deno
2a4d1ba8 - feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC (#34417)

Commit
50 days ago
feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC (#34417) ## Summary A first pass of [WICG "Modern Algorithms in the Web Cryptography API"](https://wicg.github.io/webcrypto-modern-algos/) for Deno, addressing #33245. This PR adds support for: - **ChaCha20-Poly1305** (RFC 8439) — AEAD: `generateKey`, `importKey`/`exportKey` (raw), `encrypt`, `decrypt`. Backed by `aws-lc-rs::aead::CHACHA20_POLY1305`. Key is 256-bit, nonce 12 bytes, tag 16 bytes appended. - **SHA-3 HMAC** — extends existing `HMAC` `sign`/`verify`/`generateKey` to accept `SHA3-256`, `SHA3-384`, `SHA3-512` hash algorithms. Previously rejected because `aws-lc-rs` HMAC does not expose SHA-3; this PR routes those three hashes through the `hmac` + `sha3` crates already in the workspace. - **SHAKE128**, **SHAKE256** — extendable-output digests; new dictionary `ShakeParams { length }`. - **cSHAKE128**, **cSHAKE256** (NIST SP 800-185) — XOFs with optional `functionName` and `customization` parameters. With both empty, the output matches plain SHAKE per the spec. - **TurboSHAKE128**, **TurboSHAKE256** (RFC 9861) — XOFs with optional `domainSeparation` byte in [0x01, 0x7F] (default 0x1F). New XOFs are routed through a new op `op_crypto_subtle_digest_xof` so the existing `op_crypto_subtle_digest` (for fixed-length hashes) keeps its narrow signature. ## What's left (follow-up PRs) - **ML-KEM** (FIPS 203) and the four new `SubtleCrypto` methods `encapsulateKey`, `encapsulateBits`, `decapsulateKey`, `decapsulateBits` — `aws-lc-rs::kem` already exposes ML-KEM-512/768/1024; deferring because it requires new SubtleCrypto API surface. - **ML-DSA** (FIPS 204) via `sign`/`verify` — `aws-lc-rs::unstable::signature` exposes ML-DSA-44/65/87. ## Test plan New unit tests in `tests/unit/webcrypto_test.ts`: - `chaCha20Poly1305RoundTrip` — generateKey → encrypt → decrypt round trip with AAD - `chaCha20Poly1305TamperDetected` — flipped bit in ciphertext rejected - `chaCha20Poly1305RejectsBadNonceLength` — non-12-byte nonce rejected - `chaCha20Poly1305ImportRawKey` — raw key import/export round trip - `hmacSha3SignVerify` — sign/verify under SHA3-256/384/512 - `shakeDigest` — SHAKE128 empty-input NIST vector + SHAKE256 length - `cshakeDigest` — empty customization equals SHAKE; non-empty differs - `turboShakeDigest` — output length + domain separation byte changes output All 8 new tests pass locally. Existing webcrypto tests continue to pass; the only 2 local failures (`importRsaPkcs8`, `importNonInteroperableRsaPkcs8`) pre-date this branch and are caused by the test runner being unable to escalate read permission outside the integration harness. Closes denoland/orchid#247 --------- Co-authored-by: divybot <divybot@users.noreply.github.com> Co-authored-by: Divy Srivastava <me@littledivy.com>
Author
Parents
Loading