feat(ext/crypto): add ChaCha20-Poly1305, SHAKE, cSHAKE, TurboSHAKE, SHA-3 HMAC (#34417)
## Summary
A first pass of [WICG "Modern Algorithms in the Web Cryptography
API"](https://wicg.github.io/webcrypto-modern-algos/) for Deno,
addressing #33245.
This PR adds support for:
- **ChaCha20-Poly1305** (RFC 8439) — AEAD: `generateKey`,
`importKey`/`exportKey` (raw), `encrypt`, `decrypt`. Backed by
`aws-lc-rs::aead::CHACHA20_POLY1305`. Key is 256-bit, nonce 12 bytes,
tag 16 bytes appended.
- **SHA-3 HMAC** — extends existing `HMAC` `sign`/`verify`/`generateKey`
to accept `SHA3-256`, `SHA3-384`, `SHA3-512` hash algorithms. Previously
rejected because `aws-lc-rs` HMAC does not expose SHA-3; this PR routes
those three hashes through the `hmac` + `sha3` crates already in the
workspace.
- **SHAKE128**, **SHAKE256** — extendable-output digests; new dictionary
`ShakeParams { length }`.
- **cSHAKE128**, **cSHAKE256** (NIST SP 800-185) — XOFs with optional
`functionName` and `customization` parameters. With both empty, the
output matches plain SHAKE per the spec.
- **TurboSHAKE128**, **TurboSHAKE256** (RFC 9861) — XOFs with optional
`domainSeparation` byte in [0x01, 0x7F] (default 0x1F).
New XOFs are routed through a new op `op_crypto_subtle_digest_xof` so
the existing `op_crypto_subtle_digest` (for fixed-length hashes) keeps
its narrow signature.
## What's left (follow-up PRs)
- **ML-KEM** (FIPS 203) and the four new `SubtleCrypto` methods
`encapsulateKey`, `encapsulateBits`, `decapsulateKey`, `decapsulateBits`
— `aws-lc-rs::kem` already exposes ML-KEM-512/768/1024; deferring
because it requires new SubtleCrypto API surface.
- **ML-DSA** (FIPS 204) via `sign`/`verify` —
`aws-lc-rs::unstable::signature` exposes ML-DSA-44/65/87.
## Test plan
New unit tests in `tests/unit/webcrypto_test.ts`:
- `chaCha20Poly1305RoundTrip` — generateKey → encrypt → decrypt round
trip with AAD
- `chaCha20Poly1305TamperDetected` — flipped bit in ciphertext rejected
- `chaCha20Poly1305RejectsBadNonceLength` — non-12-byte nonce rejected
- `chaCha20Poly1305ImportRawKey` — raw key import/export round trip
- `hmacSha3SignVerify` — sign/verify under SHA3-256/384/512
- `shakeDigest` — SHAKE128 empty-input NIST vector + SHAKE256 length
- `cshakeDigest` — empty customization equals SHAKE; non-empty differs
- `turboShakeDigest` — output length + domain separation byte changes
output
All 8 new tests pass locally. Existing webcrypto tests continue to pass;
the only 2 local failures (`importRsaPkcs8`,
`importNonInteroperableRsaPkcs8`) pre-date this branch and are caused by
the test runner being unable to escalate read permission outside the
integration harness.
Closes denoland/orchid#247
---------
Co-authored-by: divybot <divybot@users.noreply.github.com>
Co-authored-by: Divy Srivastava <me@littledivy.com>