react-native-quick-crypto 1.0.11 → 1.0.13

package/src/subtle.ts

@@ -48,6 +48,8 @@ import {
 import { rsa_generateKeyPair } from './rsa';
 import { getRandomValues } from './random';
 import { createHmac } from './hmac';
+import type { Kmac } from './specs/kmac.nitro';
+import { timingSafeEqual } from './utils/timingSafeEqual';
 import { createSign, createVerify } from './keys/signVerify';
 import {
   ed_generateKeyPairWebCrypto,
@@ -56,6 +58,12 @@ import {
   Ed,
 } from './ed';
 import { mldsa_generateKeyPairWebCrypto, type MlDsaVariant } from './mldsa';
+import {
+  mlkem_generateKeyPairWebCrypto,
+  type MlKemVariant,
+  MlKem,
+} from './mlkem';
+import type { EncapsulateResult } from './utils';
 import { hkdfDeriveBits, type HkdfAlgorithm } from './hkdf';
 // Temporary enums that need to be defined
 
@@ -699,6 +707,164 @@ async function hmacGenerateKey(
   return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
 }
 
+async function kmacGenerateKey(
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): Promise<CryptoKey> {
+  const { name } = algorithm;
+
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
+    );
+  }
+
+  const defaultLength = name === 'KMAC128' ? 128 : 256;
+  const length = algorithm.length ?? defaultLength;
+
+  if (length === 0) {
+    throw lazyDOMException(
+      'Zero-length key is not supported',
+      'OperationError',
+    );
+  }
+
+  const keyBytes = new Uint8Array(Math.ceil(length / 8));
+  getRandomValues(keyBytes);
+
+  const keyObject = createSecretKey(keyBytes);
+
+  const keyAlgorithm: SubtleAlgorithm = { name: name as AnyAlgorithm, length };
+
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+
+function kmacSignVerify(
+  key: CryptoKey,
+  data: BufferLike,
+  algorithm: SubtleAlgorithm,
+  signature?: BufferLike,
+): ArrayBuffer | boolean {
+  const { name } = algorithm;
+
+  const defaultLength = name === 'KMAC128' ? 256 : 512;
+  const outputLengthBits = algorithm.length ?? defaultLength;
+
+  if (outputLengthBits % 8 !== 0) {
+    throw lazyDOMException(
+      'KMAC output length must be a multiple of 8',
+      'OperationError',
+    );
+  }
+
+  const outputLengthBytes = outputLengthBits / 8;
+
+  const keyData = key.keyObject.export();
+
+  const kmac = NitroModules.createHybridObject<Kmac>('Kmac');
+
+  let customizationBuffer: ArrayBuffer | undefined;
+  if (algorithm.customization !== undefined) {
+    customizationBuffer = bufferLikeToArrayBuffer(algorithm.customization);
+  }
+
+  kmac.createKmac(
+    name,
+    bufferLikeToArrayBuffer(keyData),
+    outputLengthBytes,
+    customizationBuffer,
+  );
+  kmac.update(bufferLikeToArrayBuffer(data));
+  const computed = kmac.digest();
+
+  if (signature === undefined) {
+    return computed;
+  }
+
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  if (computed.byteLength !== sigBuffer.byteLength) {
+    return false;
+  }
+
+  return timingSafeEqual(new Uint8Array(computed), new Uint8Array(sigBuffer));
+}
+
+async function kmacImportKey(
+  algorithm: SubtleAlgorithm,
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): Promise<CryptoKey> {
+  const { name } = algorithm;
+
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
+    );
+  }
+
+  let keyObject: KeyObject;
+
+  if (format === 'jwk') {
+    const jwk = data as JWK;
+
+    if (!jwk || typeof jwk !== 'object') {
+      throw lazyDOMException('Invalid keyData', 'DataError');
+    }
+
+    if (jwk.kty !== 'oct') {
+      throw lazyDOMException('Invalid JWK format for KMAC key', 'DataError');
+    }
+
+    const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
+    if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
+      throw lazyDOMException(
+        'JWK "alg" does not match the requested algorithm',
+        'DataError',
+      );
+    }
+
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+
+    if (keyType === undefined || keyType !== 0) {
+      throw lazyDOMException('Failed to import KMAC JWK', 'DataError');
+    }
+
+    keyObject = new SecretKeyObject(handle);
+  } else if (format === 'raw' || format === 'raw-secret') {
+    keyObject = createSecretKey(data as BinaryLike);
+  } else {
+    throw lazyDOMException(
+      `Unable to import ${name} key with format ${format}`,
+      'NotSupportedError',
+    );
+  }
+
+  const exported = keyObject.export();
+  const keyLength = exported.byteLength * 8;
+
+  if (keyLength === 0) {
+    throw lazyDOMException('Zero-length key is not supported', 'DataError');
+  }
+
+  if (algorithm.length !== undefined && algorithm.length !== keyLength) {
+    throw lazyDOMException('Invalid key length', 'DataError');
+  }
+
+  const keyAlgorithm: SubtleAlgorithm = {
+    name: name as AnyAlgorithm,
+    length: keyLength,
+  };
+
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
+}
+
 function rsaImportKey(
   format: ImportFormat,
   data: BufferLike | JWK,
@@ -1019,6 +1185,49 @@ function edImportKey(
   return new CryptoKey(keyObject, { name }, keyUsages, extractable);
 }
 
+function pqcImportKeyObject(
+  format: ImportFormat,
+  data: BufferLike,
+  name: string,
+): KeyObject {
+  if (format === 'spki') {
+    return KeyObject.createKeyObject(
+      'public',
+      bufferLikeToArrayBuffer(data),
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+  } else if (format === 'pkcs8') {
+    return KeyObject.createKeyObject(
+      'private',
+      bufferLikeToArrayBuffer(data),
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
+  } else if (format === 'raw') {
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), true)) {
+      throw lazyDOMException(
+        `Failed to import ${name} raw public key`,
+        'DataError',
+      );
+    }
+    return new PublicKeyObject(handle);
+  } else if (format === 'raw-seed') {
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), false)) {
+      throw lazyDOMException(`Failed to import ${name} raw seed`, 'DataError');
+    }
+    return new PrivateKeyObject(handle);
+  }
+  throw lazyDOMException(
+    `Unsupported format for ${name} import: ${format}`,
+    'NotSupportedError',
+  );
+}
+
 function mldsaImportKey(
   format: ImportFormat,
   data: BufferLike,
@@ -1027,43 +1236,45 @@ function mldsaImportKey(
   keyUsages: KeyUsage[],
 ): CryptoKey {
   const { name } = algorithm;
-
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
     throw lazyDOMException(
       `Unsupported key usage for ${name} key`,
       'SyntaxError',
     );
   }
+  return new CryptoKey(
+    pqcImportKeyObject(format, data, name),
+    { name },
+    keyUsages,
+    extractable,
+  );
+}
 
-  let keyObject: KeyObject;
-
-  if (format === 'spki') {
-    // Import public key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject(
-      'public',
-      keyData,
-      KFormatType.DER,
-      KeyEncoding.SPKI,
-    );
-  } else if (format === 'pkcs8') {
-    // Import private key
-    const keyData = bufferLikeToArrayBuffer(data);
-    keyObject = KeyObject.createKeyObject(
-      'private',
-      keyData,
-      KFormatType.DER,
-      KeyEncoding.PKCS8,
-    );
-  } else {
+function mlkemImportKey(
+  format: ImportFormat,
+  data: BufferLike,
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): CryptoKey {
+  const { name } = algorithm;
+  const isPublicFormat = format === 'spki' || format === 'raw';
+  const allowedUsages: KeyUsage[] = isPublicFormat
+    ? ['encapsulateBits', 'encapsulateKey']
+    : ['decapsulateBits', 'decapsulateKey'];
+  if (hasAnyNotIn(keyUsages, allowedUsages)) {
     throw lazyDOMException(
-      `Unsupported format for ${name} import: ${format}`,
-      'NotSupportedError',
+      `Unsupported key usage for ${name} key`,
+      'SyntaxError',
     );
   }
-
-  return new CryptoKey(keyObject, { name }, keyUsages, extractable);
+  return new CryptoKey(
+    pqcImportKeyObject(format, data, name),
+    { name },
+    keyUsages,
+    extractable,
+  );
 }
 
 const exportKeySpki = async (
@@ -1112,6 +1323,17 @@ const exportKeySpki = async (
         );
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'public') {
+        return bufferLikeToArrayBuffer(
+          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI),
+        );
+      }
+      break;
   }
 
   throw new Error(
@@ -1165,6 +1387,17 @@ const exportKeyPkcs8 = async (
         );
       }
       break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        return bufferLikeToArrayBuffer(
+          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8),
+        );
+      }
+      break;
   }
 
   throw new Error(
@@ -1189,7 +1422,22 @@ const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
     // Fall through
     case 'X448':
       if (key.type === 'public') {
-        // Export raw public key
+        const exported = key.keyObject.handle.exportKey();
+        return bufferLikeToArrayBuffer(exported);
+      }
+      break;
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
+      if (key.type === 'public') {
         const exported = key.keyObject.handle.exportKey();
         return bufferLikeToArrayBuffer(exported);
       }
@@ -1206,7 +1454,11 @@ const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
     // Fall through
     case 'ChaCha20-Poly1305':
     // Fall through
-    case 'HMAC': {
+    case 'HMAC':
+    // Fall through
+    case 'KMAC128':
+    // Fall through
+    case 'KMAC256': {
       const exported = key.keyObject.export();
       // Convert Buffer to ArrayBuffer
       return exported.buffer.slice(
@@ -1243,6 +1495,12 @@ const exportKeyJWK = (key: CryptoKey): ArrayBuffer | unknown => {
     case 'HMAC':
       jwk.alg = normalizeHashName(key.algorithm.hash, HashContext.JwkHmac);
       return jwk;
+    case 'KMAC128':
+      jwk.alg = 'K128';
+      return jwk;
+    case 'KMAC256':
+      jwk.alg = 'K256';
+      return jwk;
     case 'ECDSA':
     // Fall through
     case 'ECDH':
@@ -1429,24 +1687,20 @@ function hmacSignVerify(
     );
   }
 
-  // Verify operation - compare computed HMAC with provided signature
-  const sigBytes = new Uint8Array(bufferLikeToArrayBuffer(signature));
-  const computedBytes = new Uint8Array(
-    computed.buffer,
+  const sigBuffer = bufferLikeToArrayBuffer(signature);
+  const computedBuffer = computed.buffer.slice(
     computed.byteOffset,
-    computed.byteLength,
+    computed.byteOffset + computed.byteLength,
   );
 
-  if (computedBytes.length !== sigBytes.length) {
+  if (computedBuffer.byteLength !== sigBuffer.byteLength) {
     return false;
   }
 
-  // Constant-time comparison to prevent timing attacks
-  let result = 0;
-  for (let i = 0; i < computedBytes.length; i++) {
-    result |= computedBytes[i]! ^ sigBytes[i]!;
-  }
-  return result === 0;
+  return timingSafeEqual(
+    new Uint8Array(computedBuffer),
+    new Uint8Array(sigBuffer),
+  );
 }
 
 function rsaSignVerify(
@@ -1589,6 +1843,9 @@ const signVerify = (
     case 'ML-DSA-65':
     case 'ML-DSA-87':
       return mldsaSignVerify(key, data, signature);
+    case 'KMAC128':
+    case 'KMAC256':
+      return kmacSignVerify(key, data, algorithm, signature);
   }
   throw lazyDOMException(
     `Unrecognized algorithm name '${algorithm.name}' for '${usage}'`,
@@ -1660,6 +1917,8 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'RSA-PSS',
     'ECDSA',
     'HMAC',
+    'KMAC128',
+    'KMAC256',
     'Ed25519',
     'Ed448',
     'ML-DSA-44',
@@ -1671,13 +1930,25 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'RSA-PSS',
     'ECDSA',
     'HMAC',
+    'KMAC128',
+    'KMAC256',
     'Ed25519',
     'Ed448',
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
   ]),
-  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512']),
+  digest: new Set([
+    'SHA-1',
+    'SHA-256',
+    'SHA-384',
+    'SHA-512',
+    'SHA3-256',
+    'SHA3-384',
+    'SHA3-512',
+    'cSHAKE128',
+    'cSHAKE256',
+  ]),
   generateKey: new Set([
     'RSASSA-PKCS1-v1_5',
     'RSA-PSS',
@@ -1695,9 +1966,14 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'AES-OCB',
     'ChaCha20-Poly1305',
     'HMAC',
+    'KMAC128',
+    'KMAC256',
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
   ]),
   importKey: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -1716,6 +1992,8 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'AES-OCB',
     'ChaCha20-Poly1305',
     'HMAC',
+    'KMAC128',
+    'KMAC256',
     'HKDF',
     'PBKDF2',
     'Argon2d',
@@ -1724,6 +2002,9 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
   ]),
   exportKey: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -1742,9 +2023,14 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'AES-OCB',
     'ChaCha20-Poly1305',
     'HMAC',
+    'KMAC128',
+    'KMAC256',
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
+    'ML-KEM-512',
+    'ML-KEM-768',
+    'ML-KEM-1024',
   ]),
   deriveBits: new Set([
     'PBKDF2',
@@ -1774,6 +2060,10 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ChaCha20-Poly1305',
     'RSA-OAEP',
   ]),
+  encapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateBits: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  encapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
 };
 
 const ASYMMETRIC_ALGORITHMS = new Set([
@@ -1789,6 +2079,9 @@ const ASYMMETRIC_ALGORITHMS = new Set([
   'ML-DSA-44',
   'ML-DSA-65',
   'ML-DSA-87',
+  'ML-KEM-512',
+  'ML-KEM-768',
+  'ML-KEM-1024',
 ]);
 
 export class Subtle {
@@ -1989,6 +2282,31 @@ export class Subtle {
   ): Promise<ArrayBuffer | JWK> {
     if (!key.extractable) throw new Error('key is not extractable');
 
+    if (format === 'raw-seed') {
+      const pqcAlgos = [
+        'ML-KEM-512',
+        'ML-KEM-768',
+        'ML-KEM-1024',
+        'ML-DSA-44',
+        'ML-DSA-65',
+        'ML-DSA-87',
+      ];
+      if (!pqcAlgos.includes(key.algorithm.name)) {
+        throw lazyDOMException(
+          'raw-seed export only supported for PQC keys',
+          'NotSupportedError',
+        );
+      }
+      if (key.type !== 'private') {
+        throw lazyDOMException(
+          'raw-seed export requires a private key',
+          'InvalidAccessError',
+        );
+      }
+      return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey());
+    }
+
+    // Note: 'raw-seed' is handled above; do NOT normalize it here
     if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
 
     switch (format) {
@@ -2176,6 +2494,11 @@ export class Subtle {
       case 'HMAC':
         result = await hmacGenerateKey(algorithm, extractable, keyUsages);
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacGenerateKey(algorithm, extractable, keyUsages);
+        break;
       case 'Ed25519':
       // Fall through
       case 'Ed448':
@@ -2208,6 +2531,18 @@ export class Subtle {
         );
         checkCryptoKeyPairUsages(result as CryptoKeyPair);
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = await mlkem_generateKeyPairWebCrypto(
+          algorithm.name as MlKemVariant,
+          extractable,
+          keyUsages,
+        );
+        checkCryptoKeyPairUsages(result as CryptoKeyPair);
+        break;
       default:
         throw new Error(
           `'subtle.generateKey()' is not implemented for ${algorithm.name}.
@@ -2240,6 +2575,7 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
+    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
     if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result: CryptoKey;
@@ -2277,6 +2613,17 @@ export class Subtle {
           keyUsages,
         );
         break;
+      case 'KMAC128':
+      // Fall through
+      case 'KMAC256':
+        result = await kmacImportKey(
+          normalizedAlgorithm,
+          format,
+          data as BufferLike | JWK,
+          extractable,
+          keyUsages,
+        );
+        break;
       case 'AES-CTR':
       // Fall through
       case 'AES-CBC':
@@ -2345,6 +2692,19 @@ export class Subtle {
           keyUsages,
         );
         break;
+      case 'ML-KEM-512':
+      // Fall through
+      case 'ML-KEM-768':
+      // Fall through
+      case 'ML-KEM-1024':
+        result = mlkemImportKey(
+          format,
+          data as BufferLike,
+          normalizedAlgorithm,
+          extractable,
+          keyUsages,
+        );
+        break;
       default:
         throw new Error(
           `"subtle.importKey()" is not implemented for ${normalizedAlgorithm.name}`,
@@ -2368,103 +2728,164 @@ export class Subtle {
     key: CryptoKey,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'sign');
+    return signVerify(
+      normalizeAlgorithm(algorithm, 'sign'),
+      key,
+      data,
+    ) as ArrayBuffer;
+  }
 
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('sign')) {
-        throw lazyDOMException(
-          'Key does not have sign usage',
-          'InvalidAccessError',
-        );
-      }
+  async verify(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    signature: BufferLike,
+    data: BufferLike,
+  ): Promise<boolean> {
+    return signVerify(
+      normalizeAlgorithm(algorithm, 'verify'),
+      key,
+      data,
+      signature,
+    ) as boolean;
+  }
 
-      // Get hash algorithm from key or algorithm params
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm as any;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm as any;
-      let hashAlgorithm = 'SHA-256';
-
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
+  private _encapsulateCore(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+  ): EncapsulateResult {
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'encapsulateBits' as Operation,
+    );
 
-      // Create HMAC and sign
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      hmac.update(bufferLikeToArrayBuffer(data));
-      return bufferLikeToArrayBuffer(hmac.digest());
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
     }
 
-    return signVerify(normalizedAlgorithm, key, data) as ArrayBuffer;
+    const variant = normalizedAlgorithm.name as MlKemVariant;
+    const mlkem = new MlKem(variant);
+
+    const keyData = key.keyObject.handle.exportKey(
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+    mlkem.setPublicKey(
+      bufferLikeToArrayBuffer(keyData),
+      KFormatType.DER,
+      KeyEncoding.SPKI,
+    );
+
+    return mlkem.encapsulateSync();
   }
 
-  async verify(
+  private _decapsulateCore(
     algorithm: SubtleAlgorithm,
     key: CryptoKey,
-    signature: BufferLike,
-    data: BufferLike,
-  ): Promise<boolean> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'verify');
+    ciphertext: BufferLike,
+  ): ArrayBuffer {
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'decapsulateBits' as Operation,
+    );
 
-    if (normalizedAlgorithm.name === 'HMAC') {
-      // Validate key usage
-      if (!key.usages.includes('verify')) {
-        throw lazyDOMException(
-          'Key does not have verify usage',
-          'InvalidAccessError',
-        );
-      }
+    if (key.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
 
-      // Get hash algorithm
-      // Hash can be either a string or an object with name property
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const alg = normalizedAlgorithm as any;
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const keyAlg = key.algorithm as any;
-      let hashAlgorithm = 'SHA-256';
-
-      if (typeof alg.hash === 'string') {
-        hashAlgorithm = alg.hash;
-      } else if (alg.hash?.name) {
-        hashAlgorithm = alg.hash.name;
-      } else if (typeof keyAlg.hash === 'string') {
-        hashAlgorithm = keyAlg.hash;
-      } else if (keyAlg.hash?.name) {
-        hashAlgorithm = keyAlg.hash.name;
-      }
+    const variant = normalizedAlgorithm.name as MlKemVariant;
+    const mlkem = new MlKem(variant);
 
-      // Create HMAC and compute expected signature
-      const keyData = key.keyObject.export();
-      const hmac = createHmac(hashAlgorithm, keyData);
-      const dataBuffer = bufferLikeToArrayBuffer(data);
-      hmac.update(dataBuffer);
-      const expectedDigest = hmac.digest();
-      const expected = new Uint8Array(bufferLikeToArrayBuffer(expectedDigest));
-
-      // Constant-time comparison
-      const signatureArray = new Uint8Array(bufferLikeToArrayBuffer(signature));
-      if (expected.length !== signatureArray.length) {
-        return false;
-      }
+    const keyData = key.keyObject.handle.exportKey(
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
+    mlkem.setPrivateKey(
+      bufferLikeToArrayBuffer(keyData),
+      KFormatType.DER,
+      KeyEncoding.PKCS8,
+    );
 
-      // Manual constant-time comparison
-      let result = 0;
-      for (let i = 0; i < expected.length; i++) {
-        result |= expected[i]! ^ signatureArray[i]!;
-      }
-      return result === 0;
+    return mlkem.decapsulateSync(bufferLikeToArrayBuffer(ciphertext));
+  }
+
+  async encapsulateBits(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+  ): Promise<EncapsulateResult> {
+    if (!key.usages.includes('encapsulateBits')) {
+      throw lazyDOMException(
+        'Key does not have encapsulateBits usage',
+        'InvalidAccessError',
+      );
     }
 
-    return signVerify(normalizedAlgorithm, key, data, signature) as boolean;
+    return this._encapsulateCore(algorithm, key);
+  }
+
+  async encapsulateKey(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    sharedKeyAlgorithm: SubtleAlgorithm | AnyAlgorithm,
+    extractable: boolean,
+    usages: KeyUsage[],
+  ): Promise<{ key: CryptoKey; ciphertext: ArrayBuffer }> {
+    if (!key.usages.includes('encapsulateKey')) {
+      throw lazyDOMException(
+        'Key does not have encapsulateKey usage',
+        'InvalidAccessError',
+      );
+    }
+
+    const { sharedKey, ciphertext } = this._encapsulateCore(algorithm, key);
+    const importedKey = await this.importKey(
+      'raw',
+      sharedKey,
+      sharedKeyAlgorithm,
+      extractable,
+      usages,
+    );
+
+    return { key: importedKey, ciphertext };
+  }
+
+  async decapsulateBits(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    ciphertext: BufferLike,
+  ): Promise<ArrayBuffer> {
+    if (!key.usages.includes('decapsulateBits')) {
+      throw lazyDOMException(
+        'Key does not have decapsulateBits usage',
+        'InvalidAccessError',
+      );
+    }
+
+    return this._decapsulateCore(algorithm, key, ciphertext);
+  }
+
+  async decapsulateKey(
+    algorithm: SubtleAlgorithm,
+    key: CryptoKey,
+    ciphertext: BufferLike,
+    sharedKeyAlgorithm: SubtleAlgorithm | AnyAlgorithm,
+    extractable: boolean,
+    usages: KeyUsage[],
+  ): Promise<CryptoKey> {
+    if (!key.usages.includes('decapsulateKey')) {
+      throw lazyDOMException(
+        'Key does not have decapsulateKey usage',
+        'InvalidAccessError',
+      );
+    }
+
+    const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
+    return this.importKey(
+      'raw',
+      sharedKey,
+      sharedKeyAlgorithm,
+      extractable,
+      usages,
+    );
   }
 }
 
@@ -2487,6 +2908,11 @@ function getKeyLength(algorithm: SubtleAlgorithm): number {
       return hmacAlg.length || 256;
     }
 
+    case 'KMAC128':
+      return algorithm.length || 128;
+    case 'KMAC256':
+      return algorithm.length || 256;
+
     default:
       throw lazyDOMException(
         `Cannot determine key length for ${name}`,