fixup! crypto: support deterministic ECDSA/DSA signatures

Author: panva

doc/api/crypto.md

@@ -2379,7 +2379,9 @@ object, the following additional properties can be passed:
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
   nonce generation method. It can be one of the following:
-  * `'random'` (default): Use a random nonce.
+  * `'hedged'` (default): Use a hedged nonce that combines cryptographic
+    randomness with the private key and the message, providing resilience
+    against both weak random number generators and side-channel attacks.
   * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
@@ -2515,7 +2517,9 @@ object, the following additional properties can be passed:
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
   nonce generation method used during signing. It can be one of the following:
-  * `'random'` (default): Use a random nonce.
+  * `'hedged'` (default): Use a hedged nonce that combines cryptographic
+    randomness with the private key and the message, providing resilience
+    against both weak random number generators and side-channel attacks.
   * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
@@ -5808,7 +5812,9 @@ additional properties can be passed:
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
   nonce generation method. It can be one of the following:
-  * `'random'` (default): Use a random nonce.
+  * `'hedged'` (default): Use a hedged nonce that combines cryptographic
+    randomness with the private key and the message, providing resilience
+    against both weak random number generators and side-channel attacks.
   * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
@@ -5943,7 +5949,9 @@ additional properties can be passed:
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
 * `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
   nonce generation method used during signing. It can be one of the following:
-  * `'random'` (default): Use a random nonce.
+  * `'hedged'` (default): Use a hedged nonce that combines cryptographic
+    randomness with the private key and the message, providing resilience
+    against both weak random number generators and side-channel attacks.
   * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 

lib/internal/crypto/sig.js

@@ -109,7 +109,7 @@ function getDSASignatureEncoding(options) {
 function getDSANonceType(options) {
   if (typeof options === 'object') {
     const { dsaNonceType } = options;
-    if (dsaNonceType === undefined || dsaNonceType === 'random')
+    if (dsaNonceType === undefined || dsaNonceType === 'hedged')
       return undefined;
     if (dsaNonceType === 'deterministic')
       return true;

test/parallel/test-crypto-sign-deterministic-unsupported.js

@@ -81,11 +81,11 @@ const expectedError = {
   }));
 }
 
-// dsaNonceType: 'random' should still work (explicit default).
+// dsaNonceType: 'hedged' should still work (explicit default).
 {
   const sig = crypto.sign('sha256', data, {
     key: ecPrivKey,
-    dsaNonceType: 'random',
+    dsaNonceType: 'hedged',
   });
   assert.strictEqual(
     crypto.verify('sha256', data, ecPrivKey, sig),
@@ -95,7 +95,7 @@ const expectedError = {
 
 // Invalid dsaNonceType values should still throw validation errors.
 {
-  for (const dsaNonceType of ['foo', null, {}, 5, true, NaN]) {
+  for (const dsaNonceType of ['foo', 'random', null, {}, 5, true, NaN]) {
     assert.throws(() => {
       crypto.sign('sha256', data, {
         key: ecPrivKey,

test/parallel/test-crypto-sign-deterministic.js

@@ -96,13 +96,13 @@ const data = Buffer.from('Hello world');
   );
 }
 
-// Test dsaNonceType: 'random' produces valid signatures (explicit default).
+// Test dsaNonceType: 'hedged' produces valid signatures (explicit default).
 {
   const ecPrivKey = fixtures.readKey('ec_p256_private.pem');
 
   const sig = crypto.sign('sha256', data, {
     key: ecPrivKey,
-    dsaNonceType: 'random',
+    dsaNonceType: 'hedged',
   });
   assert.strictEqual(
     crypto.verify('sha256', data, ecPrivKey, sig),
@@ -170,7 +170,7 @@ const data = Buffer.from('Hello world');
 {
   const ecPrivKey = fixtures.readKey('ec_p256_private.pem');
 
-  for (const dsaNonceType of ['foo', null, {}, 5, true, NaN]) {
+  for (const dsaNonceType of ['foo', 'random', null, {}, 5, true, NaN]) {
     assert.throws(() => {
       crypto.sign('sha256', data, {
         key: ecPrivKey,
@@ -186,7 +186,7 @@ const data = Buffer.from('Hello world');
 {
   const ecPrivKey = fixtures.readKey('ec_p256_private.pem');
 
-  for (const dsaNonceType of ['foo', null, {}, 5, true, NaN]) {
+  for (const dsaNonceType of ['foo', 'random', null, {}, 5, true, NaN]) {
     assert.throws(() => {
       crypto.createSign('sha256').update(data).sign({
         key: ecPrivKey,