fixup! crypto: add signDigest/verifyDigest and Ed25519ctx support

Author: panva

deps/ncrypto/ncrypto.cc

@@ -3800,18 +3800,6 @@ int EVPKeyCtxPointer::initForVerifyEx(const OSSL_PARAM params[]) {
 }
 #endif
 
-#ifdef OSSL_SIGNATURE_PARAM_MU
-int EVPKeyCtxPointer::initForSignMessage(const OSSL_PARAM params[]) {
-  if (!ctx_) return 0;
-  return EVP_PKEY_sign_message_init(ctx_.get(), nullptr, params);
-}
-
-int EVPKeyCtxPointer::initForVerifyMessage(const OSSL_PARAM params[]) {
-  if (!ctx_) return 0;
-  return EVP_PKEY_verify_message_init(ctx_.get(), nullptr, params);
-}
-#endif
-
 bool EVPKeyCtxPointer::initForEncrypt() {
   if (!ctx_) return false;
   return EVP_PKEY_encrypt_init(ctx_.get()) == 1;

deps/ncrypto/ncrypto.h

@@ -826,10 +826,6 @@ class EVPKeyCtxPointer final {
   int initForVerifyEx(const OSSL_PARAM params[]);
   int initForSignEx(const OSSL_PARAM params[]);
 #endif
-#ifdef OSSL_SIGNATURE_PARAM_MU
-  int initForSignMessage(const OSSL_PARAM params[]);
-  int initForVerifyMessage(const OSSL_PARAM params[]);
-#endif
 
   static EVPKeyCtxPointer New(const EVPKeyPointer& key);
   static EVPKeyCtxPointer NewFromID(int id);

doc/api/crypto.md

@@ -5860,11 +5860,6 @@ The interpretation of `algorithm` and `digest` depends on the key type:
   the prehash variants have different domain separation from the pure
   Ed25519/Ed448 (or Ed25519ctx with context) variants used by
   [`crypto.sign()`][] and [`crypto.verify()`][].
-* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
-  64-byte external mu value per FIPS 204. The resulting signatures are
-  compatible with [`crypto.verify()`][] when the mu value is correctly computed
-  from the message per FIPS 204.
-
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPrivateKey()`][]. If it is an object, the following
 additional properties can be passed:
@@ -5887,8 +5882,7 @@ additional properties can be passed:
   maximum permissible value.
 * `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
   this option specifies the optional context to differentiate signatures
-  generated for different purposes with the same key. Not supported for ML-DSA
-  keys because the context is already encoded into the mu value.
+  generated for different purposes with the same key.
 
 If the `callback` function is provided this function uses libuv's threadpool.
 
@@ -6077,11 +6071,6 @@ The interpretation of `algorithm` and `digest` depends on the key type:
   the prehash variants have different domain separation from the pure
   Ed25519/Ed448 (or Ed25519ctx with context) variants used by
   [`crypto.sign()`][] and [`crypto.verify()`][].
-* ML-DSA: `algorithm` must be `null` or `undefined`. `digest` must be the
-  64-byte external mu value per FIPS 204. Signatures produced by
-  [`crypto.sign()`][] can be verified with this function when the mu value is
-  correctly computed from the message per FIPS 204.
-
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPublicKey()`][]. If it is an object, the following
 additional properties can be passed:
@@ -6104,8 +6093,7 @@ additional properties can be passed:
   maximum permissible value.
 * `context` {ArrayBuffer|Buffer|TypedArray|DataView} For Ed25519ph and Ed448ph,
   this option specifies the optional context to differentiate signatures
-  generated for different purposes with the same key. Not supported for ML-DSA
-  keys because the context is already encoded into the mu value.
+  generated for different purposes with the same key.
 
 The `signature` argument is the previously calculated signature for the `digest`.
 

src/crypto/crypto_sig.cc

@@ -756,35 +756,6 @@ bool SignTraits::DeriveBits(Environment* env,
 #endif  // OSSL_SIGNATURE_PARAM_INSTANCE
       }
 
-#if OPENSSL_WITH_PQC
-      case EVP_PKEY_ML_DSA_44:
-      case EVP_PKEY_ML_DSA_65:
-      case EVP_PKEY_ML_DSA_87: {
-        // Context must already be part of the externally computed mu value.
-        if (has_context) {
-          if (can_throw)
-            crypto::CheckThrow(env, SignBase::Error::ContextUnsupported);
-          return false;
-        }
-
-#ifdef OSSL_SIGNATURE_PARAM_MU
-        int mu_flag = 1;
-        std::vector<OSSL_PARAM> ossl_params;
-        ossl_params.push_back(
-            OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_MU, &mu_flag));
-        ossl_params.push_back(OSSL_PARAM_END);
-
-        init_ret = is_sign ? pkctx.initForSignMessage(ossl_params.data())
-                           : pkctx.initForVerifyMessage(ossl_params.data());
-        break;
-#else
-        if (can_throw)
-          crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
-        return false;
-#endif  // OSSL_SIGNATURE_PARAM_MU
-      }
-#endif  // OPENSSL_WITH_PQC
-
       default:
         if (key.isOneShotVariant()) {
           if (can_throw)

test/parallel/test-crypto-sign-verify-digest.js

@@ -345,35 +345,6 @@ if (hasOpenSSL(3, 2)) {
   }
 }
 
-// --- ML-DSA external mu (prehashed) ---
-if (hasOpenSSL(3, 5)) {
-  // ML-DSA signDigest/verifyDigest treats input as external mu.
-  // mu is the 64-byte SHAKE-256(tr || M') value that the caller computes.
-  const variants = [
-    { alg: 'ml_dsa_44' },
-    { alg: 'ml_dsa_65' },
-    { alg: 'ml_dsa_87' },
-  ];
-
-  for (const { alg } of variants) {
-    const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
-    const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
-
-    const mu = crypto.randomBytes(64);
-
-    const sig = crypto.signDigest(null, mu, privKey);
-    assert(Buffer.isBuffer(sig));
-    assert(sig.length > 0);
-
-    // Verify with same mu succeeds
-    assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig), true);
-
-    // Verify with wrong mu fails
-    const wrongMu = crypto.randomBytes(64);
-    assert.strictEqual(crypto.verifyDigest(null, wrongMu, pubKey, sig), false);
-  }
-}
-
 // --- Async (callback) mode ---
 {
   const privKey = fixtures.readKey('rsa_private_2048.pem', 'ascii');
@@ -409,115 +380,8 @@ if (hasOpenSSL(3, 2)) {
   }));
 }
 
-if (hasOpenSSL(3, 5)) {
-  // ML-DSA async sign+verify with external mu (64-byte pre-computed value)
-  const mldsaPrivKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
-  const mldsaPubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
-  const mu = crypto.randomBytes(64);
-  crypto.signDigest(null, mu, mldsaPrivKey, common.mustSucceed((sig) => {
-    assert(sig.length > 0);
-    crypto.verifyDigest(null, mu, mldsaPubKey, sig, common.mustSucceed((ok) => {
-      assert.strictEqual(ok, true);
-    }));
-  }));
-
-  // Wrong mu length (32 bytes) is rejected asynchronously
-  crypto.signDigest(null, Buffer.alloc(32), mldsaPrivKey, common.mustCall((err) => {
-    assert(err);
-    assert.match(err.message, /provider signature failure/);
-  }));
-}
-
 // --- Error: unsupported key type for prehashed signing ---
 {
-  // ML-DSA rejects wrong mu length (must be exactly 64 bytes).
-  if (hasOpenSSL(3, 5)) {
-    const privKey = fixtures.readKey('ml_dsa_44_private.pem', 'ascii');
-    const pubKey = fixtures.readKey('ml_dsa_44_public.pem', 'ascii');
-
-    assert.throws(() => {
-      crypto.signDigest(null, Buffer.alloc(32), privKey);
-    }, /provider signature failure/);
-
-    assert.throws(() => {
-      crypto.signDigest(null, Buffer.alloc(128), privKey);
-    }, /provider signature failure/);
-
-    // verifyDigest returns false for wrong mu length (not a throw)
-    assert.strictEqual(
-      crypto.verifyDigest(null, Buffer.alloc(32), pubKey, Buffer.alloc(2420)),
-      false,
-    );
-
-    // Context string is not supported with signDigest/verifyDigest for ML-DSA
-    // since context must already be incorporated into the externally computed mu.
-    assert.throws(() => {
-      crypto.signDigest(null, Buffer.alloc(64), { key: privKey, context: Buffer.from('ctx') });
-    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
-    assert.throws(() => {
-      crypto.verifyDigest(null, Buffer.alloc(64), { key: pubKey, context: Buffer.from('ctx') },
-                          Buffer.alloc(2420));
-    }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Context parameter is unsupported/ });
-  }
-
-  // ML-DSA external mu cross-verification with crypto.sign/crypto.verify.
-  // Computes mu = SHAKE-256(tr || M', 64) per FIPS 204, where
-  // tr = SHAKE-256(pk, 64) and M' encodes the context.
-  if (hasOpenSSL(3, 5)) {
-    const variants = [
-      { alg: 'ml_dsa_44', sigLen: 2420 },
-      { alg: 'ml_dsa_65', sigLen: 3309 },
-      { alg: 'ml_dsa_87', sigLen: 4627 },
-    ];
-
-    for (const { alg } of variants) {
-      const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
-      const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
-
-      // Get raw public key bytes for tr computation via JWK export.
-      const pubKeyObj = crypto.createPublicKey(pubKey);
-      const pkBytes = Buffer.from(pubKeyObj.export({ format: 'jwk' }).pub, 'base64url');
-      const tr = crypto.createHash('shake256', { outputLength: 64 }).update(pkBytes).digest();
-
-      const msg = Buffer.from('ML-DSA cross-verify test message');
-
-      // Without context: M' = 0x00 || 0x00 || M
-      {
-        const mPrime = Buffer.concat([Buffer.from([0x00, 0x00]), msg]);
-        const mu = crypto.createHash('shake256', { outputLength: 64 })
-          .update(tr).update(mPrime).digest();
-
-        const sig = crypto.signDigest(null, mu, privKey);
-        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), true);
-
-        const sig2 = crypto.sign(null, msg, privKey);
-        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
-      }
-
-      // With context: M' = 0x00 || len(ctx) || ctx || M
-      {
-        const ctx = Buffer.from('test context string');
-        const mPrime = Buffer.concat([Buffer.from([0x00, ctx.length]), ctx, msg]);
-        const mu = crypto.createHash('shake256', { outputLength: 64 })
-          .update(tr).update(mPrime).digest();
-
-        const sig = crypto.signDigest(null, mu, privKey);
-        assert.strictEqual(
-          crypto.verify(null, msg, { key: pubKey, context: ctx }, sig), true);
-
-        const sig2 = crypto.sign(null, msg, { key: privKey, context: ctx });
-        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig2), true);
-
-        // Mismatched context: signDigest with context mu, verify without context
-        assert.strictEqual(crypto.verify(null, msg, pubKey, sig), false);
-
-        // Mismatched context: sign without context, verifyDigest with context mu
-        const sig3 = crypto.sign(null, msg, privKey);
-        assert.strictEqual(crypto.verifyDigest(null, mu, pubKey, sig3), false);
-      }
-    }
-  }
-
   // Ed25519ph/Ed448ph require OpenSSL >= 3.2. On older versions, they
   // should throw PrehashUnsupported.
   if (!hasOpenSSL(3, 2)) {
@@ -537,6 +401,22 @@ if (hasOpenSSL(3, 5)) {
   assert.throws(() => {
     crypto.signDigest(123, Buffer.alloc(32), fixtures.readKey('rsa_private_2048.pem', 'ascii'));
   }, { code: 'ERR_INVALID_ARG_TYPE' });
+
+  // ML-DSA keys are not supported with signDigest/verifyDigest.
+  if (hasOpenSSL(3, 5)) {
+    for (const alg of ['ml_dsa_44', 'ml_dsa_65', 'ml_dsa_87']) {
+      const privKey = fixtures.readKey(`${alg}_private.pem`, 'ascii');
+      const pubKey = fixtures.readKey(`${alg}_public.pem`, 'ascii');
+
+      assert.throws(() => {
+        crypto.signDigest(null, Buffer.alloc(64), privKey);
+      }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+
+      assert.throws(() => {
+        crypto.verifyDigest(null, Buffer.alloc(64), pubKey, Buffer.alloc(64));
+      }, { code: 'ERR_CRYPTO_OPERATION_FAILED', message: /Prehashed signing is not supported/ });
+    }
+  }
 }
 
 // --- Error: non-signing key types (X25519, X448) ---