react-native-quick-crypto 1.0.0-beta.2 → 1.0.0-beta.21

package/cpp/ed25519/HybridEdKeyPair.cpp

@@ -0,0 +1,300 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/evp.h>
+#include <string>
+
+#include "HybridEdKeyPair.hpp"
+
+namespace margelo::nitro::crypto {
+
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::diffieHellman(const std::shared_ptr<ArrayBuffer>& privateKey,
+                                                            const std::shared_ptr<ArrayBuffer>& publicKey) {
+  using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
+  using EVP_PKEY_CTX_ptr = std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)>;
+
+  // 1. Create EVP_PKEY for private key (our key)
+  EVP_PKEY_ptr pkey_priv(EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, privateKey->data(), privateKey->size()), EVP_PKEY_free);
+  if (!pkey_priv) {
+    throw std::runtime_error("Failed to create private key: " + getOpenSSLError());
+  }
+
+  // 2. Create EVP_PKEY for public key (peer's key)
+  EVP_PKEY_ptr pkey_pub(EVP_PKEY_new_raw_public_key(EVP_PKEY_X25519, NULL, publicKey->data(), publicKey->size()), EVP_PKEY_free);
+  if (!pkey_pub) {
+    throw std::runtime_error("Failed to create public key: " + getOpenSSLError());
+  }
+
+  // 3. Create the context for the key exchange
+  EVP_PKEY_CTX_ptr ctx(EVP_PKEY_CTX_new_from_pkey(NULL, pkey_priv.get(), NULL), EVP_PKEY_CTX_free);
+  if (!ctx) {
+    throw std::runtime_error("Failed to create key exchange context: " + getOpenSSLError());
+  }
+
+  // 4. Initialize the context
+  if (EVP_PKEY_derive_init(ctx.get()) <= 0) {
+    throw std::runtime_error("Failed to initialize key exchange: " + getOpenSSLError());
+  }
+
+  // 5. Provide the peer's public key
+  if (EVP_PKEY_derive_set_peer(ctx.get(), pkey_pub.get()) <= 0) {
+    throw std::runtime_error("Failed to set peer key: " + getOpenSSLError());
+  }
+
+  // 6. Determine the size of the shared secret
+  size_t shared_secret_len;
+  if (EVP_PKEY_derive(ctx.get(), NULL, &shared_secret_len) <= 0) {
+    throw std::runtime_error("Failed to determine shared secret length: " + getOpenSSLError());
+  }
+
+  // 7. Allocate memory for the shared secret
+  auto shared_secret = new uint8_t[shared_secret_len];
+
+  // 8. Derive the shared secret
+  if (EVP_PKEY_derive(ctx.get(), shared_secret, &shared_secret_len) <= 0) {
+    delete[] shared_secret;
+    throw std::runtime_error("Failed to derive shared secret: " + getOpenSSLError());
+  }
+
+  // 9. Return a newly-created ArrayBuffer from the raw buffer w/ cleanup
+  return std::make_shared<NativeArrayBuffer>(shared_secret, shared_secret_len, [=]() { delete[] shared_secret; });
+}
+
+std::shared_ptr<Promise<void>> HybridEdKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
+                                                                double privateType, const std::optional<std::string>& cipher,
+                                                                const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
+  // get owned NativeArrayBuffers before passing to sync function
+  std::optional<std::shared_ptr<ArrayBuffer>> nativePassphrase = std::nullopt;
+  if (passphrase.has_value()) {
+    nativePassphrase = ToNativeArrayBuffer(passphrase.value());
+  }
+
+  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType, cipher, nativePassphrase]() {
+    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType, cipher, nativePassphrase);
+  });
+}
+
+void HybridEdKeyPair::generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType,
+                                          const std::optional<std::string>& cipher,
+                                          const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
+  // Clear any previous OpenSSL errors to prevent pollution
+  clearOpenSSLErrors();
+
+  if (this->curve.empty()) {
+    throw std::runtime_error("EC curve not set. Call setCurve() first.");
+  }
+
+  // Clean up existing key if any
+  if (this->pkey != nullptr) {
+    EVP_PKEY_free(this->pkey);
+    this->pkey = nullptr;
+  }
+
+  EVP_PKEY_CTX* pctx;
+
+  // key context
+  pctx = EVP_PKEY_CTX_new_from_name(nullptr, this->curve.c_str(), nullptr);
+  if (pctx == nullptr) {
+    throw std::runtime_error("Invalid curve name: " + this->curve);
+  }
+
+  // keygen init
+  if (EVP_PKEY_keygen_init(pctx) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to initialize keygen");
+  }
+
+  // generate key
+  EVP_PKEY_keygen(pctx, &this->pkey);
+  if (this->pkey == nullptr) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to generate key");
+  }
+
+  // cleanup
+  EVP_PKEY_CTX_free(pctx);
+}
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridEdKeyPair::sign(const std::shared_ptr<ArrayBuffer>& message,
+                                                                             const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  // get owned NativeArrayBuffer before passing to sync function
+  auto nativeMessage = ToNativeArrayBuffer(message);
+  std::optional<std::shared_ptr<ArrayBuffer>> nativeKey = std::nullopt;
+  if (key.has_value()) {
+    nativeKey = ToNativeArrayBuffer(key.value());
+  }
+
+  return Promise<std::shared_ptr<ArrayBuffer>>::async(
+      [this, nativeMessage, nativeKey]() { return this->signSync(nativeMessage, nativeKey); });
+}
+
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::signSync(const std::shared_ptr<ArrayBuffer>& message,
+                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  // Clear any previous OpenSSL errors to prevent pollution
+  clearOpenSSLErrors();
+
+  size_t sig_len = 0;
+  uint8_t* sig = NULL;
+  EVP_MD_CTX* md_ctx = nullptr;
+  EVP_PKEY_CTX* pkey_ctx = nullptr;
+
+  // get key to use for signing
+  EVP_PKEY* pkey = this->importPrivateKey(key);
+
+  // key context
+  md_ctx = EVP_MD_CTX_new();
+  if (md_ctx == nullptr) {
+    throw std::runtime_error("Error creating signing context");
+  }
+
+  pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, this->curve.c_str(), nullptr);
+  if (pkey_ctx == nullptr) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Error creating signing context: " + this->curve);
+  }
+
+  if (EVP_DigestSignInit(md_ctx, &pkey_ctx, NULL, NULL, pkey) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    EVP_PKEY_CTX_free(pkey_ctx);
+    char* err = ERR_error_string(ERR_get_error(), NULL);
+    throw std::runtime_error("Failed to initialize signing: " + std::string(err));
+  }
+
+  // Calculate the required size for the signature by passing a NULL buffer.
+  if (EVP_DigestSign(md_ctx, NULL, &sig_len, message.get()->data(), message.get()->size()) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Failed to calculate signature size");
+  }
+  sig = new uint8_t[sig_len];
+
+  // Actually calculate the signature
+  if (EVP_DigestSign(md_ctx, sig, &sig_len, message.get()->data(), message.get()->size()) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    delete[] sig;
+    throw std::runtime_error("Failed to calculate signature");
+  }
+
+  // return value for JS
+  std::shared_ptr<ArrayBuffer> signature = std::make_shared<NativeArrayBuffer>(sig, sig_len, [=]() { delete[] sig; });
+
+  // Clean up
+  EVP_MD_CTX_free(md_ctx);
+  // Note: pkey_ctx is freed automatically by EVP_MD_CTX_free when using EVP_DigestSignInit
+
+  return signature;
+}
+
+std::shared_ptr<Promise<bool>> HybridEdKeyPair::verify(const std::shared_ptr<ArrayBuffer>& signature,
+                                                       const std::shared_ptr<ArrayBuffer>& message,
+                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  // get owned NativeArrayBuffers before passing to sync function
+  auto nativeSignature = ToNativeArrayBuffer(signature);
+  auto nativeMessage = ToNativeArrayBuffer(message);
+  std::optional<std::shared_ptr<ArrayBuffer>> nativeKey = std::nullopt;
+  if (key.has_value()) {
+    nativeKey = ToNativeArrayBuffer(key.value());
+  }
+
+  return Promise<bool>::async(
+      [this, nativeSignature, nativeMessage, nativeKey]() { return this->verifySync(nativeSignature, nativeMessage, nativeKey); });
+}
+
+bool HybridEdKeyPair::verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                                 const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  // Clear any previous OpenSSL errors to prevent pollution
+  clearOpenSSLErrors();
+
+  // get key to use for verifying
+  EVP_PKEY* pkey = this->importPublicKey(key);
+
+  EVP_MD_CTX* md_ctx = nullptr;
+  EVP_PKEY_CTX* pkey_ctx = nullptr;
+
+  // key context
+  md_ctx = EVP_MD_CTX_new();
+  if (md_ctx == nullptr) {
+    throw std::runtime_error("Error creating verify context");
+  }
+
+  pkey_ctx = EVP_PKEY_CTX_new_from_name(nullptr, this->curve.c_str(), nullptr);
+  if (pkey_ctx == nullptr) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Error creating verify context: " + this->curve);
+  }
+
+  if (EVP_DigestVerifyInit(md_ctx, &pkey_ctx, NULL, NULL, pkey) <= 0) {
+    EVP_MD_CTX_free(md_ctx);
+    EVP_PKEY_CTX_free(pkey_ctx);
+    char* err = ERR_error_string(ERR_get_error(), NULL);
+    throw std::runtime_error("Failed to initialize verify: " + std::string(err));
+  }
+
+  // verify
+  auto res = EVP_DigestVerify(md_ctx, signature.get()->data(), signature.get()->size(), message.get()->data(), message.get()->size());
+
+  // return value for JS
+  if (res < 0) {
+    EVP_MD_CTX_free(md_ctx);
+    throw std::runtime_error("Failed to verify");
+  }
+  return res == 1; // true if 1, false if 0
+}
+
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::getPublicKey() {
+  this->checkKeyPair();
+  size_t len = 32;
+  uint8_t* publ = new uint8_t[len];
+  EVP_PKEY_get_raw_public_key(this->pkey, publ, &len);
+
+  return std::make_shared<NativeArrayBuffer>(publ, len, [=]() { delete[] publ; });
+}
+
+std::shared_ptr<ArrayBuffer> HybridEdKeyPair::getPrivateKey() {
+  this->checkKeyPair();
+  size_t len = 32;
+  uint8_t* priv = new uint8_t[len];
+  EVP_PKEY_get_raw_private_key(this->pkey, priv, &len);
+
+  return std::make_shared<NativeArrayBuffer>(priv, len, [=]() { delete[] priv; });
+}
+
+void HybridEdKeyPair::checkKeyPair() {
+  if (this->pkey == nullptr) {
+    throw std::runtime_error("Keypair not initialized");
+  }
+}
+
+void HybridEdKeyPair::setCurve(const std::string& curve) {
+  this->curve = curve;
+}
+
+EVP_PKEY* HybridEdKeyPair::importPublicKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  EVP_PKEY* pkey = nullptr;
+  if (key.has_value()) {
+    pkey = EVP_PKEY_new_raw_public_key(EVP_PKEY_ED25519, // TODO: use this->curve somehow
+                                       NULL, key.value()->data(), 32);
+    if (pkey == nullptr) {
+      throw std::runtime_error("Failed to read public key");
+    }
+  } else {
+    this->checkKeyPair();
+    pkey = this->pkey;
+  }
+  return pkey;
+}
+
+EVP_PKEY* HybridEdKeyPair::importPrivateKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key) {
+  EVP_PKEY* pkey = nullptr;
+  if (key.has_value()) {
+    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_ED25519, // TODO: use this->curve somehow
+                                        NULL, key.value()->data(), 32);
+    if (pkey == nullptr) {
+      throw std::runtime_error("Failed to read private key");
+    }
+  } else {
+    this->checkKeyPair();
+    pkey = this->pkey;
+  }
+  return pkey;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/ed25519/HybridEdKeyPair.hpp

@@ -0,0 +1,63 @@
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <string>
+
+#include "HybridEdKeyPairSpec.hpp"
+#include "Utils.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridEdKeyPair : public HybridEdKeyPairSpec {
+ public:
+  HybridEdKeyPair() : HybridObject(TAG) {}
+  ~HybridEdKeyPair() {
+    if (pkey != nullptr) {
+      EVP_PKEY_free(pkey);
+      pkey = nullptr;
+    }
+  }
+
+ public:
+  // Methods
+  std::shared_ptr<ArrayBuffer> diffieHellman(const std::shared_ptr<ArrayBuffer>& privateKey,
+                                             const std::shared_ptr<ArrayBuffer>& publicKey) override;
+
+  std::shared_ptr<Promise<void>> generateKeyPair(double publicFormat, double publicType, double privateFormat, double privateType,
+                                                 const std::optional<std::string>& cipher,
+                                                 const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  void generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType,
+                           const std::optional<std::string>& cipher,
+                           const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
+
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> sign(const std::shared_ptr<ArrayBuffer>& message,
+                                                              const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  std::shared_ptr<ArrayBuffer> signSync(const std::shared_ptr<ArrayBuffer>& message,
+                                        const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  std::shared_ptr<Promise<bool>> verify(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                                        const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+  bool verifySync(const std::shared_ptr<ArrayBuffer>& signature, const std::shared_ptr<ArrayBuffer>& message,
+                  const std::optional<std::shared_ptr<ArrayBuffer>>& key) override;
+
+ protected:
+  std::shared_ptr<ArrayBuffer> getPublicKey() override;
+
+  std::shared_ptr<ArrayBuffer> getPrivateKey() override;
+
+  void checkKeyPair();
+
+  void setCurve(const std::string& curve) override;
+
+ private:
+  std::string curve;
+  EVP_PKEY* pkey = nullptr;
+
+  EVP_PKEY* importPublicKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key);
+  EVP_PKEY* importPrivateKey(const std::optional<std::shared_ptr<ArrayBuffer>>& key);
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/hash/HybridHash.cpp

@@ -0,0 +1,185 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHash.hpp"
+#include "Utils.hpp"
+
+namespace margelo::nitro::crypto {
+
+HybridHash::~HybridHash() {
+  if (ctx) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+  }
+  if (md && md_fetched) {
+    EVP_MD_free(md);
+    md = nullptr;
+  }
+}
+
+void HybridHash::createHash(const std::string& hashAlgorithmArg, const std::optional<double> outputLengthArg) {
+  // Clear any previous OpenSSL errors to prevent pollution
+  clearOpenSSLErrors();
+
+  // Clean up existing resources before creating new ones
+  if (ctx) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+  }
+  if (md && md_fetched) {
+    EVP_MD_free(md);
+    md = nullptr;
+    md_fetched = false;
+  }
+
+  algorithm = hashAlgorithmArg;
+  outputLength = outputLengthArg;
+
+  // Create hash context
+  ctx = EVP_MD_CTX_new();
+  if (!ctx) {
+    throw std::runtime_error("Failed to create hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Fetch the message digest using modern provider-based API
+  md = EVP_MD_fetch(nullptr, algorithm.c_str(), nullptr);
+  if (!md) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+    throw std::runtime_error("Unknown hash algorithm: " + algorithm);
+  }
+  md_fetched = true;
+
+  // Initialize the digest
+  if (EVP_DigestInit_ex(ctx, md, nullptr) != 1) {
+    EVP_MD_CTX_free(ctx);
+    ctx = nullptr;
+    if (md_fetched) {
+      EVP_MD_free(md);
+      md = nullptr;
+      md_fetched = false;
+    }
+    throw std::runtime_error("Failed to initialize hash digest: " + std::to_string(ERR_get_error()));
+  }
+}
+
+void HybridHash::update(const std::shared_ptr<ArrayBuffer>& data) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  // Update the digest with the data
+  if (EVP_DigestUpdate(ctx, reinterpret_cast<const uint8_t*>(data->data()), data->size()) != 1) {
+    throw std::runtime_error("Failed to update hash digest: " + std::to_string(ERR_get_error()));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridHash::digest(const std::optional<std::string>& encoding) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  setParams();
+
+  // Get the default digest size
+  const size_t defaultLen = EVP_MD_CTX_size(ctx);
+  const size_t digestSize = (outputLength.has_value()) ? static_cast<int>(*outputLength) : defaultLen;
+
+  if (digestSize < 0) {
+    throw std::runtime_error("Invalid digest size: " + std::to_string(digestSize));
+  }
+
+  // Create a buffer for the hash output
+  uint8_t* hashBuffer = new uint8_t[digestSize];
+  size_t hashLength = digestSize;
+
+  // Finalize the digest
+  int ret;
+  if (digestSize == defaultLen) {
+    ret = EVP_DigestFinal_ex(ctx, hashBuffer, reinterpret_cast<unsigned int*>(&hashLength));
+  } else {
+    ret = EVP_DigestFinalXOF(ctx, hashBuffer, hashLength);
+  }
+
+  if (ret != 1) {
+    delete[] hashBuffer;
+    throw std::runtime_error("Failed to finalize hash digest: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<NativeArrayBuffer>(hashBuffer, hashLength, [=]() { delete[] hashBuffer; });
+}
+
+std::shared_ptr<margelo::nitro::crypto::HybridHashSpec> HybridHash::copy(const std::optional<double> outputLengthArg) {
+  if (!ctx) {
+    throw std::runtime_error("Hash context not initialized");
+  }
+
+  // Create a new context
+  EVP_MD_CTX* newCtx = EVP_MD_CTX_new();
+  if (!newCtx) {
+    throw std::runtime_error("Failed to create new hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Copy the existing context to the new one
+  if (EVP_MD_CTX_copy(newCtx, ctx) != 1) {
+    EVP_MD_CTX_free(newCtx);
+    throw std::runtime_error("Failed to copy hash context: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<HybridHash>(newCtx, md, algorithm, outputLengthArg, false);
+}
+
+std::vector<std::string> HybridHash::getSupportedHashAlgorithms() {
+  std::vector<std::string> hashAlgorithms;
+
+  EVP_MD_do_all_provided(
+      nullptr,
+      [](EVP_MD* md, void* arg) {
+        auto* algorithms = static_cast<std::vector<std::string>*>(arg);
+        const char* name = EVP_MD_get0_name(md);
+        if (name) {
+          algorithms->push_back(name);
+        }
+      },
+      &hashAlgorithms);
+
+  return hashAlgorithms;
+}
+
+void HybridHash::setParams() {
+  // Handle algorithm parameters (like XOF length for SHAKE)
+  if (outputLength.has_value()) {
+    uint32_t xoflen = outputLength.value();
+
+    // Add a reasonable maximum output length
+    const int MAX_OUTPUT_LENGTH = 16 * 1024 * 1024; // 16MB
+    if (xoflen > MAX_OUTPUT_LENGTH) {
+      throw std::runtime_error("Output length " + std::to_string(xoflen) + " exceeds maximum allowed size of " +
+                               std::to_string(MAX_OUTPUT_LENGTH));
+    }
+
+    OSSL_PARAM params[] = {OSSL_PARAM_construct_uint("xoflen", &xoflen), OSSL_PARAM_END};
+
+    if (EVP_MD_CTX_set_params(ctx, params) != 1) {
+      EVP_MD_CTX_free(ctx);
+      ctx = nullptr;
+      if (md && md_fetched) {
+        EVP_MD_free(md);
+        md = nullptr;
+        md_fetched = false;
+      }
+      throw std::runtime_error("Failed to set XOF length (outputLength) parameter: " + std::to_string(ERR_get_error()));
+    }
+  }
+}
+
+std::string HybridHash::getOpenSSLVersion() {
+  return OpenSSL_version(OPENSSL_VERSION);
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/hash/HybridHash.hpp

@@ -0,0 +1,43 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHashSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+using namespace facebook;
+
+class HybridHash : public HybridHashSpec {
+ public:
+  HybridHash() : HybridObject(TAG) {}
+  HybridHash(EVP_MD_CTX* ctx, EVP_MD* md, const std::string& algorithm, const std::optional<double> outputLength, bool md_fetched = false)
+      : HybridObject(TAG), ctx(ctx), md(md), md_fetched(md_fetched), algorithm(algorithm), outputLength(outputLength) {}
+  ~HybridHash();
+
+ public:
+  // Methods
+  void createHash(const std::string& algorithm, const std::optional<double> outputLength) override;
+  void update(const std::shared_ptr<ArrayBuffer>& data) override;
+  std::shared_ptr<ArrayBuffer> digest(const std::optional<std::string>& encoding = std::nullopt) override;
+  std::shared_ptr<margelo::nitro::crypto::HybridHashSpec> copy(const std::optional<double> outputLength) override;
+  std::vector<std::string> getSupportedHashAlgorithms() override;
+  std::string getOpenSSLVersion() override;
+
+ private:
+  // Methods
+  void setParams();
+
+ private:
+  // Properties
+  EVP_MD_CTX* ctx = nullptr;
+  EVP_MD* md = nullptr;
+  bool md_fetched = false;
+  std::string algorithm = "";
+  std::optional<double> outputLength = std::nullopt;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/hmac/HybridHmac.cpp

@@ -0,0 +1,95 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "HybridHmac.hpp"
+
+namespace margelo::nitro::crypto {
+
+HybridHmac::~HybridHmac() {
+  if (ctx) {
+    EVP_MAC_CTX_free(ctx);
+    ctx = nullptr;
+  }
+}
+
+void HybridHmac::createHmac(const std::string& hmacAlgorithm, const std::shared_ptr<ArrayBuffer>& secretKey) {
+  algorithm = hmacAlgorithm;
+
+  // Create and use EVP_MAC locally
+  EVP_MAC* mac = EVP_MAC_fetch(nullptr, "HMAC", nullptr);
+  if (!mac) {
+    throw std::runtime_error("Failed to fetch HMAC implementation: " + std::to_string(ERR_get_error()));
+  }
+
+  // Create HMAC context
+  ctx = EVP_MAC_CTX_new(mac);
+  EVP_MAC_free(mac); // Free immediately after creating the context
+  if (!ctx) {
+    throw std::runtime_error("Failed to create HMAC context: " + std::to_string(ERR_get_error()));
+  }
+
+  // Validate algorithm
+  const EVP_MD* md = EVP_get_digestbyname(algorithm.c_str());
+  if (!md) {
+    throw std::runtime_error("Unknown HMAC algorithm: " + algorithm);
+  }
+
+  // Set up parameters for HMAC
+  OSSL_PARAM params[2];
+  params[0] = OSSL_PARAM_construct_utf8_string("digest", const_cast<char*>(algorithm.c_str()), 0);
+  params[1] = OSSL_PARAM_construct_end();
+
+  const uint8_t* keyData = reinterpret_cast<const uint8_t*>(secretKey->data());
+  size_t keySize = secretKey->size();
+
+  // Handle empty key case by providing a dummy key
+  static const uint8_t dummyKey = 0;
+  if (keySize == 0) {
+    keyData = &dummyKey;
+    keySize = 1;
+  }
+
+  // Initialize HMAC
+  if (EVP_MAC_init(ctx, keyData, keySize, params) != 1) {
+    throw std::runtime_error("Failed to initialize HMAC: " + std::to_string(ERR_get_error()));
+  }
+}
+
+void HybridHmac::update(const std::shared_ptr<ArrayBuffer>& data) {
+  if (!ctx) {
+    throw std::runtime_error("HMAC context not initialized");
+  }
+
+  // Update HMAC with new data
+  if (EVP_MAC_update(ctx, reinterpret_cast<const uint8_t*>(data->data()), data->size()) != 1) {
+    throw std::runtime_error("Failed to update HMAC: " + std::to_string(ERR_get_error()));
+  }
+}
+
+std::shared_ptr<ArrayBuffer> HybridHmac::digest() {
+  if (!ctx) {
+    throw std::runtime_error("HMAC context not initialized");
+  }
+
+  // Determine the maximum possible size of the HMAC output
+  const EVP_MD* md = EVP_get_digestbyname(algorithm.c_str());
+  const size_t hmacLength = EVP_MD_get_size(md);
+
+  // Allocate buffer with the exact required size
+  uint8_t* hmacBuffer = new uint8_t[hmacLength];
+
+  // Finalize the HMAC computation directly into the final buffer
+  if (EVP_MAC_final(ctx, hmacBuffer, nullptr, hmacLength) != 1) {
+    delete[] hmacBuffer;
+    throw std::runtime_error("Failed to finalize HMAC digest: " + std::to_string(ERR_get_error()));
+  }
+
+  return std::make_shared<NativeArrayBuffer>(hmacBuffer, hmacLength, [=]() { delete[] hmacBuffer; });
+}
+
+} // namespace margelo::nitro::crypto