react-native-quick-crypto 1.0.11 → 1.0.12

package/lib/commonjs/subtle.js

@@ -21,9 +21,11 @@ var _ec = require("./ec");
 var _rsa = require("./rsa");
 var _random = require("./random");
 var _hmac = require("./hmac");
+var _timingSafeEqual = require("./utils/timingSafeEqual");
 var _signVerify = require("./keys/signVerify");
 var _ed = require("./ed");
 var _mldsa = require("./mldsa");
+var _mlkem = require("./mlkem");
 var _hkdf = require("./hkdf");
 /* eslint-disable @typescript-eslint/no-unused-vars */
 // Temporary enums that need to be defined
@@ -488,6 +490,100 @@ async function hmacGenerateKey(algorithm, extractable, keyUsages) {
   };
   return new _keys.CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
 }
+async function kmacGenerateKey(algorithm, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
+  }
+  const defaultLength = name === 'KMAC128' ? 128 : 256;
+  const length = algorithm.length ?? defaultLength;
+  if (length === 0) {
+    throw (0, _errors.lazyDOMException)('Zero-length key is not supported', 'OperationError');
+  }
+  const keyBytes = new Uint8Array(Math.ceil(length / 8));
+  (0, _random.getRandomValues)(keyBytes);
+  const keyObject = (0, _keys.createSecretKey)(keyBytes);
+  const keyAlgorithm = {
+    name: name,
+    length
+  };
+  return new _keys.CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+function kmacSignVerify(key, data, algorithm, signature) {
+  const {
+    name
+  } = algorithm;
+  const defaultLength = name === 'KMAC128' ? 256 : 512;
+  const outputLengthBits = algorithm.length ?? defaultLength;
+  if (outputLengthBits % 8 !== 0) {
+    throw (0, _errors.lazyDOMException)('KMAC output length must be a multiple of 8', 'OperationError');
+  }
+  const outputLengthBytes = outputLengthBits / 8;
+  const keyData = key.keyObject.export();
+  const kmac = _reactNativeNitroModules.NitroModules.createHybridObject('Kmac');
+  let customizationBuffer;
+  if (algorithm.customization !== undefined) {
+    customizationBuffer = (0, _conversion.bufferLikeToArrayBuffer)(algorithm.customization);
+  }
+  kmac.createKmac(name, (0, _conversion.bufferLikeToArrayBuffer)(keyData), outputLengthBytes, customizationBuffer);
+  kmac.update((0, _conversion.bufferLikeToArrayBuffer)(data));
+  const computed = kmac.digest();
+  if (signature === undefined) {
+    return computed;
+  }
+  const sigBuffer = (0, _conversion.bufferLikeToArrayBuffer)(signature);
+  if (computed.byteLength !== sigBuffer.byteLength) {
+    return false;
+  }
+  return (0, _timingSafeEqual.timingSafeEqual)(new Uint8Array(computed), new Uint8Array(sigBuffer));
+}
+async function kmacImportKey(algorithm, format, data, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
+  }
+  let keyObject;
+  if (format === 'jwk') {
+    const jwk = data;
+    if (!jwk || typeof jwk !== 'object') {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
+    }
+    if (jwk.kty !== 'oct') {
+      throw (0, _errors.lazyDOMException)('Invalid JWK format for KMAC key', 'DataError');
+    }
+    const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
+    if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
+      throw (0, _errors.lazyDOMException)('JWK "alg" does not match the requested algorithm', 'DataError');
+    }
+    const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+    if (keyType === undefined || keyType !== 0) {
+      throw (0, _errors.lazyDOMException)('Failed to import KMAC JWK', 'DataError');
+    }
+    keyObject = new _keys.SecretKeyObject(handle);
+  } else if (format === 'raw' || format === 'raw-secret') {
+    keyObject = (0, _keys.createSecretKey)(data);
+  } else {
+    throw (0, _errors.lazyDOMException)(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
+  }
+  const exported = keyObject.export();
+  const keyLength = exported.byteLength * 8;
+  if (keyLength === 0) {
+    throw (0, _errors.lazyDOMException)('Zero-length key is not supported', 'DataError');
+  }
+  if (algorithm.length !== undefined && algorithm.length !== keyLength) {
+    throw (0, _errors.lazyDOMException)('Invalid key length', 'DataError');
+  }
+  const keyAlgorithm = {
+    name: name,
+    length: keyLength
+  };
+  return new _keys.CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
 function rsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
@@ -725,28 +821,48 @@ function edImportKey(format, data, algorithm, extractable, keyUsages) {
     name
   }, keyUsages, extractable);
 }
+function pqcImportKeyObject(format, data, name) {
+  if (format === 'spki') {
+    return _keys.KeyObject.createKeyObject('public', (0, _conversion.bufferLikeToArrayBuffer)(data), _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
+  } else if (format === 'pkcs8') {
+    return _keys.KeyObject.createKeyObject('private', (0, _conversion.bufferLikeToArrayBuffer)(data), _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
+  } else if (format === 'raw') {
+    const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, (0, _conversion.bufferLikeToArrayBuffer)(data), true)) {
+      throw (0, _errors.lazyDOMException)(`Failed to import ${name} raw public key`, 'DataError');
+    }
+    return new _keys.PublicKeyObject(handle);
+  } else if (format === 'raw-seed') {
+    const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, (0, _conversion.bufferLikeToArrayBuffer)(data), false)) {
+      throw (0, _errors.lazyDOMException)(`Failed to import ${name} raw seed`, 'DataError');
+    }
+    return new _keys.PrivateKeyObject(handle);
+  }
+  throw (0, _errors.lazyDOMException)(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
+}
 function mldsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
     throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  let keyObject;
-  if (format === 'spki') {
-    // Import public key
-    const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
-    keyObject = _keys.KeyObject.createKeyObject('public', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
-  } else if (format === 'pkcs8') {
-    // Import private key
-    const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
-    keyObject = _keys.KeyObject.createKeyObject('private', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
-  } else {
-    throw (0, _errors.lazyDOMException)(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
+  return new _keys.CryptoKey(pqcImportKeyObject(format, data, name), {
+    name
+  }, keyUsages, extractable);
+}
+function mlkemImportKey(format, data, algorithm, extractable, keyUsages) {
+  const {
+    name
+  } = algorithm;
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  const allowedUsages = isPublicFormat ? ['encapsulateBits', 'encapsulateKey'] : ['decapsulateBits', 'decapsulateKey'];
+  if (hasAnyNotIn(keyUsages, allowedUsages)) {
+    throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  return new _keys.CryptoKey(keyObject, {
+  return new _keys.CryptoKey(pqcImportKeyObject(format, data, name), {
     name
   }, keyUsages, extractable);
 }
@@ -790,6 +906,15 @@ const exportKeySpki = async key => {
         return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.SPKI));
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'public') {
+        return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.SPKI));
+      }
+      break;
   }
   throw new Error(`Unable to export a spki ${key.algorithm.name} ${key.type} key`);
 };
@@ -833,6 +958,15 @@ const exportKeyPkcs8 = async key => {
         return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8));
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8));
+      }
+      break;
   }
   throw new Error(`Unable to export a pkcs8 ${key.algorithm.name} ${key.type} key`);
 };
@@ -853,7 +987,22 @@ const exportKeyRaw = key => {
     // Fall through
     case 'X448':
       if (key.type === 'public') {
-        // Export raw public key
+        const exported = key.keyObject.handle.exportKey();
+        return (0, _conversion.bufferLikeToArrayBuffer)(exported);
+      }
+      break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
+      if (key.type === 'public') {
         const exported = key.keyObject.handle.exportKey();
         return (0, _conversion.bufferLikeToArrayBuffer)(exported);
       }
@@ -871,6 +1020,10 @@ const exportKeyRaw = key => {
     case 'ChaCha20-Poly1305':
     // Fall through
     case 'HMAC':
+    // Fall through
+    case 'KMAC128':
+    // Fall through
+    case 'KMAC256':
       {
         const exported = key.keyObject.export();
         // Convert Buffer to ArrayBuffer
@@ -897,6 +1050,12 @@ const exportKeyJWK = key => {
     case 'HMAC':
       jwk.alg = (0, _hashnames.normalizeHashName)(key.algorithm.hash, _hashnames.HashContext.JwkHmac);
       return jwk;
+    case 'KMAC128':
+      jwk.alg = 'K128';
+      return jwk;
+    case 'KMAC256':
+      jwk.alg = 'K256';
+      return jwk;
     case 'ECDSA':
     // Fall through
     case 'ECDH':
@@ -1035,20 +1194,12 @@ function hmacSignVerify(key, data, signature) {
     // Sign operation - return the HMAC as ArrayBuffer
     return computed.buffer.slice(computed.byteOffset, computed.byteOffset + computed.byteLength);
   }
-
-  // Verify operation - compare computed HMAC with provided signature
-  const sigBytes = new Uint8Array((0, _conversion.bufferLikeToArrayBuffer)(signature));
-  const computedBytes = new Uint8Array(computed.buffer, computed.byteOffset, computed.byteLength);
-  if (computedBytes.length !== sigBytes.length) {
+  const sigBuffer = (0, _conversion.bufferLikeToArrayBuffer)(signature);
+  const computedBuffer = computed.buffer.slice(computed.byteOffset, computed.byteOffset + computed.byteLength);
+  if (computedBuffer.byteLength !== sigBuffer.byteLength) {
     return false;
   }
-
-  // Constant-time comparison to prevent timing attacks
-  let result = 0;
-  for (let i = 0; i < computedBytes.length; i++) {
-    result |= computedBytes[i] ^ sigBytes[i];
-  }
-  return result === 0;
+  return (0, _timingSafeEqual.timingSafeEqual)(new Uint8Array(computedBuffer), new Uint8Array(sigBuffer));
 }
 function rsaSignVerify(key, data, padding, signature, saltLength) {
   // Get hash algorithm from key
@@ -1151,6 +1302,9 @@ const signVerify = (algorithm, key, data, signature) => {
     case 'ML-DSA-65':
     case 'ML-DSA-87':
       return mldsaSignVerify(key, data, signature);
+    case 'KMAC128':
+    case 'KMAC256':
+      return kmacSignVerify(key, data, algorithm, signature);
   }
   throw (0, _errors.lazyDOMException)(`Unrecognized algorithm name '${algorithm.name}' for '${usage}'`, 'NotSupportedError');
 };
@@ -1179,17 +1333,21 @@ const cipherOrWrap = async (mode, algorithm, key, data, op) => {
 const SUPPORTED_ALGORITHMS = {
   encrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
   decrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
-  sign: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  verify: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512']),
-  generateKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  importKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'HKDF', 'PBKDF2', 'Argon2d', 'Argon2i', 'Argon2id', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  exportKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
+  sign: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
+  verify: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
+  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'cSHAKE128', 'cSHAKE256']),
+  generateKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  importKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'HKDF', 'PBKDF2', 'Argon2d', 'Argon2i', 'Argon2id', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  exportKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
   deriveBits: new Set(['PBKDF2', 'HKDF', 'ECDH', 'X25519', 'X448', 'Argon2d', 'Argon2i', 'Argon2id']),
   wrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
-  unwrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP'])
+  unwrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
+  encapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  encapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024'])
 };
-const ASYMMETRIC_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']);
+const ASYMMETRIC_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']);
 class Subtle {
   static supports(operation, algorithm, _lengthOrAdditionalAlgorithm) {
     let normalizedAlgorithm;
@@ -1296,6 +1454,18 @@ class Subtle {
   }
   async exportKey(format, key) {
     if (!key.extractable) throw new Error('key is not extractable');
+    if (format === 'raw-seed') {
+      const pqcAlgos = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87'];
+      if (!pqcAlgos.includes(key.algorithm.name)) {
+        throw (0, _errors.lazyDOMException)('raw-seed export only supported for PQC keys', 'NotSupportedError');
+      }
+      if (key.type !== 'private') {
+        throw (0, _errors.lazyDOMException)('raw-seed export requires a private key', 'InvalidAccessError');
+      }
+      return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey());
+    }
+
+    // Note: 'raw-seed' is handled above; do NOT normalize it here
     if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     switch (format) {
       case 'spki':
@@ -1421,6 +1591,11 @@ class Subtle {
       case 'HMAC':
         result = await hmacGenerateKey(algorithm, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacGenerateKey(algorithm, extractable, keyUsages);
+        break;
       case 'Ed25519':
       // Fall through
       case 'Ed448':
@@ -1441,6 +1616,14 @@ class Subtle {
         result = await (0, _ed.x_generateKeyPairWebCrypto)(algorithm.name.toLowerCase(), extractable, keyUsages);
         checkCryptoKeyPairUsages(result);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = await (0, _mlkem.mlkem_generateKeyPairWebCrypto)(algorithm.name, extractable, keyUsages);
+        checkCryptoKeyPairUsages(result);
+        break;
       default:
         throw new Error(`'subtle.generateKey()' is not implemented for ${algorithm.name}.
             Unrecognized algorithm name`);
@@ -1458,6 +1641,7 @@ class Subtle {
     return publicKeyObject.toCryptoKey(key.algorithm, true, keyUsages);
   }
   async importKey(format, data, algorithm, extractable, keyUsages) {
+    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
     if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result;
@@ -1477,6 +1661,11 @@ class Subtle {
       case 'HMAC':
         result = await hmacImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
+        break;
       case 'AES-CTR':
       // Fall through
       case 'AES-CBC':
@@ -1515,6 +1704,13 @@ class Subtle {
       case 'ML-DSA-87':
         result = mldsaImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = mlkemImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
+        break;
       default:
         throw new Error(`"subtle.importKey()" is not implemented for ${normalizedAlgorithm.name}`);
     }
@@ -1524,85 +1720,65 @@ class Subtle {
     return result;
   }
   async sign(algorithm, key, data) {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'sign');
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('sign')) {
-        throw (0, _errors.lazyDOMException)('Key does not have sign usage', 'InvalidAccessError');
-      }
-
-      // Get hash algorithm from key or algorithm params
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm;
-      let hashAlgorithm = 'SHA-256';
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
-
-      // Create HMAC and sign
-      const keyData = key.keyObject.export();
-      const hmac = (0, _hmac.createHmac)(hashAlgorithm, keyData);
-      hmac.update((0, _conversion.bufferLikeToArrayBuffer)(data));
-      return (0, _conversion.bufferLikeToArrayBuffer)(hmac.digest());
-    }
-    return signVerify(normalizedAlgorithm, key, data);
+    return signVerify(normalizeAlgorithm(algorithm, 'sign'), key, data);
   }
   async verify(algorithm, key, signature, data) {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'verify');
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('verify')) {
-        throw (0, _errors.lazyDOMException)('Key does not have verify usage', 'InvalidAccessError');
-      }
-
-      // Get hash algorithm
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm;
-      let hashAlgorithm = 'SHA-256';
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
-
-      // Create HMAC and compute expected signature
-      const keyData = key.keyObject.export();
-      const hmac = (0, _hmac.createHmac)(hashAlgorithm, keyData);
-      const dataBuffer = (0, _conversion.bufferLikeToArrayBuffer)(data);
-      hmac.update(dataBuffer);
-      const expectedDigest = hmac.digest();
-      const expected = new Uint8Array((0, _conversion.bufferLikeToArrayBuffer)(expectedDigest));
-
-      // Constant-time comparison
-      const signatureArray = new Uint8Array((0, _conversion.bufferLikeToArrayBuffer)(signature));
-      if (expected.length !== signatureArray.length) {
-        return false;
-      }
-
-      // Manual constant-time comparison
-      let result = 0;
-      for (let i = 0; i < expected.length; i++) {
-        result |= expected[i] ^ signatureArray[i];
-      }
-      return result === 0;
+    return signVerify(normalizeAlgorithm(algorithm, 'verify'), key, data, signature);
+  }
+  _encapsulateCore(algorithm, key) {
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'encapsulateBits');
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    const variant = normalizedAlgorithm.name;
+    const mlkem = new _mlkem.MlKem(variant);
+    const keyData = key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
+    mlkem.setPublicKey((0, _conversion.bufferLikeToArrayBuffer)(keyData), _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
+    return mlkem.encapsulateSync();
+  }
+  _decapsulateCore(algorithm, key, ciphertext) {
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'decapsulateBits');
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    const variant = normalizedAlgorithm.name;
+    const mlkem = new _mlkem.MlKem(variant);
+    const keyData = key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
+    mlkem.setPrivateKey((0, _conversion.bufferLikeToArrayBuffer)(keyData), _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
+    return mlkem.decapsulateSync((0, _conversion.bufferLikeToArrayBuffer)(ciphertext));
+  }
+  async encapsulateBits(algorithm, key) {
+    if (!key.usages.includes('encapsulateBits')) {
+      throw (0, _errors.lazyDOMException)('Key does not have encapsulateBits usage', 'InvalidAccessError');
     }
-    return signVerify(normalizedAlgorithm, key, data, signature);
+    return this._encapsulateCore(algorithm, key);
+  }
+  async encapsulateKey(algorithm, key, sharedKeyAlgorithm, extractable, usages) {
+    if (!key.usages.includes('encapsulateKey')) {
+      throw (0, _errors.lazyDOMException)('Key does not have encapsulateKey usage', 'InvalidAccessError');
+    }
+    const {
+      sharedKey,
+      ciphertext
+    } = this._encapsulateCore(algorithm, key);
+    const importedKey = await this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
+    return {
+      key: importedKey,
+      ciphertext
+    };
+  }
+  async decapsulateBits(algorithm, key, ciphertext) {
+    if (!key.usages.includes('decapsulateBits')) {
+      throw (0, _errors.lazyDOMException)('Key does not have decapsulateBits usage', 'InvalidAccessError');
+    }
+    return this._decapsulateCore(algorithm, key, ciphertext);
+  }
+  async decapsulateKey(algorithm, key, ciphertext, sharedKeyAlgorithm, extractable, usages) {
+    if (!key.usages.includes('decapsulateKey')) {
+      throw (0, _errors.lazyDOMException)('Key does not have decapsulateKey usage', 'InvalidAccessError');
+    }
+    const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
+    return this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
   }
 }
 exports.Subtle = Subtle;
@@ -1622,6 +1798,10 @@ function getKeyLength(algorithm) {
         const hmacAlg = algorithm;
         return hmacAlg.length || 256;
       }
+    case 'KMAC128':
+      return algorithm.length || 128;
+    case 'KMAC256':
+      return algorithm.length || 256;
     default:
       throw (0, _errors.lazyDOMException)(`Cannot determine key length for ${name}`, 'NotSupportedError');
   }