react-native-quick-crypto 1.0.0-beta.9 → 1.0.1

package/cpp/keys/HybridKeyObjectHandle.hpp

@@ -0,0 +1,51 @@
+#pragma once
+
+#include <memory>
+#include <optional>
+#include <string>
+
+#include "HybridKeyObjectHandleSpec.hpp"
+#include "JWK.hpp"
+#include "KeyDetail.hpp"
+#include "KeyObjectData.hpp"
+#include "KeyType.hpp"
+#include "NamedCurve.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridKeyObjectHandle : public HybridKeyObjectHandleSpec {
+ public:
+  HybridKeyObjectHandle() : HybridObject(TAG) {}
+
+ public:
+  std::shared_ptr<ArrayBuffer> exportKey(std::optional<KFormatType> format, std::optional<KeyEncoding> type,
+                                         const std::optional<std::string>& cipher,
+                                         const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  JWK exportJwk(const JWK& key, bool handleRsaPss) override;
+
+  AsymmetricKeyType getAsymmetricKeyType() override;
+
+  bool init(KeyType keyType, const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& key, std::optional<KFormatType> format,
+            std::optional<KeyEncoding> type, const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  bool initECRaw(const std::string& namedCurve, const std::shared_ptr<ArrayBuffer>& keyData) override;
+
+  std::optional<KeyType> initJwk(const JWK& keyData, std::optional<NamedCurve> namedCurve) override;
+
+  KeyDetail keyDetail() override;
+
+  KeyObjectData& getKeyObjectData() {
+    return data_;
+  }
+  const KeyObjectData& getKeyObjectData() const {
+    return data_;
+  }
+
+ private:
+  KeyObjectData data_;
+
+  bool initRawKey(KeyType keyType, std::shared_ptr<ArrayBuffer> keyData);
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/keys/KeyObjectData.cpp

@@ -0,0 +1,268 @@
+#include "KeyObjectData.hpp"
+#include "Utils.hpp"
+#include <cstdio>
+#include <optional>
+
+namespace margelo::nitro::crypto {
+
+ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig GetPrivateKeyEncodingConfig(KFormatType format, KeyEncoding type) {
+  auto pk_format = static_cast<ncrypto::EVPKeyPointer::PKFormatType>(format);
+  auto pk_type = static_cast<ncrypto::EVPKeyPointer::PKEncodingType>(type);
+
+  auto config = ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig(false, pk_format, pk_type);
+  return config;
+}
+
+ncrypto::EVPKeyPointer::PublicKeyEncodingConfig GetPublicKeyEncodingConfig(KFormatType format, KeyEncoding type) {
+  auto pk_format = static_cast<ncrypto::EVPKeyPointer::PKFormatType>(format);
+  auto pk_type = static_cast<ncrypto::EVPKeyPointer::PKEncodingType>(type);
+
+  auto config = ncrypto::EVPKeyPointer::PublicKeyEncodingConfig(false, pk_format, pk_type);
+  return config;
+}
+
+KeyObjectData TryParsePrivateKey(std::shared_ptr<ArrayBuffer> key, std::optional<KFormatType> format, std::optional<KeyEncoding> type,
+                                 const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
+  // For PEM format, use PKCS8 as default encoding
+  KeyEncoding actualType = type.value_or(KeyEncoding::PKCS8);
+  auto config = GetPrivateKeyEncodingConfig(format.value(), actualType);
+
+  if (passphrase.has_value()) {
+    auto& passphrase_ptr = passphrase.value();
+    config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+  }
+
+  auto buffer = ncrypto::Buffer<const unsigned char>{key->data(), key->size()};
+
+  // Clear any existing OpenSSL errors before parsing
+  ERR_clear_error();
+
+  auto res = ncrypto::EVPKeyPointer::TryParsePrivateKey(config, buffer);
+  if (res) {
+    return KeyObjectData::CreateAsymmetric(KeyType::PRIVATE, std::move(res.value));
+  }
+
+  if (res.error.has_value() && res.error.value() == ncrypto::EVPKeyPointer::PKParseError::NEED_PASSPHRASE) {
+    throw std::runtime_error("Passphrase required for encrypted key");
+  } else {
+    // Get OpenSSL error details
+    unsigned long err = ERR_get_error();
+    char err_buf[256];
+    ERR_error_string_n(err, err_buf, sizeof(err_buf));
+    throw std::runtime_error("Failed to read private key: " + std::string(err_buf));
+  }
+}
+
+KeyObjectData::KeyObjectData(std::nullptr_t) : key_type_(KeyType::SECRET) {}
+
+KeyObjectData::KeyObjectData(std::shared_ptr<ArrayBuffer> symmetric_key)
+    : key_type_(KeyType::SECRET), data_(std::make_shared<Data>(std::move(symmetric_key))) {}
+
+KeyObjectData::KeyObjectData(KeyType type, ncrypto::EVPKeyPointer&& pkey)
+    : key_type_(type), data_(std::make_shared<Data>(std::move(pkey))) {}
+
+KeyObjectData KeyObjectData::CreateSecret(std::shared_ptr<ArrayBuffer> key) {
+  return KeyObjectData(std::move(key));
+}
+
+KeyObjectData KeyObjectData::CreateAsymmetric(KeyType key_type, ncrypto::EVPKeyPointer&& pkey) {
+  CHECK(pkey);
+  return KeyObjectData(key_type, std::move(pkey));
+}
+
+KeyType KeyObjectData::GetKeyType() const {
+  if (!data_) {
+    throw std::runtime_error("Invalid key object: no key data available");
+  }
+  return key_type_;
+}
+
+const ncrypto::EVPKeyPointer& KeyObjectData::GetAsymmetricKey() const {
+  if (key_type_ == KeyType::SECRET) {
+    throw std::runtime_error("Cannot get asymmetric key from secret key object");
+  }
+  if (!data_) {
+    throw std::runtime_error("Invalid key object: no key data available");
+  }
+  return data_->asymmetric_key;
+}
+
+std::shared_ptr<ArrayBuffer> KeyObjectData::GetSymmetricKey() const {
+  if (key_type_ != KeyType::SECRET) {
+    throw std::runtime_error("Cannot get symmetric key from asymmetric key object");
+  }
+  if (!data_) {
+    throw std::runtime_error("Invalid key object: no key data available");
+  }
+  return data_->symmetric_key;
+}
+
+size_t KeyObjectData::GetSymmetricKeySize() const {
+  if (key_type_ != KeyType::SECRET) {
+    throw std::runtime_error("Cannot get symmetric key size from asymmetric key object");
+  }
+  if (!data_) {
+    throw std::runtime_error("Invalid key object: no key data available");
+  }
+  return data_->symmetric_key->size();
+}
+
+KeyObjectData KeyObjectData::GetPublicOrPrivateKey(std::shared_ptr<ArrayBuffer> key, std::optional<KFormatType> format,
+                                                   std::optional<KeyEncoding> type,
+                                                   const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
+  if (key->size() > static_cast<size_t>(std::numeric_limits<int32_t>::max())) {
+    throw std::runtime_error("key is too big");
+  }
+
+  KFormatType actualFormat = format.value_or(KFormatType::DER);
+
+  if (actualFormat == KFormatType::PEM || actualFormat == KFormatType::DER) {
+    auto buffer = ncrypto::Buffer<const unsigned char>{key->data(), key->size()};
+
+    if (actualFormat == KFormatType::PEM) {
+      if (type.has_value() && type.value() == KeyEncoding::SPKI) {
+        auto res = ncrypto::EVPKeyPointer::TryParsePublicKeyPEM(buffer);
+        if (res) {
+          return CreateAsymmetric(KeyType::PUBLIC, std::move(res.value));
+        }
+        throw std::runtime_error("Failed to read PEM public key: key is not in SPKI format");
+      }
+
+      if (type.has_value() &&
+          (type.value() == KeyEncoding::PKCS8 || type.value() == KeyEncoding::SEC1 || type.value() == KeyEncoding::PKCS1)) {
+        auto config = GetPrivateKeyEncodingConfig(actualFormat, type.value());
+        if (passphrase.has_value()) {
+          auto& passphrase_ptr = passphrase.value();
+          config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+        }
+        ERR_clear_error();
+        auto private_res = ncrypto::EVPKeyPointer::TryParsePrivateKey(config, buffer);
+        if (private_res) {
+          return CreateAsymmetric(KeyType::PRIVATE, std::move(private_res.value));
+        }
+        unsigned long err = ERR_get_error();
+        char err_buf[256];
+        ERR_error_string_n(err, err_buf, sizeof(err_buf));
+        throw std::runtime_error("Failed to read PEM private key: " + std::string(err_buf));
+      }
+
+      auto res = ncrypto::EVPKeyPointer::TryParsePublicKeyPEM(buffer);
+      if (res) {
+        return CreateAsymmetric(KeyType::PUBLIC, std::move(res.value));
+      }
+
+      KeyEncoding actualType = KeyEncoding::PKCS8;
+      auto config = GetPrivateKeyEncodingConfig(actualFormat, actualType);
+      if (passphrase.has_value()) {
+        auto& passphrase_ptr = passphrase.value();
+        config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+      }
+
+      ERR_clear_error();
+
+      auto private_res = ncrypto::EVPKeyPointer::TryParsePrivateKey(config, buffer);
+      if (private_res) {
+        return CreateAsymmetric(KeyType::PRIVATE, std::move(private_res.value));
+      }
+
+      unsigned long err = ERR_get_error();
+      char err_buf[256];
+      ERR_error_string_n(err, err_buf, sizeof(err_buf));
+      throw std::runtime_error("Failed to read PEM asymmetric key: " + std::string(err_buf));
+    } else if (actualFormat == KFormatType::DER) {
+      // For DER, try parsing as public key first
+      if (type.has_value() && type.value() == KeyEncoding::SPKI) {
+        auto public_config = GetPublicKeyEncodingConfig(actualFormat, type.value());
+        auto res = ncrypto::EVPKeyPointer::TryParsePublicKey(public_config, buffer);
+        if (res) {
+          return CreateAsymmetric(KeyType::PUBLIC, std::move(res.value));
+        }
+      } else if (type.has_value() && type.value() == KeyEncoding::PKCS8) {
+        auto private_config = GetPrivateKeyEncodingConfig(actualFormat, type.value());
+        if (passphrase.has_value()) {
+          auto& passphrase_ptr = passphrase.value();
+          private_config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+        }
+        auto res = ncrypto::EVPKeyPointer::TryParsePrivateKey(private_config, buffer);
+        if (res) {
+          return CreateAsymmetric(KeyType::PRIVATE, std::move(res.value));
+        }
+      } else {
+        // If no encoding type specified, try both SPKI and PKCS8
+        auto public_config = GetPublicKeyEncodingConfig(actualFormat, KeyEncoding::SPKI);
+        auto public_res = ncrypto::EVPKeyPointer::TryParsePublicKey(public_config, buffer);
+        if (public_res) {
+          return CreateAsymmetric(KeyType::PUBLIC, std::move(public_res.value));
+        }
+
+        auto private_config = GetPrivateKeyEncodingConfig(actualFormat, KeyEncoding::PKCS8);
+        auto private_res = ncrypto::EVPKeyPointer::TryParsePrivateKey(private_config, buffer);
+        if (private_res) {
+          return CreateAsymmetric(KeyType::PRIVATE, std::move(private_res.value));
+        }
+      }
+      throw std::runtime_error("Failed to read DER asymmetric key");
+    }
+  }
+
+  throw std::runtime_error("Unsupported key format for GetPublicOrPrivateKey. Only PEM and DER are supported.");
+}
+
+KeyObjectData KeyObjectData::GetPrivateKey(std::shared_ptr<ArrayBuffer> key, std::optional<KFormatType> format,
+                                           std::optional<KeyEncoding> type, const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase,
+                                           bool /* isPublic */) {
+  // Check if key size fits in int32_t without using double conversion
+  if (key->size() > static_cast<size_t>(std::numeric_limits<int32_t>::max())) {
+    std::string error_msg = "key is too big (int32): size=" + std::to_string(key->size()) +
+                            ", max_int32=" + std::to_string(std::numeric_limits<int32_t>::max());
+    throw std::runtime_error(error_msg);
+  }
+
+  // If no format is specified, assume DER format for binary data
+  KFormatType actualFormat = format.has_value() ? format.value() : KFormatType::DER;
+
+  if (actualFormat == KFormatType::PEM || actualFormat == KFormatType::DER) {
+    auto buffer = ncrypto::Buffer<const unsigned char>{key->data(), key->size()};
+
+    if (actualFormat == KFormatType::PEM) {
+      return TryParsePrivateKey(key, format, type, passphrase);
+    } else if (actualFormat == KFormatType::DER) {
+      // Try the specified encoding first, or PKCS8 as default
+      KeyEncoding primaryEncoding = type.value_or(KeyEncoding::PKCS8);
+      auto private_config = GetPrivateKeyEncodingConfig(actualFormat, primaryEncoding);
+      if (passphrase.has_value()) {
+        auto& passphrase_ptr = passphrase.value();
+        private_config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+      }
+
+      // Clear any existing OpenSSL errors before parsing
+      ERR_clear_error();
+
+      auto res = ncrypto::EVPKeyPointer::TryParsePrivateKey(private_config, buffer);
+      if (res) {
+        return CreateAsymmetric(KeyType::PRIVATE, std::move(res.value));
+      }
+
+      // If no specific encoding was provided, try other encodings as fallback
+      if (!type.has_value()) {
+        std::vector<KeyEncoding> fallbackEncodings = {KeyEncoding::SEC1, KeyEncoding::PKCS1};
+        for (auto encoding : fallbackEncodings) {
+          auto config = GetPrivateKeyEncodingConfig(actualFormat, encoding);
+          if (passphrase.has_value()) {
+            auto& passphrase_ptr = passphrase.value();
+            config.passphrase = std::make_optional(ncrypto::DataPointer(passphrase_ptr->data(), passphrase_ptr->size()));
+          }
+          auto fallback_res = ncrypto::EVPKeyPointer::TryParsePrivateKey(config, buffer);
+          if (fallback_res) {
+            return CreateAsymmetric(KeyType::PRIVATE, std::move(fallback_res.value));
+          }
+        }
+      }
+      throw std::runtime_error("Failed to read DER private key");
+    }
+  }
+
+  throw std::runtime_error("Unsupported key format for GetPrivateKey. Only PEM and DER are supported.");
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/keys/KeyObjectData.hpp

@@ -0,0 +1,71 @@
+#include <memory>
+
+#include <NitroModules/ArrayBuffer.hpp>
+
+#include "KFormatType.hpp"
+#include "KeyEncoding.hpp"
+#include "KeyType.hpp"
+#include "Utils.hpp"
+#include <ncrypto.h>
+
+namespace margelo::nitro::crypto {
+
+class KeyObjectData final {
+ public:
+  static KeyObjectData CreateSecret(std::shared_ptr<ArrayBuffer> key);
+
+  static KeyObjectData CreateAsymmetric(KeyType type, ncrypto::EVPKeyPointer&& pkey);
+
+  KeyObjectData(std::nullptr_t = nullptr);
+
+  inline operator bool() const {
+    return data_ != nullptr;
+  }
+
+  KeyType GetKeyType() const;
+
+  // These functions allow unprotected access to the raw key material and should
+  // only be used to implement cryptographic operations requiring the key.
+  const ncrypto::EVPKeyPointer& GetAsymmetricKey() const;
+  std::shared_ptr<ArrayBuffer> GetSymmetricKey() const;
+  size_t GetSymmetricKeySize() const;
+
+  static KeyObjectData GetPublicOrPrivateKey(std::shared_ptr<ArrayBuffer> key, std::optional<KFormatType> format,
+                                             std::optional<KeyEncoding> type,
+                                             const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase);
+
+  static KeyObjectData GetPrivateKey(std::shared_ptr<ArrayBuffer> key, std::optional<KFormatType> format, std::optional<KeyEncoding> type,
+                                     const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase, bool isPublic);
+
+  inline KeyObjectData addRef() const {
+    return KeyObjectData(key_type_, data_);
+  }
+
+  inline KeyObjectData addRefWithType(KeyType type) const {
+    return KeyObjectData(type, data_);
+  }
+
+ private:
+  explicit KeyObjectData(std::shared_ptr<ArrayBuffer> symmetric_key);
+  explicit KeyObjectData(KeyType type, ncrypto::EVPKeyPointer&& pkey);
+
+  //   static KeyObjectData GetParsedKey(KeyType type,
+  //     Environment* env,
+  //     ncrypto::EVPKeyPointer&& pkey,
+  //     ParseKeyResult ret,
+  //     const char* default_msg);
+
+  KeyType key_type_;
+
+  struct Data {
+    const std::shared_ptr<ArrayBuffer> symmetric_key;
+    const ncrypto::EVPKeyPointer asymmetric_key;
+    explicit Data(std::shared_ptr<ArrayBuffer> symmetric_key) : symmetric_key(std::move(symmetric_key)) {}
+    explicit Data(ncrypto::EVPKeyPointer asymmetric_key) : asymmetric_key(std::move(asymmetric_key)) {}
+  };
+  std::shared_ptr<Data> data_;
+
+  KeyObjectData(KeyType type, std::shared_ptr<Data> data) : key_type_(type), data_(data) {}
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/keys/node.h

@@ -0,0 +1,5 @@
+#pragma once
+
+// BINARY is a deprecated alias of LATIN1.
+// BASE64URL is not currently exposed to the JavaScript side.
+enum encoding { ASCII, UTF8, BASE64, UCS2, BINARY, HEX, BUFFER, BASE64URL, LATIN1 = BINARY };

package/cpp/mldsa/HybridMlDsaKeyPair.cpp

@@ -0,0 +1,264 @@
+#include "HybridMlDsaKeyPair.hpp"
+
+#include <NitroModules/ArrayBuffer.hpp>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include "Utils.hpp"
+
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#define RNQC_HAS_ML_DSA 1
+#else
+#define RNQC_HAS_ML_DSA 0
+#endif
+
+namespace margelo::nitro::crypto {
+
+HybridMlDsaKeyPair::~HybridMlDsaKeyPair() {
+  if (pkey_ != nullptr) {
+    EVP_PKEY_free(pkey_);
+    pkey_ = nullptr;
+  }
+}
+
+int HybridMlDsaKeyPair::getEvpPkeyType() const {
+#if RNQC_HAS_ML_DSA
+  if (variant_ == "ML-DSA-44")
+    return EVP_PKEY_ML_DSA_44;
+  if (variant_ == "ML-DSA-65")
+    return EVP_PKEY_ML_DSA_65;
+  if (variant_ == "ML-DSA-87")
+    return EVP_PKEY_ML_DSA_87;
+#endif
+  return 0;
+}
+
+void HybridMlDsaKeyPair::setVariant(const std::string& variant) {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#endif
+  if (variant != "ML-DSA-44" && variant != "ML-DSA-65" && variant != "ML-DSA-87") {
+    throw std::runtime_error("Invalid ML-DSA variant: " + variant + ". Must be ML-DSA-44, ML-DSA-65, or ML-DSA-87");
+  }
+  variant_ = variant;
+}
+
+std::shared_ptr<Promise<void>> HybridMlDsaKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
+                                                                   double privateType) {
+  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType]() {
+    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
+  });
+}
+
+void HybridMlDsaKeyPair::generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType) {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+
+  if (variant_.empty()) {
+    throw std::runtime_error("ML-DSA variant not set. Call setVariant() first.");
+  }
+
+  publicFormat_ = static_cast<int>(publicFormat);
+  publicType_ = static_cast<int>(publicType);
+  privateFormat_ = static_cast<int>(privateFormat);
+  privateType_ = static_cast<int>(privateType);
+
+  if (pkey_ != nullptr) {
+    EVP_PKEY_free(pkey_);
+    pkey_ = nullptr;
+  }
+
+  EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  if (pctx == nullptr) {
+    throw std::runtime_error("Failed to create key context for " + variant_ + ": " + getOpenSSLError());
+  }
+
+  if (EVP_PKEY_keygen_init(pctx) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to initialize keygen: " + getOpenSSLError());
+  }
+
+  if (EVP_PKEY_keygen(pctx, &pkey_) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to generate ML-DSA key pair: " + getOpenSSLError());
+  }
+
+  EVP_PKEY_CTX_free(pctx);
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::getPublicKey() {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#else
+  checkKeyPair();
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for public key export");
+  }
+
+  int result;
+  if (publicFormat_ == 1) {
+    result = PEM_write_bio_PUBKEY(bio, pkey_);
+  } else {
+    result = i2d_PUBKEY_bio(bio, pkey_);
+  }
+
+  if (result != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("Failed to export public key: " + getOpenSSLError());
+  }
+
+  BUF_MEM* bptr;
+  BIO_get_mem_ptr(bio, &bptr);
+
+  uint8_t* data = new uint8_t[bptr->length];
+  memcpy(data, bptr->data, bptr->length);
+  size_t len = bptr->length;
+
+  BIO_free(bio);
+
+  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::getPrivateKey() {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#else
+  checkKeyPair();
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for private key export");
+  }
+
+  int result;
+  if (privateFormat_ == 1) {
+    result = PEM_write_bio_PrivateKey(bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr);
+  } else {
+    // Use PKCS8 format for DER export (not raw private key format)
+    result = i2d_PKCS8PrivateKey_bio(bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr);
+  }
+
+  if (result != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("Failed to export private key: " + getOpenSSLError());
+  }
+
+  BUF_MEM* bptr;
+  BIO_get_mem_ptr(bio, &bptr);
+
+  uint8_t* data = new uint8_t[bptr->length];
+  memcpy(data, bptr->data, bptr->length);
+  size_t len = bptr->length;
+
+  BIO_free(bio);
+
+  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+#endif
+}
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlDsaKeyPair::sign(const std::shared_ptr<ArrayBuffer>& message) {
+  auto nativeMessage = ToNativeArrayBuffer(message);
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([this, nativeMessage]() { return this->signSync(nativeMessage); });
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlDsaKeyPair::signSync(const std::shared_ptr<ArrayBuffer>& message) {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+  checkKeyPair();
+
+  EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
+  if (md_ctx == nullptr) {
+    throw std::runtime_error("Failed to create signing context");
+  }
+
+  EVP_PKEY_CTX* pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  if (pkey_ctx == nullptr) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Failed to create signing context for " + variant_);
+  }
+
+  if (EVP_DigestSignInit(md_ctx, &pkey_ctx, nullptr, nullptr, pkey_) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    EVP_PKEY_CTX_free(pkey_ctx);
+    throw std::runtime_error("Failed to initialize signing: " + getOpenSSLError());
+  }
+
+  size_t sig_len = 0;
+  if (EVP_DigestSign(md_ctx, nullptr, &sig_len, message->data(), message->size()) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Failed to calculate signature size: " + getOpenSSLError());
+  }
+
+  uint8_t* sig = new uint8_t[sig_len];
+
+  if (EVP_DigestSign(md_ctx, sig, &sig_len, message->data(), message->size()) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    delete[] sig;
+    throw std::runtime_error("Failed to sign message: " + getOpenSSLError());
+  }
+
+  EVP_MD_CTX_free(md_ctx);
+
+  return std::make_shared<NativeArrayBuffer>(sig, sig_len, [=]() { delete[] sig; });
+#endif
+}
+
+std::shared_ptr<Promise<bool>> HybridMlDsaKeyPair::verify(const std::shared_ptr<ArrayBuffer>& signature,
+                                                          const std::shared_ptr<ArrayBuffer>& message) {
+  auto nativeSignature = ToNativeArrayBuffer(signature);
+  auto nativeMessage = ToNativeArrayBuffer(message);
+  return Promise<bool>::async([this, nativeSignature, nativeMessage]() { return this->verifySync(nativeSignature, nativeMessage); });
+}
+
+bool HybridMlDsaKeyPair::verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message) {
+#if !RNQC_HAS_ML_DSA
+  throw std::runtime_error("ML-DSA requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+  checkKeyPair();
+
+  EVP_MD_CTX* md_ctx = EVP_MD_CTX_new();
+  if (md_ctx == nullptr) {
+    throw std::runtime_error("Failed to create verify context");
+  }
+
+  EVP_PKEY_CTX* pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  if (pkey_ctx == nullptr) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Failed to create verify context for " + variant_);
+  }
+
+  if (EVP_DigestVerifyInit(md_ctx, &pkey_ctx, nullptr, nullptr, pkey_) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    EVP_PKEY_CTX_free(pkey_ctx);
+    throw std::runtime_error("Failed to initialize verification: " + getOpenSSLError());
+  }
+
+  int result = EVP_DigestVerify(md_ctx, signature->data(), signature->size(), message->data(), message->size());
+
+  EVP_MD_CTX_free(md_ctx);
+
+  if (result < 0) {
+    throw std::runtime_error("Verification error: " + getOpenSSLError());
+  }
+
+  return result == 1;
+#endif
+}
+
+void HybridMlDsaKeyPair::checkKeyPair() {
+  if (pkey_ == nullptr) {
+    throw std::runtime_error("Key pair not initialized");
+  }
+}
+
+} // namespace margelo::nitro::crypto