feat: support ML-DSA JWS Algorithm Identifiers

panva · panva · commit 5e9e6293d97d · 2025-08-27T23:59:03.000+02:00
diff --git a/docs/interfaces/JWK.md b/docs/interfaces/JWK.md
@@ -54,6 +54,12 @@ Support from the community to continue maintaining and improving this module is
 
 ***
 
+### pub?
+
+• `readonly` `optional` **pub**: `string`
+
+***
+
 ### use?
 
 • `readonly` `optional` **use**: `string`
diff --git a/docs/type-aliases/JWSAlgorithm.md b/docs/type-aliases/JWSAlgorithm.md
@@ -6,7 +6,7 @@ Support from the community to continue maintaining and improving this module is
 
 ***
 
-• **JWSAlgorithm**: `"PS256"` \| `"ES256"` \| `"RS256"` \| `"Ed25519"` \| `"ES384"` \| `"PS384"` \| `"RS384"` \| `"ES512"` \| `"PS512"` \| `"RS512"` \| `"EdDSA"`
+• **JWSAlgorithm**: `"PS256"` \| `"ES256"` \| `"RS256"` \| `"Ed25519"` \| `"ES384"` \| `"PS384"` \| `"RS384"` \| `"ES512"` \| `"PS512"` \| `"RS512"` \| `"ML-DSA-44"` \| `"ML-DSA-65"` \| `"ML-DSA-87"` \| `"EdDSA"`
 
 JWS `alg` Algorithm identifiers from the
 [JSON Web Signature and Encryption Algorithms IANA registry](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -85,7 +85,7 @@
     "esbuild": "^0.25.8",
     "happy-dom": "^18.0.1",
     "http-cookie-agent": "^7.0.2",
-    "jose": "^6.0.12",
+    "jose": "^6.1.0",
     "oidc-provider": "^9.4.0",
     "patch-package": "^8.0.0",
     "prettier": "^3.6.2",
diff --git a/src/index.ts b/src/index.ts
@@ -112,6 +112,9 @@ export type JWSAlgorithm =
   | 'ES512'
   | 'PS512'
   | 'RS512'
+  | 'ML-DSA-44'
+  | 'ML-DSA-65'
+  | 'ML-DSA-87'
   // Deprecated
   | 'EdDSA'
 
@@ -126,6 +129,7 @@ export interface JWK {
   readonly crv?: string
   readonly x?: string
   readonly y?: string
+  readonly pub?: string
 
   readonly [parameter: string]: JsonValue | undefined
 }
@@ -1043,6 +1047,44 @@ function OPE(message: string, code?: string, cause?: unknown) {
   return new OperationProcessingError(message, { code, cause })
 }
 
+async function calculateJwkThumbprint(jwk: JWK): Promise<string> {
+  let components: JsonObject
+  switch (jwk.kty) {
+    case 'EC':
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+        y: jwk.y,
+      }
+      break
+    case 'OKP':
+      components = {
+        crv: jwk.crv,
+        kty: jwk.kty,
+        x: jwk.x,
+      }
+      break
+    case 'AKP':
+      components = {
+        alg: jwk.alg,
+        kty: jwk.kty,
+        pub: jwk.pub,
+      }
+      break
+    case 'RSA':
+      components = {
+        e: jwk.e,
+        kty: jwk.kty,
+        n: jwk.n,
+      }
+      break
+    default:
+      throw new UnsupportedOperationError('unsupported JWK key type', { cause: jwk })
+  }
+  return b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components))))
+}
+
 function assertCryptoKey(key: unknown, it: string): asserts key is CryptoKey {
   if (!(key instanceof CryptoKey)) {
     throw CodedTypeError(`${it} must be a CryptoKey`, ERR_INVALID_ARG_TYPE)
@@ -1591,7 +1633,11 @@ function keyToJws(key: CryptoKey) {
       return rsAlg(key)
     case 'ECDSA':
       return esAlg(key)
-    case 'Ed25519': // Fall through
+    case 'Ed25519':
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
+      return key.algorithm.name
     case 'EdDSA':
       return 'Ed25519'
     default:
@@ -2244,24 +2290,7 @@ class DPoPHandler implements DPoPHandle {
   async calculateThumbprint() {
     if (!this.#jkt) {
       const jwk = await crypto.subtle.exportKey('jwk', this.#publicKey)
-      let components: JsonValue
-      switch (jwk.kty) {
-        case 'EC':
-          components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }
-          break
-        case 'OKP':
-          components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }
-          break
-        case 'RSA':
-          components = { e: jwk.e, kty: jwk.kty, n: jwk.n }
-          break
-        default:
-          throw new UnsupportedOperationError('unsupported JWK', { cause: { jwk } })
-      }
-
-      this.#jkt ||= b64u(
-        await crypto.subtle.digest({ name: 'SHA-256' }, buf(JSON.stringify(components))),
-      )
+      this.#jkt ||= await calculateJwkThumbprint(jwk as JWK)
     }
 
     return this.#jkt
@@ -3047,6 +3076,9 @@ async function getPublicSigKeyFromIssuerJwksUri(
     case 'Ed':
       kty = 'OKP'
       break
+    case 'ML':
+      kty = 'AKP'
+      break
     default:
       throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } })
   }
@@ -4713,6 +4745,9 @@ function supported(alg: string) {
     case 'RS512':
     case 'Ed25519':
     case 'EdDSA':
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
       return true
     default:
       return false
@@ -4775,6 +4810,9 @@ function keyToSubtle(key: CryptoKey): AlgorithmIdentifier | RsaPssParams | Ecdsa
     case 'RSASSA-PKCS1-v1_5':
       checkRsaKeyAlgorithm(key)
       return key.algorithm.name
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
     case 'Ed25519':
       return key.algorithm.name
   }
@@ -4985,8 +5023,13 @@ export async function validateJwtAuthResponse(
   return validateAuthResponse(as, client, result, expectedState)
 }
 
+interface CShakeParams {
+  name: string
+  length: number
+}
+
 async function idTokenHash(data: string, header: CompactJWSHeaderParameters, claimName: string) {
-  let algorithm: string
+  let algorithm: string | CShakeParams
   switch (header.alg) {
     case 'RS256': // Fall through
     case 'PS256': // Fall through
@@ -5005,6 +5048,11 @@ async function idTokenHash(data: string, header: CompactJWSHeaderParameters, cla
     case 'EdDSA':
       algorithm = 'SHA-512'
       break
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
+      algorithm = { name: 'cSHAKE256', length: 512 }
+      break
     default:
       throw new UnsupportedOperationError(
         `unsupported JWS algorithm for ${claimName} calculation`,
@@ -5563,9 +5611,13 @@ function algToSubtle(alg: string): RsaHashedImportParams | EcKeyImportParams | A
       return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` }
     case 'ES512':
       return { name: 'ECDSA', namedCurve: 'P-521' }
-    case 'Ed25519':
     case 'EdDSA':
       return 'Ed25519'
+    case 'Ed25519':
+    case 'ML-DSA-44':
+    case 'ML-DSA-65':
+    case 'ML-DSA-87':
+      return alg
     default:
       throw new UnsupportedOperationError('unsupported JWS algorithm', { cause: { alg } })
   }
@@ -5970,34 +6022,7 @@ async function validateDPoP(
   }
 
   {
-    let components: JWK
-    switch (proof.header.jwk!.kty) {
-      case 'EC':
-        components = {
-          crv: proof.header.jwk!.crv,
-          kty: proof.header.jwk!.kty,
-          x: proof.header.jwk!.x,
-          y: proof.header.jwk!.y,
-        }
-        break
-      case 'OKP':
-        components = {
-          crv: proof.header.jwk!.crv,
-          kty: proof.header.jwk!.kty,
-          x: proof.header.jwk!.x,
-        }
-        break
-      case 'RSA':
-        components = {
-          e: proof.header.jwk!.e,
-          kty: proof.header.jwk!.kty,
-          n: proof.header.jwk!.n,
-        }
-        break
-      default:
-        throw new UnsupportedOperationError('unsupported JWK key type', { cause: proof.header.jwk })
-    }
-    const expected = b64u(await crypto.subtle.digest('SHA-256', buf(JSON.stringify(components))))
+    const expected = await calculateJwkThumbprint(proof.header.jwk!)
 
     if (accessTokenClaims.cnf.jkt !== expected) {
       throw OPE('JWT Access Token confirmation mismatch', JWT_CLAIM_COMPARISON, {
diff --git a/tap/env.ts b/tap/env.ts
@@ -40,3 +40,9 @@ export const isGecko = isBrowser && (await isEngine('Gecko'))
 
 export const isWorkerd =
   typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers'
+
+export function isNodeVersionAtLeast(major: number, minor: number) {
+  // @ts-ignore
+  const parts = globalThis.process.versions.node.split('.').map((i: string) => parseInt(i, 10))
+  return parts[0] >= major || (parts[0] === major && parts[1] > minor)
+}
diff --git a/tap/generate.ts b/tap/generate.ts
@@ -51,6 +51,9 @@ export default (QUnit: QUnit) => {
           case 'RS':
             t.equal(key.algorithm.name, 'RSASSA-PKCS1-v1_5')
             break
+          case 'ML':
+            t.equal(key.algorithm.name, alg)
+            break
         }
 
         if (isRSA(alg)) {
diff --git a/tap/keys.ts b/tap/keys.ts
@@ -19,6 +19,12 @@ if (!env.isDeno) {
   algs.push('ES512')
 }
 
+if (env.isNode && env.isNodeVersionAtLeast(24, 7)) {
+  algs.push('ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87')
+} else {
+  fails.push('ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87')
+}
+
 export const keys = algs.reduce(
   (acc, alg) => {
     acc[alg] = lib.generateKeyPair(alg)
diff --git a/tap/request_object.ts b/tap/request_object.ts
@@ -20,19 +20,7 @@ export default (QUnit: QUnit) => {
         ['resource', 'urn:example:resource'],
       ],
     ]) {
-      const jwt = await lib.issueRequestObject(
-        issuer,
-        client,
-        parameters,
-        { key: privateKey },
-        {
-          [lib.modifyAssertion]: (header) => {
-            if (header.alg === 'Ed25519') {
-              header.alg = 'EdDSA'
-            }
-          },
-        },
-      )
+      const jwt = await lib.issueRequestObject(issuer, client, parameters, { key: privateKey })
 
       const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey)
       t.propEqual(protectedHeader, {

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ export default (QUnit: QUnit) => {`
`51`	`51`	`case 'RS':`
`52`	`52`	`t.equal(key.algorithm.name, 'RSASSA-PKCS1-v1_5')`
`53`	`53`	`break`
	`54`	`+ case 'ML':`
	`55`	`+ t.equal(key.algorithm.name, alg)`
	`56`	`+ break`
`54`	`57`	`}`
`55`	`58`
`56`	`59`	`if (isRSA(alg)) {`