react-native-quick-crypto 0.6.0 → 0.7.0-rc.0

package/README.md

@@ -9,20 +9,20 @@ A fast implementation of Node's `crypto` module.
 Unlike any other current JS-based polyfills, react-native-quick-crypto is written in C/C++ JSI and provides much greater performance - especially on mobile devices.
 QuickCrypto can be used as a drop-in replacement for your Web3/Crypto apps to speed up common cryptography functions.
 
-* 🏎️ Up to 58x faster than all other solutions
-* ⚡️ Lightning fast implementation with pure C++ and JSI, instead of JS
-* 🧪 Well tested in JS and C++ (OpenSSL)
-* 💰 Made for crypto apps and Wallets
-* 🔢 Secure native compiled cryptography
-* 🔁 Easy drop-in replacement for [crypto-browserify](https://github.com/crypto-browserify/crypto-browserify) or [react-native-crypto](https://github.com/tradle/react-native-crypto)
+- 🏎️ Up to 58x faster than all other solutions
+- ⚡️ Lightning fast implementation with pure C++ and JSI, instead of JS
+- 🧪 Well tested in JS and C++ (OpenSSL)
+- 💰 Made for crypto apps and Wallets
+- 🔢 Secure native compiled cryptography
+- 🔁 Easy drop-in replacement for [crypto-browserify](https://github.com/browserify/crypto-browserify) or [react-native-crypto](https://github.com/tradle/react-native-crypto)
 
 For example, creating a Wallet using ethers.js uses complex algorithms to generate a private-key/mnemonic-phrase pair:
 
 ```ts
-const start = performance.now()
-const wallet = ethers.Wallet.createRandom()
-const end = performance.now()
-console.log(`Creating a Wallet took ${end - start} ms.`)
+const start = performance.now();
+const wallet = ethers.Wallet.createRandom();
+const end = performance.now();
+console.log(`Creating a Wallet took ${end - start} ms.`);
 ```
 
 **Without** react-native-quick-crypto 🐢:
@@ -65,7 +65,34 @@ expo prebuild
 
 If you are using a library that depends on `crypto`, instead of polyfilling it with `crypto-browserify` (or `react-native-crypto`) you can use `react-native-quick-crypto` for a fully native implementation. This way you can get much faster crypto operations with just a single-line change!
 
-In your `babel.config.js`, add a module resolver to replace `crypto` with `react-native-quick-crypto`:
+### Using metro config
+
+Use the [`resolveRequest`](https://facebook.github.io/metro/docs/resolution#resolverequest-customresolver) configuration option in your `metro.config.js`
+
+```
+config.resolver.resolveRequest = (context, moduleName, platform) => {
+  if (moduleName === 'crypto') {
+    // when importing crypto, resolve to react-native-quick-crypto
+    return context.resolveRequest(
+      context,
+      'react-native-quick-crypto',
+      platform,
+    )
+  }
+  // otherwise chain to the standard Metro resolver.
+  return context.resolveRequest(context, moduleName, platform)
+}
+```
+
+### Using babel-plugin-module-resolver
+
+You need to install `babel-plugin-module-resolver`, it's a babel plugin that will alias any imports in the code with the values you pass to it. It tricks any module that will try to import certain dependencies with the native versions we require for React Native.
+
+```sh
+yarn add --dev babel-plugin-module-resolver
+```
+
+Then, in your `babel.config.js`, add the plugin to swap the `crypto`, `stream` and `buffer` dependencies:
 
 ```diff
 module.exports = {
@@ -76,7 +103,7 @@ module.exports = {
 +     {
 +       alias: {
 +         'crypto': 'react-native-quick-crypto',
-+         'stream': 'stream-browserify',
++         'stream': 'readable-stream',
 +         'buffer': '@craftzdog/react-native-buffer',
 +       },
 +     },
@@ -88,22 +115,43 @@ module.exports = {
 
 Then restart your bundler using `yarn start --reset-cache`.
 
-Now, all imports for `crypto` will be resolved as `react-native-quick-crypto` instead.
-
-> 💡 Since react-native-quick-crypto depends on `stream` and `buffer`, we can resolve those to `stream-browserify` and @craftzdog's `react-native-buffer` (which is faster than `buffer` because it uses JSI for base64 encoding and decoding).
-
 ## Usage
 
 For example, to hash a string with SHA256 you can do the following:
 
 ```ts
-import Crypto from 'react-native-quick-crypto'
+import Crypto from 'react-native-quick-crypto';
 
 const hashed = Crypto.createHash('sha256')
   .update('Damn, Margelo writes hella good software!')
-  .digest('hex')
+  .digest('hex');
 ```
 
+## Android build errors
+
+If you get an error similar to this:
+
+```
+Execution failed for task ':app:mergeDebugNativeLibs'.
+> A failure occurred while executing com.android.build.gradle.internal.tasks.MergeNativeLibsTask$MergeNativeLibsTaskWorkAction
+   > 2 files found with path 'lib/arm64-v8a/libcrypto.so' from inputs:
+      - /Users/osp/Developer/mac_test/node_modules/react-native-quick-crypto/android/build/intermediates/library_jni/debug/jni/arm64-v8a/libcrypto.so
+      - /Users/osp/.gradle/caches/transforms-3/e13f88164840fe641a466d05cd8edac7/transformed/jetified-flipper-0.182.0/jni/arm64-v8a/libcrypto.so
+```
+
+It means you have a transitive dependency where two libraries depend on OpenSSL and are generating a `libcrypto.so` file. You can get around this issue by adding the following in your `app/build.gradle`:
+
+```groovy
+packagingOptions {
+  // Should prevent clashes with other libraries that use OpenSSL
+  pickFirst '**/libcrypto.so'
+}
+```
+
+> This caused by flipper which also depends on OpenSSL
+
+This just tells Gradle to grab whatever OpenSSL version it finds first and link against that, but as you can imagine this is not correct if the packages depend on different OpenSSL versions (quick-crypto depends on `com.android.ndk.thirdparty:openssl:1.1.1q-beta-1`). You should make sure all the OpenSSL versions match and you have no conflicts or errors.
+
 ---
 
 ## Sponsors
@@ -154,6 +202,10 @@ const hashed = Crypto.createHash('sha256')
 
 As the library uses JSI for synchronous native methods access, remote debugging (e.g. with Chrome) is no longer possible. Instead, you should use [Flipper](https://fbflipper.com).
 
+## Community Discord
+
+[Join the Margelo Community Discord](https://discord.gg/6CSHz2qAvA) to chat about react-native-quick-crypto or other Margelo libraries.
+
 ## Adopting at scale
 
 react-native-quick-crypto was built at Margelo, an elite app development agency. For enterprise support or other business inquiries, contact us at <a href="mailto:hello@margelo.io?subject=Adopting react-native-quick-crypto at scale">hello@margelo.io</a>!

package/android/CMakeLists.txt

@@ -1,82 +1,79 @@
-project(react-native-quick-crypto)
-cmake_minimum_required(VERSION 3.9.0)
+project(ReactNativeQuickCrypto)
+cmake_minimum_required(VERSION 3.10.2)
 
 set(PACKAGE_NAME "reactnativequickcrypto")
 set(BUILD_DIR ${CMAKE_SOURCE_DIR}/build)
+set(CMAKE_VERBOSE_MAKEFILE ON)
 set(CMAKE_CXX_STANDARD 17)
+set(NODE_MODULES_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../node_modules")
 
-# TODO(osp) remove before release
 # set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -g")
 # set (CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -g")
 
-# Consume shared libraries and headers from prefabs
+# Third party libraries (Prefabs)
 find_package(fbjni REQUIRED CONFIG)
 find_package(ReactAndroid REQUIRED CONFIG)
-
-include_directories(
-        ../cpp
-        "${NODE_MODULES_DIR}/react-native/ReactAndroid/src/main/jni/react/turbomodule"
-        "${NODE_MODULES_DIR}/react-native/ReactCommon"
-        "${NODE_MODULES_DIR}/react-native/ReactCommon/callinvoker"
-        "${NODE_MODULES_DIR}/react-native/ReactCommon/jsi"
-        "${NODE_MODULES_DIR}/react-native/ReactCommon/turbomodule/core"
-        "${NODE_MODULES_DIR}/react-native/ReactCommon/react/nativemodule/core"
-)
+find_package(openssl REQUIRED CONFIG)
+find_library(LOG_LIB log)
 
 add_library(
-        ${PACKAGE_NAME}
-        SHARED
-        "src/main/cpp/cpp-adapter.cpp"
-        "../cpp/MGLQuickCryptoHostObject.cpp"
-        "../cpp/JSIUtils/MGLTypedArray.cpp"
-        "../cpp/Utils/MGLDispatchQueue.cpp"
-        "../cpp/JSIUtils/MGLThreadAwareHostObject.cpp"
-        "../cpp/JSIUtils/MGLSmartHostObject.cpp"
-        "../cpp/HMAC/MGLHmacInstaller.cpp"
-        "../cpp/HMAC/MGLHmacHostObject.cpp"
-        "../cpp/fastpbkdf2/MGLPbkdf2HostObject.cpp"
-        "../cpp/fastpbkdf2/fastpbkdf2.c"
-        "../cpp/Random/MGLRandomHostObject.cpp"
-        "../cpp/Hash/MGLHashInstaller.cpp"
-        "../cpp/Hash/MGLHashHostObject.cpp"
-        "../cpp/Cipher/MGLCipherHostObject.cpp"
-        "../cpp/Cipher/MGLCreateCipherInstaller.cpp"
-        "../cpp/Cipher/MGLCreateDecipherInstaller.cpp"
-        "../cpp/MGLKeys.cpp"
-        "../cpp/Utils/MGLUtils.cpp"
-        "../cpp/Cipher/MGLRsa.cpp"
-        "../cpp/Cipher/MGLGenerateKeyPairInstaller.cpp"
-        "../cpp/Cipher/MGLGenerateKeyPairSyncInstaller.cpp"
-        "../cpp/Sig/MGLSignInstaller.cpp"
-        "../cpp/Sig/MGLVerifyInstaller.cpp"
-        "../cpp/Sig/MGLSignHostObjects.cpp"
+  ${PACKAGE_NAME}
+  SHARED
+  "src/main/cpp/cpp-adapter.cpp"
+  "../cpp/MGLQuickCryptoHostObject.cpp"
+  "../cpp/JSIUtils/MGLTypedArray.cpp"
+  "../cpp/Utils/MGLDispatchQueue.cpp"
+  "../cpp/JSIUtils/MGLThreadAwareHostObject.cpp"
+  "../cpp/JSIUtils/MGLSmartHostObject.cpp"
+  "../cpp/HMAC/MGLHmacInstaller.cpp"
+  "../cpp/HMAC/MGLHmacHostObject.cpp"
+  "../cpp/fastpbkdf2/MGLPbkdf2HostObject.cpp"
+  "../cpp/fastpbkdf2/fastpbkdf2.c"
+  "../cpp/Random/MGLRandomHostObject.cpp"
+  "../cpp/Hash/MGLHashInstaller.cpp"
+  "../cpp/Hash/MGLHashHostObject.cpp"
+  "../cpp/Cipher/MGLCipherHostObject.cpp"
+  "../cpp/Cipher/MGLCreateCipherInstaller.cpp"
+  "../cpp/Cipher/MGLCreateDecipherInstaller.cpp"
+  "../cpp/MGLKeys.cpp"
+  "../cpp/Utils/MGLUtils.cpp"
+  "../cpp/Cipher/MGLRsa.cpp"
+  "../cpp/Cipher/MGLGenerateKeyPairInstaller.cpp"
+  "../cpp/Cipher/MGLGenerateKeyPairSyncInstaller.cpp"
+  "../cpp/Sig/MGLSignInstaller.cpp"
+  "../cpp/Sig/MGLVerifyInstaller.cpp"
+  "../cpp/Sig/MGLSignHostObjects.cpp"
+  "../cpp/webcrypto/MGLWebCrypto.cpp"
+  "../cpp/webcrypto/crypto_ec.cpp"
 )
 
-set_target_properties(
-        ${PACKAGE_NAME}
-        PROPERTIES
-        CXX_STANDARD 17
-        CXX_EXTENSIONS OFF
-        POSITION_INDEPENDENT_CODE ON
+include_directories(
+  "../node_modules/react-native-quick-base64/cpp"
 )
 
-file(GLOB LIBRN_DIR "${BUILD_DIR}/react-native-0*/jni/${ANDROID_ABI}")
-
-find_library(
-        log-lib
-        log
+target_include_directories(
+  ${PACKAGE_NAME}
+  PRIVATE
+  "../cpp"
+  "src/main/cpp"
+  "${NODE_MODULES_DIR}/react-native/ReactCommon"
+  "${NODE_MODULES_DIR}/react-native/ReactCommon/callinvoker"
+  "${NODE_MODULES_DIR}/react-native/ReactAndroid/src/main/jni/react/turbomodule"
+  "${NODE_MODULES_DIR}/react-native/ReactCommon/jsi"
+  "${NODE_MODULES_DIR}/react-native/ReactCommon/turbomodule/core"
+  "${NODE_MODULES_DIR}/react-native/ReactCommon/react/nativemodule/core"
 )
 
-find_package(openssl REQUIRED CONFIG)
+#file(GLOB LIBRN_DIR "${BUILD_DIR}/react-native-0*/jni/${ANDROID_ABI}")
 
 target_link_libraries(
-        ${PACKAGE_NAME}
-        ReactAndroid::turbomodulejsijni
-        fbjni::fbjni
-        ${log-lib}
-        ReactAndroid::jsi
-        ReactAndroid::reactnativejni
-        ReactAndroid::react_nativemodule_core
-        android
-        openssl::crypto
+  ${PACKAGE_NAME}
+  ReactAndroid::turbomodulejsijni
+  fbjni::fbjni                           # <-- fbjni
+  ${LOG_LIB}                             # <-- Logcat logger
+  ReactAndroid::jsi                      # <-- RN: JSI
+  ReactAndroid::reactnativejni           # <-- RN: React Native JNI bindings
+  ReactAndroid::react_nativemodule_core  # <-- RN: React Native native module core
+  android                                # <-- Android JNI core
+  openssl::crypto                        # <-- OpenSSL (Crypto)
 )

package/android/build.gradle

@@ -1,79 +1,121 @@
 import java.nio.file.Paths
+import com.android.Version
 
-static def findNodeModules(baseDir) {
-  def basePath = baseDir.toPath().normalize()
-  // Node's module resolution algorithm searches up to the root directory,
-  // after which the base path will be null
-  while (basePath) {
-    def nodeModulesPath = Paths.get(basePath.toString(), "node_modules")
-    def reactNativePath = Paths.get(nodeModulesPath.toString(), "react-native")
-    if (nodeModulesPath.toFile().exists() && reactNativePath.toFile().exists()) {
-      return nodeModulesPath.toString()
-    }
-    basePath = basePath.getParent()
-  }
-  throw new GradleException("QuickCrypto: Failed to find node_modules/ path!")
-}
-
-def nodeModules = findNodeModules(projectDir)
-logger.warn("QuickCrypto: node_modules/ found at: ${nodeModules}")
+def agpVersion = com.android.Version.ANDROID_GRADLE_PLUGIN_VERSION
+def agpVersionMajor = agpVersion.tokenize('.')[0].toInteger()
+def agpVersionMinor = agpVersion.tokenize('.')[1].toInteger()
 
 buildscript {
   repositories {
-    google()
-    jcenter()
     maven {
       url "https://plugins.gradle.org/m2/"
     }
+    mavenCentral()
+    google()
   }
 
   dependencies {
-    classpath 'com.android.tools.build:gradle:4.2.2'
+    classpath("com.android.tools.build:gradle:8.3.1")
   }
 }
 
-apply plugin: 'com.android.library'
+def isNewArchitectureEnabled() {
+  // To opt-in for the New Architecture, you can either:
+  // - Set `newArchEnabled` to true inside the `gradle.properties` file
+  // - Invoke gradle with `-newArchEnabled=true`
+  // - Set an environment variable `ORG_GRADLE_PROJECT_newArchEnabled=true`
+  return project.hasProperty("newArchEnabled") && project.newArchEnabled == "true"
+}
+
+def resolveBuildType() {
+    Gradle gradle = getGradle()
+    String tskReqStr = gradle.getStartParameter().getTaskRequests()['args'].toString()
 
-def getExtOrDefault(name) {
-  return rootProject.ext.has(name) ? rootProject.ext.get(name) : project.properties['QuickCrypto_' + name]
+    return tskReqStr.contains('Release') ? 'release' : 'debug'
 }
 
-def getExtOrIntegerDefault(name) {
-  return rootProject.ext.has(name) ? rootProject.ext.get(name) : (project.properties['QuickCrypto_' + name]).toInteger()
+if (isNewArchitectureEnabled()) {
+  apply plugin: "com.facebook.react"
+}
+apply plugin: 'com.android.library'
+
+def safeExtGet(prop, fallback) {
+  rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
 }
 
 def reactNativeArchitectures() {
-    def value = project.getProperties().get("reactNativeArchitectures")
-    return value ? value.split(",") : ["armeabi-v7a", "x86", "x86_64", "arm64-v8a"]
+  def value = project.getProperties().get("reactNativeArchitectures")
+  return value ? value.split(",") : ["armeabi-v7a", "x86", "x86_64", "arm64-v8a"]
 }
 
-def reactProperties = new Properties()
-file("$nodeModules/react-native/ReactAndroid/gradle.properties").withInputStream { reactProperties.load(it) }
+// static def findNodeModules(baseDir) {
+//   def basePath = baseDir.toPath().normalize()
+//   // Node's module resolution algorithm searches up to the root directory,
+//   // after which the base path will be null
+//   while (basePath) {
+//     def nodeModulesPath = Paths.get(basePath.toString(), "node_modules")
+//     def reactNativePath = Paths.get(nodeModulesPath.toString(), "react-native")
+//     if (nodeModulesPath.toFile().exists() && reactNativePath.toFile().exists()) {
+//       return nodeModulesPath.toString()
+//     }
+//     basePath = basePath.getParent()
+//   }
+//   throw new GradleException("react-native-quick-crypto: Failed to find node_modules/ path!")
+// }
+
+// def nodeModules = findNodeModules(projectDir)
+
+repositories {
+  google()
+  mavenCentral()
+}
 
 android {
-  compileSdkVersion getExtOrIntegerDefault('compileSdkVersion')
-  buildToolsVersion getExtOrDefault('buildToolsVersion')
-  ndkVersion getExtOrDefault('ndkVersion')
+  compileSdkVersion safeExtGet("compileSdkVersion", 31)
+
+  if ((agpVersionMajor == 7 && agpVersionMinor >= 3) || agpVersionMajor >= 8) {
+    // Namespace support was added in 7.3.0
+    namespace "com.margelo.quickcrypto"
+
+    sourceSets {
+      main {
+        manifest.srcFile "src/main/AndroidManifestNew.xml"
+      }
+    }
+  }
+
+  if (agpVersionMajor >= 8) {
+      buildFeatures {
+          buildConfig = true
+      }
+  }
+
+  // Used to override the NDK path/version on internal CI or by allowing
+  // users to customize the NDK path/version from their root project (e.g. for M1 support)
+  if (rootProject.hasProperty("ndkPath")) {
+    ndkPath rootProject.ext.ndkPath
+  }
+  if (rootProject.hasProperty("ndkVersion")) {
+    ndkVersion rootProject.ext.ndkVersion
+  }
 
   buildFeatures {
     prefab true
   }
 
   defaultConfig {
-    minSdkVersion 21
-    targetSdkVersion getExtOrIntegerDefault('targetSdkVersion')
+    minSdkVersion safeExtGet('minSdkVersion', 23)
+    targetSdkVersion safeExtGet('targetSdkVersion', 31)
     versionCode 1
     versionName "1.0"
+    buildConfigField "boolean", "IS_NEW_ARCHITECTURE_ENABLED", isNewArchitectureEnabled().toString()
     externalNativeBuild {
       cmake {
-        cppFlags "-fexceptions", "-frtti", "-std=c++1y", "-DONANDROID", "-DANDROID"
-        arguments '-DANDROID_STL=c++_shared',
-                  "-DNODE_MODULES_DIR=${nodeModules}"
+        cppFlags "-O2 -frtti -fexceptions -Wall -Wno-unused-variable -fstack-protector-all"
+        arguments '-DANDROID_STL=c++_shared' //, "-DNODE_MODULES_DIR=${nodeModules}",
+        abiFilters (*reactNativeArchitectures())
       }
     }
-    ndk {
-      abiFilters (*reactNativeArchitectures())
-    }
   }
 
   externalNativeBuild {
@@ -83,6 +125,7 @@ android {
   }
 
   packagingOptions {
+    doNotStrip resolveBuildType() == 'debug' ? "**/**/*.so" : ''
     excludes = [
             "**/libc++_shared.so",
             "**/libfbjni.so",
@@ -91,12 +134,13 @@ android {
             "**/libreact_nativemodule_core.so",
             "**/libturbomodulejsijni.so",
             "**/MANIFEST.MF",
-            ""
     ]
-    doNotStrip '**/*.so'
   }
 
   buildTypes {
+    release {
+      minifyEnabled false
+    }
     debug {
       packagingOptions {
         doNotStrip '**/*.so'
@@ -106,11 +150,8 @@ android {
       jniDebuggable true
       renderscriptDebuggable true
     }
-
-    release {
-      minifyEnabled false
-    }
   }
+
   lintOptions {
     disable 'GradleCompatible'
   }
@@ -119,9 +160,6 @@ android {
     targetCompatibility JavaVersion.VERSION_1_8
   }
 
-  buildFeatures {
-    prefab true
-  }
 }
 
 repositories {
@@ -130,9 +168,23 @@ repositories {
 }
 
 dependencies {
+  //noinspection GradleDynamicVersion
+  implementation "com.facebook.react:react-android:+"
   // https://mvnrepository.com/artifact/com.android.ndk.thirdparty/openssl
-  implementation 'com.android.ndk.thirdparty:openssl:1.1.1l-beta-1'
-
-  implementation "com.facebook.react:react-android:"
-  implementation "com.facebook.react:hermes-android:"
+  implementation 'com.android.ndk.thirdparty:openssl:1.1.1q-beta-1'
 }
+
+// Resolves "LOCAL_SRC_FILES points to a missing file, Check that libfb.so exists or that its path is correct".
+tasks.whenTaskAdded { task ->
+  if (task.name.contains("configureCMakeDebug")) {
+    rootProject.getTasksByName("packageReactNdkDebugLibs", true).forEach {
+      task.dependsOn(it)
+    }
+  }
+  // We want to add a dependency for both configureCMakeRelease and configureCMakeRelWithDebInfo
+  if (task.name.contains("configureCMakeRel")) {
+    rootProject.getTasksByName("packageReactNdkReleaseLibs", true).forEach {
+      task.dependsOn(it)
+    }
+  }
+}

package/android/gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.9-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

package/android/gradle.properties

@@ -1,6 +1,6 @@
-QuickCrypto_compileSdkVersion=30
-QuickCrypto_buildToolsVersion=30.0.2
-QuickCrypto_targetSdkVersion=30
+QuickCrypto_compileSdkVersion=31
+QuickCrypto_targetSdkVersion=31
+QuickCrypto_ndkversion=21.4.7075529
+QuickCrypto_minSdkVersion=23
+
 android.useAndroidX=true
-# Enables Prefab
-#android.enablePrefab=true

package/android/src/main/{AndroidManifest.xml → AndroidManifestNew.xml}

@@ -1,4 +1,3 @@
-<manifest xmlns:android="http://schemas.android.com/apk/res/android"
-          package="com.margelo.quickcrypto">
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 
 </manifest>

package/cpp/Cipher/MGLCipherHostObject.cpp

@@ -329,10 +329,12 @@ void MGLCipherHostObject::installMethods() {
       ok = EVP_CipherFinal_ex(ctx_, out.getBuffer(runtime).data(runtime),
                               &out_len) == 1;
 
+      // Additional operations for authenticated modes
       if (ok && isCipher_ && IsAuthenticatedMode()) {
-        // In GCM mode, the authentication tag length can be specified in
-        // advance, but defaults to 16 bytes when encrypting. In CCM and OCB
-        // mode, it must always be given by the user.
+        // In GCM mode: default to 16 bytes.
+        // In CCM, OCB mode: must be provided by user.
+
+        // Logic for default auth tag length
         if (auth_tag_len_ == kNoAuthTagLength) {
           // TODO(osp) check
           // CHECK(mode == EVP_CIPH_GCM_MODE);
@@ -391,8 +393,8 @@ void MGLCipherHostObject::installMethods() {
         plaintext_len =
             (int)args.getProperty(runtime, "plaintextLength").asNumber();
       } else {
-        throw new jsi::JSError(runtime,
-                               "plaintextLength property needs to be a number");
+        throw jsi::JSError(runtime,
+                           "plaintextLength property needs to be a number");
       }
     }
 
@@ -446,6 +448,28 @@ void MGLCipherHostObject::installMethods() {
     return EVP_CIPHER_CTX_set_padding(ctx_, arguments[0].getBool());
   }));
 
+
+  // getAuthTag
+  this->fields.push_back(buildPair(
+    "getAuthTag", JSIF([this]) {
+        if (ctx_) {
+          throw jsi::JSError(runtime, "Cannot getAuthTag while encryption in progress.");
+        }
+        if (!isCipher_) {
+          throw jsi::JSError(runtime, "Cannot getAuthTag in decryption mode.");
+        }
+        if (auth_tag_len_ == kNoAuthTagLength) {
+          throw jsi::JSError(runtime, "Authentication tag not set or not available. Make sure to call 'final' before getting the authentication tag.");
+        }
+
+        MGLTypedArray<MGLTypedArrayKind::Uint8Array> authTagArray(runtime, auth_tag_len_);
+        auto buffer = authTagArray.getBuffer(runtime);
+        auto dataPtr = buffer.data(runtime);
+        std::memcpy(dataPtr, auth_tag_, auth_tag_len_);
+
+        return authTagArray;
+    }));
+
   // setAuthTag
   this->fields.push_back(buildPair(
       "setAuthTag", JSIF([=]) {
@@ -577,6 +601,8 @@ bool MGLCipherHostObject::InitAuthenticated(const char *cipher_type, int iv_len,
     // TODO(tniessen) Support CCM decryption in FIPS mode
 
 #if OPENSSL_VERSION_MAJOR >= 3
+    // TODO: not sure where kind_ comes from in next line, but as we bump
+    // OpenSSL version we will need to look at Node.js code and figure it out.
     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher &&
         EVP_default_properties_is_fips_enabled(nullptr)) {
 #else