react-native-quick-crypto 1.1.1 → 1.1.2

package/lib/commonjs/subtle.js

@@ -3,11 +3,12 @@
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
-exports.Subtle = void 0;
+exports.Subtle = exports.PQC_SEEDLESS_PKCS8_LENGTHS = void 0;
 exports.isCryptoKeyPair = isCryptoKeyPair;
 exports.subtle = void 0;
 var _safeBuffer = require("safe-buffer");
 var _utils = require("./utils");
+var _reactNativeBuffer = require("@craftzdog/react-native-buffer");
 var _keys = require("./keys");
 var _conversion = require("./utils/conversion");
 var _argon = require("./argon2");
@@ -25,6 +26,7 @@ var _timingSafeEqual = require("./utils/timingSafeEqual");
 var _signVerify = require("./keys/signVerify");
 var _ed = require("./ed");
 var _mldsa = require("./mldsa");
+var _slhdsa = require("./slhdsa");
 var _mlkem = require("./mlkem");
 var _hkdf = require("./hkdf");
 /* eslint-disable @typescript-eslint/no-unused-vars */
@@ -44,6 +46,16 @@ function hasAnyNotIn(usages, allowed) {
   return usages.some(usage => !allowed.includes(usage));
 }
 
+// Mirrors webidl.requiredArguments. Node throws TypeError when a SubtleCrypto
+// method is called with fewer than the spec-required number of arguments
+// (webcrypto.js:866 etc.); we relied on TypeScript types alone, which apps
+// catching `instanceof TypeError` could not see at runtime.
+function requireArgs(actual, required, method) {
+  if (actual < required) {
+    throw new TypeError(`Failed to execute '${method}' on 'SubtleCrypto': ${required} arguments required, but only ${actual} present.`);
+  }
+}
+
 // WebCrypto §18.4.4: algorithm name lookup is case-insensitive, but the
 // canonical mixed-case form is preserved in the resulting `name` field
 // (e.g. "aes-gcm" → "AES-GCM"). This map is built lazily on first call so
@@ -85,27 +97,6 @@ function normalizeAlgorithm(algorithm, _operation) {
   }
   return algorithm;
 }
-
-// WebCrypto §25.7.6 (JWK import): if the JWK's `ext` member is present and
-// false, the requested `extractable` parameter must also be false. If the
-// JWK's `key_ops` member is present, every requested usage must appear in
-// it. We centralize the check here so every importKey path that accepts
-// `format === 'jwk'` can reuse it.
-function validateJwkExtAndKeyOps(jwk, extractable, keyUsages) {
-  if (jwk.ext === false && extractable) {
-    throw (0, _errors.lazyDOMException)('JWK "ext" is false but extractable was requested', 'DataError');
-  }
-  if (jwk.key_ops !== undefined) {
-    if (!Array.isArray(jwk.key_ops)) {
-      throw (0, _errors.lazyDOMException)('JWK "key_ops" must be an array', 'DataError');
-    }
-    for (const usage of keyUsages) {
-      if (!jwk.key_ops.includes(usage)) {
-        throw (0, _errors.lazyDOMException)(`JWK "key_ops" does not include requested usage "${usage}"`, 'DataError');
-      }
-    }
-  }
-}
 function getAlgorithmName(name, length) {
   switch (name) {
     case 'AES-CBC':
@@ -125,17 +116,55 @@ function getAlgorithmName(name, length) {
   }
 }
 
-// Placeholder implementations for missing functions
+// Mirrors Node's aliasKeyFormat (lib/internal/crypto/webcrypto.js): for
+// algorithms whose import/export accepts both 'raw' and the disambiguated
+// 'raw-secret' / 'raw-public', collapse the latter to 'raw'. Used per-algorithm
+// — algorithms that demand the disambiguated form (KMAC, AES-OCB,
+// ChaCha20-Poly1305, Argon2*, ML-DSA, ML-KEM) MUST NOT alias.
+function aliasKeyFormat(format) {
+  if (format === 'raw-secret' || format === 'raw-public') return 'raw';
+  return format;
+}
+const kUncompressedSpkiLength = {
+  'P-256': 91,
+  'P-384': 120,
+  'P-521': 158
+};
 function ecExportKey(key, format) {
   const keyObject = key.keyObject;
   if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw) {
     return (0, _conversion.bufferLikeToArrayBuffer)(keyObject.handle.exportKey());
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
-    const exported = keyObject.export({
+    const exported = (0, _conversion.bufferLikeToArrayBuffer)(keyObject.export({
       format: 'der',
       type: 'spki'
-    });
-    return (0, _conversion.bufferLikeToArrayBuffer)(exported);
+    }));
+
+    // WebCrypto requires uncompressed point format for SPKI exports.
+    // If the key was imported in compressed form, re-export as uncompressed
+    // by reconstructing the point from the JWK x,y coordinates and
+    // round-tripping through initECRaw.
+    const namedCurve = key.algorithm.namedCurve;
+    const expected = namedCurve === undefined ? undefined : kUncompressedSpkiLength[namedCurve];
+    if (expected !== undefined && exported.byteLength !== expected) {
+      const jwk = keyObject.handle.exportJwk({}, false);
+      if (!jwk.x || !jwk.y) {
+        throw (0, _errors.lazyDOMException)('Failed to re-export EC public key as uncompressed SPKI', 'OperationError');
+      }
+      const x = _reactNativeBuffer.Buffer.from(jwk.x, 'base64url');
+      const y = _reactNativeBuffer.Buffer.from(jwk.y, 'base64url');
+      const raw = new Uint8Array(1 + x.length + y.length);
+      raw[0] = 0x04;
+      raw.set(x, 1);
+      raw.set(y, 1 + x.length);
+      const tmp = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
+      const curveAlias = _utils.kNamedCurveAliases[namedCurve];
+      if (!tmp.initECRaw(curveAlias, raw.buffer)) {
+        throw (0, _errors.lazyDOMException)('Failed to re-export EC public key as uncompressed SPKI', 'OperationError');
+      }
+      return (0, _conversion.bufferLikeToArrayBuffer)(tmp.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.SPKI));
+    }
+    return exported;
   } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
     const exported = keyObject.export({
       format: 'der',
@@ -570,10 +599,17 @@ function kmacSignVerify(key, data, algorithm, signature) {
   const {
     name
   } = algorithm;
-  const defaultLength = name === 'KMAC128' ? 256 : 512;
-  const outputLengthBits = algorithm.length ?? defaultLength;
+
+  // KmacParams.outputLength is required per
+  // https://wicg.github.io/webcrypto-modern-algos/#KmacParams-dictionary
+  // and the rename from `length` (commit ab8dc2b84c2). Mirror Node's
+  // mac.js:213-223 by reading `outputLength` (in bits).
+  if (typeof algorithm.outputLength !== 'number') {
+    throw (0, _errors.lazyDOMException)(`${name}Params.outputLength is required`, 'OperationError');
+  }
+  const outputLengthBits = algorithm.outputLength;
   if (outputLengthBits % 8 !== 0) {
-    throw (0, _errors.lazyDOMException)('KMAC output length must be a multiple of 8', 'OperationError');
+    throw (0, _errors.lazyDOMException)(`Unsupported ${name}Params outputLength`, 'NotSupportedError');
   }
   const outputLengthBytes = outputLengthBits / 8;
   const keyData = key.keyObject.export();
@@ -598,30 +634,43 @@ async function kmacImportKey(algorithm, format, data, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
-    throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
-  }
   let keyObject;
   if (format === 'jwk') {
     const jwk = data;
     if (!jwk || typeof jwk !== 'object') {
       throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
-    validateJwkExtAndKeyOps(jwk, extractable, keyUsages);
     if (jwk.kty !== 'oct') {
-      throw (0, _errors.lazyDOMException)('Invalid JWK format for KMAC key', 'DataError');
+      throw (0, _errors.lazyDOMException)('Invalid JWK "kty" Parameter', 'DataError');
     }
+    (0, _validation.validateJwkStructure)(jwk, extractable, keyUsages, 'sig');
     const expectedAlg = name === 'KMAC128' ? 'K128' : 'K256';
     if (jwk.alg !== undefined && jwk.alg !== expectedAlg) {
-      throw (0, _errors.lazyDOMException)('JWK "alg" does not match the requested algorithm', 'DataError');
+      throw (0, _errors.lazyDOMException)('JWK "alg" Parameter and algorithm name mismatch', 'DataError');
+    }
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
     }
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', {
+        name: 'DataError',
+        cause: err
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw (0, _errors.lazyDOMException)('Failed to import KMAC JWK', 'DataError');
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
     keyObject = new _keys.SecretKeyObject(handle);
-  } else if (format === 'raw' || format === 'raw-secret') {
+  } else if (format === 'raw-secret') {
+    // KMAC accepts only the disambiguated 'raw-secret' form (Node mac.js:141-145
+    // returns undefined for plain 'raw' when not HMAC).
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
+    }
     keyObject = (0, _keys.createSecretKey)(data);
   } else {
     throw (0, _errors.lazyDOMException)(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
@@ -644,8 +693,6 @@ function rsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-
-  // Validate usages
   let checkSet;
   switch (name) {
     case 'RSASSA-PKCS1-v1_5':
@@ -658,40 +705,70 @@ function rsaImportKey(format, data, algorithm, extractable, keyUsages) {
     default:
       throw new Error(`Unsupported RSA algorithm: ${name}`);
   }
-  if (hasAnyNotIn(keyUsages, checkSet)) {
-    throw new Error(`Unsupported key usage for ${name}`);
-  }
+  const checkUsages = () => {
+    if (hasAnyNotIn(keyUsages, checkSet)) {
+      throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
+    }
+  };
   let keyObject;
   if (format === 'jwk') {
     const jwk = data;
-
-    // Validate JWK
+    if (!jwk || typeof jwk !== 'object') {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
+    }
     if (jwk.kty !== 'RSA') {
-      throw new Error('Invalid JWK format for RSA key');
+      throw (0, _errors.lazyDOMException)('Invalid JWK "kty" Parameter', 'DataError');
+    }
+    const expectedUse = name === 'RSA-OAEP' ? 'enc' : 'sig';
+    (0, _validation.validateJwkStructure)(jwk, extractable, keyUsages, expectedUse);
+    checkUsages();
+    if (jwk.alg !== undefined) {
+      let jwkContext;
+      switch (name) {
+        case 'RSASSA-PKCS1-v1_5':
+          jwkContext = _hashnames.HashContext.JwkRsa;
+          break;
+        case 'RSA-PSS':
+          jwkContext = _hashnames.HashContext.JwkRsaPss;
+          break;
+        default:
+          jwkContext = _hashnames.HashContext.JwkRsaOaep;
+      }
+      const expectedAlg = (0, _hashnames.normalizeHashName)(algorithm.hash, jwkContext);
+      if (jwk.alg !== expectedAlg) {
+        throw (0, _errors.lazyDOMException)('JWK "alg" does not match the requested algorithm', 'DataError');
+      }
     }
-    validateJwkExtAndKeyOps(jwk, extractable, keyUsages);
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', {
+        name: 'DataError',
+        cause: err
+      });
+    }
     if (keyType === undefined) {
-      throw new Error('Failed to import RSA JWK');
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
-
-    // Create the appropriate KeyObject based on type
-    if (keyType === 1) {
+    if (keyType === _utils.KeyType.PUBLIC) {
       keyObject = new _keys.PublicKeyObject(handle);
-    } else if (keyType === 2) {
+    } else if (keyType === _utils.KeyType.PRIVATE) {
       keyObject = new _keys.PrivateKeyObject(handle);
     } else {
-      throw new Error('Unexpected key type from RSA JWK import');
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
   } else if (format === 'spki') {
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     keyObject = _keys.KeyObject.createKeyObject('public', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
   } else if (format === 'pkcs8') {
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     keyObject = _keys.KeyObject.createKeyObject('private', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
   } else {
-    throw new Error(`Unsupported format for RSA import: ${format}`);
+    throw (0, _errors.lazyDOMException)(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
   }
 
   // Get the modulus length from the key and add it to the algorithm
@@ -725,29 +802,26 @@ function rsaImportKey(format, data, algorithm, extractable, keyUsages) {
   return new _keys.CryptoKey(keyObject, algorithmWithDetails, keyUsages, extractable);
 }
 async function hmacImportKey(algorithm, format, data, extractable, keyUsages) {
-  // Validate usages
-  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
-    throw new Error('Unsupported key usage for an HMAC key');
-  }
+  const checkUsages = () => {
+    if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+      throw new Error('Unsupported key usage for an HMAC key');
+    }
+  };
   let keyObject;
   if (format === 'jwk') {
     const jwk = data;
-
-    // Validate JWK
     if (!jwk || typeof jwk !== 'object') {
       throw new Error('Invalid keyData');
     }
-    validateJwkExtAndKeyOps(jwk, extractable, keyUsages);
     if (jwk.kty !== 'oct') {
       throw new Error('Invalid JWK format for HMAC key');
     }
-
-    // Validate key length if specified
+    (0, _validation.validateJwkStructure)(jwk, extractable, keyUsages, 'sig');
+    checkUsages();
     if (algorithm.length !== undefined) {
       if (!jwk.k) {
         throw new Error('JWK missing key data');
       }
-      // Decode to check length
       const decoded = _safeBuffer.Buffer.from(jwk.k, 'base64');
       const keyBitLength = decoded.length * 8;
       if (algorithm.length === 0) {
@@ -758,15 +832,25 @@ async function hmacImportKey(algorithm, format, data, extractable, keyUsages) {
       }
     }
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', {
+        name: 'DataError',
+        cause: err
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw new Error('Failed to import HMAC JWK');
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
     keyObject = new _keys.SecretKeyObject(handle);
-  } else if (format === 'raw') {
+  } else if (format === 'raw' || format === 'raw-secret') {
+    // HMAC accepts both 'raw' and 'raw-secret' (Node mac.js:141-145).
+    checkUsages();
     keyObject = (0, _keys.createSecretKey)(data);
   } else {
-    throw new Error(`Unable to import HMAC key with format ${format}`);
+    throw (0, _errors.lazyDOMException)(`Unable to import HMAC key with format ${format}`, 'NotSupportedError');
   }
 
   // Normalize hash to { name: string } format per WebCrypto spec
@@ -785,43 +869,57 @@ async function aesImportKey(algorithm, format, data, extractable, keyUsages) {
     name,
     length
   } = algorithm;
-
-  // Validate usages
   const validUsages = ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'];
-  if (hasAnyNotIn(keyUsages, validUsages)) {
-    throw new Error(`Unsupported key usage for ${name}`);
-  }
+  const checkUsages = () => {
+    if (hasAnyNotIn(keyUsages, validUsages)) {
+      throw new Error(`Unsupported key usage for ${name}`);
+    }
+  };
+
+  // AES-OCB and ChaCha20-Poly1305 require the disambiguated 'raw-secret' form
+  // and reject 'raw' (Node aes.js:243-249, chacha20_poly1305.js:104-134).
+  // Other AES variants accept both 'raw' and 'raw-secret'.
+  const requiresRawSecret = name === 'AES-OCB' || name === 'ChaCha20-Poly1305';
+  const acceptsRaw = format === 'raw-secret' || format === 'raw' && !requiresRawSecret;
   let keyObject;
   let actualLength;
   if (format === 'jwk') {
     const jwk = data;
-
-    // Validate JWK
     if (jwk.kty !== 'oct') {
       throw new Error('Invalid JWK format for AES key');
     }
-    validateJwkExtAndKeyOps(jwk, extractable, keyUsages);
+    (0, _validation.validateJwkStructure)(jwk, extractable, keyUsages, 'enc');
+    checkUsages();
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    const keyType = handle.initJwk(jwk, undefined);
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwk, undefined);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', {
+        name: 'DataError',
+        cause: err
+      });
+    }
     if (keyType === undefined || keyType !== 0) {
-      throw new Error('Failed to import AES JWK');
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
     }
     keyObject = new _keys.SecretKeyObject(handle);
-
-    // Get actual key length from imported key
     const exported = keyObject.export();
     actualLength = exported.byteLength * 8;
-  } else if (format === 'raw') {
+  } else if (acceptsRaw) {
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     actualLength = keyData.byteLength * 8;
-
-    // Validate key length
-    if (![128, 192, 256].includes(actualLength)) {
+    if (name === 'ChaCha20-Poly1305') {
+      if (actualLength !== 256) {
+        throw (0, _errors.lazyDOMException)('Invalid ChaCha20-Poly1305 key length', 'DataError');
+      }
+    } else if (![128, 192, 256].includes(actualLength)) {
       throw new Error('Invalid AES key length');
     }
     keyObject = (0, _keys.createSecretKey)(keyData);
   } else {
-    throw new Error(`Unsupported format for AES import: ${format}`);
+    throw (0, _errors.lazyDOMException)(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
   }
 
   // Validate length if specified
@@ -837,35 +935,57 @@ function edImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-
-  // Validate usages
   const isX = name === 'X25519' || name === 'X448';
   const allowedUsages = isX ? ['deriveKey', 'deriveBits'] : ['sign', 'verify'];
-  if (hasAnyNotIn(keyUsages, allowedUsages)) {
-    throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
-  }
+  const checkUsages = () => {
+    if (hasAnyNotIn(keyUsages, allowedUsages)) {
+      throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
+    }
+  };
   let keyObject;
   if (format === 'spki') {
-    // Import public key
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     keyObject = _keys.KeyObject.createKeyObject('public', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
   } else if (format === 'pkcs8') {
-    // Import private key
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     keyObject = _keys.KeyObject.createKeyObject('private', keyData, _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
   } else if (format === 'raw') {
-    // Raw format - public key only for Ed keys
+    checkUsages();
     const keyData = (0, _conversion.bufferLikeToArrayBuffer)(data);
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    // For raw Ed keys, we need to create them differently
-    // Raw public keys are just the key bytes
-    handle.init(1, keyData); // 1 = public key type
+    handle.init(1, keyData);
     keyObject = new _keys.PublicKeyObject(handle);
   } else if (format === 'jwk') {
     const jwkData = data;
-    validateJwkExtAndKeyOps(jwkData, extractable, keyUsages);
+    if (!jwkData || typeof jwkData !== 'object') {
+      throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
+    }
+    if (jwkData.kty !== 'OKP') {
+      throw (0, _errors.lazyDOMException)('Invalid JWK "kty" Parameter', 'DataError');
+    }
+    const expectedUse = isX ? 'enc' : 'sig';
+    (0, _validation.validateJwkStructure)(jwkData, extractable, keyUsages, expectedUse);
+    if (jwkData.crv !== name) {
+      throw (0, _errors.lazyDOMException)('JWK "crv" Parameter and algorithm name mismatch', 'DataError');
+    }
+    if (!isX && jwkData.alg !== undefined) {
+      if (jwkData.alg !== name && jwkData.alg !== 'EdDSA') {
+        throw (0, _errors.lazyDOMException)('JWK "alg" does not match the requested algorithm', 'DataError');
+      }
+    }
+    checkUsages();
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
-    const keyType = handle.initJwk(jwkData);
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwkData);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid JWK data', {
+        name: 'DataError',
+        cause: err
+      });
+    }
     if (keyType === undefined) {
       throw (0, _errors.lazyDOMException)('Invalid JWK data', 'DataError');
     }
@@ -881,48 +1001,171 @@ function edImportKey(format, data, algorithm, extractable, keyUsages) {
     name
   }, keyUsages, extractable);
 }
+
+// Lengths (in bytes) of seedless ML-DSA / ML-KEM PKCS#8 encodings. A PKCS#8
+// blob of exactly this length contains only the expanded private key with no
+// seed; Node rejects these to keep cross-implementation interop intact.
+// Refs: node lib/internal/crypto/ml_dsa.js (mlDsaImportKey, pkcs8 case)
+//       node lib/internal/crypto/ml_kem.js (mlKemImportKey, pkcs8 case)
+const PQC_SEEDLESS_PKCS8_LENGTHS = exports.PQC_SEEDLESS_PKCS8_LENGTHS = {
+  'ML-DSA-44': 2588,
+  'ML-DSA-65': 4060,
+  'ML-DSA-87': 4924,
+  'ML-KEM-512': 1660,
+  'ML-KEM-768': 2428,
+  'ML-KEM-1024': 3196
+};
+
+// Map from PQC algorithm name to display family. Used to render the
+// import-rejection error message in the same form Node emits.
+const PQC_FAMILY = {
+  'ML-DSA-44': 'ML-DSA',
+  'ML-DSA-65': 'ML-DSA',
+  'ML-DSA-87': 'ML-DSA',
+  'ML-KEM-512': 'ML-KEM',
+  'ML-KEM-768': 'ML-KEM',
+  'ML-KEM-1024': 'ML-KEM',
+  'SLH-DSA-SHA2-128s': 'SLH-DSA',
+  'SLH-DSA-SHA2-128f': 'SLH-DSA',
+  'SLH-DSA-SHA2-192s': 'SLH-DSA',
+  'SLH-DSA-SHA2-192f': 'SLH-DSA',
+  'SLH-DSA-SHA2-256s': 'SLH-DSA',
+  'SLH-DSA-SHA2-256f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-128s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-128f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-192s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-192f': 'SLH-DSA',
+  'SLH-DSA-SHAKE-256s': 'SLH-DSA',
+  'SLH-DSA-SHAKE-256f': 'SLH-DSA'
+};
 function pqcImportKeyObject(format, data, name) {
   if (format === 'spki') {
-    return _keys.KeyObject.createKeyObject('public', (0, _conversion.bufferLikeToArrayBuffer)(data), _utils.KFormatType.DER, _utils.KeyEncoding.SPKI);
+    return {
+      keyObject: _keys.KeyObject.createKeyObject('public', (0, _conversion.bufferLikeToArrayBuffer)(data), _utils.KFormatType.DER, _utils.KeyEncoding.SPKI),
+      isPublic: true
+    };
   } else if (format === 'pkcs8') {
-    return _keys.KeyObject.createKeyObject('private', (0, _conversion.bufferLikeToArrayBuffer)(data), _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8);
-  } else if (format === 'raw') {
+    const ab = (0, _conversion.bufferLikeToArrayBuffer)(data);
+    const family = PQC_FAMILY[name];
+    if (family !== undefined && ab.byteLength === PQC_SEEDLESS_PKCS8_LENGTHS[name]) {
+      throw (0, _errors.lazyDOMException)(`Importing an ${family} PKCS#8 key without a seed is not supported`, 'NotSupportedError');
+    }
+    return {
+      keyObject: _keys.KeyObject.createKeyObject('private', ab, _utils.KFormatType.DER, _utils.KeyEncoding.PKCS8),
+      isPublic: false
+    };
+  } else if (format === 'raw-public') {
+    // ML-DSA / ML-KEM reject plain 'raw' — only 'raw-public' is accepted for
+    // public-key import (Node webcrypto.js:493-499, 506-511).
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
     if (!handle.initPqcRaw(name, (0, _conversion.bufferLikeToArrayBuffer)(data), true)) {
       throw (0, _errors.lazyDOMException)(`Failed to import ${name} raw public key`, 'DataError');
     }
-    return new _keys.PublicKeyObject(handle);
+    return {
+      keyObject: new _keys.PublicKeyObject(handle),
+      isPublic: true
+    };
   } else if (format === 'raw-seed') {
     const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
     if (!handle.initPqcRaw(name, (0, _conversion.bufferLikeToArrayBuffer)(data), false)) {
       throw (0, _errors.lazyDOMException)(`Failed to import ${name} raw seed`, 'DataError');
     }
-    return new _keys.PrivateKeyObject(handle);
+    return {
+      keyObject: new _keys.PrivateKeyObject(handle),
+      isPublic: false
+    };
+  } else if (format === 'jwk') {
+    const jwkData = data;
+    const isPublic = jwkData.priv === undefined;
+    const handle = _reactNativeNitroModules.NitroModules.createHybridObject('KeyObjectHandle');
+    let keyType;
+    try {
+      keyType = handle.initJwk(jwkData);
+    } catch (err) {
+      throw (0, _errors.lazyDOMException)('Invalid JWK data', {
+        name: 'DataError',
+        cause: err
+      });
+    }
+    if (keyType === undefined) {
+      throw (0, _errors.lazyDOMException)('Invalid JWK data', 'DataError');
+    }
+    return {
+      keyObject: isPublic ? new _keys.PublicKeyObject(handle) : new _keys.PrivateKeyObject(handle),
+      isPublic
+    };
   }
   throw (0, _errors.lazyDOMException)(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
 }
+
+// Per WebCrypto AKP JWK rules, public-vs-private is determined by the presence
+// of `priv`. For binary formats it follows from the format itself.
+function pqcIsPublicImport(format, data) {
+  if (format === 'jwk') {
+    return typeof data === 'object' && data !== null && data.priv === undefined;
+  }
+  return format === 'spki' || format === 'raw-public';
+}
+function validatePqcJwk(data, name, extractable, keyUsages, expectedUse) {
+  if (typeof data !== 'object' || data === null) {
+    throw (0, _errors.lazyDOMException)('Invalid keyData', 'DataError');
+  }
+  const jwk = data;
+  if (jwk.kty !== 'AKP') {
+    throw (0, _errors.lazyDOMException)('Invalid JWK "kty" Parameter', 'DataError');
+  }
+  (0, _validation.validateJwkStructure)(jwk, extractable, keyUsages, expectedUse);
+  if (jwk.alg !== name) {
+    throw (0, _errors.lazyDOMException)('JWK "alg" Parameter and algorithm name mismatch', 'DataError');
+  }
+}
+
+// Validates that `format` is one of the formats PQC algorithms accept; rejects
+// plain 'raw' early so the format error wins over usage-based errors.
+function validatePqcFormat(format, name) {
+  if (format !== 'spki' && format !== 'pkcs8' && format !== 'raw-public' && format !== 'raw-seed' && format !== 'jwk') {
+    throw (0, _errors.lazyDOMException)(`Unsupported format for ${name} import: ${format}`, 'NotSupportedError');
+  }
+}
 function mldsaImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-  const isPublicFormat = format === 'spki' || format === 'raw';
-  if (hasAnyNotIn(keyUsages, isPublicFormat ? ['verify'] : ['sign'])) {
+  validatePqcFormat(format, name);
+  if (format === 'jwk') {
+    validatePqcJwk(data, name, extractable, keyUsages, 'sig');
+  }
+  const isPublic = pqcIsPublicImport(format, data);
+  if (hasAnyNotIn(keyUsages, isPublic ? ['verify'] : ['sign'])) {
     throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  return new _keys.CryptoKey(pqcImportKeyObject(format, data, name), {
+  const {
+    keyObject
+  } = pqcImportKeyObject(format, data, name);
+  return new _keys.CryptoKey(keyObject, {
     name
   }, keyUsages, extractable);
 }
+function slhdsaImportKey(format, data, algorithm, extractable, keyUsages) {
+  return mldsaImportKey(format, data, algorithm, extractable, keyUsages);
+}
 function mlkemImportKey(format, data, algorithm, extractable, keyUsages) {
   const {
     name
   } = algorithm;
-  const isPublicFormat = format === 'spki' || format === 'raw';
-  const allowedUsages = isPublicFormat ? ['encapsulateBits', 'encapsulateKey'] : ['decapsulateBits', 'decapsulateKey'];
+  validatePqcFormat(format, name);
+  if (format === 'jwk') {
+    validatePqcJwk(data, name, extractable, keyUsages, 'enc');
+  }
+  const isPublic = pqcIsPublicImport(format, data);
+  const allowedUsages = isPublic ? ['encapsulateBits', 'encapsulateKey'] : ['decapsulateBits', 'decapsulateKey'];
   if (hasAnyNotIn(keyUsages, allowedUsages)) {
     throw (0, _errors.lazyDOMException)(`Unsupported key usage for ${name} key`, 'SyntaxError');
   }
-  return new _keys.CryptoKey(pqcImportKeyObject(format, data, name), {
+  const {
+    keyObject
+  } = pqcImportKeyObject(format, data, name);
+  return new _keys.CryptoKey(keyObject, {
     name
   }, keyUsages, extractable);
 }
@@ -961,8 +1204,21 @@ const exportKeySpki = async key => {
     case 'ML-DSA-65':
     // Fall through
     case 'ML-DSA-87':
+    // Fall through
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       if (key.type === 'public') {
-        // Export ML-DSA key in SPKI DER format
+        // Export ML-DSA / SLH-DSA key in SPKI DER format
         return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.SPKI));
       }
       break;
@@ -1013,16 +1269,35 @@ const exportKeyPkcs8 = async key => {
     case 'ML-DSA-65':
     // Fall through
     case 'ML-DSA-87':
-      if (key.type === 'private') {
-        // Export ML-DSA key in PKCS8 DER format
-        return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8));
-      }
-      break;
+    // Fall through
     case 'ML-KEM-512':
     // Fall through
     case 'ML-KEM-768':
     // Fall through
     case 'ML-KEM-1024':
+      if (key.type === 'private') {
+        const ab = (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8));
+        // 22 bytes of PKCS#8 ASN.1 + seed (32 ML-DSA, 64 ML-KEM). Guards
+        // against a seedless KeyObject that was wrapped via toCryptoKey.
+        const expected = key.algorithm.name.startsWith('ML-DSA') ? 54 : 86;
+        if (ab.byteLength !== expected) {
+          throw (0, _errors.lazyDOMException)('The operation failed for an operation-specific reason', 'OperationError');
+        }
+        return ab;
+      }
+      break;
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       if (key.type === 'private') {
         return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey(_utils.KFormatType.DER, _utils.KeyEncoding.PKCS8));
       }
@@ -1030,71 +1305,87 @@ const exportKeyPkcs8 = async key => {
   }
   throw new Error(`Unable to export a pkcs8 ${key.algorithm.name} ${key.type} key`);
 };
-const exportKeyRaw = key => {
-  switch (key.algorithm.name) {
+
+// Mirrors Node's export key matrix (lib/internal/crypto/webcrypto.js
+// exportKeyRawSecret / exportKeyRawPublic, lines 472-563):
+//
+//   raw         — AES-CTR/CBC/GCM/KW + HMAC (secret); ECDSA/ECDH/Ed/X (public)
+//   raw-secret  — AES-CTR/CBC/GCM/KW + HMAC + AES-OCB + KMAC + ChaCha20-Poly1305
+//   raw-public  — ECDSA/ECDH + Ed/X + ML-DSA + ML-KEM (public)
+const exportKeyRaw = (key, format) => {
+  const name = key.algorithm.name;
+  const isPublic = key.type === 'public';
+  const isSecret = key.type === 'secret';
+  const exportSecret = () => {
+    const exported = key.keyObject.export();
+    return exported.buffer.slice(exported.byteOffset, exported.byteOffset + exported.byteLength);
+  };
+  const exportRawPublic = () => (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey());
+  const fail = () => {
+    throw (0, _errors.lazyDOMException)(`Unable to export ${name} ${key.type} key using ${format} format`, 'NotSupportedError');
+  };
+
+  // Symmetric: AES-CTR/CBC/GCM/KW and HMAC accept both 'raw' and 'raw-secret';
+  // AES-OCB / KMAC* / ChaCha20-Poly1305 only 'raw-secret'.
+  switch (name) {
+    case 'AES-CTR':
+    case 'AES-CBC':
+    case 'AES-GCM':
+    case 'AES-KW':
+    case 'HMAC':
+      if (!isSecret) return fail();
+      if (format === 'raw' || format === 'raw-secret') return exportSecret();
+      return fail();
+    case 'AES-OCB':
+    case 'KMAC128':
+    case 'KMAC256':
+    case 'ChaCha20-Poly1305':
+      if (!isSecret) return fail();
+      if (format === 'raw-secret') return exportSecret();
+      return fail();
     case 'ECDSA':
-    // Fall through
     case 'ECDH':
-      if (key.type === 'public') {
+      if (!isPublic) return fail();
+      if (format === 'raw' || format === 'raw-public') {
         return ecExportKey(key, KWebCryptoKeyFormat.kWebCryptoKeyFormatRaw);
       }
-      break;
+      return fail();
     case 'Ed25519':
-    // Fall through
     case 'Ed448':
-    // Fall through
     case 'X25519':
-    // Fall through
     case 'X448':
-      if (key.type === 'public') {
-        const exported = key.keyObject.handle.exportKey();
-        return (0, _conversion.bufferLikeToArrayBuffer)(exported);
-      }
-      break;
-    case 'ML-KEM-512':
-    // Fall through
-    case 'ML-KEM-768':
-    // Fall through
-    case 'ML-KEM-1024':
-    // Fall through
+      if (!isPublic) return fail();
+      if (format === 'raw' || format === 'raw-public') return exportRawPublic();
+      return fail();
     case 'ML-DSA-44':
-    // Fall through
     case 'ML-DSA-65':
-    // Fall through
     case 'ML-DSA-87':
-      if (key.type === 'public') {
-        const exported = key.keyObject.handle.exportKey();
-        return (0, _conversion.bufferLikeToArrayBuffer)(exported);
-      }
-      break;
-    case 'AES-CTR':
-    // Fall through
-    case 'AES-CBC':
-    // Fall through
-    case 'AES-GCM':
-    // Fall through
-    case 'AES-KW':
-    // Fall through
-    case 'AES-OCB':
-    // Fall through
-    case 'ChaCha20-Poly1305':
-    // Fall through
-    case 'HMAC':
-    // Fall through
-    case 'KMAC128':
-    // Fall through
-    case 'KMAC256':
-      {
-        const exported = key.keyObject.export();
-        // Convert Buffer to ArrayBuffer
-        return exported.buffer.slice(exported.byteOffset, exported.byteOffset + exported.byteLength);
-      }
-  }
-  throw (0, _errors.lazyDOMException)(`Unable to export a raw ${key.algorithm.name} ${key.type} key`, 'InvalidAccessError');
+    case 'ML-KEM-512':
+    case 'ML-KEM-768':
+    case 'ML-KEM-1024':
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
+      // ML-DSA / ML-KEM / SLH-DSA keys do not recognize plain 'raw' (Node
+      // webcrypto.js lines 488-510).
+      if (!isPublic) return fail();
+      if (format === 'raw-public') return exportRawPublic();
+      return fail();
+  }
+  return fail();
 };
 const exportKeyJWK = key => {
   const jwk = key.keyObject.handle.exportJwk({
-    key_ops: key.usages,
+    key_ops: [...key.usages],
     ext: key.extractable
   }, true);
   switch (key.algorithm.name) {
@@ -1129,6 +1420,31 @@ const exportKeyJWK = key => {
     // Fall through
     case 'X448':
       return jwk;
+    case 'ML-DSA-44':
+    // Fall through
+    case 'ML-DSA-65':
+    // Fall through
+    case 'ML-DSA-87':
+    // Fall through
+    case 'ML-KEM-512':
+    // Fall through
+    case 'ML-KEM-768':
+    // Fall through
+    case 'ML-KEM-1024':
+    // Fall through
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
+      return jwk;
     case 'AES-CTR':
     // Fall through
     case 'AES-CBC':
@@ -1150,33 +1466,59 @@ const exportKeyJWK = key => {
   }
   throw (0, _errors.lazyDOMException)(`JWK export not yet supported: ${key.algorithm.name}`, 'NotSupportedError');
 };
-const importGenericSecretKey = async ({
+
+// PBKDF2 import. Mirrors Node's importGenericSecretKey ordering
+// (keys.js:945-971): extractable → usage → format → length. Callers pre-alias
+// 'raw-secret' / 'raw-public' to 'raw' via aliasKeyFormat
+// (webcrypto.js:798-808).
+const pbkdf2ImportKey = async ({
   name,
   length
 }, format, keyData, extractable, keyUsages) => {
   if (extractable) {
-    throw new Error(`${name} keys are not extractable`);
+    throw (0, _errors.lazyDOMException)(`${name} keys are not extractable`, 'SyntaxError');
   }
   if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
-    throw new Error(`Unsupported key usage for a ${name} key`);
+    throw (0, _errors.lazyDOMException)(`Unsupported key usage for a ${name} key`, 'SyntaxError');
   }
-  switch (format) {
-    case 'raw':
-      {
-        if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
-          throw new Error(`Unsupported key usage for a ${name} key`);
-        }
-        const checkLength = typeof keyData === 'string' || _safeBuffer.Buffer.isBuffer(keyData) ? keyData.length * 8 : keyData.byteLength * 8;
-        if (length !== undefined && length !== checkLength) {
-          throw new Error('Invalid key length');
-        }
-        const keyObject = (0, _keys.createSecretKey)(keyData);
-        return new _keys.CryptoKey(keyObject, {
-          name
-        }, keyUsages, false);
-      }
+  if (format !== 'raw') {
+    throw (0, _errors.lazyDOMException)(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
+  }
+  const checkLength = typeof keyData === 'string' || _safeBuffer.Buffer.isBuffer(keyData) ? keyData.length * 8 : keyData.byteLength * 8;
+  if (length !== undefined && length !== checkLength) {
+    throw (0, _errors.lazyDOMException)('Invalid key length', 'DataError');
+  }
+  const keyObject = (0, _keys.createSecretKey)(keyData);
+  return new _keys.CryptoKey(keyObject, {
+    name
+  }, keyUsages, false);
+};
+
+// Argon2 import. Node gates the format at the dispatcher level — only
+// 'raw-secret' enters importGenericSecretKey (webcrypto.js:813-822). To match
+// that, format is the first check here; remaining ordering matches Node's
+// importGenericSecretKey.
+const argon2ImportKey = async ({
+  name,
+  length
+}, format, keyData, extractable, keyUsages) => {
+  if (format !== 'raw-secret') {
+    throw (0, _errors.lazyDOMException)(`Unable to import ${name} key with format ${format}`, 'NotSupportedError');
+  }
+  if (extractable) {
+    throw (0, _errors.lazyDOMException)(`${name} keys are not extractable`, 'SyntaxError');
   }
-  throw new Error(`Unable to import ${name} key with format ${format}`);
+  if (hasAnyNotIn(keyUsages, ['deriveKey', 'deriveBits'])) {
+    throw (0, _errors.lazyDOMException)(`Unsupported key usage for a ${name} key`, 'SyntaxError');
+  }
+  const checkLength = typeof keyData === 'string' || _safeBuffer.Buffer.isBuffer(keyData) ? keyData.length * 8 : keyData.byteLength * 8;
+  if (length !== undefined && length !== checkLength) {
+    throw (0, _errors.lazyDOMException)('Invalid key length', 'DataError');
+  }
+  const keyObject = (0, _keys.createSecretKey)(keyData);
+  return new _keys.CryptoKey(keyObject, {
+    name
+  }, keyUsages, false);
 };
 const hkdfImportKey = async (format, keyData, algorithm, extractable, keyUsages) => {
   const {
@@ -1350,7 +1692,10 @@ function mldsaSignVerify(key, data, signature) {
 const signVerify = (algorithm, key, data, signature) => {
   const usage = signature === undefined ? 'sign' : 'verify';
   algorithm = normalizeAlgorithm(algorithm, usage);
-  if (!key.usages.includes(usage) || algorithm.name !== key.algorithm.name) {
+  if (algorithm.name !== key.algorithm.name) {
+    throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+  }
+  if (!key.usages.includes(usage)) {
     throw (0, _errors.lazyDOMException)(`Unable to use this key to ${usage}`, 'InvalidAccessError');
   }
   switch (algorithm.name) {
@@ -1368,6 +1713,18 @@ const signVerify = (algorithm, key, data, signature) => {
     case 'ML-DSA-44':
     case 'ML-DSA-65':
     case 'ML-DSA-87':
+    case 'SLH-DSA-SHA2-128s':
+    case 'SLH-DSA-SHA2-128f':
+    case 'SLH-DSA-SHA2-192s':
+    case 'SLH-DSA-SHA2-192f':
+    case 'SLH-DSA-SHA2-256s':
+    case 'SLH-DSA-SHA2-256f':
+    case 'SLH-DSA-SHAKE-128s':
+    case 'SLH-DSA-SHAKE-128f':
+    case 'SLH-DSA-SHAKE-192s':
+    case 'SLH-DSA-SHAKE-192f':
+    case 'SLH-DSA-SHAKE-256s':
+    case 'SLH-DSA-SHAKE-256f':
       return mldsaSignVerify(key, data, signature);
     case 'KMAC128':
     case 'KMAC256':
@@ -1375,10 +1732,12 @@ const signVerify = (algorithm, key, data, signature) => {
   }
   throw (0, _errors.lazyDOMException)(`Unrecognized algorithm name '${algorithm.name}' for '${usage}'`, 'NotSupportedError');
 };
-const cipherOrWrap = async (mode, algorithm, key, data, op) => {
-  if (key.algorithm.name !== algorithm.name || !key.usages.includes(op)) {
-    throw (0, _errors.lazyDOMException)('The requested operation is not valid for the provided key', 'InvalidAccessError');
-  }
+
+// Algorithm-mismatch and usage checks live at the public-method call sites
+// (encrypt / decrypt / wrapKey / unwrapKey) so spec-mandated message and
+// ordering — algorithm-mismatch first, then usage — is preserved
+// (Node webcrypto.js, commit 4cb1f284136).
+const cipherOrWrap = async (mode, algorithm, key, data) => {
   (0, _validation.validateMaxBufferLength)(data, 'data');
   switch (algorithm.name) {
     case 'RSA-OAEP':
@@ -1400,12 +1759,12 @@ const cipherOrWrap = async (mode, algorithm, key, data, op) => {
 const SUPPORTED_ALGORITHMS = {
   encrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
   decrypt: new Set(['RSA-OAEP', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-OCB', 'ChaCha20-Poly1305']),
-  sign: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  verify: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']),
-  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'cSHAKE128', 'cSHAKE256']),
-  generateKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
-  importKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'HKDF', 'PBKDF2', 'Argon2d', 'Argon2i', 'Argon2id', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
-  exportKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
+  sign: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', ..._slhdsa.SLH_DSA_VARIANTS]),
+  verify: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'ECDSA', 'HMAC', 'KMAC128', 'KMAC256', 'Ed25519', 'Ed448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', ..._slhdsa.SLH_DSA_VARIANTS]),
+  digest: new Set(['SHA-1', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'cSHAKE128', 'cSHAKE256', 'TurboSHAKE128', 'TurboSHAKE256', 'KT128', 'KT256']),
+  generateKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', ..._slhdsa.SLH_DSA_VARIANTS]),
+  importKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'HKDF', 'PBKDF2', 'Argon2d', 'Argon2i', 'Argon2id', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', ..._slhdsa.SLH_DSA_VARIANTS]),
+  exportKey: new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'HMAC', 'KMAC128', 'KMAC256', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', ..._slhdsa.SLH_DSA_VARIANTS]),
   deriveBits: new Set(['PBKDF2', 'HKDF', 'ECDH', 'X25519', 'X448', 'Argon2d', 'Argon2i', 'Argon2id']),
   wrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
   unwrapKey: new Set(['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW', 'AES-OCB', 'ChaCha20-Poly1305', 'RSA-OAEP']),
@@ -1414,119 +1773,315 @@ const SUPPORTED_ALGORITHMS = {
   encapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']),
   decapsulateKey: new Set(['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024'])
 };
-const ASYMMETRIC_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024']);
-class Subtle {
-  static supports(operation, algorithm, _lengthOrAdditionalAlgorithm) {
-    let normalizedAlgorithm;
+const ASYMMETRIC_ALGORITHMS = new Set(['RSASSA-PKCS1-v1_5', 'RSA-PSS', 'RSA-OAEP', 'ECDSA', 'ECDH', 'Ed25519', 'Ed448', 'X25519', 'X448', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', 'ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', ..._slhdsa.SLH_DSA_VARIANTS]);
+
+// Per-algorithm validators for deriveBits (mirrors Node's hkdf.js:141-149,
+// pbkdf2.js:96-105, argon2.js:194-209). Used by Subtle.supports to reject
+// length values that the actual deriveBits implementation would reject.
+function validateKdfDeriveBitsLength(length, algName) {
+  if (length === null || length === undefined) {
+    throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+  }
+  if (length % 8) {
+    throw (0, _errors.lazyDOMException)('length must be a multiple of 8', 'OperationError');
+  }
+  if (algName.startsWith('Argon2') && length < 32) {
+    throw (0, _errors.lazyDOMException)('length must be >= 32', 'OperationError');
+  }
+}
+
+// Mirrors Node's webcrypto.js:1652-1731 `check`. Normalizes the algorithm,
+// looks it up in SUPPORTED_ALGORITHMS, and runs per-algorithm validation
+// (deriveBits length validators, HMAC+SHA3 generateKey rejection).
+// `op` is the operation key in SUPPORTED_ALGORITHMS — wrapKey/unwrapKey fall
+// back to encrypt/decrypt to mirror Node's normalize fallback.
+function supportsCheck(op, alg, length) {
+  let normalizedAlgorithm;
+  try {
+    normalizedAlgorithm = normalizeAlgorithm(alg, op);
+  } catch {
+    if (op === 'wrapKey') return supportsCheck('encrypt', alg);
+    if (op === 'unwrapKey') return supportsCheck('decrypt', alg);
+    return false;
+  }
+  const supported = SUPPORTED_ALGORITHMS[op];
+  if (!supported || !supported.has(normalizedAlgorithm.name)) {
+    if (op === 'wrapKey') return supportsCheck('encrypt', alg);
+    if (op === 'unwrapKey') return supportsCheck('decrypt', alg);
+    return false;
+  }
+  if (op === 'deriveBits') {
+    const name = normalizedAlgorithm.name;
+    if (name === 'HKDF' || name === 'PBKDF2' || name.startsWith('Argon2')) {
+      try {
+        validateKdfDeriveBitsLength(length, name);
+      } catch {
+        return false;
+      }
+    }
+  }
+  if (op === 'generateKey' && normalizedAlgorithm.name === 'HMAC') {
+    const hashName = typeof normalizedAlgorithm.hash === 'string' ? normalizedAlgorithm.hash : normalizedAlgorithm.hash?.name;
+    if (normalizedAlgorithm.length === undefined && typeof hashName === 'string' && hashName.startsWith('SHA3-')) {
+      return false;
+    }
+  }
+  return true;
+}
+function supportsImpl(operation, algorithm, lengthOrAdditionalAlgorithm) {
+  switch (operation) {
+    case 'decapsulateBits':
+    case 'decapsulateKey':
+    case 'decrypt':
+    case 'deriveBits':
+    case 'deriveKey':
+    case 'digest':
+    case 'encapsulateBits':
+    case 'encapsulateKey':
+    case 'encrypt':
+    case 'exportKey':
+    case 'generateKey':
+    case 'getPublicKey':
+    case 'importKey':
+    case 'sign':
+    case 'unwrapKey':
+    case 'verify':
+    case 'wrapKey':
+      break;
+    default:
+      return false;
+  }
+  let length;
+  if (operation === 'deriveKey') {
+    // deriveKey decomposes to importKey of derived alg + deriveBits with that
+    // alg's key length. Node webcrypto.js:1547-1563.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm;
+      if (!supportsCheck('importKey', additional)) return false;
+      try {
+        length = getKeyLength(normalizeAlgorithm(additional, 'get key length'));
+      } catch {
+        return false;
+      }
+      return supportsCheck('deriveBits', algorithm, length);
+    }
+    // No additional algorithm given — only check the deriveBits side.
+    return supportsCheck('deriveBits', algorithm);
+  }
+  if (operation === 'wrapKey') {
+    // wrapKey decomposes to encrypt of wrapping alg + exportKey of wrapped alg.
+    // Node webcrypto.js:1564-1572.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm;
+      if (!supportsCheck('exportKey', additional)) return false;
+    }
+    return supportsCheck('wrapKey', algorithm);
+  }
+  if (operation === 'unwrapKey') {
+    // unwrapKey decomposes to decrypt of wrapping alg + importKey of wrapped
+    // alg. Node webcrypto.js:1573-1581.
+    if (lengthOrAdditionalAlgorithm != null) {
+      const additional = lengthOrAdditionalAlgorithm;
+      if (!supportsCheck('importKey', additional)) return false;
+    }
+    return supportsCheck('unwrapKey', algorithm);
+  }
+  if (operation === 'deriveBits') {
+    if (lengthOrAdditionalAlgorithm == null) {
+      length = null;
+    } else if (typeof lengthOrAdditionalAlgorithm === 'number') {
+      length = lengthOrAdditionalAlgorithm;
+    } else {
+      return false;
+    }
+    return supportsCheck('deriveBits', algorithm, length);
+  }
+  if (operation === 'getPublicKey') {
+    let normalized;
     try {
-      normalizedAlgorithm = normalizeAlgorithm(algorithm, operation === 'getPublicKey' ? 'exportKey' : operation);
+      normalized = normalizeAlgorithm(algorithm, 'exportKey');
     } catch {
       return false;
     }
-    const name = normalizedAlgorithm.name;
-    if (operation === 'getPublicKey') {
-      return ASYMMETRIC_ALGORITHMS.has(name);
-    }
-    if (operation === 'deriveKey') {
-      // deriveKey decomposes to deriveBits + importKey of additional algorithm
-      if (!SUPPORTED_ALGORITHMS.deriveBits?.has(name)) return false;
-      if (_lengthOrAdditionalAlgorithm != null) {
-        try {
-          const additionalAlg = normalizeAlgorithm(_lengthOrAdditionalAlgorithm, 'importKey');
-          return SUPPORTED_ALGORITHMS.importKey?.has(additionalAlg.name) ?? false;
-        } catch {
-          return false;
+    return ASYMMETRIC_ALGORITHMS.has(normalized.name);
+  }
+  if (operation === 'encapsulateKey' || operation === 'decapsulateKey') {
+    // sharedKeyAlgorithm must support importKey, with HMAC/KMAC limited to
+    // length === undefined or 256 (Node webcrypto.js:1610-1645).
+    const additional = lengthOrAdditionalAlgorithm;
+    let normalizedAdd;
+    try {
+      normalizedAdd = normalizeAlgorithm(additional, 'importKey');
+    } catch {
+      return false;
+    }
+    switch (normalizedAdd.name) {
+      case 'AES-OCB':
+      case 'AES-KW':
+      case 'AES-GCM':
+      case 'AES-CTR':
+      case 'AES-CBC':
+      case 'ChaCha20-Poly1305':
+      case 'HKDF':
+      case 'PBKDF2':
+      case 'Argon2i':
+      case 'Argon2d':
+      case 'Argon2id':
+        break;
+      case 'HMAC':
+      case 'KMAC128':
+      case 'KMAC256':
+        {
+          const addLen = normalizedAdd.length;
+          if (addLen !== undefined && addLen !== 256) return false;
+          break;
         }
-      }
-      return true;
+      default:
+        return false;
     }
-    const supported = SUPPORTED_ALGORITHMS[operation];
-    if (!supported) return false;
-    return supported.has(name);
+    return supportsCheck(operation, algorithm);
+  }
+  return supportsCheck(operation, algorithm);
+}
+class Subtle {
+  // Spec-compliant capability detector. Mirrors Node's webcrypto.js:1506-1649
+  // `SubtleCrypto.supports`, including:
+  //   • composed-operation decomposition (deriveKey, wrapKey, unwrapKey,
+  //     encapsulateKey, decapsulateKey, getPublicKey)
+  //   • per-algorithm length validators for deriveBits (HKDF/PBKDF2/Argon2)
+  //   • HMAC + SHA3 generateKey with no length → false
+  // Static-only per the WICG spec.
+  static supports(operation, algorithm, lengthOrAdditionalAlgorithm = null) {
+    return supportsImpl(operation, algorithm, lengthOrAdditionalAlgorithm);
   }
   async decrypt(algorithm, key, data) {
+    requireArgs(arguments.length, 3, 'decrypt');
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'decrypt');
-    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherDecrypt, normalizedAlgorithm, key, (0, _conversion.bufferLikeToArrayBuffer)(data), 'decrypt');
+    if (normalizedAlgorithm.name !== key.algorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    if (!key.usages.includes('decrypt')) {
+      throw (0, _errors.lazyDOMException)('Unable to use this key to decrypt', 'InvalidAccessError');
+    }
+    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherDecrypt, normalizedAlgorithm, key, (0, _conversion.bufferLikeToArrayBuffer)(data));
   }
   async digest(algorithm, data) {
+    requireArgs(arguments.length, 2, 'digest');
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'digest');
     return (0, _hash.asyncDigest)(normalizedAlgorithm, data);
   }
-  async deriveBits(algorithm, baseKey, length) {
+  async deriveBits(algorithm, baseKey, length = null) {
+    requireArgs(arguments.length, 2, 'deriveBits');
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'deriveBits');
     // WebCrypto §SubtleCrypto.deriveBits step 11: throw InvalidAccessError
     // unless `baseKey.[[usages]]` contains "deriveBits" specifically. The
     // previous `deriveBits || deriveKey` accept-either branch silently
     // promoted deriveKey-only keys into deriveBits use, contradicting the
     // spec usage gate.
-    if (!baseKey.keyUsages.includes('deriveBits')) {
+    if (!baseKey.usages.includes('deriveBits')) {
       throw (0, _errors.lazyDOMException)('baseKey does not have deriveBits usage', 'InvalidAccessError');
     }
-    if (baseKey.algorithm.name !== algorithm.name) throw new Error('Key algorithm mismatch');
-    switch (algorithm.name) {
+    if (baseKey.algorithm.name !== normalizedAlgorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    switch (normalizedAlgorithm.name) {
       case 'PBKDF2':
-        return (0, _pbkdf.pbkdf2DeriveBits)(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        return (0, _pbkdf.pbkdf2DeriveBits)(normalizedAlgorithm, baseKey, length);
       case 'X25519':
       // Fall through
       case 'X448':
-        return (0, _ed.xDeriveBits)(algorithm, baseKey, length);
+        return (0, _ed.xDeriveBits)(normalizedAlgorithm, baseKey, length);
       case 'ECDH':
-        return (0, _ec.ecDeriveBits)(algorithm, baseKey, length);
+        return (0, _ec.ecDeriveBits)(normalizedAlgorithm, baseKey, length);
       case 'HKDF':
-        return (0, _hkdf.hkdfDeriveBits)(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        return (0, _hkdf.hkdfDeriveBits)(normalizedAlgorithm, baseKey, length);
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        return argon2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        return argon2DeriveBits(normalizedAlgorithm, baseKey, length);
     }
-    throw new Error(`'subtle.deriveBits()' for ${algorithm.name} is not implemented.`);
+    throw (0, _errors.lazyDOMException)(`'subtle.deriveBits()' for ${normalizedAlgorithm.name} is not implemented.`, 'NotSupportedError');
   }
   async deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages) {
+    requireArgs(arguments.length, 5, 'deriveKey');
+    const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'deriveBits');
+    const normalizedDerivedKeyAlgorithm = normalizeAlgorithm(derivedKeyAlgorithm, 'importKey');
+
     // Validate baseKey usage
-    if (!baseKey.usages.includes('deriveKey') && !baseKey.usages.includes('deriveBits')) {
-      throw (0, _errors.lazyDOMException)('baseKey does not have deriveKey or deriveBits usage', 'InvalidAccessError');
+    if (!baseKey.usages.includes('deriveKey')) {
+      throw (0, _errors.lazyDOMException)('baseKey does not have deriveKey usage', 'InvalidAccessError');
+    }
+    if (baseKey.algorithm.name !== normalizedAlgorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
     }
 
-    // Calculate required key length
-    const length = getKeyLength(derivedKeyAlgorithm);
+    // Calculate required key length (may be null for KDF-derived material).
+    const length = getKeyLength(normalizedDerivedKeyAlgorithm);
 
     // Step 1: Derive bits
     let derivedBits;
-    if (baseKey.algorithm.name !== algorithm.name) throw new Error('Key algorithm mismatch');
-    switch (algorithm.name) {
+    switch (normalizedAlgorithm.name) {
       case 'PBKDF2':
-        derivedBits = await (0, _pbkdf.pbkdf2DeriveBits)(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        derivedBits = await (0, _pbkdf.pbkdf2DeriveBits)(normalizedAlgorithm, baseKey, length);
         break;
       case 'X25519':
       // Fall through
       case 'X448':
-        derivedBits = await (0, _ed.xDeriveBits)(algorithm, baseKey, length);
+        derivedBits = await (0, _ed.xDeriveBits)(normalizedAlgorithm, baseKey, length);
         break;
       case 'ECDH':
-        derivedBits = await (0, _ec.ecDeriveBits)(algorithm, baseKey, length);
+        derivedBits = await (0, _ec.ecDeriveBits)(normalizedAlgorithm, baseKey, length);
         break;
       case 'HKDF':
-        derivedBits = (0, _hkdf.hkdfDeriveBits)(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        derivedBits = (0, _hkdf.hkdfDeriveBits)(normalizedAlgorithm, baseKey, length);
         break;
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        derivedBits = argon2DeriveBits(algorithm, baseKey, length);
+        if (length === null) {
+          throw (0, _errors.lazyDOMException)('length cannot be null', 'OperationError');
+        }
+        derivedBits = argon2DeriveBits(normalizedAlgorithm, baseKey, length);
         break;
       default:
-        throw new Error(`'subtle.deriveKey()' for ${algorithm.name} is not implemented.`);
+        throw (0, _errors.lazyDOMException)(`'subtle.deriveKey()' for ${normalizedAlgorithm.name} is not implemented.`, 'NotSupportedError');
     }
 
-    // Step 2: Import as key
-    return this.importKey('raw', derivedBits, derivedKeyAlgorithm, extractable, keyUsages);
+    // Step 2: Import as key. Use 'raw-secret' so derived material flows into
+    // AEADs / KMAC correctly — they reject plain 'raw' (Node webcrypto.js:381-385).
+    return this.importKey('raw-secret', derivedBits, derivedKeyAlgorithm, extractable, keyUsages);
   }
   async encrypt(algorithm, key, data) {
+    requireArgs(arguments.length, 3, 'encrypt');
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'encrypt');
-    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherEncrypt, normalizedAlgorithm, key, (0, _conversion.bufferLikeToArrayBuffer)(data), 'encrypt');
+    if (normalizedAlgorithm.name !== key.algorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
+    if (!key.usages.includes('encrypt')) {
+      throw (0, _errors.lazyDOMException)('Unable to use this key to encrypt', 'InvalidAccessError');
+    }
+    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherEncrypt, normalizedAlgorithm, key, (0, _conversion.bufferLikeToArrayBuffer)(data));
   }
   async exportKey(format, key) {
-    if (!key.extractable) throw new Error('key is not extractable');
+    requireArgs(arguments.length, 2, 'exportKey');
+    if (!key.extractable) throw (0, _errors.lazyDOMException)('key is not extractable', 'InvalidAccessError');
     if (format === 'raw-seed') {
-      const pqcAlgos = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87'];
+      const pqcAlgos = ['ML-KEM-512', 'ML-KEM-768', 'ML-KEM-1024', 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', ..._slhdsa.SLH_DSA_VARIANTS];
       if (!pqcAlgos.includes(key.algorithm.name)) {
         throw (0, _errors.lazyDOMException)('raw-seed export only supported for PQC keys', 'NotSupportedError');
       }
@@ -1535,9 +2090,6 @@ class Subtle {
       }
       return (0, _conversion.bufferLikeToArrayBuffer)(key.keyObject.handle.exportKey());
     }
-
-    // Note: 'raw-seed' is handled above; do NOT normalize it here
-    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
     switch (format) {
       case 'spki':
         return await exportKeySpki(key);
@@ -1546,13 +2098,19 @@ class Subtle {
       case 'jwk':
         return exportKeyJWK(key);
       case 'raw':
-        return exportKeyRaw(key);
+      case 'raw-secret':
+      case 'raw-public':
+        return exportKeyRaw(key, format);
     }
   }
   async wrapKey(format, key, wrappingKey, wrapAlgorithm) {
-    // Validate wrappingKey usage
+    requireArgs(arguments.length, 4, 'wrapKey');
+    const normalizedWrapAlgorithm = normalizeAlgorithm(wrapAlgorithm, 'wrapKey');
+    if (normalizedWrapAlgorithm.name !== wrappingKey.algorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
     if (!wrappingKey.usages.includes('wrapKey')) {
-      throw (0, _errors.lazyDOMException)('wrappingKey does not have wrapKey usage', 'InvalidAccessError');
+      throw (0, _errors.lazyDOMException)('Unable to use this key to wrapKey', 'InvalidAccessError');
     }
 
     // Step 1: Export the key
@@ -1565,7 +2123,7 @@ class Subtle {
       const buffer = _safeBuffer.Buffer.from(jwkString, 'utf8');
 
       // For AES-KW, pad to multiple of 8 bytes (accounting for null terminator)
-      if (wrapAlgorithm.name === 'AES-KW') {
+      if (normalizedWrapAlgorithm.name === 'AES-KW') {
         const length = buffer.length;
         // Add 1 for null terminator, then pad to multiple of 8
         const paddedLength = Math.ceil((length + 1) / 8) * 8;
@@ -1582,16 +2140,20 @@ class Subtle {
     }
 
     // Step 3: Encrypt the exported key
-    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherEncrypt, wrapAlgorithm, wrappingKey, keyData, 'wrapKey');
+    return cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherEncrypt, normalizedWrapAlgorithm, wrappingKey, keyData);
   }
   async unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgorithm, unwrappedKeyAlgorithm, extractable, keyUsages) {
-    // Validate unwrappingKey usage
+    requireArgs(arguments.length, 7, 'unwrapKey');
+    const normalizedUnwrapAlgorithm = normalizeAlgorithm(unwrapAlgorithm, 'unwrapKey');
+    if (normalizedUnwrapAlgorithm.name !== unwrappingKey.algorithm.name) {
+      throw (0, _errors.lazyDOMException)('Key algorithm mismatch', 'InvalidAccessError');
+    }
     if (!unwrappingKey.usages.includes('unwrapKey')) {
-      throw (0, _errors.lazyDOMException)('unwrappingKey does not have unwrapKey usage', 'InvalidAccessError');
+      throw (0, _errors.lazyDOMException)('Unable to use this key to unwrapKey', 'InvalidAccessError');
     }
 
     // Step 1: Decrypt the wrapped key
-    const decrypted = await cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherDecrypt, unwrapAlgorithm, unwrappingKey, (0, _conversion.bufferLikeToArrayBuffer)(wrappedKey), 'unwrapKey');
+    const decrypted = await cipherOrWrap(CipherOrWrapMode.kWebCryptoCipherDecrypt, normalizedUnwrapAlgorithm, unwrappingKey, (0, _conversion.bufferLikeToArrayBuffer)(wrappedKey));
 
     // Step 2: Convert to appropriate format
     let keyData;
@@ -1599,7 +2161,7 @@ class Subtle {
       const buffer = _safeBuffer.Buffer.from(decrypted);
       // For AES-KW, the data may be padded - find the null terminator
       let jwkString;
-      if (unwrapAlgorithm.name === 'AES-KW') {
+      if (normalizedUnwrapAlgorithm.name === 'AES-KW') {
         // Find the null terminator (if present) to get the original string
         const nullIndex = buffer.indexOf(0);
         if (nullIndex !== -1) {
@@ -1620,6 +2182,7 @@ class Subtle {
     return this.importKey(format, keyData, unwrappedKeyAlgorithm, extractable, keyUsages);
   }
   async generateKey(algorithm, extractable, keyUsages) {
+    requireArgs(arguments.length, 3, 'generateKey');
     algorithm = normalizeAlgorithm(algorithm, 'generateKey');
     let result;
     switch (algorithm.name) {
@@ -1681,6 +2244,21 @@ class Subtle {
         result = await (0, _mldsa.mldsa_generateKeyPairWebCrypto)(algorithm.name, extractable, keyUsages);
         checkCryptoKeyPairUsages(result);
         break;
+      case 'SLH-DSA-SHA2-128s':
+      case 'SLH-DSA-SHA2-128f':
+      case 'SLH-DSA-SHA2-192s':
+      case 'SLH-DSA-SHA2-192f':
+      case 'SLH-DSA-SHA2-256s':
+      case 'SLH-DSA-SHA2-256f':
+      case 'SLH-DSA-SHAKE-128s':
+      case 'SLH-DSA-SHAKE-128f':
+      case 'SLH-DSA-SHAKE-192s':
+      case 'SLH-DSA-SHAKE-192f':
+      case 'SLH-DSA-SHAKE-256s':
+      case 'SLH-DSA-SHAKE-256f':
+        result = await (0, _slhdsa.slhdsa_generateKeyPairWebCrypto)(algorithm.name, extractable, keyUsages);
+        checkCryptoKeyPairUsages(result);
+        break;
       case 'X25519':
       // Fall through
       case 'X448':
@@ -1702,6 +2280,7 @@ class Subtle {
     return result;
   }
   async getPublicKey(key, keyUsages) {
+    requireArgs(arguments.length, 2, 'getPublicKey');
     if (key.type === 'secret') {
       throw (0, _errors.lazyDOMException)('key must be a private key', 'NotSupportedError');
     }
@@ -1712,8 +2291,11 @@ class Subtle {
     return publicKeyObject.toCryptoKey(key.algorithm, true, keyUsages);
   }
   async importKey(format, data, algorithm, extractable, keyUsages) {
-    // Note: 'raw-seed' is NOT normalized — PQC import functions handle it directly
-    if (format === 'raw-secret' || format === 'raw-public') format = 'raw';
+    requireArgs(arguments.length, 5, 'importKey');
+    // Per-algorithm format handling. Some algorithms alias raw-secret/raw-public
+    // to 'raw' (RSA, EC, Ed/X, HMAC, HKDF, PBKDF2); others demand the
+    // disambiguated form (KMAC, AES-OCB, ChaCha20-Poly1305, Argon2, ML-DSA,
+    // ML-KEM). 'raw-seed' is never normalized — PQC import handles it directly.
     const normalizedAlgorithm = normalizeAlgorithm(algorithm, 'importKey');
     let result;
     switch (normalizedAlgorithm.name) {
@@ -1722,14 +2304,17 @@ class Subtle {
       case 'RSA-PSS':
       // Fall through
       case 'RSA-OAEP':
-        result = rsaImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
+        result = rsaImportKey(aliasKeyFormat(format), data, normalizedAlgorithm, extractable, keyUsages);
         break;
       case 'ECDSA':
       // Fall through
       case 'ECDH':
-        result = (0, _ec.ecImportKey)(format, data, normalizedAlgorithm, extractable, keyUsages);
+        result = (0, _ec.ecImportKey)(aliasKeyFormat(format), data, normalizedAlgorithm, extractable, keyUsages);
         break;
       case 'HMAC':
+        // No aliasing — Node routes HMAC straight into mac.js, which accepts
+        // 'raw' / 'raw-secret' / 'jwk' and rejects everything else
+        // (webcrypto.js:774-781, mac.js:136-174).
         result = await hmacImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
       case 'KMAC128':
@@ -1751,13 +2336,15 @@ class Subtle {
         result = await aesImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
       case 'PBKDF2':
+        result = await pbkdf2ImportKey(normalizedAlgorithm, aliasKeyFormat(format), data, extractable, keyUsages);
+        break;
       case 'Argon2d':
       case 'Argon2i':
       case 'Argon2id':
-        result = await importGenericSecretKey(normalizedAlgorithm, format, data, extractable, keyUsages);
+        result = await argon2ImportKey(normalizedAlgorithm, format, data, extractable, keyUsages);
         break;
       case 'HKDF':
-        result = await hkdfImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
+        result = await hkdfImportKey(aliasKeyFormat(format), data, normalizedAlgorithm, extractable, keyUsages);
         break;
       case 'X25519':
       // Fall through
@@ -1766,7 +2353,21 @@ class Subtle {
       case 'Ed25519':
       // Fall through
       case 'Ed448':
-        result = edImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
+        result = edImportKey(aliasKeyFormat(format), data, normalizedAlgorithm, extractable, keyUsages);
+        break;
+      case 'SLH-DSA-SHA2-128s':
+      case 'SLH-DSA-SHA2-128f':
+      case 'SLH-DSA-SHA2-192s':
+      case 'SLH-DSA-SHA2-192f':
+      case 'SLH-DSA-SHA2-256s':
+      case 'SLH-DSA-SHA2-256f':
+      case 'SLH-DSA-SHAKE-128s':
+      case 'SLH-DSA-SHAKE-128f':
+      case 'SLH-DSA-SHAKE-192s':
+      case 'SLH-DSA-SHAKE-192f':
+      case 'SLH-DSA-SHAKE-256s':
+      case 'SLH-DSA-SHAKE-256f':
+        result = slhdsaImportKey(format, data, normalizedAlgorithm, extractable, keyUsages);
         break;
       case 'ML-DSA-44':
       // Fall through
@@ -1791,9 +2392,11 @@ class Subtle {
     return result;
   }
   async sign(algorithm, key, data) {
+    requireArgs(arguments.length, 3, 'sign');
     return signVerify(normalizeAlgorithm(algorithm, 'sign'), key, data);
   }
   async verify(algorithm, key, signature, data) {
+    requireArgs(arguments.length, 4, 'verify');
     return signVerify(normalizeAlgorithm(algorithm, 'verify'), key, data, signature);
   }
   _encapsulateCore(algorithm, key) {
@@ -1819,12 +2422,14 @@ class Subtle {
     return mlkem.decapsulateSync((0, _conversion.bufferLikeToArrayBuffer)(ciphertext));
   }
   async encapsulateBits(algorithm, key) {
+    requireArgs(arguments.length, 2, 'encapsulateBits');
     if (!key.usages.includes('encapsulateBits')) {
       throw (0, _errors.lazyDOMException)('Key does not have encapsulateBits usage', 'InvalidAccessError');
     }
     return this._encapsulateCore(algorithm, key);
   }
   async encapsulateKey(algorithm, key, sharedKeyAlgorithm, extractable, usages) {
+    requireArgs(arguments.length, 5, 'encapsulateKey');
     if (!key.usages.includes('encapsulateKey')) {
       throw (0, _errors.lazyDOMException)('Key does not have encapsulateKey usage', 'InvalidAccessError');
     }
@@ -1832,49 +2437,95 @@ class Subtle {
       sharedKey,
       ciphertext
     } = this._encapsulateCore(algorithm, key);
-    const importedKey = await this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
+    // Node imports the encapsulated shared bits as 'raw-secret'
+    // (webcrypto.js:1370-1374) so AEADs / KMAC accept the result.
+    const importedKey = await this.importKey('raw-secret', sharedKey, sharedKeyAlgorithm, extractable, usages);
     return {
       key: importedKey,
       ciphertext
     };
   }
   async decapsulateBits(algorithm, key, ciphertext) {
+    requireArgs(arguments.length, 3, 'decapsulateBits');
     if (!key.usages.includes('decapsulateBits')) {
       throw (0, _errors.lazyDOMException)('Key does not have decapsulateBits usage', 'InvalidAccessError');
     }
     return this._decapsulateCore(algorithm, key, ciphertext);
   }
   async decapsulateKey(algorithm, key, ciphertext, sharedKeyAlgorithm, extractable, usages) {
+    requireArgs(arguments.length, 6, 'decapsulateKey');
     if (!key.usages.includes('decapsulateKey')) {
       throw (0, _errors.lazyDOMException)('Key does not have decapsulateKey usage', 'InvalidAccessError');
     }
     const sharedKey = this._decapsulateCore(algorithm, key, ciphertext);
-    return this.importKey('raw', sharedKey, sharedKeyAlgorithm, extractable, usages);
+    // Node imports the decapsulated shared bits as 'raw-secret'
+    // (webcrypto.js:1490-1494).
+    return this.importKey('raw-secret', sharedKey, sharedKeyAlgorithm, extractable, usages);
   }
 }
 exports.Subtle = Subtle;
 const subtle = exports.subtle = new Subtle();
+
+// Returns the number of bits to derive for an `importKey` algorithm, mirroring
+// Node's webcrypto.js:269-306 `getKeyLength`. Returns null for KDF algorithms
+// (HKDF / PBKDF2 / Argon2) — those carry their full derived secret without a
+// fixed key length. Throws OperationError on invalid AES / HMAC inputs rather
+// than silently coercing to a default (Node commit 4cb1f284136 behavior).
 function getKeyLength(algorithm) {
   const name = algorithm.name;
+  const length = algorithm.length;
   switch (name) {
     case 'AES-CTR':
     case 'AES-CBC':
     case 'AES-GCM':
     case 'AES-KW':
     case 'AES-OCB':
-    case 'ChaCha20-Poly1305':
-      return algorithm.length || 256;
+      if (length !== 128 && length !== 192 && length !== 256) {
+        throw (0, _errors.lazyDOMException)('Invalid key length', 'OperationError');
+      }
+      return length;
     case 'HMAC':
       {
-        const hmacAlg = algorithm;
-        return hmacAlg.length || 256;
+        if (length === undefined) {
+          return getHmacBlockSize(algorithm.hash?.name ?? algorithm.hash);
+        }
+        if (typeof length === 'number' && length !== 0) {
+          return length;
+        }
+        throw (0, _errors.lazyDOMException)('Invalid key length', 'OperationError');
       }
     case 'KMAC128':
-      return algorithm.length || 128;
+      return typeof length === 'number' ? length : 128;
     case 'KMAC256':
-      return algorithm.length || 256;
+      return typeof length === 'number' ? length : 256;
+    case 'ChaCha20-Poly1305':
+      return 256;
+    case 'HKDF':
+    case 'PBKDF2':
+    case 'Argon2d':
+    case 'Argon2i':
+    case 'Argon2id':
+      return null;
     default:
       throw (0, _errors.lazyDOMException)(`Cannot determine key length for ${name}`, 'NotSupportedError');
   }
 }
+function getHmacBlockSize(name) {
+  switch (name) {
+    case 'SHA-1':
+    case 'SHA-256':
+      return 512;
+    case 'SHA-384':
+    case 'SHA-512':
+      return 1024;
+    case 'SHA3-256':
+    case 'SHA3-384':
+    case 'SHA3-512':
+      // SHA-3 / HMAC interaction undefined — Node throws here too
+      // (webcrypto-modern-algos issue #23).
+      throw (0, _errors.lazyDOMException)('Explicit algorithm length member is required', 'NotSupportedError');
+    default:
+      throw (0, _errors.lazyDOMException)('Invalid key length', 'OperationError');
+  }
+}
 //# sourceMappingURL=subtle.js.map