From dffa62db931d919bd53a4f01ad47d3d18c73c0d7 Mon Sep 17 00:00:00 2001
From: Filip Skokan <panva.ip@gmail.com>
Date: Mon, 29 Jun 2026 14:54:03 +0200
Subject: [PATCH 1/2] crypto: support OpenSSL STORE private keys

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
---
 .github/workflows/build-shared.yml            |   9 +-
 .github/workflows/test-shared.yml             |   1 +
 deps/ncrypto/ncrypto.cc                       | 175 +++++-
 deps/ncrypto/ncrypto.h                        |  14 +
 doc/api/cli.md                                |  20 +
 doc/api/crypto.md                             |  32 +-
 doc/api/permissions.md                        |   8 +-
 doc/api/process.md                            |   2 +
 doc/node-config-schema.json                   |   8 +
 doc/node.1                                    |  11 +
 lib/internal/crypto/keys.js                   |  56 +-
 lib/internal/process/permission.js            |   1 +
 lib/internal/process/pre_execution.js         |   1 +
 node.gyp                                      |   2 +
 src/crypto/crypto_dsa.cc                      |  53 +-
 src/crypto/crypto_ec.cc                       |  39 +-
 src/crypto/crypto_keys.cc                     | 116 +++-
 src/crypto/crypto_rsa.cc                      |  77 ++-
 src/crypto/crypto_sig.cc                      | 121 +++-
 src/env.cc                                    |   4 +
 src/node_options.cc                           |   7 +
 src/node_options.h                            |   1 +
 src/permission/crypto_store_permission.cc     |  31 +
 src/permission/crypto_store_permission.h      |  34 +
 src/permission/permission.cc                  |   8 +
 src/permission/permission.h                   |   1 +
 src/permission/permission_base.h              |   6 +-
 test/parallel/test-crypto-key-store-pkcs11.js | 585 ++++++++++++++++++
 test/parallel/test-crypto-key-store.js        |  94 +++
 test/parallel/test-permission-crypto-store.js |  55 ++
 test/parallel/test-permission-has.js          |   1 +
 .../parallel/test-permission-warning-flags.js |   1 +
 typings/internalBinding/crypto.d.ts           |  11 +-
 33 files changed, 1500 insertions(+), 85 deletions(-)
 create mode 100644 src/permission/crypto_store_permission.cc
 create mode 100644 src/permission/crypto_store_permission.h
 create mode 100644 test/parallel/test-crypto-key-store-pkcs11.js
 create mode 100644 test/parallel/test-crypto-key-store.js
 create mode 100644 test/parallel/test-permission-crypto-store.js

diff --git a/.github/workflows/build-shared.yml b/.github/workflows/build-shared.yml
index 61441571427eff..98d6dff6c417e5 100644
--- a/.github/workflows/build-shared.yml
+++ b/.github/workflows/build-shared.yml
@@ -22,6 +22,11 @@ on:
         required: false
         type: string
         default: ''
+      pkcs11-store-test:
+        description: Whether to enable the PKCS#11-backed crypto STORE test
+        required: false
+        type: boolean
+        default: false
     secrets:
       CACHIX_AUTH_TOKEN:
         description: Cachix auth token for nodejs.cachix.org.
@@ -74,10 +79,12 @@ jobs:
 
       - name: Build Node.js and run tests
         shell: bash
+        env:
+          NODE_TEST_PKCS11_NIX: ${{ inputs.pkcs11-store-test && '1' || '0' }}
         run: |
           nix-shell \
             -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
-            --pure --keep TAR_DIR --keep FLAKY_TESTS \
+            --pure --keep TAR_DIR --keep FLAKY_TESTS --keep NODE_TEST_PKCS11_NIX \
             --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
             --arg loadJSBuiltinsDynamically false \
             --arg ccache "${NIX_SCCACHE:-null}" \
diff --git a/.github/workflows/test-shared.yml b/.github/workflows/test-shared.yml
index ef22c29f478c86..09bc2776159638 100644
--- a/.github/workflows/test-shared.yml
+++ b/.github/workflows/test-shared.yml
@@ -245,6 +245,7 @@ jobs:
     with:
       runner: ubuntu-24.04-arm
       v8-nar: ${{ needs.build-aarch64-linux-v8.outputs.local-cache && 'libv8-aarch64-linux.nar' }}
+      pkcs11-store-test: ${{ matrix.openssl.attr == 'openssl_3_5' }}
       # Override just the `openssl` attr of the default shared-lib set with
       # the matrix-selected nixpkgs attribute (e.g. `openssl_3_6`). All
       # other shared libs (brotli, cares, libuv, …) keep their defaults.
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index 81af3ded563777..56d850ffe80a52 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -20,6 +20,7 @@
 #include <openssl/core_names.h>
 #include <openssl/params.h>
 #include <openssl/provider.h>
+#include <openssl/store.h>
 #if OPENSSL_WITH_ARGON2
 #include <openssl/thread.h>
 #endif
@@ -74,6 +75,7 @@ namespace {
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>;
 using BignumGenCallbackPointer = DeleteFnPtr<BN_GENCB, BN_GENCB_free>;
 using NetscapeSPKIPointer = DeleteFnPtr<NETSCAPE_SPKI, NETSCAPE_SPKI_free>;
+using X509PubKeyPointer = DeleteFnPtr<X509_PUBKEY, X509_PUBKEY_free>;
 
 static constexpr int kX509NameFlagsRFC2253WithinUtf8JSON =
     XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB & ~ASN1_STRFLGS_ESC_CTRL;
@@ -618,6 +620,26 @@ int PasswordCallback(char* buf, int size, int rwflag, void* u) {
   return -1;
 }
 
+struct StorePassphraseData {
+  Buffer<char> passphrase{.data = nullptr, .len = 0};
+  bool has_passphrase = false;
+  bool missing_passphrase = false;
+};
+
+int StorePasswordCallback(char* buf, int size, int rwflag, void* u) {
+  auto data = static_cast<StorePassphraseData*>(u);
+  if (data == nullptr || !data->has_passphrase) {
+    if (data != nullptr) data->missing_passphrase = true;
+    return -1;
+  }
+
+  size_t buflen = static_cast<size_t>(size);
+  size_t len = data->passphrase.len;
+  if (buflen < len) return -1;
+  memcpy(buf, reinterpret_cast<const char*>(data->passphrase.data), len);
+  return len;
+}
+
 // Algorithm: http://howardhinnant.github.io/date_algorithms.html
 constexpr int days_from_epoch(int y, unsigned m, unsigned d) {
   y -= m <= 2;
@@ -2613,6 +2635,102 @@ EVPKeyPointer::ParseKeyResult EVPKeyPointer::TryParsePrivateKey(
   };
 }
 
+EVPKeyPointer::ParseKeyResult EVPKeyPointer::TryLoadPrivateKeyFromStore(
+    const StorePrivateKeyConfig& config) {
+#if defined(OPENSSL_IS_BORINGSSL) || OPENSSL_VERSION_MAJOR < 3
+  return ParseKeyResult(PKParseError::FAILED);
+#else
+  ClearErrorOnReturn clear_error_on_return;
+  std::string uri_str(config.uri);
+  std::string properties_str;
+  const char* properties = nullptr;
+  if (config.properties.has_value()) {
+    properties_str.assign(config.properties->data(), config.properties->size());
+    properties = properties_str.c_str();
+  }
+
+  std::string passphrase_str;
+  Buffer<char> passbuf{.data = nullptr, .len = 0};
+  if (config.passphrase.has_value()) {
+    passphrase_str.assign(config.passphrase->data, config.passphrase->len);
+    passbuf.data = passphrase_str.data();
+    passbuf.len = passphrase_str.size();
+  }
+  StorePassphraseData passphrase_data{
+      .passphrase = passbuf,
+      .has_passphrase = config.passphrase.has_value(),
+  };
+  UI_METHOD* ui_method =
+      UI_UTIL_wrap_read_pem_callback(StorePasswordCallback, 0);
+  if (ui_method == nullptr) return ParseKeyResult(PKParseError::FAILED);
+
+  const OSSL_PARAM store_params[] = {OSSL_PARAM_END};
+  OSSL_STORE_CTX* ctx = OSSL_STORE_open_ex(uri_str.c_str(),
+                                           nullptr,
+                                           properties,
+                                           ui_method,
+                                           &passphrase_data,
+                                           store_params,
+                                           nullptr,
+                                           nullptr);
+  if (ctx == nullptr) {
+    bool missing_passphrase = passphrase_data.missing_passphrase;
+    int err = ERR_peek_error();
+    UI_destroy_method(ui_method);
+    if (missing_passphrase) {
+      return ParseKeyResult(PKParseError::NEED_PASSPHRASE);
+    }
+    return ParseKeyResult(PKParseError::FAILED, err);
+  }
+
+  if (!OSSL_STORE_expect(ctx, OSSL_STORE_INFO_PKEY)) {
+    bool missing_passphrase = passphrase_data.missing_passphrase;
+    int err = ERR_peek_error();
+    OSSL_STORE_close(ctx);
+    UI_destroy_method(ui_method);
+    if (missing_passphrase) {
+      return ParseKeyResult(PKParseError::NEED_PASSPHRASE);
+    }
+    return ParseKeyResult(PKParseError::FAILED, err);
+  }
+
+  EVPKeyPointer pkey;
+  int store_error = 0;
+  while (!OSSL_STORE_eof(ctx)) {
+    OSSL_STORE_INFO* info = OSSL_STORE_load(ctx);
+    if (info == nullptr) {
+      if (OSSL_STORE_error(ctx)) {
+        store_error = ERR_peek_error();
+        break;
+      }
+      continue;
+    }
+    if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
+      EVP_PKEY* raw_pkey = OSSL_STORE_INFO_get1_PKEY(info);
+      if (raw_pkey != nullptr) {
+        pkey = EVPKeyPointer(raw_pkey);
+      } else {
+        store_error = ERR_peek_error();
+      }
+    }
+    OSSL_STORE_INFO_free(info);
+    if (pkey || store_error != 0) break;
+  }
+
+  OSSL_STORE_close(ctx);
+  UI_destroy_method(ui_method);
+
+  if (passphrase_data.missing_passphrase) {
+    return ParseKeyResult(PKParseError::NEED_PASSPHRASE);
+  }
+  if (store_error != 0) {
+    return ParseKeyResult(PKParseError::FAILED, store_error);
+  }
+  if (!pkey) return ParseKeyResult(PKParseError::NOT_RECOGNIZED);
+  return ParseKeyResult(std::move(pkey));
+#endif
+}
+
 Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
     const PrivateKeyEncodingConfig& config) const {
   if (config.format == PKFormatType::JWK) {
@@ -2638,6 +2756,8 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
 #else
       RSA* rsa = EVP_PKEY_get0_RSA(get());
 #endif
+      if (rsa == nullptr) return Result<BIOPointer, bool>(false);
+
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_RSAPrivateKey(
@@ -2701,6 +2821,8 @@ Result<BIOPointer, bool> EVPKeyPointer::writePrivateKey(
 #else
       EC_KEY* ec = EVP_PKEY_get0_EC_KEY(get());
 #endif
+      if (ec == nullptr) return Result<BIOPointer, bool>(false);
+
       switch (config.format) {
         case PKFormatType::PEM: {
           err = PEM_write_bio_ECPrivateKey(
@@ -2754,6 +2876,8 @@ Result<BIOPointer, bool> EVPKeyPointer::writePublicKey(
 #else
     RSA* rsa = EVP_PKEY_get0_RSA(get());
 #endif
+    if (rsa == nullptr) return Result<BIOPointer, bool>(false);
+
     if (config.format == ncrypto::EVPKeyPointer::PKFormatType::PEM) {
       // Encode PKCS#1 as PEM.
       if (PEM_write_bio_RSAPublicKey(bio.get(), rsa) != 1) {
@@ -2773,7 +2897,17 @@ Result<BIOPointer, bool> EVPKeyPointer::writePublicKey(
 
   if (config.format == ncrypto::EVPKeyPointer::PKFormatType::PEM) {
     // Encode SPKI as PEM.
-    if (PEM_write_bio_PUBKEY(bio.get(), get()) != 1) {
+    // Build the SubjectPublicKeyInfo wrapper explicitly before PEM encoding.
+    // Provider-backed keys can fail the direct PEM_write_bio_PUBKEY() path even
+    // when OpenSSL can materialize the public wrapper with X509_PUBKEY_set().
+    X509_PUBKEY* pubkey = nullptr;
+    if (X509_PUBKEY_set(&pubkey, get()) != 1) {
+      X509_PUBKEY_free(pubkey);
+      return Result<BIOPointer, bool>(false,
+                                      mark_pop_error_on_return.peekError());
+    }
+    X509PubKeyPointer pubkey_ptr(pubkey);
+    if (PEM_write_bio_X509_PUBKEY(bio.get(), pubkey_ptr.get()) != 1) {
       return Result<BIOPointer, bool>(false,
                                       mark_pop_error_on_return.peekError());
     }
@@ -2842,14 +2976,45 @@ std::optional<uint32_t> EVPKeyPointer::getBytesOfRS() const {
 
   if (id == EVP_PKEY_DSA) {
     const DSA* dsa_key = EVP_PKEY_get0_DSA(get());
+    bool has_bits = false;
     // Both r and s are computed mod q, so their width is limited by that of q.
-    bits = BignumPointer::GetBitCount(DSA_get0_q(dsa_key));
+    if (dsa_key != nullptr) {
+      const BIGNUM* q = DSA_get0_q(dsa_key);
+      if (q != nullptr) {
+        bits = BignumPointer::GetBitCount(q);
+        has_bits = true;
+      }
+    }
+#if OPENSSL_VERSION_MAJOR >= 3 && !defined(OPENSSL_IS_BORINGSSL)
+    if (!has_bits &&
+        EVP_PKEY_get_int_param(get(), OSSL_PKEY_PARAM_FFC_QBITS, &bits) == 1) {
+      has_bits = true;
+    }
+#endif
+    if (!has_bits) return std::nullopt;
   } else if (id == EVP_PKEY_EC) {
-    bits = EC_GROUP_order_bits(ECKeyPointer::GetGroup(*this));
+    const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(get());
+    bool has_bits = false;
+    if (ec_key != nullptr) {
+      const EC_GROUP* group = ECKeyPointer::GetGroup(ec_key);
+      if (group != nullptr) {
+        bits = EC_GROUP_order_bits(group);
+        has_bits = true;
+      }
+    }
+#if OPENSSL_VERSION_MAJOR >= 3 && !defined(OPENSSL_IS_BORINGSSL)
+    if (!has_bits &&
+        EVP_PKEY_get_int_param(get(), OSSL_PKEY_PARAM_BITS, &bits) == 1) {
+      has_bits = true;
+    }
+#endif
+    if (!has_bits) return std::nullopt;
   } else {
     return std::nullopt;
   }
 
+  if (bits <= 0) return std::nullopt;
+
   return (bits + 7) / 8;
 }
 
@@ -2880,16 +3045,18 @@ EVPKeyPointer::operator Dsa() const {
 
 bool EVPKeyPointer::validateDsaParameters() const {
   if (!pkey_) return false;
-    /* Validate DSA2 parameters from FIPS 186-4 */
 #if OPENSSL_VERSION_MAJOR >= 3
   if (EVP_default_properties_is_fips_enabled(nullptr) && EVP_PKEY_DSA == id()) {
 #else
   if (FIPS_mode() && EVP_PKEY_DSA == id()) {
 #endif
+    // Validate DSA2 parameters from FIPS 186-4.
     const DSA* dsa = EVP_PKEY_get0_DSA(pkey_.get());
+    if (dsa == nullptr) return false;
     const BIGNUM* p;
     const BIGNUM* q;
     DSA_get0_pqg(dsa, &p, &q, nullptr);
+    if (p == nullptr || q == nullptr) return false;
     int L = BignumPointer::GetBitCount(p);
     int N = BignumPointer::GetBitCount(q);
 
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
index a6befbf7cf6794..876f8470fed8c8 100644
--- a/deps/ncrypto/ncrypto.h
+++ b/deps/ncrypto/ncrypto.h
@@ -946,6 +946,7 @@ class EVPKeyPointer final {
     RAW_PUBLIC,
     RAW_PRIVATE,
     RAW_SEED,
+    STORE,
   };
 
   enum class PKParseError { NOT_RECOGNIZED, NEED_PASSPHRASE, FAILED };
@@ -978,6 +979,12 @@ class EVPKeyPointer final {
     PrivateKeyEncodingConfig& operator=(const PrivateKeyEncodingConfig&);
   };
 
+  struct StorePrivateKeyConfig {
+    std::string_view uri;
+    std::optional<std::string_view> properties = std::nullopt;
+    std::optional<Buffer<const char>> passphrase = std::nullopt;
+  };
+
   static ParseKeyResult TryParsePublicKey(
       const PublicKeyEncodingConfig& config,
       const Buffer<const unsigned char>& buffer);
@@ -989,6 +996,13 @@ class EVPKeyPointer final {
       const PrivateKeyEncodingConfig& config,
       const Buffer<const unsigned char>& buffer);
 
+  // Loads a private key from an OpenSSL OSSL_STORE URI (e.g. "file:", a
+  // provider-backed scheme such as "pkcs11:"). The optional passphrase is
+  // used as the PIN/passphrase for encrypted or token-protected keys.
+  // Returns NOT_RECOGNIZED when no private key is found at the URI.
+  static ParseKeyResult TryLoadPrivateKeyFromStore(
+      const StorePrivateKeyConfig& config);
+
   EVPKeyPointer() = default;
   explicit EVPKeyPointer(EVP_PKEY* pkey);
   EVPKeyPointer(EVPKeyPointer&& other) noexcept;
diff --git a/doc/api/cli.md b/doc/api/cli.md
index ef5734822bf877..ae7869f4993897 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -191,6 +191,21 @@ This behavior also applies to `child_process.spawn()`, but in that case, the
 flags are propagated via the `NODE_OPTIONS` environment variable rather than
 directly through the process arguments.
 
+### `--allow-crypto-store`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+> Stability: 1.1 - Active development
+
+When using the [Permission Model][], the process will not be able to load
+private keys from OpenSSL store URIs (passed as a {URL} to
+[`crypto.createPrivateKey()`][]) by default. Attempts to do so will throw an
+`ERR_ACCESS_DENIED` unless the user explicitly passes the
+`--allow-crypto-store` flag. This permission can be dropped at runtime via
+[`permission.drop()`][].
+
 ### `--allow-ffi`
 
 <!-- YAML
@@ -2339,6 +2354,7 @@ following permissions are restricted:
 * WASI - manageable through [`--allow-wasi`][] flag
 * Addons - manageable through [`--allow-addons`][] flag
 * FFI - manageable through [`--allow-ffi`](#--allow-ffi) flag
+* Crypto Store - manageable through [`--allow-crypto-store`][] flag
 
 ### `--permission-audit`
 
@@ -3789,6 +3805,7 @@ one is included in the list below.
 
 * `--allow-addons`
 * `--allow-child-process`
+* `--allow-crypto-store`
 * `--allow-ffi`
 * `--allow-fs-read`
 * `--allow-fs-write`
@@ -4433,6 +4450,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`"type"`]: packages.md#type
 [`--allow-addons`]: #--allow-addons
 [`--allow-child-process`]: #--allow-child-process
+[`--allow-crypto-store`]: #--allow-crypto-store
 [`--allow-fs-read`]: #--allow-fs-read
 [`--allow-fs-write`]: #--allow-fs-write
 [`--allow-net`]: #--allow-net
@@ -4466,6 +4484,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`NO_COLOR`]: https://no-color.org
 [`Web Storage`]: https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage_API
 [`YoungGenerationSizeFromSemiSpaceSize`]: https://chromium.googlesource.com/v8/v8.git/+/refs/tags/10.3.129/src/heap/heap.cc#328
+[`crypto.createPrivateKey()`]: crypto.md#cryptocreateprivatekeykey
 [`dns.lookup()`]: dns.md#dnslookuphostname-options-callback
 [`dns.setDefaultResultOrder()`]: dns.md#dnssetdefaultresultorderorder
 [`dnsPromises.lookup()`]: dns.md#dnspromiseslookuphostname-options
@@ -4476,6 +4495,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`node:sqlite`]: sqlite.md
 [`node:stream/iter`]: stream_iter.md
 [`node:vfs`]: vfs.md
+[`permission.drop()`]: permissions.md#permissiondropscope-reference
 [`process.setUncaughtExceptionCaptureCallback()`]: process.md#processsetuncaughtexceptioncapturecallbackfn
 [`tls.DEFAULT_MAX_VERSION`]: tls.md#tlsdefault_max_version
 [`tls.DEFAULT_MIN_VERSION`]: tls.md#tlsdefault_min_version
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index b73093c648a90d..b2d17802d7c8ea 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3982,14 +3982,19 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView}
-  * `key` {string|ArrayBuffer|Buffer|TypedArray|DataView|Object} The key
-    material, either in PEM, DER, JWK, or raw format.
+* `key` {Object|string|ArrayBuffer|Buffer|TypedArray|DataView|URL}
+  * `key` {string|ArrayBuffer|Buffer|TypedArray|DataView|Object|URL} The key
+    material, either in PEM, DER, JWK, or raw format, or a {URL} referencing an
+    OpenSSL store.
   * `format` {string} Must be `'pem'`, `'der'`, `'jwk'`, `'raw-private'`,
     or `'raw-seed'`. **Default:** `'pem'`.
   * `type` {string} Must be `'pkcs1'`, `'pkcs8'` or `'sec1'`. This option is
     required only if the `format` is `'der'` and ignored otherwise.
-  * `passphrase` {string | Buffer} The passphrase to use for decryption.
+  * `passphrase` {string | Buffer} The passphrase to use for decryption. When
+    `key` is a {URL}, this is the optional PIN/passphrase forwarded to the
+    store.
+  * `properties` {string} The optional OpenSSL property query used when
+    fetching the store loader for a {URL} key.
   * `encoding` {string} The string encoding to use when `key` is a string.
   * `asymmetricKeyType` {string} Required when `format` is `'raw-private'`
     or `'raw-seed'` and ignored otherwise.
@@ -4007,6 +4012,19 @@ must be an object with the properties described above.
 If the private key is encrypted, a `passphrase` must be specified. The length
 of the passphrase is limited to 1024 bytes.
 
+#### OpenSSL store {URL} keys
+
+> Stability: 1.1 - Active development
+
+If `key` is a {URL} (or an object whose `key` is a {URL}), the private key is
+loaded from the corresponding OpenSSL store URI (for example a `file:` URI or a
+provider-backed scheme such as `pkcs11:`). When the [Permission Model][] is
+enabled, [`--allow-crypto-store`][] is required.
+
+When `properties` is specified with a {URL} key, it is passed to OpenSSL as the
+property query for selecting the store loader. It is not appended to the URL and
+is distinct from provider-specific URI parameters.
+
 ### `crypto.createPublicKey(key)`
 
 <!-- YAML
@@ -4080,6 +4098,10 @@ extracted from the returned `KeyObject`. Similarly, if a `KeyObject` with type
 `'private'` is given, a new `KeyObject` with type `'public'` will be returned
 and it will be impossible to extract the private key from the returned object.
 
+A store-backed private key can be used as a public key by first loading it with
+[`crypto.createPrivateKey()`][]; a {URL} cannot be passed to
+`crypto.createPublicKey()` directly.
+
 ### `crypto.createSecretKey(key[, encoding])`
 
 <!-- YAML
@@ -6960,6 +6982,7 @@ See the [list of SSL OP Flags][] for details.
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [OpenSSL's FIPS README file]: https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md
 [OpenSSL's SPKAC implementation]: https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html
+[Permission Model]: permissions.md#permission-model
 [RFC 1421]: https://www.rfc-editor.org/rfc/rfc1421.txt
 [RFC 2409]: https://www.rfc-editor.org/rfc/rfc2409.txt
 [RFC 2818]: https://www.rfc-editor.org/rfc/rfc2818.txt
@@ -6973,6 +6996,7 @@ See the [list of SSL OP Flags][] for details.
 [RFC 8032]: https://www.rfc-editor.org/rfc/rfc8032.txt
 [RFC 9562]: https://www.rfc-editor.org/rfc/rfc9562.txt
 [Web Crypto API documentation]: webcrypto.md
+[`--allow-crypto-store`]: cli.md#--allow-crypto-store
 [`BN_is_prime_ex`]: https://www.openssl.org/docs/man1.1.1/man3/BN_is_prime_ex.html
 [`Buffer`]: buffer.md
 [`DH_generate_key()`]: https://www.openssl.org/docs/man3.0/man3/DH_generate_key.html
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index 3f2a6411d3f678..fbcde1b889723b 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -74,6 +74,9 @@ flag. For WASI, use the [`--allow-wasi`][] flag. For FFI, use the
 [`--allow-ffi`][] flag. The [`node:ffi`](ffi.md) module also requires the
 `--experimental-ffi` flag and is only available in builds with FFI support.
 
+To allow loading private keys from OpenSSL store URIs via
+[`crypto.createPrivateKey()`][], use the [`--allow-crypto-store`][] flag.
+
 #### Runtime API
 
 When enabling the Permission Model through the [`--permission`][]
@@ -208,7 +211,8 @@ Example `node.config.json`:
     "allow-worker": true,
     "allow-net": true,
     "allow-addons": false,
-    "allow-ffi": false
+    "allow-ffi": false,
+    "allow-crypto-store": false
   }
 }
 ```
@@ -318,6 +322,7 @@ Developers relying on --permission to sandbox untrusted code should be aware tha
 [Security Policy]: https://github.com/nodejs/node/blob/main/SECURITY.md
 [`--allow-addons`]: cli.md#--allow-addons
 [`--allow-child-process`]: cli.md#--allow-child-process
+[`--allow-crypto-store`]: cli.md#--allow-crypto-store
 [`--allow-ffi`]: cli.md#--allow-ffi
 [`--allow-fs-read`]: cli.md#--allow-fs-read
 [`--allow-fs-write`]: cli.md#--allow-fs-write
@@ -325,5 +330,6 @@ Developers relying on --permission to sandbox untrusted code should be aware tha
 [`--allow-wasi`]: cli.md#--allow-wasi
 [`--allow-worker`]: cli.md#--allow-worker
 [`--permission`]: cli.md#--permission
+[`crypto.createPrivateKey()`]: crypto.md#cryptocreateprivatekeykey
 [`npx`]: https://docs.npmjs.com/cli/commands/npx
 [`permission.has()`]: process.md#processpermissionhasscope-reference
diff --git a/doc/api/process.md b/doc/api/process.md
index 0a7f85700ae85a..90dba22af735b6 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -3158,6 +3158,7 @@ The available scopes are:
 * `fs.read` - File System read operations
 * `fs.write` - File System write operations
 * `child` - Child process spawning operations
+* `crypto.store` - OpenSSL store URI private key loading
 * `worker` - Worker thread spawning operation
 * `ffi` - Foreign function interface operations
 
@@ -3208,6 +3209,7 @@ The available scopes are the same as [`process.permission.has()`][]:
 * `fs.read` - File System read operations
 * `fs.write` - File System write operations
 * `child` - Child process spawning operations
+* `crypto.store` - OpenSSL store URI private key loading
 * `worker` - Worker thread spawning operation
 * `net` - Network operations
 * `inspector` - Inspector operations
diff --git a/doc/node-config-schema.json b/doc/node-config-schema.json
index a78031061dca87..de635b37d6d46f 100644
--- a/doc/node-config-schema.json
+++ b/doc/node-config-schema.json
@@ -61,6 +61,10 @@
               "type": "boolean",
               "description": "allow use of child process when any permissions are set"
             },
+            "allow-crypto-store": {
+              "type": "boolean",
+              "description": "allow loading private keys from OpenSSL store URIs when any permissions are set"
+            },
             "allow-ffi": {
               "type": "boolean",
               "description": "allow use of FFI when any permissions are set"
@@ -826,6 +830,10 @@
               "type": "boolean",
               "description": "allow use of child process when any permissions are set"
             },
+            "allow-crypto-store": {
+              "type": "boolean",
+              "description": "allow loading private keys from OpenSSL store URIs when any permissions are set"
+            },
             "allow-ffi": {
               "type": "boolean",
               "description": "allow use of FFI when any permissions are set"
diff --git a/doc/node.1 b/doc/node.1
index 2801d2b3f130ba..9d25070047dc0e 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -118,6 +118,13 @@ This behavior also applies to \fBchild_process.spawn()\fR, but in that case, the
 flags are propagated via the \fBNODE_OPTIONS\fR environment variable rather than
 directly through the process arguments.
 .
+.It Fl -allow-crypto-store
+When using the Permission Model, the process will not be able to load
+private keys from OpenSSL store URIs (passed as a \fB<URL>\fR to \fBcrypto.createPrivateKey()\fR) by default. Attempts to do so will throw an
+\fBERR_ACCESS_DENIED\fR unless the user explicitly passes the
+\fB--allow-crypto-store\fR flag. This permission can be dropped at runtime via
+\fBpermission.drop()\fR.
+.
 .It Fl -allow-ffi
 When using the Permission Model, the process will not be able to use FFI
 APIs by default. Attempts to use FFI APIs will throw an \fBERR_ACCESS_DENIED\fR
@@ -1188,6 +1195,8 @@ WASI - manageable through \fB--allow-wasi\fR flag
 Addons - manageable through \fB--allow-addons\fR flag
 .It
 FFI - manageable through \fB--allow-ffi\fR flag
+.It
+Crypto Store - manageable through \fB--allow-crypto-store\fR flag
 .El
 .
 .It Fl -permission-audit
@@ -1903,6 +1912,8 @@ one is included in the list below.
 .It
 \fB--allow-child-process\fR
 .It
+\fB--allow-crypto-store\fR
+.It
 \fB--allow-ffi\fR
 .It
 \fB--allow-fs-read\fR
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
index 250f99cfd20d1a..a16b138452326c 100644
--- a/lib/internal/crypto/keys.js
+++ b/lib/internal/crypto/keys.js
@@ -27,6 +27,7 @@ const {
   kKeyFormatRawPublic,
   kKeyFormatRawPrivate,
   kKeyFormatRawSeed,
+  kKeyFormatStore,
   kKeyEncodingPKCS1,
   kKeyEncodingPKCS8,
   kKeyEncodingSPKI,
@@ -48,6 +49,7 @@ const {
 
 const {
   codes: {
+    ERR_ACCESS_DENIED,
     ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS,
     ERR_CRYPTO_INVALID_KEY_OBJECT_TYPE,
     ERR_ILLEGAL_CONSTRUCTOR,
@@ -72,6 +74,9 @@ const {
   isArrayBufferView,
 } = require('internal/util/types');
 
+const { fileURLToPath, isURL } = require('internal/url');
+const permission = require('internal/process/permission');
+
 const {
   customInspectSymbol: kInspect,
   kEnumerableProperty,
@@ -538,6 +543,41 @@ function getKeyTypes(allowKeyObject, bufferOnly = false) {
   return types;
 }
 
+function prepareStorePrivateKey(url, name, passphrase, encoding, properties) {
+  let uri = url.href;
+  if (url.protocol === 'file:') {
+    const path = fileURLToPath(url);
+    if (permission.isEnabled() && !permission.has('fs.read', path)) {
+      throw new ERR_ACCESS_DENIED(
+        'Access to this API has been restricted',
+        'FileSystemRead',
+        path);
+    }
+    uri = path;
+  }
+
+  if (passphrase !== undefined) {
+    if (!isStringOrBuffer(passphrase)) {
+      throw new ERR_INVALID_ARG_VALUE(option('passphrase', name), passphrase);
+    }
+    passphrase = getArrayBufferOrView(
+      passphrase,
+      option('passphrase', name),
+      encoding);
+  }
+
+  if (properties !== undefined)
+    validateString(properties, option('properties', name));
+
+  return {
+    data: {
+      uri,
+      properties: properties ?? null,
+    },
+    format: kKeyFormatStore,
+    passphrase: passphrase ?? null,
+  };
+}
 
 function prepareAsymmetricKey(key, ctx, name = 'key') {
   if (isKeyObject(key)) {
@@ -546,12 +586,16 @@ function prepareAsymmetricKey(key, ctx, name = 'key') {
     validateAsymmetricKeyType(type, ctx, key);
     return { data: getKeyObjectHandle(key) };
   }
+  if ((ctx === kConsumePrivate || ctx === kCreatePrivate) && isURL(key)) {
+    // A private key referenced by an OpenSSL store URI.
+    return prepareStorePrivateKey(key, name);
+  }
   if (isStringOrBuffer(key)) {
     // Expect PEM by default, mostly for backward compatibility.
     return { format: kKeyFormatPEM, data: getArrayBufferOrView(key, name) };
   }
   if (typeof key === 'object') {
-    const { key: data, encoding, format } = key;
+    const { key: data, encoding, format, properties } = key;
 
     // The 'key' property can be a KeyObject as well to allow specifying
     // additional options such as padding along with the key.
@@ -560,6 +604,16 @@ function prepareAsymmetricKey(key, ctx, name = 'key') {
       validateAsymmetricKeyType(type, ctx, data);
       return { data: getKeyObjectHandle(data) };
     }
+    if ((ctx === kConsumePrivate || ctx === kCreatePrivate) && isURL(data)) {
+      // A private key referenced by an OpenSSL store URI, with an optional
+      // passphrase/PIN.
+      return prepareStorePrivateKey(
+        data,
+        name,
+        key.passphrase,
+        encoding,
+        properties);
+    }
     if (format === 'jwk') {
       validateObject(data, `${name}.key`);
       return { data, format: kKeyFormatJWK };
diff --git a/lib/internal/process/permission.js b/lib/internal/process/permission.js
index 78e10e6e15fd0d..9bc57da3dca1ba 100644
--- a/lib/internal/process/permission.js
+++ b/lib/internal/process/permission.js
@@ -70,6 +70,7 @@ module.exports = ObjectFreeze({
       '--allow-inspector',
       '--allow-wasi',
       '--allow-worker',
+      '--allow-crypto-store',
     ];
 
     if (_ffi) {
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 38ea6675928ad8..57f5b777df32b0 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -684,6 +684,7 @@ function initializePermission() {
     const warnFlags = [
       '--allow-addons',
       '--allow-child-process',
+      '--allow-crypto-store',
       '--allow-inspector',
       '--allow-wasi',
       '--allow-worker',
diff --git a/node.gyp b/node.gyp
index f2b8c49550a3df..6078aab13c31ae 100644
--- a/node.gyp
+++ b/node.gyp
@@ -179,6 +179,7 @@
       'src/node_zlib.cc',
       'src/path.cc',
       'src/permission/child_process_permission.cc',
+      'src/permission/crypto_store_permission.cc',
       'src/permission/ffi_permission.cc',
       'src/permission/fs_permission.cc',
       'src/permission/inspector_permission.cc',
@@ -316,6 +317,7 @@
       'src/node_worker.h',
       'src/path.h',
       'src/permission/child_process_permission.h',
+      'src/permission/crypto_store_permission.h',
       'src/permission/ffi_permission.h',
       'src/permission/fs_permission.h',
       'src/permission/inspector_permission.h',
diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc
index c2ae2eceb2cf2f..f15d4827f5a2a6 100644
--- a/src/crypto/crypto_dsa.cc
+++ b/src/crypto/crypto_dsa.cc
@@ -1,19 +1,22 @@
 #include "crypto/crypto_dsa.h"
+#include "async_wrap-inl.h"
 #include "crypto/crypto_keys.h"
 #include "crypto/crypto_util.h"
-#include "async_wrap-inl.h"
 #include "env-inl.h"
 #include "memory_tracker-inl.h"
 #include "threadpoolwork-inl.h"
 #include "v8.h"
 
 #include <openssl/bn.h>
+#include <openssl/core_names.h>
 #include <openssl/dsa.h>
+#include <openssl/evp.h>
 
 #include <cstdio>
 
 namespace node {
 
+using ncrypto::BignumPointer;
 using ncrypto::Dsa;
 using ncrypto::EVPKeyCtxPointer;
 using v8::FunctionCallbackInfo;
@@ -62,7 +65,7 @@ Maybe<void> DsaKeyGenTraits::AdditionalConfig(
     const FunctionCallbackInfo<Value>& args,
     unsigned int* offset,
     DsaKeyPairGenConfig* params) {
-  CHECK(args[*offset]->IsUint32());  // modulus bits
+  CHECK(args[*offset]->IsUint32());     // modulus bits
   CHECK(args[*offset + 1]->IsInt32());  // divisor bits
 
   params->params.modulus_bits = args[*offset].As<Uint32>()->Value();
@@ -74,16 +77,10 @@ Maybe<void> DsaKeyGenTraits::AdditionalConfig(
   return JustVoid();
 }
 
-bool GetDsaKeyDetail(Environment* env,
-                     const KeyObjectData& key,
-                     Local<Object> target) {
-  if (!key) return false;
-  Dsa dsa = key.GetAsymmetricKey();
-  if (!dsa) return false;
-
-  size_t modulus_length = dsa.getModulusLength();
-  size_t divisor_length = dsa.getDivisorLength();
-
+static bool SetDsaKeyDetail(Environment* env,
+                            Local<Object> target,
+                            size_t modulus_length,
+                            size_t divisor_length) {
   return target
              ->Set(env->context(),
                    env->modulus_length_string(),
@@ -98,6 +95,38 @@ bool GetDsaKeyDetail(Environment* env,
              .IsJust();
 }
 
+bool GetDsaKeyDetail(Environment* env,
+                     const KeyObjectData& key,
+                     Local<Object> target) {
+  if (!key) return false;
+  const auto& m_pkey = key.GetAsymmetricKey();
+  Dsa dsa = m_pkey;
+  if (!dsa) {
+#if OPENSSL_VERSION_MAJOR >= 3 && !defined(OPENSSL_IS_BORINGSSL)
+    BIGNUM* p = nullptr;
+    BIGNUM* q = nullptr;
+    BignumPointer p_ptr;
+    BignumPointer q_ptr;
+    if (EVP_PKEY_get_bn_param(m_pkey.get(), OSSL_PKEY_PARAM_FFC_P, &p) == 1) {
+      p_ptr.reset(p);
+    }
+    if (EVP_PKEY_get_bn_param(m_pkey.get(), OSSL_PKEY_PARAM_FFC_Q, &q) == 1) {
+      q_ptr.reset(q);
+    }
+    if (p_ptr && q_ptr) {
+      return SetDsaKeyDetail(env,
+                             target,
+                             BignumPointer::GetBitCount(p_ptr.get()),
+                             BignumPointer::GetBitCount(q_ptr.get()));
+    }
+#endif
+    return false;
+  }
+
+  return SetDsaKeyDetail(
+      env, target, dsa.getModulusLength(), dsa.getDivisorLength());
+}
+
 namespace DSAAlg {
 void Initialize(Environment* env, Local<Object> target) {
   DsaKeyPairGenJob::Initialize(env, target);
diff --git a/src/crypto/crypto_ec.cc b/src/crypto/crypto_ec.cc
index a89e3391dbf896..9ba6d0cca52194 100644
--- a/src/crypto/crypto_ec.cc
+++ b/src/crypto/crypto_ec.cc
@@ -11,8 +11,10 @@
 #include "v8.h"
 
 #include <openssl/bn.h>
+#include <openssl/core_names.h>
 #include <openssl/ec.h>
 #include <openssl/ecdh.h>
+#include <openssl/evp.h>
 
 #include <algorithm>
 
@@ -470,14 +472,14 @@ bool ExportJWKEcKey(Environment* env,
   CHECK_EQ(m_pkey.id(), EVP_PKEY_EC);
 
   const EC_KEY* ec = m_pkey;
-  CHECK_NOT_NULL(ec);
+  if (ec == nullptr) return false;
 
   const auto pub = ECKeyPointer::GetPublicKey(ec);
   const auto group = ECKeyPointer::GetGroup(ec);
 
   int degree_bits = EC_GROUP_get_degree(group);
   int degree_bytes =
-    (degree_bits / CHAR_BIT) + (7 + (degree_bits % CHAR_BIT)) / 8;
+      (degree_bits / CHAR_BIT) + (7 + (degree_bits % CHAR_BIT)) / 8;
 
   auto x = BignumPointer::New();
   auto y = BignumPointer::New();
@@ -752,7 +754,25 @@ bool GetEcKeyDetail(Environment* env,
   CHECK_EQ(m_pkey.id(), EVP_PKEY_EC);
 
   const EC_KEY* ec = m_pkey;
-  CHECK_NOT_NULL(ec);
+  if (ec == nullptr) {
+#if OPENSSL_VERSION_MAJOR >= 3 && !defined(OPENSSL_IS_BORINGSSL)
+    char group_name[80];
+    size_t group_name_len = 0;
+    if (EVP_PKEY_get_utf8_string_param(m_pkey.get(),
+                                       OSSL_PKEY_PARAM_GROUP_NAME,
+                                       group_name,
+                                       sizeof(group_name),
+                                       &group_name_len) == 1 &&
+        group_name_len > 0) {
+      return target
+          ->Set(env->context(),
+                env->named_curve_string(),
+                OneByteString(env->isolate(), group_name, group_name_len))
+          .IsJust();
+    }
+#endif
+    return true;
+  }
 
   const auto group = ECKeyPointer::GetGroup(ec);
   int nid = EC_GROUP_get_curve_name(group);
@@ -764,18 +784,5 @@ bool GetEcKeyDetail(Environment* env,
       .IsJust();
 }
 
-// WebCrypto requires a different format for ECDSA signatures than
-// what OpenSSL produces, so we need to convert between them. The
-// implementation here is a adapted from Chromium's impl here:
-// https://github.com/chromium/chromium/blob/7af6cfd/components/webcrypto/algorithms/ecdsa.cc
-
-size_t GroupOrderSize(const EVPKeyPointer& key) {
-  const EC_KEY* ec = key;
-  CHECK_NOT_NULL(ec);
-  auto order = BignumPointer::New();
-  CHECK(order);
-  CHECK(EC_GROUP_get_order(ECKeyPointer::GetGroup(ec), order.get(), nullptr));
-  return order.byteLength();
-}
 }  // namespace crypto
 }  // namespace node
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
index 40b5ae9563ee7b..543091bc6ea0e3 100644
--- a/src/crypto/crypto_keys.cc
+++ b/src/crypto/crypto_keys.cc
@@ -12,6 +12,7 @@
 #include "memory_tracker-inl.h"
 #include "node.h"
 #include "node_buffer.h"
+#include "permission/permission.h"
 #include "string_bytes.h"
 #include "threadpoolwork-inl.h"
 #include "util-inl.h"
@@ -386,7 +387,11 @@ bool KeyObjectData::ToEncodedPublicKey(
     const auto& pkey = GetAsymmetricKey();
     if (pkey.id() == EVP_PKEY_EC) {
       const EC_KEY* ec_key = pkey;
-      CHECK_NOT_NULL(ec_key);
+      if (ec_key == nullptr) {
+        THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                          "Failed to export EC public key");
+        return false;
+      }
       auto form = static_cast<point_conversion_form_t>(config.ec_point_form);
       const auto group = ECKeyPointer::GetGroup(ec_key);
       const auto point = ECKeyPointer::GetPublicKey(ec_key);
@@ -432,9 +437,17 @@ bool KeyObjectData::ToEncodedPrivateKey(
     const auto& pkey = GetAsymmetricKey();
     if (pkey.id() == EVP_PKEY_EC) {
       const EC_KEY* ec_key = pkey;
-      CHECK_NOT_NULL(ec_key);
+      if (ec_key == nullptr) {
+        THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                          "Failed to export EC private key");
+        return false;
+      }
       const BIGNUM* private_key = ECKeyPointer::GetPrivateKey(ec_key);
-      CHECK_NOT_NULL(private_key);
+      if (private_key == nullptr) {
+        THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                          "Failed to export EC private key");
+        return false;
+      }
       const auto group = ECKeyPointer::GetGroup(ec_key);
       auto order = BignumPointer::New();
       CHECK(order);
@@ -750,6 +763,83 @@ KeyObjectData KeyObjectData::GetPrivateKeyFromJs(
     bool allow_key_object) {
   Environment* env = Environment::GetCurrent(args);
 
+  // Store descriptor: data is a { uri, properties } object, format int is
+  // STORE, and the passphrase slot carries an optional passphrase/PIN.
+  if (args[*offset]->IsObject() && !IsAnyBufferSource(args[*offset]) &&
+      args[*offset + 1]->IsInt32() &&
+      static_cast<EVPKeyPointer::PKFormatType>(
+          args[*offset + 1].As<Int32>()->Value()) ==
+          EVPKeyPointer::PKFormatType::STORE) {
+    Local<Object> store = args[*offset].As<Object>();
+    Local<Value> uri_value;
+    if (!store
+             ->Get(env->context(), FIXED_ONE_BYTE_STRING(env->isolate(), "uri"))
+             .ToLocal(&uri_value)) {
+      return {};
+    }
+    CHECK(uri_value->IsString());
+    Utf8Value uri(env->isolate(), uri_value);
+
+    Local<Value> properties_value;
+    if (!store
+             ->Get(env->context(),
+                   FIXED_ONE_BYTE_STRING(env->isolate(), "properties"))
+             .ToLocal(&properties_value)) {
+      return {};
+    }
+    std::string properties_storage;
+    std::optional<std::string_view> properties;
+    if (properties_value->IsString()) {
+      Utf8Value properties_string(env->isolate(), properties_value);
+      std::string_view properties_view = properties_string.ToStringView();
+      properties_storage.assign(properties_view.data(), properties_view.size());
+      properties = std::string_view(properties_storage);
+    } else {
+      CHECK(properties_value->IsNullOrUndefined());
+    }
+
+    THROW_IF_INSUFFICIENT_PERMISSIONS(env,
+                                      permission::PermissionScope::kCryptoStore,
+                                      uri.ToStringView(),
+                                      KeyObjectData());
+
+    std::optional<ArrayBufferOrViewContents<char>> passphrase_content;
+    std::optional<ncrypto::Buffer<const char>> passphrase;
+    if (IsAnyBufferSource(args[*offset + 3])) {
+      passphrase_content.emplace(args[*offset + 3]);
+      if (!passphrase_content->CheckSizeInt32()) [[unlikely]] {
+        THROW_ERR_OUT_OF_RANGE(env, "passphrase is too big");
+        return {};
+      }
+      passphrase = ncrypto::Buffer<const char>{
+          .data = passphrase_content->data(),
+          .len = passphrase_content->size(),
+      };
+    } else {
+      CHECK(args[*offset + 3]->IsNullOrUndefined());
+    }
+
+    *offset += 5;
+    EVPKeyPointer::StorePrivateKeyConfig config{
+        .uri = uri.ToStringView(),
+        .properties = properties,
+        .passphrase = passphrase,
+    };
+    auto res = EVPKeyPointer::TryLoadPrivateKeyFromStore(config);
+    if (res) {
+      return CreateAsymmetric(KeyType::kKeyTypePrivate, std::move(res.value));
+    }
+    if (res.error.value() == EVPKeyPointer::PKParseError::NEED_PASSPHRASE) {
+      THROW_ERR_MISSING_PASSPHRASE(env,
+                                   "Passphrase required for encrypted key");
+    } else {
+      ThrowCryptoError(env,
+                       res.openssl_error.value_or(0),
+                       "Failed to load private key from store");
+    }
+    return {};
+  }
+
   // JWK format: data is a JS Object (not buffer), format int is JWK.
   if (args[*offset]->IsObject() && !IsAnyBufferSource(args[*offset]) &&
       args[*offset + 1]->IsInt32()) {
@@ -1461,7 +1551,10 @@ void KeyObjectHandle::ExportECPublicRaw(
   }
 
   const EC_KEY* ec_key = m_pkey;
-  CHECK_NOT_NULL(ec_key);
+  if (ec_key == nullptr) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                             "Failed to export EC public key");
+  }
 
   CHECK(args[0]->IsInt32());
   auto form =
@@ -1492,10 +1585,16 @@ void KeyObjectHandle::ExportECPrivateRaw(
   }
 
   const EC_KEY* ec_key = m_pkey;
-  CHECK_NOT_NULL(ec_key);
+  if (ec_key == nullptr) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                             "Failed to export EC private key");
+  }
 
   const BIGNUM* private_key = ECKeyPointer::GetPrivateKey(ec_key);
-  CHECK_NOT_NULL(private_key);
+  if (private_key == nullptr) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                             "Failed to export EC private key");
+  }
 
   const auto group = ECKeyPointer::GetGroup(ec_key);
   auto order = BignumPointer::New();
@@ -1552,6 +1651,8 @@ void KeyObjectHandle::ExportJWK(
 
   if (ExportJWKInner(env, key->Data(), args[0], args[1]->IsTrue())) {
     args.GetReturnValue().Set(args[0]);
+  } else if (!env->isolate()->HasPendingException()) {
+    THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to export JWK");
   }
 }
 
@@ -2023,6 +2124,8 @@ void Initialize(Environment* env, Local<Object> target) {
       static_cast<int>(EVPKeyPointer::PKFormatType::RAW_PRIVATE);
   constexpr int kKeyFormatRawSeed =
       static_cast<int>(EVPKeyPointer::PKFormatType::RAW_SEED);
+  constexpr int kKeyFormatStore =
+      static_cast<int>(EVPKeyPointer::PKFormatType::STORE);
 
   constexpr auto kSigEncDER = DSASigEnc::DER;
   constexpr auto kSigEncP1363 = DSASigEnc::P1363;
@@ -2069,6 +2172,7 @@ void Initialize(Environment* env, Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, kKeyFormatRawPublic);
   NODE_DEFINE_CONSTANT(target, kKeyFormatRawPrivate);
   NODE_DEFINE_CONSTANT(target, kKeyFormatRawSeed);
+  NODE_DEFINE_CONSTANT(target, kKeyFormatStore);
   NODE_DEFINE_CONSTANT(target, kKeyTypeSecret);
   NODE_DEFINE_CONSTANT(target, kKeyTypePublic);
   NODE_DEFINE_CONSTANT(target, kKeyTypePrivate);
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index acec4b993613cd..748e6e3588cb00 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -10,6 +10,8 @@
 #include "v8.h"
 
 #include <openssl/bn.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
 #include <openssl/rsa.h>
 
 namespace node {
@@ -332,6 +334,38 @@ bool ExportJWKRsaKey(Environment* env,
   return true;
 }
 
+static bool SetRsaKeyDetail(Environment* env,
+                            Local<Object> target,
+                            const BIGNUM* n,
+                            const BIGNUM* e) {
+  if (n == nullptr || e == nullptr) return false;
+
+  if (target
+          ->Set(env->context(),
+                env->modulus_length_string(),
+                Number::New(env->isolate(),
+                            static_cast<double>(BignumPointer::GetBitCount(n))))
+          .IsNothing()) {
+    return false;
+  }
+
+  auto public_exponent = ArrayBuffer::NewBackingStore(
+      env->isolate(),
+      BignumPointer::GetByteCount(e),
+      BackingStoreInitializationMode::kUninitialized);
+  CHECK_EQ(BignumPointer::EncodePaddedInto(
+               e,
+               static_cast<unsigned char*>(public_exponent->Data()),
+               public_exponent->ByteLength()),
+           public_exponent->ByteLength());
+
+  return target
+      ->Set(env->context(),
+            env->public_exponent_string(),
+            ArrayBuffer::New(env->isolate(), std::move(public_exponent)))
+      .IsJust();
+}
+
 KeyObjectData ImportJWKRsaKey(Environment* env, Local<Object> jwk) {
   Local<Value> n_value;
   Local<Value> e_value;
@@ -439,35 +473,28 @@ bool GetRsaKeyDetail(Environment* env,
   // TODO(tniessen): Remove the "else" branch once we drop support for OpenSSL
   // versions older than 1.1.1e via FIPS / dynamic linking.
   const ncrypto::Rsa rsa = m_pkey;
-  if (!rsa) return false;
-
-  auto pub_key = rsa.getPublicKey();
-
-  if (target
-          ->Set(env->context(),
-                env->modulus_length_string(),
-                Number::New(
-                    env->isolate(),
-                    static_cast<double>(BignumPointer::GetBitCount(pub_key.n))))
-          .IsNothing()) {
+  if (!rsa) {
+#if OPENSSL_VERSION_MAJOR >= 3 && !defined(OPENSSL_IS_BORINGSSL)
+    BIGNUM* n = nullptr;
+    BIGNUM* e = nullptr;
+    BignumPointer n_ptr;
+    BignumPointer e_ptr;
+    if (EVP_PKEY_get_bn_param(m_pkey.get(), OSSL_PKEY_PARAM_RSA_N, &n) == 1) {
+      n_ptr.reset(n);
+    }
+    if (EVP_PKEY_get_bn_param(m_pkey.get(), OSSL_PKEY_PARAM_RSA_E, &e) == 1) {
+      e_ptr.reset(e);
+    }
+    if (n_ptr && e_ptr) {
+      return SetRsaKeyDetail(env, target, n_ptr.get(), e_ptr.get());
+    }
+#endif
     return false;
   }
 
-  auto public_exponent = ArrayBuffer::NewBackingStore(
-      env->isolate(),
-      BignumPointer::GetByteCount(pub_key.e),
-      BackingStoreInitializationMode::kUninitialized);
-  CHECK_EQ(BignumPointer::EncodePaddedInto(
-               pub_key.e,
-               static_cast<unsigned char*>(public_exponent->Data()),
-               public_exponent->ByteLength()),
-           public_exponent->ByteLength());
+  auto pub_key = rsa.getPublicKey();
 
-  if (target
-          ->Set(env->context(),
-                env->public_exponent_string(),
-                ArrayBuffer::New(env->isolate(), std::move(public_exponent)))
-          .IsNothing()) {
+  if (!SetRsaKeyDetail(env, target, pub_key.n, pub_key.e)) {
     return false;
   }
 
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
index de9e62a2a1f13c..daccb716bbd600 100644
--- a/src/crypto/crypto_sig.cc
+++ b/src/crypto/crypto_sig.cc
@@ -390,6 +390,76 @@ bool SupportsContextString(const EVPKeyPointer& key) {
 #endif
   return false;
 }
+
+bool UsePrehashedSignVerify(const EVPKeyPointer& key,
+                            const Digest& digest,
+                            bool has_context) {
+  // Match streaming sign/verify for digest-based keys: hash locally, then ask
+  // the key implementation to sign or verify the digest. Some providers only
+  // expose token-backed keys through that lower-level operation.
+  return digest && !has_context && !key.isOneShotVariant();
+}
+
+ByteSource SignPrehashed(Environment* env,
+                         const EVPKeyPointer& key,
+                         const Digest& digest,
+                         const ByteSource& input,
+                         int padding,
+                         std::optional<int> salt_length,
+                         DSASigEnc dsa_encoding) {
+  EVPMDCtxPointer context = EVPMDCtxPointer::New();
+  if (!context || !context.digestInit(digest) || !context.digestUpdate(input))
+      [[unlikely]] {
+    return {};
+  }
+
+  auto data = context.digestFinal(context.getExpectedSize());
+  if (!data) [[unlikely]] {
+    return {};
+  }
+
+  EVPKeyCtxPointer pkctx = key.newCtx();
+  if (!pkctx || pkctx.initForSign() <= 0 ||
+      !ApplyRSAOptions(key, pkctx.get(), padding, salt_length) ||
+      !pkctx.setSignatureMd(context)) [[unlikely]] {
+    return {};
+  }
+
+  auto signature = pkctx.sign(data);
+  if (!signature) [[unlikely]] {
+    return {};
+  }
+
+  DCHECK(!signature.isSecure());
+  auto out = ByteSource::Allocated(signature.release());
+  if (UseP1363Encoding(key, dsa_encoding)) {
+    return ConvertSignatureToP1363(env, key, std::move(out));
+  }
+  return out;
+}
+
+bool VerifyPrehashed(const EVPKeyPointer& key,
+                     const Digest& digest,
+                     const ByteSource& input,
+                     const ByteSource& signature,
+                     int padding,
+                     std::optional<int> salt_length) {
+  EVPMDCtxPointer context = EVPMDCtxPointer::New();
+  if (!context || !context.digestInit(digest) || !context.digestUpdate(input))
+      [[unlikely]] {
+    return false;
+  }
+
+  auto data = context.digestFinal(context.getExpectedSize());
+  if (!data) [[unlikely]] {
+    return false;
+  }
+
+  EVPKeyCtxPointer pkctx = key.newCtx();
+  return pkctx && pkctx.initForVerify() > 0 &&
+         ApplyRSAOptions(key, pkctx.get(), padding, salt_length) &&
+         pkctx.setSignatureMd(context) && pkctx.verify(signature, data);
+}
 }  // namespace
 
 SignBase::Error SignBase::Init(const char* digest) {
@@ -812,9 +882,6 @@ bool SignTraits::DeriveBits(Environment* env,
                             ByteSource* out,
                             CryptoJobMode mode,
                             CryptoErrorStore* errors) {
-  auto context = EVPMDCtxPointer::New();
-  if (!context) [[unlikely]]
-    return false;
   const auto& key = params.key.GetAsymmetricKey();
 
   bool has_context = (params.flags & SignConfiguration::kHasContextString &&
@@ -826,6 +893,45 @@ bool SignTraits::DeriveBits(Environment* env,
     return false;
   }
 
+  int padding = params.flags & SignConfiguration::kHasPadding
+                    ? params.padding
+                    : key.getDefaultSignPadding();
+
+  std::optional<int> salt_length =
+      params.flags & SignConfiguration::kHasSaltLength
+          ? std::optional<int>(params.salt_length)
+          : std::nullopt;
+
+  if (UsePrehashedSignVerify(key, params.digest, has_context)) {
+    switch (params.mode) {
+      case SignConfiguration::Mode::Sign: {
+        *out = SignPrehashed(env,
+                             key,
+                             params.digest,
+                             params.data,
+                             padding,
+                             salt_length,
+                             params.dsa_encoding);
+        return static_cast<bool>(*out);
+      }
+      case SignConfiguration::Mode::Verify: {
+        auto buf = DataPointer::Alloc(1);
+        static_cast<char*>(buf.get())[0] = VerifyPrehashed(key,
+                                                           params.digest,
+                                                           params.data,
+                                                           params.signature,
+                                                           padding,
+                                                           salt_length);
+        *out = ByteSource::Allocated(buf.release());
+        return true;
+      }
+    }
+  }
+
+  auto context = EVPMDCtxPointer::New();
+  if (!context) [[unlikely]]
+    return false;
+
   auto ctx = ([&] {
     if (has_context) {
       ncrypto::Buffer<const unsigned char> context_buf{
@@ -854,15 +960,6 @@ bool SignTraits::DeriveBits(Environment* env,
     return false;
   }
 
-  int padding = params.flags & SignConfiguration::kHasPadding
-                    ? params.padding
-                    : key.getDefaultSignPadding();
-
-  std::optional<int> salt_length =
-      params.flags & SignConfiguration::kHasSaltLength
-          ? std::optional<int>(params.salt_length)
-          : std::nullopt;
-
   if (!ApplyRSAOptions(key, *ctx, padding, salt_length)) {
     return false;
   }
diff --git a/src/env.cc b/src/env.cc
index 08f5f8807ca054..afe01b972e8452 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -941,6 +941,10 @@ Environment::Environment(IsolateData* isolate_data,
     if (!options_->allow_ffi) {
       permission()->Apply(this, {"*"}, permission::PermissionScope::kFFI);
     }
+    if (!options_->allow_crypto_store) {
+      permission()->Apply(
+          this, {"*"}, permission::PermissionScope::kCryptoStore);
+    }
     if (!options_->allow_worker_threads) {
       permission()->Apply(
           this, {"*"}, permission::PermissionScope::kWorkerThreads);
diff --git a/src/node_options.cc b/src/node_options.cc
index 16fb1ba34e5050..1eb1cd2fed3d9e 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -730,6 +730,13 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
             kAllowedInEnvvar,
             false,
             OptionNamespaces::kPermissionNamespace);
+  AddOption("--allow-crypto-store",
+            "allow loading private keys from OpenSSL store URIs when any "
+            "permissions are set",
+            &EnvironmentOptions::allow_crypto_store,
+            kAllowedInEnvvar,
+            false,
+            OptionNamespaces::kPermissionNamespace);
   AddOption("--experimental-repl-await",
             "experimental await keyword support in REPL",
             &EnvironmentOptions::experimental_repl_await,
diff --git a/src/node_options.h b/src/node_options.h
index 3b3c6f371a03c4..877cb07850f691 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -153,6 +153,7 @@ class EnvironmentOptions : public Options {
   bool allow_net = false;
   bool allow_wasi = false;
   bool allow_ffi = false;
+  bool allow_crypto_store = false;
   bool allow_worker_threads = false;
   bool experimental_repl_await = true;
   bool experimental_vm_modules = EXPERIMENTALS_DEFAULT_VALUE;
diff --git a/src/permission/crypto_store_permission.cc b/src/permission/crypto_store_permission.cc
new file mode 100644
index 00000000000000..d7fec2561c6e04
--- /dev/null
+++ b/src/permission/crypto_store_permission.cc
@@ -0,0 +1,31 @@
+#include "permission/crypto_store_permission.h"
+
+#include <string>
+#include <vector>
+
+namespace node {
+
+namespace permission {
+
+// CryptoStorePermission manages a single global deny state for loading
+// private keys from OpenSSL store URIs.
+void CryptoStorePermission::Apply(Environment* env,
+                                  const std::vector<std::string>& allow,
+                                  PermissionScope scope) {
+  deny_all_ = true;
+}
+
+void CryptoStorePermission::Drop(Environment* env,
+                                 PermissionScope scope,
+                                 const std::string_view& param) {
+  deny_all_ = true;
+}
+
+bool CryptoStorePermission::is_granted(Environment* env,
+                                       PermissionScope perm,
+                                       const std::string_view& param) const {
+  return perm != PermissionScope::kCryptoStore || !deny_all_;
+}
+
+}  // namespace permission
+}  // namespace node
diff --git a/src/permission/crypto_store_permission.h b/src/permission/crypto_store_permission.h
new file mode 100644
index 00000000000000..ff538b493abf10
--- /dev/null
+++ b/src/permission/crypto_store_permission.h
@@ -0,0 +1,34 @@
+#ifndef SRC_PERMISSION_CRYPTO_STORE_PERMISSION_H_
+#define SRC_PERMISSION_CRYPTO_STORE_PERMISSION_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include <vector>
+#include "permission/permission_base.h"
+
+namespace node {
+
+namespace permission {
+
+class CryptoStorePermission final : public PermissionBase {
+ public:
+  void Apply(Environment* env,
+             const std::vector<std::string>& allow,
+             PermissionScope scope) override;
+  void Drop(Environment* env,
+            PermissionScope scope,
+            const std::string_view& param = "") override;
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
+                  const std::string_view& param = "") const override;
+
+ private:
+  bool deny_all_ = false;
+};
+
+}  // namespace permission
+
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_PERMISSION_CRYPTO_STORE_PERMISSION_H_
diff --git a/src/permission/permission.cc b/src/permission/permission.cc
index c593502d94eb49..c6dc35b786057c 100644
--- a/src/permission/permission.cc
+++ b/src/permission/permission.cc
@@ -48,6 +48,8 @@ constexpr std::string_view GetDiagnosticsChannelName(PermissionScope scope) {
       return "node:permission-model:addon";
     case PermissionScope::kFFI:
       return "node:permission-model:ffi";
+    case PermissionScope::kCryptoStore:
+      return "node:permission-model:crypto-store";
     default:
       return {};
   }
@@ -131,6 +133,8 @@ Permission::Permission() : enabled_(false), warning_only_(false) {
   std::shared_ptr<PermissionBase> net = std::make_shared<NetPermission>();
   std::shared_ptr<PermissionBase> addon = std::make_shared<AddonPermission>();
   std::shared_ptr<FFIPermission> ffi = std::make_shared<FFIPermission>();
+  std::shared_ptr<PermissionBase> crypto_store =
+      std::make_shared<CryptoStorePermission>();
 #define V(Name, _, __, ___)                                                    \
   nodes_.insert(std::make_pair(PermissionScope::k##Name, fs));
   FILESYSTEM_PERMISSIONS(V)
@@ -163,6 +167,10 @@ Permission::Permission() : enabled_(false), warning_only_(false) {
   nodes_.insert(std::make_pair(PermissionScope::k##Name, ffi));
   FFI_PERMISSIONS(V)
 #undef V
+#define V(Name, _, __, ___)                                                    \
+  nodes_.insert(std::make_pair(PermissionScope::k##Name, crypto_store));
+  CRYPTO_STORE_PERMISSIONS(V)
+#undef V
 }
 
 const char* GetErrorFlagSuggestion(node::permission::PermissionScope perm) {
diff --git a/src/permission/permission.h b/src/permission/permission.h
index 84e3ea67ed5e04..7ebe1c6748d8d2 100644
--- a/src/permission/permission.h
+++ b/src/permission/permission.h
@@ -8,6 +8,7 @@
 #include "node_options.h"
 #include "permission/addon_permission.h"
 #include "permission/child_process_permission.h"
+#include "permission/crypto_store_permission.h"
 #include "permission/ffi_permission.h"
 #include "permission/fs_permission.h"
 #include "permission/inspector_permission.h"
diff --git a/src/permission/permission_base.h b/src/permission/permission_base.h
index 11f4d6c6bfa65f..7fadaf8bb98cb6 100644
--- a/src/permission/permission_base.h
+++ b/src/permission/permission_base.h
@@ -37,6 +37,9 @@ namespace permission {
 
 #define FFI_PERMISSIONS(V) V(FFI, "ffi", PermissionsRoot, "--allow-ffi")
 
+#define CRYPTO_STORE_PERMISSIONS(V)                                            \
+  V(CryptoStore, "crypto.store", PermissionsRoot, "--allow-crypto-store")
+
 #define PERMISSIONS(V)                                                         \
   FILESYSTEM_PERMISSIONS(V)                                                    \
   CHILD_PROCESS_PERMISSIONS(V)                                                 \
@@ -45,7 +48,8 @@ namespace permission {
   INSPECTOR_PERMISSIONS(V)                                                     \
   NET_PERMISSIONS(V)                                                           \
   ADDON_PERMISSIONS(V)                                                         \
-  FFI_PERMISSIONS(V)
+  FFI_PERMISSIONS(V)                                                           \
+  CRYPTO_STORE_PERMISSIONS(V)
 
 #define V(name, _, __, ___) k##name,
 enum class PermissionScope {
diff --git a/test/parallel/test-crypto-key-store-pkcs11.js b/test/parallel/test-crypto-key-store-pkcs11.js
new file mode 100644
index 00000000000000..02d06398c80274
--- /dev/null
+++ b/test/parallel/test-crypto-key-store-pkcs11.js
@@ -0,0 +1,585 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const { hasOpenSSL } = require('../common/crypto');
+if (!hasOpenSSL(3, 0))
+  common.skip('requires OpenSSL 3.x');
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const { spawnSync } = require('child_process');
+const {
+  createPublicKey,
+  createPrivateKey,
+  createSign,
+  sign,
+  verify,
+} = require('crypto');
+const tmpdir = require('../common/tmpdir');
+
+const { subtle } = globalThis.crypto;
+const kData = Buffer.from(
+  Array.from({ length: 256 }, (_, i) => (i * 17 + 43) & 0xff));
+const kProperties = 'provider=pkcs11';
+const kOpenSSLConfig = process.env.NODE_TEST_PKCS11_OPENSSL_CONF;
+const kPin = process.env.NODE_TEST_PKCS11_PIN;
+const kExpectedPrivateExportFailure =
+  /Failed to encode private key|Failed to export JWK|Failed to get raw .* key|keymgmt export failure|not exportable|operation not supported/i;
+
+function run(command, args, options = {}) {
+  const result = spawnSync(command, args, {
+    encoding: 'utf8',
+    ...options,
+  });
+
+  if (result.status !== 0) {
+    const output = [
+      result.error?.message,
+      result.stdout,
+      result.stderr,
+    ].filter(Boolean).join('\n');
+    assert.fail(`${command} ${args.join(' ')} failed\n${output}`);
+  }
+
+  return result.stdout.trim();
+}
+
+function commandExists(command) {
+  const result = spawnSync(command, ['--version'], { stdio: 'ignore' });
+  return result.status === 0;
+}
+
+function findNixBuild() {
+  return [
+    'nix-build',
+    '/nix/var/nix/profiles/default/bin/nix-build',
+    '/run/current-system/sw/bin/nix-build',
+  ].find(commandExists);
+}
+
+function lastStorePath(output) {
+  const lines = output.split(/\r?\n/);
+  for (let i = lines.length - 1; i >= 0; i--) {
+    if (lines[i].startsWith('/nix/store/')) return lines[i];
+  }
+}
+
+function nixBuild(command, repo, expression) {
+  const output = run(command, [
+    '-I',
+    `nixpkgs=${path.join(repo, 'tools/nix/pkgs.nix')}`,
+    '-I',
+    `node=${repo}`,
+    '--no-out-link',
+    '-E',
+    expression,
+  ]);
+  const storePath = lastStorePath(output);
+  assert(storePath, `nix-build did not print a store path:\n${output}`);
+  return storePath;
+}
+
+function findFile(root, suffixes) {
+  const stack = [root];
+  while (stack.length > 0) {
+    const dir = stack.pop();
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const file = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        stack.push(file);
+      } else if (suffixes.some((suffix) => file.endsWith(suffix))) {
+        return file;
+      }
+    }
+  }
+}
+
+function shouldCreateNixFixture() {
+  // Enabled explicitly by the shared OpenSSL CI matrix.
+  return process.env.NODE_TEST_PKCS11_NIX === '1';
+}
+
+function createNixFixture() {
+  if (!shouldCreateNixFixture()) {
+    common.skip('requires a configured PKCS#11 provider test fixture');
+  }
+  const nixBuildCommand = findNixBuild();
+  if (nixBuildCommand === undefined) {
+    assert.fail('requires nix-build for the PKCS#11 provider test fixture');
+  }
+
+  const repo = process.env.TAR_DIR || path.resolve(__dirname, '..', '..');
+  const opensslExpression = `
+    let
+      pkgs = import <nixpkgs> {};
+      openssl = (import <node/tools/nix/sharedLibDeps.nix> {
+        inherit pkgs;
+      }).openssl;
+    in
+  `;
+  const pkcs11ProviderPackage = nixBuild(nixBuildCommand, repo, `
+    ${opensslExpression}
+      (pkgs.pkcs11-provider.override { inherit openssl; })
+        .overrideAttrs (_: { doCheck = false; })
+  `);
+  const softhsmPackage = nixBuild(nixBuildCommand, repo, `
+    ${opensslExpression}
+      (pkgs.softhsm.override { inherit openssl; })
+        .overrideAttrs (_: { doCheck = false; })
+  `);
+  const openscPackage = nixBuild(
+    nixBuildCommand,
+    repo,
+    'let pkgs = import <nixpkgs> {}; in pkgs.opensc');
+
+  const pkcs11ProviderModule = findFile(pkcs11ProviderPackage, [
+    '/lib/ossl-modules/pkcs11.so',
+    '/lib/ossl-modules/pkcs11.dylib',
+  ]);
+  const softhsmModule = findFile(softhsmPackage, [
+    '/lib/softhsm/libsofthsm2.so',
+    '/lib/softhsm/libsofthsm2.dylib',
+  ]);
+  const softhsm2Util = path.join(softhsmPackage, 'bin/softhsm2-util');
+  const pkcs11Tool = path.join(openscPackage, 'bin/pkcs11-tool');
+  for (const file of [
+    pkcs11ProviderModule,
+    softhsmModule,
+    softhsm2Util,
+    pkcs11Tool,
+  ]) {
+    assert(file && fs.existsSync(file), `missing PKCS#11 fixture file: ${file}`);
+  }
+
+  tmpdir.refresh();
+  const work = tmpdir.resolve('pkcs11-store');
+  const tokens = path.join(work, 'tokens');
+  fs.mkdirSync(tokens, { recursive: true });
+
+  const pin = '1234';
+  const softhsmConf = path.join(work, 'softhsm2.conf');
+  const opensslConf = path.join(work, 'openssl-pkcs11.cnf');
+  fs.writeFileSync(softhsmConf, `
+directories.tokendir = ${tokens}
+objectstore.backend = file
+log.level = ERROR
+slots.removable = false
+`);
+  fs.writeFileSync(opensslConf, `
+nodejs_conf = nodejs_init
+
+[nodejs_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+pkcs11 = pkcs11_sect
+
+[default_sect]
+activate = 1
+
+[pkcs11_sect]
+module = ${pkcs11ProviderModule}
+pkcs11-module-path = ${softhsmModule}
+pkcs11-module-quirks = no-deinit
+activate = 1
+`);
+
+  const env = { ...process.env, SOFTHSM2_CONF: softhsmConf };
+  run(softhsm2Util, [
+    '--init-token',
+    '--free',
+    '--label',
+    'node-test',
+    '--pin',
+    pin,
+    '--so-pin',
+    pin,
+  ], { env });
+
+  for (const [keyType, id, label] of [
+    ['RSA:2048', '01', 'node-rsa'],
+    ['EC:prime256v1', '02', 'node-ec'],
+    ['EC:ED25519', '03', 'node-ed25519'],
+  ]) {
+    run(pkcs11Tool, [
+      '--module',
+      softhsmModule,
+      '--login',
+      '--pin',
+      pin,
+      '--keypairgen',
+      '--key-type',
+      keyType,
+      '--id',
+      id,
+      '--label',
+      label,
+      '--usage-sign',
+    ], { env });
+  }
+
+  return { opensslConf, pin, softhsmConf };
+}
+
+function getFixture() {
+  if (process.env.NODE_TEST_PKCS11_OPENSSL_CONF &&
+      process.env.NODE_TEST_PKCS11_PIN) {
+    return {
+      opensslConf: process.env.NODE_TEST_PKCS11_OPENSSL_CONF,
+      pin: process.env.NODE_TEST_PKCS11_PIN,
+      softhsmConf: process.env.SOFTHSM2_CONF,
+    };
+  }
+
+  return createNixFixture();
+}
+
+function runInChild() {
+  const fixture = getFixture();
+  const child = spawnSync(process.execPath, [
+    `--openssl-config=${fixture.opensslConf}`,
+    __filename,
+  ], {
+    env: {
+      ...process.env,
+      NODE_TEST_PKCS11_CHILD: '1',
+      NODE_TEST_PKCS11_OPENSSL_CONF: fixture.opensslConf,
+      NODE_TEST_PKCS11_PIN: fixture.pin,
+      ...(fixture.softhsmConf && { SOFTHSM2_CONF: fixture.softhsmConf }),
+    },
+    stdio: 'inherit',
+  });
+  assert.strictEqual(child.status, 0);
+}
+
+function privateKeyUrl(label) {
+  return new URL(`pkcs11:object=${label};type=private`);
+}
+
+function loadPrivateKey(label) {
+  return createPrivateKey({
+    key: privateKeyUrl(label),
+    passphrase: kPin,
+    properties: kProperties,
+  });
+}
+
+function assertKeyDetails(key, type, asymmetricKeyType) {
+  assert.strictEqual(key.type, type);
+  assert.strictEqual(key.asymmetricKeyType, asymmetricKeyType);
+
+  switch (asymmetricKeyType) {
+    case 'rsa':
+      assert.strictEqual(key.asymmetricKeyDetails.modulusLength, 2048);
+      assert.strictEqual(key.asymmetricKeyDetails.publicExponent, 65537n);
+      break;
+    case 'ec':
+      assert.strictEqual(key.asymmetricKeyDetails.namedCurve, 'prime256v1');
+      break;
+    case 'ed25519':
+      assert.deepStrictEqual(key.asymmetricKeyDetails, {});
+      break;
+    default:
+      assert.fail(`unexpected asymmetric key type ${asymmetricKeyType}`);
+  }
+}
+
+function assertDerivedPublicKey(privateKey, asymmetricKeyType) {
+  const publicKey = createPublicKey(privateKey);
+  assertKeyDetails(publicKey, 'public', asymmetricKeyType);
+  return publicKey;
+}
+
+function assertPublicExports(publicKey) {
+  const spkiPem = publicKey.export({ format: 'pem', type: 'spki' });
+  assert.strictEqual(
+    spkiPem.split('\n')[0],
+    '-----BEGIN PUBLIC KEY-----');
+
+  const spkiDer = publicKey.export({ format: 'der', type: 'spki' });
+  assert(Buffer.isBuffer(spkiDer));
+  assert(spkiDer.byteLength > 0);
+}
+
+function assertPrivateExportsRejected(privateKey, type = 'pkcs8') {
+  assert.throws(() => {
+    privateKey.export({ format: 'pem', type });
+  }, {
+    message: kExpectedPrivateExportFailure,
+  });
+  assert.throws(() => {
+    privateKey.export({ format: 'der', type });
+  }, {
+    message: kExpectedPrivateExportFailure,
+  });
+  assert.throws(() => {
+    privateKey.export({ format: 'jwk' });
+  }, {
+    message: kExpectedPrivateExportFailure,
+  });
+}
+
+function assertOneShotSignVerify(digest, data, privateKey, options = {}) {
+  const publicKey = createPublicKey(privateKey);
+  const signKey = { key: privateKey, ...options };
+  const verifyPublicKey = { key: publicKey, ...options };
+  const verifyPrivateKey = { key: privateKey, ...options };
+
+  const signature = sign(digest, data, signKey);
+  assert(signature.byteLength > 0);
+  assert.strictEqual(verify(digest, data, verifyPublicKey, signature), true);
+  assert.strictEqual(verify(digest, data, verifyPrivateKey, signature), true);
+
+  return signature;
+}
+
+function assertStreamingSignOneShotVerify(digest, data, privateKey) {
+  const publicKey = createPublicKey(privateKey);
+  const signature = createSign(digest).update(data).sign(privateKey);
+  assert(signature.byteLength > 0);
+  assert.strictEqual(verify(digest, data, publicKey, signature), true);
+  assert.strictEqual(verify(digest, data, privateKey, signature), true);
+}
+
+async function assertWebCryptoSignVerify(
+  privateKey,
+  publicKey,
+  algorithm,
+  privateUsages,
+  publicUsages,
+  signAlgorithm = algorithm.name,
+) {
+  const privateCryptoKey = privateKey.toCryptoKey(
+    algorithm,
+    false,
+    privateUsages);
+  assert.strictEqual(privateCryptoKey.type, 'private');
+  assert.strictEqual(privateCryptoKey.extractable, false);
+  assert.deepStrictEqual(privateCryptoKey.usages, privateUsages);
+
+  await assert.rejects(
+    subtle.exportKey('pkcs8', privateCryptoKey),
+    {
+      name: 'InvalidAccessError',
+      message: /not extractable/i,
+    });
+
+  const publicCryptoKey = publicKey.toCryptoKey(
+    algorithm,
+    true,
+    publicUsages);
+  assert.strictEqual(publicCryptoKey.type, 'public');
+  assert.strictEqual(publicCryptoKey.extractable, true);
+  assert.deepStrictEqual(publicCryptoKey.usages, publicUsages);
+
+  const signature = await subtle.sign(
+    signAlgorithm,
+    privateCryptoKey,
+    kData);
+  assert(signature instanceof ArrayBuffer);
+  assert(signature.byteLength > 0);
+  assert.strictEqual(
+    await subtle.verify(
+      signAlgorithm,
+      publicCryptoKey,
+      signature,
+      kData),
+    true);
+
+  try {
+    const exportedPublicKey = await subtle.exportKey('spki', publicCryptoKey);
+    assert(exportedPublicKey instanceof ArrayBuffer);
+    assert(exportedPublicKey.byteLength > 0);
+  } catch (err) {
+    assert.strictEqual(err.name, 'OperationError');
+    assert.match(err.message, /operation-specific reason|not supported/i);
+  }
+}
+
+function assertStoreOptions() {
+  assert.strictEqual(
+    createPrivateKey({
+      key: privateKeyUrl('node-rsa'),
+      passphrase: kPin,
+    }).asymmetricKeyType,
+    'rsa');
+
+  assert.strictEqual(
+    createPrivateKey({
+      key: privateKeyUrl('node-rsa'),
+      passphrase: kPin,
+      properties: kProperties,
+    }).asymmetricKeyType,
+    'rsa');
+}
+
+function assertChild(args, expectedStatus, stderrPattern) {
+  const child = spawnSync(process.execPath, args, {
+    env: process.env,
+    encoding: 'utf8',
+  });
+  assert.strictEqual(child.signal, null);
+  assert.strictEqual(child.status, expectedStatus, child.stderr || child.stdout);
+  if (stderrPattern) assert.match(child.stderr, stderrPattern);
+}
+
+function assertStoreLoadFailure(code, stderrPattern) {
+  assertChild([
+    `--openssl-config=${kOpenSSLConfig}`,
+    '-e',
+    code,
+  ], 1, stderrPattern);
+}
+
+function assertPassphraseHandling() {
+  assertStoreLoadFailure(`
+    require('crypto').createPrivateKey({
+      key: new URL('pkcs11:object=node-rsa;type=private'),
+      properties: ${JSON.stringify(kProperties)},
+    });
+  `, /ERR_MISSING_PASSPHRASE/);
+
+  assertStoreLoadFailure(`
+    require('crypto').createPrivateKey({
+      key: new URL('pkcs11:object=node-rsa;type=private'),
+      passphrase: 'bad',
+      properties: ${JSON.stringify(kProperties)},
+    });
+  `, /Failed to load private key from store/);
+}
+
+function assertBadProperties() {
+  assertStoreLoadFailure(`
+    require('crypto').createPrivateKey({
+      key: new URL('pkcs11:object=node-rsa;type=private'),
+      passphrase: ${JSON.stringify(kPin)},
+      properties: 'provider=default',
+    });
+  `, /Failed to load private key from store|No such file or directory|unsupported/i);
+}
+
+function assertPermissionModel() {
+  const code = `
+    require('crypto').createPrivateKey({
+      key: new URL('pkcs11:object=node-rsa;type=private'),
+      passphrase: ${JSON.stringify(kPin)},
+      properties: ${JSON.stringify(kProperties)},
+    });
+  `;
+
+  assertChild([
+    `--openssl-config=${kOpenSSLConfig}`,
+    '--permission',
+    '--allow-fs-read=*',
+    '-e',
+    code,
+  ], 1, /ERR_ACCESS_DENIED/);
+
+  assertChild([
+    `--openssl-config=${kOpenSSLConfig}`,
+    '--permission',
+    '--allow-crypto-store',
+    '--allow-fs-read=*',
+    '-e',
+    code,
+  ], 0);
+}
+
+function assertInlineSignWithStoreUrl(privateKey) {
+  const publicKey = createPublicKey(privateKey);
+  const signature = sign('sha256', kData, {
+    key: privateKeyUrl('node-rsa'),
+    passphrase: kPin,
+    properties: kProperties,
+  });
+  assert(signature.byteLength > 0);
+  assert.strictEqual(verify('sha256', kData, publicKey, signature), true);
+}
+
+async function testRsa() {
+  const privateKey = loadPrivateKey('node-rsa');
+  assertKeyDetails(privateKey, 'private', 'rsa');
+
+  const publicKey = assertDerivedPublicKey(privateKey, 'rsa');
+  assertOneShotSignVerify('sha256', kData, privateKey);
+  assertStreamingSignOneShotVerify('sha256', kData, privateKey);
+  assertInlineSignWithStoreUrl(privateKey);
+  assertPublicExports(publicKey);
+  assertPrivateExportsRejected(privateKey);
+
+  await assertWebCryptoSignVerify(
+    privateKey,
+    publicKey,
+    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' },
+    ['sign'],
+    ['verify']);
+}
+
+async function testEc() {
+  const privateKey = loadPrivateKey('node-ec');
+  assertKeyDetails(privateKey, 'private', 'ec');
+
+  const publicKey = assertDerivedPublicKey(privateKey, 'ec');
+  assertOneShotSignVerify('sha256', kData, privateKey);
+
+  const p1363Signature = assertOneShotSignVerify(
+    'sha256',
+    kData,
+    privateKey,
+    { dsaEncoding: 'ieee-p1363' });
+  assert.strictEqual(p1363Signature.byteLength, 64);
+
+  assertStreamingSignOneShotVerify('sha256', kData, privateKey);
+  assertPublicExports(publicKey);
+  assertPrivateExportsRejected(privateKey);
+
+  await assertWebCryptoSignVerify(
+    privateKey,
+    publicKey,
+    { name: 'ECDSA', namedCurve: 'P-256' },
+    ['sign'],
+    ['verify'],
+    { name: 'ECDSA', hash: 'SHA-256' });
+}
+
+async function testEd25519() {
+  const privateKey = loadPrivateKey('node-ed25519');
+  assertKeyDetails(privateKey, 'private', 'ed25519');
+
+  const publicKey = assertDerivedPublicKey(privateKey, 'ed25519');
+  assertOneShotSignVerify(null, kData, privateKey);
+  assertPublicExports(publicKey);
+  assertPrivateExportsRejected(privateKey);
+
+  await assertWebCryptoSignVerify(
+    privateKey,
+    publicKey,
+    { name: 'Ed25519' },
+    ['sign'],
+    ['verify']);
+}
+
+async function runTest() {
+  assertStoreOptions();
+  assertPassphraseHandling();
+  assertBadProperties();
+  assertPermissionModel();
+
+  await testRsa();
+  await testEc();
+  await testEd25519();
+}
+
+if (process.env.NODE_TEST_PKCS11_CHILD === '1') {
+  runTest().then(common.mustCall()).catch((err) => {
+    process.nextTick(() => {
+      throw err;
+    });
+  });
+} else {
+  runInChild();
+}
diff --git a/test/parallel/test-crypto-key-store.js b/test/parallel/test-crypto-key-store.js
new file mode 100644
index 00000000000000..0e03effa57c36c
--- /dev/null
+++ b/test/parallel/test-crypto-key-store.js
@@ -0,0 +1,94 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const { hasOpenSSL3 } = require('../common/crypto');
+if (!hasOpenSSL3)
+  common.skip('requires OpenSSL 3.x');
+
+// Verifies that crypto.createPrivateKey() can load a private key from an
+// OpenSSL OSSL_STORE URI passed as a WHATWG URL (here a file: URI), and that
+// the resulting KeyObject works for signing and verification.
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const { pathToFileURL } = require('url');
+const {
+  createPrivateKey,
+  generateKeyPairSync,
+  sign,
+  verify,
+} = require('crypto');
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+const data = Buffer.from('hello store');
+
+{
+  const { privateKey, publicKey } = generateKeyPairSync('ed25519');
+  const file = path.join(tmpdir.path, 'priv.pem');
+  fs.writeFileSync(file, privateKey.export({ format: 'pem', type: 'pkcs8' }));
+  const url = pathToFileURL(file);
+
+  const pk = createPrivateKey(url);
+  assert.strictEqual(pk.type, 'private');
+  assert.strictEqual(pk.asymmetricKeyType, 'ed25519');
+
+  const sig = sign(null, data, pk);
+  assert.strictEqual(verify(null, data, publicKey, sig), true);
+
+  const pkWithProperties = createPrivateKey({ key: url, properties: '' });
+  assert.strictEqual(pkWithProperties.type, 'private');
+  assert.strictEqual(pkWithProperties.asymmetricKeyType, 'ed25519');
+  assert.strictEqual(
+    verify(null, data, publicKey, sign(null, data, pkWithProperties)),
+    true);
+
+  // Passing the URL inline to sign() behaves like createPrivateKey().
+  assert.strictEqual(verify(null, data, publicKey, sign(null, data, url)), true);
+
+  assert.throws(() => createPrivateKey({ key: url, properties: 1 }), {
+    code: 'ERR_INVALID_ARG_TYPE',
+  });
+}
+
+{
+  // Encrypted PKCS#8 with passphrase via { key: url, passphrase }.
+  const { privateKey, publicKey } = generateKeyPairSync('ed25519');
+  const file = path.join(tmpdir.path, 'enc.pem');
+  fs.writeFileSync(file, privateKey.export({
+    format: 'pem', type: 'pkcs8', cipher: 'aes-256-cbc', passphrase: 'pw',
+  }));
+  const url = pathToFileURL(file);
+
+  const sig = sign(null, data, { key: url, passphrase: Buffer.from('pw') });
+  assert.strictEqual(verify(null, data, publicKey, sig), true);
+
+  assert.throws(() => createPrivateKey(url), {
+    code: 'ERR_MISSING_PASSPHRASE',
+  });
+
+  assert.throws(() => createPrivateKey({ key: url, passphrase: 'bad' }),
+                common.expectsError({
+                  name: 'Error',
+                  code: /^ERR_OSSL_/,
+                }));
+}
+
+{
+  // A URL is only accepted in private-key contexts.
+  const url = pathToFileURL(path.join(tmpdir.path, 'priv.pem'));
+  assert.throws(() => require('crypto').createPublicKey(url), {
+    code: 'ERR_INVALID_ARG_TYPE',
+  });
+}
+
+{
+  // A non-key URI fails to load.
+  const file = path.join(tmpdir.path, 'nope.pem');
+  fs.writeFileSync(file, 'not a key');
+  assert.throws(() => createPrivateKey(pathToFileURL(file)), {
+    name: 'Error',
+  });
+}
diff --git a/test/parallel/test-permission-crypto-store.js b/test/parallel/test-permission-crypto-store.js
new file mode 100644
index 00000000000000..a83fc0c02c2751
--- /dev/null
+++ b/test/parallel/test-permission-crypto-store.js
@@ -0,0 +1,55 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-crypto-store --allow-child-process
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+const { hasOpenSSL3 } = require('../common/crypto');
+if (!hasOpenSSL3)
+  common.skip('requires OpenSSL 3.x');
+
+// Verifies the crypto.store permission: allowed when --allow-crypto-store is
+// set, can be dropped at runtime, and denied by default in a child process.
+
+const assert = require('assert');
+const fs = require('fs');
+const path = require('path');
+const { pathToFileURL } = require('url');
+const { createPrivateKey, generateKeyPairSync } = require('crypto');
+const { spawnSync } = require('child_process');
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+const file = path.join(tmpdir.path, 'priv.pem');
+fs.writeFileSync(
+  file, generateKeyPairSync('ed25519').privateKey.export({
+    format: 'pem', type: 'pkcs8',
+  }));
+const url = pathToFileURL(file);
+
+assert.strictEqual(process.permission.has('crypto.store'), true);
+assert.strictEqual(createPrivateKey(url).type, 'private');
+
+process.permission.drop('crypto.store');
+assert.strictEqual(process.permission.has('crypto.store'), false);
+assert.throws(() => createPrivateKey(url), { code: 'ERR_ACCESS_DENIED' });
+
+// Denied by default when the flag is not provided.
+{
+  const { status, stdout } = spawnSync(process.execPath, [
+    '--permission', '--allow-fs-read=*',
+    '-e', `try { require('crypto').createPrivateKey(new URL(${JSON.stringify(url.href)})); console.log('LOADED'); } catch (e) { console.log(e.code, e.permission); }`,
+  ]);
+  assert.strictEqual(status, 0);
+  assert.match(stdout.toString(), /ERR_ACCESS_DENIED CryptoStore/);
+}
+
+// file: store URIs also require fs.read permission.
+{
+  const { status, stdout } = spawnSync(process.execPath, [
+    '--permission', '--allow-crypto-store',
+    '-e', `try { require('crypto').createPrivateKey(new URL(${JSON.stringify(url.href)})); console.log('LOADED'); } catch (e) { console.log(e.code, e.permission); }`,
+  ]);
+  assert.strictEqual(status, 0);
+  assert.match(stdout.toString(), /ERR_ACCESS_DENIED FileSystemRead/);
+}
diff --git a/test/parallel/test-permission-has.js b/test/parallel/test-permission-has.js
index 838599735610e2..42e86a35ffa530 100644
--- a/test/parallel/test-permission-has.js
+++ b/test/parallel/test-permission-has.js
@@ -30,6 +30,7 @@ const assert = require('assert');
   assert.ok(!process.permission.has('fs'));
   assert.ok(process.permission.has('fs.read'));
   assert.ok(!process.permission.has('fs.write'));
+  assert.ok(!process.permission.has('crypto.store'));
   assert.ok(!process.permission.has('wasi'));
   assert.ok(!process.permission.has('worker'));
   assert.ok(!process.permission.has('inspector'));
diff --git a/test/parallel/test-permission-warning-flags.js b/test/parallel/test-permission-warning-flags.js
index d90bdadf78771e..3355421d61bd5c 100644
--- a/test/parallel/test-permission-warning-flags.js
+++ b/test/parallel/test-permission-warning-flags.js
@@ -7,6 +7,7 @@ const assert = require('assert');
 const warnFlags = [
   '--allow-addons',
   '--allow-child-process',
+  '--allow-crypto-store',
   '--allow-inspector',
   '--allow-wasi',
   '--allow-worker',
diff --git a/typings/internalBinding/crypto.d.ts b/typings/internalBinding/crypto.d.ts
index d91c5018ba688a..e2028c7d25fcaf 100644
--- a/typings/internalBinding/crypto.d.ts
+++ b/typings/internalBinding/crypto.d.ts
@@ -9,16 +9,22 @@ declare namespace InternalCryptoBinding {
   type KeyFormatRawPublic = 3;
   type KeyFormatRawPrivate = 4;
   type KeyFormatRawSeed = 5;
+  type KeyFormatStore = 6;
   type PublicKeyFormat =
     KeyFormatDER | KeyFormatPEM | KeyFormatJWK | KeyFormatRawPublic | undefined;
   type PrivateKeyFormat =
     KeyFormatDER | KeyFormatPEM | KeyFormatJWK |
-    KeyFormatRawPrivate | KeyFormatRawSeed | undefined;
+    KeyFormatRawPrivate | KeyFormatRawSeed | KeyFormatStore | undefined;
   type KeyFormat = PublicKeyFormat | PrivateKeyFormat;
   type KeyEncoding = string | number | null | undefined;
   type KeyPassphrase = ByteSource | null | undefined;
   type NamedCurve = string | null | undefined;
-  type PreparedAsymmetricKeyData = KeyObjectHandle | ByteSource | JwkKey;
+  interface StorePrivateKeyData {
+    uri: string;
+    properties: string | null;
+  }
+  type PreparedAsymmetricKeyData =
+    KeyObjectHandle | ByteSource | JwkKey | StorePrivateKeyData;
   type PreparedSecretKeyData = KeyObjectHandle | ByteSource;
   type CryptoJobAsyncMode = 0;
   type CryptoJobSyncMode = 1;
@@ -862,6 +868,7 @@ export interface CryptoBinding {
   kKeyFormatRawPrivate: InternalCryptoBinding.KeyFormatRawPrivate;
   kKeyFormatRawPublic: InternalCryptoBinding.KeyFormatRawPublic;
   kKeyFormatRawSeed: InternalCryptoBinding.KeyFormatRawSeed;
+  kKeyFormatStore: InternalCryptoBinding.KeyFormatStore;
   kKeyTypePrivate: number;
   kKeyTypePublic: number;
   kKeyTypeSecret: number;

From fcb4bf35ea6faabeffad3e5a20962a450068960d Mon Sep 17 00:00:00 2001
From: Filip Skokan <panva.ip@gmail.com>
Date: Mon, 29 Jun 2026 19:00:57 +0200
Subject: [PATCH 2/2] fixup! crypto: support OpenSSL STORE private keys

---
 deps/ncrypto/ncrypto.cc                  | 11 +++--
 deps/ncrypto/ncrypto.h                   |  2 +
 src/crypto/crypto_sig.cc                 | 61 +++++++++++-------------
 test/parallel/test-crypto-sign-verify.js | 38 +++++++++++++++
 4 files changed, 76 insertions(+), 36 deletions(-)

diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index 56d850ffe80a52..8c9caccc4b588c 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -4784,9 +4784,14 @@ DataPointer EVPMDCtxPointer::sign(
 
 bool EVPMDCtxPointer::verify(const Buffer<const unsigned char>& buf,
                              const Buffer<const unsigned char>& sig) const {
-  if (!ctx_) return false;
-  int ret = EVP_DigestVerify(ctx_.get(), sig.data, sig.len, buf.data, buf.len);
-  return ret == 1;
+  return verifyOneShot(buf, sig) == 1;
+}
+
+int EVPMDCtxPointer::verifyOneShot(
+    const Buffer<const unsigned char>& buf,
+    const Buffer<const unsigned char>& sig) const {
+  if (!ctx_) return -1;
+  return EVP_DigestVerify(ctx_.get(), sig.data, sig.len, buf.data, buf.len);
 }
 
 EVPMDCtxPointer EVPMDCtxPointer::New() {
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
index 876f8470fed8c8..029aa5539edc5b 100644
--- a/deps/ncrypto/ncrypto.h
+++ b/deps/ncrypto/ncrypto.h
@@ -1531,6 +1531,8 @@ class EVPMDCtxPointer final {
   DataPointer sign(const Buffer<const unsigned char>& buf) const;
   bool verify(const Buffer<const unsigned char>& buf,
               const Buffer<const unsigned char>& sig) const;
+  int verifyOneShot(const Buffer<const unsigned char>& buf,
+                    const Buffer<const unsigned char>& sig) const;
 
   const EVP_MD* getDigest() const;
   size_t getDigestSize() const;
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
index daccb716bbd600..15e1a186753408 100644
--- a/src/crypto/crypto_sig.cc
+++ b/src/crypto/crypto_sig.cc
@@ -391,12 +391,12 @@ bool SupportsContextString(const EVPKeyPointer& key) {
   return false;
 }
 
-bool UsePrehashedSignVerify(const EVPKeyPointer& key,
-                            const Digest& digest,
-                            bool has_context) {
-  // Match streaming sign/verify for digest-based keys: hash locally, then ask
-  // the key implementation to sign or verify the digest. Some providers only
-  // expose token-backed keys through that lower-level operation.
+bool CanFallbackToPrehashedSignVerify(const EVPKeyPointer& key,
+                                      const Digest& digest,
+                                      bool has_context) {
+  // The primary path is OpenSSL's digest-sign operation. Fall back to hashing
+  // locally only when that path fails; some providers expose token-backed keys
+  // through the lower-level prehashed sign/verify operation only.
   return digest && !has_context && !key.isOneShotVariant();
 }
 
@@ -901,32 +901,8 @@ bool SignTraits::DeriveBits(Environment* env,
       params.flags & SignConfiguration::kHasSaltLength
           ? std::optional<int>(params.salt_length)
           : std::nullopt;
-
-  if (UsePrehashedSignVerify(key, params.digest, has_context)) {
-    switch (params.mode) {
-      case SignConfiguration::Mode::Sign: {
-        *out = SignPrehashed(env,
-                             key,
-                             params.digest,
-                             params.data,
-                             padding,
-                             salt_length,
-                             params.dsa_encoding);
-        return static_cast<bool>(*out);
-      }
-      case SignConfiguration::Mode::Verify: {
-        auto buf = DataPointer::Alloc(1);
-        static_cast<char*>(buf.get())[0] = VerifyPrehashed(key,
-                                                           params.digest,
-                                                           params.data,
-                                                           params.signature,
-                                                           padding,
-                                                           salt_length);
-        *out = ByteSource::Allocated(buf.release());
-        return true;
-      }
-    }
-  }
+  bool can_fallback_to_prehash =
+      CanFallbackToPrehashedSignVerify(key, params.digest, has_context);
 
   auto context = EVPMDCtxPointer::New();
   if (!context) [[unlikely]]
@@ -975,6 +951,16 @@ bool SignTraits::DeriveBits(Environment* env,
         *out = ByteSource::Allocated(data.release());
       } else {
         auto data = context.sign(params.data);
+        if (!data && can_fallback_to_prehash) {
+          *out = SignPrehashed(env,
+                               key,
+                               params.digest,
+                               params.data,
+                               padding,
+                               salt_length,
+                               params.dsa_encoding);
+          return static_cast<bool>(*out);
+        }
         if (!data) [[unlikely]] {
           return false;
         }
@@ -992,9 +978,18 @@ bool SignTraits::DeriveBits(Environment* env,
     case SignConfiguration::Mode::Verify: {
       auto buf = DataPointer::Alloc(1);
       static_cast<char*>(buf.get())[0] = 0;
-      if (context.verify(params.data, params.signature) &&
+      int verify_result = context.verifyOneShot(params.data, params.signature);
+      if (verify_result == 1 &&
           !HasSmallOrderEdDsaPoint(key, params.signature)) {
         static_cast<char*>(buf.get())[0] = 1;
+      } else if (verify_result < 0 && can_fallback_to_prehash &&
+                 VerifyPrehashed(key,
+                                 params.digest,
+                                 params.data,
+                                 params.signature,
+                                 padding,
+                                 salt_length)) {
+        static_cast<char*>(buf.get())[0] = 1;
       }
       *out = ByteSource::Allocated(buf.release());
     }
diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
index a6a0d339d2432d..b79e8942ead65f 100644
--- a/test/parallel/test-crypto-sign-verify.js
+++ b/test/parallel/test-crypto-sign-verify.js
@@ -625,6 +625,44 @@ if (hasOpenSSL(3, 2)) {
   assert.throws(() => crypto.verify(null, data, 'test', input), errObj);
 });
 
+// Preserve the current behavior from https://github.com/nodejs/node/issues/53761:
+// one-shot verify does not accept SM2 signatures produced by the streaming path.
+if (hasOpenSSL(3) && crypto.getHashes().includes('sm3')) {
+  const data = Buffer.from('AABB');
+  const privateKey = crypto.createPrivateKey(`-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wawIBAQQgbjCNHopgvyGVfLaP
+PamI9E9lf6jXT+xm1Pns1t/xQTihRANCAATV+I7HUGF2gC+miVl3JfjpoZaU2hrZ
+QqHwKUNtIDE/uxxWNLBbYKaiLOWrbYA8skrWQWl3RkbXW4ZI28afRw9g
+-----END PRIVATE KEY-----
+`);
+  const publicKey = crypto.createPublicKey(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAE1fiOx1BhdoAvpolZdyX46aGWlNoa
+2UKh8ClDbSAxP7scVjSwW2Cmoizlq22APLJK1kFpd0ZG11uGSNvGn0cPYA==
+-----END PUBLIC KEY-----`);
+  const validOneShotSignature = Buffer.from(
+    '3045022100cf800e13a0ead14be0ec9d614257fb6f409187642404dccb3a43' +
+    '74ace9fc162602206bf6820b8902ae9ce4cd10708f188fddd5bc2a41db2c47' +
+    'c003ca8265a00396ae',
+    'hex');
+  const streamingOnlySignature = Buffer.from(
+    '3044022056cc3567aa4842c4b1c5f9de75059dbaf63efab5aa34097e5a85' +
+    '47419aa3175e02206deb865046f12b25f111922da6858c7e97e475b656604' +
+    '679bcd4a0b05d8c76f1',
+    'hex');
+
+  assert.strictEqual(
+    crypto.verify('sm3', data, publicKey, validOneShotSignature),
+    true);
+  assert.strictEqual(
+    crypto.verify('sm3', data, publicKey, streamingOnlySignature),
+    false);
+
+  const generatedSignature = crypto.sign('sm3', data, privateKey);
+  assert.strictEqual(
+    crypto.verify('sm3', data, publicKey, generatedSignature),
+    true);
+}
+
 {
   const data = Buffer.from('Hello world');
   const keys = [['ec-key.pem', 64], ['dsa_private_1025.pem', 40]];