react-native-quick-crypto 1.1.0 → 1.1.2

package/src/subtle.ts

@@ -18,7 +18,8 @@ import type {
   RsaOaepParams,
   ChaCha20Poly1305Params,
 } from './utils';
-import { KFormatType, KeyEncoding, KeyType } from './utils';
+import { KFormatType, KeyEncoding, KeyType, kNamedCurveAliases } from './utils';
+import { Buffer } from '@craftzdog/react-native-buffer';
 import {
   CryptoKey,
   KeyObject,
@@ -31,7 +32,10 @@ import { bufferLikeToArrayBuffer } from './utils/conversion';
 import { argon2Sync } from './argon2';
 import { lazyDOMException } from './utils/errors';
 import { normalizeHashName, HashContext } from './utils/hashnames';
-import { validateMaxBufferLength } from './utils/validation';
+import {
+  validateJwkStructure,
+  validateMaxBufferLength,
+} from './utils/validation';
 import { asyncDigest } from './hash';
 import { createSecretKey, createPublicKey } from './keys';
 import { NitroModules } from 'react-native-nitro-modules';
@@ -58,6 +62,11 @@ import {
   Ed,
 } from './ed';
 import { mldsa_generateKeyPairWebCrypto, type MlDsaVariant } from './mldsa';
+import {
+  slhdsa_generateKeyPairWebCrypto,
+  SLH_DSA_VARIANTS,
+  type SlhDsaVariant,
+} from './slhdsa';
 import {
   mlkem_generateKeyPairWebCrypto,
   type MlKemVariant,
@@ -83,12 +92,55 @@ function hasAnyNotIn(usages: KeyUsage[], allowed: KeyUsage[]): boolean {
   return usages.some(usage => !allowed.includes(usage));
 }
 
+// Mirrors webidl.requiredArguments. Node throws TypeError when a SubtleCrypto
+// method is called with fewer than the spec-required number of arguments
+// (webcrypto.js:866 etc.); we relied on TypeScript types alone, which apps
+// catching `instanceof TypeError` could not see at runtime.
+function requireArgs(actual: number, required: number, method: string): void {
+  if (actual < required) {
+    throw new TypeError(
+      `Failed to execute '${method}' on 'SubtleCrypto': ${required} arguments required, but only ${actual} present.`,
+    );
+  }
+}
+
+// WebCrypto §18.4.4: algorithm name lookup is case-insensitive, but the
+// canonical mixed-case form is preserved in the resulting `name` field
+// (e.g. "aes-gcm" → "AES-GCM"). This map is built lazily on first call so
+// the registry of canonical names below can stay declared after the
+// function. Without this, callers who pass lowercase strings bypass the
+// downstream `SUPPORTED_ALGORITHMS` set comparisons silently.
+//
+// The map's value type is `AnyAlgorithm` so callers can use the lookup
+// result directly without re-asserting. The `as AnyAlgorithm` at insertion
+// is the single contract boundary: every name in `SUPPORTED_ALGORITHMS` is
+// already a member of `AnyAlgorithm` by construction.
+let _canonicalAlgorithmNames: Map<string, AnyAlgorithm> | null = null;
+function getCanonicalAlgorithmNames(): Map<string, AnyAlgorithm> {
+  if (_canonicalAlgorithmNames === null) {
+    const map = new Map<string, AnyAlgorithm>();
+    for (const set of Object.values(SUPPORTED_ALGORITHMS)) {
+      if (!set) continue;
+      for (const name of set) {
+        map.set(name.toLowerCase(), name as AnyAlgorithm);
+      }
+    }
+    _canonicalAlgorithmNames = map;
+  }
+  return _canonicalAlgorithmNames;
+}
+
 function normalizeAlgorithm(
   algorithm: SubtleAlgorithm | AnyAlgorithm,
   _operation: Operation,
 ): SubtleAlgorithm {
+  const map = getCanonicalAlgorithmNames();
   if (typeof algorithm === 'string') {
-    return { name: algorithm };
+    return { name: map.get(algorithm.toLowerCase()) ?? algorithm };
+  }
+  if (typeof algorithm.name === 'string') {
+    const canonical = map.get(algorithm.name.toLowerCase()) ?? algorithm.name;
+    return { ...algorithm, name: canonical };
   }
   return algorithm as SubtleAlgorithm;
 }
@@ -112,15 +164,70 @@ function getAlgorithmName(name: string, length: number): string {
   }
 }
 
-// Placeholder implementations for missing functions
+// Mirrors Node's aliasKeyFormat (lib/internal/crypto/webcrypto.js): for
+// algorithms whose import/export accepts both 'raw' and the disambiguated
+// 'raw-secret' / 'raw-public', collapse the latter to 'raw'. Used per-algorithm
+// — algorithms that demand the disambiguated form (KMAC, AES-OCB,
+// ChaCha20-Poly1305, Argon2*, ML-DSA, ML-KEM) MUST NOT alias.
+function aliasKeyFormat(format: ImportFormat): ImportFormat {
+  if (format === 'raw-secret' || format === 'raw-public') return 'raw';
+  return format;
+}
+
+const kUncompressedSpkiLength: Record<string, number> = {
+  'P-256': 91,
+  'P-384': 120,
+  'P-521': 158,
+};
+
 function ecExportKey(key: CryptoKey, format: KWebCryptoKeyFormat): ArrayBuffer {
   const keyObject = key.keyObject;
 
   if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw) {
     return bufferLikeToArrayBuffer(keyObject.handle.exportKey());
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
-    const exported = keyObject.export({ format: 'der', type: 'spki' });
-    return bufferLikeToArrayBuffer(exported);
+    const exported = bufferLikeToArrayBuffer(
+      keyObject.export({ format: 'der', type: 'spki' }),
+    );
+
+    // WebCrypto requires uncompressed point format for SPKI exports.
+    // If the key was imported in compressed form, re-export as uncompressed
+    // by reconstructing the point from the JWK x,y coordinates and
+    // round-tripping through initECRaw.
+    const namedCurve = key.algorithm.namedCurve;
+    const expected =
+      namedCurve === undefined
+        ? undefined
+        : kUncompressedSpkiLength[namedCurve];
+    if (expected !== undefined && exported.byteLength !== expected) {
+      const jwk = keyObject.handle.exportJwk({}, false);
+      if (!jwk.x || !jwk.y) {
+        throw lazyDOMException(
+          'Failed to re-export EC public key as uncompressed SPKI',
+          'OperationError',
+        );
+      }
+      const x = Buffer.from(jwk.x, 'base64url');
+      const y = Buffer.from(jwk.y, 'base64url');
+      const raw = new Uint8Array(1 + x.length + y.length);
+      raw[0] = 0x04;
+      raw.set(x, 1);
+      raw.set(y, 1 + x.length);
+      const tmp =
+        NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+      const curveAlias =
+        kNamedCurveAliases[namedCurve as keyof typeof kNamedCurveAliases];
+      if (!tmp.initECRaw(curveAlias, raw.buffer as ArrayBuffer)) {
+        throw lazyDOMException(
+          'Failed to re-export EC public key as uncompressed SPKI',
+          'OperationError',
+        );
+      }
+      return bufferLikeToArrayBuffer(
+        tmp.exportKey(KFormatType.DER, KeyEncoding.SPKI),
+      );
+    }
+    return exported;
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
     const exported = keyObject.export({ format: 'der', type: 'pkcs8' });
     return bufferLikeToArrayBuffer(exported);
@@ -749,13 +856,22 @@ function kmacSignVerify(
 ): ArrayBuffer | boolean {
   const { name } = algorithm;
 
-  const defaultLength = name === 'KMAC128' ? 256 : 512;
-  const outputLengthBits = algorithm.length ?? defaultLength;
+  // KmacParams.outputLength is required per
+  // https://wicg.github.io/webcrypto-modern-algos/#KmacParams-dictionary
+  // and the rename from `length` (commit ab8dc2b84c2). Mirror Node's
+  // mac.js:213-223 by reading `outputLength` (in bits).
+  if (typeof algorithm.outputLength !== 'number') {
+    throw lazyDOMException(
+      `${name}Params.outputLength is required`,
+      'OperationError',
+    );
+  }
+  const outputLengthBits = algorithm.outputLength;
 
   if (outputLengthBits % 8 !== 0) {
     throw lazyDOMException(
-      'KMAC output length must be a multiple of 8',
-      'OperationError',
+      `Unsupported ${name}Params outputLength`,
+      'NotSupportedError',
     );
   }
 
@@ -800,13 +916,6 @@ async function kmacImportKey(
 ): Promise<CryptoKey> {
   const { name } = algorithm;
 
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
-    throw lazyDOMException(
-      `Unsupported key usage for ${name} key`,
-      'SyntaxError',
-    );
-  }
-
   let keyObject: KeyObject;
 
   if (format === 'jwk') {
@@ -815,29 +924,51 @@ async function kmacImportKey(
     if (!jwk || typeof jwk !== 'object') {
       throw lazyDOMException('Invalid keyData', 'DataError');
     }
-
     if (jwk.kty !== 'oct') {
-      throw lazyDOMException('Invalid JWK format for KMAC key', 'DataError');
+      throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
     }
+    validateJwkStructure(jwk, extractable, keyUsages, 'sig');
 
     const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
     if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
       throw lazyDOMException(
-        'JWK "alg" does not match the requested algorithm',
+        'JWK "alg" Parameter and algorithm name mismatch',
         'DataError',
       );
     }
 
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw lazyDOMException(
+        `Unsupported key usage for ${name} key`,
+        'SyntaxError',
+      );
+    }
+
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
-
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw lazyDOMException('Invalid keyData', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw lazyDOMException('Failed to import KMAC JWK', 'DataError');
+      throw lazyDOMException('Invalid keyData', 'DataError');
     }
 
     keyObject = new SecretKeyObject(handle);
-  } else if (format === 'raw' || format === 'raw-secret') {
+  } else if (format === 'raw-secret') {
+    // KMAC accepts only the disambiguated 'raw-secret' form (Node mac.js:141-145
+    // returns undefined for plain 'raw' when not HMAC).
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw lazyDOMException(
+        `Unsupported key usage for ${name} key`,
+        'SyntaxError',
+      );
+    }
     keyObject = createSecretKey(data as BinaryLike);
   } else {
     throw lazyDOMException(
@@ -874,7 +1005,6 @@ function rsaImportKey(
 ): CryptoKey {
   const { name } = algorithm;
 
-  // Validate usages
   let checkSet: KeyUsage[];
   switch (name) {
     case 'RSASSA-PKCS1-v1_5':
@@ -887,38 +1017,75 @@ function rsaImportKey(
     default:
       throw new Error(`Unsupported RSA algorithm: ${name}`);
   }
-
-  if (hasAnyNotIn(keyUsages, checkSet)) {
-    throw new Error(`Unsupported key usage for ${name}`);
-  }
+  const checkUsages = (): void => {
+    if (hasAnyNotIn(keyUsages, checkSet)) {
+      throw lazyDOMException(
+        `Unsupported key usage for ${name} key`,
+        'SyntaxError',
+      );
+    }
+  };
 
   let keyObject: KeyObject;
 
   if (format === 'jwk') {
     const jwk = data as JWK;
 
-    // Validate JWK
+    if (!jwk || typeof jwk !== 'object') {
+      throw lazyDOMException('Invalid keyData', 'DataError');
+    }
     if (jwk.kty !== 'RSA') {
-      throw new Error('Invalid JWK format for RSA key');
+      throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
+    }
+    const expectedUse = name === 'RSA-OAEP' ? 'enc' : 'sig';
+    validateJwkStructure(jwk, extractable, keyUsages, expectedUse);
+    checkUsages();
+
+    if (jwk.alg !== undefined) {
+      let jwkContext: HashContext;
+      switch (name) {
+        case 'RSASSA-PKCS1-v1_5':
+          jwkContext = HashContext.JwkRsa;
+          break;
+        case 'RSA-PSS':
+          jwkContext = HashContext.JwkRsaPss;
+          break;
+        default:
+          jwkContext = HashContext.JwkRsaOaep;
+      }
+      const expectedAlg = normalizeHashName(algorithm.hash, jwkContext);
+      if (jwk.alg !== expectedAlg) {
+        throw lazyDOMException(
+          'JWK "alg" does not match the requested algorithm',
+          'DataError',
+        );
+      }
     }
 
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
-
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw lazyDOMException('Invalid keyData', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
     if (keyType === undefined) {
-      throw new Error('Failed to import RSA JWK');
+      throw lazyDOMException('Invalid keyData', 'DataError');
     }
 
-    // Create the appropriate KeyObject based on type
-    if (keyType === 1) {
+    if (keyType === KeyType.PUBLIC) {
       keyObject = new PublicKeyObject(handle);
-    } else if (keyType === 2) {
+    } else if (keyType === KeyType.PRIVATE) {
       keyObject = new PrivateKeyObject(handle);
     } else {
-      throw new Error('Unexpected key type from RSA JWK import');
+      throw lazyDOMException('Invalid keyData', 'DataError');
     }
   } else if (format === 'spki') {
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     keyObject = KeyObject.createKeyObject(
       'public',
@@ -927,6 +1094,7 @@ function rsaImportKey(
       KeyEncoding.SPKI,
     );
   } else if (format === 'pkcs8') {
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     keyObject = KeyObject.createKeyObject(
       'private',
@@ -935,7 +1103,10 @@ function rsaImportKey(
       KeyEncoding.PKCS8,
     );
   } else {
-    throw new Error(`Unsupported format for RSA import: ${format}`);
+    throw lazyDOMException(
+      `Unsupported format for ${name} import: ${format}`,
+      'NotSupportedError',
+    );
   }
 
   // Get the modulus length from the key and add it to the algorithm
@@ -977,31 +1148,30 @@ async function hmacImportKey(
   extractable: boolean,
   keyUsages: KeyUsage[],
 ): Promise<CryptoKey> {
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
-    throw new Error('Unsupported key usage for an HMAC key');
-  }
+  const checkUsages = (): void => {
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw new Error('Unsupported key usage for an HMAC key');
+    }
+  };
 
   let keyObject: KeyObject;
 
   if (format === 'jwk') {
     const jwk = data as JWK;
 
-    // Validate JWK
     if (!jwk || typeof jwk !== 'object') {
       throw new Error('Invalid keyData');
     }
-
     if (jwk.kty !== 'oct') {
       throw new Error('Invalid JWK format for HMAC key');
     }
+    validateJwkStructure(jwk, extractable, keyUsages, 'sig');
+    checkUsages();
 
-    // Validate key length if specified
     if (algorithm.length !== undefined) {
       if (!jwk.k) {
         throw new Error('JWK missing key data');
       }
-      // Decode to check length
       const decoded = SBuffer.from(jwk.k, 'base64');
       const keyBitLength = decoded.length * 8;
       if (algorithm.length === 0) {
@@ -1014,17 +1184,29 @@ async function hmacImportKey(
 
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
-
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw lazyDOMException('Invalid keyData', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw new Error('Failed to import HMAC JWK');
+      throw lazyDOMException('Invalid keyData', 'DataError');
     }
 
     keyObject = new SecretKeyObject(handle);
-  } else if (format === 'raw') {
+  } else if (format === 'raw' || format === 'raw-secret') {
+    // HMAC accepts both 'raw' and 'raw-secret' (Node mac.js:141-145).
+    checkUsages();
     keyObject = createSecretKey(data as BinaryLike);
   } else {
-    throw new Error(`Unable to import HMAC key with format ${format}`);
+    throw lazyDOMException(
+      `Unable to import HMAC key with format ${format}`,
+      'NotSupportedError',
+    );
   }
 
   // Normalize hash to { name: string } format per WebCrypto spec
@@ -1047,16 +1229,24 @@ async function aesImportKey(
 ): Promise<CryptoKey> {
   const { name, length } = algorithm;
 
-  // Validate usages
   const validUsages: KeyUsage[] = [
     'encrypt',
     'decrypt',
     'wrapKey',
     'unwrapKey',
   ];
-  if (hasAnyNotIn(keyUsages, validUsages)) {
-    throw new Error(`Unsupported key usage for ${name}`);
-  }
+  const checkUsages = (): void => {
+    if (hasAnyNotIn(keyUsages, validUsages)) {
+      throw new Error(`Unsupported key usage for ${name}`);
+    }
+  };
+
+  // AES-OCB and ChaCha20-Poly1305 require the disambiguated 'raw-secret' form
+  // and reject 'raw' (Node aes.js:243-249, chacha20_poly1305.js:104-134).
+  // Other AES variants accept both 'raw' and 'raw-secret'.
+  const requiresRawSecret = name === 'AES-OCB' || name === 'ChaCha20-Poly1305';
+  const acceptsRaw =
+    format === 'raw-secret' || (format === 'raw' && !requiresRawSecret);
 
   let keyObject: KeyObject;
   let actualLength: number;
@@ -1064,36 +1254,53 @@ async function aesImportKey(
   if (format === 'jwk') {
     const jwk = data as JWK;
 
-    // Validate JWK
     if (jwk.kty !== 'oct') {
       throw new Error('Invalid JWK format for AES key');
     }
+    validateJwkStructure(jwk, extractable, keyUsages, 'enc');
+    checkUsages();
 
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
-
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw lazyDOMException('Invalid keyData', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw new Error('Failed to import AES JWK');
+      throw lazyDOMException('Invalid keyData', 'DataError');
     }
 
     keyObject = new SecretKeyObject(handle);
 
-    // Get actual key length from imported key
     const exported = keyObject.export();
     actualLength = exported.byteLength * 8;
-  } else if (format === 'raw') {
+  } else if (acceptsRaw) {
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     actualLength = keyData.byteLength * 8;
 
-    // Validate key length
-    if (![128, 192, 256].includes(actualLength)) {
+    if (name === 'ChaCha20-Poly1305') {
+      if (actualLength !== 256) {
+        throw lazyDOMException(
+          'Invalid ChaCha20-Poly1305 key length',
+          'DataError',
+        );
+      }
+    } else if (![128, 192, 256].includes(actualLength)) {
       throw new Error('Invalid AES key length');
     }
 
     keyObject = createSecretKey(keyData);
   } else {
-    throw new Error(`Unsupported format for AES import: ${format}`);
+    throw lazyDOMException(
+      `Unable to import ${name} key with format ${format}`,
+      'NotSupportedError',
+    );
   }
 
   // Validate length if specified
@@ -1120,23 +1327,23 @@ function edImportKey(
 ): CryptoKey {
   const { name } = algorithm;
 
-  // Validate usages
   const isX = name === 'X25519' || name === 'X448';
   const allowedUsages: KeyUsage[] = isX
     ? ['deriveKey', 'deriveBits']
     : ['sign', 'verify'];
-
-  if (hasAnyNotIn(keyUsages, allowedUsages)) {
-    throw lazyDOMException(
-      `Unsupported key usage for ${name} key`,
-      'SyntaxError',
-    );
-  }
+  const checkUsages = (): void => {
+    if (hasAnyNotIn(keyUsages, allowedUsages)) {
+      throw lazyDOMException(
+        `Unsupported key usage for ${name} key`,
+        'SyntaxError',
+      );
+    }
+  };
 
   let keyObject: KeyObject;
 
   if (format === 'spki') {
-    // Import public key
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     keyObject = KeyObject.createKeyObject(
       'public',
@@ -1145,7 +1352,7 @@ function edImportKey(
       KeyEncoding.SPKI,
     );
   } else if (format === 'pkcs8') {
-    // Import private key
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     keyObject = KeyObject.createKeyObject(
       'private',
@@ -1154,19 +1361,51 @@ function edImportKey(
       KeyEncoding.PKCS8,
     );
   } else if (format === 'raw') {
-    // Raw format - public key only for Ed keys
+    checkUsages();
     const keyData = bufferLikeToArrayBuffer(data as BufferLike);
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    // For raw Ed keys, we need to create them differently
-    // Raw public keys are just the key bytes
-    handle.init(1, keyData); // 1 = public key type
+    handle.init(1, keyData);
     keyObject = new PublicKeyObject(handle);
   } else if (format === 'jwk') {
     const jwkData = data as JWK;
+    if (!jwkData || typeof jwkData !== 'object') {
+      throw lazyDOMException('Invalid keyData', 'DataError');
+    }
+    if (jwkData.kty !== 'OKP') {
+      throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
+    }
+    const expectedUse = isX ? 'enc' : 'sig';
+    validateJwkStructure(jwkData, extractable, keyUsages, expectedUse);
+
+    if (jwkData.crv !== name) {
+      throw lazyDOMException(
+        'JWK "crv" Parameter and algorithm name mismatch',
+        'DataError',
+      );
+    }
+
+    if (!isX && jwkData.alg !== undefined) {
+      if (jwkData.alg !== name && jwkData.alg !== 'EdDSA') {
+        throw lazyDOMException(
+          'JWK "alg" does not match the requested algorithm',
+          'DataError',
+        );
+      }
+    }
+
+    checkUsages();
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    const keyType = handle.initJwk(jwkData);
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwkData);
+    } catch (err) {
+      throw lazyDOMException('Invalid JWK data', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
     if (keyType === undefined) {
       throw lazyDOMException('Invalid JWK data', 'DataError');
     }
@@ -1185,42 +1424,133 @@ function edImportKey(
   return new CryptoKey(keyObject, { name }, keyUsages, extractable);
 }
 
+// Lengths (in bytes) of seedless ML-DSA / ML-KEM PKCS#8 encodings. A PKCS#8
+// blob of exactly this length contains only the expanded private key with no
+// seed; Node rejects these to keep cross-implementation interop intact.
+// Refs: node lib/internal/crypto/ml_dsa.js (mlDsaImportKey, pkcs8 case)
+//       node lib/internal/crypto/ml_kem.js (mlKemImportKey, pkcs8 case)
+export const PQC_SEEDLESS_PKCS8_LENGTHS: Readonly<Record<string, number>> = {
+  'ML-DSA-44': 2588,
+  'ML-DSA-65': 4060,
+  'ML-DSA-87': 4924,
+  'ML-KEM-512': 1660,
+  'ML-KEM-768': 2428,
+  'ML-KEM-1024': 3196,
+};
+
+// Map from PQC algorithm name to display family. Used to render the
+// import-rejection error message in the same form Node emits.
+const PQC_FAMILY: Readonly<Record<string, 'ML-DSA' | 'ML-KEM' | 'SLH-DSA'>> = {
+  'ML-DSA-44': 'ML-DSA',
+  'ML-DSA-65': 'ML-DSA',
+  'ML-DSA-87': 'ML-DSA',
+  'ML-KEM-512': 'ML-KEM',
+  'ML-KEM-768': 'ML-KEM',
+  'ML-KEM-1024': 'ML-KEM',
+  'SLH-DSA-SHA2-128s': 'SLH-DSA',
+  'SLH-DSA-SHA2-128f': 'SLH-DSA',
+  'SLH-DSA-SHA2-192s': 'SLH-DSA',
+  'SLH-DSA-SHA2-192f': 'SLH-DSA',
+  'SLH-DSA-SHA2-256s': 'SLH-DSA',
+  'SLH-DSA-SHA2-256f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-128s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-128f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-192s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-192f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-256s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-256f': 'SLH-DSA',
+};
+
 function pqcImportKeyObject(
   format: ImportFormat,
-  data: BufferLike,
+  data: BufferLike | JWK,
   name: string,
-): KeyObject {
+): { keyObject: KeyObject; isPublic: boolean } {
   if (format === 'spki') {
-    return KeyObject.createKeyObject(
-      'public',
-      bufferLikeToArrayBuffer(data),
-      KFormatType.DER,
-      KeyEncoding.SPKI,
-    );
+    return {
+      keyObject: KeyObject.createKeyObject(
+        'public',
+        bufferLikeToArrayBuffer(data as BufferLike),
+        KFormatType.DER,
+        KeyEncoding.SPKI,
+      ),
+      isPublic: true,
+    };
   } else if (format === 'pkcs8') {
-    return KeyObject.createKeyObject(
-      'private',
-      bufferLikeToArrayBuffer(data),
-      KFormatType.DER,
-      KeyEncoding.PKCS8,
-    );
-  } else if (format === 'raw') {
+    const ab = bufferLikeToArrayBuffer(data as BufferLike);
+    const family = PQC_FAMILY[name];
+    if (
+      family !== undefined &&
+      ab.byteLength === PQC_SEEDLESS_PKCS8_LENGTHS[name]
+    ) {
+      throw lazyDOMException(
+        `Importing an ${family} PKCS#8 key without a seed is not supported`,
+        'NotSupportedError',
+      );
+    }
+    return {
+      keyObject: KeyObject.createKeyObject(
+        'private',
+        ab,
+        KFormatType.DER,
+        KeyEncoding.PKCS8,
+      ),
+      isPublic: false,
+    };
+  } else if (format === 'raw-public') {
+    // ML-DSA / ML-KEM reject plain 'raw' — only 'raw-public' is accepted for
+    // public-key import (Node webcrypto.js:493-499, 506-511).
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), true)) {
+    if (
+      !handle.initPqcRaw(
+        name,
+        bufferLikeToArrayBuffer(data as BufferLike),
+        true,
+      )
+    ) {
       throw lazyDOMException(
         `Failed to import ${name} raw public key`,
         'DataError',
       );
     }
-    return new PublicKeyObject(handle);
+    return { keyObject: new PublicKeyObject(handle), isPublic: true };
   } else if (format === 'raw-seed') {
     const handle =
       NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
-    if (!handle.initPqcRaw(name, bufferLikeToArrayBuffer(data), false)) {
+    if (
+      !handle.initPqcRaw(
+        name,
+        bufferLikeToArrayBuffer(data as BufferLike),
+        false,
+      )
+    ) {
       throw lazyDOMException(`Failed to import ${name} raw seed`, 'DataError');
     }
-    return new PrivateKeyObject(handle);
+    return { keyObject: new PrivateKeyObject(handle), isPublic: false };
+  } else if (format === 'jwk') {
+    const jwkData = data as JWK;
+    const isPublic = jwkData.priv === undefined;
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    let keyType: KeyType | undefined;
+    try {
+      keyType = handle.initJwk(jwkData);
+    } catch (err) {
+      throw lazyDOMException('Invalid JWK data', {
+        name: 'DataError',
+        cause: err,
+      });
+    }
+    if (keyType === undefined) {
+      throw lazyDOMException('Invalid JWK data', 'DataError');
+    }
+    return {
+      keyObject: isPublic
+        ? new PublicKeyObject(handle)
+        : new PrivateKeyObject(handle),
+      isPublic,
+    };
   }
   throw lazyDOMException(
     `Unsupported format for ${name} import: ${format}`,
@@ -1228,39 +1558,109 @@ function pqcImportKeyObject(
   );
 }
 
+// Per WebCrypto AKP JWK rules, public-vs-private is determined by the presence
+// of `priv`. For binary formats it follows from the format itself.
+function pqcIsPublicImport(
+  format: ImportFormat,
+  data: BufferLike | JWK,
+): boolean {
+  if (format === 'jwk') {
+    return (
+      typeof data === 'object' &&
+      data !== null &&
+      (data as JWK).priv === undefined
+    );
+  }
+  return format === 'spki' || format === 'raw-public';
+}
+
+function validatePqcJwk(
+  data: BufferLike | JWK,
+  name: string,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+  expectedUse: 'sig' | 'enc',
+): void {
+  if (typeof data !== 'object' || data === null) {
+    throw lazyDOMException('Invalid keyData', 'DataError');
+  }
+  const jwk = data as JWK;
+  if (jwk.kty !== 'AKP') {
+    throw lazyDOMException('Invalid JWK "kty" Parameter', 'DataError');
+  }
+  validateJwkStructure(jwk, extractable, keyUsages, expectedUse);
+  if (jwk.alg !== name) {
+    throw lazyDOMException(
+      'JWK "alg" Parameter and algorithm name mismatch',
+      'DataError',
+    );
+  }
+}
+
+// Validates that `format` is one of the formats PQC algorithms accept; rejects
+// plain 'raw' early so the format error wins over usage-based errors.
+function validatePqcFormat(format: ImportFormat, name: string): void {
+  if (
+    format !== 'spki' &&
+    format !== 'pkcs8' &&
+    format !== 'raw-public' &&
+    format !== 'raw-seed' &&
+    format !== 'jwk'
+  ) {
+    throw lazyDOMException(
+      `Unsupported format for ${name} import: ${format}`,
+      'NotSupportedError',
+    );
+  }
+}
+
 function mldsaImportKey(
   format: ImportFormat,
-  data: BufferLike,
+  data: BufferLike | JWK,
   algorithm: SubtleAlgorithm,
   extractable: boolean,
   keyUsages: KeyUsage[],
 ): CryptoKey {
   const { name } = algorithm;
-  const isPublicFormat = format === 'spki' || format === 'raw';
-  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
+  validatePqcFormat(format, name);
+  if (format === 'jwk') {
+    validatePqcJwk(data, name, extractable, keyUsages, 'sig');
+  }
+  const isPublic = pqcIsPublicImport(format, data);
+  if (hasAnyNotIn(keyUsages, isPublic ? ['verify'] : ['sign'])) {
     throw lazyDOMException(
       `Unsupported key usage for ${name} key`,
       'SyntaxError',
     );
   }
-  return new CryptoKey(
-    pqcImportKeyObject(format, data, name),
-    { name },
-    keyUsages,
-    extractable,
-  );
+  const { keyObject } = pqcImportKeyObject(format, data, name);
+  return new CryptoKey(keyObject, { name }, keyUsages, extractable);
+}
+
+function slhdsaImportKey(
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): CryptoKey {
+  return mldsaImportKey(format, data, algorithm, extractable, keyUsages);
 }
 
 function mlkemImportKey(
   format: ImportFormat,
-  data: BufferLike,
+  data: BufferLike | JWK,
   algorithm: SubtleAlgorithm,
   extractable: boolean,
   keyUsages: KeyUsage[],
 ): CryptoKey {
   const { name } = algorithm;
-  const isPublicFormat = format === 'spki' || format === 'raw';
-  const allowedUsages: KeyUsage[] = isPublicFormat
+  validatePqcFormat(format, name);
+  if (format === 'jwk') {
+    validatePqcJwk(data, name, extractable, keyUsages, 'enc');
+  }
+  const isPublic = pqcIsPublicImport(format, data);
+  const allowedUsages: KeyUsage[] = isPublic
     ? ['encapsulateBits', 'encapsulateKey']
     : ['decapsulateBits', 'decapsulateKey'];
   if (hasAnyNotIn(keyUsages, allowedUsages)) {
@@ -1269,12 +1669,8 @@ function mlkemImportKey(
       'SyntaxError',
     );
   }
-  return new CryptoKey(
-    pqcImportKeyObject(format, data, name),
-    { name },
-    keyUsages,
-    extractable,
-  );
+  const { keyObject } = pqcImportKeyObject(format, data, name);
+  return new CryptoKey(keyObject, { name }, keyUsages, extractable);
 }
 
 const exportKeySpki = async (
@@ -1316,8 +1712,21 @@ const exportKeySpki = async (
     case 'ML-DSA-65':
     // Fall through
     case 'ML-DSA-87':
+    // Fall through
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       if (key.type === 'public') {
-        // Export ML-DSA key in SPKI DER format
+        // Export ML-DSA / SLH-DSA key in SPKI DER format
         return bufferLikeToArrayBuffer(
           key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.SPKI),
         );
@@ -1380,18 +1789,40 @@ const exportKeyPkcs8 = async (
     case 'ML-DSA-65':
     // Fall through
     case 'ML-DSA-87':
-      if (key.type === 'private') {
-        // Export ML-DSA key in PKCS8 DER format
-        return bufferLikeToArrayBuffer(
-          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8),
-        );
-      }
-      break;
+    // Fall through
     case 'ML-KEM-512':
     // Fall through
     case 'ML-KEM-768':
     // Fall through
     case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        const ab = bufferLikeToArrayBuffer(
+          key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8),
+        );
+        // 22 bytes of PKCS#8 ASN.1 + seed (32 ML-DSA, 64 ML-KEM). Guards
+        // against a seedless KeyObject that was wrapped via toCryptoKey.
+        const expected = key.algorithm.name.startsWith('ML-DSA') ? 54 : 86;
+        if (ab.byteLength !== expected) {
+          throw lazyDOMException(
+            'The operation failed for an operation-specific reason',
+            'OperationError',
+          );
+        }
+        return ab;
+      }
+      break;
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       if (key.type === 'private') {
         return bufferLikeToArrayBuffer(
           key.keyObject.handle.exportKey(KFormatType.DER, KeyEncoding.PKCS8),
@@ -1405,79 +1836,101 @@ const exportKeyPkcs8 = async (
   );
 };
 
-const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
-  switch (key.algorithm.name) {
+// Mirrors Node's export key matrix (lib/internal/crypto/webcrypto.js
+// exportKeyRawSecret / exportKeyRawPublic, lines 472-563):
+//
+//   raw         — AES-CTR/CBC/GCM/KW + HMAC (secret); ECDSA/ECDH/Ed/X (public)
+//   raw-secret  — AES-CTR/CBC/GCM/KW + HMAC + AES-OCB + KMAC + ChaCha20-Poly1305
+//   raw-public  — ECDSA/ECDH + Ed/X + ML-DSA + ML-KEM (public)
+const exportKeyRaw = (
+  key: CryptoKey,
+  format: 'raw' | 'raw-secret' | 'raw-public',
+): ArrayBuffer => {
+  const name = key.algorithm.name;
+  const isPublic = key.type === 'public';
+  const isSecret = key.type === 'secret';
+
+  const exportSecret = (): ArrayBuffer => {
+    const exported = key.keyObject.export();
+    return exported.buffer.slice(
+      exported.byteOffset,
+      exported.byteOffset + exported.byteLength,
+    ) as ArrayBuffer;
+  };
+  const exportRawPublic = (): ArrayBuffer =>
+    bufferLikeToArrayBuffer(key.keyObject.handle.exportKey());
+
+  const fail = (): never => {
+    throw lazyDOMException(
+      `Unable to export ${name} ${key.type} key using ${format} format`,
+      'NotSupportedError',
+    );
+  };
+
+  // Symmetric: AES-CTR/CBC/GCM/KW and HMAC accept both 'raw' and 'raw-secret';
+  // AES-OCB / KMAC* / ChaCha20-Poly1305 only 'raw-secret'.
+  switch (name) {
+    case 'AES-CTR':
+    case 'AES-CBC':
+    case 'AES-GCM':
+    case 'AES-KW':
+    case 'HMAC':
+      if (!isSecret) return fail();
+      if (format === 'raw' || format === 'raw-secret') return exportSecret();
+      return fail();
+    case 'AES-OCB':
+    case 'KMAC128':
+    case 'KMAC256':
+    case 'ChaCha20-Poly1305':
+      if (!isSecret) return fail();
+      if (format === 'raw-secret') return exportSecret();
+      return fail();
     case 'ECDSA':
-    // Fall through
     case 'ECDH':
-      if (key.type === 'public') {
+      if (!isPublic) return fail();
+      if (format === 'raw' || format === 'raw-public') {
         return ecExportKey(key, KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw);
       }
-      break;
+      return fail();
     case 'Ed25519':
-    // Fall through
     case 'Ed448':
-    // Fall through
     case 'X25519':
-    // Fall through
     case 'X448':
-      if (key.type === 'public') {
-        const exported = key.keyObject.handle.exportKey();
-        return bufferLikeToArrayBuffer(exported);
-      }
-      break;
-    case 'ML-KEM-512':
-    // Fall through
-    case 'ML-KEM-768':
-    // Fall through
-    case 'ML-KEM-1024':
-    // Fall through
+      if (!isPublic) return fail();
+      if (format === 'raw' || format === 'raw-public') return exportRawPublic();
+      return fail();
     case 'ML-DSA-44':
-    // Fall through
     case 'ML-DSA-65':
-    // Fall through
     case 'ML-DSA-87':
-      if (key.type === 'public') {
-        const exported = key.keyObject.handle.exportKey();
-        return bufferLikeToArrayBuffer(exported);
-      }
-      break;
-    case 'AES-CTR':
-    // Fall through
-    case 'AES-CBC':
-    // Fall through
-    case 'AES-GCM':
-    // Fall through
-    case 'AES-KW':
-    // Fall through
-    case 'AES-OCB':
-    // Fall through
-    case 'ChaCha20-Poly1305':
-    // Fall through
-    case 'HMAC':
-    // Fall through
-    case 'KMAC128':
-    // Fall through
-    case 'KMAC256': {
-      const exported = key.keyObject.export();
-      // Convert Buffer to ArrayBuffer
-      return exported.buffer.slice(
-        exported.byteOffset,
-        exported.byteOffset + exported.byteLength,
-      );
-    }
-  }
-
-  throw lazyDOMException(
-    `Unable to export a raw ${key.algorithm.name} ${key.type} key`,
-    'InvalidAccessError',
-  );
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
+      // ML-DSA / ML-KEM / SLH-DSA keys do not recognize plain 'raw' (Node
+      // webcrypto.js lines 488-510).
+      if (!isPublic) return fail();
+      if (format === 'raw-public') return exportRawPublic();
+      return fail();
+  }
+
+  return fail();
 };
 
 const exportKeyJWK = (key: CryptoKey): ArrayBuffer | unknown => {
   const jwk = key.keyObject.handle.exportJwk(
     {
-      key_ops: key.usages,
+      key_ops: [...key.usages],
       ext: key.extractable,
     },
     true,
@@ -1503,16 +1956,41 @@ const exportKeyJWK = (key: CryptoKey): ArrayBuffer | unknown => {
       return jwk;
     case 'ECDSA':
     // Fall through
-    case 'ECDH':
-      jwk.crv ||= key.algorithm.namedCurve;
-      return jwk;
-    case 'Ed25519':
+    case 'ECDH':
+      jwk.crv ||= key.algorithm.namedCurve;
+      return jwk;
+    case 'Ed25519':
+    // Fall through
+    case 'Ed448':
+    // Fall through
+    case 'X25519':
+    // Fall through
+    case 'X448':
+      return jwk;
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
     // Fall through
-    case 'Ed448':
+    case 'ML-KEM-512':
     // Fall through
-    case 'X25519':
+    case 'ML-KEM-768':
     // Fall through
-    case 'X448':
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       return jwk;
     case 'AES-CTR':
     // Fall through
@@ -1543,7 +2021,11 @@ const exportKeyJWK = (key: CryptoKey): ArrayBuffer | unknown => {
   );
 };
 
-const importGenericSecretKey = async (
+// PBKDF2 import. Mirrors Node's importGenericSecretKey ordering
+// (keys.js:945-971): extractable → usage → format → length. Callers pre-alias
+// 'raw-secret' / 'raw-public' to 'raw' via aliasKeyFormat
+// (webcrypto.js:798-808).
+const pbkdf2ImportKey = async (
   { name, length }: SubtleAlgorithm,
   format: ImportFormat,
   keyData: BufferLike | BinaryLike,
@@ -1551,33 +2033,70 @@ const importGenericSecretKey = async (
   keyUsages: KeyUsage[],
 ): Promise<CryptoKey> => {
   if (extractable) {
-    throw new Error(`${name} keys are not extractable`);
+    throw lazyDOMException(`${name} keys are not extractable`, 'SyntaxError');
   }
   if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
-    throw new Error(`Unsupported key usage for a ${name} key`);
+    throw lazyDOMException(
+      `Unsupported key usage for a ${name} key`,
+      'SyntaxError',
+    );
+  }
+  if (format !== 'raw') {
+    throw lazyDOMException(
+      `Unable to import ${name} key with format ${format}`,
+      'NotSupportedError',
+    );
   }
 
-  switch (format) {
-    case 'raw': {
-      if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
-        throw new Error(`Unsupported key usage for a ${name} key`);
-      }
+  const checkLength =
+    typeof keyData === 'string' || SBuffer.isBuffer(keyData)
+      ? keyData.length * 8
+      : keyData.byteLength * 8;
+  if (length !== undefined && length !== checkLength) {
+    throw lazyDOMException('Invalid key length', 'DataError');
+  }
 
-      const checkLength =
-        typeof keyData === 'string' || SBuffer.isBuffer(keyData)
-          ? keyData.length * 8
-          : keyData.byteLength * 8;
+  const keyObject = createSecretKey(keyData as BinaryLike);
+  return new CryptoKey(keyObject, { name }, keyUsages, false);
+};
 
-      if (length !== undefined && length !== checkLength) {
-        throw new Error('Invalid key length');
-      }
+// Argon2 import. Node gates the format at the dispatcher level — only
+// 'raw-secret' enters importGenericSecretKey (webcrypto.js:813-822). To match
+// that, format is the first check here; remaining ordering matches Node's
+// importGenericSecretKey.
+const argon2ImportKey = async (
+  { name, length }: SubtleAlgorithm,
+  format: ImportFormat,
+  keyData: BufferLike | BinaryLike,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
+): Promise<CryptoKey> => {
+  if (format !== 'raw-secret') {
+    throw lazyDOMException(
+      `Unable to import ${name} key with format ${format}`,
+      'NotSupportedError',
+    );
+  }
+  if (extractable) {
+    throw lazyDOMException(`${name} keys are not extractable`, 'SyntaxError');
+  }
+  if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
+    throw lazyDOMException(
+      `Unsupported key usage for a ${name} key`,
+      'SyntaxError',
+    );
+  }
 
-      const keyObject = createSecretKey(keyData as BinaryLike);
-      return new CryptoKey(keyObject, { name }, keyUsages, false);
-    }
+  const checkLength =
+    typeof keyData === 'string' || SBuffer.isBuffer(keyData)
+      ? keyData.length * 8
+      : keyData.byteLength * 8;
+  if (length !== undefined && length !== checkLength) {
+    throw lazyDOMException('Invalid key length', 'DataError');
   }
 
-  throw new Error(`Unable to import ${name} key with format ${format}`);
+  const keyObject = createSecretKey(keyData as BinaryLike);
+  return new CryptoKey(keyObject, { name }, keyUsages, false);
 };
 
 const hkdfImportKey = async (
@@ -1588,6 +2107,13 @@ const hkdfImportKey = async (
   keyUsages: KeyUsage[],
 ): Promise<CryptoKey> => {
   const { name } = algorithm;
+  // WebCrypto §28.7.6: HKDF keys are never extractable. The previous
+  // implementation passed `extractable` through verbatim, allowing callers
+  // to round-trip the input keying material via `exportKey` — defeating
+  // the whole point of the deriveBits-only usage.
+  if (extractable) {
+    throw lazyDOMException(`${name} keys are not extractable`, 'SyntaxError');
+  }
   if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
     throw new Error(`Unsupported key usage for a ${name} key`);
   }
@@ -1595,7 +2121,7 @@ const hkdfImportKey = async (
   switch (format) {
     case 'raw': {
       const keyObject = createSecretKey(keyData as BinaryLike);
-      return new CryptoKey(keyObject, { name }, keyUsages, extractable);
+      return new CryptoKey(keyObject, { name }, keyUsages, false);
     }
     default:
       throw new Error(`Unable to import ${name} key with format ${format}`);
@@ -1820,7 +2346,11 @@ const signVerify = (
   const usage: Operation = signature === undefined ? 'sign' : 'verify';
   algorithm = normalizeAlgorithm(algorithm, usage);
 
-  if (!key.usages.includes(usage) || algorithm.name !== key.algorithm.name) {
+  if (algorithm.name !== key.algorithm.name) {
+    throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+  }
+
+  if (!key.usages.includes(usage)) {
     throw lazyDOMException(
       `Unable to use this key to ${usage}`,
       'InvalidAccessError',
@@ -1842,6 +2372,18 @@ const signVerify = (
     case 'ML-DSA-44':
     case 'ML-DSA-65':
     case 'ML-DSA-87':
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       return mldsaSignVerify(key, data, signature);
     case 'KMAC128':
     case 'KMAC256':
@@ -1853,23 +2395,16 @@ const signVerify = (
   );
 };
 
+// Algorithm-mismatch and usage checks live at the public-method call sites
+// (encrypt / decrypt / wrapKey / unwrapKey) so spec-mandated message and
+// ordering — algorithm-mismatch first, then usage — is preserved
+// (Node webcrypto.js, commit 4cb1f284136).
 const cipherOrWrap = async (
   mode: CipherOrWrapMode,
   algorithm: EncryptDecryptParams,
   key: CryptoKey,
   data: ArrayBuffer,
-  op: Operation,
 ): Promise<ArrayBuffer> => {
-  if (
-    key.algorithm.name !== algorithm.name ||
-    !key.usages.includes(op as KeyUsage)
-  ) {
-    throw lazyDOMException(
-      'The requested operation is not valid for the provided key',
-      'InvalidAccessError',
-    );
-  }
-
   validateMaxBufferLength(data, 'data');
 
   switch (algorithm.name) {
@@ -1924,6 +2459,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
+    ...SLH_DSA_VARIANTS,
   ]),
   verify: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -1937,6 +2473,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-DSA-44',
     'ML-DSA-65',
     'ML-DSA-87',
+    ...SLH_DSA_VARIANTS,
   ]),
   digest: new Set([
     'SHA-1',
@@ -1948,6 +2485,10 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'SHA3-512',
     'cSHAKE128',
     'cSHAKE256',
+    'TurboSHAKE128',
+    'TurboSHAKE256',
+    'KT128',
+    'KT256',
   ]),
   generateKey: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -1974,6 +2515,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-KEM-512',
     'ML-KEM-768',
     'ML-KEM-1024',
+    ...SLH_DSA_VARIANTS,
   ]),
   importKey: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -2005,6 +2547,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-KEM-512',
     'ML-KEM-768',
     'ML-KEM-1024',
+    ...SLH_DSA_VARIANTS,
   ]),
   exportKey: new Set([
     'RSASSA-PKCS1-v1_5',
@@ -2031,6 +2574,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
     'ML-KEM-512',
     'ML-KEM-768',
     'ML-KEM-1024',
+    ...SLH_DSA_VARIANTS,
   ]),
   deriveBits: new Set([
     'PBKDF2',
@@ -2066,7 +2610,7 @@ const SUPPORTED_ALGORITHMS: Record<string, Set<string>> = {
   decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
 };
 
-const ASYMMETRIC_ALGORITHMS = new Set([
+const ASYMMETRIC_ALGORITHMS = new Set<string>([
   'RSASSA-PKCS1-v1_5',
   'RSA-PSS',
   'RSA-OAEP',
@@ -2082,52 +2626,230 @@ const ASYMMETRIC_ALGORITHMS = new Set([
   'ML-KEM-512',
   'ML-KEM-768',
   'ML-KEM-1024',
+  ...SLH_DSA_VARIANTS,
 ]);
 
-export class Subtle {
-  static supports(
-    operation: string,
-    algorithm: SubtleAlgorithm | AnyAlgorithm,
-    _lengthOrAdditionalAlgorithm?: unknown,
-  ): boolean {
-    let normalizedAlgorithm: SubtleAlgorithm;
-    try {
-      normalizedAlgorithm = normalizeAlgorithm(
-        algorithm,
-        (operation === 'getPublicKey' ? 'exportKey' : operation) as Operation,
-      );
-    } catch {
+// Per-algorithm validators for deriveBits (mirrors Node's hkdf.js:141-149,
+// pbkdf2.js:96-105, argon2.js:194-209). Used by Subtle.supports to reject
+// length values that the actual deriveBits implementation would reject.
+function validateKdfDeriveBitsLength(
+  length: number | null | undefined,
+  algName: string,
+): void {
+  if (length === null || length === undefined) {
+    throw lazyDOMException('length cannot be null', 'OperationError');
+  }
+  if (length % 8) {
+    throw lazyDOMException('length must be a multiple of 8', 'OperationError');
+  }
+  if (algName.startsWith('Argon2') && length < 32) {
+    throw lazyDOMException('length must be >= 32', 'OperationError');
+  }
+}
+
+// Mirrors Node's webcrypto.js:1652-1731 `check`. Normalizes the algorithm,
+// looks it up in SUPPORTED_ALGORITHMS, and runs per-algorithm validation
+// (deriveBits length validators, HMAC+SHA3 generateKey rejection).
+// `op` is the operation key in SUPPORTED_ALGORITHMS — wrapKey/unwrapKey fall
+// back to encrypt/decrypt to mirror Node's normalize fallback.
+function supportsCheck(
+  op: string,
+  alg: SubtleAlgorithm | AnyAlgorithm,
+  length?: number | null,
+): boolean {
+  let normalizedAlgorithm: SubtleAlgorithm;
+  try {
+    normalizedAlgorithm = normalizeAlgorithm(alg, op as Operation);
+  } catch {
+    if (op === 'wrapKey') return supportsCheck('encrypt', alg);
+    if (op === 'unwrapKey') return supportsCheck('decrypt', alg);
+    return false;
+  }
+
+  const supported = SUPPORTED_ALGORITHMS[op];
+  if (!supported || !supported.has(normalizedAlgorithm.name)) {
+    if (op === 'wrapKey') return supportsCheck('encrypt', alg);
+    if (op === 'unwrapKey') return supportsCheck('decrypt', alg);
+    return false;
+  }
+
+  if (op === 'deriveBits') {
+    const name = normalizedAlgorithm.name;
+    if (name === 'HKDF' || name === 'PBKDF2' || name.startsWith('Argon2')) {
+      try {
+        validateKdfDeriveBitsLength(length, name);
+      } catch {
+        return false;
+      }
+    }
+  }
+
+  if (op === 'generateKey' && normalizedAlgorithm.name === 'HMAC') {
+    const hashName =
+      typeof normalizedAlgorithm.hash === 'string'
+        ? normalizedAlgorithm.hash
+        : (normalizedAlgorithm.hash as { name?: string } | undefined)?.name;
+    if (
+      normalizedAlgorithm.length === undefined &&
+      typeof hashName === 'string' &&
+      hashName.startsWith('SHA3-')
+    ) {
       return false;
     }
+  }
 
-    const name = normalizedAlgorithm.name;
+  return true;
+}
+
+function supportsImpl(
+  operation: string,
+  algorithm: SubtleAlgorithm | AnyAlgorithm,
+  lengthOrAdditionalAlgorithm: unknown,
+): boolean {
+  switch (operation) {
+    case 'decapsulateBits':
+    case 'decapsulateKey':
+    case 'decrypt':
+    case 'deriveBits':
+    case 'deriveKey':
+    case 'digest':
+    case 'encapsulateBits':
+    case 'encapsulateKey':
+    case 'encrypt':
+    case 'exportKey':
+    case 'generateKey':
+    case 'getPublicKey':
+    case 'importKey':
+    case 'sign':
+    case 'unwrapKey':
+    case 'verify':
+    case 'wrapKey':
+      break;
+    default:
+      return false;
+  }
 
-    if (operation === 'getPublicKey') {
-      return ASYMMETRIC_ALGORITHMS.has(name);
+  let length: number | null | undefined;
+
+  if (operation === 'deriveKey') {
+    // deriveKey decomposes to importKey of derived alg + deriveBits with that
+    // alg's key length. Node webcrypto.js:1547-1563.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm as
+        | SubtleAlgorithm
+        | AnyAlgorithm;
+      if (!supportsCheck('importKey', additional)) return false;
+      try {
+        length = getKeyLength(normalizeAlgorithm(additional, 'get key length'));
+      } catch {
+        return false;
+      }
+      return supportsCheck('deriveBits', algorithm, length);
     }
+    // No additional algorithm given — only check the deriveBits side.
+    return supportsCheck('deriveBits', algorithm);
+  }
+
+  if (operation === 'wrapKey') {
+    // wrapKey decomposes to encrypt of wrapping alg + exportKey of wrapped alg.
+    // Node webcrypto.js:1564-1572.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm as
+        | SubtleAlgorithm
+        | AnyAlgorithm;
+      if (!supportsCheck('exportKey', additional)) return false;
+    }
+    return supportsCheck('wrapKey', algorithm);
+  }
 
-    if (operation === 'deriveKey') {
-      // deriveKey decomposes to deriveBits + importKey of additional algorithm
-      if (!SUPPORTED_ALGORITHMS.deriveBits?.has(name)) return false;
-      if (_lengthOrAdditionalAlgorithm != null) {
-        try {
-          const additionalAlg = normalizeAlgorithm(
-            _lengthOrAdditionalAlgorithm as SubtleAlgorithm | AnyAlgorithm,
-            'importKey',
-          );
-          return (
-            SUPPORTED_ALGORITHMS.importKey?.has(additionalAlg.name) ?? false
-          );
-        } catch {
-          return false;
-        }
+  if (operation === 'unwrapKey') {
+    // unwrapKey decomposes to decrypt of wrapping alg + importKey of wrapped
+    // alg. Node webcrypto.js:1573-1581.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm as
+        | SubtleAlgorithm
+        | AnyAlgorithm;
+      if (!supportsCheck('importKey', additional)) return false;
+    }
+    return supportsCheck('unwrapKey', algorithm);
+  }
+
+  if (operation === 'deriveBits') {
+    if (lengthOrAdditionalAlgorithm == null) {
+      length = null;
+    } else if (typeof lengthOrAdditionalAlgorithm === 'number') {
+      length = lengthOrAdditionalAlgorithm;
+    } else {
+      return false;
+    }
+    return supportsCheck('deriveBits', algorithm, length);
+  }
+
+  if (operation === 'getPublicKey') {
+    let normalized: SubtleAlgorithm;
+    try {
+      normalized = normalizeAlgorithm(algorithm, 'exportKey');
+    } catch {
+      return false;
+    }
+    return ASYMMETRIC_ALGORITHMS.has(normalized.name);
+  }
+
+  if (operation === 'encapsulateKey' || operation === 'decapsulateKey') {
+    // sharedKeyAlgorithm must support importKey, with HMAC/KMAC limited to
+    // length === undefined or 256 (Node webcrypto.js:1610-1645).
+    const additional = lengthOrAdditionalAlgorithm as
+      | SubtleAlgorithm
+      | AnyAlgorithm;
+    let normalizedAdd: SubtleAlgorithm;
+    try {
+      normalizedAdd = normalizeAlgorithm(additional, 'importKey');
+    } catch {
+      return false;
+    }
+    switch (normalizedAdd.name) {
+      case 'AES-OCB':
+      case 'AES-KW':
+      case 'AES-GCM':
+      case 'AES-CTR':
+      case 'AES-CBC':
+      case 'ChaCha20-Poly1305':
+      case 'HKDF':
+      case 'PBKDF2':
+      case 'Argon2i':
+      case 'Argon2d':
+      case 'Argon2id':
+        break;
+      case 'HMAC':
+      case 'KMAC128':
+      case 'KMAC256': {
+        const addLen = normalizedAdd.length;
+        if (addLen !== undefined && addLen !== 256) return false;
+        break;
       }
-      return true;
+      default:
+        return false;
     }
+    return supportsCheck(operation, algorithm);
+  }
 
-    const supported = SUPPORTED_ALGORITHMS[operation];
-    if (!supported) return false;
-    return supported.has(name);
+  return supportsCheck(operation, algorithm);
+}
+
+export class Subtle {
+  // Spec-compliant capability detector. Mirrors Node's webcrypto.js:1506-1649
+  // `SubtleCrypto.supports`, including:
+  //   • composed-operation decomposition (deriveKey, wrapKey, unwrapKey,
+  //     encapsulateKey, decapsulateKey, getPublicKey)
+  //   • per-algorithm length validators for deriveBits (HKDF/PBKDF2/Argon2)
+  //   • HMAC + SHA3 generateKey with no length → false
+  // Static-only per the WICG spec.
+  static supports(
+    operation: string,
+    algorithm: SubtleAlgorithm | AnyAlgorithm,
+    lengthOrAdditionalAlgorithm: unknown = null,
+  ): boolean {
+    return supportsImpl(operation, algorithm, lengthOrAdditionalAlgorithm);
   }
 
   async decrypt(
@@ -2135,13 +2857,25 @@ export class Subtle {
     key: CryptoKey,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'decrypt');
+    requireArgs(arguments.length, 3, 'decrypt');
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'decrypt',
+    ) as EncryptDecryptParams;
+    if (normalizedAlgorithm.name !== key.algorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    if (!key.usages.includes('decrypt')) {
+      throw lazyDOMException(
+        'Unable to use this key to decrypt',
+        'InvalidAccessError',
+      );
+    }
     return cipherOrWrap(
       CipherOrWrapMode.kWebCryptoCipherDecrypt,
-      normalizedAlgorithm as EncryptDecryptParams,
+      normalizedAlgorithm,
       key,
       bufferLikeToArrayBuffer(data),
-      'decrypt',
     );
   }
 
@@ -2149,6 +2883,7 @@ export class Subtle {
     algorithm: SubtleAlgorithm | AnyAlgorithm,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
+    requireArgs(arguments.length, 2, 'digest');
     const normalizedAlgorithm = normalizeAlgorithm(
       algorithm,
       'digest' as Operation,
@@ -2159,39 +2894,56 @@ export class Subtle {
   async deriveBits(
     algorithm: SubtleAlgorithm,
     baseKey: CryptoKey,
-    length: number,
+    length: number | null = null,
   ): Promise<ArrayBuffer> {
-    // Allow either deriveBits OR deriveKey usage (WebCrypto spec allows both)
-    if (
-      !baseKey.keyUsages.includes('deriveBits') &&
-      !baseKey.keyUsages.includes('deriveKey')
-    ) {
-      throw new Error('baseKey does not have deriveBits or deriveKey usage');
+    requireArgs(arguments.length, 2, 'deriveBits');
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'deriveBits');
+    // WebCrypto §SubtleCrypto.deriveBits step 11: throw InvalidAccessError
+    // unless `baseKey.[[usages]]` contains "deriveBits" specifically. The
+    // previous `deriveBits || deriveKey` accept-either branch silently
+    // promoted deriveKey-only keys into deriveBits use, contradicting the
+    // spec usage gate.
+    if (!baseKey.usages.includes('deriveBits')) {
+      throw lazyDOMException(
+        'baseKey does not have deriveBits usage',
+        'InvalidAccessError',
+      );
     }
-    if (baseKey.algorithm.name !== algorithm.name)
-      throw new Error('Key algorithm mismatch');
-    switch (algorithm.name) {
+    if (baseKey.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    switch (normalizedAlgorithm.name) {
       case 'PBKDF2':
-        return pbkdf2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
+        return pbkdf2DeriveBits(normalizedAlgorithm, baseKey, length);
       case 'X25519':
       // Fall through
       case 'X448':
-        return xDeriveBits(algorithm, baseKey, length);
+        return xDeriveBits(normalizedAlgorithm, baseKey, length);
       case 'ECDH':
-        return ecDeriveBits(algorithm, baseKey, length);
+        return ecDeriveBits(normalizedAlgorithm, baseKey, length);
       case 'HKDF':
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
         return hkdfDeriveBits(
-          algorithm as unknown as HkdfAlgorithm,
+          normalizedAlgorithm as unknown as HkdfAlgorithm,
           baseKey,
           length,
         );
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        return argon2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
+        return argon2DeriveBits(normalizedAlgorithm, baseKey, length);
     }
-    throw new Error(
-      `'subtle.deriveBits()' for ${algorithm.name} is not implemented.`,
+    throw lazyDOMException(
+      `'subtle.deriveBits()' for ${normalizedAlgorithm.name} is not implemented.`,
+      'NotSupportedError',
     );
   }
 
@@ -2202,40 +2954,55 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
+    requireArgs(arguments.length, 5, 'deriveKey');
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'deriveBits');
+    const normalizedDerivedKeyAlgorithm = normalizeAlgorithm(
+      derivedKeyAlgorithm,
+      'importKey',
+    );
+
     // Validate baseKey usage
-    if (
-      !baseKey.usages.includes('deriveKey') &&
-      !baseKey.usages.includes('deriveBits')
-    ) {
+    if (!baseKey.usages.includes('deriveKey')) {
       throw lazyDOMException(
-        'baseKey does not have deriveKey or deriveBits usage',
+        'baseKey does not have deriveKey usage',
         'InvalidAccessError',
       );
     }
 
-    // Calculate required key length
-    const length = getKeyLength(derivedKeyAlgorithm);
+    if (baseKey.algorithm.name !== normalizedAlgorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
+
+    // Calculate required key length (may be null for KDF-derived material).
+    const length = getKeyLength(normalizedDerivedKeyAlgorithm);
 
     // Step 1: Derive bits
     let derivedBits: ArrayBuffer;
-    if (baseKey.algorithm.name !== algorithm.name)
-      throw new Error('Key algorithm mismatch');
-
-    switch (algorithm.name) {
+    switch (normalizedAlgorithm.name) {
       case 'PBKDF2':
-        derivedBits = await pbkdf2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
+        derivedBits = await pbkdf2DeriveBits(
+          normalizedAlgorithm,
+          baseKey,
+          length,
+        );
         break;
       case 'X25519':
       // Fall through
       case 'X448':
-        derivedBits = await xDeriveBits(algorithm, baseKey, length);
+        derivedBits = await xDeriveBits(normalizedAlgorithm, baseKey, length);
         break;
       case 'ECDH':
-        derivedBits = await ecDeriveBits(algorithm, baseKey, length);
+        derivedBits = await ecDeriveBits(normalizedAlgorithm, baseKey, length);
         break;
       case 'HKDF':
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
         derivedBits = hkdfDeriveBits(
-          algorithm as unknown as HkdfAlgorithm,
+          normalizedAlgorithm as unknown as HkdfAlgorithm,
           baseKey,
           length,
         );
@@ -2243,17 +3010,22 @@ export class Subtle {
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        derivedBits = argon2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw lazyDOMException('length cannot be null', 'OperationError');
+        }
+        derivedBits = argon2DeriveBits(normalizedAlgorithm, baseKey, length);
         break;
       default:
-        throw new Error(
-          `'subtle.deriveKey()' for ${algorithm.name} is not implemented.`,
+        throw lazyDOMException(
+          `'subtle.deriveKey()' for ${normalizedAlgorithm.name} is not implemented.`,
+          'NotSupportedError',
         );
     }
 
-    // Step 2: Import as key
+    // Step 2: Import as key. Use 'raw-secret' so derived material flows into
+    // AEADs / KMAC correctly — they reject plain 'raw' (Node webcrypto.js:381-385).
     return this.importKey(
-      'raw',
+      'raw-secret',
       derivedBits,
       derivedKeyAlgorithm,
       extractable,
@@ -2266,13 +3038,25 @@ export class Subtle {
     key: CryptoKey,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
-    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'encrypt');
+    requireArgs(arguments.length, 3, 'encrypt');
+    const normalizedAlgorithm = normalizeAlgorithm(
+      algorithm,
+      'encrypt',
+    ) as EncryptDecryptParams;
+    if (normalizedAlgorithm.name !== key.algorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    if (!key.usages.includes('encrypt')) {
+      throw lazyDOMException(
+        'Unable to use this key to encrypt',
+        'InvalidAccessError',
+      );
+    }
     return cipherOrWrap(
       CipherOrWrapMode.kWebCryptoCipherEncrypt,
-      normalizedAlgorithm as EncryptDecryptParams,
+      normalizedAlgorithm,
       key,
       bufferLikeToArrayBuffer(data),
-      'encrypt',
     );
   }
 
@@ -2280,16 +3064,19 @@ export class Subtle {
     format: ImportFormat,
     key: CryptoKey,
   ): Promise<ArrayBuffer | JWK> {
-    if (!key.extractable) throw new Error('key is not extractable');
+    requireArgs(arguments.length, 2, 'exportKey');
+    if (!key.extractable)
+      throw lazyDOMException('key is not extractable', 'InvalidAccessError');
 
     if (format === 'raw-seed') {
-      const pqcAlgos = [
+      const pqcAlgos: string[] = [
         'ML-KEM-512',
         'ML-KEM-768',
         'ML-KEM-1024',
         'ML-DSA-44',
         'ML-DSA-65',
         'ML-DSA-87',
+        ...SLH_DSA_VARIANTS,
       ];
       if (!pqcAlgos.includes(key.algorithm.name)) {
         throw lazyDOMException(
@@ -2306,9 +3093,6 @@ export class Subtle {
       return bufferLikeToArrayBuffer(key.keyObject.handle.exportKey());
     }
 
-    // Note: 'raw-seed' is handled above; do NOT normalize it here
-    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
-
     switch (format) {
       case 'spki':
         return (await exportKeySpki(key)) as ArrayBuffer;
@@ -2317,7 +3101,9 @@ export class Subtle {
       case 'jwk':
         return exportKeyJWK(key) as JWK;
       case 'raw':
-        return exportKeyRaw(key) as ArrayBuffer;
+      case 'raw-secret':
+      case 'raw-public':
+        return exportKeyRaw(key, format) as ArrayBuffer;
     }
   }
 
@@ -2327,10 +3113,18 @@ export class Subtle {
     wrappingKey: CryptoKey,
     wrapAlgorithm: EncryptDecryptParams,
   ): Promise<ArrayBuffer> {
-    // Validate wrappingKey usage
+    requireArgs(arguments.length, 4, 'wrapKey');
+    const normalizedWrapAlgorithm = normalizeAlgorithm(
+      wrapAlgorithm,
+      'wrapKey',
+    ) as EncryptDecryptParams;
+
+    if (normalizedWrapAlgorithm.name !== wrappingKey.algorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
     if (!wrappingKey.usages.includes('wrapKey')) {
       throw lazyDOMException(
-        'wrappingKey does not have wrapKey usage',
+        'Unable to use this key to wrapKey',
         'InvalidAccessError',
       );
     }
@@ -2345,7 +3139,7 @@ export class Subtle {
       const buffer = SBuffer.from(jwkString, 'utf8');
 
       // For AES-KW, pad to multiple of 8 bytes (accounting for null terminator)
-      if (wrapAlgorithm.name === 'AES-KW') {
+      if (normalizedWrapAlgorithm.name === 'AES-KW') {
         const length = buffer.length;
         // Add 1 for null terminator, then pad to multiple of 8
         const paddedLength = Math.ceil((length + 1) / 8) * 8;
@@ -2364,10 +3158,9 @@ export class Subtle {
     // Step 3: Encrypt the exported key
     return cipherOrWrap(
       CipherOrWrapMode.kWebCryptoCipherEncrypt,
-      wrapAlgorithm,
+      normalizedWrapAlgorithm,
       wrappingKey,
       keyData,
-      'wrapKey',
     );
   }
 
@@ -2380,10 +3173,18 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
-    // Validate unwrappingKey usage
+    requireArgs(arguments.length, 7, 'unwrapKey');
+    const normalizedUnwrapAlgorithm = normalizeAlgorithm(
+      unwrapAlgorithm,
+      'unwrapKey',
+    ) as EncryptDecryptParams;
+
+    if (normalizedUnwrapAlgorithm.name !== unwrappingKey.algorithm.name) {
+      throw lazyDOMException('Key algorithm mismatch', 'InvalidAccessError');
+    }
     if (!unwrappingKey.usages.includes('unwrapKey')) {
       throw lazyDOMException(
-        'unwrappingKey does not have unwrapKey usage',
+        'Unable to use this key to unwrapKey',
         'InvalidAccessError',
       );
     }
@@ -2391,10 +3192,9 @@ export class Subtle {
     // Step 1: Decrypt the wrapped key
     const decrypted = await cipherOrWrap(
       CipherOrWrapMode.kWebCryptoCipherDecrypt,
-      unwrapAlgorithm,
+      normalizedUnwrapAlgorithm,
       unwrappingKey,
       bufferLikeToArrayBuffer(wrappedKey),
-      'unwrapKey',
     );
 
     // Step 2: Convert to appropriate format
@@ -2403,7 +3203,7 @@ export class Subtle {
       const buffer = SBuffer.from(decrypted);
       // For AES-KW, the data may be padded - find the null terminator
       let jwkString: string;
-      if (unwrapAlgorithm.name === 'AES-KW') {
+      if (normalizedUnwrapAlgorithm.name === 'AES-KW') {
         // Find the null terminator (if present) to get the original string
         const nullIndex = buffer.indexOf(0);
         if (nullIndex !== -1) {
@@ -2435,6 +3235,7 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey | CryptoKeyPair> {
+    requireArgs(arguments.length, 3, 'generateKey');
     algorithm = normalizeAlgorithm(algorithm, 'generateKey');
     let result: CryptoKey | CryptoKeyPair;
     switch (algorithm.name) {
@@ -2521,6 +3322,25 @@ export class Subtle {
         );
         checkCryptoKeyPairUsages(result as CryptoKeyPair);
         break;
+      case 'SLH-DSA-SHA2-128s':
+      case 'SLH-DSA-SHA2-128f':
+      case 'SLH-DSA-SHA2-192s':
+      case 'SLH-DSA-SHA2-192f':
+      case 'SLH-DSA-SHA2-256s':
+      case 'SLH-DSA-SHA2-256f':
+      case 'SLH-DSA-SHAKE-128s':
+      case 'SLH-DSA-SHAKE-128f':
+      case 'SLH-DSA-SHAKE-192s':
+      case 'SLH-DSA-SHAKE-192f':
+      case 'SLH-DSA-SHAKE-256s':
+      case 'SLH-DSA-SHAKE-256f':
+        result = await slhdsa_generateKeyPairWebCrypto(
+          algorithm.name as SlhDsaVariant,
+          extractable,
+          keyUsages,
+        );
+        checkCryptoKeyPairUsages(result as CryptoKeyPair);
+        break;
       case 'X25519':
       // Fall through
       case 'X448':
@@ -2557,6 +3377,7 @@ export class Subtle {
     key: CryptoKey,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
+    requireArgs(arguments.length, 2, 'getPublicKey');
     if (key.type === 'secret') {
       throw lazyDOMException('key must be a private key', 'NotSupportedError');
     }
@@ -2575,8 +3396,11 @@ export class Subtle {
     extractable: boolean,
     keyUsages: KeyUsage[],
   ): Promise<CryptoKey> {
-    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
-    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
+    requireArgs(arguments.length, 5, 'importKey');
+    // Per-algorithm format handling. Some algorithms alias raw-secret/raw-public
+    // to 'raw' (RSA, EC, Ed/X, HMAC, HKDF, PBKDF2); others demand the
+    // disambiguated form (KMAC, AES-OCB, ChaCha20-Poly1305, Argon2, ML-DSA,
+    // ML-KEM). 'raw-seed' is never normalized — PQC import handles it directly.
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result: CryptoKey;
     switch (normalizedAlgorithm.name) {
@@ -2586,7 +3410,7 @@ export class Subtle {
       // Fall through
       case 'RSA-OAEP':
         result = rsaImportKey(
-          format,
+          aliasKeyFormat(format),
           data as BufferLike | JWK,
           normalizedAlgorithm,
           extractable,
@@ -2597,7 +3421,7 @@ export class Subtle {
       // Fall through
       case 'ECDH':
         result = ecImportKey(
-          format,
+          aliasKeyFormat(format),
           data,
           normalizedAlgorithm,
           extractable,
@@ -2605,6 +3429,9 @@ export class Subtle {
         );
         break;
       case 'HMAC':
+        // No aliasing — Node routes HMAC straight into mac.js, which accepts
+        // 'raw' / 'raw-secret' / 'jwk' and rejects everything else
+        // (webcrypto.js:774-781, mac.js:136-174).
         result = await hmacImportKey(
           normalizedAlgorithm,
           format,
@@ -2644,10 +3471,18 @@ export class Subtle {
         );
         break;
       case 'PBKDF2':
+        result = await pbkdf2ImportKey(
+          normalizedAlgorithm,
+          aliasKeyFormat(format),
+          data as BufferLike | BinaryLike,
+          extractable,
+          keyUsages,
+        );
+        break;
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        result = await importGenericSecretKey(
+        result = await argon2ImportKey(
           normalizedAlgorithm,
           format,
           data as BufferLike | BinaryLike,
@@ -2657,7 +3492,7 @@ export class Subtle {
         break;
       case 'HKDF':
         result = await hkdfImportKey(
-          format,
+          aliasKeyFormat(format),
           data as BufferLike | BinaryLike,
           normalizedAlgorithm,
           extractable,
@@ -2672,6 +3507,26 @@ export class Subtle {
       // Fall through
       case 'Ed448':
         result = edImportKey(
+          aliasKeyFormat(format),
+          data as BufferLike | JWK,
+          normalizedAlgorithm,
+          extractable,
+          keyUsages,
+        );
+        break;
+      case 'SLH-DSA-SHA2-128s':
+      case 'SLH-DSA-SHA2-128f':
+      case 'SLH-DSA-SHA2-192s':
+      case 'SLH-DSA-SHA2-192f':
+      case 'SLH-DSA-SHA2-256s':
+      case 'SLH-DSA-SHA2-256f':
+      case 'SLH-DSA-SHAKE-128s':
+      case 'SLH-DSA-SHAKE-128f':
+      case 'SLH-DSA-SHAKE-192s':
+      case 'SLH-DSA-SHAKE-192f':
+      case 'SLH-DSA-SHAKE-256s':
+      case 'SLH-DSA-SHAKE-256f':
+        result = slhdsaImportKey(
           format,
           data as BufferLike | JWK,
           normalizedAlgorithm,
@@ -2686,7 +3541,7 @@ export class Subtle {
       case 'ML-DSA-87':
         result = mldsaImportKey(
           format,
-          data as BufferLike,
+          data as BufferLike | JWK,
           normalizedAlgorithm,
           extractable,
           keyUsages,
@@ -2699,7 +3554,7 @@ export class Subtle {
       case 'ML-KEM-1024':
         result = mlkemImportKey(
           format,
-          data as BufferLike,
+          data as BufferLike | JWK,
           normalizedAlgorithm,
           extractable,
           keyUsages,
@@ -2728,6 +3583,7 @@ export class Subtle {
     key: CryptoKey,
     data: BufferLike,
   ): Promise<ArrayBuffer> {
+    requireArgs(arguments.length, 3, 'sign');
     return signVerify(
       normalizeAlgorithm(algorithm, 'sign'),
       key,
@@ -2741,6 +3597,7 @@ export class Subtle {
     signature: BufferLike,
     data: BufferLike,
   ): Promise<boolean> {
+    requireArgs(arguments.length, 4, 'verify');
     return signVerify(
       normalizeAlgorithm(algorithm, 'verify'),
       key,
@@ -2812,6 +3669,7 @@ export class Subtle {
     algorithm: SubtleAlgorithm,
     key: CryptoKey,
   ): Promise<EncapsulateResult> {
+    requireArgs(arguments.length, 2, 'encapsulateBits');
     if (!key.usages.includes('encapsulateBits')) {
       throw lazyDOMException(
         'Key does not have encapsulateBits usage',
@@ -2829,6 +3687,7 @@ export class Subtle {
     extractable: boolean,
     usages: KeyUsage[],
   ): Promise<{ key: CryptoKey; ciphertext: ArrayBuffer }> {
+    requireArgs(arguments.length, 5, 'encapsulateKey');
     if (!key.usages.includes('encapsulateKey')) {
       throw lazyDOMException(
         'Key does not have encapsulateKey usage',
@@ -2837,8 +3696,10 @@ export class Subtle {
     }
 
     const { sharedKey, ciphertext } = this._encapsulateCore(algorithm, key);
+    // Node imports the encapsulated shared bits as 'raw-secret'
+    // (webcrypto.js:1370-1374) so AEADs / KMAC accept the result.
     const importedKey = await this.importKey(
-      'raw',
+      'raw-secret',
       sharedKey,
       sharedKeyAlgorithm,
       extractable,
@@ -2853,6 +3714,7 @@ export class Subtle {
     key: CryptoKey,
     ciphertext: BufferLike,
   ): Promise<ArrayBuffer> {
+    requireArgs(arguments.length, 3, 'decapsulateBits');
     if (!key.usages.includes('decapsulateBits')) {
       throw lazyDOMException(
         'Key does not have decapsulateBits usage',
@@ -2871,6 +3733,7 @@ export class Subtle {
     extractable: boolean,
     usages: KeyUsage[],
   ): Promise<CryptoKey> {
+    requireArgs(arguments.length, 6, 'decapsulateKey');
     if (!key.usages.includes('decapsulateKey')) {
       throw lazyDOMException(
         'Key does not have decapsulateKey usage',
@@ -2879,8 +3742,10 @@ export class Subtle {
     }
 
     const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
+    // Node imports the decapsulated shared bits as 'raw-secret'
+    // (webcrypto.js:1490-1494).
     return this.importKey(
-      'raw',
+      'raw-secret',
       sharedKey,
       sharedKeyAlgorithm,
       extractable,
@@ -2891,8 +3756,14 @@ export class Subtle {
 
 export const subtle = new Subtle();
 
-function getKeyLength(algorithm: SubtleAlgorithm): number {
+// Returns the number of bits to derive for an `importKey` algorithm, mirroring
+// Node's webcrypto.js:269-306 `getKeyLength`. Returns null for KDF algorithms
+// (HKDF / PBKDF2 / Argon2) — those carry their full derived secret without a
+// fixed key length. Throws OperationError on invalid AES / HMAC inputs rather
+// than silently coercing to a default (Node commit 4cb1f284136 behavior).
+function getKeyLength(algorithm: SubtleAlgorithm): number | null {
   const name = algorithm.name;
+  const length = (algorithm as { length?: number }).length;
 
   switch (name) {
     case 'AES-CTR':
@@ -2900,18 +3771,38 @@ function getKeyLength(algorithm: SubtleAlgorithm): number {
     case 'AES-GCM':
     case 'AES-KW':
     case 'AES-OCB':
-    case 'ChaCha20-Poly1305':
-      return (algorithm as AesKeyGenParams).length || 256;
+      if (length !== 128 && length !== 192 && length !== 256) {
+        throw lazyDOMException('Invalid key length', 'OperationError');
+      }
+      return length;
 
     case 'HMAC': {
-      const hmacAlg = algorithm as { length?: number };
-      return hmacAlg.length || 256;
+      if (length === undefined) {
+        return getHmacBlockSize(
+          (algorithm.hash as { name?: string } | undefined)?.name ??
+            (algorithm.hash as string | undefined),
+        );
+      }
+      if (typeof length === 'number' && length !== 0) {
+        return length;
+      }
+      throw lazyDOMException('Invalid key length', 'OperationError');
     }
 
     case 'KMAC128':
-      return algorithm.length || 128;
+      return typeof length === 'number' ? length : 128;
     case 'KMAC256':
-      return algorithm.length || 256;
+      return typeof length === 'number' ? length : 256;
+
+    case 'ChaCha20-Poly1305':
+      return 256;
+
+    case 'HKDF':
+    case 'PBKDF2':
+    case 'Argon2d':
+    case 'Argon2i':
+    case 'Argon2id':
+      return null;
 
     default:
       throw lazyDOMException(
@@ -2920,3 +3811,25 @@ function getKeyLength(algorithm: SubtleAlgorithm): number {
       );
   }
 }
+
+function getHmacBlockSize(name: string | undefined): number {
+  switch (name) {
+    case 'SHA-1':
+    case 'SHA-256':
+      return 512;
+    case 'SHA-384':
+    case 'SHA-512':
+      return 1024;
+    case 'SHA3-256':
+    case 'SHA3-384':
+    case 'SHA3-512':
+      // SHA-3 / HMAC interaction undefined — Node throws here too
+      // (webcrypto-modern-algos issue #23).
+      throw lazyDOMException(
+        'Explicit algorithm length member is required',
+        'NotSupportedError',
+      );
+    default:
+      throw lazyDOMException('Invalid key length', 'OperationError');
+  }
+}