Skip to content

crypto: support ML-DSA KeyObject, sign, and verify #59259

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Aug 6, 2025

Conversation

panva
Copy link
Member

@panva panva commented Jul 28, 2025

This allows node:crypto to recognize the following asymmetric KeyObject types (keyObject.asymmetricKeyType) when built with or linked to OpenSSL 3.5 (#59234):

And the following functionality for them:

  • import crypto.createPublicKey() SPKI/JWK
  • import crypto.createPrivateKey() PKCS#8/JWK
  • export keyObject.export() SPKI/PKCS#8/JWK
  • keygen crypto.generateKeyPair(Sync)() into KeyObject, PEM, DER, JWK
  • ML-DSA signing via crypto.sign() and signature verification via crypto.verify()

notable-change PRs with changes that should be highlighted in changelogs.

ML-DSA support in node:crypto kicks off post-quantum cryptography efforts in Node.js. This is part of a broader effort to support NIST's post-quantum cryptography standards for future-proofing applications against quantum computing threats.


@panva panva requested review from jasnell and tniessen July 28, 2025 12:49
@panva panva added crypto Issues and PRs related to the crypto subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. labels Jul 28, 2025
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 18133e1 to 2f37933 Compare July 28, 2025 12:53
@nodejs-github-bot

This comment was marked as outdated.

@panva
Copy link
Member Author

panva commented Jul 28, 2025

cc @nodejs/cpp-reviewers 🙏

@panva panva added the semver-minor PRs that contain new features and should be released in the next minor version. label Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 521deae to 7a6c57c Compare July 28, 2025 14:01
@nodejs-github-bot

This comment was marked as outdated.

@panva panva changed the title crypto: add ML-DSA and ML-KEM KeyObject support crypto: add ML-DSA and ML-KEM KeyObject support, ML-DSA sign and verify Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch 3 times, most recently from 7c37a1c to 3c220b4 Compare July 28, 2025 18:23
@panva panva changed the title crypto: add ML-DSA and ML-KEM KeyObject support, ML-DSA sign and verify crypto: support ML-DSA KeyObject, sign, and verify Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 3c220b4 to 7bd6d1e Compare July 28, 2025 18:26
@panva panva added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. and removed commit-queue-rebase Add this label to allow the Commit Queue to land a PR in several commits. labels Jul 28, 2025
@panva panva force-pushed the crypto-pqc-keyobjects branch from 7bd6d1e to a08d556 Compare July 28, 2025 18:32
@panva panva added the notable-change PRs with changes that should be highlighted in changelogs. label Jul 28, 2025
Copy link
Contributor

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @panva.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Aug 1, 2025

@panva panva added the review wanted PRs that need reviews. label Aug 2, 2025
@panva panva requested a review from jasnell August 3, 2025 21:36
Copy link
Contributor

@Ethan-Arrowood Ethan-Arrowood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent work on this! None of my comments should be considered blocking.

if (ctx == nullptr) return {};

EVP_PKEY* pkey = nullptr;
if (ctx == nullptr || EVP_PKEY_fromdata_init(ctx) <= 0 ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (ctx == nullptr || EVP_PKEY_fromdata_init(ctx) <= 0 ||
if (EVP_PKEY_fromdata_init(ctx) <= 0 ||

Based on line 1912 this part of the condition will always be false, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'll be doing a pass on this in a follow up unless a blocking review comes in.

Comment on lines +71 to +76
if (hasSeed) {
assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private);
} else {
assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private_priv_only);
}
if (hasSeed) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could combine these

Copy link
Member Author

@panva panva Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 in a followup unless a blocking review comes in.

@panva
Copy link
Member Author

panva commented Aug 6, 2025

@Ethan-Arrowood thank you for the review, i'll include the nit fixes in a followup as I'm happy to have a 💚 CI at the moment.

@panva panva added the commit-queue Add this label to land a pull request using GitHub Actions. label Aug 6, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Aug 6, 2025
@nodejs-github-bot nodejs-github-bot merged commit 24e28c4 into nodejs:main Aug 6, 2025
60 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in 24e28c4

@panva panva deleted the crypto-pqc-keyobjects branch August 6, 2025 21:49
panva added a commit to panva/node that referenced this pull request Aug 7, 2025
PR-URL: nodejs#59259
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: James M Snell <[email protected]>
targos pushed a commit that referenced this pull request Aug 8, 2025
PR-URL: #59259
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: James M Snell <[email protected]>
mete0rfish pushed a commit to mete0rfish/node-contribute that referenced this pull request Aug 9, 2025
PR-URL: nodejs#59259
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: James M Snell <[email protected]>
panva added a commit to panva/node that referenced this pull request Aug 9, 2025
PR-URL: nodejs#59259
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: James M Snell <[email protected]>
nodejs-github-bot added a commit that referenced this pull request Aug 11, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
RafaelGSS pushed a commit that referenced this pull request Aug 12, 2025
PR-URL: #59259
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: James M Snell <[email protected]>
RafaelGSS pushed a commit that referenced this pull request Aug 12, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
  * (SEMVER-MINOR) add --use-env-proxy (Joyee Cheung) #59151
  * (SEMVER-MINOR) support `${pid}` placeholder in --cpu-prof-name (Haram Jeong) #59072
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
  * (SEMVER-MINOR) add tls.setDefaultCACertificates() (Joyee Cheung) #58822
deps:
  * update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234
  * upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234
dns:
  * (SEMVER-MINOR) support max timeout (theanarkh) #58440
doc:
  * update the instruction on how to verify releases (Antoine du Hamel) #59113
esm:
  * (SEMVER-MINOR) unflag --experimental-wasm-modules (Guy Bedford) #57038
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
http,https:
  * (SEMVER-MINOR) add built-in proxy support in http/https.request and Agent (Joyee Cheung) #58980
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
net:
  * (SEMVER-MINOR) update net.blocklist to allow file save and file management (alphaleadership) #58087
test:
  * (SEMVER-MINOR) move http proxy tests to test/client-proxy (Joyee Cheung) #58980
worker:
  * (SEMVER-MINOR) add web locks api (ishabi) #58666
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
Signed-off-by: RafaelGSS <[email protected]>
RafaelGSS pushed a commit that referenced this pull request Aug 12, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
  * (SEMVER-MINOR) add --use-env-proxy (Joyee Cheung) #59151
  * (SEMVER-MINOR) support `${pid}` placeholder in --cpu-prof-name (Haram Jeong) #59072
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
  * (SEMVER-MINOR) add tls.setDefaultCACertificates() (Joyee Cheung) #58822
deps:
  * update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234
  * upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234
dns:
  * (SEMVER-MINOR) support max timeout (theanarkh) #58440
doc:
  * update the instruction on how to verify releases (Antoine du Hamel) #59113
esm:
  * (SEMVER-MINOR) unflag --experimental-wasm-modules (Guy Bedford) #57038
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
http,https:
  * (SEMVER-MINOR) add built-in proxy support in http/https.request and Agent (Joyee Cheung) #58980
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
net:
  * (SEMVER-MINOR) update net.blocklist to allow file save and file management (alphaleadership) #58087
test:
  * (SEMVER-MINOR) move http proxy tests to test/client-proxy (Joyee Cheung) #58980
worker:
  * (SEMVER-MINOR) add web locks api (ishabi) #58666
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
Signed-off-by: RafaelGSS <[email protected]>
RafaelGSS pushed a commit that referenced this pull request Aug 12, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
Signed-off-by: RafaelGSS <[email protected]>
RafaelGSS pushed a commit that referenced this pull request Aug 14, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
Signed-off-by: RafaelGSS <[email protected]>
RafaelGSS pushed a commit that referenced this pull request Aug 14, 2025
Notable changes:

cli:
  * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
crypto:
  * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
fs:
  * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
http:
  * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
lib:
  * docs deprecate _http_* (Sebastian Beltran) #59293
zlib:
  * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

PR-URL: #59449
Signed-off-by: RafaelGSS <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. notable-change PRs with changes that should be highlighted in changelogs. review wanted PRs that need reviews. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants