chore(node_compat): ignore 3 crypto tests gated on missing WebCrypto algorithms#33553
Open
lunadogbot wants to merge 3 commits intodenoland:mainfrom
Open
chore(node_compat): ignore 3 crypto tests gated on missing WebCrypto algorithms#33553lunadogbot wants to merge 3 commits intodenoland:mainfrom
lunadogbot wants to merge 3 commits intodenoland:mainfrom
Conversation
Tests SubtleCrypto.digest with cSHAKE128 / cSHAKE256:
```
NotSupportedError: Unrecognized algorithm name
new Uint8Array(await subtle.digest({ name: 'cSHAKE128', length: ... }, ...))
```
cSHAKE (Customizable SHAKE per NIST SP 800-185) is a Node-specific
WebCrypto extension that requires OpenSSL >= 3 for the
customization-string wrapper. Deno's ext/crypto/ doesn't register
cSHAKE as a recognised digest algorithm (only the underlying
SHAKE128 / SHAKE256 are exposed via the legacy
crypto.createHash() path).
Could be revisited if a SHA3-based cSHAKE implementation lands --
the existing sha3 / cshake Rust crates would cover the
customization-string path.
Tests `subtle.getPublicKey(privateKey, usages)` -- the WebCrypto Level 2 method that derives a public CryptoKey from a private one: ``` TypeError: subtle.getPublicKey is not a function const publicKey = await subtle.getPublicKey(privateKey, usages); ``` Deno does not implement this method. Implementable on top of Deno's existing per-algorithm export/import paths, but would need to handle every supported algorithm (ECDH, ECDSA, Ed25519, RSA-OAEP, RSA-PSS, RSASSA-PKCS1-v1_5, X25519). Could be revisited as a discrete WebCrypto Level 2 add-on; it's the same API surface that the already-ignored `test-webcrypto-supports.mjs` advertises.
After the RSASSA-PKCS1-v1_5 / RSA-PSS / ECDSA / HMAC blocks pass
and the Ed448 case self-skips, the test continues into a
`hasOpenSSL(3)`-gated KMAC128 / KMAC256 sign/verify block:
```
NotSupportedError: Unrecognized algorithm name
const key = await subtle.generateKey({
^
```
Deno's `ext/crypto/` does not register KMAC as a recognised
SubtleCrypto algorithm, so the test fails on KMAC before reaching
the Ed25519 cases. Same blocker family as the already-ignored
`test-webcrypto-keygen-kmac.js` and
`test-webcrypto-sign-verify-kmac.js`. Could be revisited if KMAC
is added (SHA-3-based KMAC is implementable via the existing
`sha3` / `cshake` Rust crates).
fibibot
approved these changes
Apr 26, 2026
Contributor
fibibot
left a comment
fibibot
left a comment
There was a problem hiding this comment.
LGTM. Pure config-additions, all three positioned correctly:
test-webcrypto-digest.jsbetweenderivebits-argon2andencap-decap-ml-kem.test-webcrypto-get-public-key.mjsbetweenexport-import-ml-kemandgetRandomValues.test-webcrypto-sign-verify.jsbetweensign-verify-ml-dsaandutil.
Each reason identifies a distinct underlying gap and cross-references the sibling test where applicable:
- cSHAKE128/cSHAKE256 for
digest— NIST SP 800-185 customizable SHAKE variants Deno doesn't register; reason points at the implementation path (cshake-rsor sha3+cshake wrapper). subtle.getPublicKey(privateKey, usages)is a WebCrypto Level 2 method Deno doesn't implement; reason correctly enumerates the algorithms it'd need to cover.- KMAC128/256 in
sign-verify.js— same family as the already-ignoredtest-webcrypto-keygen-kmac.jsandtest-webcrypto-sign-verify-kmac.js; reason notes the test fails before reaching the Ed25519 cases.
CI green.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Marks three more failing crypto tests as ignored in
tests/node_compat/config.jsonc. All three depend on WebCrypto algorithms / Level 2 APIs Deno doesn't implement. Failure outputs come from the 2026-04-26 node compat run; pure-config-change ignores so I did not rebuild Deno locally to re-confirm.parallel/test-webcrypto-digest.jscSHAKE (Customizable SHAKE per NIST SP 800-185) is a Node-specific WebCrypto extension that requires OpenSSL >= 3 for the customization-string wrapper. Deno's
ext/crypto/only exposes the underlying SHAKE128 / SHAKE256 viacrypto.createHash(). Could be revisited if a SHA3-based cSHAKE implementation lands -- the existingsha3/cshakeRust crates would cover the customization-string path.parallel/test-webcrypto-get-public-key.mjsThe WebCrypto Level 2 method that derives a public CryptoKey from a private one. Deno does not implement it. Implementable on top of Deno's existing per-algorithm export/import paths, but would need to handle every supported algorithm (ECDH, ECDSA, Ed25519, RSA-OAEP, RSA-PSS, RSASSA-PKCS1-v1_5, X25519). Could be revisited as a discrete WebCrypto Level 2 add-on -- same surface that the already-ignored
test-webcrypto-supports.mjsadvertises.parallel/test-webcrypto-sign-verify.jsAfter the RSASSA-PKCS1-v1_5 / RSA-PSS / ECDSA / HMAC blocks pass and Ed448 self-skips, the test continues into a
hasOpenSSL(3)-gated KMAC128 / KMAC256 sign/verify block. Same blocker family as the already-ignoredtest-webcrypto-keygen-kmac.jsandtest-webcrypto-sign-verify-kmac.js. Could be revisited if KMAC is added.Test plan
Deno.readTextFileSync+@std/jsonc); all three new entries readable as{ignore: true, reason: ...}.node_compat_testswith the three tests now skipped.