react-native-quick-crypto 1.0.10 → 1.0.12

package/src/subtle.ts

@@ -28,11 +28,12 @@ import {
 } from './keys';
 import type { CryptoKeyPair } from './utils/types';
 import { bufferLikeToArrayBuffer } from './utils/conversion';
+import { argon2Sync } from './argon2';
 import { lazyDOMException } from './utils/errors';
 import { normalizeHashName, HashContext } from './utils/hashnames';
 import { validateMaxBufferLength } from './utils/validation';
 import { asyncDigest } from './hash';
-import { createSecretKey } from './keys';
+import { createSecretKey, createPublicKey } from './keys';
 import { NitroModules } from 'react-native-nitro-modules';
 import type { KeyObjectHandle } from './specs/keyObjectHandle.nitro';
 import type { RsaCipher } from './specs/rsaCipher.nitro';
@@ -47,6 +48,8 @@ import {
 import { rsa_generateKeyPair } from './rsa';
 import { getRandomValues } from './random';
 import { createHmac } from './hmac';
+import type { Kmac } from './specs/kmac.nitro';
+import { timingSafeEqual } from './utils/timingSafeEqual';
 import { createSign, createVerify } from './keys/signVerify';
 import {
   ed_generateKeyPairWebCrypto,
@@ -55,13 +58,13 @@ import {
   Ed,
 } from './ed';
 import { mldsa_generateKeyPairWebCrypto, type MlDsaVariant } from './mldsa';
+import {
+  mlkem_generateKeyPairWebCrypto,
+  type MlKemVariant,
+  MlKem,
+} from './mlkem';
+import type { EncapsulateResult } from './utils';
 import { hkdfDeriveBits, type HkdfAlgorithm } from './hkdf';
-// import { pbkdf2DeriveBits } from './pbkdf2';
-// import { aesCipher, aesGenerateKey, aesImportKey, getAlgorithmName } from './aes';
-// import { rsaCipher, rsaExportKey, rsaImportKey, rsaKeyGenerate } from './rsa';
-// import { normalizeAlgorithm, type Operation } from './algorithms';
-// import { hmacImportKey } from './mac';
-
 // Temporary enums that need to be defined
 
 enum KWebCryptoKeyFormat {
@@ -113,12 +116,12 @@ function getAlgorithmName(name: string, length: number): string {
 function ecExportKey(key: CryptoKey, format: KWebCryptoKeyFormat): ArrayBuffer {
   const keyObject = key.keyObject;
 
-  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
-    // Export public key in SPKI format
+  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw) {
+    return bufferLikeToArrayBuffer(keyObject.handle.exportKey());
+  } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
     const exported = keyObject.export({ format: 'der', type: 'spki' });
     return bufferLikeToArrayBuffer(exported);
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
-    // Export private key in PKCS8 format
     const exported = keyObject.export({ format: 'der', type: 'pkcs8' });
     return bufferLikeToArrayBuffer(exported);
   } else {
@@ -704,6 +707,164 @@ async function hmacGenerateKey(
   return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
 }
 
+async function kmacGenerateKey(
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): Promise<CryptoKey> {
+  const { name } = algorithm;
+
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
+    );
+  }
+
+  const defaultLength = name === 'KMAC128' ? 128 : 256;
+  const length = algorithm.length ?? defaultLength;
+
+  if (length === 0) {
+    throw lazyDOMException(
+      'Zero-length key is not supported',
+      'OperationError',
+    );
+  }
+
+  const keyBytes = new Uint8Array(Math.ceil(length / 8));
+  getRandomValues(keyBytes);
+
+  const keyObject = createSecretKey(keyBytes);
+
+  const keyAlgorithm: SubtleAlgorithm = { name: name as AnyAlgorithm, length };
+
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+
+function kmacSignVerify(
+  key: CryptoKey,
+  data: BufferLike,
+  algorithm: SubtleAlgorithm,
+  signature?: BufferLike,
+): ArrayBuffer | boolean {
+  const { name } = algorithm;
+
+  const defaultLength = name === 'KMAC128' ? 256 : 512;
+  const outputLengthBits = algorithm.length ?? defaultLength;
+
+  if (outputLengthBits % 8 !== 0) {
+    throw lazyDOMException(
+      'KMAC output length must be a multiple of 8',
+      'OperationError',
+    );
+  }
+
+  const outputLengthBytes = outputLengthBits / 8;
+
+  const keyData = key.keyObject.export();
+
+  const kmac = NitroModules.createHybridObject<Kmac>('Kmac');
+
+  let customizationBuffer: ArrayBuffer | undefined;
+  if (algorithm.customization !== undefined) {
+    customizationBuffer = bufferLikeToArrayBuffer(algorithm.customization);
+  }
+
+  kmac.createKmac(
+    name,
+    bufferLikeToArrayBuffer(keyData),
+    outputLengthBytes,
+    customizationBuffer,
+  );
+  kmac.update(bufferLikeToArrayBuffer(data));
+  const computed = kmac.digest();
+
+  if (signature === undefined) {
+    return computed;
+  }
+
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  if (computed.byteLength !== sigBuffer.byteLength) {
+    return false;
+  }
+
+  return timingSafeEqual(new Uint8Array(computed), new Uint8Array(sigBuffer));
+}
+
+async function kmacImportKey(
+  algorithm: SubtleAlgorithm,
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): Promise<CryptoKey> {
+  const { name } = algorithm;
+
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
+    );
+  }
+
+  let keyObject: KeyObject;
+
+  if (format === 'jwk') {
+    const jwk = data as JWK;
+
+    if (!jwk || typeof jwk !== 'object') {
+      throw lazyDOMException('Invalid keyData', 'DataError');
+    }
+
+    if (jwk.kty !== 'oct') {
+      throw lazyDOMException('Invalid JWK format for KMAC key', 'DataError');
+    }
+
+    const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
+    if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
+      throw lazyDOMException(
+        'JWK "alg" does not match the requested algorithm',
+        'DataError',
+      );
+    }
+
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+
+    if (keyType === undefined || keyType !== 0) {
+      throw lazyDOMException('Failed to import KMAC JWK', 'DataError');
+    }
+
+    keyObject = new SecretKeyObject(handle);
+  } else if (format === 'raw' || format === 'raw-secret') {
+    keyObject = createSecretKey(data as BinaryLike);
+  } else {
+    throw lazyDOMException(
+      `Unable to import ${name} key with format ${format}`,
+      'NotSupportedError',
+    );
+  }
+
+  const exported = keyObject.export();
+  const keyLength = exported.byteLength * 8;
+
+  if (keyLength === 0) {
+    throw lazyDOMException('Zero-length key is not supported', 'DataError');
+  }
+
+  if (algorithm.length !== undefined && algorithm.length !== keyLength) {
+    throw lazyDOMException('Invalid key length', 'DataError');
+  }
+
+  const keyAlgorithm: SubtleAlgorithm = {
+    name: name as AnyAlgorithm,
+    length: keyLength,
+  };
+
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+
 function rsaImportKey(
   format: ImportFormat,
   data: BufferLike | JWK,
@@ -1024,6 +1185,49 @@ function edImportKey(
   return new CryptoKey(keyObject, { name }, keyUsages, extractable);
 }
 
+function pqcImportKeyObject(
+  format: ImportFormat,
+  data: BufferLike,
+  name: string,
+): KeyObject {
+  if (format === 'spki') {
+    return KeyObject.createKeyObject(
+      'public',
+      bufferLikeToArrayBuffer(data),
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+  } else if (format === 'pkcs8') {
+    return KeyObject.createKeyObject(
+      'private',
+      bufferLikeToArrayBuffer(data),
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
+  } else if (format === 'raw') {
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), true)) {
+      throw lazyDOMException(
+        `Failed to import ${name} raw public key`,
+        'DataError',
+      );
+    }
+    return new PublicKeyObject(handle);
+  } else if (format === 'raw-seed') {
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), false)) {
+      throw lazyDOMException(`Failed to import ${name} raw seed`, 'DataError');
+    }
+    return new PrivateKeyObject(handle);
+  }
+  throw lazyDOMException(
+    `Unsupported format for ${name} import: ${format}`,
+    'NotSupportedError',
+  );
+}
+
 function mldsaImportKey(
   format: ImportFormat,
   data: BufferLike,
@@ -1032,43 +1236,45 @@ function mldsaImportKey(
   keyUsages: KeyUsage[],
 ): CryptoKey {
   const { name } = algorithm;
-
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
     throw lazyDOMException(
       `Unsupported key usage for ${name} key`,
       'SyntaxError',
     );
   }
+  return new CryptoKey(
+    pqcImportKeyObject(format, data, name),
+    { name },
+    keyUsages,
+    extractable,
+  );
+}
 
-  let keyObject: KeyObject;
-
-  if (format === 'spki') {
-    // Import public key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject(
-      'public',
-      keyData,
-      KFormatType.DER,
-      KeyEncoding.SPKI,
-    );
-  } else if (format === 'pkcs8') {
-    // Import private key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject(
-      'private',
-      keyData,
-      KFormatType.DER,
-      KeyEncoding.PKCS8,
-    );
-  } else {
+function mlkemImportKey(
+  format: ImportFormat,
+  data: BufferLike,
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): CryptoKey {
+  const { name } = algorithm;
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  const allowedUsages: KeyUsage[] = isPublicFormat
+    ? ['encapsulateBits', 'encapsulateKey']
+    : ['decapsulateBits', 'decapsulateKey'];
+  if (hasAnyNotIn(keyUsages, allowedUsages)) {
     throw lazyDOMException(
-      `Unsupported format for ${name} import: ${format}`,
-      'NotSupportedError',
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
     );
   }
-
-  return new CryptoKey(keyObject, { name }, keyUsages, extractable);
+  return new CryptoKey(
+    pqcImportKeyObject(format, data, name),
+    { name },
+    keyUsages,
+    extractable,
+  );
 }
 
 const exportKeySpki = async (
@@ -1117,6 +1323,17 @@ const exportKeySpki = async (
         );
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'public') {
+        return bufferLikeToArrayBuffer(
+          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI),
+        );
+      }
+      break;
   }
 
   throw new Error(
@@ -1170,6 +1387,17 @@ const exportKeyPkcs8 = async (
         );
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        return bufferLikeToArrayBuffer(
+          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8),
+        );
+      }
+      break;
   }
 
   throw new Error(
@@ -1194,7 +1422,22 @@ const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
     // Fall through
     case 'X448':
       if (key.type === 'public') {
-        // Export raw public key
+        const exported = key.keyObject.handle.exportKey();
+        return bufferLikeToArrayBuffer(exported);
+      }
+      break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
+      if (key.type === 'public') {
         const exported = key.keyObject.handle.exportKey();
         return bufferLikeToArrayBuffer(exported);
       }
@@ -1211,7 +1454,11 @@ const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
     // Fall through
     case 'ChaCha20-Poly1305':
     // Fall through
-    case 'HMAC': {
+    case 'HMAC':
+    // Fall through
+    case 'KMAC128':
+    // Fall through
+    case 'KMAC256': {
       const exported = key.keyObject.export();
       // Convert Buffer to ArrayBuffer
       return exported.buffer.slice(
@@ -1248,6 +1495,12 @@ const exportKeyJWK = (key: CryptoKey): ArrayBuffer | unknown => {
     case 'HMAC':
       jwk.alg = normalizeHashName(key.algorithm.hash, HashContext.JwkHmac);
       return jwk;
+    case 'KMAC128':
+      jwk.alg = 'K128';
+      return jwk;
+    case 'KMAC256':
+      jwk.alg = 'K256';
+      return jwk;
     case 'ECDSA':
     // Fall through
     case 'ECDH':
@@ -1364,6 +1617,45 @@ const checkCryptoKeyPairUsages = (pair: CryptoKeyPair) => {
   );
 };
 
+function argon2DeriveBits(
+  algorithm: SubtleAlgorithm,
+  baseKey: CryptoKey,
+  length: number,
+): ArrayBuffer {
+  if (length === 0 || length % 8 !== 0) {
+    throw lazyDOMException(
+      'Invalid Argon2 derived key length',
+      'OperationError',
+    );
+  }
+  if (length < 32) {
+    throw lazyDOMException(
+      'Argon2 derived key length must be at least 32 bits',
+      'OperationError',
+    );
+  }
+
+  const { nonce, parallelism, memory, passes, secretValue, associatedData } =
+    algorithm;
+  const tagLength = length / 8;
+  const message = baseKey.keyObject.export();
+  const algName = algorithm.name.toLowerCase();
+
+  const result = argon2Sync(algName, {
+    message,
+    nonce: nonce ?? new Uint8Array(0),
+    parallelism: parallelism ?? 1,
+    tagLength,
+    memory: memory ?? 65536,
+    passes: passes ?? 3,
+    secret: secretValue,
+    associatedData,
+    version: algorithm.version,
+  });
+
+  return bufferLikeToArrayBuffer(result);
+}
+
 // Type guard to check if result is CryptoKeyPair
 export function isCryptoKeyPair(
   result: CryptoKey | CryptoKeyPair,
@@ -1395,24 +1687,20 @@ function hmacSignVerify(
     );
   }
 
-  // Verify operation - compare computed HMAC with provided signature
-  const sigBytes = new Uint8Array(bufferLikeToArrayBuffer(signature));
-  const computedBytes = new Uint8Array(
-    computed.buffer,
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  const computedBuffer = computed.buffer.slice(
     computed.byteOffset,
-    computed.byteLength,
+    computed.byteOffset + computed.byteLength,
   );
 
-  if (computedBytes.length !== sigBytes.length) {
+  if (computedBuffer.byteLength !== sigBuffer.byteLength) {
     return false;
   }
 
-  // Constant-time comparison to prevent timing attacks
-  let result = 0;
-  for (let i = 0; i < computedBytes.length; i++) {
-    result |= computedBytes[i]! ^ sigBytes[i]!;
-  }
-  return result === 0;
+  return timingSafeEqual(
+    new Uint8Array(computedBuffer),
+    new Uint8Array(sigBuffer),
+  );
 }
 
 function rsaSignVerify(
@@ -1555,6 +1843,9 @@ const signVerify = (
     case 'ML-DSA-65':
     case 'ML-DSA-87':
       return mldsaSignVerify(key, data, signature);
+    case 'KMAC128':
+    case 'KMAC256':
+      return kmacSignVerify(key, data, algorithm, signature);
   }
   throw lazyDOMException(
     `Unrecognized algorithm name '${algorithm.name}' for '${usage}'`,
@@ -1604,7 +1895,241 @@ const cipherOrWrap = async (
   }
 };
 
+const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
+  encrypt: new Set([
+    'RSA-OAEP',
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+  ]),
+  decrypt: new Set([
+    'RSA-OAEP',
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+  ]),
+  sign: new Set([
+    'RSASSA-PKCS1-v1_5',
+    'RSA-PSS',
+    'ECDSA',
+    'HMAC',
+    'KMAC128',
+    'KMAC256',
+    'Ed25519',
+    'Ed448',
+    'ML-DSA-44',
+    'ML-DSA-65',
+    'ML-DSA-87',
+  ]),
+  verify: new Set([
+    'RSASSA-PKCS1-v1_5',
+    'RSA-PSS',
+    'ECDSA',
+    'HMAC',
+    'KMAC128',
+    'KMAC256',
+    'Ed25519',
+    'Ed448',
+    'ML-DSA-44',
+    'ML-DSA-65',
+    'ML-DSA-87',
+  ]),
+  digest: new Set([
+    'SHA-1',
+    'SHA-256',
+    'SHA-384',
+    'SHA-512',
+    'SHA3-256',
+    'SHA3-384',
+    'SHA3-512',
+    'cSHAKE128',
+    'cSHAKE256',
+  ]),
+  generateKey: new Set([
+    'RSASSA-PKCS1-v1_5',
+    'RSA-PSS',
+    'RSA-OAEP',
+    'ECDSA',
+    'ECDH',
+    'Ed25519',
+    'Ed448',
+    'X25519',
+    'X448',
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-KW',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+    'HMAC',
+    'KMAC128',
+    'KMAC256',
+    'ML-DSA-44',
+    'ML-DSA-65',
+    'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
+  ]),
+  importKey: new Set([
+    'RSASSA-PKCS1-v1_5',
+    'RSA-PSS',
+    'RSA-OAEP',
+    'ECDSA',
+    'ECDH',
+    'Ed25519',
+    'Ed448',
+    'X25519',
+    'X448',
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-KW',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+    'HMAC',
+    'KMAC128',
+    'KMAC256',
+    'HKDF',
+    'PBKDF2',
+    'Argon2d',
+    'Argon2i',
+    'Argon2id',
+    'ML-DSA-44',
+    'ML-DSA-65',
+    'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
+  ]),
+  exportKey: new Set([
+    'RSASSA-PKCS1-v1_5',
+    'RSA-PSS',
+    'RSA-OAEP',
+    'ECDSA',
+    'ECDH',
+    'Ed25519',
+    'Ed448',
+    'X25519',
+    'X448',
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-KW',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+    'HMAC',
+    'KMAC128',
+    'KMAC256',
+    'ML-DSA-44',
+    'ML-DSA-65',
+    'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
+  ]),
+  deriveBits: new Set([
+    'PBKDF2',
+    'HKDF',
+    'ECDH',
+    'X25519',
+    'X448',
+    'Argon2d',
+    'Argon2i',
+    'Argon2id',
+  ]),
+  wrapKey: new Set([
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-KW',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+    'RSA-OAEP',
+  ]),
+  unwrapKey: new Set([
+    'AES-CTR',
+    'AES-CBC',
+    'AES-GCM',
+    'AES-KW',
+    'AES-OCB',
+    'ChaCha20-Poly1305',
+    'RSA-OAEP',
+  ]),
+  encapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  encapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+};
+
+const ASYMMETRIC_ALGORITHMS = new Set([
+  'RSASSA-PKCS1-v1_5',
+  'RSA-PSS',
+  'RSA-OAEP',
+  'ECDSA',
+  'ECDH',
+  'Ed25519',
+  'Ed448',
+  'X25519',
+  'X448',
+  'ML-DSA-44',
+  'ML-DSA-65',
+  'ML-DSA-87',
+  'ML-KEM-512',
+  'ML-KEM-768',
+  'ML-KEM-1024',
+]);
+
 export class Subtle {
+  static supports(
+    operation: string,
+    algorithm: SubtleAlgorithm | AnyAlgorithm,
+    _lengthOrAdditionalAlgorithm?: unknown,
+  ): boolean {
+    let normalizedAlgorithm: SubtleAlgorithm;
+    try {
+      normalizedAlgorithm = normalizeAlgorithm(
+        algorithm,
+        (operation === 'getPublicKey' ? 'exportKey' : operation) as Operation,
+      );
+    } catch {
+      return false;
+    }
+
+    const name = normalizedAlgorithm.name;
+
+    if (operation === 'getPublicKey') {
+      return ASYMMETRIC_ALGORITHMS.has(name);
+    }
+
+    if (operation === 'deriveKey') {
+      // deriveKey decomposes to deriveBits + importKey of additional algorithm
+      if (!SUPPORTED_ALGORITHMS.deriveBits?.has(name)) return false;
+      if (_lengthOrAdditionalAlgorithm != null) {
+        try {
+          const additionalAlg = normalizeAlgorithm(
+            _lengthOrAdditionalAlgorithm as SubtleAlgorithm | AnyAlgorithm,
+            'importKey',
+          );
+          return (
+            SUPPORTED_ALGORITHMS.importKey?.has(additionalAlg.name) ?? false
+          );
+        } catch {
+          return false;
+        }
+      }
+      return true;
+    }
+
+    const supported = SUPPORTED_ALGORITHMS[operation];
+    if (!supported) return false;
+    return supported.has(name);
+  }
+
   async decrypt(
     algorithm: EncryptDecryptParams,
     key: CryptoKey,
@@ -1660,6 +2185,10 @@ export class Subtle {
           baseKey,
           length,
         );
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
+        return argon2DeriveBits(algorithm, baseKey, length);
     }
     throw new Error(
       `'subtle.deriveBits()' for ${algorithm.name} is not implemented.`,
@@ -1711,6 +2240,11 @@ export class Subtle {
           length,
         );
         break;
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
+        derivedBits = argon2DeriveBits(algorithm, baseKey, length);
+        break;
       default:
         throw new Error(
           `'subtle.deriveKey()' for ${algorithm.name} is not implemented.`,
@@ -1748,7 +2282,32 @@ export class Subtle {
   ): Promise<ArrayBuffer | JWK> {
     if (!key.extractable) throw new Error('key is not extractable');
 
-    if (format === 'raw-secret') format = 'raw';
+    if (format === 'raw-seed') {
+      const pqcAlgos = [
+        'ML-KEM-512',
+        'ML-KEM-768',
+        'ML-KEM-1024',
+        'ML-DSA-44',
+        'ML-DSA-65',
+        'ML-DSA-87',
+      ];
+      if (!pqcAlgos.includes(key.algorithm.name)) {
+        throw lazyDOMException(
+          'raw-seed export only supported for PQC keys',
+          'NotSupportedError',
+        );
+      }
+      if (key.type !== 'private') {
+        throw lazyDOMException(
+          'raw-seed export requires a private key',
+          'InvalidAccessError',
+        );
+      }
+      return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey());
+    }
+
+    // Note: 'raw-seed' is handled above; do NOT normalize it here
+    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
 
     switch (format) {
       case 'spki':
@@ -1935,6 +2494,11 @@ export class Subtle {
       case 'HMAC':
         result = await hmacGenerateKey(algorithm, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacGenerateKey(algorithm, extractable, keyUsages);
+        break;
       case 'Ed25519':
       // Fall through
       case 'Ed448':
@@ -1967,6 +2531,18 @@ export class Subtle {
         );
         checkCryptoKeyPairUsages(result as CryptoKeyPair);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = await mlkem_generateKeyPairWebCrypto(
+          algorithm.name as MlKemVariant,
+          extractable,
+          keyUsages,
+        );
+        checkCryptoKeyPairUsages(result as CryptoKeyPair);
+        break;
       default:
         throw new Error(
           `'subtle.generateKey()' is not implemented for ${algorithm.name}.
@@ -1977,6 +2553,21 @@ export class Subtle {
     return result;
   }
 
+  async getPublicKey(
+    key: CryptoKey,
+    keyUsages: KeyUsage[],
+  ): Promise<CryptoKey> {
+    if (key.type === 'secret') {
+      throw lazyDOMException('key must be a private key', 'NotSupportedError');
+    }
+    if (key.type !== 'private') {
+      throw lazyDOMException('key must be a private key', 'InvalidAccessError');
+    }
+
+    const publicKeyObject = createPublicKey(key.keyObject);
+    return publicKeyObject.toCryptoKey(key.algorithm, true, keyUsages);
+  }
+
   async importKey(
     format: ImportFormat,
     data: BufferLike | BinaryLike | JWK,
@@ -1984,7 +2575,8 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
-    if (format === 'raw-secret') format = 'raw';
+    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
+    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result: CryptoKey;
     switch (normalizedAlgorithm.name) {
@@ -2021,6 +2613,17 @@ export class Subtle {
           keyUsages,
         );
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacImportKey(
+          normalizedAlgorithm,
+          format,
+          data as BufferLike | JWK,
+          extractable,
+          keyUsages,
+        );
+        break;
       case 'AES-CTR':
       // Fall through
       case 'AES-CBC':
@@ -2041,6 +2644,9 @@ export class Subtle {
         );
         break;
       case 'PBKDF2':
+      case 'Argon2d':
+      case 'Argon2i':
+      case 'Argon2id':
         result = await importGenericSecretKey(
           normalizedAlgorithm,
           format,
@@ -2086,6 +2692,19 @@ export class Subtle {
           keyUsages,
         );
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = mlkemImportKey(
+          format,
+          data as BufferLike,
+          normalizedAlgorithm,
+          extractable,
+          keyUsages,
+        );
+        break;
       default:
         throw new Error(
           `"subtle.importKey()" is not implemented for ${normalizedAlgorithm.name}`,
@@ -2109,103 +2728,164 @@ export class Subtle {
     key: CryptoKey,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'sign');
+    return signVerify(
+      normalizeAlgorithm(algorithm, 'sign'),
+      key,
+      data,
+    ) as ArrayBuffer;
+  }
 
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('sign')) {
-        throw lazyDOMException(
-          'Key does not have sign usage',
-          'InvalidAccessError',
-        );
-      }
+  async verify(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    signature: BufferLike,
+    data: BufferLike,
+  ): Promise<boolean> {
+    return signVerify(
+      normalizeAlgorithm(algorithm, 'verify'),
+      key,
+      data,
+      signature,
+    ) as boolean;
+  }
 
-      // Get hash algorithm from key or algorithm params
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm as any;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm as any;
-      let hashAlgorithm = 'SHA-256';
-
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
+  private _encapsulateCore(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+  ): EncapsulateResult {
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'encapsulateBits' as Operation,
+    );
 
-      // Create HMAC and sign
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      hmac.update(bufferLikeToArrayBuffer(data));
-      return bufferLikeToArrayBuffer(hmac.digest());
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
     }
 
-    return signVerify(normalizedAlgorithm, key, data) as ArrayBuffer;
+    const variant = normalizedAlgorithm.name as MlKemVariant;
+    const mlkem = new MlKem(variant);
+
+    const keyData = key.keyObject.handle.exportKey(
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+    mlkem.setPublicKey(
+      bufferLikeToArrayBuffer(keyData),
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+
+    return mlkem.encapsulateSync();
   }
 
-  async verify(
+  private _decapsulateCore(
     algorithm: SubtleAlgorithm,
     key: CryptoKey,
-    signature: BufferLike,
-    data: BufferLike,
-  ): Promise<boolean> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'verify');
+    ciphertext: BufferLike,
+  ): ArrayBuffer {
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'decapsulateBits' as Operation,
+    );
 
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('verify')) {
-        throw lazyDOMException(
-          'Key does not have verify usage',
-          'InvalidAccessError',
-        );
-      }
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
 
-      // Get hash algorithm
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm as any;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm as any;
-      let hashAlgorithm = 'SHA-256';
-
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
+    const variant = normalizedAlgorithm.name as MlKemVariant;
+    const mlkem = new MlKem(variant);
 
-      // Create HMAC and compute expected signature
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      const dataBuffer = bufferLikeToArrayBuffer(data);
-      hmac.update(dataBuffer);
-      const expectedDigest = hmac.digest();
-      const expected = new Uint8Array(bufferLikeToArrayBuffer(expectedDigest));
-
-      // Constant-time comparison
-      const signatureArray = new Uint8Array(bufferLikeToArrayBuffer(signature));
-      if (expected.length !== signatureArray.length) {
-        return false;
-      }
+    const keyData = key.keyObject.handle.exportKey(
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
+    mlkem.setPrivateKey(
+      bufferLikeToArrayBuffer(keyData),
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
 
-      // Manual constant-time comparison
-      let result = 0;
-      for (let i = 0; i < expected.length; i++) {
-        result |= expected[i]! ^ signatureArray[i]!;
-      }
-      return result === 0;
+    return mlkem.decapsulateSync(bufferLikeToArrayBuffer(ciphertext));
+  }
+
+  async encapsulateBits(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+  ): Promise<EncapsulateResult> {
+    if (!key.usages.includes('encapsulateBits')) {
+      throw lazyDOMException(
+        'Key does not have encapsulateBits usage',
+        'InvalidAccessError',
+      );
+    }
+
+    return this._encapsulateCore(algorithm, key);
+  }
+
+  async encapsulateKey(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    sharedKeyAlgorithm: SubtleAlgorithm | AnyAlgorithm,
+    extractable: boolean,
+    usages: KeyUsage[],
+  ): Promise<{ key: CryptoKey; ciphertext: ArrayBuffer }> {
+    if (!key.usages.includes('encapsulateKey')) {
+      throw lazyDOMException(
+        'Key does not have encapsulateKey usage',
+        'InvalidAccessError',
+      );
+    }
+
+    const { sharedKey, ciphertext } = this._encapsulateCore(algorithm, key);
+    const importedKey = await this.importKey(
+      'raw',
+      sharedKey,
+      sharedKeyAlgorithm,
+      extractable,
+      usages,
+    );
+
+    return { key: importedKey, ciphertext };
+  }
+
+  async decapsulateBits(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    ciphertext: BufferLike,
+  ): Promise<ArrayBuffer> {
+    if (!key.usages.includes('decapsulateBits')) {
+      throw lazyDOMException(
+        'Key does not have decapsulateBits usage',
+        'InvalidAccessError',
+      );
     }
 
-    return signVerify(normalizedAlgorithm, key, data, signature) as boolean;
+    return this._decapsulateCore(algorithm, key, ciphertext);
+  }
+
+  async decapsulateKey(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    ciphertext: BufferLike,
+    sharedKeyAlgorithm: SubtleAlgorithm | AnyAlgorithm,
+    extractable: boolean,
+    usages: KeyUsage[],
+  ): Promise<CryptoKey> {
+    if (!key.usages.includes('decapsulateKey')) {
+      throw lazyDOMException(
+        'Key does not have decapsulateKey usage',
+        'InvalidAccessError',
+      );
+    }
+
+    const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
+    return this.importKey(
+      'raw',
+      sharedKey,
+      sharedKeyAlgorithm,
+      extractable,
+      usages,
+    );
   }
 }
 
@@ -2228,6 +2908,11 @@ function getKeyLength(algorithm: SubtleAlgorithm): number {
       return hmacAlg.length || 256;
     }
 
+    case 'KMAC128':
+      return algorithm.length || 128;
+    case 'KMAC256':
+      return algorithm.length || 256;
+
     default:
       throw lazyDOMException(
         `Cannot determine key length for ${name}`,