fix(ext/node): support Ed25519, X25519, and P-521 keys in X509Certificate.publicKey #32267

Open
bartlomieju wants to merge 1 commit into denoland:main from bartlomieju:fix/x509-ed25519-p521-public-key

@bartlomieju
Member

Summary

  • Fixes X509Certificate.prototype.publicKey throwing "unsupported x509 public key type" for Ed25519 and X25519 certificates
  • Fixes X509Certificate.prototype.publicKey throwing "unsupported ec named curve" for P-521 (secp521r1) EC certificates
  • Adds full P-521 EC key support across the node:crypto compat layer

Ref: #27211

What changed

Ed25519 / X25519 in X509Certificate.publicKey

KeyObjectHandle::new_x509_public_key() relied on x509-parser's spki.parsed() which returns PublicKey::Unknown for Ed25519/X25519 keys (the library doesn't have specific variants for these). The catch-all _ arm now checks the algorithm OID and constructs the appropriate key objects.

P-521 support (new)

Added P-521 (secp521r1) support everywhere P-384 was already handled:

| File | Changes |
| --- | --- |
| Cargo.toml | Added ecdh and jwk features to the p521 workspace dep |
| ext/node_crypto/Cargo.toml | Added p521.workspace = true |
| ext/node_crypto/keys.rs | EcPublicKey::P521 / EcPrivateKey::P521 variants, OID constant, key parsing (PKCS8/SEC1/SPKI/X509), JWK import/export, DER export, key generation, key details |
| ext/node_crypto/sign.rs | ECDSA signing and verification with P-521 |
| ext/node_crypto/lib.rs | ECDH operations (encode, generate, compute secret, compute public key, diffie-hellman) |
| ext/node_crypto/x509.rs | X509 key info extraction for secp521r1 curve |

Tests

Added two unit tests in tests/unit_node/crypto/crypto_key_test.ts:

  • Ed25519 X509Certificate.publicKey extraction and comparison with standalone SPKI
  • P-521 X509Certificate.publicKey extraction with key type/details verification

What's still not implemented

The issue reporter also mentions createPublicKey failing for these certificate types — that path is separate from the X509 path and may need its own fix (untested here).

Other gaps found during this work:

  • KeyObject.prototype.equals is not implemented (returns ERR_NOT_IMPLEMENTED)
  • X25519 X509 certificates are handled but there are no known test certs to validate against

Test plan

  • cargo build succeeds
  • cargo test -p deno_node_crypto passes
  • Unit tests pass: deno test --no-check --allow-all --config tests/config/deno.json tests/unit_node/crypto/crypto_key_test.ts --filter "X509Certificate publicKey for"
  • Full CI

🤖 Generated with Claude Code

…cate.publicKey

Adds support for extracting Ed25519, X25519, and P-521 (secp521r1) public keys
from X509 certificates via `X509Certificate.prototype.publicKey`. Also adds full
P-521 EC key support across the node:crypto compat layer (key parsing, export,
signing, verification, ECDH, generation, and JWK).

Ref: denoland#27211

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
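
The OID-based fallback described under "Ed25519 / X25519 in X509Certificate.publicKey", sketched as an added example (not code from this PR or from Deno): a minimal, dependency-free reader that classifies a DER SubjectPublicKeyInfo by its algorithm OID. `KeyKind`, `tlv` and `classify_spki` are hypothetical names, the sample key bytes are constructed, and the reader is not a strict DER validator.

```rust
#[derive(Debug, PartialEq)]
pub enum KeyKind { Ed25519, X25519, EcP521, Unsupported }

// DER-encoded OID contents (tag and length octets stripped).
const OID_ED25519: &[u8] = &[0x2b, 0x65, 0x70]; // 1.3.101.112
const OID_X25519: &[u8] = &[0x2b, 0x65, 0x6e]; // 1.3.101.110
const OID_EC_PUBLIC_KEY: &[u8] = &[0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]; // 1.2.840.10045.2.1
const OID_SECP521R1: &[u8] = &[0x2b, 0x81, 0x04, 0x00, 0x23]; // 1.3.132.0.35

/// Read one DER TLV with the expected tag; returns (contents, rest), None if malformed.
fn tlv(d: &[u8], want: u8) -> Option<(&[u8], &[u8])> {
    let (&tag, d) = d.split_first()?;
    let (&l0, d) = d.split_first()?;
    let (len, d) = match l0 {
        0..=0x7f => (l0 as usize, d),
        0x81 => (*d.first()? as usize, &d[1..]),
        0x82 => (((*d.first()? as usize) << 8) | *d.get(1)? as usize, &d[2..]),
        _ => return None, // longer length forms are out of scope here
    };
    if tag != want || len > d.len() { return None; }
    Some((&d[..len], &d[len..]))
}

/// Classify a SubjectPublicKeyInfo by algorithm OID rather than by a parsed key variant.
pub fn classify_spki(der: &[u8]) -> Option<KeyKind> {
    let (spki, rest) = tlv(der, 0x30)?; // SubjectPublicKeyInfo SEQUENCE
    let (alg, key) = tlv(spki, 0x30)?; // AlgorithmIdentifier SEQUENCE
    let (oid, params) = tlv(alg, 0x06)?; // algorithm OID
    let (bits, _) = tlv(key, 0x03)?; // subjectPublicKey BIT STRING
    if !rest.is_empty() || bits.first() != Some(&0) { return None; }
    let n = bits.len() - 1; // key bytes after the unused-bits octet
    Some(match oid {
        // RFC 8410: parameters are absent and the key is 32 raw bytes.
        o if o == OID_ED25519 && params.is_empty() && n == 32 => KeyKind::Ed25519,
        o if o == OID_X25519 && params.is_empty() && n == 32 => KeyKind::X25519,
        o if o == OID_EC_PUBLIC_KEY => match tlv(params, 0x06) {
            // Uncompressed P-521 point only: 0x04 || X (66 bytes) || Y (66 bytes).
            Some((c, _)) if c == OID_SECP521R1 && n == 133 => KeyKind::EcP521,
            _ => KeyKind::Unsupported,
        },
        _ => KeyKind::Unsupported,
    })
}

fn main() {
    // Constructed sample: Ed25519 SPKI header followed by 32 placeholder key bytes.
    let mut spki: Vec<u8> = vec![0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00];
    spki.extend_from_slice(&[0xAA; 32]);
    println!("{:?}", classify_spki(&spki));
}
```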