Skip to content

crypto: add signDigest/verifyDigest and Ed25519ctx support#62345

Open
panva wants to merge 8 commits intonodejs:mainfrom
panva:sig-prehash
Open

crypto: add signDigest/verifyDigest and Ed25519ctx support#62345
panva wants to merge 8 commits intonodejs:mainfrom
panva:sig-prehash

Conversation

@panva
Copy link
Member

@panva panva commented Mar 19, 2026
edited
Loading

notable-change PRs with changes that should be highlighted in changelogs. 👇

Adds crypto.signDigest() and crypto.verifyDigest(), one-shot functions that sign/verify a pre-computed hash digest directly, without hashing internally.

const digest = crypto.createHash('sha256').update(data).digest();

const sig = crypto.signDigest('sha256', digest, privateKey);
const ok = crypto.verifyDigest('sha256', digest, publicKey, sig);

Supports RSA (PKCS#1 v1.5, PSS), ECDSA, DSA, Ed25519, Ed448, and ML-DSA (external mu).

Also adds Ed25519 context string support to crypto.sign(), crypto.verify() as well as the new methods.

Resolves: #60263

Pre-hash variants of Ed25519 and Ed448 as well Ed25519 context is defined in RFC8032

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 19, 2026

Review requested:

  • @nodejs/crypto
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 19, 2026
@panva panva added crypto Issues and PRs related to the crypto subsystem. semver-minor PRs that contain new features and should be released in the next minor version. labels Mar 19, 2026
This was referenced Mar 19, 2026
Open
Closed
@panva panva marked this pull request as ready for review March 19, 2026 22:04
@panva panva added the notable-change PRs with changes that should be highlighted in changelogs. label Mar 19, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Mar 19, 2026

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @panva.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

@codecov
Copy link

codecov bot commented Mar 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 84.24242% with 26 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.70%. Comparing base (b328bf7) to head (8427faf).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_sig.cc 78.15% 16 Missing and 10 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62345      +/-   ##
==========================================
+ Coverage   89.68%   89.70%   +0.01%     
==========================================
  Files         676      676              
  Lines      206689   206807     +118     
  Branches    39579    39611      +32     
==========================================
+ Hits       185370   185507     +137     
- Misses      13450    13457       +7     
+ Partials     7869     7843      -26
Files with missing lines Coverage Δ
lib/crypto.js 93.04% <100.00%> (+0.07%) ⬆️
lib/internal/crypto/sig.js 98.03% <100.00%> (+2.30%) ⬆️
src/crypto/crypto_sig.h 63.63% <ø> (ø)
src/crypto/crypto_sig.cc 72.63% <78.15%> (+2.29%) ⬆️

... and 44 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

ChALkeR
ChALkeR reviewed Mar 20, 2026
View reviewed changes
ChALkeR
ChALkeR reviewed Mar 20, 2026
View reviewed changes
@ChALkeR
Copy link
Member

ChALkeR commented Mar 20, 2026

Not entirely certain how this works, will test

@panva
Copy link
Member Author

panva commented Mar 20, 2026
edited
Loading

Not entirely certain how this works, will test

regular

crypto.sign('sha256', data, key) uses OpenSSL's EVP_DigestSign API, it hashes the input internally, then signs the resulting digest. One call does both steps.

prehashed

crypto.signDigest('sha256', digest, key) uses the lower-level EVP_PKEY_sign API, it receives an already-computed digest and goes straight for the signature. No hashing happens inside OpenSSL.

Even though the digest is already computed, OpenSSL needs to know which digest was used:

  • RSA PKCS#1 v1.5, The signed payload isn't just the hash. It's DigestInfo || hash, where DigestInfo is an ASN.1 prefix encoding the digest algorithm OID. Without the algorithm, OpenSSL can't construct DigestInfo, and verifiers wouldn't know what they're looking at.

  • RSA-PSS, digest algorithm feeds into both the MGF1 mask generation and the internal padding hash. OpenSSL needs it to build the PSS padding structure correctly.

  • ECDSA / DSA, digest bytes are interpreted as a big integer (truncated to the curve order bit-length for ECDSA). EVP_PKEY_CTX_set_signature_md is still required by OpenSSL for consistency, even though the actual ECDSA/DSA math only operates on the raw digest bytes. This is also why signing a SHA-512 digest with P-256 (32-byte order) works fine, the integer just gets truncated.

Other key type dependant cases:

  • Ed25519ph / Ed448ph, have fixed prehash requirements (SHA-512 for Ed25519ph, SHAKE256(m, 64) for Ed448ph)

  • ML-DSA, has a fixed prehash construction, external mu per FIPS 204

  • SLH-DSA (Pure SLH-DSA), not supported

  • HashSLH-DSA, not supported

addaleax
addaleax approved these changes Mar 20, 2026
View reviewed changes
src/crypto/crypto_sig.cc
break;
#else
if (can_throw)
crypto::CheckThrow(env, SignBase::Error::PrehashUnsupported);
Copy link
Member

@addaleax addaleax Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This conflicts with #62348, right?

Copy link
Member Author

@panva panva Mar 20, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it is what lead me to open #62348. To be dealt with depending in whichever is to land second.

@panva panva added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChALkeR ChALkeR ChALkeR left review comments

@addaleax addaleax addaleax approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. crypto Issues and PRs related to the crypto subsystem. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. notable-change PRs with changes that should be highlighted in changelogs. request-ci Add this label to start a Jenkins CI on a PR. semver-minor PRs that contain new features and should be released in the next minor version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Crypto cant sign/verify prehashed inputs

4 participants

@panva @nodejs-github-bot @ChALkeR @addaleax