docker
diff --git a/‎changelogs/current.yaml‎
Lines changed: 4 additions & 0 deletions b/‎changelogs/current.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/root/intro/arch_overview/advanced/wasm.rst‎
Lines changed: 3 additions & 0 deletions b/‎docs/root/intro/arch_overview/advanced/wasm.rst‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎source/common/crypto/crypto_impl.cc‎
Lines changed: 2 additions & 2 deletions b/‎source/common/crypto/crypto_impl.cc‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎source/common/crypto/crypto_impl.h‎
Lines changed: 5 additions & 4 deletions b/‎source/common/crypto/crypto_impl.h‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎source/common/crypto/utility.h‎
Lines changed: 52 additions & 27 deletions b/‎source/common/crypto/utility.h‎
Lines changed: 52 additions & 27 deletions
diff --git a/‎source/common/crypto/utility_impl.cc‎
Lines changed: 84 additions & 20 deletions b/‎source/common/crypto/utility_impl.cc‎
Lines changed: 84 additions & 20 deletions
diff --git a/‎source/common/crypto/utility_impl.h‎
Lines changed: 13 additions & 5 deletions b/‎source/common/crypto/utility_impl.h‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎source/extensions/common/wasm/BUILD‎
Lines changed: 1 addition & 0 deletions b/‎source/extensions/common/wasm/BUILD‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎source/extensions/common/wasm/ext/BUILD‎
Lines changed: 14 additions & 0 deletions b/‎source/extensions/common/wasm/ext/BUILD‎
Lines changed: 14 additions & 0 deletions
@@ -35,5 +35,9 @@ removed_config_or_runtime:
     Removed runtime guard ``envoy.reloadable_features.original_src_fix_port_exhaustion`` and legacy code paths.
 
 new_features:
+- area: wasm
+  change: |
+    Added ``sign`` foreign function to create cryptographic signatures.
+    See :ref:`Wasm foreign functions <arch_overview_wasm_foreign_functions>` for more details.
 
 deprecated:
@@ -66,12 +66,15 @@ Wasm ABI exposes Envoy-specific host attributes via the dedicated `proxy_get_pro
 standard :ref:`attributes <arch_overview_attributes>` and the values are returned via the type-specific binary
 serialization.
 
+.. _arch_overview_wasm_foreign_functions:
+
 Foreign functions
 -----------------
 
 Envoy offers additional functionality over the Proxy-Wasm ABI via `proxy_call_foreign_function
 <https://github.com/proxy-wasm/spec/tree/main/abi-versions/v0.2.1#proxy_call_foreign_function>`_ binary interface:
 
+* ``sign`` creates cryptographic signatures.
 * ``verify_signature`` verifies cryptographic signatures.
 * ``compress`` applies ``zlib`` compression.
 * ``uncompress`` applies ``zlib`` decompression.
 
@@ -4,9 +4,9 @@ namespace Envoy {
 namespace Common {
 namespace Crypto {
 
-EVP_PKEY* PublicKeyObject::getEVP_PKEY() const { return pkey_.get(); }
+EVP_PKEY* PKeyObject::getEVP_PKEY() const { return pkey_.get(); }
 
-void PublicKeyObject::setEVP_PKEY(EVP_PKEY* pkey) { pkey_.reset(pkey); }
+void PKeyObject::setEVP_PKEY(EVP_PKEY* pkey) { pkey_.reset(pkey); }
 
 } // namespace Crypto
 } // namespace Common
 
@@ -9,18 +9,19 @@ namespace Envoy {
 namespace Common {
 namespace Crypto {
 
-class PublicKeyObject : public Envoy::Common::Crypto::CryptoObject {
+class PKeyObject : public Envoy::Common::Crypto::CryptoObject {
 public:
-  PublicKeyObject() = default;
-  PublicKeyObject(EVP_PKEY* pkey) : pkey_(pkey) {}
-  PublicKeyObject(const PublicKeyObject& pkey_wrapper);
+  PKeyObject() = default;
+  PKeyObject(EVP_PKEY* pkey) : pkey_(pkey) {}
   EVP_PKEY* getEVP_PKEY() const;
   void setEVP_PKEY(EVP_PKEY* pkey);
 
 private:
   bssl::UniquePtr<EVP_PKEY> pkey_;
 };
 
+using PKeyObjectPtr = std::unique_ptr<PKeyObject>;
+
 } // namespace Crypto
 } // namespace Common
 } // namespace Envoy
@@ -4,29 +4,18 @@
 #include <vector>
 
 #include "envoy/buffer/buffer.h"
-#include "envoy/common/crypto/crypto.h"
 
+#include "source/common/crypto/crypto_impl.h"
 #include "source/common/singleton/threadsafe_singleton.h"
 
+#include "absl/status/statusor.h"
 #include "absl/strings/string_view.h"
+#include "absl/types/span.h"
 
 namespace Envoy {
 namespace Common {
 namespace Crypto {
 
-struct VerificationOutput {
-  /**
-   * Verification result. If result_ is true, error_message_ is empty.
-   */
-  bool result_;
-
-  /**
-   * Error message when verification failed.
-   * TODO(crazyxy): switch to absl::StatusOr when available
-   */
-  std::string error_message_;
-};
-
 class Utility {
 public:
   virtual ~Utility() = default;
@@ -44,28 +33,64 @@ class Utility {
    * @param message string_view message data for the HMAC function.
    * @return a vector of bytes for the computed HMAC.
    */
-  virtual std::vector<uint8_t> getSha256Hmac(const std::vector<uint8_t>& key,
+  virtual std::vector<uint8_t> getSha256Hmac(absl::Span<const uint8_t> key,
                                              absl::string_view message) PURE;
 
   /**
    * Verify cryptographic signatures.
-   * @param hash hash function(including SHA1, SHA224, SHA256, SHA384, SHA512)
-   * @param key pointer to EVP_PKEY public key
-   * @param signature signature
-   * @param text clear text
-   * @return If the result_ is true, the error_message_ is empty; otherwise,
-   * the error_message_ stores the error message
+   * @param hash_function hash function name (including SHA1, SHA224, SHA256, SHA384, SHA512)
+   * @param key CryptoObject containing EVP_PKEY public key (must be imported via importPublicKey())
+   * @param signature signature bytes to verify
+   * @param text clear text that was signed
+   * @return absl::Status containing Ok if verification succeeds, or error status on failure
+   * @note The key must be imported using importPublicKey() which supports both DER and PEM formats
+   * @note Works with public keys imported from DER (PKCS#1) or PEM (PKCS#1/PKCS#8) formats
+   */
+  virtual absl::Status verifySignature(absl::string_view hash_function, PKeyObject& key,
+                                       absl::Span<const uint8_t> signature,
+                                       absl::Span<const uint8_t> text) PURE;
+
+  /**
+   * Sign data with a private key.
+   * @param hash_function hash function name (including SHA1, SHA224, SHA256, SHA384, SHA512)
+   * @param key CryptoObject containing EVP_PKEY private key (must be imported via
+   * importPrivateKey())
+   * @param text clear text to sign
+   * @return absl::StatusOr<std::vector<uint8_t>> containing the signature on success, or error
+   * status on failure
+   * @note The key must be imported using importPrivateKey() which supports both DER and PEM formats
+   * @note Works with private keys imported from DER (PKCS#8) or PEM (PKCS#1/PKCS#8) formats
    */
-  virtual const VerificationOutput verifySignature(absl::string_view hash, CryptoObject& key,
-                                                   const std::vector<uint8_t>& signature,
-                                                   const std::vector<uint8_t>& text) PURE;
+  virtual absl::StatusOr<std::vector<uint8_t>>
+  sign(absl::string_view hash_function, PKeyObject& key, absl::Span<const uint8_t> text) PURE;
 
   /**
-   * Import public key.
-   * @param key key string
+   * Import public key from PEM format.
+   * @param key Public key in PEM format
    * @return pointer to EVP_PKEY public key
    */
-  virtual CryptoObjectPtr importPublicKey(const std::vector<uint8_t>& key) PURE;
+  virtual PKeyObjectPtr importPublicKeyPEM(absl::string_view key) PURE;
+
+  /**
+   * Import public key from DER format.
+   * @param key Public key in DER format
+   * @return pointer to EVP_PKEY public key
+   */
+  virtual PKeyObjectPtr importPublicKeyDER(absl::Span<const uint8_t> key) PURE;
+
+  /**
+   * Import private key from PEM format.
+   * @param key Private key in PEM format
+   * @return pointer to EVP_PKEY private key
+   */
+  virtual PKeyObjectPtr importPrivateKeyPEM(absl::string_view key) PURE;
+
+  /**
+   * Import private key from DER format.
+   * @param key Private key in DER format
+   * @return pointer to EVP_PKEY private key
+   */
+  virtual PKeyObjectPtr importPrivateKeyDER(absl::Span<const uint8_t> key) PURE;
 };
 
 using UtilitySingleton = InjectableSingleton<Utility>;
 
@@ -3,9 +3,10 @@
 #include "source/common/common/assert.h"
 #include "source/common/crypto/crypto_impl.h"
 
-#include "absl/container/fixed_array.h"
 #include "absl/strings/ascii.h"
 #include "absl/strings/str_cat.h"
+#include "absl/types/span.h"
+#include "openssl/pem.h"
 
 namespace Envoy {
 namespace Common {
@@ -25,7 +26,7 @@ std::vector<uint8_t> UtilityImpl::getSha256Digest(const Buffer::Instance& buffer
   return digest;
 }
 
-std::vector<uint8_t> UtilityImpl::getSha256Hmac(const std::vector<uint8_t>& key,
+std::vector<uint8_t> UtilityImpl::getSha256Hmac(absl::Span<const uint8_t> key,
                                                 absl::string_view message) {
   std::vector<uint8_t> hmac(SHA256_DIGEST_LENGTH);
   const auto ret =
@@ -35,46 +36,109 @@ std::vector<uint8_t> UtilityImpl::getSha256Hmac(const std::vector<uint8_t>& key,
   return hmac;
 }
 
-const VerificationOutput UtilityImpl::verifySignature(absl::string_view hash, CryptoObject& key,
-                                                      const std::vector<uint8_t>& signature,
-                                                      const std::vector<uint8_t>& text) {
-  // Step 1: initialize EVP_MD_CTX
+absl::Status UtilityImpl::verifySignature(absl::string_view hash_function, PKeyObject& key,
+                                          absl::Span<const uint8_t> signature,
+                                          absl::Span<const uint8_t> text) {
   bssl::ScopedEVP_MD_CTX ctx;
 
-  // Step 2: initialize EVP_MD
-  const EVP_MD* md = getHashFunction(hash);
+  const EVP_MD* md = getHashFunction(hash_function);
 
   if (md == nullptr) {
-    return {false, absl::StrCat(hash, " is not supported.")};
+    return absl::InvalidArgumentError(absl::StrCat(hash_function, " is not supported."));
   }
-  // Step 3: initialize EVP_DigestVerify
-  auto pkey_wrapper = Common::Crypto::Access::getTyped<Common::Crypto::PublicKeyObject>(key);
-  EVP_PKEY* pkey = pkey_wrapper->getEVP_PKEY();
+  EVP_PKEY* pkey = key.getEVP_PKEY();
 
   if (pkey == nullptr) {
-    return {false, "Failed to initialize digest verify."};
+    return absl::InternalError("Failed to initialize digest verify.");
   }
 
   int ok = EVP_DigestVerifyInit(ctx.get(), nullptr, md, nullptr, pkey);
   if (!ok) {
-    return {false, "Failed to initialize digest verify."};
+    return absl::InternalError("Failed to initialize digest verify.");
   }
 
-  // Step 4: verify signature
   ok = EVP_DigestVerify(ctx.get(), signature.data(), signature.size(), text.data(), text.size());
 
-  // Step 5: check result
   if (ok == 1) {
-    return {true, ""};
+    return absl::OkStatus();
   }
 
-  return {false, absl::StrCat("Failed to verify digest. Error code: ", ok)};
+  return absl::InternalError(absl::StrCat("Failed to verify digest. Error code: ", ok));
 }
 
-CryptoObjectPtr UtilityImpl::importPublicKey(const std::vector<uint8_t>& key) {
+absl::StatusOr<std::vector<uint8_t>> UtilityImpl::sign(absl::string_view hash_function,
+                                                       PKeyObject& key,
+                                                       absl::Span<const uint8_t> text) {
+  bssl::ScopedEVP_MD_CTX ctx;
+
+  const EVP_MD* md = getHashFunction(hash_function);
+
+  if (md == nullptr) {
+    return absl::InvalidArgumentError(absl::StrCat(hash_function, " is not supported."));
+  }
+
+  EVP_PKEY* pkey = key.getEVP_PKEY();
+
+  if (pkey == nullptr) {
+    return absl::InternalError("Invalid key type: private key required for signing operation.");
+  }
+
+  int ok = EVP_DigestSignInit(ctx.get(), nullptr, md, nullptr, pkey);
+  if (!ok) {
+    return absl::InternalError("Invalid private key: key data is corrupted or malformed.");
+  }
+
+  size_t sig_len = 0;
+  ok = EVP_DigestSign(ctx.get(), nullptr, &sig_len, text.data(), text.size());
+  if (!ok) {
+    return absl::InternalError("Failed to get signature length.");
+  }
+
+  std::vector<uint8_t> signature(sig_len);
+  ok = EVP_DigestSign(ctx.get(), signature.data(), &sig_len, text.data(), text.size());
+  if (!ok) {
+    return absl::InternalError("Failed to create signature.");
+  }
+
+  RELEASE_ASSERT(signature.size() >= sig_len, "signature.size() >= sig_len");
+  signature.resize(sig_len);
+  return signature;
+}
+
+namespace {
+// Template helper for importing keys with different formats and types
+template <typename KeyObjectType, typename ParseFunction>
+PKeyObjectPtr importKeyPEM(absl::string_view key, ParseFunction parse_func) {
+  // PEM format: Use PEM parsing which automatically handles both PKCS#1 and PKCS#8 formats
+  bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(key.data(), key.size()));
+  if (!bio) {
+    return std::make_unique<KeyObjectType>(nullptr);
+  }
+  return std::make_unique<KeyObjectType>(parse_func(bio.get(), nullptr, nullptr, nullptr));
+}
+
+template <typename KeyObjectType, typename ParseFunction>
+PKeyObjectPtr importKeyDER(absl::Span<const uint8_t> key, ParseFunction parse_func) {
+  // DER format: Use DER parsing
   CBS cbs({key.data(), key.size()});
+  return std::make_unique<KeyObjectType>(parse_func(&cbs));
+}
+} // namespace
+
+PKeyObjectPtr UtilityImpl::importPublicKeyPEM(absl::string_view key) {
+  return importKeyPEM<PKeyObject>(key, PEM_read_bio_PUBKEY);
+}
+
+PKeyObjectPtr UtilityImpl::importPublicKeyDER(absl::Span<const uint8_t> key) {
+  return importKeyDER<PKeyObject>(key, EVP_parse_public_key);
+}
+
+PKeyObjectPtr UtilityImpl::importPrivateKeyPEM(absl::string_view key) {
+  return importKeyPEM<PKeyObject>(key, PEM_read_bio_PrivateKey);
+}
 
-  return std::make_unique<PublicKeyObject>(EVP_parse_public_key(&cbs));
+PKeyObjectPtr UtilityImpl::importPrivateKeyDER(absl::Span<const uint8_t> key) {
+  return importKeyDER<PKeyObject>(key, EVP_parse_private_key);
 }
 
 const EVP_MD* UtilityImpl::getHashFunction(absl::string_view name) {
 
@@ -1,7 +1,10 @@
 #pragma once
 
+#include "source/common/crypto/crypto_impl.h"
 #include "source/common/crypto/utility.h"
 
+#include "absl/types/span.h"
+#include "openssl/bio.h"
 #include "openssl/bytestring.h"
 #include "openssl/hmac.h"
 #include "openssl/sha.h"
@@ -13,12 +16,17 @@ namespace Crypto {
 class UtilityImpl : public Envoy::Common::Crypto::Utility {
 public:
   std::vector<uint8_t> getSha256Digest(const Buffer::Instance& buffer) override;
-  std::vector<uint8_t> getSha256Hmac(const std::vector<uint8_t>& key,
+  std::vector<uint8_t> getSha256Hmac(absl::Span<const uint8_t> key,
                                      absl::string_view message) override;
-  const VerificationOutput verifySignature(absl::string_view hash, CryptoObject& key,
-                                           const std::vector<uint8_t>& signature,
-                                           const std::vector<uint8_t>& text) override;
-  CryptoObjectPtr importPublicKey(const std::vector<uint8_t>& key) override;
+  absl::Status verifySignature(absl::string_view hash_function, PKeyObject& key,
+                               absl::Span<const uint8_t> signature,
+                               absl::Span<const uint8_t> text) override;
+  absl::StatusOr<std::vector<uint8_t>> sign(absl::string_view hash_function, PKeyObject& key,
+                                            absl::Span<const uint8_t> text) override;
+  PKeyObjectPtr importPublicKeyPEM(absl::string_view key) override;
+  PKeyObjectPtr importPublicKeyDER(absl::Span<const uint8_t> key) override;
+  PKeyObjectPtr importPrivateKeyPEM(absl::string_view key) override;
+  PKeyObjectPtr importPrivateKeyDER(absl::Span<const uint8_t> key) override;
 
 private:
   const EVP_MD* getHashFunction(absl::string_view name);
 
@@ -111,6 +111,7 @@ envoy_cc_extension(
         "//source/extensions/common/wasm/ext:declare_property_cc_proto",
         "//source/extensions/common/wasm/ext:envoy_null_vm_wasm_api",
         "//source/extensions/common/wasm/ext:set_envoy_filter_state_cc_proto",
+        "//source/extensions/common/wasm/ext:sign_cc_proto",
         "//source/extensions/common/wasm/ext:verify_signature_cc_proto",
         "//source/extensions/filters/common/expr:context_lib",
         "@com_google_absl//absl/base",
 
@@ -33,6 +33,7 @@ envoy_cc_library(
         ":declare_property_cc_proto",
         ":set_envoy_filter_state_cc_proto",
         ":verify_signature_cc_proto",
+        ":sign_cc_proto",
         "//source/common/grpc:async_client_lib",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
@@ -50,6 +51,7 @@ cc_library(
         ":node_subset_cc_proto",
         ":set_envoy_filter_state_cc_proto",
         ":verify_signature_cc_proto",
+        ":sign_cc_proto",
         "@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
     ],
     alwayslink = 1,
@@ -117,3 +119,15 @@ cc_proto_library(
     name = "set_envoy_filter_state_cc_proto",
     deps = [":set_envoy_filter_state_proto"],
 )
+
+# NB: this target is compiled both to native code and to Wasm. Hence the generic rule.
+proto_library(
+    name = "sign_proto",
+    srcs = ["sign.proto"],
+)
+
+# NB: this target is compiled both to native code and to Wasm. Hence the generic rule.
+cc_proto_library(
+    name = "sign_cc_proto",
+    deps = [":sign_proto"],
+)