diff --git a/lee/state_machine/src/signature/private_key.rs b/lee/state_machine/src/signature/private_key.rs
index 4f05ba80..c13be154 100644
--- a/lee/state_machine/src/signature/private_key.rs
+++ b/lee/state_machine/src/signature/private_key.rs
@@ -74,7 +74,8 @@ impl PrivateKey {
 let sk = k256::SecretKey::from_slice(value).map_err(|_e| LeeError::InvalidPrivateKey)?;
- let hashed: [u8; 32] = Sha256::digest(sk.public_key().to_encoded_point(true).as_bytes()).into();
+ let hashed: [u8; 32] =
+ Sha256::digest(sk.public_key().to_encoded_point(true).as_bytes()).into();
 let sk = sk.to_nonzero_scalar();
diff --git a/lez/keycard_wallet/keycard_applets/LEE_keycard.cap b/lez/keycard_wallet/keycard_applets/LEE_keycard.cap
index b44835c4..b2e71d56 100644
Binary files a/lez/keycard_wallet/keycard_applets/LEE_keycard.cap and b/lez/keycard_wallet/keycard_applets/LEE_keycard.cap differ
diff --git a/lez/keycard_wallet/src/lib.rs b/lez/keycard_wallet/src/lib.rs
index 1f009900..93f55756 100644
--- a/lez/keycard_wallet/src/lib.rs
+++ b/lez/keycard_wallet/src/lib.rs
@@ -7,8 +7,9 @@ use zeroize::Zeroizing;
 pub mod python_path;
-/// NSK and VSK as fixed-length zeroizing byte arrays.
-type PrivateKeyPair = (Zeroizing<[u8; 32]>, Zeroizing<[u8; 32]>);
+/// NSK (32 bytes) and VSK (64 bytes, the ML-KEM-768 seed `d || z`) as fixed-length zeroizing byte
+/// arrays.
+type PrivateKeyPair = (Zeroizing<[u8; 32]>, Zeroizing<[u8; 64]>);
 // TODO: encrypt at rest alongside broader wallet storage encryption work.
 #[derive(Serialize, Deserialize)]
@@ -239,13 +240,13 @@ impl KeycardWallet {
 };
 let vsk = {
- if raw_vsk.len() != 32 {
+ if raw_vsk.len() != 64 {
 return Err(PyErr::new::(format!(
- "expected 32-byte VSK from keycard, got {} bytes",
+ "expected 64-byte VSK from keycard, got {} bytes",
 raw_vsk.len()
 )));
 }
- let mut arr = Zeroizing::new([0_u8; 32]);
+ let mut arr = Zeroizing::new([0_u8; 64]);
 arr.copy_from_slice(&raw_vsk);
 arr
 };
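Review bot: The VSK length is now a bare `64` at three sites in lez/keycard_wallet/src/lib.rs: the `PrivateKeyPair` alias in the `@@ -7,8 +7,9 @@` hunk, and the `raw_vsk.len() != 64` guard and `Zeroizing::new([0_u8; 64])` in the `@@ -239,13 +240,13 @@` hunk, with a fourth copy in the error text. `copy_from_slice` panics when the slice and the array differ in length, so the guard and the array size have to change together, and nothing in the code enforces that. A single `const VSK_LEN: usize = 64;` used as `Zeroizing<[u8; VSK_LEN]>`, `raw_vsk.len() != VSK_LEN` and `[0_u8; VSK_LEN]` would tie them to one definition, and the message could format the constant instead of repeating the number.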
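Review bot: In the `@@ -239,13 +240,13 @@` hunk of lez/keycard_wallet/src/lib.rs the 64-byte seed is copied into a `Zeroizing` array, but nothing visible wipes `raw_vsk`, the buffer it is copied from. The declaration of `raw_vsk` is outside the hunk; if it is an owned `Vec<u8>`, a second copy of the ML-KEM seed would remain in heap memory after `arr.copy_from_slice(&raw_vsk);`, and also on the early-return length-error path. Holding the value as `Zeroizing<Vec<u8>>` from the point it is read would cover both paths; calling `raw_vsk.zeroize()` after the copy would cover only the success path. The enclosing function starts and ends outside the hunk, so this may already be handled there.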