npm - react-native-quick-crypto - Versions diffs - 1.0.10 → 1.0.12 - Mend

react-native-quick-crypto 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (293) hide show

package/android/CMakeLists.txt +16 -0
package/cpp/argon2/HybridArgon2.cpp +103 -0
package/cpp/argon2/HybridArgon2.hpp +32 -0
package/cpp/certificate/HybridCertificate.cpp +42 -0
package/cpp/certificate/HybridCertificate.hpp +16 -0
package/cpp/cipher/CCMCipher.cpp +4 -1
package/cpp/cipher/ChaCha20Cipher.cpp +3 -1
package/cpp/cipher/ChaCha20Poly1305Cipher.cpp +5 -5
package/cpp/cipher/ChaCha20Poly1305Cipher.hpp +1 -2
package/cpp/cipher/HybridCipher.cpp +68 -1
package/cpp/cipher/HybridCipher.hpp +6 -0
package/cpp/cipher/HybridRsaCipher.cpp +0 -13
package/cpp/cipher/XChaCha20Poly1305Cipher.cpp +7 -5
package/cpp/cipher/XChaCha20Poly1305Cipher.hpp +1 -2
package/cpp/cipher/XSalsa20Cipher.cpp +4 -0
package/cpp/cipher/XSalsa20Poly1305Cipher.cpp +7 -5
package/cpp/cipher/XSalsa20Poly1305Cipher.hpp +1 -2
package/cpp/dh/HybridDhKeyPair.cpp +179 -0
package/cpp/dh/HybridDhKeyPair.hpp +37 -0
package/cpp/dsa/HybridDsaKeyPair.cpp +128 -0
package/cpp/dsa/HybridDsaKeyPair.hpp +32 -0
package/cpp/ecdh/HybridECDH.cpp +42 -120
package/cpp/ecdh/HybridECDH.hpp +1 -0
package/cpp/keys/HybridKeyObjectHandle.cpp +150 -128
package/cpp/keys/HybridKeyObjectHandle.hpp +6 -3
package/cpp/keys/KeyObjectData.hpp +2 -0
package/cpp/kmac/HybridKmac.cpp +83 -0
package/cpp/kmac/HybridKmac.hpp +31 -0
package/cpp/mldsa/HybridMlDsaKeyPair.cpp +11 -20
package/cpp/mldsa/HybridMlDsaKeyPair.hpp +4 -2
package/cpp/mlkem/HybridMlKemKeyPair.cpp +319 -0
package/cpp/mlkem/HybridMlKemKeyPair.hpp +48 -0
package/cpp/prime/HybridPrime.cpp +81 -0
package/cpp/prime/HybridPrime.hpp +20 -0
package/cpp/sign/SignUtils.hpp +9 -26
package/cpp/utils/QuickCryptoUtils.cpp +44 -0
package/cpp/utils/QuickCryptoUtils.hpp +39 -0
package/cpp/x509/HybridX509Certificate.cpp +174 -0
package/cpp/x509/HybridX509Certificate.hpp +51 -0
package/lib/commonjs/argon2.js +39 -0
package/lib/commonjs/argon2.js.map +1 -0
package/lib/commonjs/certificate.js +35 -0
package/lib/commonjs/certificate.js.map +1 -0
package/lib/commonjs/cipher.js +23 -2
package/lib/commonjs/cipher.js.map +1 -1
package/lib/commonjs/dhKeyPair.js +109 -0
package/lib/commonjs/dhKeyPair.js.map +1 -0
package/lib/commonjs/dsa.js +92 -0
package/lib/commonjs/dsa.js.map +1 -0
package/lib/commonjs/ec.js +18 -18
package/lib/commonjs/ec.js.map +1 -1
package/lib/commonjs/ecdh.js +37 -0
package/lib/commonjs/ecdh.js.map +1 -1
package/lib/commonjs/ed.js +9 -9
package/lib/commonjs/ed.js.map +1 -1
package/lib/commonjs/hash.js +17 -12
package/lib/commonjs/hash.js.map +1 -1
package/lib/commonjs/hkdf.js.map +1 -1
package/lib/commonjs/index.js +57 -0
package/lib/commonjs/index.js.map +1 -1
package/lib/commonjs/keys/classes.js +11 -9
package/lib/commonjs/keys/classes.js.map +1 -1
package/lib/commonjs/keys/generateKeyPair.js +11 -0
package/lib/commonjs/keys/generateKeyPair.js.map +1 -1
package/lib/commonjs/keys/index.js +24 -0
package/lib/commonjs/keys/index.js.map +1 -1
package/lib/commonjs/keys/signVerify.js +0 -2
package/lib/commonjs/keys/signVerify.js.map +1 -1
package/lib/commonjs/mlkem.js +219 -0
package/lib/commonjs/mlkem.js.map +1 -0
package/lib/commonjs/pbkdf2.js +18 -1
package/lib/commonjs/pbkdf2.js.map +1 -1
package/lib/commonjs/prime.js +84 -0
package/lib/commonjs/prime.js.map +1 -0
package/lib/commonjs/rsa.js +7 -7
package/lib/commonjs/rsa.js.map +1 -1
package/lib/commonjs/specs/argon2.nitro.js +6 -0
package/lib/commonjs/specs/argon2.nitro.js.map +1 -0
package/lib/commonjs/specs/certificate.nitro.js +6 -0
package/lib/commonjs/specs/certificate.nitro.js.map +1 -0
package/lib/commonjs/specs/dhKeyPair.nitro.js +6 -0
package/lib/commonjs/specs/dhKeyPair.nitro.js.map +1 -0
package/lib/commonjs/specs/dsaKeyPair.nitro.js +6 -0
package/lib/commonjs/specs/dsaKeyPair.nitro.js.map +1 -0
package/lib/commonjs/specs/kmac.nitro.js +6 -0
package/lib/commonjs/specs/kmac.nitro.js.map +1 -0
package/lib/commonjs/specs/mlKemKeyPair.nitro.js +6 -0
package/lib/commonjs/specs/mlKemKeyPair.nitro.js.map +1 -0
package/lib/commonjs/specs/prime.nitro.js +6 -0
package/lib/commonjs/specs/prime.nitro.js.map +1 -0
package/lib/commonjs/specs/x509certificate.nitro.js +6 -0
package/lib/commonjs/specs/x509certificate.nitro.js.map +1 -0
package/lib/commonjs/subtle.js +385 -114
package/lib/commonjs/subtle.js.map +1 -1
package/lib/commonjs/utils/conversion.js +3 -3
package/lib/commonjs/utils/conversion.js.map +1 -1
package/lib/commonjs/utils/hashnames.js +31 -0
package/lib/commonjs/utils/hashnames.js.map +1 -1
package/lib/commonjs/utils/types.js.map +1 -1
package/lib/commonjs/x509certificate.js +189 -0
package/lib/commonjs/x509certificate.js.map +1 -0
package/lib/module/argon2.js +34 -0
package/lib/module/argon2.js.map +1 -0
package/lib/module/certificate.js +30 -0
package/lib/module/certificate.js.map +1 -0
package/lib/module/cipher.js +23 -3
package/lib/module/cipher.js.map +1 -1
package/lib/module/dhKeyPair.js +102 -0
package/lib/module/dhKeyPair.js.map +1 -0
package/lib/module/dsa.js +85 -0
package/lib/module/dsa.js.map +1 -0
package/lib/module/ec.js +6 -6
package/lib/module/ec.js.map +1 -1
package/lib/module/ecdh.js +37 -0
package/lib/module/ecdh.js.map +1 -1
package/lib/module/ed.js +1 -1
package/lib/module/ed.js.map +1 -1
package/lib/module/hash.js +17 -12
package/lib/module/hash.js.map +1 -1
package/lib/module/hkdf.js.map +1 -1
package/lib/module/index.js +15 -0
package/lib/module/index.js.map +1 -1
package/lib/module/keys/classes.js +11 -9
package/lib/module/keys/classes.js.map +1 -1
package/lib/module/keys/generateKeyPair.js +11 -0
package/lib/module/keys/generateKeyPair.js.map +1 -1
package/lib/module/keys/index.js +25 -1
package/lib/module/keys/index.js.map +1 -1
package/lib/module/keys/signVerify.js +0 -2
package/lib/module/keys/signVerify.js.map +1 -1
package/lib/module/mlkem.js +211 -0
package/lib/module/mlkem.js.map +1 -0
package/lib/module/pbkdf2.js +18 -1
package/lib/module/pbkdf2.js.map +1 -1
package/lib/module/prime.js +77 -0
package/lib/module/prime.js.map +1 -0
package/lib/module/rsa.js +1 -1
package/lib/module/rsa.js.map +1 -1
package/lib/module/specs/argon2.nitro.js +4 -0
package/lib/module/specs/argon2.nitro.js.map +1 -0
package/lib/module/specs/certificate.nitro.js +4 -0
package/lib/module/specs/certificate.nitro.js.map +1 -0
package/lib/module/specs/dhKeyPair.nitro.js +4 -0
package/lib/module/specs/dhKeyPair.nitro.js.map +1 -0
package/lib/module/specs/dsaKeyPair.nitro.js +4 -0
package/lib/module/specs/dsaKeyPair.nitro.js.map +1 -0
package/lib/module/specs/kmac.nitro.js +4 -0
package/lib/module/specs/kmac.nitro.js.map +1 -0
package/lib/module/specs/mlKemKeyPair.nitro.js +4 -0
package/lib/module/specs/mlKemKeyPair.nitro.js.map +1 -0
package/lib/module/specs/prime.nitro.js +4 -0
package/lib/module/specs/prime.nitro.js.map +1 -0
package/lib/module/specs/x509certificate.nitro.js +4 -0
package/lib/module/specs/x509certificate.nitro.js.map +1 -0
package/lib/module/subtle.js +386 -116
package/lib/module/subtle.js.map +1 -1
package/lib/module/utils/conversion.js +3 -4
package/lib/module/utils/conversion.js.map +1 -1
package/lib/module/utils/hashnames.js +31 -0
package/lib/module/utils/hashnames.js.map +1 -1
package/lib/module/utils/types.js.map +1 -1
package/lib/module/x509certificate.js +184 -0
package/lib/module/x509certificate.js.map +1 -0
package/lib/tsconfig.tsbuildinfo +1 -1
package/lib/typescript/argon2.d.ts +16 -0
package/lib/typescript/argon2.d.ts.map +1 -0
package/lib/typescript/certificate.d.ts +8 -0
package/lib/typescript/certificate.d.ts.map +1 -0
package/lib/typescript/cipher.d.ts +15 -0
package/lib/typescript/cipher.d.ts.map +1 -1
package/lib/typescript/dhKeyPair.d.ts +19 -0
package/lib/typescript/dhKeyPair.d.ts.map +1 -0
package/lib/typescript/dsa.d.ts +19 -0
package/lib/typescript/dsa.d.ts.map +1 -0
package/lib/typescript/ec.d.ts +1 -1
package/lib/typescript/ec.d.ts.map +1 -1
package/lib/typescript/ecdh.d.ts +3 -0
package/lib/typescript/ecdh.d.ts.map +1 -1
package/lib/typescript/ed.d.ts +1 -1
package/lib/typescript/ed.d.ts.map +1 -1
package/lib/typescript/hash.d.ts.map +1 -1
package/lib/typescript/hkdf.d.ts +2 -6
package/lib/typescript/hkdf.d.ts.map +1 -1
package/lib/typescript/index.d.ts +32 -4
package/lib/typescript/index.d.ts.map +1 -1
package/lib/typescript/keys/classes.d.ts +7 -5
package/lib/typescript/keys/classes.d.ts.map +1 -1
package/lib/typescript/keys/generateKeyPair.d.ts.map +1 -1
package/lib/typescript/keys/index.d.ts +2 -2
package/lib/typescript/keys/index.d.ts.map +1 -1
package/lib/typescript/keys/signVerify.d.ts.map +1 -1
package/lib/typescript/mlkem.d.ts +30 -0
package/lib/typescript/mlkem.d.ts.map +1 -0
package/lib/typescript/pbkdf2.d.ts +2 -2
package/lib/typescript/pbkdf2.d.ts.map +1 -1
package/lib/typescript/prime.d.ts +19 -0
package/lib/typescript/prime.d.ts.map +1 -0
package/lib/typescript/rsa.d.ts +1 -1
package/lib/typescript/rsa.d.ts.map +1 -1
package/lib/typescript/specs/argon2.nitro.d.ts +9 -0
package/lib/typescript/specs/argon2.nitro.d.ts.map +1 -0
package/lib/typescript/specs/certificate.nitro.d.ts +10 -0
package/lib/typescript/specs/certificate.nitro.d.ts.map +1 -0
package/lib/typescript/specs/cipher.nitro.d.ts +9 -0
package/lib/typescript/specs/cipher.nitro.d.ts.map +1 -1
package/lib/typescript/specs/dhKeyPair.nitro.d.ts +14 -0
package/lib/typescript/specs/dhKeyPair.nitro.d.ts.map +1 -0
package/lib/typescript/specs/dsaKeyPair.nitro.d.ts +13 -0
package/lib/typescript/specs/dsaKeyPair.nitro.d.ts.map +1 -0
package/lib/typescript/specs/ecdh.nitro.d.ts +1 -0
package/lib/typescript/specs/ecdh.nitro.d.ts.map +1 -1
package/lib/typescript/specs/keyObjectHandle.nitro.d.ts +1 -0
package/lib/typescript/specs/keyObjectHandle.nitro.d.ts.map +1 -1
package/lib/typescript/specs/kmac.nitro.d.ts +10 -0
package/lib/typescript/specs/kmac.nitro.d.ts.map +1 -0
package/lib/typescript/specs/mlKemKeyPair.nitro.d.ts +18 -0
package/lib/typescript/specs/mlKemKeyPair.nitro.d.ts.map +1 -0
package/lib/typescript/specs/prime.nitro.d.ts +11 -0
package/lib/typescript/specs/prime.nitro.d.ts.map +1 -0
package/lib/typescript/specs/x509certificate.nitro.d.ts +34 -0
package/lib/typescript/specs/x509certificate.nitro.d.ts.map +1 -0
package/lib/typescript/subtle.d.ts +12 -0
package/lib/typescript/subtle.d.ts.map +1 -1
package/lib/typescript/utils/conversion.d.ts.map +1 -1
package/lib/typescript/utils/hashnames.d.ts +1 -1
package/lib/typescript/utils/hashnames.d.ts.map +1 -1
package/lib/typescript/utils/types.d.ts +25 -9
package/lib/typescript/utils/types.d.ts.map +1 -1
package/lib/typescript/x509certificate.d.ts +64 -0
package/lib/typescript/x509certificate.d.ts.map +1 -0
package/nitrogen/generated/android/QuickCrypto+autolinking.cmake +8 -0
package/nitrogen/generated/android/QuickCryptoOnLoad.cpp +80 -0
package/nitrogen/generated/ios/QuickCryptoAutolinking.mm +80 -0
package/nitrogen/generated/shared/c++/AsymmetricKeyType.hpp +12 -0
package/nitrogen/generated/shared/c++/CipherInfo.hpp +104 -0
package/nitrogen/generated/shared/c++/HybridArgon2Spec.cpp +22 -0
package/nitrogen/generated/shared/c++/HybridArgon2Spec.hpp +66 -0
package/nitrogen/generated/shared/c++/HybridCertificateSpec.cpp +23 -0
package/nitrogen/generated/shared/c++/HybridCertificateSpec.hpp +64 -0
package/nitrogen/generated/shared/c++/HybridCipherSpec.cpp +1 -0
package/nitrogen/generated/shared/c++/HybridCipherSpec.hpp +4 -0
package/nitrogen/generated/shared/c++/HybridDhKeyPairSpec.cpp +27 -0
package/nitrogen/generated/shared/c++/HybridDhKeyPairSpec.hpp +69 -0
package/nitrogen/generated/shared/c++/HybridDsaKeyPairSpec.cpp +26 -0
package/nitrogen/generated/shared/c++/HybridDsaKeyPairSpec.hpp +68 -0
package/nitrogen/generated/shared/c++/HybridECDHSpec.cpp +1 -0
package/nitrogen/generated/shared/c++/HybridECDHSpec.hpp +1 -0
package/nitrogen/generated/shared/c++/HybridKeyObjectHandleSpec.cpp +1 -0
package/nitrogen/generated/shared/c++/HybridKeyObjectHandleSpec.hpp +1 -0
package/nitrogen/generated/shared/c++/HybridKmacSpec.cpp +23 -0
package/nitrogen/generated/shared/c++/HybridKmacSpec.hpp +66 -0
package/nitrogen/generated/shared/c++/HybridMlKemKeyPairSpec.cpp +31 -0
package/nitrogen/generated/shared/c++/HybridMlKemKeyPairSpec.hpp +74 -0
package/nitrogen/generated/shared/c++/HybridPrimeSpec.cpp +24 -0
package/nitrogen/generated/shared/c++/HybridPrimeSpec.hpp +67 -0
package/nitrogen/generated/shared/c++/HybridX509CertificateHandleSpec.cpp +46 -0
package/nitrogen/generated/shared/c++/HybridX509CertificateHandleSpec.hpp +96 -0
package/package.json +4 -1
package/src/argon2.ts +83 -0
package/src/certificate.ts +41 -0
package/src/cipher.ts +41 -3
package/src/dhKeyPair.ts +156 -0
package/src/dsa.ts +129 -0
package/src/ec.ts +9 -9
package/src/ecdh.ts +59 -0
package/src/ed.ts +2 -2
package/src/hash.ts +34 -11
package/src/hkdf.ts +2 -7
package/src/index.ts +16 -0
package/src/keys/classes.ts +26 -14
package/src/keys/generateKeyPair.ts +14 -0
package/src/keys/index.ts +37 -2
package/src/keys/signVerify.ts +0 -5
package/src/mlkem.ts +350 -0
package/src/pbkdf2.ts +34 -5
package/src/prime.ts +134 -0
package/src/rsa.ts +1 -1
package/src/specs/argon2.nitro.ts +29 -0
package/src/specs/certificate.nitro.ts +8 -0
package/src/specs/cipher.nitro.ts +14 -0
package/src/specs/dhKeyPair.nitro.ts +14 -0
package/src/specs/dsaKeyPair.nitro.ts +13 -0
package/src/specs/ecdh.nitro.ts +1 -0
package/src/specs/keyObjectHandle.nitro.ts +5 -0
package/src/specs/kmac.nitro.ts +12 -0
package/src/specs/mlKemKeyPair.nitro.ts +32 -0
package/src/specs/prime.nitro.ts +18 -0
package/src/specs/x509certificate.nitro.ts +38 -0
package/src/subtle.ts +821 -136
package/src/utils/conversion.ts +10 -4
package/src/utils/hashnames.ts +33 -2
package/src/utils/types.ts +64 -8
package/src/x509certificate.ts +277 -0

package/cpp/ecdh/HybridECDH.cpp CHANGED Viewed

@@ -2,6 +2,7 @@
 #include "QuickCryptoUtils.hpp"
 #include <NitroModules/ArrayBuffer.hpp>
 #include <openssl/bn.h>
+#include <openssl/core_names.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
@@ -12,15 +13,9 @@ namespace margelo::nitro::crypto {
 // Smart pointer type aliases for RAII
 using EVP_PKEY_CTX_ptr = std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)>;
-using EC_KEY_ptr = std::unique_ptr<EC_KEY, decltype(&EC_KEY_free)>;
 using EC_POINT_ptr = std::unique_ptr<EC_POINT, decltype(&EC_POINT_free)>;
 using BN_ptr = std::unique_ptr<BIGNUM, decltype(&BN_free)>;
-// Suppress deprecation warnings for EC_KEY_* functions
-// These APIs work but are deprecated in OpenSSL 3.x
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
 void HybridECDH::init(const std::string& curveName) {
   int nid = getCurveNid(curveName);
   if (nid == NID_undef) {
@@ -70,41 +65,8 @@ std::shared_ptr<ArrayBuffer> HybridECDH::computeSecret(const std::shared_ptr<Arr
     throw std::runtime_error("ECDH: private key not set");
   }
-  // Create EC_POINT from the peer's public key bytes
-  EC_POINT_ptr point(EC_POINT_new(_group.get()), EC_POINT_free);
-  if (!point) {
-    throw std::runtime_error("ECDH: failed to create EC point");
-  }
-  if (EC_POINT_oct2point(_group.get(), point.get(), otherPublicKey->data(), otherPublicKey->size(), nullptr) != 1) {
-    throw std::runtime_error("ECDH: failed to decode peer public key");
-  }
-  // Create EC_KEY for the peer
-  EC_KEY_ptr ecKey(EC_KEY_new(), EC_KEY_free);
-  if (!ecKey) {
-    throw std::runtime_error("ECDH: failed to create EC_KEY");
-  }
-  if (EC_KEY_set_group(ecKey.get(), _group.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set EC group");
-  }
-  if (EC_KEY_set_public_key(ecKey.get(), point.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set peer public key");
-  }
-  // Create EVP_PKEY for the peer
-  EVP_PKEY_ptr peerPkey(EVP_PKEY_new(), EVP_PKEY_free);
-  if (!peerPkey) {
-    throw std::runtime_error("ECDH: failed to create peer EVP_PKEY");
-  }
-  // EVP_PKEY_assign_EC_KEY takes ownership of ecKey on success
-  if (EVP_PKEY_assign_EC_KEY(peerPkey.get(), ecKey.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to assign EC_KEY to EVP_PKEY");
-  }
-  ecKey.release(); // EVP_PKEY now owns the EC_KEY
+  // Build peer EVP_PKEY from raw public key octets
+  EVP_PKEY_ptr peerPkey(createEcEvpPkey(_curveName.c_str(), otherPublicKey->data(), otherPublicKey->size()), EVP_PKEY_free);
   // Derive shared secret using EVP API
   EVP_PKEY_CTX_ptr ctx(EVP_PKEY_CTX_new(_pkey.get(), nullptr), EVP_PKEY_CTX_free);
@@ -142,19 +104,15 @@ std::shared_ptr<ArrayBuffer> HybridECDH::getPrivateKey() {
     throw std::runtime_error("ECDH: no key set");
   }
-  const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(_pkey.get());
-  if (!ec) {
-    throw std::runtime_error("ECDH: key is not an EC key");
-  }
-  const BIGNUM* priv = EC_KEY_get0_private_key(ec);
-  if (!priv) {
+  BIGNUM* priv = nullptr;
+  if (EVP_PKEY_get_bn_param(_pkey.get(), OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 || !priv) {
     throw std::runtime_error("ECDH: no private key available");
   }
   int len = BN_num_bytes(priv);
   std::vector<uint8_t> buf(len);
   BN_bn2bin(priv, buf.data());
+  BN_free(priv);
   return ToNativeArrayBuffer(buf);
 }
@@ -162,23 +120,12 @@ std::shared_ptr<ArrayBuffer> HybridECDH::getPrivateKey() {
 void HybridECDH::setPrivateKey(const std::shared_ptr<ArrayBuffer>& privateKey) {
   ensureInitialized();
-  // Create new EC_KEY
-  EC_KEY_ptr ecKey(EC_KEY_new(), EC_KEY_free);
-  if (!ecKey) {
-    throw std::runtime_error("ECDH: failed to create EC_KEY");
-  }
-  if (EC_KEY_set_group(ecKey.get(), _group.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set EC group");
-  }
   // Convert private key bytes to BIGNUM
   BN_ptr privBn(BN_bin2bn(privateKey->data(), static_cast<int>(privateKey->size()), nullptr), BN_free);
   if (!privBn) {
     throw std::runtime_error("ECDH: failed to convert private key");
   }
-  // Calculate public key from private key
   EC_POINT_ptr pubPoint(EC_POINT_new(_group.get()), EC_POINT_free);
   if (!pubPoint) {
     throw std::runtime_error("ECDH: failed to create EC point");
@@ -188,28 +135,17 @@ void HybridECDH::setPrivateKey(const std::shared_ptr<ArrayBuffer>& privateKey) {
     throw std::runtime_error("ECDH: failed to compute public key from private key");
   }
-  // Set keys on EC_KEY (these functions copy the values, so we still own privBn and pubPoint)
-  if (EC_KEY_set_private_key(ecKey.get(), privBn.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set private key");
-  }
-  if (EC_KEY_set_public_key(ecKey.get(), pubPoint.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set public key");
-  }
-  // Create new EVP_PKEY
-  EVP_PKEY_ptr pkey(EVP_PKEY_new(), EVP_PKEY_free);
-  if (!pkey) {
-    throw std::runtime_error("ECDH: failed to create EVP_PKEY");
+  size_t pubLen = EC_POINT_point2oct(_group.get(), pubPoint.get(), POINT_CONVERSION_UNCOMPRESSED, nullptr, 0, nullptr);
+  if (pubLen == 0) {
+    throw std::runtime_error("ECDH: failed to get public key length");
   }
-  // EVP_PKEY_assign_EC_KEY takes ownership of ecKey on success
-  if (EVP_PKEY_assign_EC_KEY(pkey.get(), ecKey.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to assign EC_KEY to EVP_PKEY");
+  std::vector<uint8_t> pubOct(pubLen);
+  if (EC_POINT_point2oct(_group.get(), pubPoint.get(), POINT_CONVERSION_UNCOMPRESSED, pubOct.data(), pubLen, nullptr) == 0) {
+    throw std::runtime_error("ECDH: failed to serialize public key");
   }
-  ecKey.release(); // EVP_PKEY now owns the EC_KEY
-  _pkey = std::move(pkey);
+  // Build EVP_PKEY via OSSL_PARAM_BLD
+  _pkey.reset(createEcEvpPkey(_curveName.c_str(), pubOct.data(), pubOct.size(), privBn.get()));
 }
 std::shared_ptr<ArrayBuffer> HybridECDH::getPublicKey() {
@@ -217,26 +153,14 @@ std::shared_ptr<ArrayBuffer> HybridECDH::getPublicKey() {
     throw std::runtime_error("ECDH: no key set");
   }
-  const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(_pkey.get());
-  if (!ec) {
-    throw std::runtime_error("ECDH: key is not an EC key");
-  }
-  const EC_POINT* point = EC_KEY_get0_public_key(ec);
-  const EC_GROUP* group = EC_KEY_get0_group(ec);
-  if (!point || !group) {
-    throw std::runtime_error("ECDH: incomplete key");
-  }
-  // Get uncompressed public key size
-  size_t len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, nullptr, 0, nullptr);
-  if (len == 0) {
+  size_t len = 0;
+  if (EVP_PKEY_get_octet_string_param(_pkey.get(), OSSL_PKEY_PARAM_PUB_KEY, nullptr, 0, &len) != 1 || len == 0) {
     throw std::runtime_error("ECDH: failed to get public key length");
   }
   std::vector<uint8_t> buf(len);
-  if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, buf.data(), len, nullptr) == 0) {
-    throw std::runtime_error("ECDH: failed to encode public key");
+  if (EVP_PKEY_get_octet_string_param(_pkey.get(), OSSL_PKEY_PARAM_PUB_KEY, buf.data(), buf.size(), &len) != 1) {
+    throw std::runtime_error("ECDH: failed to get public key");
   }
   return ToNativeArrayBuffer(buf);
@@ -245,43 +169,43 @@ std::shared_ptr<ArrayBuffer> HybridECDH::getPublicKey() {
 void HybridECDH::setPublicKey(const std::shared_ptr<ArrayBuffer>& publicKey) {
   ensureInitialized();
-  // Create EC_POINT from the public key bytes
-  EC_POINT_ptr point(EC_POINT_new(_group.get()), EC_POINT_free);
-  if (!point) {
-    throw std::runtime_error("ECDH: failed to create EC point");
-  }
+  // Build EVP_PKEY directly from public key octets
+  _pkey.reset(createEcEvpPkey(_curveName.c_str(), publicKey->data(), publicKey->size()));
+}
-  if (EC_POINT_oct2point(_group.get(), point.get(), publicKey->data(), publicKey->size(), nullptr) != 1) {
-    throw std::runtime_error("ECDH: invalid public key");
+std::shared_ptr<ArrayBuffer> HybridECDH::convertKey(const std::shared_ptr<ArrayBuffer>& key, const std::string& curve, double format) {
+  int nid = getCurveNid(curve);
+  if (nid == NID_undef) {
+    throw std::runtime_error("ECDH: unknown curve: " + curve);
   }
-  // Create new EC_KEY
-  EC_KEY_ptr ecKey(EC_KEY_new(), EC_KEY_free);
-  if (!ecKey) {
-    throw std::runtime_error("ECDH: failed to create EC_KEY");
+  EC_GROUP_ptr group(EC_GROUP_new_by_curve_name(nid), EC_GROUP_free);
+  if (!group) {
+    throw std::runtime_error("ECDH: failed to create EC group for curve: " + curve);
   }
-  if (EC_KEY_set_group(ecKey.get(), _group.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set EC group");
+  EC_POINT_ptr point(EC_POINT_new(group.get()), EC_POINT_free);
+  if (!point) {
+    throw std::runtime_error("ECDH: failed to create EC point");
   }
-  if (EC_KEY_set_public_key(ecKey.get(), point.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to set public key");
+  if (EC_POINT_oct2point(group.get(), point.get(), key->data(), key->size(), nullptr) != 1) {
+    throw std::runtime_error("ECDH: failed to decode public key");
   }
-  // Create new EVP_PKEY
-  EVP_PKEY_ptr pkey(EVP_PKEY_new(), EVP_PKEY_free);
-  if (!pkey) {
-    throw std::runtime_error("ECDH: failed to create EVP_PKEY");
+  auto form = static_cast<point_conversion_form_t>(static_cast<int>(format));
+  size_t len = EC_POINT_point2oct(group.get(), point.get(), form, nullptr, 0, nullptr);
+  if (len == 0) {
+    throw std::runtime_error("ECDH: failed to get converted key length");
   }
-  // EVP_PKEY_assign_EC_KEY takes ownership of ecKey on success
-  if (EVP_PKEY_assign_EC_KEY(pkey.get(), ecKey.get()) != 1) {
-    throw std::runtime_error("ECDH: failed to assign EC_KEY to EVP_PKEY");
+  std::vector<uint8_t> buf(len);
+  if (EC_POINT_point2oct(group.get(), point.get(), form, buf.data(), len, nullptr) == 0) {
+    throw std::runtime_error("ECDH: failed to convert key");
   }
-  ecKey.release(); // EVP_PKEY now owns the EC_KEY
-  _pkey = std::move(pkey);
+  return ToNativeArrayBuffer(buf);
 }
 void HybridECDH::ensureInitialized() const {
@@ -301,6 +225,4 @@ int HybridECDH::getCurveNid(const std::string& name) {
   return nid;
 }
-#pragma clang diagnostic pop
 } // namespace margelo::nitro::crypto

package/cpp/ecdh/HybridECDH.hpp CHANGED Viewed

@@ -28,6 +28,7 @@ class HybridECDH : public HybridECDHSpec {
   void setPrivateKey(const std::shared_ptr<ArrayBuffer>& privateKey) override;
   std::shared_ptr<ArrayBuffer> getPublicKey() override;
   void setPublicKey(const std::shared_ptr<ArrayBuffer>& publicKey) override;
+  std::shared_ptr<ArrayBuffer> convertKey(const std::shared_ptr<ArrayBuffer>& key, const std::string& curve, double format) override;
  private:
   EVP_PKEY_ptr _pkey;

package/cpp/keys/HybridKeyObjectHandle.cpp CHANGED Viewed

@@ -5,6 +5,7 @@
 #include "HybridKeyObjectHandle.hpp"
 #include "QuickCryptoUtils.hpp"
 #include <openssl/bn.h>
+#include <openssl/core_names.h>
 #include <openssl/crypto.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
@@ -91,9 +92,9 @@ std::shared_ptr<ArrayBuffer> HybridKeyObjectHandle::exportKey(std::optional<KFor
                                                               const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
   auto keyType = data_.GetKeyType();
-  // Handle secret keys
+  // Copy to avoid JSI ArrayBuffer GC issues. See #645.
   if (keyType == KeyType::SECRET) {
-    return data_.GetSymmetricKey();
+    return ToNativeArrayBuffer(data_.GetSymmetricKey());
   }
   // Handle asymmetric keys (public/private)
@@ -125,6 +126,42 @@ std::shared_ptr<ArrayBuffer> HybridKeyObjectHandle::exportKey(std::optional<KFor
       }
     }
+    // For EC keys, handle raw format (uncompressed point)
+    if (!format.has_value() && !type.has_value() && keyId == EVP_PKEY_EC && keyType == KeyType::PUBLIC) {
+      size_t len = 0;
+      if (EVP_PKEY_get_octet_string_param(pkey.get(), OSSL_PKEY_PARAM_PUB_KEY, nullptr, 0, &len) != 1 || len == 0)
+        throw std::runtime_error("Failed to get EC public key size");
+      std::vector<uint8_t> buf(len);
+      if (EVP_PKEY_get_octet_string_param(pkey.get(), OSSL_PKEY_PARAM_PUB_KEY, buf.data(), buf.size(), &len) != 1)
+        throw std::runtime_error("Failed to get EC public key");
+      return ToNativeArrayBuffer(std::string(reinterpret_cast<const char*>(buf.data()), len));
+    }
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+    if (!format.has_value() && !type.has_value()) {
+      const char* typeName = EVP_PKEY_get0_type_name(pkey.get());
+      if (typeName != nullptr) {
+        std::string name(typeName);
+        bool isPqcKey = (name.starts_with("ML-KEM-") || name.starts_with("ML-DSA-"));
+        if (isPqcKey) {
+          if (keyType == KeyType::PUBLIC) {
+            auto rawData = pkey.rawPublicKey();
+            if (!rawData) {
+              throw std::runtime_error("Failed to get raw PQC public key");
+            }
+            return ToNativeArrayBuffer(std::string(reinterpret_cast<const char*>(rawData.get()), rawData.size()));
+          } else {
+            auto rawData = pkey.rawSeed();
+            if (!rawData) {
+              throw std::runtime_error("Failed to get raw PQC seed");
+            }
+            return ToNativeArrayBuffer(std::string(reinterpret_cast<const char*>(rawData.get()), rawData.size()));
+          }
+        }
+      }
+    }
+#endif
     // Set default format and type if not provided
     auto exportFormat = format.value_or(KFormatType::DER);
     auto exportType = type.value_or(keyType == KeyType::PUBLIC ? KeyEncoding::SPKI : KeyEncoding::PKCS8);
@@ -239,54 +276,50 @@ JWK HybridKeyObjectHandle::exportJwk(const JWK& key, bool handleRsaPss) {
   // Export EC keys
   if (keyId == EVP_PKEY_EC) {
-    const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey.get());
-    if (!ec)
-      throw std::runtime_error("Failed to get EC key");
-    const EC_GROUP* group = EC_KEY_get0_group(ec);
-    if (!group)
-      throw std::runtime_error("Failed to get EC group");
+    char curve_name_buf[64];
+    size_t name_len = 0;
+    if (EVP_PKEY_get_utf8_string_param(pkey.get(), OSSL_PKEY_PARAM_GROUP_NAME, curve_name_buf, sizeof(curve_name_buf), &name_len) != 1)
+      throw std::runtime_error("Failed to get EC group name");
-    int nid = EC_GROUP_get_curve_name(group);
-    const char* curve_name = OBJ_nid2sn(nid);
-    if (!curve_name)
-      throw std::runtime_error("Unknown curve");
+    std::string curve_name(curve_name_buf, name_len);
-    // Get the field size in bytes for proper padding
-    size_t field_size = (EC_GROUP_get_degree(group) + 7) / 8;
+    int bits = EVP_PKEY_bits(pkey.get());
+    if (bits <= 0)
+      throw std::runtime_error("Failed to get EC key size");
+    size_t field_size = (static_cast<size_t>(bits) + 7) / 8;
     result.kty = JWKkty::EC;
     // Map OpenSSL curve names to JWK curve names
-    if (strcmp(curve_name, "prime256v1") == 0) {
+    if (curve_name == "prime256v1") {
       result.crv = "P-256";
-    } else if (strcmp(curve_name, "secp384r1") == 0) {
+    } else if (curve_name == "secp384r1") {
       result.crv = "P-384";
-    } else if (strcmp(curve_name, "secp521r1") == 0) {
+    } else if (curve_name == "secp521r1") {
       result.crv = "P-521";
     } else {
       result.crv = curve_name;
     }
-    const EC_POINT* pub_key = EC_KEY_get0_public_key(ec);
-    if (pub_key) {
-      BIGNUM* x_bn = BN_new();
-      BIGNUM* y_bn = BN_new();
-      if (EC_POINT_get_affine_coordinates(group, pub_key, x_bn, y_bn, nullptr) == 1) {
-        result.x = bn_to_base64url(x_bn, field_size);
-        result.y = bn_to_base64url(y_bn, field_size);
-      }
+    BIGNUM* x_bn = nullptr;
+    BIGNUM* y_bn = nullptr;
+    if (EVP_PKEY_get_bn_param(pkey.get(), OSSL_PKEY_PARAM_EC_PUB_X, &x_bn) != 1 ||
+        EVP_PKEY_get_bn_param(pkey.get(), OSSL_PKEY_PARAM_EC_PUB_Y, &y_bn) != 1) {
       BN_free(x_bn);
       BN_free(y_bn);
+      throw std::runtime_error("Failed to get EC public key coordinates");
     }
+    result.x = bn_to_base64url(x_bn, field_size);
+    result.y = bn_to_base64url(y_bn, field_size);
+    BN_free(x_bn);
+    BN_free(y_bn);
     // Export private key if this is a private key
     if (keyType == KeyType::PRIVATE) {
-      const BIGNUM* priv_key = EC_KEY_get0_private_key(ec);
-      if (priv_key) {
-        result.d = bn_to_base64url(priv_key, field_size);
+      BIGNUM* priv_bn = nullptr;
+      if (EVP_PKEY_get_bn_param(pkey.get(), OSSL_PKEY_PARAM_PRIV_KEY, &priv_bn) == 1 && priv_bn) {
+        result.d = bn_to_base64url(priv_bn, field_size);
+        BN_free(priv_bn);
       }
     }
@@ -370,8 +403,25 @@ AsymmetricKeyType HybridKeyObjectHandle::getAsymmetricKeyType() {
       return AsymmetricKeyType::ML_DSA_87;
 #endif
     default:
-      throw std::runtime_error("Unsupported asymmetric key type");
+      break;
+  }
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+  // EVP_PKEY_id returns -1 for provider-only key types (e.g. ML-KEM)
+  // Fall back to string-based type name comparison
+  const char* typeName = EVP_PKEY_get0_type_name(pkey.get());
+  if (typeName != nullptr) {
+    std::string name(typeName);
+    if (name == "ML-KEM-512")
+      return AsymmetricKeyType::ML_KEM_512;
+    if (name == "ML-KEM-768")
+      return AsymmetricKeyType::ML_KEM_768;
+    if (name == "ML-KEM-1024")
+      return AsymmetricKeyType::ML_KEM_1024;
   }
+#endif
+  throw std::runtime_error("Unsupported asymmetric key type");
 }
 bool HybridKeyObjectHandle::init(KeyType keyType, const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& key,
@@ -555,81 +605,54 @@ std::optional<KeyType> HybridKeyObjectHandle::initJwk(const JWK& keyData, std::o
     std::string crv = keyData.crv.value();
-    // Map JWK curve names to OpenSSL NIDs
-    int nid;
+    // Map JWK curve names to OpenSSL group names and field sizes
+    const char* group_name;
+    size_t field_size;
     if (crv == "P-256") {
-      nid = NID_X9_62_prime256v1;
+      group_name = "prime256v1";
+      field_size = 32;
     } else if (crv == "P-384") {
-      nid = NID_secp384r1;
+      group_name = "secp384r1";
+      field_size = 48;
     } else if (crv == "P-521") {
-      nid = NID_secp521r1;
+      group_name = "secp521r1";
+      field_size = 66;
     } else {
       throw std::runtime_error("Unsupported EC curve: " + crv);
     }
-    // Create EC_KEY
-    EC_KEY* ec = EC_KEY_new_by_curve_name(nid);
-    if (!ec)
-      throw std::runtime_error("Failed to create EC key");
-    const EC_GROUP* group = EC_KEY_get0_group(ec);
     // Decode public key coordinates
     BIGNUM* x_bn = base64url_to_bn(keyData.x.value());
     BIGNUM* y_bn = base64url_to_bn(keyData.y.value());
     if (!x_bn || !y_bn) {
-      EC_KEY_free(ec);
-      throw std::runtime_error("Failed to decode EC public key coordinates");
-    }
-    // Set public key
-    EC_POINT* pub_key = EC_POINT_new(group);
-    if (!pub_key || EC_POINT_set_affine_coordinates(group, pub_key, x_bn, y_bn, nullptr) != 1) {
       BN_free(x_bn);
       BN_free(y_bn);
-      if (pub_key)
-        EC_POINT_free(pub_key);
-      EC_KEY_free(ec);
-      throw std::runtime_error("Failed to set EC public key");
+      throw std::runtime_error("Failed to decode EC public key coordinates");
     }
+    // Build uncompressed point: 0x04 || x_padded || y_padded
+    std::vector<uint8_t> pub_oct(1 + 2 * field_size, 0);
+    pub_oct[0] = 0x04;
+    BN_bn2binpad(x_bn, pub_oct.data() + 1, static_cast<int>(field_size));
+    BN_bn2binpad(y_bn, pub_oct.data() + 1 + field_size, static_cast<int>(field_size));
     BN_free(x_bn);
     BN_free(y_bn);
-    if (EC_KEY_set_public_key(ec, pub_key) != 1) {
-      EC_POINT_free(pub_key);
-      EC_KEY_free(ec);
-      throw std::runtime_error("Failed to set EC public key on EC_KEY");
-    }
-    EC_POINT_free(pub_key);
-    // Set private key if present
+    BIGNUM* d_bn = nullptr;
     if (isPrivate) {
-      BIGNUM* d_bn = base64url_to_bn(keyData.d.value());
-      if (!d_bn) {
-        EC_KEY_free(ec);
+      d_bn = base64url_to_bn(keyData.d.value());
+      if (!d_bn)
         throw std::runtime_error("Failed to decode EC private key");
-      }
-      if (EC_KEY_set_private_key(ec, d_bn) != 1) {
-        BN_free(d_bn);
-        EC_KEY_free(ec);
-        throw std::runtime_error("Failed to set EC private key");
-      }
-      BN_free(d_bn);
     }
-    // Create EVP_PKEY from EC_KEY
-    EVP_PKEY* pkey = EVP_PKEY_new();
-    if (!pkey || EVP_PKEY_assign_EC_KEY(pkey, ec) != 1) {
-      EC_KEY_free(ec);
-      if (pkey)
-        EVP_PKEY_free(pkey);
-      throw std::runtime_error("Failed to create EVP_PKEY from EC_KEY");
+    EVP_PKEY* pkey = nullptr;
+    try {
+      pkey = createEcEvpPkey(group_name, pub_oct.data(), pub_oct.size(), d_bn);
+    } catch (...) {
+      BN_free(d_bn);
+      throw;
     }
+    BN_free(d_bn);
     KeyType type = isPrivate ? KeyType::PRIVATE : KeyType::PUBLIC;
     data_ = KeyObjectData::CreateAsymmetric(type, ncrypto::EVPKeyPointer(pkey));
@@ -714,20 +737,11 @@ KeyDetail HybridKeyObjectHandle::keyDetail() {
   }
   if (keyType == EVP_PKEY_EC) {
-    // Extract EC curve name
-    EC_KEY* ec_key = EVP_PKEY_get1_EC_KEY(pkey);
-    if (ec_key) {
-      const EC_GROUP* group = EC_KEY_get0_group(ec_key);
-      if (group) {
-        int nid = EC_GROUP_get_curve_name(group);
-        const char* curve_name = OBJ_nid2sn(nid);
-        if (curve_name) {
-          std::string namedCurve(curve_name);
-          EC_KEY_free(ec_key);
-          return KeyDetail(std::nullopt, std::nullopt, std::nullopt, std::nullopt, std::nullopt, std::nullopt, namedCurve);
-        }
-      }
-      EC_KEY_free(ec_key);
+    char curve_name[64];
+    size_t name_len = 0;
+    if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, curve_name, sizeof(curve_name), &name_len) == 1) {
+      return KeyDetail(std::nullopt, std::nullopt, std::nullopt, std::nullopt, std::nullopt, std::nullopt,
+                       std::string(curve_name, name_len));
     }
   }
@@ -793,48 +807,56 @@ bool HybridKeyObjectHandle::initECRaw(const std::string& namedCurve, const std::
     throw std::runtime_error("Unknown curve: " + namedCurve);
   }
-  // Create EC_GROUP for the curve
-  ncrypto::ECGroupPointer group = ncrypto::ECGroupPointer::NewByCurveName(nid);
-  if (!group) {
-    throw std::runtime_error("Failed to create EC_GROUP for curve");
+  // Get the OpenSSL group name for this curve
+  const char* group_name = OBJ_nid2sn(nid);
+  if (!group_name) {
+    throw std::runtime_error("Failed to get curve name for NID");
   }
-  // Create EC_POINT from raw bytes
-  ncrypto::ECPointPointer point = ncrypto::ECPointPointer::New(group.get());
-  if (!point) {
-    throw std::runtime_error("Failed to create EC_POINT");
-  }
+  EVP_PKEY* pkey = createEcEvpPkey(group_name, keyData->data(), keyData->size());
+  this->data_ = KeyObjectData::CreateAsymmetric(KeyType::PUBLIC, ncrypto::EVPKeyPointer(pkey));
+  return true;
+}
-  // Convert raw bytes to EC_POINT
-  ncrypto::Buffer<const unsigned char> buffer{.data = reinterpret_cast<const unsigned char*>(keyData->data()), .len = keyData->size()};
+bool HybridKeyObjectHandle::initPqcRaw(const std::string& algorithmName, const std::shared_ptr<ArrayBuffer>& keyData, bool isPublic) {
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+  data_ = KeyObjectData();
-  if (!point.setFromBuffer(buffer, group.get())) {
-    throw std::runtime_error("Failed to read DER asymmetric key");
-  }
+  int nid = 0;
+  if (algorithmName == "ML-KEM-512")
+    nid = EVP_PKEY_ML_KEM_512;
+  else if (algorithmName == "ML-KEM-768")
+    nid = EVP_PKEY_ML_KEM_768;
+  else if (algorithmName == "ML-KEM-1024")
+    nid = EVP_PKEY_ML_KEM_1024;
+  else if (algorithmName == "ML-DSA-44")
+    nid = EVP_PKEY_ML_DSA_44;
+  else if (algorithmName == "ML-DSA-65")
+    nid = EVP_PKEY_ML_DSA_65;
+  else if (algorithmName == "ML-DSA-87")
+    nid = EVP_PKEY_ML_DSA_87;
+  else
+    throw std::runtime_error("Unknown PQC algorithm: " + algorithmName);
-  // Create EC_KEY and set the public key
-  ncrypto::ECKeyPointer ec = ncrypto::ECKeyPointer::New(group.get());
-  if (!ec) {
-    throw std::runtime_error("Failed to create EC_KEY");
-  }
+  ncrypto::Buffer<const unsigned char> buffer{.data = reinterpret_cast<const unsigned char*>(keyData->data()), .len = keyData->size()};
-  if (!ec.setPublicKey(point)) {
-    throw std::runtime_error("Failed to set public key on EC_KEY");
+  ncrypto::EVPKeyPointer pkey;
+  if (isPublic) {
+    pkey = ncrypto::EVPKeyPointer::NewRawPublic(nid, buffer);
+  } else {
+    pkey = ncrypto::EVPKeyPointer::NewRawSeed(nid, buffer);
   }
-  // Create EVP_PKEY from EC_KEY
-  ncrypto::EVPKeyPointer pkey = ncrypto::EVPKeyPointer::New();
   if (!pkey) {
-    throw std::runtime_error("Failed to create EVP_PKEY");
-  }
-  if (!pkey.set(ec)) {
-    throw std::runtime_error("Failed to assign EC_KEY to EVP_PKEY");
+    return false;
   }
-  // Store as public key
-  this->data_ = KeyObjectData::CreateAsymmetric(KeyType::PUBLIC, std::move(pkey));
+  auto keyType = isPublic ? KeyType::PUBLIC : KeyType::PRIVATE;
+  this->data_ = KeyObjectData::CreateAsymmetric(keyType, std::move(pkey));
   return true;
+#else
+  throw std::runtime_error("PQC raw key import requires OpenSSL 3.5+");
+#endif
 }
 bool HybridKeyObjectHandle::keyEquals(const std::shared_ptr<HybridKeyObjectHandleSpec>& other) {