-
-
Notifications
You must be signed in to change notification settings - Fork 32.6k
crypto: support ML-DSA KeyObject, sign, and verify #59259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Review requested:
|
18133e1
to
2f37933
Compare
This comment was marked as outdated.
This comment was marked as outdated.
cc @nodejs/cpp-reviewers 🙏 |
521deae
to
7a6c57c
Compare
This comment was marked as outdated.
This comment was marked as outdated.
7c37a1c
to
3c220b4
Compare
3c220b4
to
7bd6d1e
Compare
7bd6d1e
to
a08d556
Compare
The
notable-change
Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section. |
This comment was marked as outdated.
This comment was marked as outdated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent work on this! None of my comments should be considered blocking.
if (ctx == nullptr) return {}; | ||
|
||
EVP_PKEY* pkey = nullptr; | ||
if (ctx == nullptr || EVP_PKEY_fromdata_init(ctx) <= 0 || |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if (ctx == nullptr || EVP_PKEY_fromdata_init(ctx) <= 0 || | |
if (EVP_PKEY_fromdata_init(ctx) <= 0 || |
Based on line 1912 this part of the condition will always be false, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'll be doing a pass on this in a follow up unless a blocking review comes in.
if (hasSeed) { | ||
assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private); | ||
} else { | ||
assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private_priv_only); | ||
} | ||
if (hasSeed) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could combine these
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 in a followup unless a blocking review comes in.
@Ethan-Arrowood thank you for the review, i'll include the nit fixes in a followup as I'm happy to have a 💚 CI at the moment. |
Landed in 24e28c4 |
PR-URL: nodejs#59259 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: #59259 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#59259 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: James M Snell <[email protected]>
PR-URL: nodejs#59259 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: James M Snell <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449
PR-URL: #59259 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Ethan Arrowood <[email protected]> Reviewed-By: James M Snell <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 * (SEMVER-MINOR) add --use-env-proxy (Joyee Cheung) #59151 * (SEMVER-MINOR) support `${pid}` placeholder in --cpu-prof-name (Haram Jeong) #59072 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 * (SEMVER-MINOR) add tls.setDefaultCACertificates() (Joyee Cheung) #58822 deps: * update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234 * upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234 dns: * (SEMVER-MINOR) support max timeout (theanarkh) #58440 doc: * update the instruction on how to verify releases (Antoine du Hamel) #59113 esm: * (SEMVER-MINOR) unflag --experimental-wasm-modules (Guy Bedford) #57038 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 http,https: * (SEMVER-MINOR) add built-in proxy support in http/https.request and Agent (Joyee Cheung) #58980 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 net: * (SEMVER-MINOR) update net.blocklist to allow file save and file management (alphaleadership) #58087 test: * (SEMVER-MINOR) move http proxy tests to test/client-proxy (Joyee Cheung) #58980 worker: * (SEMVER-MINOR) add web locks api (ishabi) #58666 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449 Signed-off-by: RafaelGSS <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 * (SEMVER-MINOR) add --use-env-proxy (Joyee Cheung) #59151 * (SEMVER-MINOR) support `${pid}` placeholder in --cpu-prof-name (Haram Jeong) #59072 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 * (SEMVER-MINOR) add tls.setDefaultCACertificates() (Joyee Cheung) #58822 deps: * update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234 * upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234 dns: * (SEMVER-MINOR) support max timeout (theanarkh) #58440 doc: * update the instruction on how to verify releases (Antoine du Hamel) #59113 esm: * (SEMVER-MINOR) unflag --experimental-wasm-modules (Guy Bedford) #57038 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 http,https: * (SEMVER-MINOR) add built-in proxy support in http/https.request and Agent (Joyee Cheung) #58980 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 net: * (SEMVER-MINOR) update net.blocklist to allow file save and file management (alphaleadership) #58087 test: * (SEMVER-MINOR) move http proxy tests to test/client-proxy (Joyee Cheung) #58980 worker: * (SEMVER-MINOR) add web locks api (ishabi) #58666 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449 Signed-off-by: RafaelGSS <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449 Signed-off-by: RafaelGSS <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449 Signed-off-by: RafaelGSS <[email protected]>
Notable changes: cli: * (SEMVER-MINOR) add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 crypto: * (SEMVER-MINOR) support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 fs: * (SEMVER-MINOR) port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 http: * (SEMVER-MINOR) add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 lib: * docs deprecate _http_* (Sebastian Beltran) #59293 zlib: * (SEMVER-MINOR) add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 PR-URL: #59449 Signed-off-by: RafaelGSS <[email protected]>
This allows
node:crypto
to recognize the following asymmetric KeyObject types (keyObject.asymmetricKeyType
) when built with or linked to OpenSSL 3.5 (#59234):'ml-dsa-44'
,'ml-dsa-65'
,'ml-dsa-87'
(https://docs.openssl.org/3.5/man7/EVP_PKEY-ML-DSA/)And the following functionality for them:
crypto.createPublicKey()
SPKI/JWKcrypto.createPrivateKey()
PKCS#8/JWKkeyObject.export()
SPKI/PKCS#8/JWKcrypto.generateKeyPair(Sync)()
into KeyObject, PEM, DER, JWKcrypto.sign()
and signature verification viacrypto.verify()
notable-changePRs with changes that should be highlighted in changelogs.
ML-DSA support in
node:crypto
kicks off post-quantum cryptography efforts in Node.js. This is part of a broader effort to support NIST's post-quantum cryptography standards for future-proofing applications against quantum computing threats.