feat: integrate ml-dsa65 support in subscription template services

kastov · kastov · commit 97c7ed46c217 · 2025-10-07T21:26:54.000+03:00
- Added support for ml-dsa65 public key generation and verification in the subscription template services.
- Updated relevant interfaces and methods to accommodate the new mldsa65Verify field.
- Bumped version to 2.1.65 in the contract library.
diff --git a/libs/contract/commands/subscriptions/get-by/get-raw-subscription-by-short-uuid.command.ts b/libs/contract/commands/subscriptions/get-by/get-raw-subscription-by-short-uuid.command.ts
@@ -79,6 +79,7 @@ export namespace GetRawSubscriptionByShortUuidCommand {
                     allowInsecure: z.optional(z.nullable(z.boolean())),
                     shuffleHost: z.optional(z.nullable(z.boolean())),
                     mihomoX25519: z.optional(z.nullable(z.boolean())),
+                    mldsa65Verify: z.optional(z.nullable(z.string())),
                     protocolOptions: z.optional(
                         z.nullable(
                             z.object({
diff --git a/libs/contract/package.json b/libs/contract/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@remnawave/backend-contract",
-  "version": "2.1.64",
+  "version": "2.1.65",
   "public": true,
   "license": "AGPL-3.0-only",
   "description": "A contract library for Remnawave Backend. It can be used in backend and frontend.",
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -71,6 +71,7 @@
     "@nestjs/swagger": "11.2.0",
     "@nestjs/terminus": "^11.0.0",
     "@nestjstools/messaging": "^2.22.0",
+    "@noble/post-quantum": "^0.5.2",
     "@peculiar/webcrypto": "^1.5.0",
     "@peculiar/x509": "^1.14.0",
     "@prisma/adapter-pg": "^6.15.0",
@@ -163,4 +164,4 @@
     "typescript": "~5.9.2",
     "typescript-eslint": "^8.39.1"
   }
-}
+}
diff --git a/src/common/helpers/xray-config/resolve-public-key.ts b/src/common/helpers/xray-config/resolve-public-key.ts
@@ -1,4 +1,5 @@
 import { createPrivateKey, createPublicKey, KeyObject } from 'node:crypto';
+import { ml_dsa65 } from '@noble/post-quantum/ml-dsa.js';
 
 export async function resolveInboundAndPublicKey(inbounds: any[]): Promise<Map<string, string>> {
     const publicKeyMap = new Map<string, string>();
@@ -36,6 +37,36 @@ export async function resolveInboundAndPublicKey(inbounds: any[]): Promise<Map<s
     return publicKeyMap;
 }
 
+export async function resolveInboundAndMlDsa65PublicKey(
+    inbounds: any[],
+): Promise<Map<string, string>> {
+    const mldsa65PublicKeyMap = new Map<string, string>();
+
+    for (const inbound of inbounds) {
+        if (inbound.streamSettings?.realitySettings?.mldsa65Seed) {
+            try {
+                if (mldsa65PublicKeyMap.has(inbound.tag)) {
+                    continue;
+                }
+
+                const publicKey = getMlDsa65PublicKey(
+                    inbound.streamSettings.realitySettings.mldsa65Seed,
+                );
+
+                if (!publicKey) {
+                    continue;
+                }
+
+                mldsa65PublicKeyMap.set(inbound.tag, publicKey);
+            } catch {
+                continue;
+            }
+        }
+    }
+
+    return mldsa65PublicKeyMap;
+}
+
 async function createX25519KeyPairFromBase64(base64PrivateKey: string): Promise<{
     publicKey: KeyObject;
     privateKey: KeyObject;
@@ -64,3 +95,13 @@ async function createX25519KeyPairFromBase64(base64PrivateKey: string): Promise<
         }
     });
 }
+
+export function getMlDsa65PublicKey(seed: string): string | null {
+    try {
+        const seedBuffer = Buffer.from(seed, 'base64');
+        const { publicKey } = ml_dsa65.keygen(seedBuffer);
+        return Buffer.from(publicKey).toString('base64url');
+    } catch {
+        return null;
+    }
+}
diff --git a/src/modules/subscription-template/generators/format-hosts.service.ts b/src/modules/subscription-template/generators/format-hosts.service.ts
@@ -13,9 +13,12 @@ import {
     WebSocketObject,
     xHttpObject,
 } from '@common/helpers/xray-config/interfaces/transport.config';
+import {
+    resolveInboundAndMlDsa65PublicKey,
+    resolveInboundAndPublicKey,
+} from '@common/helpers/xray-config';
 import { RawObject } from '@common/helpers/xray-config/interfaces/transport.config';
 import { TemplateEngine } from '@common/utils/templates/replace-templates-values';
-import { resolveInboundAndPublicKey } from '@common/helpers/xray-config';
 import { ICommandResponse } from '@common/types/command-response.type';
 import { InboundObject } from '@common/helpers/xray-config/interfaces';
 import { setVlessRouteForUuid } from '@common/utils/vless-route';
@@ -106,6 +109,9 @@ export class FormatHostsService {
         }
 
         const publicKeyMap = await resolveInboundAndPublicKey(hosts.map((host) => host.rawInbound));
+        const mldsa65PublicKeyMap = await resolveInboundAndMlDsa65PublicKey(
+            hosts.map((host) => host.rawInbound),
+        );
 
         const knownRemarks = new Map<string, number>();
 
@@ -228,6 +234,7 @@ export class FormatHostsService {
             let publicKeyFromConfig: string | undefined;
             let shortIdFromConfig: string | undefined;
             let spiderXFromConfig: string | undefined;
+            let mldsa65PublicKeyFromConfig: string | undefined;
 
             switch (inbound.streamSettings?.security) {
                 case 'tls':
@@ -252,6 +259,7 @@ export class FormatHostsService {
                     fingerprintFromConfig = realitySettings?.fingerprint;
 
                     publicKeyFromConfig = publicKeyMap.get(inbound.tag);
+                    mldsa65PublicKeyFromConfig = mldsa65PublicKeyMap.get(inbound.tag);
 
                     spiderXFromConfig = realitySettings?.spiderX;
                     const shortIds = inbound.streamSettings?.realitySettings?.shortIds || [];
@@ -406,6 +414,7 @@ export class FormatHostsService {
                 shuffleHost: inputHost.shuffleHost,
                 mihomoX25519: inputHost.mihomoX25519,
                 dbData,
+                mldsa65Verify: mldsa65PublicKeyFromConfig,
             });
         }
 
diff --git a/src/modules/subscription-template/generators/interfaces/formatted-hosts.interface.ts b/src/modules/subscription-template/generators/interfaces/formatted-hosts.interface.ts
@@ -35,4 +35,5 @@ export interface IFormattedHost {
     shuffleHost?: boolean;
     mihomoX25519?: boolean;
     dbData?: IDbHostData;
+    mldsa65Verify?: string;
 }
diff --git a/src/modules/subscription-template/generators/interfaces/raw-host.interface.ts b/src/modules/subscription-template/generators/interfaces/raw-host.interface.ts
@@ -46,6 +46,7 @@ export interface IRawHost {
     allowInsecure?: boolean;
     shuffleHost?: boolean;
     mihomoX25519?: boolean;
+    mldsa65Verify?: string;
     protocolOptions?: {
         ss?: {
             method: string;
diff --git a/src/modules/subscription-template/generators/xray-json.generator.service.ts b/src/modules/subscription-template/generators/xray-json.generator.service.ts
@@ -345,6 +345,10 @@ export class XrayJsonGeneratorService {
             settings.publicKey = host.publicKey;
         }
 
+        if (host.mldsa65Verify) {
+            settings.mldsa65Verify = host.mldsa65Verify;
+        }
+
         if (host.shortId) {
             settings.shortId = host.shortId;
         }
diff --git a/src/modules/subscription-template/generators/xray.generator.service.ts b/src/modules/subscription-template/generators/xray.generator.service.ts
@@ -170,6 +170,7 @@ export class XrayGeneratorService {
                 fp: params.fingerprint,
                 pbk: params.publicKey,
                 sid: params.shortId,
+                pqv: params.mldsa65Verify,
                 ...(params.spiderX && { spx: params.spiderX }),
             });
         }
@@ -244,6 +245,7 @@ export class XrayGeneratorService {
                 fp: params.fingerprint,
                 pbk: params.publicKey,
                 sid: params.shortId,
+                pqv: params.mldsa65Verify,
                 ...(params.spiderX && { spx: params.spiderX }),
             });
         }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@remnawave/backend-contract",`
`3`		`- "version": "2.1.64",`
	`3`	`+ "version": "2.1.65",`
`4`	`4`	`"public": true,`
`5`	`5`	`"license": "AGPL-3.0-only",`
`6`	`6`	`"description": "A contract library for Remnawave Backend. It can be used in backend and frontend.",`
Original file line number	Diff line number	Diff line change
`@@ -35,4 +35,5 @@ export interface IFormattedHost {`
`35`	`35`	`shuffleHost?: boolean;`
`36`	`36`	`mihomoX25519?: boolean;`
`37`	`37`	`dbData?: IDbHostData;`
	`38`	`+ mldsa65Verify?: string;`
`38`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -345,6 +345,10 @@ export class XrayJsonGeneratorService {`
`345`	`345`	`settings.publicKey = host.publicKey;`
`346`	`346`	`}`
`347`	`347`
	`348`	`+ if (host.mldsa65Verify) {`
	`349`	`+ settings.mldsa65Verify = host.mldsa65Verify;`
	`350`	`+ }`
	`351`	`+`
`348`	`352`	`if (host.shortId) {`
`349`	`353`	`settings.shortId = host.shortId;`
`350`	`354`	`}`