crypto: unify asymmetric key import through KeyObjectHandle::Init by panva · Pull Request #62499 · nodejs/node

panva · 2026-03-29T19:44:59Z

Consolidate all asymmetric key import paths (DER/PEM, JWK, raw) into a single KeyObjectHandle::Init() entry point with a uniform signature.

Remove the per-type C++ init methods (InitECRaw, InitEDRaw, InitPqcRaw, InitJwk, InitECPrivateRaw) and their JS-side callers, replacing them with shared C++ and JS helpers.

createPublicKey, createPrivateKey, sign, verify, and other operations that accept key material now handle JWK and raw formats directly in C++, removing redundant JS-to-C++ key handle round-trips.

This also makes JWK import error for keys when their private and public components don't match, this aligns with the behaviour present in other runtimes, most notably browser webcrypto APIs. It was already present in our WebCryptoAPI for some keys but not all, this makes it all as well as node:crypto, this behaviour was useful for bypassing the inability to import "raw" private keys but that affordance is also coming with 26.x through its own recognized key format (#62455).

nodejs-github-bot · 2026-03-29T19:45:05Z

Review requested:

@nodejs/crypto
@nodejs/security-wg

codecov · 2026-03-29T22:49:35Z

Codecov Report

❌ Patch coverage is 88.16667% with 71 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.70%. Comparing base (c3042c6) to head (e862156).
⚠️ Report is 21 commits behind head on main.

Files with missing lines	Patch %	Lines
src/crypto/crypto_keys.cc	76.47%	22 Missing and 30 partials ⚠️
src/crypto/crypto_ec.cc	81.81%	3 Missing and 7 partials ⚠️
src/crypto/crypto_ml_dsa.cc	88.67%	1 Missing and 5 partials ⚠️
lib/internal/crypto/keys.js	95.83%	1 Missing ⚠️
lib/internal/crypto/webcrypto_util.js	98.92%	0 Missing and 1 partial ⚠️
src/crypto/crypto_rsa.cc	90.90%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62499      +/-   ##
==========================================
- Coverage   89.70%   89.70%   -0.01%     
==========================================
  Files         692      693       +1     
  Lines      214167   213849     -318     
  Branches    41113    40957     -156     
==========================================
- Hits       192121   191830     -291     
+ Misses      14116    14080      -36     
- Partials     7930     7939       +9

Files with missing lines	Coverage Δ
lib/internal/crypto/aes.js	`89.89% <100.00%> (+1.43%)`	⬆️
lib/internal/crypto/cfrg.js	`93.23% <100.00%> (-1.24%)`	⬇️
lib/internal/crypto/chacha20_poly1305.js	`92.05% <100.00%> (-0.72%)`	⬇️
lib/internal/crypto/cipher.js	`97.94% <100.00%> (ø)`
lib/internal/crypto/ec.js	`94.17% <100.00%> (-0.61%)`	⬇️
lib/internal/crypto/kem.js	`97.41% <100.00%> (+0.09%)`	⬆️
lib/internal/crypto/mac.js	`92.70% <100.00%> (+1.57%)`	⬆️
lib/internal/crypto/ml_dsa.js	`95.39% <100.00%> (+0.35%)`	⬆️
lib/internal/crypto/ml_kem.js	`92.45% <100.00%> (+0.56%)`	⬆️
lib/internal/crypto/rsa.js	`94.51% <100.00%> (+2.10%)`	⬆️
... and 11 more

... and 24 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Consolidate all asymmetric key import paths (DER/PEM, JWK, raw) into a single KeyObjectHandle::Init() entry point with a uniform signature. Remove the per-type C++ init methods (InitECRaw, InitEDRaw, InitPqcRaw, InitJwk, InitECPrivateRaw) and their JS-side callers, replacing them with shared C++ and JS helpers. createPublicKey, createPrivateKey, sign, verify, and other operations that accept key material now handle JWK and raw formats directly in C++, removing redundant JS-to-C++ key handle round-trips. Signed-off-by: Filip Skokan <panva.ip@gmail.com>

lib/internal/crypto/rsa.js

lib/internal/crypto/webcrypto_util.js

src/crypto/crypto_ec.cc

lib/internal/crypto/aes.js

nodejs-github-bot · 2026-03-31T06:22:19Z

CI: https://ci.nodejs.org/job/node-test-pull-request/72332/

panva · 2026-03-31T18:44:59Z

cc @nodejs/tsc for semver-major PRs that contain breaking changes and should be released in the next major version.

nodejs-github-bot · 2026-03-31T19:57:36Z

Landed in 1ccae7c

nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Mar 29, 2026

panva marked this pull request as ready for review March 29, 2026 21:29

panva force-pushed the key-refactor branch from bdfec98 to e862156 Compare March 30, 2026 19:36

panva requested review from anonrig and jasnell March 30, 2026 19:37

anonrig reviewed Mar 30, 2026

View reviewed changes

lib/internal/crypto/rsa.js Show resolved Hide resolved

lib/internal/crypto/webcrypto_util.js Show resolved Hide resolved

src/crypto/crypto_ec.cc Show resolved Hide resolved

lib/internal/crypto/aes.js Show resolved Hide resolved

panva added request-ci Add this label to start a Jenkins CI on a PR. and removed request-ci Add this label to start a Jenkins CI on a PR. labels Mar 31, 2026

panva requested review from anonrig and tniessen March 31, 2026 14:20

anonrig approved these changes Mar 31, 2026

View reviewed changes

anonrig added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 31, 2026

jasnell approved these changes Mar 31, 2026

View reviewed changes

panva added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 31, 2026

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 31, 2026

nodejs-github-bot merged commit 1ccae7c into nodejs:main Mar 31, 2026
78 checks passed

panva deleted the key-refactor branch March 31, 2026 19:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

crypto: unify asymmetric key import through KeyObjectHandle::Init#62499

crypto: unify asymmetric key import through KeyObjectHandle::Init#62499
nodejs-github-bot merged 1 commit intonodejs:mainfrom
panva:key-refactor

panva commented Mar 29, 2026 •

edited

Loading

Uh oh!

nodejs-github-bot commented Mar 29, 2026

Uh oh!

codecov bot commented Mar 29, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 31, 2026

Uh oh!

panva commented Mar 31, 2026

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

panva commented Mar 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 29, 2026

Uh oh!

codecov bot commented Mar 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 31, 2026

Uh oh!

panva commented Mar 31, 2026

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 31, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

panva commented Mar 29, 2026 •

edited

Loading

codecov bot commented Mar 29, 2026 •

edited

Loading