;
+use entlib_native_sha2::api::{SHA224, SHA256, SHA384, SHA512};
+
+#[derive(Subcommand)]
+pub(crate) enum Ops {
+    /// SHA-224 (112-bit security)
+    Sha224 {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+        /// raw 바이너리 출력 (기본: hex)
+        #[arg(long)]
+        raw: bool,
+    },
+    /// SHA-256 (128-bit security)
+    Sha256 {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+        #[arg(long)]
+        raw: bool,
+    },
+    /// SHA-384 (192-bit security)
+    Sha384 {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+        #[arg(long)]
+        raw: bool,
+    },
+    /// SHA-512 (256-bit security)
+    Sha512 {
+        #[arg(long)]
+        in_file: Option<String>,
+        #[arg(long)]
+        out_file: Option<String>,
+        #[arg(long)]
+        raw: bool,
+    },
+}
+
+macro_rules! run_hash {
+    ($hasher:expr, $in_file:expr, $out_file:expr, $raw:expr) => {{
+        let interactive = $in_file.is_none();
+        let buf = match $in_file.as_deref().map(input::read_file).unwrap_or_else(input::read_stdin) {
+            Ok(b) => b,
+            Err(e) => { eprintln!("오류: {e}"); std::process::exit(1); }
+        };
+        let mut hasher = $hasher;
+        hasher.update(buf.as_slice());
+        let digest = match hasher.finalize() {
+            Ok(d) => d,
+            Err(e) => { eprintln!("해시 오류: {e}"); std::process::exit(1); }
+        };
+        let result = if $raw {
+            digest
+        } else {
+            hex_encode(digest)
+        };
+        input::write_output(result, $out_file.as_deref(), interactive);
+    }};
+}
+
+pub(crate) fn run(op: Ops) {
+    match op {
+        Ops::Sha224 { in_file, out_file, raw } => run_hash!(SHA224::new(), in_file, out_file, raw),
+        Ops::Sha256 { in_file, out_file, raw } => run_hash!(SHA256::new(), in_file, out_file, raw),
+        Ops::Sha384 { in_file, out_file, raw } => run_hash!(SHA384::new(), in_file, out_file, raw),
+        Ops::Sha512 { in_file, out_file, raw } => run_hash!(SHA512::new(), in_file, out_file, raw),
+    }
+}