@@ -5811,9 +5811,10 @@ additional properties can be passed:
58115811 ` crypto.constants.RSA_PSS_SALTLEN_DIGEST ` sets the salt length to the digest
58125812 size, ` crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN ` (default) sets it to the
58135813 maximum permissible value.
5814- * ` context ` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519, Ed448, ML-DSA, and SLH-DSA,
5815- this option specifies the optional context to differentiate signatures generated
5816- for different purposes with the same key.
5814+ * ` context ` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519
5815+ (using Ed25519ctx from [ RFC 8032] [ ] ), Ed448, ML-DSA, and SLH-DSA,
5816+ this option specifies the optional context to differentiate signatures
5817+ generated for different purposes with the same key.
58175818
58185819If the ` callback ` function is provided this function uses libuv's threadpool.
58195820
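Review bot: The new `context` text for the signing options names Ed25519ctx but does not say what a caller gets for an Ed25519 key when `context` is omitted or zero-length, and it gives no length limit. RFC 8032 treats pure Ed25519 and Ed25519ctx as distinct schemes and caps the context at 255 octets, so one more sentence would help: state that omitting `context` produces a pure Ed25519 signature, that supplying one selects Ed25519ctx, and how an over-long context is handled, if that is what the implementation does.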
@@ -5846,12 +5847,13 @@ The interpretation of `algorithm` and `digest` depends on the key type:
58465847 and signatures produced by [ ` crypto.sign() ` ] [ ] can be verified with
58475848 [ ` crypto.verifyDigest() ` ] [ ] .
58485849* Ed25519, Ed448: ` algorithm ` must be ` null ` or ` undefined ` . These keys
5849- use the Ed25519ph and Ed448ph prehash variants respectively. ` digest ` must
5850- be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
5851- SHAKE256 with 64-byte output for Ed448ph). The resulting signatures are
5852- not compatible with [ ` crypto.sign() ` ] [ ] or [ ` crypto.verify() ` ] [ ] because
5853- those use the non-prehash Ed25519/Ed448 variants which have different domain
5854- separation.
5850+ use the Ed25519ph and Ed448ph prehash variants from [ RFC 8032] [ ]
5851+ respectively. ` digest ` must be the output of the appropriate prehash
5852+ function (SHA-512 for Ed25519ph, SHAKE256 with 64-byte output for
5853+ Ed448ph). The resulting signatures are not compatible with
5854+ [ ` crypto.sign() ` ] [ ] or [ ` crypto.verify() ` ] [ ] because those use the
5855+ pure Ed25519/Ed448 (or Ed25519ctx with context) variants which have
5856+ different domain separation.
58555857* ML-DSA: ` algorithm ` must be ` null ` or ` undefined ` . ` digest ` must be the
58565858 64-byte external mu value per FIPS 204. The resulting signatures are
58575859 compatible with [ ` crypto.verify() ` ] [ ] when the mu value is correctly computed
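Review bot: The rewritten Ed25519/Ed448 bullet explains why prehash signatures are incompatible with `crypto.sign()` and `crypto.verify()`, but it leaves open whether the `context` option is honoured by this function. RFC 8032 defines a context input for both Ed25519ph and Ed448ph, so the bullet should say either that `context` is passed to the prehash variant or that it is not supported here. The parenthetical "(or Ed25519ctx with context)" also covers only Ed25519; a few words noting that Ed448 takes its context without a separate variant would remove the asymmetry.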
@@ -6012,9 +6014,10 @@ additional properties can be passed:
60126014 ` crypto.constants.RSA_PSS_SALTLEN_DIGEST ` sets the salt length to the digest
60136015 size, ` crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN ` (default) sets it to the
60146016 maximum permissible value.
6015- * ` context ` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519, Ed448, ML-DSA, and SLH-DSA,
6016- this option specifies the optional context to differentiate signatures generated
6017- for different purposes with the same key.
6017+ * ` context ` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519
6018+ (using Ed25519ctx from [ RFC 8032] [ ] ), Ed448, ML-DSA, and SLH-DSA,
6019+ this option specifies the optional context to differentiate signatures
6020+ generated for different purposes with the same key.
60186021
60196022The ` signature ` argument is the previously calculated signature for the ` data ` .
60206023
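Review bot: The `context` entry in the verification options repeats the signing-side wording ("to differentiate signatures generated for different purposes") and never states the verifier's obligation. For the verify function the entry should say that `context` must be byte-for-byte the value used when the signature was created, and that a signature made with a context does not verify when `context` is omitted (and the reverse), since for Ed25519 that is the difference between Ed25519ctx and pure Ed25519.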
@@ -6055,12 +6058,13 @@ The interpretation of `algorithm` and `digest` depends on the key type:
60556058 this function, and signatures produced by [ ` crypto.signDigest() ` ] [ ] can be
60566059 verified with [ ` crypto.verify() ` ] [ ] .
60576060* Ed25519, Ed448: ` algorithm ` must be ` null ` or ` undefined ` . These keys
6058- use the Ed25519ph and Ed448ph prehash variants respectively. ` digest ` must
6059- be the output of the appropriate prehash function (SHA-512 for Ed25519ph,
6060- SHAKE256 with 64-byte output for Ed448ph). The resulting signatures are
6061- not compatible with [ ` crypto.sign() ` ] [ ] or [ ` crypto.verify() ` ] [ ] because
6062- those use the non-prehash Ed25519/Ed448 variants which have different domain
6063- separation.
6061+ use the Ed25519ph and Ed448ph prehash variants from [ RFC 8032] [ ]
6062+ respectively. ` digest ` must be the output of the appropriate prehash
6063+ function (SHA-512 for Ed25519ph, SHAKE256 with 64-byte output for
6064+ Ed448ph). The resulting signatures are not compatible with
6065+ [ ` crypto.sign() ` ] [ ] or [ ` crypto.verify() ` ] [ ] because those use the
6066+ pure Ed25519/Ed448 (or Ed25519ctx with context) variants which have
6067+ different domain separation.
60646068* ML-DSA: ` algorithm ` must be ` null ` or ` undefined ` . ` digest ` must be the
60656069 64-byte external mu value per FIPS 204. Signatures produced by
60666070 [ ` crypto.sign() ` ] [ ] can be verified with this function when the mu value is
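Review bot: In the Ed25519/Ed448 bullet, "The resulting signatures are not compatible with" is carried over from the signing section, but this function verifies and produces no signatures. The neighbouring bullets in this hunk are phrased from the verifier's side ("Signatures produced by `crypto.sign()` can be verified with this function"), so this one should match, for example: signatures produced by `crypto.sign()` cannot be verified with this function, and signatures it accepts cannot be verified with `crypto.verify()`, because those use the pure or Ed25519ctx variants.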
@@ -6687,6 +6691,7 @@ See the [list of SSL OP Flags][] for details.
66876691[ RFC 4122 ] : https://www.rfc-editor.org/rfc/rfc4122.txt
66886692[ RFC 5208 ] : https://www.rfc-editor.org/rfc/rfc5208.txt
66896693[ RFC 5280 ] : https://www.rfc-editor.org/rfc/rfc5280.txt
6694+ [ RFC 8032 ] : https://www.rfc-editor.org/rfc/rfc8032.txt
66906695[ Web Crypto API documentation ] : webcrypto.md
66916696[ `BN_is_prime_ex` ] : https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
66926697[ `Buffer` ] : buffer.md