Skip to content

feat: Add Post-Quantum Cryptography Support (ML-DSA) #842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
boorad merged 4 commits into from
Dec 5, 2025
Merged

feat: Add Post-Quantum Cryptography Support (ML-DSA) #842

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b572b00
feat: add post-quantum cryptography algorithms
boorad Dec 4, 2025
3432a4d
fix: failing tests, OpenSSL bump bug in privateDecrypt
boorad Dec 4, 2025
e1a5f01
fix: use ncrypto fork until upstream PR is merged
boorad Dec 5, 2025
3bd87d8
fix: android build, remove TLS internal ciphers as they don't work on
boorad Dec 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .gitmodules
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
[submodule "packages/react-native-quick-crypto/deps/blake3"]
path = packages/react-native-quick-crypto/deps/blake3
url = https://github.com/BLAKE3-team/BLAKE3.git
[submodule "packages/react-native-quick-crypto/deps/ncrypto"]
path = packages/react-native-quick-crypto/deps/ncrypto
url = https://github.com/boorad/ncrypto.git
branch = fix/use-BN_GENCB_get_arg
172 changes: 88 additions & 84 deletions docs/implementation-coverage.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,17 @@
# Implementation Coverage - NodeJS
This document attempts to describe the implementation status of Crypto APIs/Interfaces from Node.js in the `react-native-quick-crypto` library.

> Note: This is the status for version 1.x and higher. For version `0.x` see [this document](https://github.com/margelo/react-native-quick-crypto/blob/0.x/docs/implementation-coverage.md) and the [0.x branch](https://github.com/margelo/react-native-quick-crypto/tree/0.x).

* ` ` - not implemented in Node
* ❌ - implemented in Node, not RNQC
* ✅ - implemented in Node and RNQC
* 🚧 - work in progress

## Post-Quantum Cryptography (PQC)

- **ML-DSA** (Module Lattice Digital Signature Algorithm, FIPS 204) - ML-DSA-44, ML-DSA-65, ML-DSA-87
- **ML-KEM** (Module Lattice Key Encapsulation Mechanism, FIPS 203) - ML-KEM-512, ML-KEM-768, ML-KEM-1024

These algorithms provide quantum-resistant cryptography.

# `Crypto`

Expand Down Expand Up @@ -147,13 +153,11 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
* ❌ `crypto.secureHeapUsed()`
* ❌ `crypto.setEngine(engine[, flags])`
* ❌ `crypto.setFips(bool)`
* 🚧 `crypto.sign(algorithm, data, key[, callback])`
* `crypto.sign(algorithm, data, key[, callback])`
* 🚧 `crypto.subtle` (see below)
* ❌ `crypto.timingSafeEqual(a, b)`
* 🚧 `crypto.verify(algorithm, data, key, signature[, callback])`
* ❌ `crypto.webcrypto` (see below)

🚧 Details below still a work in progress 🚧
* ✅ `crypto.verify(algorithm, data, key, signature[, callback])`
* 🚧 `crypto.webcrypto` (see below)

## `crypto.diffieHellman`
| type | Status |
Expand Down Expand Up @@ -204,22 +208,22 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
## `crypto.sign`
| Algorithm | Status |
| --------- | :----: |
| `RSASSA-PKCS1-v1_5` | |
| `RSA-PSS` | |
| `ECDSA` | |
| `RSASSA-PKCS1-v1_5` | |
| `RSA-PSS` | |
| `ECDSA` | |
| `Ed25519` | ✅ |
| `Ed448` | ✅ |
| `HMAC` | |
| `HMAC` | |

## `crypto.verify`
| Algorithm | Status |
| --------- | :----: |
| `RSASSA-PKCS1-v1_5` | |
| `RSA-PSS` | |
| `ECDSA` | |
| `RSASSA-PKCS1-v1_5` | |
| `RSA-PSS` | |
| `ECDSA` | |
| `Ed25519` | ✅ |
| `Ed448` | ✅ |
| `HMAC` | |
| `HMAC` | |

# `WebCrypto`

Expand All @@ -240,7 +244,7 @@ This document attempts to describe the implementation status of Crypto APIs/Inte

# `SubtleCrypto`

* 🚧 Class: `SubtleCrypto`
* Class: `SubtleCrypto`
* ❌ static `supports(operation, algorithm[, lengthOrAdditionalAlgorithm])`
* ❌ `subtle.decapsulateBits(decapsulationAlgorithm, decapsulationKey, ciphertext)`
* ❌ `subtle.decapsulateKey(decapsulationAlgorithm, decapsulationKey, ciphertext, sharedKeyAlgorithm, extractable, usages)`
Expand All @@ -255,9 +259,9 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
* 🚧 `subtle.generateKey(algorithm, extractable, keyUsages)`
* ❌ `subtle.getPublicKey(key, keyUsages)`
* 🚧 `subtle.importKey(format, keyData, algorithm, extractable, keyUsages)`
* 🚧 `subtle.sign(algorithm, key, data)`
* `subtle.sign(algorithm, key, data)`
* ❌ `subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)`
* 🚧 `subtle.verify(algorithm, key, signature, data)`
* `subtle.verify(algorithm, key, signature, data)`
* ❌ `subtle.wrapKey(format, key, wrappingKey, wrapAlgo)`

## `subtle.decrypt`
Expand Down Expand Up @@ -311,27 +315,27 @@ This document attempts to describe the implementation status of Crypto APIs/Inte

## `subtle.exportKey`
| Key Type | `spki` | `pkcs8` | `jwk` | `raw` | `raw-secret` | `raw-public` | `raw-seed` |
| ------------------- | :----: | :-----: | :---: | :---: | :---: | :---: | :---: |
| `AES-CBC` | | | ✅ | ✅ | ✅ | | |
| `AES-CTR` | | | ✅ | ✅ | ✅ | | |
| `AES-GCM` | | | ✅ | ✅ | ✅ | | |
| `AES-KW` | | | ✅ | ✅ | ✅ | | |
| `AES-OCB` | | | ❌ | | ❌ | | |
| `ChaCha20-Poly1305` | | | ❌ | | ❌ | | |
| `ECDH` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `ECDSA` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `Ed25519` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `Ed448` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `HMAC` | | | ✅ | ✅ | ✅ | | |
| `ML-DSA-44` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-DSA-65` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-DSA-87` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-KEM-512` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-768` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-1024` | ❌ | ❌ | | | | ❌ | ❌ |
| `RSA-OAEP` | ✅ | ✅ | ✅ | | | | |
| `RSA-PSS` | ✅ | ✅ | ✅ | | | | |
| `RSASSA-PKCS1-v1_5` | ✅ | ✅ | ✅ | | | | |
| ------------------- | :----: | :-----: | :---: | :---: | :----------: | :----------: | :--------: |
| `AES-CBC` | | | ✅ | ✅ | ✅ | | |
| `AES-CTR` | | | ✅ | ✅ | ✅ | | |
| `AES-GCM` | | | ✅ | ✅ | ✅ | | |
| `AES-KW` | | | ✅ | ✅ | ✅ | | |
| `AES-OCB` | | | ❌ | | ❌ | | |
| `ChaCha20-Poly1305` | | | ❌ | | ❌ | | |
| `ECDH` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `ECDSA` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `Ed25519` | ✅ | ✅ | ❌ | ❌ | | ❌ | |
| `Ed448` | ✅ | ✅ | ❌ | ❌ | | ❌ | |
| `HMAC` | | | ✅ | ✅ | ✅ | | |
| `ML-DSA-44` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-DSA-65` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-DSA-87` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-KEM-512` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-768` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-1024` | ❌ | ❌ | | | | ❌ | ❌ |
| `RSA-OAEP` | ✅ | ✅ | ✅ | | | | |
| `RSA-PSS` | ✅ | ✅ | ✅ | | | | |
| `RSASSA-PKCS1-v1_5` | ✅ | ✅ | ✅ | | | | |

* ` ` - not implemented in Node
* ❌ - implemented in Node, not RNQC
Expand All @@ -346,9 +350,9 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
| `ECDSA` | ✅ |
| `Ed25519` | ✅ |
| `Ed448` | ✅ |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `ML-KEM-512` | ❌ |
| `ML-KEM-768` | ❌ |
| `ML-KEM-1024` | ❌ |
Expand All @@ -367,48 +371,48 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
| `AES-KW` | ❌ |
| `AES-OCB` | ❌ |
| `ChaCha20-Poly1305` | ❌ |
| `HMAC` | |
| `HMAC` | |

## `subtle.importKey`
| Key Type | `spki` | `pkcs8` | `jwk` | `raw` | `raw-secret` | `raw-public` | `raw-seed` |
| ------------------- | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| `AES-CBC` | | | ✅ | ✅ | ✅ | | |
| `AES-CTR` | | | ✅ | ✅ | ✅ | | |
| `AES-GCM` | | | ✅ | ✅ | ✅ | | |
| `AES-KW` | | | ✅ | ✅ | ✅ | | |
| `AES-OCB` | | | ❌ | | ❌ | | |
| `ChaCha20-Poly1305` | | | ❌ | | ❌ | | |
| `ECDH` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `ECDSA` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `Ed25519` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `Ed448` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `HDKF` | | | | ❌ | ❌ | | |
| `HMAC` | | | ✅ | ✅ | ✅ | | |
| `ML-DSA-44` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-DSA-65` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-DSA-87` | ❌ | ❌ | ❌ | | | ❌ | ❌ |
| `ML-KEM-512` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-768` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-1024` | ❌ | ❌ | | | | ❌ | ❌ |
| `PBKDF2` | | | | ✅ | ✅ | | |
| `RSA-OAEP` | ✅ | ❌ | ✅ | | | | |
| `RSA-PSS` | ✅ | ❌ | ✅ | | | | |
| `RSASSA-PKCS1-v1_5` | ✅ | ❌ | ✅ | | | | |
| `X25519` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `X448` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| ------------------- | :----: | :-----: | :---: | :---: | :----------: | :----------: | :--------: |
| `AES-CBC` | | | ✅ | ✅ | ✅ | | |
| `AES-CTR` | | | ✅ | ✅ | ✅ | | |
| `AES-GCM` | | | ✅ | ✅ | ✅ | | |
| `AES-KW` | | | ✅ | ✅ | ✅ | | |
| `AES-OCB` | | | ❌ | | ❌ | | |
| `ChaCha20-Poly1305` | | | ❌ | | ❌ | | |
| `ECDH` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `ECDSA` | ✅ | ✅ | ✅ | ✅ | | ✅ | |
| `Ed25519` | ✅ | ✅ | ❌ | ❌ | | ❌ | |
| `Ed448` | ✅ | ✅ | ❌ | ❌ | | ❌ | |
| `HKDF` | | | | ❌ | ❌ | | |
| `HMAC` | | | ✅ | ✅ | ✅ | | |
| `ML-DSA-44` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-DSA-65` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-DSA-87` | ✅ | ✅ | ✅ | | | ✅ | ✅ |
| `ML-KEM-512` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-768` | ❌ | ❌ | | | | ❌ | ❌ |
| `ML-KEM-1024` | ❌ | ❌ | | | | ❌ | ❌ |
| `PBKDF2` | | | | ✅ | ✅ | | |
| `RSA-OAEP` | ✅ | ✅ | ✅ | | | | |
| `RSA-PSS` | ✅ | ✅ | ✅ | | | | |
| `RSASSA-PKCS1-v1_5` | ✅ | ✅ | ✅ | | | | |
| `X25519` | ❌ | ❌ | ❌ | ❌ | | ❌ | |
| `X448` | ❌ | ❌ | ❌ | ❌ | | ❌ | |

## `subtle.sign`
| Algorithm | Status |
| --------- | :----: |
| `ECDSA` | ✅ |
| `Ed25519` | |
| `Ed448` | |
| `HMAC` | |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `RSA-PSS` | |
| `RSASSA-PKCS1-v1_5` | |
| `Ed25519` | |
| `Ed448` | |
| `HMAC` | |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `RSA-PSS` | |
| `RSASSA-PKCS1-v1_5` | |

## `subtle.unwrapKey`

Expand Down Expand Up @@ -453,14 +457,14 @@ This document attempts to describe the implementation status of Crypto APIs/Inte
| Algorithm | Status |
| --------- | :----: |
| `ECDSA` | ✅ |
| `Ed25519` | |
| `Ed448` | |
| `HMAC` | |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `RSA-PSS` | |
| `RSASSA-PKCS1-v1_5` | |
| `Ed25519` | |
| `Ed448` | |
| `HMAC` | |
| `ML-DSA-44` | |
| `ML-DSA-65` | |
| `ML-DSA-87` | |
| `RSA-PSS` | |
| `RSASSA-PKCS1-v1_5` | |

## `subtle.wrapKey`

Expand Down
49 changes: 46 additions & 3 deletions example/ios/Podfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,16 +40,16 @@ target 'QuickCryptoExample' do
target.build_configurations.each do |config|
config.build_settings['IPHONEOS_DEPLOYMENT_TARGET'] = '16.1'
config.build_settings['CLANG_CXX_LANGUAGE_STANDARD'] = 'c++20'

# Force C++20 for all targets, especially problematic ones
config.build_settings['GCC_C_LANGUAGE_STANDARD'] = 'gnu11'
config.build_settings['CLANG_CXX_LIBRARY'] = 'libc++'

# Remove any conflicting C++ standard flags
config.build_settings.delete('CLANG_CXX_LANGUAGE_STANDARD_OVERRIDE')
end
end

# Specifically target RCT-Folly and other React Native core pods
installer.pods_project.targets.each do |target|
if target.name.include?('Folly') || target.name.include?('React-') || target.name.include?('RCT')
Expand All @@ -58,5 +58,48 @@ target 'QuickCryptoExample' do
end
end
end

# Embed OpenSSL.framework from SPM into the app bundle
# SPM frameworks added to Pods project need manual embedding
main_project_path = File.join(installer.sandbox.root.parent, 'QuickCryptoExample.xcodeproj')
main_project = Xcodeproj::Project.open(main_project_path)
app_target = main_project.targets.find { |t| t.name == 'QuickCryptoExample' }

if app_target
embed_phase_name = 'Embed SPM Frameworks (OpenSSL)'
existing_phase = app_target.shell_script_build_phases.find { |p| p.name == embed_phase_name }

unless existing_phase
phase = app_target.new_shell_script_build_phase(embed_phase_name)
phase.shell_script = <<~SCRIPT
# Embed OpenSSL.framework from SPM build into app bundle
# SPM builds the framework to BUILT_PRODUCTS_DIR but doesn't embed it
OPENSSL_FRAMEWORK="${BUILT_PRODUCTS_DIR}/OpenSSL.framework"

if [ -d "$OPENSSL_FRAMEWORK" ]; then
echo "Found OpenSSL.framework at $OPENSSL_FRAMEWORK"
mkdir -p "${BUILT_PRODUCTS_DIR}/${FRAMEWORKS_FOLDER_PATH}"
rsync -av --delete "$OPENSSL_FRAMEWORK" "${BUILT_PRODUCTS_DIR}/${FRAMEWORKS_FOLDER_PATH}/"

# Code sign if required
if [ -n "${EXPANDED_CODE_SIGN_IDENTITY:-}" ] && [ "${CODE_SIGNING_REQUIRED:-}" != "NO" ]; then
/usr/bin/codesign --force --sign "${EXPANDED_CODE_SIGN_IDENTITY}" --preserve-metadata=identifier,entitlements "${BUILT_PRODUCTS_DIR}/${FRAMEWORKS_FOLDER_PATH}/OpenSSL.framework"
fi
echo "OpenSSL.framework embedded successfully"
else
echo "warning: OpenSSL.framework not found at $OPENSSL_FRAMEWORK"
fi
SCRIPT

# Move it before the existing embed frameworks phase
embed_pods_phase = app_target.shell_script_build_phases.find { |p| p.name == '[CP] Embed Pods Frameworks' }
if embed_pods_phase
app_target.build_phases.move(phase, app_target.build_phases.index(embed_pods_phase))
end

main_project.save
Pod::UI.puts "[QuickCrypto] Added 'Embed SPM Frameworks (OpenSSL)' build phase"
end
end
end
end
8 changes: 2 additions & 6 deletions example/ios/Podfile.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,6 @@ PODS:
- ReactCommon/turbomodule/core
- SocketRocket
- Yoga
- OpenSSL-Universal (3.3.3001)
- QuickCrypto (1.0.0):
- boost
- DoubleConversion
Expand All @@ -46,7 +45,6 @@ PODS:
- glog
- hermes-engine
- NitroModules
- OpenSSL-Universal (= 3.3.3001)
- RCT-Folly
- RCT-Folly/Fabric
- RCTRequired
Expand Down Expand Up @@ -2605,7 +2603,6 @@ DEPENDENCIES:

SPEC REPOS:
trunk:
- OpenSSL-Universal
- SocketRocket

EXTERNAL SOURCES:
Expand Down Expand Up @@ -2776,8 +2773,7 @@ SPEC CHECKSUMS:
glog: 5683914934d5b6e4240e497e0f4a3b42d1854183
hermes-engine: 4f8246b1f6d79f625e0d99472d1f3a71da4d28ca
NitroModules: 1715fe0e22defd9e2cdd48fb5e0dbfd01af54bec
OpenSSL-Universal: 6082b0bf950e5636fe0d78def171184e2b3899c2
QuickCrypto: 4e82c6565ea7b5f9d4c3f0ad3f19b785a676b4cc
QuickCrypto: fad28b0727d1b6ffecab0fc8e407c14b135cdca0
RCT-Folly: 846fda9475e61ec7bcbf8a3fe81edfcaeb090669
RCTDeprecation: c4b9e2fd0ab200e3af72b013ed6113187c607077
RCTRequired: e97dd5dafc1db8094e63bc5031e0371f092ae92a
Expand Down Expand Up @@ -2849,6 +2845,6 @@ SPEC CHECKSUMS:
SocketRocket: d4aabe649be1e368d1318fdf28a022d714d65748
Yoga: 11c9686a21e2cd82a094a723649d9f4507200fb0

PODFILE CHECKSUM: 8bf59f4e86b38489f786b2878e119cdf1824ca75
PODFILE CHECKSUM: bc958092bb9060694d04c6fcf716262b0549cded

COCOAPODS: 1.15.2
Loading
Loading