crypto: support Ed448 and ML-DSA context parameter in Web Cryptography

Author: panva

deps/ncrypto/ncrypto.cc

@@ -4243,6 +4243,56 @@ std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInit(
   return ctx;
 }
 
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::signInitWithContext(
+    const EVPKeyPointer& key,
+    const Digest& digest,
+    const Buffer<const unsigned char>& context_string) {
+#ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
+  EVP_PKEY_CTX* ctx = nullptr;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_octet_string(
+          OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+          const_cast<unsigned char*>(context_string.data),
+          context_string.len),
+      OSSL_PARAM_END};
+
+  const char* digest_name = digest ? EVP_MD_get0_name(digest) : nullptr;
+  if (!EVP_DigestSignInit_ex(
+          ctx_.get(), &ctx, digest_name, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInitWithContext(
+    const EVPKeyPointer& key,
+    const Digest& digest,
+    const Buffer<const unsigned char>& context_string) {
+#ifdef OSSL_SIGNATURE_PARAM_CONTEXT_STRING
+  EVP_PKEY_CTX* ctx = nullptr;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_octet_string(
+          OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
+          const_cast<unsigned char*>(context_string.data),
+          context_string.len),
+      OSSL_PARAM_END};
+
+  const char* digest_name = digest ? EVP_MD_get0_name(digest) : nullptr;
+  if (!EVP_DigestVerifyInit_ex(
+          ctx_.get(), &ctx, digest_name, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
 DataPointer EVPMDCtxPointer::signOneShot(
     const Buffer<const unsigned char>& buf) const {
   if (!ctx_) return {};

deps/ncrypto/ncrypto.h

@@ -1403,6 +1403,15 @@ class EVPMDCtxPointer final {
   std::optional<EVP_PKEY_CTX*> verifyInit(const EVPKeyPointer& key,
                                           const Digest& digest);
 
+  std::optional<EVP_PKEY_CTX*> signInitWithContext(
+      const EVPKeyPointer& key,
+      const Digest& digest,
+      const Buffer<const unsigned char>& context_string);
+  std::optional<EVP_PKEY_CTX*> verifyInitWithContext(
+      const EVPKeyPointer& key,
+      const Digest& digest,
+      const Buffer<const unsigned char>& context_string);
+
   DataPointer signOneShot(const Buffer<const unsigned char>& buf) const;
   DataPointer sign(const Buffer<const unsigned char>& buf) const;
   bool verify(const Buffer<const unsigned char>& buf,

doc/api/webcrypto.md

@@ -1098,7 +1098,7 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params|ContextParams}
+* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|ContextParams}
 * `key` {CryptoKey}
 * `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
@@ -1204,7 +1204,7 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params|ContextParams}
+* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|ContextParams}
 * `key` {CryptoKey}
 * `signature` {ArrayBuffer|TypedArray|DataView|Buffer}
 * `data` {ArrayBuffer|TypedArray|DataView|Buffer}
@@ -1482,20 +1482,23 @@ added: REPLACEME
 added: REPLACEME
 -->
 
-* Type: {string} Must be `'ML-DSA-44'`[^modern-algos], `'ML-DSA-65'`[^modern-algos], or `'ML-DSA-87'`[^modern-algos].
+* Type: {string} Must be `Ed448`[^secure-curves], `'ML-DSA-44'`[^modern-algos],
+  `'ML-DSA-65'`[^modern-algos], or `'ML-DSA-87'`[^modern-algos].
 
 #### `contextParams.context`
 
 <!-- YAML
 added: REPLACEME
+changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/00000
+    description: Non-empty context is now supported.
 -->
 
 * Type: {ArrayBuffer|TypedArray|DataView|Buffer|undefined}
 
 The `context` member represents the optional context data to associate with
 the message.
-The Node.js Web Crypto API implementation only supports zero-length context
-which is equivalent to not providing context at all.
 
 ### Class: `CShakeParams`
 
@@ -1676,37 +1679,6 @@ added: v15.0.0
 
 * Type: {string} Must be one of `'P-256'`, `'P-384'`, `'P-521'`.
 
-### Class: `Ed448Params`
-
-<!-- YAML
-added: v15.0.0
--->
-
-#### `ed448Params.name`
-
-<!-- YAML
-added:
-  - v18.4.0
-  - v16.17.0
--->
-
-* Type: {string} Must be `'Ed448'`[^secure-curves].
-
-#### `ed448Params.context`
-
-<!-- YAML
-added:
-  - v18.4.0
-  - v16.17.0
--->
-
-* Type: {ArrayBuffer|TypedArray|DataView|Buffer|undefined}
-
-The `context` member represents the optional context data to associate with
-the message.
-The Node.js Web Crypto API implementation only supports zero-length context
-which is equivalent to not providing context at all.
-
 ### Class: `HkdfParams`
 
 <!-- YAML

lib/internal/crypto/cfrg.js

@@ -359,6 +359,7 @@ function eddsaSignVerify(key, data, algorithm, signature) {
     undefined,
     undefined,
     undefined,
+    algorithm.name === 'Ed448' ? algorithm.context : undefined,
     signature));
 }
 

lib/internal/crypto/ec.js

@@ -302,6 +302,7 @@ function ecdsaSignVerify(key, data, { name, hash }, signature) {
     undefined,  // Salt length, not used with ECDSA
     undefined,  // PSS Padding, not used with ECDSA
     kSigEncP1363,
+    undefined,
     signature));
 }
 

lib/internal/crypto/ml_dsa.js

@@ -309,6 +309,7 @@ function mlDsaSignVerify(key, data, algorithm, signature) {
     undefined,
     undefined,
     undefined,
+    algorithm.context,
     signature));
 }
 

lib/internal/crypto/rsa.js

@@ -355,6 +355,7 @@ function rsaSignVerify(key, data, { saltLength }, signature) {
       saltLength,
       key[kAlgorithm].name === 'RSA-PSS' ? RSA_PKCS1_PSS_PADDING : undefined,
       undefined,
+      undefined,
       signature);
   });
 }

lib/internal/crypto/sig.js

@@ -171,7 +171,9 @@ function signOneShot(algorithm, data, key, callback) {
     algorithm,
     pssSaltLength,
     rsaPadding,
-    dsaSigEnc);
+    dsaSigEnc,
+    undefined,
+    undefined);
 
   if (!callback) {
     const { 0: err, 1: signature } = job.run();
@@ -276,6 +278,7 @@ function verifyOneShot(algorithm, data, key, signature, callback) {
     pssSaltLength,
     rsaPadding,
     dsaSigEnc,
+    undefined,
     signature);
 
   if (!callback) {

lib/internal/crypto/util.js

@@ -239,8 +239,8 @@ const kAlgorithmDefinitions = {
     'generateKey': null,
     'exportKey': null,
     'importKey': null,
-    'sign': 'Ed448Params',
-    'verify': 'Ed448Params',
+    'sign': 'ContextParams',
+    'verify': 'ContextParams',
   },
   'HKDF': {
     'importKey': null,
@@ -410,7 +410,6 @@ const simpleAlgorithmDictionaries = {
     salt: 'BufferSource',
     info: 'BufferSource',
   },
-  Ed448Params: { context: 'BufferSource' },
   ContextParams: { context: 'BufferSource' },
   Pbkdf2Params: { hash: 'HashAlgorithmIdentifier', salt: 'BufferSource' },
   RsaOaepParams: { label: 'BufferSource' },

lib/internal/crypto/webidl.js

@@ -775,18 +775,21 @@ converters.EcdhKeyDeriveParams = createDictionaryConverter(
     },
   ]);
 
-for (const name of ['Ed448Params', 'ContextParams']) {
-  converters[name] = createDictionaryConverter(
-    name, [
-      ...new SafeArrayIterator(dictAlgorithm),
-      {
-        key: 'context',
-        converter: converters.BufferSource,
-        validator: validateZeroLength(`${name}.context`),
-      },
-    ]);
+function isOpenSSL32() {
+  const { 0: major, 1: minor } = process.versions.openssl.split('.').map(i => parseInt(i, 10))
+  return major > 3 || (major === 3 && minor >= 2);
 }
 
+converters.ContextParams = createDictionaryConverter(
+  'ContextParams', [
+    ...new SafeArrayIterator(dictAlgorithm),
+    {
+      key: 'context',
+      converter: converters.BufferSource,
+      validator: isOpenSSL32() ? undefined : validateZeroLength('ContextParams.context'),
+    },
+  ]);
+
 module.exports = {
   converters,
   requiredArguments,