react-native-quick-crypto 1.0.0-beta.11 → 1.0.0-beta.13

package/android/CMakeLists.txt

@@ -9,6 +9,8 @@ set(CMAKE_CXX_STANDARD 20)
 add_library(
   ${PACKAGE_NAME} SHARED
   src/main/cpp/cpp-adapter.cpp
+  ../cpp/hmac/HybridHmac.cpp
+  ../cpp/hash/HybridHash.cpp
   ../cpp/ed25519/HybridEdKeyPair.cpp
   ../cpp/pbkdf2/HybridPbkdf2.cpp
   ../cpp/random/HybridRandom.cpp
@@ -21,6 +23,8 @@ include(${CMAKE_SOURCE_DIR}/../nitrogen/generated/android/QuickCrypto+autolinkin
 # local includes
 include_directories(
   "src/main/cpp"
+  "../cpp/hmac"
+  "../cpp/hash"
   "../cpp/ed25519"
   "../cpp/pbkdf2"
   "../cpp/random"

package/cpp/ed25519/HybridEdKeyPair.cpp

@@ -5,45 +5,23 @@
 
 namespace margelo::nitro::crypto {
 
-std::shared_ptr<Promise<void>>
-HybridEdKeyPair::generateKeyPair(
-  double publicFormat,
-  double publicType,
-  double privateFormat,
-  double privateType,
-  const std::optional<std::string>& cipher,
-  const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase
-) {
+std::shared_ptr<Promise<void>> HybridEdKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
+                                                                double privateType, const std::optional<std::string>& cipher,
+                                                                const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
   // get owned NativeArrayBuffers before passing to sync function
   std::optional<std::shared_ptr<ArrayBuffer>> nativePassphrase = std::nullopt;
   if (passphrase.has_value()) {
     nativePassphrase = ToNativeArrayBuffer(passphrase.value());
   }
 
-  return Promise<void>::async(
-    [this, publicFormat, publicType, privateFormat, privateType, cipher,
-     nativePassphrase]() {
-      this->generateKeyPairSync(
-        publicFormat,
-        publicType,
-        privateFormat,
-        privateType,
-        cipher,
-        nativePassphrase
-      );
-    }
-  );
+  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType, cipher, nativePassphrase]() {
+    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType, cipher, nativePassphrase);
+  });
 }
 
-void
-HybridEdKeyPair::generateKeyPairSync(
-    double publicFormat,
-    double publicType,
-    double privateFormat,
-    double privateType,
-    const std::optional<std::string>& cipher,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase
-) {
+void HybridEdKeyPair::generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType,
+                                          const std::optional<std::string>& cipher,
+                                          const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
   EVP_PKEY_CTX* pctx;
 
   // key context
@@ -69,12 +47,8 @@ HybridEdKeyPair::generateKeyPairSync(
   EVP_PKEY_CTX_free(pctx);
 }
 
-
-std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>>
-HybridEdKeyPair::sign(
-  const std::shared_ptr<ArrayBuffer>& message,
-  const std::optional<std::shared_ptr<ArrayBuffer>>& key
-) {
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridEdKeyPair::sign(const std::shared_ptr<ArrayBuffer>& message,
+                                                                             const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
   // get owned NativeArrayBuffer before passing to sync function
   auto nativeMessage = ToNativeArrayBuffer(message);
   std::optional<std::shared_ptr<ArrayBuffer>> nativeKey = std::nullopt;
@@ -82,17 +56,12 @@ HybridEdKeyPair::sign(
     nativeKey = ToNativeArrayBuffer(key.value());
   }
 
-  return Promise<std::shared_ptr<ArrayBuffer>>::async([this, nativeMessage, nativeKey]() {
-      return this->signSync(nativeMessage, nativeKey);
-    }
-  );
+  return Promise<std::shared_ptr<ArrayBuffer>>::async(
+      [this, nativeMessage, nativeKey]() { return this->signSync(nativeMessage, nativeKey); });
 }
 
-std::shared_ptr<ArrayBuffer>
-HybridEdKeyPair::signSync(
-  const std::shared_ptr<ArrayBuffer>& message,
-  const std::optional<std::shared_ptr<ArrayBuffer>>& key
-) {
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::signSync(const std::shared_ptr<ArrayBuffer>& message,
+                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
 
   size_t sig_len = 0;
   uint8_t* sig = NULL;
@@ -135,11 +104,7 @@ HybridEdKeyPair::signSync(
   }
 
   // return value for JS
-  std::shared_ptr<ArrayBuffer> signature = std::make_shared<NativeArrayBuffer>(
-    sig,
-    sig_len,
-    [=]() { delete[] sig; }
-  );
+  std::shared_ptr<ArrayBuffer> signature = std::make_shared<NativeArrayBuffer>(sig, sig_len, [=]() { delete[] sig; });
 
   // Clean up
   EVP_MD_CTX_free(md_ctx);
@@ -147,12 +112,9 @@ HybridEdKeyPair::signSync(
   return signature;
 }
 
-std::shared_ptr<Promise<bool>>
-HybridEdKeyPair::verify(
-  const std::shared_ptr<ArrayBuffer>& signature,
-  const std::shared_ptr<ArrayBuffer>& message,
-  const std::optional<std::shared_ptr<ArrayBuffer>>& key
-) {
+std::shared_ptr<Promise<bool>> HybridEdKeyPair::verify(const std::shared_ptr<ArrayBuffer>& signature,
+                                                       const std::shared_ptr<ArrayBuffer>& message,
+                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
   // get owned NativeArrayBuffers before passing to sync function
   auto nativeSignature = ToNativeArrayBuffer(signature);
   auto nativeMessage = ToNativeArrayBuffer(message);
@@ -161,18 +123,12 @@ HybridEdKeyPair::verify(
     nativeKey = ToNativeArrayBuffer(key.value());
   }
 
-  return Promise<bool>::async([this, nativeSignature, nativeMessage, nativeKey]() {
-      return this->verifySync(nativeSignature, nativeMessage, nativeKey);
-    }
-  );
+  return Promise<bool>::async(
+      [this, nativeSignature, nativeMessage, nativeKey]() { return this->verifySync(nativeSignature, nativeMessage, nativeKey); });
 }
 
-bool
-HybridEdKeyPair::verifySync(
-  const std::shared_ptr<ArrayBuffer>& signature,
-  const std::shared_ptr<ArrayBuffer>& message,
-  const std::optional<std::shared_ptr<ArrayBuffer>>& key
-) {
+bool HybridEdKeyPair::verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                                 const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
   // get key to use for verifying
   EVP_PKEY* pkey = this->importPrivateKey(key);
 
@@ -199,13 +155,9 @@ HybridEdKeyPair::verifySync(
   }
 
   // verify
-  auto res = EVP_DigestVerify(
-    md_ctx,
-    signature.get()->data(), signature.get()->size(),
-    message.get()->data(), message.get()->size()
-  );
+  auto res = EVP_DigestVerify(md_ctx, signature.get()->data(), signature.get()->size(), message.get()->data(), message.get()->size());
 
-  //return value for JS
+  // return value for JS
   if (res < 0) {
     EVP_MD_CTX_free(md_ctx);
     throw std::runtime_error("Failed to verify");
@@ -213,8 +165,7 @@ HybridEdKeyPair::verifySync(
   return res == 1; // true if 1, false if 0
 }
 
-std::shared_ptr<ArrayBuffer>
-HybridEdKeyPair::getPublicKey() {
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::getPublicKey() {
   this->checkKeyPair();
   size_t len = 32;
   uint8_t* publ = new uint8_t[len];
@@ -223,8 +174,7 @@ HybridEdKeyPair::getPublicKey() {
   return std::make_shared<NativeArrayBuffer>(publ, len, [=]() { delete[] publ; });
 }
 
-std::shared_ptr<ArrayBuffer>
-HybridEdKeyPair::getPrivateKey() {
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::getPrivateKey() {
   this->checkKeyPair();
   size_t len = 32;
   uint8_t* priv = new uint8_t[len];
@@ -233,28 +183,21 @@ HybridEdKeyPair::getPrivateKey() {
   return std::make_shared<NativeArrayBuffer>(priv, len, [=]() { delete[] priv; });
 }
 
-void
-HybridEdKeyPair::checkKeyPair() {
+void HybridEdKeyPair::checkKeyPair() {
   if (this->pkey == nullptr) {
     throw std::runtime_error("Keypair not initialized");
   }
 }
 
-void
-HybridEdKeyPair::setCurve(const std::string& curve) {
+void HybridEdKeyPair::setCurve(const std::string& curve) {
   this->curve = curve;
 }
 
-EVP_PKEY*
-HybridEdKeyPair::importPrivateKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+EVP_PKEY* HybridEdKeyPair::importPrivateKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
   EVP_PKEY* pkey = nullptr;
   if (key.has_value()) {
-    pkey = EVP_PKEY_new_raw_private_key(
-      EVP_PKEY_ED25519, // TODO: use this->curve somehow
-      NULL,
-      key.value()->data(),
-      32
-    );
+    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, // TODO: use this->curve somehow
+                                        NULL, key.value()->data(), 32);
     if (pkey == nullptr) {
       throw std::runtime_error("Failed to read private key");
     }

package/cpp/ed25519/HybridEdKeyPair.hpp

@@ -1,6 +1,6 @@
-#include <openssl/evp.h>
-#include <openssl/err.h>
 #include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
 #include <string>
 
 #include "HybridEdKeyPairSpec.hpp"
@@ -16,58 +16,30 @@ class HybridEdKeyPair : public HybridEdKeyPairSpec {
 
  public:
   // Methods
-  std::shared_ptr<Promise<void>>
-  generateKeyPair(
-    double publicFormat,
-    double publicType,
-    double privateFormat,
-    double privateType,
-    const std::optional<std::string>& cipher,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase
-  ) override;
-
-  void
-  generateKeyPairSync(
-    double publicFormat,
-    double publicType,
-    double privateFormat,
-    double privateType,
-    const std::optional<std::string>& cipher,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase
-  ) override;
-
-  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>>
-  sign(
-    const std::shared_ptr<ArrayBuffer>& message,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& key
-  ) override;
-
-  std::shared_ptr<ArrayBuffer>
-  signSync(
-    const std::shared_ptr<ArrayBuffer>& message,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& key
-  ) override;
-
-  std::shared_ptr<Promise<bool>>
-  verify(
-    const std::shared_ptr<ArrayBuffer>& signature,
-    const std::shared_ptr<ArrayBuffer>& message,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& key
-  ) override;
-
-  bool
-  verifySync(
-    const std::shared_ptr<ArrayBuffer>& signature,
-    const std::shared_ptr<ArrayBuffer>& message,
-    const std::optional<std::shared_ptr<ArrayBuffer>>& key
-  ) override;
+  std::shared_ptr<Promise<void>> generateKeyPair(double publicFormat, double publicType, double privateFormat, double privateType,
+                                                 const std::optional<std::string>& cipher,
+                                                 const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  void generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType,
+                           const std::optional<std::string>& cipher,
+                           const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> sign(const std::shared_ptr<ArrayBuffer>& message,
+                                                              const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  std::shared_ptr<ArrayBuffer> signSync(const std::shared_ptr<ArrayBuffer>& message,
+                                        const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  std::shared_ptr<Promise<bool>> verify(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                                        const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  bool verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                  const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
 
  protected:
-  std::shared_ptr<ArrayBuffer>
-  getPublicKey() override;
+  std::shared_ptr<ArrayBuffer> getPublicKey() override;
 
-  std::shared_ptr<ArrayBuffer>
-  getPrivateKey() override;
+  std::shared_ptr<ArrayBuffer> getPrivateKey() override;
 
   void checkKeyPair();
 
@@ -77,9 +49,7 @@ class HybridEdKeyPair : public HybridEdKeyPairSpec {
   std::string curve;
   EVP_PKEY* pkey = nullptr;
 
-  EVP_PKEY* importPrivateKey(
-    const std::optional<std::shared_ptr<ArrayBuffer>>& key
-  );
+  EVP_PKEY* importPrivateKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key);
 };
 
 } // namespace margelo::nitro::crypto

package/cpp/hash/HybridHash.cpp

@@ -0,0 +1,151 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHash.hpp"
+
+namespace margelo::nitro::crypto {
+
+HybridHash::~HybridHash() {
+  if (ctx) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+  }
+}
+
+void HybridHash::createHash(const std::string& hashAlgorithmArg, const std::optional<double> outputLengthArg) {
+  algorithm = hashAlgorithmArg;
+  outputLength = outputLengthArg;
+
+  // Create hash context
+  ctx = EVP_MD_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Get the message digest by name
+  md = EVP_get_digestbyname(algorithm.c_str());
+  if (!md) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("Unknown hash algorithm: " + algorithm);
+  }
+
+  // Initialize the digest
+  if (EVP_DigestInit_ex(ctx, md, nullptr) != 1) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("Failed to initialize hash digest: " + std::to_string(ERR_get_error()));
+  }
+}
+
+void HybridHash::update(const std::shared_ptr<ArrayBuffer>& data) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  // Update the digest with the data
+  if (EVP_DigestUpdate(ctx, reinterpret_cast<const uint8_t*>(data->data()), data->size()) != 1) {
+    throw std::runtime_error("Failed to update hash digest: " + std::to_string(ERR_get_error()));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridHash::digest(const std::optional<std::string>& encoding) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  setParams();
+
+  // Get the default digest size
+  const size_t defaultLen = EVP_MD_CTX_size(ctx);
+  const size_t digestSize = (outputLength.has_value()) ? static_cast<int>(*outputLength) : defaultLen;
+
+  if (digestSize < 0) {
+    throw std::runtime_error("Invalid digest size: " + std::to_string(digestSize));
+  }
+
+  // Create a buffer for the hash output
+  uint8_t* hashBuffer = new uint8_t[digestSize];
+  size_t hashLength = digestSize;
+
+  // Finalize the digest
+  int ret;
+  if (digestSize == defaultLen) {
+    ret = EVP_DigestFinal_ex(ctx, hashBuffer, reinterpret_cast<unsigned int*>(&hashLength));
+  } else {
+    ret = EVP_DigestFinalXOF(ctx, hashBuffer, hashLength);
+  }
+
+  if (ret != 1) {
+    delete[] hashBuffer;
+    throw std::runtime_error("Failed to finalize hash digest: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<NativeArrayBuffer>(hashBuffer, hashLength, [=]() { delete[] hashBuffer; });
+}
+
+std::shared_ptr<margelo::nitro::crypto::HybridHashSpec> HybridHash::copy(const std::optional<double> outputLengthArg) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  // Create a new context
+  EVP_MD_CTX* newCtx = EVP_MD_CTX_new();
+  if (!newCtx) {
+    throw std::runtime_error("Failed to create new hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Copy the existing context to the new one
+  if (EVP_MD_CTX_copy(newCtx, ctx) != 1) {
+    EVP_MD_CTX_free(newCtx);
+    throw std::runtime_error("Failed to copy hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<HybridHash>(newCtx, md, algorithm, outputLengthArg);
+}
+
+std::vector<std::string> HybridHash::getSupportedHashAlgorithms() {
+  std::vector<std::string> hashAlgorithms;
+
+  EVP_MD_do_all_provided(
+      nullptr,
+      [](EVP_MD* md, void* arg) {
+        auto* algorithms = static_cast<std::vector<std::string>*>(arg);
+        const char* name = EVP_MD_get0_name(md);
+        if (name) {
+          algorithms->push_back(name);
+        }
+      },
+      &hashAlgorithms);
+
+  return hashAlgorithms;
+}
+
+void HybridHash::setParams() {
+  // Handle algorithm parameters (like XOF length for SHAKE)
+  if (outputLength.has_value()) {
+    uint32_t xoflen = outputLength.value();
+
+    // Add a reasonable maximum output length
+    const int MAX_OUTPUT_LENGTH = 16 * 1024 * 1024; // 16MB
+    if (xoflen > MAX_OUTPUT_LENGTH) {
+      throw std::runtime_error("Output length " + std::to_string(xoflen) + " exceeds maximum allowed size of " +
+                               std::to_string(MAX_OUTPUT_LENGTH));
+    }
+
+    OSSL_PARAM params[] = {OSSL_PARAM_construct_uint("xoflen", &xoflen), OSSL_PARAM_END};
+
+    if (EVP_MD_CTX_set_params(ctx, params) != 1) {
+      EVP_MD_CTX_free(ctx);
+      ctx = nullptr;
+      throw std::runtime_error("Failed to set XOF length (outputLength) parameter: " + std::to_string(ERR_get_error()));
+    }
+  }
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/hash/HybridHash.hpp

@@ -0,0 +1,41 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHashSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+using namespace facebook;
+
+class HybridHash : public HybridHashSpec {
+ public:
+  HybridHash() : HybridObject(TAG) {}
+  HybridHash(EVP_MD_CTX* ctx, const EVP_MD* md, const std::string& algorithm, const std::optional<double> outputLength)
+      : HybridObject(TAG), ctx(ctx), md(md), algorithm(algorithm), outputLength(outputLength) {}
+  ~HybridHash();
+
+ public:
+  // Methods
+  void createHash(const std::string& algorithm, const std::optional<double> outputLength) override;
+  void update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> digest(const std::optional<std::string>& encoding = std::nullopt) override;
+  std::shared_ptr<margelo::nitro::crypto::HybridHashSpec> copy(const std::optional<double> outputLength) override;
+  std::vector<std::string> getSupportedHashAlgorithms() override;
+
+ private:
+  // Methods
+  void setParams();
+
+ private:
+  // Properties
+  EVP_MD_CTX* ctx = nullptr;
+  const EVP_MD* md = nullptr;
+  std::string algorithm = "";
+  std::optional<double> outputLength = std::nullopt;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/hmac/HybridHmac.cpp

@@ -0,0 +1,95 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHmac.hpp"
+
+namespace margelo::nitro::crypto {
+
+HybridHmac::~HybridHmac() {
+  if (ctx) {
+    EVP_MAC_CTX_free(ctx);
+    ctx = nullptr;
+  }
+}
+
+void HybridHmac::createHmac(const std::string& hmacAlgorithm, const std::shared_ptr<ArrayBuffer>& secretKey) {
+  algorithm = hmacAlgorithm;
+
+  // Create and use EVP_MAC locally
+  EVP_MAC* mac = EVP_MAC_fetch(nullptr, "HMAC", nullptr);
+  if (!mac) {
+    throw std::runtime_error("Failed to fetch HMAC implementation: " + std::to_string(ERR_get_error()));
+  }
+
+  // Create HMAC context
+  ctx = EVP_MAC_CTX_new(mac);
+  EVP_MAC_free(mac); // Free immediately after creating the context
+  if (!ctx) {
+    throw std::runtime_error("Failed to create HMAC context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Validate algorithm
+  const EVP_MD* md = EVP_get_digestbyname(algorithm.c_str());
+  if (!md) {
+    throw std::runtime_error("Unknown HMAC algorithm: " + algorithm);
+  }
+
+  // Set up parameters for HMAC
+  OSSL_PARAM params[2];
+  params[0] = OSSL_PARAM_construct_utf8_string("digest", const_cast<char*>(algorithm.c_str()), 0);
+  params[1] = OSSL_PARAM_construct_end();
+
+  const uint8_t* keyData = reinterpret_cast<const uint8_t*>(secretKey->data());
+  size_t keySize = secretKey->size();
+
+  // Handle empty key case by providing a dummy key
+  static const uint8_t dummyKey = 0;
+  if (keySize == 0) {
+    keyData = &dummyKey;
+    keySize = 1;
+  }
+
+  // Initialize HMAC
+  if (EVP_MAC_init(ctx, keyData, keySize, params) != 1) {
+    throw std::runtime_error("Failed to initialize HMAC: " + std::to_string(ERR_get_error()));
+  }
+}
+
+void HybridHmac::update(const std::shared_ptr<ArrayBuffer>& data) {
+  if (!ctx) {
+    throw std::runtime_error("HMAC context not initialized");
+  }
+
+  // Update HMAC with new data
+  if (EVP_MAC_update(ctx, reinterpret_cast<const uint8_t*>(data->data()), data->size()) != 1) {
+    throw std::runtime_error("Failed to update HMAC: " + std::to_string(ERR_get_error()));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridHmac::digest() {
+  if (!ctx) {
+    throw std::runtime_error("HMAC context not initialized");
+  }
+
+  // Determine the maximum possible size of the HMAC output
+  const EVP_MD* md = EVP_get_digestbyname(algorithm.c_str());
+  const size_t hmacLength = EVP_MD_get_size(md);
+
+  // Allocate buffer with the exact required size
+  uint8_t* hmacBuffer = new uint8_t[hmacLength];
+
+  // Finalize the HMAC computation directly into the final buffer
+  if (EVP_MAC_final(ctx, hmacBuffer, nullptr, hmacLength) != 1) {
+    delete[] hmacBuffer;
+    throw std::runtime_error("Failed to finalize HMAC digest: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<NativeArrayBuffer>(hmacBuffer, hmacLength, [=]() { delete[] hmacBuffer; });
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/hmac/HybridHmac.hpp

@@ -0,0 +1,31 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHmacSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+using namespace facebook;
+
+class HybridHmac : public HybridHmacSpec {
+ public:
+  HybridHmac() : HybridObject(TAG) {}
+  ~HybridHmac();
+
+ public:
+  // Methods
+  void createHmac(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& key) override;
+  void update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> digest() override;
+
+ private:
+  // Properties
+  EVP_MAC_CTX* ctx = nullptr;
+  std::string algorithm = "";
+};
+
+} // namespace margelo::nitro::crypto