fixup! crypto: add signDigest/verifyDigest and Ed25519ctx support

panva · panva · commit 92b9654a1bbf · 2026-03-20T11:57:34.000+01:00
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
@@ -3800,6 +3800,18 @@ int EVPKeyCtxPointer::initForVerifyEx(const OSSL_PARAM params[]) {
 }
 #endif
 
+#ifdef OSSL_SIGNATURE_PARAM_MU
+int EVPKeyCtxPointer::initForSignMessage(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_sign_message_init(ctx_.get(), nullptr, params);
+}
+
+int EVPKeyCtxPointer::initForVerifyMessage(const OSSL_PARAM params[]) {
+  if (!ctx_) return 0;
+  return EVP_PKEY_verify_message_init(ctx_.get(), nullptr, params);
+}
+#endif
+
 bool EVPKeyCtxPointer::initForEncrypt() {
   if (!ctx_) return false;
   return EVP_PKEY_encrypt_init(ctx_.get()) == 1;
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -826,6 +826,10 @@ class EVPKeyCtxPointer final {
   int initForVerifyEx(const OSSL_PARAM params[]);
   int initForSignEx(const OSSL_PARAM params[]);
 #endif
+#ifdef OSSL_SIGNATURE_PARAM_MU
+  int initForSignMessage(const OSSL_PARAM params[]);
+  int initForVerifyMessage(const OSSL_PARAM params[]);
+#endif
 
   static EVPKeyCtxPointer New(const EVPKeyPointer& key);
   static EVPKeyCtxPointer NewFromID(int id);
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
@@ -5839,10 +5839,15 @@ Calculates and returns the signature for `digest` using the given private key
 and algorithm. Unlike [`crypto.sign()`][], this function does not hash the data
 internally — `digest` is expected to be a pre-computed hash digest.
 
-For RSA, ECDSA, and DSA keys, `algorithm` identifies the hash function that was
-used to create `digest`. For Ed25519 and Ed448 keys, `algorithm` must be `null`
-or `undefined`, and `digest` must be the output of the appropriate prehash
-function (SHA-512 for Ed25519ph, SHAKE256 with 64-byte output for Ed448ph).
+The interpretation of `algorithm` and `digest` depends on the key type:
+
+* RSA, ECDSA, DSA: `algorithm` identifies the hash function used to create
+  `digest`.
+* Ed25519, Ed448: `algorithm` must be `null` or `undefined`. `digest` must
+  be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
+  SHAKE256 with 64-byte output for Ed448ph).
+* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
+  64-byte external mu value per FIPS 204.
 
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPrivateKey()`][]. If it is an object, the following
@@ -5866,10 +5871,8 @@ additional properties can be passed:
   maximum permissible value.
 * `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
   this option specifies the optional context to differentiate signatures
-  generated for different purposes with the same key.
-
-This function does not support key types that require one-shot signing without
-prehash variants, such as ML-DSA and SLH-DSA.
+  generated for different purposes with the same key. Not supported for ML-DSA
+  keys because the context is already encoded into the mu value.
 
 If the `callback` function is provided this function uses libuv's threadpool.
 
@@ -6037,10 +6040,15 @@ Verifies the given signature for `digest` using the given key and algorithm.
 Unlike [`crypto.verify()`][], this function does not hash the data
 internally — `digest` is expected to be a pre-computed hash digest.
 
-For RSA, ECDSA, and DSA keys, `algorithm` identifies the hash function that was
-used to create `digest`. For Ed25519 and Ed448 keys, `algorithm` must be `null`
-or `undefined`, and `digest` must be the output of the appropriate prehash
-function (SHA-512 for Ed25519ph, SHAKE256 with 64-byte output for Ed448ph).
+The interpretation of `algorithm` and `digest` depends on the key type:
+
+* RSA, ECDSA, DSA: `algorithm` identifies the hash function used to create
+  `digest`.
+* Ed25519, Ed448: `algorithm` must be `null` or `undefined`. `digest` must
+  be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
+  SHAKE256 with 64-byte output for Ed448ph).
+* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
+  64-byte external mu value per FIPS 204.
 
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPublicKey()`][]. If it is an object, the following
@@ -6064,16 +6072,14 @@ additional properties can be passed:
   maximum permissible value.
 * `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
   this option specifies the optional context to differentiate signatures
-  generated for different purposes with the same key.
+  generated for different purposes with the same key. Not supported for ML-DSA
+  keys because the context is already encoded into the mu value.
 
 The `signature` argument is the previously calculated signature for the `digest`.
 
 Because public keys can be derived from private keys, a private key or a public
 key may be passed for `key`.
 
-This function does not support key types that require one-shot verification
-without prehash variants, such as ML-DSA and SLH-DSA.
-
 If the `callback` function is provided this function uses libuv's threadpool.
 
 ### `crypto.webcrypto`
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
@@ -713,23 +713,38 @@ bool SignTraits::DeriveBits(Environment* env,
   // Prehashed signing: the caller already hashed the data and is providing
   // the digest directly. Use the low-level EVP_PKEY_sign/EVP_PKEY_verify path.
   if (is_prehashed) {
+    bool is_eddsa = key.id() == EVP_PKEY_ED25519 || key.id() == EVP_PKEY_ED448;
+#if OPENSSL_WITH_PQC
+    bool is_mldsa = key.id() == EVP_PKEY_ML_DSA_44 ||
+                    key.id() == EVP_PKEY_ML_DSA_65 ||
+                    key.id() == EVP_PKEY_ML_DSA_87;
+#else
+    bool is_mldsa = false;
+#endif
+
     // One-shot-only algorithms that don't have prehash variants
-    // (ML-DSA, SLH-DSA) are not supported.
-    if (key.isOneShotVariant() && key.id() != EVP_PKEY_ED25519 &&
-        key.id() != EVP_PKEY_ED448) {
+    // (SLH-DSA) are not supported.
+    if (key.isOneShotVariant() && !is_eddsa && !is_mldsa) {
       if (can_throw)
         crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
       return false;
     }
 
+    // For ML-DSA, context must already be part of the externally computed
+    // mu value. Passing a context string separately is not supported.
+    if (has_context && is_mldsa) {
+      if (can_throw)
+        crypto::CheckThrow(env, SignBase::Error::ContextUnsupported);
+      return false;
+    }
+
     EVPKeyCtxPointer pkctx = key.newCtx();
     if (!pkctx) [[unlikely]] {
       if (can_throw) crypto::CheckThrow(env, SignBase::Error::Init);
       return false;
     }
 
     int init_ret;
-    bool is_eddsa = key.id() == EVP_PKEY_ED25519 || key.id() == EVP_PKEY_ED448;
 
     if (is_eddsa) {
 #ifdef OSSL_SIGNATURE_PARAM_INSTANCE
@@ -764,6 +779,31 @@ bool SignTraits::DeriveBits(Environment* env,
         crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
       return false;
 #endif  // OSSL_SIGNATURE_PARAM_INSTANCE
+    } else if (is_mldsa) {
+#ifdef OSSL_SIGNATURE_PARAM_MU
+      // For ML-DSA, use EVP_PKEY_sign_message_init with mu param.
+      // The caller provides the 64-byte mu value directly.
+      // Context string is not passed here — it's already incorporated
+      // into mu by the caller.
+      int mu_flag = 1;
+      std::vector<OSSL_PARAM> ossl_params;
+      ossl_params.push_back(
+          OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_MU, &mu_flag));
+      ossl_params.push_back(OSSL_PARAM_END);
+
+      switch (params.mode) {
+        case SignConfiguration::Mode::Sign:
+          init_ret = pkctx.initForSignMessage(ossl_params.data());
+          break;
+        case SignConfiguration::Mode::Verify:
+          init_ret = pkctx.initForVerifyMessage(ossl_params.data());
+          break;
+      }
+#else
+      if (can_throw)
+        crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
+      return false;
+#endif  // OSSL_SIGNATURE_PARAM_MU
     } else {
       // RSA, ECDSA, DSA: use standard EVP_PKEY_sign_init path.
       switch (params.mode) {
diff --git a/test/parallel/test-crypto-sign-verify-digest.js b/test/parallel/test-crypto-sign-verify-digest.js
@@ -274,6 +274,35 @@ if (hasOpenSSL(3, 2)) {
   }
 }
 
+// --- ML-DSA external mu (prehashed) ---
+if (hasOpenSSL(3, 5)) {
+  // ML-DSA signDigest/verifyDigest treats input as external mu.
+  // mu is the 64-byte SHAKE-256(tr || M') value that the caller computes.
+  const variants = [
+    { alg: 'ml_dsa_44' },
+    { alg: 'ml_dsa_65' },
+    { alg: 'ml_dsa_87' },
+  ];
+
+  for (const { alg } of variants) {
+    const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
+    const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
+
+    const mu = crypto.randomBytes(64);
+
+    const sig = crypto.signDigest(null, mu, privKey);
+    assert(Buffer.isBuffer(sig));
+    assert(sig.length > 0);
+
+    // Verify with same mu succeeds
+    assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig), true);
+
+    // Verify with wrong mu fails
+    const wrongMu = crypto.randomBytes(64);
+    assert.strictEqual(crypto.verifyDigest(null, wrongMu, pubKey, sig), false);
+  }
+}
+
 // --- Async (callback) mode ---
 {
   const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
@@ -310,30 +339,112 @@ if (hasOpenSSL(3, 2)) {
 }
 
 if (hasOpenSSL(3, 5)) {
-  // PrehashUnsupported error is delivered via callback
+  // ML-DSA async sign+verify with external mu (64-byte pre-computed value)
   const mldsaPrivKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
+  const mldsaPubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
+  const mu = crypto.randomBytes(64);
+  crypto.signDigest(null, mu, mldsaPrivKey, common.mustSucceed((sig) => {
+    assert(sig.length > 0);
+    crypto.verifyDigest(null, mu, mldsaPubKey, sig, common.mustSucceed((ok) => {
+      assert.strictEqual(ok, true);
+    }));
+  }));
+
+  // Wrong mu length (32 bytes) is rejected asynchronously
   crypto.signDigest(null, Buffer.alloc(32), mldsaPrivKey, common.mustCall((err) => {
     assert(err);
-    // TODO(@panva): revisit how to make CryptoJob async failures retain
-    // and decorate OpenSSL errors.
-    assert.match(err.message, /Deriving bits failed/);
+    assert.match(err.message, /provider signature failure/);
   }));
 }
 
 // --- Error: unsupported key type for prehashed signing ---
 {
-  // ML-DSA keys are one-shot-only and don't support prehashed signing.
+  // ML-DSA rejects wrong mu length (must be exactly 64 bytes).
   if (hasOpenSSL(3, 5)) {
     const privKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
     const pubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
 
     assert.throws(() => {
       crypto.signDigest(null, Buffer.alloc(32), privKey);
-    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+    }, /provider signature failure/);
 
     assert.throws(() => {
-      crypto.verifyDigest(null, Buffer.alloc(32), pubKey, Buffer.alloc(64));
-    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+      crypto.signDigest(null, Buffer.alloc(128), privKey);
+    }, /provider signature failure/);
+
+    // verifyDigest returns false for wrong mu length (not a throw)
+    assert.strictEqual(
+      crypto.verifyDigest(null, Buffer.alloc(32), pubKey, Buffer.alloc(2420)),
+      false,
+    );
+
+    // Context string is not supported with signDigest/verifyDigest for ML-DSA
+    // since context must already be incorporated into the externally computed mu.
+    assert.throws(() => {
+      crypto.signDigest(null, Buffer.alloc(64), { key: privKey, context: Buffer.from('ctx') });
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
+    assert.throws(() => {
+      crypto.verifyDigest(null, Buffer.alloc(64), { key: pubKey, context: Buffer.from('ctx') },
+                          Buffer.alloc(2420));
+    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
+  }
+
+  // ML-DSA external mu cross-verification with crypto.sign/crypto.verify.
+  // Computes mu = SHAKE-256(tr || M', 64) per FIPS 204, where
+  // tr = SHAKE-256(pk, 64) and M' encodes the context.
+  if (hasOpenSSL(3, 5)) {
+    const variants = [
+      { alg: 'ml_dsa_44', sigLen: 2420 },
+      { alg: 'ml_dsa_65', sigLen: 3309 },
+      { alg: 'ml_dsa_87', sigLen: 4627 },
+    ];
+
+    for (const { alg } of variants) {
+      const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
+      const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
+
+      // Get raw public key bytes for tr computation via JWK export.
+      const pubKeyObj = crypto.createPublicKey(pubKey);
+      const pkBytes = Buffer.from(pubKeyObj.export({ format: 'jwk' }).pub, 'base64url');
+      const tr = crypto.createHash('shake256', { outputLength: 64 }).update(pkBytes).digest();
+
+      const msg = Buffer.from('ML-DSA cross-verify test message');
+
+      // Without context: M' = 0x00 || 0x00 || M
+      {
+        const mPrime = Buffer.concat([Buffer.from([0x00, 0x00]), msg]);
+        const mu = crypto.createHash('shake256', { outputLength: 64 })
+          .update(tr).update(mPrime).digest();
+
+        const sig = crypto.signDigest(null, mu, privKey);
+        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), true);
+
+        const sig2 = crypto.sign(null, msg, privKey);
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
+      }
+
+      // With context: M' = 0x00 || len(ctx) || ctx || M
+      {
+        const ctx = Buffer.from('test context string');
+        const mPrime = Buffer.concat([Buffer.from([0x00, ctx.length]), ctx, msg]);
+        const mu = crypto.createHash('shake256', { outputLength: 64 })
+          .update(tr).update(mPrime).digest();
+
+        const sig = crypto.signDigest(null, mu, privKey);
+        assert.strictEqual(
+          crypto.verify(null, msg, { key: pubKey, context: ctx }, sig), true);
+
+        const sig2 = crypto.sign(null, msg, { key: privKey, context: ctx });
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
+
+        // Mismatched context: signDigest with context mu, verify without context
+        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), false);
+
+        // Mismatched context: sign without context, verifyDigest with context mu
+        const sig3 = crypto.sign(null, msg, privKey);
+        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig3), false);
+      }
+    }
   }
 
   // Ed25519ph/Ed448ph require OpenSSL >= 3.2. On older versions, they
