crypto: support deterministic ECDSA/DSA signatures

Add dsaNonceType option to sign/verify node:crypto
APIs. When set to 'deterministic', uses
deterministic digital signature generation
procedure per RFC 6979.

Author: panva

deps/ncrypto/ncrypto.cc

@@ -3877,6 +3877,18 @@ bool EVPKeyCtxPointer::signInto(const Buffer<const unsigned char>& data,
   return true;
 }
 
+bool EVPKeyCtxPointer::setNonceType(unsigned int type) {
+#ifdef OSSL_SIGNATURE_PARAM_NONCE_TYPE
+  if (!ctx_) return false;
+  OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, &type),
+      OSSL_PARAM_END};
+  return EVP_PKEY_CTX_set_params(ctx_.get(), params) == 1;
+#else
+  return false;
+#endif
+}
+
 // ============================================================================
 
 namespace {
@@ -4362,6 +4374,50 @@ std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInitWithContext(
 #endif
 }
 
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::signInitDeterministic(
+    const EVPKeyPointer& key, const Digest& digest) {
+#ifdef OSSL_SIGNATURE_PARAM_NONCE_TYPE
+  EVP_PKEY_CTX* ctx = nullptr;
+  unsigned int nonce_type = 1;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, &nonce_type),
+      OSSL_PARAM_END};
+
+  const char* md_name = digest ? EVP_MD_get0_name(digest) : nullptr;
+
+  if (!EVP_DigestSignInit_ex(
+          ctx_.get(), &ctx, md_name, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
+std::optional<EVP_PKEY_CTX*> EVPMDCtxPointer::verifyInitDeterministic(
+    const EVPKeyPointer& key, const Digest& digest) {
+#ifdef OSSL_SIGNATURE_PARAM_NONCE_TYPE
+  EVP_PKEY_CTX* ctx = nullptr;
+  unsigned int nonce_type = 1;
+
+  const OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_uint(OSSL_SIGNATURE_PARAM_NONCE_TYPE, &nonce_type),
+      OSSL_PARAM_END};
+
+  const char* md_name = digest ? EVP_MD_get0_name(digest) : nullptr;
+
+  if (!EVP_DigestVerifyInit_ex(
+          ctx_.get(), &ctx, md_name, nullptr, nullptr, key.get(), params)) {
+    return std::nullopt;
+  }
+  return ctx;
+#else
+  return std::nullopt;
+#endif
+}
+
 DataPointer EVPMDCtxPointer::signOneShot(
     const Buffer<const unsigned char>& buf) const {
   if (!ctx_) return {};

deps/ncrypto/ncrypto.h

@@ -807,6 +807,7 @@ class EVPKeyCtxPointer final {
   DataPointer sign(const Buffer<const unsigned char>& data);
   bool signInto(const Buffer<const unsigned char>& data,
                 Buffer<unsigned char>* sig);
+  bool setNonceType(unsigned int type);
 
   static constexpr int kDefaultRsaExponent = 0x10001;
 
@@ -1423,6 +1424,11 @@ class EVPMDCtxPointer final {
       const Digest& digest,
       const Buffer<const unsigned char>& context_string);
 
+  std::optional<EVP_PKEY_CTX*> signInitDeterministic(const EVPKeyPointer& key,
+                                                     const Digest& digest);
+  std::optional<EVP_PKEY_CTX*> verifyInitDeterministic(const EVPKeyPointer& key,
+                                                       const Digest& digest);
+
   DataPointer signOneShot(const Buffer<const unsigned char>& buf) const;
   DataPointer sign(const Buffer<const unsigned char>& buf) const;
   bool verify(const Buffer<const unsigned char>& buf,

doc/api/crypto.md

@@ -2358,6 +2358,7 @@ changes:
 
 * `privateKey` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
   * `dsaEncoding` {string}
+  * `dsaNonceType` {string}
   * `padding` {integer}
   * `saltLength` {integer}
 * `outputEncoding` {string} The [encoding][] of the return value.
@@ -2376,6 +2377,10 @@ object, the following additional properties can be passed:
   format of the generated signature. It can be one of the following:
   * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
+  nonce generation method. It can be one of the following:
+  * `'random'` (default): Use a random nonce.
+  * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
@@ -2488,6 +2493,7 @@ changes:
 
 * `object` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|KeyObject|CryptoKey}
   * `dsaEncoding` {string}
+  * `dsaNonceType` {string}
   * `padding` {integer}
   * `saltLength` {integer}
 * `signature` {string|ArrayBuffer|Buffer|TypedArray|DataView}
@@ -2507,6 +2513,10 @@ object, the following additional properties can be passed:
   format of the signature. It can be one of the following:
   * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
+  nonce generation method used during signing. It can be one of the following:
+  * `'random'` (default): Use a random nonce.
+  * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
@@ -5796,6 +5806,10 @@ additional properties can be passed:
   format of the generated signature. It can be one of the following:
   * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
+  nonce generation method. It can be one of the following:
+  * `'random'` (default): Use a random nonce.
+  * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
@@ -5927,6 +5941,10 @@ additional properties can be passed:
   format of the signature. It can be one of the following:
   * `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
   * `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
+* `dsaNonceType` {string} For DSA and ECDSA, this option specifies the
+  nonce generation method used during signing. It can be one of the following:
+  * `'random'` (default): Use a random nonce.
+  * `'deterministic'`[^openssl32]: Use a deterministic nonce as defined in [RFC 6979][].
 * `padding` {integer} Optional padding value for RSA, one of the following:
 
   * `crypto.constants.RSA_PKCS1_PADDING` (default)
@@ -6539,6 +6557,7 @@ See the [list of SSL OP Flags][] for details.
 [RFC 4122]: https://www.rfc-editor.org/rfc/rfc4122.txt
 [RFC 5208]: https://www.rfc-editor.org/rfc/rfc5208.txt
 [RFC 5280]: https://www.rfc-editor.org/rfc/rfc5280.txt
+[RFC 6979]: https://www.rfc-editor.org/rfc/rfc6979.txt
 [Web Crypto API documentation]: webcrypto.md
 [`BN_is_prime_ex`]: https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
 [`Buffer`]: buffer.md

lib/internal/crypto/cfrg.js

@@ -363,6 +363,7 @@ async function eddsaSignVerify(key, data, algorithm, signature) {
     undefined,
     undefined,
     undefined,
+    undefined,  // dsaNonceType, not used with EdDSA
     algorithm.name === 'Ed448' ? algorithm.context : undefined,
     signature));
 }

lib/internal/crypto/ec.js

@@ -305,6 +305,7 @@ async function ecdsaSignVerify(key, data, { name, hash }, signature) {
     undefined,  // Salt length, not used with ECDSA
     undefined,  // PSS Padding, not used with ECDSA
     kSigEncP1363,
+    undefined,  // dsaNonceType, not used with WebCrypto
     undefined,
     signature));
 }

lib/internal/crypto/ml_dsa.js

@@ -320,6 +320,7 @@ async function mlDsaSignVerify(key, data, algorithm, signature) {
     undefined,
     undefined,
     undefined,
+    undefined,  // dsaNonceType, not used with ML-DSA
     algorithm.context,
     signature));
 }

lib/internal/crypto/rsa.js

@@ -358,6 +358,7 @@ async function rsaSignVerify(key, data, { saltLength }, signature) {
       saltLength,
       key[kAlgorithm].name === 'RSA-PSS' ? RSA_PKCS1_PSS_PADDING : undefined,
       undefined,
+      undefined,  // dsaNonceType, not used with RSA
       undefined,
       signature);
   });

lib/internal/crypto/sig.js

@@ -106,6 +106,19 @@ function getDSASignatureEncoding(options) {
   return kSigEncDER;
 }
 
+function getDSANonceType(options) {
+  if (typeof options === 'object') {
+    const { dsaNonceType } = options;
+    if (dsaNonceType === undefined || dsaNonceType === 'random')
+      return undefined;
+    if (dsaNonceType === 'deterministic')
+      return true;
+    throw new ERR_INVALID_ARG_VALUE('options.dsaNonceType', dsaNonceType);
+  }
+
+  return undefined;
+}
+
 function getContext(options) {
   if (options?.context === undefined) {
     return undefined;
@@ -143,8 +156,11 @@ Sign.prototype.sign = function sign(options, encoding) {
   // Options specific to (EC)DSA
   const dsaSigEnc = getDSASignatureEncoding(options);
 
+  // Options specific to (EC)DSA nonce generation
+  const dsaNonceType = getDSANonceType(options);
+
   const ret = this[kHandle].sign(data, format, type, passphrase, rsaPadding,
-                                 pssSaltLength, dsaSigEnc);
+                                 pssSaltLength, dsaSigEnc, dsaNonceType);
 
   if (encoding && encoding !== 'buffer')
     return ret.toString(encoding);
@@ -171,6 +187,9 @@ function signOneShot(algorithm, data, key, callback) {
   // Options specific to (EC)DSA
   const dsaSigEnc = getDSASignatureEncoding(key);
 
+  // Options specific to (EC)DSA nonce generation
+  const dsaNonceType = getDSANonceType(key);
+
   // Options specific to Ed448 and ML-DSA
   const context = getContext(key);
 
@@ -193,6 +212,7 @@ function signOneShot(algorithm, data, key, callback) {
     pssSaltLength,
     rsaPadding,
     dsaSigEnc,
+    dsaNonceType,
     context,
     undefined);
 
@@ -242,10 +262,14 @@ Verify.prototype.verify = function verify(options, signature, sigEncoding) {
   // Options specific to (EC)DSA
   const dsaSigEnc = getDSASignatureEncoding(options);
 
+  // Options specific to (EC)DSA nonce generation
+  const dsaNonceType = getDSANonceType(options);
+
   signature = getArrayBufferOrView(signature, 'signature', sigEncoding);
 
   return this[kHandle].verify(data, format, type, passphrase, signature,
-                              rsaPadding, pssSaltLength, dsaSigEnc);
+                              rsaPadding, pssSaltLength, dsaSigEnc,
+                              dsaNonceType);
 };
 
 function verifyOneShot(algorithm, data, key, signature, callback) {
@@ -272,6 +296,9 @@ function verifyOneShot(algorithm, data, key, signature, callback) {
   // Options specific to (EC)DSA
   const dsaSigEnc = getDSASignatureEncoding(key);
 
+  // Options specific to (EC)DSA nonce generation
+  const dsaNonceType = getDSANonceType(key);
+
   // Options specific to Ed448 and ML-DSA
   const context = getContext(key);
 
@@ -302,6 +329,7 @@ function verifyOneShot(algorithm, data, key, signature, callback) {
     pssSaltLength,
     rsaPadding,
     dsaSigEnc,
+    dsaNonceType,
     context,
     signature);