JNI/JCE: add ML-KEM (FIPS 203) support to wolfCrypt JNI and wolfJCE

[cconlon]

This PR adds ML-KEM (FIPS 203) for parameter sets ML-KEM-512/768/1024, at both the JNI and JCE layers, backed by native wolfSSL's wc_MlKemKey_* API.

JNI (com.wolfssl.wolfcrypt)

• New MlKem class + jni/jni_mlkem.c: key generation (RNG and deterministic 64-byte seed), encapsulation (RNG and deterministic encapsulateWithRandom), decapsulation, raw key import/export, and size getters.

JCE (wolfJCE)

• KeyPairGenerator, KeyFactory, and KEM (KEMSpi, JDK 21+) services plus ML-KEM public/private key classes, registered with family + per-level + OID aliases.
• X.509 SubjectPublicKeyInfo and PKCS#8 PrivateKeyInfo (RFC 9935) encoding/decoding accepts all three PKCS#8 CHOICE forms (seed/expandedKey/both).
• Interoperates with OpenJDK SunJCE, outputs expandedKey by default, honors the jdk.mlkem.pkcs8.encoding property.

Compatibility

• Java 8 compatible: the KEM SPI is conditionally compiled (JDK 21+) and registered behind a runtime guard, so Java 8 builds load with the KEM service absent.

Tests

• JNI and JCE unit tests, wolfJCE/SunJCE interop tests, and NIST/wolfSSL known-answer tests (key generation, encapsulation, decapsulation) for all three parameter sets.

Build

• Requires wolfSSL built with --enable-mlkem (defines WOLFSSL_HAVE_MLKEM).
• Wired into makefiles, build.xml, pom.xml, Android/VS projects, and infer.sh. Includes MlKemExample and README updates.

[Copilot]

Pull request overview

Adds ML-KEM (FIPS 203) support across the wolfCrypt JNI layer and the wolfJCE provider, including key generation, key encoding (RFC 9935 SPKI/PKCS#8), and JDK 21+ javax.crypto.KEM integration, plus tests and build wiring.

Changes:

• Introduces a new com.wolfssl.wolfcrypt.MlKem JNI wrapper and native jni_mlkem.c bindings for keygen/encap/decap/import/export/size queries.
• Adds wolfJCE ML-KEM provider services: KeyPairGenerator, KeyFactory, ML-KEM public/private key classes, RFC 9935 encoding utilities, and optional JDK 21+ KEM SPI registration.
• Adds ML-KEM unit tests (including interop with SunJCE) and updates build scripts/docs/project files to include ML-KEM.

Reviewed changes

Copilot reviewed 28 out of 29 changed files in this pull request and generated 11 comments.

Show a summary per file

File	Description
src/test/java/com/wolfssl/wolfcrypt/test/WolfCryptTestSuite.java	Adds ML-KEM tests to the wolfCrypt JNI test suite.
src/test/java/com/wolfssl/provider/jce/test/WolfJCETestSuite.java	Adds ML-KEM JCE tests to the provider test suite.
src/test/java/com/wolfssl/provider/jce/test/WolfCryptMlKemKeyPairGeneratorTest.java	Verifies ML-KEM KeyPairGenerator behavior and defaults.
src/test/java/com/wolfssl/provider/jce/test/WolfCryptMlKemKeyFactoryTest.java	Validates ML-KEM KeyFactory parsing/encoding (including PKCS#8 CHOICE forms).
src/test/java/com/wolfssl/provider/jce/test/WolfCryptMlKemKemTest.java	Tests JDK 21+ KEM SPI behavior and SunJCE interop via reflection for Java 8 compatibility.
src/main/java/com/wolfssl/wolfcrypt/MlKem.java	New JNI wrapper API for native ML-KEM operations.
src/main/java/com/wolfssl/provider/jce/WolfPQCJdkCompat.java	Adds ML-KEM name→level mapping helper for parameter specs.
src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java	Registers ML-KEM services (KeyPairGenerator/KeyFactory/KEM + OID aliases) with feature/JDK guards.
src/main/java/com/wolfssl/provider/jce/WolfCryptMlKemUtil.java	Implements RFC 9935 DER encode/decode helpers for ML-KEM SPKI/PKCS#8.
src/main/java/com/wolfssl/provider/jce/WolfCryptMlKemPublicKey.java	New ML-KEM PublicKey type backed by raw key bytes + SPKI encoding.
src/main/java/com/wolfssl/provider/jce/WolfCryptMlKemPrivateKey.java	New ML-KEM PrivateKey type supporting seed/expanded/both PKCS#8 CHOICE inputs.
src/main/java/com/wolfssl/provider/jce/WolfCryptMlKemKeyFactory.java	New KeyFactorySpi implementation for ML-KEM (generic + per-level variants).
src/main/java/com/wolfssl/provider/jce/WolfCryptMlKemKem.java	New JDK 21+ KEMSpi implementation for ML-KEM encapsulation/decapsulation.
src/main/java/com/wolfssl/provider/jce/WolfCryptKeyPairGenerator.java	Extends KeyPairGenerator support to ML-KEM (levels, defaults, seed retention).
src/main/java/com/wolfssl/provider/jce/WolfCryptASN1Util.java	Adds ASN.1 context-specific primitive tag constant used by ML-KEM PKCS#8 seed form.
scripts/infer.sh	Adds ML-KEM sources to Infer’s javac invocation.
README.md	Documents native build requirement for ML-KEM and JDK 21+ KEM note.
README_JCE.md	Documents ML-KEM services, parameter selection, encoding property, and OIDs.
pom.xml	Adds a JDK<21 profile to exclude KEM SPI compilation.
makefile.macosx	Adds jni_mlkem.o to macOS JNI build.
makefile.linux	Adds jni_mlkem.o to Linux JNI build.
jni/jni_mlkem.c	Implements native JNI bindings to wolfSSL wc_MlKemKey_* APIs.
jni/include/com_wolfssl_wolfcrypt_MlKem.h	Adds generated JNI header for MlKem.
IDE/WIN/wolfcryptjni.vcxproj	Includes ML-KEM JNI sources/headers in the Windows project.
IDE/Android/app/src/main/cpp/CMakeLists.txt	Includes ML-KEM JNI source in Android build.
examples/provider/MlKemExample.sh	Adds a helper script to run the ML-KEM example.
examples/provider/MlKemExample.java	Adds a JDK 21+ ML-KEM KEM + encoding round-trip example.
build.xml	Adds JDK 21+ detection and excludes KEM SPI + example from Java 8 builds/javadoc.

Files not reviewed (1)

• jni/include/com_wolfssl_wolfcrypt_MlKem.h: Generated file

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 30 out of 31 changed files in this pull request and generated 4 comments.

Files not reviewed (1)

• jni/include/com_wolfssl_wolfcrypt_MlKem.h: Generated file

[Copilot]

Pull request overview

Copilot reviewed 30 out of 31 changed files in this pull request and generated 2 comments.

Files not reviewed (1)

• jni/include/com_wolfssl_wolfcrypt_MlKem.h: Generated file