fix(ext/crypto): add SHA3 support to crypto.subtle.digest (#32342)

bartlomieju · web-flow · commit 2aeca4a5e858 · 2026-05-15T18:37:03.000+02:00
The CryptoHash enum was missing SHA3-256, SHA3-384, and SHA3-512 variants, causing serde deserialization to fail when calling crypto.subtle.digest() with SHA3 algorithms despite them being registered in the JS layer. Closes #32330 Draft spec: https://wicg.github.io/webcrypto-modern-algos/ This was added in Node.js in nodejs/node#59365
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -153,11 +153,34 @@ cargo test specs
 cargo test spec::test_name
 ```
 
+### Unit Tests (`tests/unit/`)
+
+JavaScript/TypeScript unit tests live in `tests/unit/` as `*_test.ts` files. Run
+them via `cargo test`:
+
+```bash
+# Run all unit tests in a specific file
+cargo test unit::webcrypto_test
+
+# Run all unit tests
+cargo test unit::
+
+# Run Node.js compatibility unit tests (tests/unit_node/)
+cargo test unit_node::crypto_test
+
+# Run all Node.js compat unit tests
+cargo test unit_node::
+```
+
+Do NOT run these directly with `./target/debug/deno test` — they depend on the
+cargo test harness for correct setup.
+
 ### Test Organization
 
 - **Spec tests** (`tests/specs/`) - Main integration tests, CLI command
   execution and output validation
-- **Unit tests** - Inline with source code in each module
+- **Unit tests** (`tests/unit/`) - JavaScript/TypeScript unit tests for runtime
+  APIs
 - **Integration tests** (`cli/tests/`) - Additional integration tests
 - **WPT** (`tests/wpt/`) - Web Platform Tests for web standards compliance
 
diff --git a/ext/crypto/key.rs b/ext/crypto/key.rs
@@ -19,6 +19,12 @@ pub enum CryptoHash {
   Sha384,
   #[serde(rename = "SHA-512")]
   Sha512,
+  #[serde(rename = "SHA3-256")]
+  Sha3_256,
+  #[serde(rename = "SHA3-384")]
+  Sha3_384,
+  #[serde(rename = "SHA3-512")]
+  Sha3_512,
 }
 
 #[derive(Serialize, Deserialize, Copy, Clone)]
@@ -74,6 +80,11 @@ impl From<CryptoHash> for HmacAlgorithm {
       CryptoHash::Sha256 => aws_lc_rs::hmac::HMAC_SHA256,
       CryptoHash::Sha384 => aws_lc_rs::hmac::HMAC_SHA384,
       CryptoHash::Sha512 => aws_lc_rs::hmac::HMAC_SHA512,
+      // SHA3 is only supported for digest, not HMAC.
+      // The JS layer prevents SHA3 from reaching here.
+      CryptoHash::Sha3_256 | CryptoHash::Sha3_384 | CryptoHash::Sha3_512 => {
+        unreachable!("SHA3 is not supported for HMAC")
+      }
     }
   }
 }
@@ -85,6 +96,9 @@ impl From<CryptoHash> for &'static digest::Algorithm {
       CryptoHash::Sha256 => &digest::SHA256,
       CryptoHash::Sha384 => &digest::SHA384,
       CryptoHash::Sha512 => &digest::SHA512,
+      CryptoHash::Sha3_256 => &digest::SHA3_256,
+      CryptoHash::Sha3_384 => &digest::SHA3_384,
+      CryptoHash::Sha3_512 => &digest::SHA3_512,
     }
   }
 }
diff --git a/ext/crypto/lib.rs b/ext/crypto/lib.rs
@@ -326,6 +326,7 @@ pub async fn op_crypto_sign_key(
             let signing_key = SigningKey::<Sha512>::new(private_key);
             signing_key.sign(data)
           }
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         }
         .to_vec()
       }
@@ -359,6 +360,7 @@ pub async fn op_crypto_sign_key(
             let hashed = Sha512::digest(data);
             signing_key.sign(Some(&mut rng), &private_key, &hashed)?
           }
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         }
         .to_vec()
       }
@@ -377,6 +379,7 @@ pub async fn op_crypto_sign_key(
               CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
               CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
               CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+              _ => return Err(CryptoError::UnsupportedAlgorithm),
             };
             // Sign the prehashed message, producing a raw r||s signature.
             let signature: P256Signature =
@@ -392,6 +395,7 @@ pub async fn op_crypto_sign_key(
               CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
               CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
               CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+              _ => return Err(CryptoError::UnsupportedAlgorithm),
             };
             let signature: P384Signature =
               signing_key.sign_prehash(&prehash)?;
@@ -408,6 +412,7 @@ pub async fn op_crypto_sign_key(
               CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
               CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
               CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+              _ => return Err(CryptoError::UnsupportedAlgorithm),
             };
             // P-521 field size is 66 bytes; bits2field requires at least
             // half that (33 bytes). Left-pad shorter hashes to meet the
@@ -488,6 +493,7 @@ pub async fn op_crypto_verify_key(
             let verifying_key = VerifyingKey::<Sha512>::new(public_key);
             verifying_key.verify(data, &signature).is_ok()
           }
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         }
       }
       Algorithm::RsaPss => {
@@ -520,6 +526,7 @@ pub async fn op_crypto_verify_key(
             let hashed = Sha512::digest(data);
             pss.verify(&public_key, &hashed, signature).is_ok()
           }
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         }
       }
       Algorithm::Hmac => {
@@ -555,6 +562,7 @@ pub async fn op_crypto_verify_key(
                   CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
                   CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
                   CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+                  _ => return Err(CryptoError::UnsupportedAlgorithm),
                 };
                 verifying_key.verify_prehash(&prehash, &signature).is_ok()
               }
@@ -583,6 +591,7 @@ pub async fn op_crypto_verify_key(
                   CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
                   CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
                   CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+                  _ => return Err(CryptoError::UnsupportedAlgorithm),
                 };
                 verifying_key.verify_prehash(&prehash, &signature).is_ok()
               }
@@ -613,6 +622,7 @@ pub async fn op_crypto_verify_key(
                   CryptoHash::Sha256 => sha2::Sha256::digest(data).to_vec(),
                   CryptoHash::Sha384 => sha2::Sha384::digest(data).to_vec(),
                   CryptoHash::Sha512 => sha2::Sha512::digest(data).to_vec(),
+                  _ => return Err(CryptoError::UnsupportedAlgorithm),
                 };
                 // P-521 field size is 66 bytes; bits2field requires at least
                 // half that (33 bytes). Left-pad shorter hashes to meet the
@@ -679,6 +689,7 @@ pub async fn op_crypto_derive_bits(
           CryptoHash::Sha256 => pbkdf2::PBKDF2_HMAC_SHA256,
           CryptoHash::Sha384 => pbkdf2::PBKDF2_HMAC_SHA384,
           CryptoHash::Sha512 => pbkdf2::PBKDF2_HMAC_SHA512,
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         };
 
         // This will never panic. We have already checked length earlier.
@@ -810,6 +821,7 @@ pub async fn op_crypto_derive_bits(
           CryptoHash::Sha256 => hkdf::HKDF_SHA256,
           CryptoHash::Sha384 => hkdf::HKDF_SHA384,
           CryptoHash::Sha512 => hkdf::HKDF_SHA512,
+          _ => return Err(CryptoError::UnsupportedAlgorithm),
         };
 
         let info = args.info.ok_or(CryptoError::MissingArgumentInfo)?;
diff --git a/tests/unit/webcrypto_test.ts b/tests/unit/webcrypto_test.ts
@@ -2194,6 +2194,83 @@ Deno.test(async function x25519ExportJwk() {
   assert(jwk.x);
 });
 
+// https://github.com/denoland/deno/issues/32330
+Deno.test(async function testSha3DigestAlgorithms() {
+  function toHex(buf: ArrayBuffer): string {
+    return [...new Uint8Array(buf)]
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("");
+  }
+
+  const data = new TextEncoder().encode("Hello, Deno!");
+
+  // SHA3-256 produces 32 bytes
+  // deno-lint-ignore camelcase
+  const sha3_256 = await crypto.subtle.digest("SHA3-256", data);
+  assertEquals(sha3_256.byteLength, 32);
+
+  // SHA3-384 produces 48 bytes
+  // deno-lint-ignore camelcase
+  const sha3_384 = await crypto.subtle.digest("SHA3-384", data);
+  assertEquals(sha3_384.byteLength, 48);
+
+  // SHA3-512 produces 64 bytes
+  // deno-lint-ignore camelcase
+  const sha3_512 = await crypto.subtle.digest("SHA3-512", data);
+  assertEquals(sha3_512.byteLength, 64);
+
+  // Verify deterministic: same input always gives same output
+  // deno-lint-ignore camelcase
+  const sha3_256_again = await crypto.subtle.digest("SHA3-256", data);
+  assertEquals(toHex(sha3_256), toHex(sha3_256_again));
+});
+
+Deno.test(async function testSha3DigestKnownVectors() {
+  function toHex(buf: ArrayBuffer): string {
+    return [...new Uint8Array(buf)]
+      .map((b) => b.toString(16).padStart(2, "0"))
+      .join("");
+  }
+
+  // Empty input test vectors (from NIST)
+  const empty = new Uint8Array(0);
+
+  assertEquals(
+    toHex(await crypto.subtle.digest("SHA3-256", empty)),
+    "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a",
+  );
+  assertEquals(
+    toHex(await crypto.subtle.digest("SHA3-384", empty)),
+    "0c63a75b845e4f7d01107d852e4c2485c51a50aaaa94fc61995e71bbee983a2ac3713831264adb47fb6bd1e058d5f004",
+  );
+  assertEquals(
+    toHex(await crypto.subtle.digest("SHA3-512", empty)),
+    "a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26",
+  );
+});
+
+Deno.test(async function testSha3DigestVariousInputTypes() {
+  const text = new TextEncoder().encode("test");
+  const expected = await crypto.subtle.digest("SHA3-256", text);
+
+  // ArrayBuffer input
+  const fromBuffer = await crypto.subtle.digest("SHA3-256", text.buffer);
+  assertEquals(
+    new Uint8Array(fromBuffer),
+    new Uint8Array(expected),
+  );
+
+  // DataView input
+  const fromDataView = await crypto.subtle.digest(
+    "SHA3-256",
+    new DataView(text.buffer),
+  );
+  assertEquals(
+    new Uint8Array(fromDataView),
+    new Uint8Array(expected),
+  );
+});
+
 // Regression test for https://github.com/denoland/deno/issues/30243
 // Importing a PKCS#8 RSA key with the wrong algorithm (ECDSA) should throw, not panic.
 Deno.test("crypto.subtle.importKey PKCS#8 with wrong algorithm does not panic", async () => {

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,12 @@ pub enum CryptoHash {`
`19`	`19`	`Sha384,`
`20`	`20`	`#[serde(rename = "SHA-512")]`
`21`	`21`	`Sha512,`
	`22`	`+ #[serde(rename = "SHA3-256")]`
	`23`	`+ Sha3_256,`
	`24`	`+ #[serde(rename = "SHA3-384")]`
	`25`	`+ Sha3_384,`
	`26`	`+ #[serde(rename = "SHA3-512")]`
	`27`	`+ Sha3_512,`
`22`	`28`	`}`
`23`	`29`
`24`	`30`	`#[derive(Serialize, Deserialize, Copy, Clone)]`
`@@ -74,6 +80,11 @@ impl From<CryptoHash> for HmacAlgorithm {`
`74`	`80`	`CryptoHash::Sha256 => aws_lc_rs::hmac::HMAC_SHA256,`
`75`	`81`	`CryptoHash::Sha384 => aws_lc_rs::hmac::HMAC_SHA384,`
`76`	`82`	`CryptoHash::Sha512 => aws_lc_rs::hmac::HMAC_SHA512,`
	`83`	`+ // SHA3 is only supported for digest, not HMAC.`
	`84`	`+ // The JS layer prevents SHA3 from reaching here.`
	`85`	`+ CryptoHash::Sha3_256 \| CryptoHash::Sha3_384 \| CryptoHash::Sha3_512 => {`
	`86`	`+ unreachable!("SHA3 is not supported for HMAC")`
	`87`	`+ }`
`77`	`88`	`}`
`78`	`89`	`}`
`79`	`90`	`}`
`@@ -85,6 +96,9 @@ impl From<CryptoHash> for &'static digest::Algorithm {`
`85`	`96`	`CryptoHash::Sha256 => &digest::SHA256,`
`86`	`97`	`CryptoHash::Sha384 => &digest::SHA384,`
`87`	`98`	`CryptoHash::Sha512 => &digest::SHA512,`
	`99`	`+ CryptoHash::Sha3_256 => &digest::SHA3_256,`
	`100`	`+ CryptoHash::Sha3_384 => &digest::SHA3_384,`
	`101`	`+ CryptoHash::Sha3_512 => &digest::SHA3_512,`
`88`	`102`	`}`
`89`	`103`	`}`
`90`	`104`	`}`