react-native-quick-crypto 1.0.10 → 1.0.12

package/lib/module/subtle.js

@@ -5,27 +5,24 @@ import { Buffer as SBuffer } from 'safe-buffer';
 import { KFormatType, KeyEncoding, KeyType } from './utils';
 import { CryptoKey, KeyObject, PublicKeyObject, PrivateKeyObject, SecretKeyObject } from './keys';
 import { bufferLikeToArrayBuffer } from './utils/conversion';
+import { argon2Sync } from './argon2';
 import { lazyDOMException } from './utils/errors';
 import { normalizeHashName, HashContext } from './utils/hashnames';
 import { validateMaxBufferLength } from './utils/validation';
 import { asyncDigest } from './hash';
-import { createSecretKey } from './keys';
+import { createSecretKey, createPublicKey } from './keys';
 import { NitroModules } from 'react-native-nitro-modules';
 import { pbkdf2DeriveBits } from './pbkdf2';
 import { ecImportKey, ecdsaSignVerify, ec_generateKeyPair, ecDeriveBits } from './ec';
 import { rsa_generateKeyPair } from './rsa';
 import { getRandomValues } from './random';
 import { createHmac } from './hmac';
+import { timingSafeEqual } from './utils/timingSafeEqual';
 import { createSign, createVerify } from './keys/signVerify';
 import { ed_generateKeyPairWebCrypto, x_generateKeyPairWebCrypto, xDeriveBits, Ed } from './ed';
 import { mldsa_generateKeyPairWebCrypto } from './mldsa';
+import { mlkem_generateKeyPairWebCrypto, MlKem } from './mlkem';
 import { hkdfDeriveBits } from './hkdf';
-// import { pbkdf2DeriveBits } from './pbkdf2';
-// import { aesCipher, aesGenerateKey, aesImportKey, getAlgorithmName } from './aes';
-// import { rsaCipher, rsaExportKey, rsaImportKey, rsaKeyGenerate } from './rsa';
-// import { normalizeAlgorithm, type Operation } from './algorithms';
-// import { hmacImportKey } from './mac';
-
 // Temporary enums that need to be defined
 var KWebCryptoKeyFormat = /*#__PURE__*/function (KWebCryptoKeyFormat) {
   KWebCryptoKeyFormat[KWebCryptoKeyFormat["kWebCryptoKeyFormatRaw"] = 0] = "kWebCryptoKeyFormatRaw";
@@ -71,15 +68,15 @@ function getAlgorithmName(name, length) {
 // Placeholder implementations for missing functions
 function ecExportKey(key, format) {
   const keyObject = key.keyObject;
-  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
-    // Export public key in SPKI format
+  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw) {
+    return bufferLikeToArrayBuffer(keyObject.handle.exportKey());
+  } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
     const exported = keyObject.export({
       format: 'der',
       type: 'spki'
     });
     return bufferLikeToArrayBuffer(exported);
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
-    // Export private key in PKCS8 format
     const exported = keyObject.export({
       format: 'der',
       type: 'pkcs8'
@@ -488,6 +485,100 @@ async function hmacGenerateKey(algorithm, extractable, keyUsages) {
   };
   return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
 }
+async function kmacGenerateKey(algorithm, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(`Unsupported key usage for ${name} key`, 'SyntaxError');
+  }
+  const defaultLength = name === 'KMAC128' ? 128 : 256;
+  const length = algorithm.length ?? defaultLength;
+  if (length === 0) {
+    throw lazyDOMException('Zero-length key is not supported', 'OperationError');
+  }
+  const keyBytes = new Uint8Array(Math.ceil(length / 8));
+  getRandomValues(keyBytes);
+  const keyObject = createSecretKey(keyBytes);
+  const keyAlgorithm = {
+    name: name,
+    length
+  };
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+function kmacSignVerify(key, data, algorithm, signature) {
+  const {
+    name
+  } = algorithm;
+  const defaultLength = name === 'KMAC128' ? 256 : 512;
+  const outputLengthBits = algorithm.length ?? defaultLength;
+  if (outputLengthBits % 8 !== 0) {
+    throw lazyDOMException('KMAC output length must be a multiple of 8', 'OperationError');
+  }
+  const outputLengthBytes = outputLengthBits / 8;
+  const keyData = key.keyObject.export();
+  const kmac = NitroModules.createHybridObject('Kmac');
+  let customizationBuffer;
+  if (algorithm.customization !== undefined) {
+    customizationBuffer = bufferLikeToArrayBuffer(algorithm.customization);
+  }
+  kmac.createKmac(name, bufferLikeToArrayBuffer(keyData), outputLengthBytes, customizationBuffer);
+  kmac.update(bufferLikeToArrayBuffer(data));
+  const computed = kmac.digest();
+  if (signature === undefined) {
+    return computed;
+  }
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  if (computed.byteLength !== sigBuffer.byteLength) {
+    return false;
+  }
+  return timingSafeEqual(new Uint8Array(computed), new Uint8Array(sigBuffer));
+}
+async function kmacImportKey(algorithm, format, data, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(`Unsupported key usage for ${name} key`, 'SyntaxError');
+  }
+  let keyObject;
+  if (format === 'jwk') {
+    const jwk = data;
+    if (!jwk || typeof jwk !== 'object') {
+      throw lazyDOMException('Invalid keyData', 'DataError');
+    }
+    if (jwk.kty !== 'oct') {
+      throw lazyDOMException('Invalid JWK format for KMAC key', 'DataError');
+    }
+    const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
+    if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
+      throw lazyDOMException('JWK "alg" does not match the requested algorithm', 'DataError');
+    }
+    const handle = NitroModules.createHybridObject('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+    if (keyType === undefined || keyType !== 0) {
+      throw lazyDOMException('Failed to import KMAC JWK', 'DataError');
+    }
+    keyObject = new SecretKeyObject(handle);
+  } else if (format === 'raw' || format === 'raw-secret') {
+    keyObject = createSecretKey(data);
+  } else {
+    throw lazyDOMException(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
+  }
+  const exported = keyObject.export();
+  const keyLength = exported.byteLength * 8;
+  if (keyLength === 0) {
+    throw lazyDOMException('Zero-length key is not supported', 'DataError');
+  }
+  if (algorithm.length !== undefined && algorithm.length !== keyLength) {
+    throw lazyDOMException('Invalid key length', 'DataError');
+  }
+  const keyAlgorithm = {
+    name: name,
+    length: keyLength
+  };
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
 function rsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
@@ -725,28 +816,48 @@ function edImportKey(format, data, algorithm, extractable, keyUsages) {
     name
   }, keyUsages, extractable);
 }
+function pqcImportKeyObject(format, data, name) {
+  if (format === 'spki') {
+    return KeyObject.createKeyObject('public', bufferLikeToArrayBuffer(data), KFormatType.DER, KeyEncoding.SPKI);
+  } else if (format === 'pkcs8') {
+    return KeyObject.createKeyObject('private', bufferLikeToArrayBuffer(data), KFormatType.DER, KeyEncoding.PKCS8);
+  } else if (format === 'raw') {
+    const handle = NitroModules.createHybridObject('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), true)) {
+      throw lazyDOMException(`Failed to import ${name} raw public key`, 'DataError');
+    }
+    return new PublicKeyObject(handle);
+  } else if (format === 'raw-seed') {
+    const handle = NitroModules.createHybridObject('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), false)) {
+      throw lazyDOMException(`Failed to import ${name} raw seed`, 'DataError');
+    }
+    return new PrivateKeyObject(handle);
+  }
+  throw lazyDOMException(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
+}
 function mldsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
     throw lazyDOMException(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  let keyObject;
-  if (format === 'spki') {
-    // Import public key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject('public', keyData, KFormatType.DER, KeyEncoding.SPKI);
-  } else if (format === 'pkcs8') {
-    // Import private key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject('private', keyData, KFormatType.DER, KeyEncoding.PKCS8);
-  } else {
-    throw lazyDOMException(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
+  return new CryptoKey(pqcImportKeyObject(format, data, name), {
+    name
+  }, keyUsages, extractable);
+}
+function mlkemImportKey(format, data, algorithm, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  const allowedUsages = isPublicFormat ? ['encapsulateBits', 'encapsulateKey'] : ['decapsulateBits', 'decapsulateKey'];
+  if (hasAnyNotIn(keyUsages, allowedUsages)) {
+    throw lazyDOMException(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  return new CryptoKey(keyObject, {
+  return new CryptoKey(pqcImportKeyObject(format, data, name), {
     name
   }, keyUsages, extractable);
 }
@@ -790,6 +901,15 @@ const exportKeySpki = async key => {
         return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI));
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'public') {
+        return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI));
+      }
+      break;
   }
   throw new Error(`Unable to export a spki ${key.algorithm.name} ${key.type} key`);
 };
@@ -833,6 +953,15 @@ const exportKeyPkcs8 = async key => {
         return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8));
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8));
+      }
+      break;
   }
   throw new Error(`Unable to export a pkcs8 ${key.algorithm.name} ${key.type} key`);
 };
@@ -853,7 +982,22 @@ const exportKeyRaw = key => {
     // Fall through
     case 'X448':
       if (key.type === 'public') {
-        // Export raw public key
+        const exported = key.keyObject.handle.exportKey();
+        return bufferLikeToArrayBuffer(exported);
+      }
+      break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
+      if (key.type === 'public') {
         const exported = key.keyObject.handle.exportKey();
         return bufferLikeToArrayBuffer(exported);
       }
@@ -871,6 +1015,10 @@ const exportKeyRaw = key => {
     case 'ChaCha20-Poly1305':
     // Fall through
     case 'HMAC':
+    // Fall through
+    case 'KMAC128':
+    // Fall through
+    case 'KMAC256':
       {
         const exported = key.keyObject.export();
         // Convert Buffer to ArrayBuffer
@@ -897,6 +1045,12 @@ const exportKeyJWK = key => {
     case 'HMAC':
       jwk.alg = normalizeHashName(key.algorithm.hash, HashContext.JwkHmac);
       return jwk;
+    case 'KMAC128':
+      jwk.alg = 'K128';
+      return jwk;
+    case 'KMAC256':
+      jwk.alg = 'K256';
+      return jwk;
     case 'ECDSA':
     // Fall through
     case 'ECDH':
@@ -984,6 +1138,37 @@ const checkCryptoKeyPairUsages = pair => {
   }
   throw lazyDOMException('Usages cannot be empty when creating a key.', 'SyntaxError');
 };
+function argon2DeriveBits(algorithm, baseKey, length) {
+  if (length === 0 || length % 8 !== 0) {
+    throw lazyDOMException('Invalid Argon2 derived key length', 'OperationError');
+  }
+  if (length < 32) {
+    throw lazyDOMException('Argon2 derived key length must be at least 32 bits', 'OperationError');
+  }
+  const {
+    nonce,
+    parallelism,
+    memory,
+    passes,
+    secretValue,
+    associatedData
+  } = algorithm;
+  const tagLength = length / 8;
+  const message = baseKey.keyObject.export();
+  const algName = algorithm.name.toLowerCase();
+  const result = argon2Sync(algName, {
+    message,
+    nonce: nonce ?? new Uint8Array(0),
+    parallelism: parallelism ?? 1,
+    tagLength,
+    memory: memory ?? 65536,
+    passes: passes ?? 3,
+    secret: secretValue,
+    associatedData,
+    version: algorithm.version
+  });
+  return bufferLikeToArrayBuffer(result);
+}
 
 // Type guard to check if result is CryptoKeyPair
 export function isCryptoKeyPair(result) {
@@ -1004,20 +1189,12 @@ function hmacSignVerify(key, data, signature) {
     // Sign operation - return the HMAC as ArrayBuffer
     return computed.buffer.slice(computed.byteOffset, computed.byteOffset + computed.byteLength);
   }
-
-  // Verify operation - compare computed HMAC with provided signature
-  const sigBytes = new Uint8Array(bufferLikeToArrayBuffer(signature));
-  const computedBytes = new Uint8Array(computed.buffer, computed.byteOffset, computed.byteLength);
-  if (computedBytes.length !== sigBytes.length) {
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  const computedBuffer = computed.buffer.slice(computed.byteOffset, computed.byteOffset + computed.byteLength);
+  if (computedBuffer.byteLength !== sigBuffer.byteLength) {
     return false;
   }
-
-  // Constant-time comparison to prevent timing attacks
-  let result = 0;
-  for (let i = 0; i < computedBytes.length; i++) {
-    result |= computedBytes[i] ^ sigBytes[i];
-  }
-  return result === 0;
+  return timingSafeEqual(new Uint8Array(computedBuffer), new Uint8Array(sigBuffer));
 }
 function rsaSignVerify(key, data, padding, signature, saltLength) {
   // Get hash algorithm from key
@@ -1120,6 +1297,9 @@ const signVerify = (algorithm, key, data, signature) => {
     case 'ML-DSA-65':
     case 'ML-DSA-87':
       return mldsaSignVerify(key, data, signature);
+    case 'KMAC128':
+    case 'KMAC256':
+      return kmacSignVerify(key, data, algorithm, signature);
   }
   throw lazyDOMException(`Unrecognized algorithm name '${algorithm.name}' for '${usage}'`, 'NotSupportedError');
 };
@@ -1145,7 +1325,53 @@ const cipherOrWrap = async (mode, algorithm, key, data, op) => {
       return chaCha20Poly1305Cipher(mode, key, data, algorithm);
   }
 };
+const SUPPORTED_ALGORITHMS = {
+  encrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
+  decrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
+  sign: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
+  verify: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
+  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'cSHAKE128', 'cSHAKE256']),
+  generateKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  importKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'HKDF', 'PBKDF2', 'Argon2d', 'Argon2i', 'Argon2id', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  exportKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  deriveBits: new Set(['PBKDF2', 'HKDF', 'ECDH', 'X25519', 'X448', 'Argon2d', 'Argon2i', 'Argon2id']),
+  wrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
+  unwrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
+  encapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  encapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024'])
+};
+const ASYMMETRIC_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']);
 export class Subtle {
+  static supports(operation, algorithm, _lengthOrAdditionalAlgorithm) {
+    let normalizedAlgorithm;
+    try {
+      normalizedAlgorithm = normalizeAlgorithm(algorithm, operation === 'getPublicKey' ? 'exportKey' : operation);
+    } catch {
+      return false;
+    }
+    const name = normalizedAlgorithm.name;
+    if (operation === 'getPublicKey') {
+      return ASYMMETRIC_ALGORITHMS.has(name);
+    }
+    if (operation === 'deriveKey') {
+      // deriveKey decomposes to deriveBits + importKey of additional algorithm
+      if (!SUPPORTED_ALGORITHMS.deriveBits?.has(name)) return false;
+      if (_lengthOrAdditionalAlgorithm != null) {
+        try {
+          const additionalAlg = normalizeAlgorithm(_lengthOrAdditionalAlgorithm, 'importKey');
+          return SUPPORTED_ALGORITHMS.importKey?.has(additionalAlg.name) ?? false;
+        } catch {
+          return false;
+        }
+      }
+      return true;
+    }
+    const supported = SUPPORTED_ALGORITHMS[operation];
+    if (!supported) return false;
+    return supported.has(name);
+  }
   async decrypt(algorithm, key, data) {
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'decrypt');
     return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherDecrypt, normalizedAlgorithm, key, bufferLikeToArrayBuffer(data), 'decrypt');
@@ -1171,6 +1397,10 @@ export class Subtle {
         return ecDeriveBits(algorithm, baseKey, length);
       case 'HKDF':
         return hkdfDeriveBits(algorithm, baseKey, length);
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
+        return argon2DeriveBits(algorithm, baseKey, length);
     }
     throw new Error(`'subtle.deriveBits()' for ${algorithm.name} is not implemented.`);
   }
@@ -1201,6 +1431,11 @@ export class Subtle {
       case 'HKDF':
         derivedBits = hkdfDeriveBits(algorithm, baseKey, length);
         break;
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
+        derivedBits = argon2DeriveBits(algorithm, baseKey, length);
+        break;
       default:
         throw new Error(`'subtle.deriveKey()' for ${algorithm.name} is not implemented.`);
     }
@@ -1214,7 +1449,19 @@ export class Subtle {
   }
   async exportKey(format, key) {
     if (!key.extractable) throw new Error('key is not extractable');
-    if (format === 'raw-secret') format = 'raw';
+    if (format === 'raw-seed') {
+      const pqcAlgos = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87'];
+      if (!pqcAlgos.includes(key.algorithm.name)) {
+        throw lazyDOMException('raw-seed export only supported for PQC keys', 'NotSupportedError');
+      }
+      if (key.type !== 'private') {
+        throw lazyDOMException('raw-seed export requires a private key', 'InvalidAccessError');
+      }
+      return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey());
+    }
+
+    // Note: 'raw-seed' is handled above; do NOT normalize it here
+    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     switch (format) {
       case 'spki':
         return await exportKeySpki(key);
@@ -1339,6 +1586,11 @@ export class Subtle {
       case 'HMAC':
         result = await hmacGenerateKey(algorithm, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacGenerateKey(algorithm, extractable, keyUsages);
+        break;
       case 'Ed25519':
       // Fall through
       case 'Ed448':
@@ -1359,14 +1611,33 @@ export class Subtle {
         result = await x_generateKeyPairWebCrypto(algorithm.name.toLowerCase(), extractable, keyUsages);
         checkCryptoKeyPairUsages(result);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = await mlkem_generateKeyPairWebCrypto(algorithm.name, extractable, keyUsages);
+        checkCryptoKeyPairUsages(result);
+        break;
       default:
         throw new Error(`'subtle.generateKey()' is not implemented for ${algorithm.name}.
             Unrecognized algorithm name`);
     }
     return result;
   }
+  async getPublicKey(key, keyUsages) {
+    if (key.type === 'secret') {
+      throw lazyDOMException('key must be a private key', 'NotSupportedError');
+    }
+    if (key.type !== 'private') {
+      throw lazyDOMException('key must be a private key', 'InvalidAccessError');
+    }
+    const publicKeyObject = createPublicKey(key.keyObject);
+    return publicKeyObject.toCryptoKey(key.algorithm, true, keyUsages);
+  }
   async importKey(format, data, algorithm, extractable, keyUsages) {
-    if (format === 'raw-secret') format = 'raw';
+    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
+    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result;
     switch (normalizedAlgorithm.name) {
@@ -1385,6 +1656,11 @@ export class Subtle {
       case 'HMAC':
         result = await hmacImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
+        break;
       case 'AES-CTR':
       // Fall through
       case 'AES-CBC':
@@ -1399,6 +1675,9 @@ export class Subtle {
         result = await aesImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
       case 'PBKDF2':
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
         result = await importGenericSecretKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
       case 'HKDF':
@@ -1420,6 +1699,13 @@ export class Subtle {
       case 'ML-DSA-87':
         result = mldsaImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = mlkemImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
+        break;
       default:
         throw new Error(`"subtle.importKey()" is not implemented for ${normalizedAlgorithm.name}`);
     }
@@ -1429,85 +1715,65 @@ export class Subtle {
     return result;
   }
   async sign(algorithm, key, data) {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'sign');
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('sign')) {
-        throw lazyDOMException('Key does not have sign usage', 'InvalidAccessError');
-      }
-
-      // Get hash algorithm from key or algorithm params
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm;
-      let hashAlgorithm = 'SHA-256';
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
-
-      // Create HMAC and sign
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      hmac.update(bufferLikeToArrayBuffer(data));
-      return bufferLikeToArrayBuffer(hmac.digest());
-    }
-    return signVerify(normalizedAlgorithm, key, data);
+    return signVerify(normalizeAlgorithm(algorithm, 'sign'), key, data);
   }
   async verify(algorithm, key, signature, data) {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'verify');
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('verify')) {
-        throw lazyDOMException('Key does not have verify usage', 'InvalidAccessError');
-      }
-
-      // Get hash algorithm
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm;
-      let hashAlgorithm = 'SHA-256';
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
-
-      // Create HMAC and compute expected signature
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      const dataBuffer = bufferLikeToArrayBuffer(data);
-      hmac.update(dataBuffer);
-      const expectedDigest = hmac.digest();
-      const expected = new Uint8Array(bufferLikeToArrayBuffer(expectedDigest));
-
-      // Constant-time comparison
-      const signatureArray = new Uint8Array(bufferLikeToArrayBuffer(signature));
-      if (expected.length !== signatureArray.length) {
-        return false;
-      }
-
-      // Manual constant-time comparison
-      let result = 0;
-      for (let i = 0; i < expected.length; i++) {
-        result |= expected[i] ^ signatureArray[i];
-      }
-      return result === 0;
+    return signVerify(normalizeAlgorithm(algorithm, 'verify'), key, data, signature);
+  }
+  _encapsulateCore(algorithm, key) {
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'encapsulateBits');
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
     }
-    return signVerify(normalizedAlgorithm, key, data, signature);
+    const variant = normalizedAlgorithm.name;
+    const mlkem = new MlKem(variant);
+    const keyData = key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI);
+    mlkem.setPublicKey(bufferLikeToArrayBuffer(keyData), KFormatType.DER, KeyEncoding.SPKI);
+    return mlkem.encapsulateSync();
+  }
+  _decapsulateCore(algorithm, key, ciphertext) {
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'decapsulateBits');
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    const variant = normalizedAlgorithm.name;
+    const mlkem = new MlKem(variant);
+    const keyData = key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8);
+    mlkem.setPrivateKey(bufferLikeToArrayBuffer(keyData), KFormatType.DER, KeyEncoding.PKCS8);
+    return mlkem.decapsulateSync(bufferLikeToArrayBuffer(ciphertext));
+  }
+  async encapsulateBits(algorithm, key) {
+    if (!key.usages.includes('encapsulateBits')) {
+      throw lazyDOMException('Key does not have encapsulateBits usage', 'InvalidAccessError');
+    }
+    return this._encapsulateCore(algorithm, key);
+  }
+  async encapsulateKey(algorithm, key, sharedKeyAlgorithm, extractable, usages) {
+    if (!key.usages.includes('encapsulateKey')) {
+      throw lazyDOMException('Key does not have encapsulateKey usage', 'InvalidAccessError');
+    }
+    const {
+      sharedKey,
+      ciphertext
+    } = this._encapsulateCore(algorithm, key);
+    const importedKey = await this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
+    return {
+      key: importedKey,
+      ciphertext
+    };
+  }
+  async decapsulateBits(algorithm, key, ciphertext) {
+    if (!key.usages.includes('decapsulateBits')) {
+      throw lazyDOMException('Key does not have decapsulateBits usage', 'InvalidAccessError');
+    }
+    return this._decapsulateCore(algorithm, key, ciphertext);
+  }
+  async decapsulateKey(algorithm, key, ciphertext, sharedKeyAlgorithm, extractable, usages) {
+    if (!key.usages.includes('decapsulateKey')) {
+      throw lazyDOMException('Key does not have decapsulateKey usage', 'InvalidAccessError');
+    }
+    const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
+    return this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
   }
 }
 export const subtle = new Subtle();
@@ -1526,6 +1792,10 @@ function getKeyLength(algorithm) {
         const hmacAlg = algorithm;
         return hmacAlg.length || 256;
       }
+    case 'KMAC128':
+      return algorithm.length || 128;
+    case 'KMAC256':
+      return algorithm.length || 256;
     default:
       throw lazyDOMException(`Cannot determine key length for ${name}`, 'NotSupportedError');
   }