Skip to content

crypto: support ML-DSA KeyObject, sign, and verify #59259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

crypto: support ML-DSA KeyObject, sign, and verify #59259

wants to merge 13 commits into from
+1,479 −44

Conversation

panva
Copy link
Member

@panva panva commented Jul 28, 2025
edited
Loading

This allows node:crypto to recognize the following asymmetric KeyObject types (keyObject.asymmetricKeyType) when built with or linked to OpenSSL 3.5 (#59234):

And the following functionality for them:

  • import crypto.createPublicKey() SPKI/JWK
  • import crypto.createPrivateKey() PKCS#8/JWK
  • export keyObject.export() SPKI/PKCS#8/JWK
  • keygen crypto.generateKeyPair(Sync)() into KeyObject, PEM, DER, JWK
  • ML-DSA signing via crypto.sign() and signature verification via crypto.verify()

notable-change PRs with changes that should be highlighted in changelogs.

ML-DSA support in node:crypto kicks off post-quantum cryptography efforts in Node.js. This is part of a broader effort to support NIST's post-quantum cryptography standards for future-proofing applications against quantum computing threats.

TODO:

  • JWK format support in crypto.createPublicKey() and crypto.createPrivateKey()
  • check if we can set ML-DSA's optional context-string as an option from crypto.sign() and crypto.verify()
    • yeah, maybe in a followup PR.

@panva panva requested review from jasnell and tniessen July 28, 2025 12:49
@panva panva added crypto Issues and PRs related to the crypto subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. labels Jul 28, 2025
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 18133e1 to 2f37933 Compare July 28, 2025 12:53
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@panva
Copy link
Member Author

panva commented Jul 28, 2025

cc @nodejs/cpp-reviewers 🙏

@panva panva added the semver-minor PRs that contain new features and should be released in the next minor version. label Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 521deae to 7a6c57c Compare July 28, 2025 14:01
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
panva
panva commented Jul 28, 2025
View reviewed changes
panva
panva commented Jul 28, 2025
View reviewed changes
panva
panva commented Jul 28, 2025
View reviewed changes
@panva panva changed the title crypto: add ML-DSA and ML-KEM KeyObject support crypto: add ML-DSA and ML-KEM KeyObject support, ML-DSA sign and verify Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch 3 times, most recently from 7c37a1c to 3c220b4 Compare July 28, 2025 18:23
@panva panva changed the title crypto: add ML-DSA and ML-KEM KeyObject support, ML-DSA sign and verify crypto: support ML-DSA KeyObject, sign, and verify Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 3c220b4 to 7bd6d1e Compare July 28, 2025 18:26
@panva panva added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. and removed commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. labels Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 7bd6d1e to a08d556 Compare July 28, 2025 18:32
@panva panva added the notable-change PRs with changes that should be highlighted in changelogs. label Jul 28, 2025
@github-actions GitHub Actions
Copy link
Contributor

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @panva.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

@panva panva force-pushed the crypto-pqc-keyobjects branch 3 times, most recently from 99ed3b4 to 2739dba Compare July 29, 2025 08:54
@panva panva force-pushed the crypto-pqc-keyobjects branch from 2739dba to 69fc44e Compare July 29, 2025 09:04
@panva panva marked this pull request as ready for review July 29, 2025 09:04
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@codecov Codecov
Copy link

codecov bot commented Jul 29, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 78.76712% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.98%. Comparing base (5335c10) to head (7b10239).
⚠️ Report is 21 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_keys.cc 73.80% 3 Missing and 8 partials ⚠️
src/crypto/crypto_ml_dsa.cc 73.68% 2 Missing and 8 partials ⚠️
lib/internal/crypto/keys.js 82.97% 8 Missing ⚠️
lib/internal/crypto/keygen.js 89.47% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #59259      +/-   ##
==========================================
+ Coverage   89.97%   89.98%   +0.01%     
==========================================
  Files         649      650       +1     
  Lines      192131   192321     +190     
  Branches    37653    37722      +69     
==========================================
+ Hits       172864   173056     +192     
+ Misses      11883    11840      -43     
- Partials     7384     7425      +41
Files with missing lines Coverage Δ
src/crypto/crypto_keys.h 56.60% <ø> (ø)
lib/internal/crypto/keygen.js 91.93% <89.47%> (-0.67%) ⬇️
lib/internal/crypto/keys.js 94.81% <82.97%> (-0.60%) ⬇️
src/crypto/crypto_ml_dsa.cc 73.68% <73.68%> (ø)
src/crypto/crypto_keys.cc 72.31% <73.80%> (-0.40%) ⬇️

... and 54 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

jasnell
jasnell reviewed Jul 29, 2025
View reviewed changes
deps/ncrypto/ncrypto.cc
@@ -1942,7 +1942,16 @@ EVP_PKEY* EVPKeyPointer::release() {

int EVPKeyPointer::id(const EVP_PKEY* key) {
if (key == nullptr) return 0;
return EVP_PKEY_id(key);
int type = EVP_PKEY_id(key);
#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a blocker but, does this also need to have a OPENSSL_IS_BORING guard? I doubt boring would end up duplicating these version values but just want to be cautious.

/cc @codebytere

jasnell
jasnell reviewed Jul 29, 2025
View reviewed changes
@jasnell
Copy link
Member

jasnell commented Jul 29, 2025

first view pass looks good but there's a lot here so I want to take a second pass through before signing off.

@panva

This comment was marked as off-topic.

Sign in to view
@jasnell

This comment was marked as off-topic.

Sign in to view
jasnell
jasnell reviewed Jul 29, 2025
View reviewed changes
jasnell
jasnell reviewed Jul 29, 2025
View reviewed changes
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Aug 1, 2025
edited by panva
Loading

CI: https://ci.nodejs.org/job/node-test-pull-request/68345/ 💚

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell jasnell left review comments

@tniessen tniessen Awaiting requested review from tniessen

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. notable-change PRs with changes that should be highlighted in changelogs. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@panva @nodejs-github-bot @jasnell