Skip to content

crypto: add raw key formats support to the KeyObject APIs#62240

Open
panva wants to merge 2 commits intonodejs:mainfrom
panva:raw-formats
Open

crypto: add raw key formats support to the KeyObject APIs#62240
panva wants to merge 2 commits intonodejs:mainfrom
panva:raw-formats

Conversation

@panva
Copy link
Member

@panva panva commented Mar 13, 2026
edited
Loading

Add raw key format support (raw-public, raw-private, raw-seed) to KeyObject.prototype.export(), crypto.createPrivateKey(), and crypto.createPublicKey() for applicable asymmetric keys (EC, CFRG curves, ML-DSA, ML-KEM, and SLH-DSA). This intrinsically means it is supported as input to sign/verify as well.

This also adds a much needed docs section on the different key formats and their usage examples.

Also wire these to their existing Web Cryptography APIs counterparts and remove the unnecessary KeyExportJob. The KeyExportJob classes were removed because the export operations they performed are not computationally expensive. They're just serialization of already-available key data (SPKI, PKCS8, raw bytes). Running them as async CryptoJobs on the libuv thread pool added unnecessary overhead and complexity for operations that complete instantly.

This is not a semver-major but bits of it depend on #62178 which is. I will try to open a partial backport to 24.

Key Type vs Format matrix
Key Type 'pem' 'der' 'jwk' 'raw-public' 'raw-private' 'raw-seed'
'dh'
'dsa'
'ec'
'ed25519'
'ed448'
'ml-dsa-44'
'ml-dsa-65'
'ml-dsa-87'
'ml-kem-512'
'ml-kem-768'
'ml-kem-1024'
'rsa-pss'
'rsa'
'slh-dsa-sha2-128f'
'slh-dsa-sha2-128s'
'slh-dsa-sha2-192f'
'slh-dsa-sha2-192s'
'slh-dsa-sha2-256f'
'slh-dsa-sha2-256s'
'slh-dsa-shake-128f'
'slh-dsa-shake-128s'
'slh-dsa-shake-192f'
'slh-dsa-shake-192s'
'slh-dsa-shake-256f'
'slh-dsa-shake-256s'
'x25519'
'x448'

@panva panva added crypto Issues and PRs related to the crypto subsystem. notable-change PRs with changes that should be highlighted in changelogs. experimental Issues and PRs related to experimental features. webcrypto dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. dont-land-on-v25.x PRs that should not land on the v25.x-staging branch and should not be released in v25.x. labels Mar 13, 2026
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 13, 2026

Review requested:

  • @nodejs/crypto

@github-actions
Copy link
Contributor

github-actions bot commented Mar 13, 2026

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @panva.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 13, 2026
@panva panva mentioned this pull request Mar 13, 2026
Closed
@codecov
Copy link

codecov bot commented Mar 13, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 81.75000% with 73 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.67%. Comparing base (65b521f) to head (782342f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_keys.cc 66.90% 11 Missing and 35 partials ⚠️
lib/internal/crypto/cfrg.js 65.51% 10 Missing ⚠️
lib/internal/crypto/ec.js 85.10% 7 Missing ⚠️
lib/internal/crypto/rsa.js 68.18% 7 Missing ⚠️
lib/internal/crypto/keys.js 97.77% 3 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #62240   +/-   ##
=======================================
  Coverage   89.66%   89.67%           
=======================================
  Files         676      676           
  Lines      206500   206515   +15     
  Branches    39539    39582   +43     
=======================================
+ Hits       185168   185198   +30     
+ Misses      13463    13450   -13     
+ Partials     7869     7867    -2
Files with missing lines Coverage Δ
lib/internal/crypto/ml_dsa.js 95.06% <100.00%> (-0.12%) ⬇️
lib/internal/crypto/ml_kem.js 91.91% <100.00%> (-0.22%) ⬇️
lib/internal/crypto/webcrypto.js 96.35% <100.00%> (-0.02%) ⬇️
src/crypto/crypto_dh.cc 67.37% <ø> (+2.55%) ⬆️
src/crypto/crypto_dh.h 11.11% <ø> (+2.77%) ⬆️
src/crypto/crypto_ec.cc 67.29% <ø> (+0.62%) ⬆️
src/crypto/crypto_ec.h 12.50% <ø> (+3.40%) ⬆️
src/crypto/crypto_keys.h 60.71% <ø> (+4.11%) ⬆️
src/crypto/crypto_rsa.cc 64.45% <ø> (+1.55%) ⬆️
src/crypto/crypto_rsa.h 58.33% <ø> (+5.39%) ⬆️
... and 6 more

... and 40 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@panva panva added the semver-minor PRs that contain new features and should be released in the next minor version. label Mar 13, 2026
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 14, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/71762/

@panva
crypto: add raw key formats support to the KeyObject APIs
46ff6e0 
Add raw key format support (raw-public, raw-private, raw-seed) to
KeyObject.prototype.export(), crypto.createPrivateKey(),
and crypto.createPublicKey() for applicable asymmetric keys (EC,
CFRG curves, ML-DSA, ML-KEM, and SLH-DSA).

Also wire these to the Web Cryptography APIs and remove the unnecessary
KeyExportJob. The KeyExportJob classes were removed because the export
operations they performed are not computationally expensive. They're
just serialization of already-available key data (SPKI, PKCS8, raw
bytes). Running them as async CryptoJobs on the libuv thread pool added
unnecessary overhead and complexity for operations that complete
instantly.
@panva
Copy link
Member Author

panva commented Mar 14, 2026
edited
Loading

cc @ChALkeR @paulmillr FYI as it makes working with ECC much much easier

@paulmillr
Copy link

paulmillr commented Mar 14, 2026

Great improvement!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

crypto Issues and PRs related to the crypto subsystem. dont-land-on-v20.x PRs that should not land on the v20.x-staging branch and should not be released in v20.x. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. dont-land-on-v25.x PRs that should not land on the v25.x-staging branch and should not be released in v25.x. experimental Issues and PRs related to experimental features. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. notable-change PRs with changes that should be highlighted in changelogs. semver-minor PRs that contain new features and should be released in the next minor version. webcrypto

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@panva @nodejs-github-bot @paulmillr