crypto: support ML-KEM KeyObject #59461

panva · 2025-08-13T16:00:01Z

This allows node:crypto to recognize the ML-KEM KeyObject types (keyObject.asymmetricKeyType) when built with or linked to OpenSSL 3.5 and the following functionality for them:

import crypto.createPublicKey() SPKI
import crypto.createPrivateKey() PKCS#8
export keyObject.export() SPKI/PKCS#8
keygen crypto.generateKeyPair(Sync)() into KeyObject, PEM, DER

JWK import/export is not implemented because it has not been standardized yet

Edit: I've dropped SLH-DSA from this PR because testing its higher level of security variants was intermittenly grinding CI to a halt. I might reintroduce it separately. For now i'm just looking to add ML-KEM to be able to introduce key encapsulation in a follow up PR.

nodejs-github-bot · 2025-08-13T16:00:08Z

Review requested:

@nodejs/crypto
@nodejs/security-wg

github-actions · 2025-08-13T16:00:13Z

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @panva.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

codecov · 2025-08-13T17:04:49Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.86%. Comparing base (abb1f92) to head (2f07d66).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #59461      +/-   ##
==========================================
- Coverage   89.88%   89.86%   -0.02%     
==========================================
  Files         656      656              
  Lines      193068   193083      +15     
  Branches    37871    37876       +5     
==========================================
- Hits       173534   173514      -20     
- Misses      12079    12083       +4     
- Partials     7455     7486      +31

Files with missing lines	Coverage Δ
lib/internal/crypto/keygen.js	`92.10% <100.00%> (+0.17%)`	⬆️
src/crypto/crypto_keys.cc	`72.91% <100.00%> (+0.33%)`	⬆️

... and 29 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

tniessen

Amazing work @panva!

deps/ncrypto/ncrypto.cc

Ethan-Arrowood

LGTM 🚀

panva · 2025-08-16T07:25:26Z

I've dropped SLH-DSA from this PR because testing its higher level of security variants was intermittenly grinding CI to a halt. I might reintroduce it separately. For now i'm just looking to add ML-KEM to be able to introduce key encapsulation in a follow up PR.

nodejs-github-bot · 2025-08-16T07:26:03Z

CI: https://ci.nodejs.org/job/node-test-pull-request/68666/

panva requested review from jasnell and tniessen August 13, 2025 16:00

nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Aug 13, 2025

panva force-pushed the ml-kem-slh-dsa branch from ddc61d7 to 54b2ab7 Compare August 13, 2025 16:07

tniessen approved these changes Aug 14, 2025

View reviewed changes

deps/ncrypto/ncrypto.cc Outdated Show resolved Hide resolved