Skip to content

MLDSA signature validation support#29

Open
hwupathum wants to merge 1 commit into
thunder-id:mainfrom
hwupathum:mldsa
Open

MLDSA signature validation support#29
hwupathum wants to merge 1 commit into
thunder-id:mainfrom
hwupathum:mldsa

Conversation

@hwupathum

@hwupathum hwupathum commented Jul 15, 2026

Copy link
Copy Markdown

Purpose

This pull request adds support for post-quantum ML-DSA (RFC 9864) algorithms using AKP JWKs to the JWT verification process, updates the jose library to v6.2.3, and introduces corresponding tests and type updates. These changes ensure that the codebase can handle modern cryptographic standards and remain compatible with the latest library APIs.

ML-DSA support and cryptographic updates:

  • Added support for ML-DSA algorithms (ML-DSA-44, ML-DSA-65, ML-DSA-87) to TokenConstants.SUPPORTED_ALGORITHMS for JWT signature validation.
  • Updated the JWKInterface type to support AKP JWKs (RFC 9864) by making e and n optional and adding a pub field for raw public key bytes.
  • Modified JWT verification logic in DefaultCrypto and NodeCryptoUtils to use the correct key type from the updated jose library. [1] [2]

Testing and library upgrades:

  • Added comprehensive tests for ML-DSA JWT verification, including positive and tampered-signature cases, in DefaultCrypto.test.ts.
  • Upgraded the jose dependency from v5.2.0 to v6.2.3 across the codebase and lockfiles to ensure compatibility with new cryptographic features. [1] [2] [3] [4] [5] [6] [7] [8] [9]

Approach

Update the jose library to 6.x.x version and update the algorithm constant list.

Related Issues

Related PRs

  • N/A

Checklist

  • Followed the contribution guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Tests provided. (Add links if there are any)
    • Unit Tests
    • Integration Tests
  • Breaking changes. (Fill if applicable)
    • Breaking changes section filled.
    • breaking change label added.

Security checks

  • Followed secure coding standards in WSO2 Secure Coding Guidelines
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Summary by CodeRabbit

  • New Features
    • Added support for verifying JWTs signed with ML-DSA-44, ML-DSA-65, and ML-DSA-87 algorithms.
    • Added support for public-key data used by ML-DSA-based credentials.
  • Bug Fixes
    • Improved compatibility when importing and validating supported cryptographic keys.
    • Invalid or tampered JWT signatures continue to be rejected during verification.
  • Tests
    • Added coverage for valid ML-DSA signatures across all supported variants and for modified signatures.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Changes

The PR adds ML-DSA-44, ML-DSA-65, and ML-DSA-87 JWT verification support, updates JWK typing for AKP keys, upgrades jose, adjusts key type annotations, and adds valid and tampered-signature tests.

ML-DSA JWT verification

Layer / File(s) Summary
Jose compatibility and verification types
pnpm-workspace.yaml, packages/javascript/src/DefaultCrypto.ts, packages/node/src/utils/NodeCryptoUtils.ts
The jose catalog version is upgraded to 6.2.3, and imported verification keys use jose.CryptoKey | Uint8Array annotations.
ML-DSA algorithm and JWK contracts
packages/javascript/src/models/crypto.ts, packages/javascript/src/constants/TokenConstants.ts
JWKInterface supports AKP public key bytes through optional pub, e, and n fields, while the supported algorithm list adds the three ML-DSA variants.
ML-DSA verification validation
packages/javascript/src/__tests__/DefaultCrypto.test.ts
Tests verify correctly signed ML-DSA-44, ML-DSA-65, and ML-DSA-87 tokens and reject a tampered ML-DSA-65 signature.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant DefaultCrypto
  participant jose.importJWK
  participant jose.jwtVerify
  DefaultCrypto->>jose.importJWK: Import ML-DSA JWK
  jose.importJWK-->>DefaultCrypto: Return CryptoKey or Uint8Array
  DefaultCrypto->>jose.jwtVerify: Verify id_token
  jose.jwtVerify-->>DefaultCrypto: Return verification result
Loading

Suggested reviewers: brionmario

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and clearly summarizes the main change: ML-DSA signature validation support.
Description check ✅ Passed The description follows the template well, covering Purpose, Approach, Issues, PRs, Checklist, and Security checks.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@hwupathum hwupathum moved this to In Progress in Dev Board Jul 15, 2026
@hwupathum hwupathum marked this pull request as draft July 16, 2026 04:29
export interface JWKInterface {
alg: string;
e: string;
e?: string;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this change intentional? why have we marked e and n as optional attributes?

@hwupathum hwupathum Jul 16, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the JWK format of MLDSA algorithm is different and does not have these parameters

@hwupathum hwupathum marked this pull request as ready for review July 16, 2026 08:06
@hwupathum

Copy link
Copy Markdown
Author

Verified with express sample app

Screenshot 2026-07-16 at 13 41 30

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: In Progress

Development

Successfully merging this pull request may close these issues.

2 participants