react-native-quick-crypto 1.0.10 → 1.0.11

package/android/CMakeLists.txt

@@ -25,7 +25,9 @@ endif()
 add_library(
   ${PACKAGE_NAME} SHARED
   src/main/cpp/cpp-adapter.cpp
+  ../cpp/argon2/HybridArgon2.cpp
   ../cpp/blake3/HybridBlake3.cpp
+  ../cpp/certificate/HybridCertificate.cpp
   ../cpp/cipher/CCMCipher.cpp
   ../cpp/cipher/GCMCipher.cpp
   ../cpp/cipher/HybridCipher.cpp
@@ -37,6 +39,8 @@ add_library(
   ../cpp/cipher/ChaCha20Cipher.cpp
   ../cpp/cipher/ChaCha20Poly1305Cipher.cpp
   ../cpp/dh/HybridDiffieHellman.cpp
+  ../cpp/dh/HybridDhKeyPair.cpp
+  ../cpp/dsa/HybridDsaKeyPair.cpp
   ../cpp/ec/HybridEcKeyPair.cpp
   ../cpp/ecdh/HybridECDH.cpp
   ../cpp/ed25519/HybridEdKeyPair.cpp
@@ -47,6 +51,7 @@ add_library(
   ../cpp/keys/KeyObjectData.cpp
   ../cpp/mldsa/HybridMlDsaKeyPair.cpp
   ../cpp/pbkdf2/HybridPbkdf2.cpp
+  ../cpp/prime/HybridPrime.cpp
   ../cpp/random/HybridRandom.cpp
   ../cpp/rsa/HybridRsaKeyPair.cpp
   ../cpp/scrypt/HybridScrypt.cpp
@@ -66,9 +71,12 @@ include(${CMAKE_SOURCE_DIR}/../nitrogen/generated/android/QuickCrypto+autolinkin
 # local includes
 include_directories(
   "src/main/cpp"
+  "../cpp/argon2"
   "../cpp/blake3"
+  "../cpp/certificate"
   "../cpp/cipher"
   "../cpp/dh"
+  "../cpp/dsa"
   "../cpp/ec"
   "../cpp/ecdh"
   "../cpp/ed25519"
@@ -78,6 +86,7 @@ include_directories(
   "../cpp/keys"
   "../cpp/mldsa"
   "../cpp/pbkdf2"
+  "../cpp/prime"
   "../cpp/random"
   "../cpp/rsa"
   "../cpp/sign"

package/cpp/argon2/HybridArgon2.cpp

@@ -0,0 +1,103 @@
+#include <NitroModules/ArrayBuffer.hpp>
+#include <memory>
+#include <ncrypto.h>
+#include <openssl/err.h>
+#include <openssl/opensslv.h>
+#include <string>
+
+#include "HybridArgon2.hpp"
+#include "QuickCryptoUtils.hpp"
+
+namespace margelo::nitro::crypto {
+
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L
+#ifndef OPENSSL_NO_ARGON2
+
+static ncrypto::Argon2Type parseAlgorithm(const std::string& algo) {
+  if (algo == "argon2d")
+    return ncrypto::Argon2Type::ARGON2D;
+  if (algo == "argon2i")
+    return ncrypto::Argon2Type::ARGON2I;
+  if (algo == "argon2id")
+    return ncrypto::Argon2Type::ARGON2ID;
+  throw std::runtime_error("Unknown argon2 algorithm: " + algo);
+}
+
+static std::shared_ptr<ArrayBuffer> hashImpl(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& message,
+                                             const std::shared_ptr<ArrayBuffer>& nonce, double parallelism, double tagLength, double memory,
+                                             double passes, double version, const std::optional<std::shared_ptr<ArrayBuffer>>& secret,
+                                             const std::optional<std::shared_ptr<ArrayBuffer>>& associatedData) {
+
+  auto type = parseAlgorithm(algorithm);
+
+  ncrypto::Buffer<const char> passBuf{message->size() > 0 ? reinterpret_cast<const char*>(message->data()) : "", message->size()};
+
+  ncrypto::Buffer<const unsigned char> saltBuf{nonce->size() > 0 ? reinterpret_cast<const unsigned char*>(nonce->data())
+                                                                 : reinterpret_cast<const unsigned char*>(""),
+                                               nonce->size()};
+
+  ncrypto::Buffer<const unsigned char> secretBuf{nullptr, 0};
+  if (secret.has_value() && secret.value()->size() > 0) {
+    secretBuf = {reinterpret_cast<const unsigned char*>(secret.value()->data()), secret.value()->size()};
+  }
+
+  ncrypto::Buffer<const unsigned char> adBuf{nullptr, 0};
+  if (associatedData.has_value() && associatedData.value()->size() > 0) {
+    adBuf = {reinterpret_cast<const unsigned char*>(associatedData.value()->data()), associatedData.value()->size()};
+  }
+
+  auto result =
+      ncrypto::argon2(passBuf, saltBuf, static_cast<uint32_t>(parallelism), static_cast<size_t>(tagLength), static_cast<uint32_t>(memory),
+                      static_cast<uint32_t>(passes), static_cast<uint32_t>(version), secretBuf, adBuf, type);
+
+  if (!result) {
+    unsigned long err = ERR_peek_last_error();
+    const char* reason = err ? ERR_reason_error_string(err) : nullptr;
+    throw std::runtime_error(reason ? std::string("Argon2 operation failed: ") + reason : "Argon2 operation failed");
+  }
+
+  return ToNativeArrayBuffer(reinterpret_cast<const uint8_t*>(result.get()), result.size());
+}
+
+#endif // OPENSSL_NO_ARGON2
+#endif // OPENSSL_VERSION_NUMBER
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>>
+HybridArgon2::hash(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& message, const std::shared_ptr<ArrayBuffer>& nonce,
+                   double parallelism, double tagLength, double memory, double passes, double version,
+                   const std::optional<std::shared_ptr<ArrayBuffer>>& secret,
+                   const std::optional<std::shared_ptr<ArrayBuffer>>& associatedData) {
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L && !defined(OPENSSL_NO_ARGON2)
+  auto nativeMessage = ToNativeArrayBuffer(message);
+  auto nativeNonce = ToNativeArrayBuffer(nonce);
+  std::optional<std::shared_ptr<ArrayBuffer>> nativeSecret;
+  if (secret.has_value()) {
+    nativeSecret = ToNativeArrayBuffer(secret.value());
+  }
+  std::optional<std::shared_ptr<ArrayBuffer>> nativeAd;
+  if (associatedData.has_value()) {
+    nativeAd = ToNativeArrayBuffer(associatedData.value());
+  }
+
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([algorithm, nativeMessage, nativeNonce, parallelism, tagLength, memory, passes,
+                                                       version, nativeSecret = std::move(nativeSecret), nativeAd = std::move(nativeAd)]() {
+    return hashImpl(algorithm, nativeMessage, nativeNonce, parallelism, tagLength, memory, passes, version, nativeSecret, nativeAd);
+  });
+#else
+  throw std::runtime_error("Argon2 is not supported (requires OpenSSL 3.2+)");
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> HybridArgon2::hashSync(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& message,
+                                                    const std::shared_ptr<ArrayBuffer>& nonce, double parallelism, double tagLength,
+                                                    double memory, double passes, double version,
+                                                    const std::optional<std::shared_ptr<ArrayBuffer>>& secret,
+                                                    const std::optional<std::shared_ptr<ArrayBuffer>>& associatedData) {
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L && !defined(OPENSSL_NO_ARGON2)
+  return hashImpl(algorithm, message, nonce, parallelism, tagLength, memory, passes, version, secret, associatedData);
+#else
+  throw std::runtime_error("Argon2 is not supported (requires OpenSSL 3.2+)");
+#endif
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/argon2/HybridArgon2.hpp

@@ -0,0 +1,32 @@
+#pragma once
+
+#include <NitroModules/ArrayBuffer.hpp>
+#include <NitroModules/Promise.hpp>
+#include <memory>
+#include <optional>
+#include <string>
+
+#include "HybridArgon2Spec.hpp"
+
+namespace margelo::nitro::crypto {
+
+using namespace facebook;
+
+class HybridArgon2 : public HybridArgon2Spec {
+ public:
+  HybridArgon2() : HybridObject(TAG) {}
+
+ public:
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> hash(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& message,
+                                                              const std::shared_ptr<ArrayBuffer>& nonce, double parallelism,
+                                                              double tagLength, double memory, double passes, double version,
+                                                              const std::optional<std::shared_ptr<ArrayBuffer>>& secret,
+                                                              const std::optional<std::shared_ptr<ArrayBuffer>>& associatedData) override;
+
+  std::shared_ptr<ArrayBuffer> hashSync(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& message,
+                                        const std::shared_ptr<ArrayBuffer>& nonce, double parallelism, double tagLength, double memory,
+                                        double passes, double version, const std::optional<std::shared_ptr<ArrayBuffer>>& secret,
+                                        const std::optional<std::shared_ptr<ArrayBuffer>>& associatedData) override;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/certificate/HybridCertificate.cpp

@@ -0,0 +1,42 @@
+#include "HybridCertificate.hpp"
+#include "QuickCryptoUtils.hpp"
+#include <ncrypto.h>
+#include <openssl/crypto.h>
+
+namespace margelo::nitro::crypto {
+
+bool HybridCertificate::verifySpkac(const std::shared_ptr<ArrayBuffer>& spkac) {
+  return ncrypto::VerifySpkac(reinterpret_cast<const char*>(spkac->data()), spkac->size());
+}
+
+std::shared_ptr<ArrayBuffer> HybridCertificate::exportPublicKey(const std::shared_ptr<ArrayBuffer>& spkac) {
+  auto bio = ncrypto::ExportPublicKey(reinterpret_cast<const char*>(spkac->data()), spkac->size());
+
+  if (!bio) {
+    auto empty = new uint8_t[0];
+    return std::make_shared<NativeArrayBuffer>(empty, 0, [empty]() { delete[] empty; });
+  }
+
+  BUF_MEM* mem = bio;
+  if (!mem || mem->length == 0) {
+    auto empty = new uint8_t[0];
+    return std::make_shared<NativeArrayBuffer>(empty, 0, [empty]() { delete[] empty; });
+  }
+
+  return ToNativeArrayBuffer(reinterpret_cast<const uint8_t*>(mem->data), mem->length);
+}
+
+std::shared_ptr<ArrayBuffer> HybridCertificate::exportChallenge(const std::shared_ptr<ArrayBuffer>& spkac) {
+  auto buf = ncrypto::ExportChallenge(reinterpret_cast<const char*>(spkac->data()), spkac->size());
+
+  if (buf.data == nullptr) {
+    auto empty = new uint8_t[0];
+    return std::make_shared<NativeArrayBuffer>(empty, 0, [empty]() { delete[] empty; });
+  }
+
+  auto result = ToNativeArrayBuffer(reinterpret_cast<const uint8_t*>(buf.data), buf.len);
+  OPENSSL_free(buf.data);
+  return result;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/certificate/HybridCertificate.hpp

@@ -0,0 +1,16 @@
+#pragma once
+
+#include "HybridCertificateSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridCertificate : public HybridCertificateSpec {
+ public:
+  HybridCertificate() : HybridObject(TAG) {}
+
+  bool verifySpkac(const std::shared_ptr<ArrayBuffer>& spkac) override;
+  std::shared_ptr<ArrayBuffer> exportPublicKey(const std::shared_ptr<ArrayBuffer>& spkac) override;
+  std::shared_ptr<ArrayBuffer> exportChallenge(const std::shared_ptr<ArrayBuffer>& spkac) override;
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/cipher/HybridCipher.cpp

@@ -8,6 +8,7 @@
 #include "HybridCipher.hpp"
 #include "QuickCryptoUtils.hpp"
 
+#include <ncrypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
@@ -336,4 +337,61 @@ std::vector<std::string> HybridCipher::getSupportedCiphers() {
   return cipher_names;
 }
 
+std::optional<CipherInfo> HybridCipher::getCipherInfo(const std::string& name, std::optional<double> keyLength,
+                                                      std::optional<double> ivLength) {
+  auto cipher = ncrypto::Cipher::FromName(name.c_str());
+  if (!cipher)
+    return std::nullopt;
+
+  size_t iv_length = cipher.getIvLength();
+  size_t key_length = cipher.getKeyLength();
+
+  if (keyLength.has_value() || ivLength.has_value()) {
+    auto ctx = ncrypto::CipherCtxPointer::New();
+    if (!ctx.init(cipher, true))
+      return std::nullopt;
+
+    if (keyLength.has_value()) {
+      size_t check_len = static_cast<size_t>(keyLength.value());
+      if (!ctx.setKeyLength(check_len))
+        return std::nullopt;
+      key_length = check_len;
+    }
+
+    if (ivLength.has_value()) {
+      size_t check_len = static_cast<size_t>(ivLength.value());
+      if (cipher.isCcmMode()) {
+        if (check_len < 7 || check_len > 13)
+          return std::nullopt;
+      } else if (cipher.isGcmMode()) {
+        // GCM accepts flexible IV lengths
+      } else if (cipher.isOcbMode()) {
+        if (!ctx.setIvLength(check_len))
+          return std::nullopt;
+      } else {
+        if (check_len != iv_length)
+          return std::nullopt;
+      }
+      iv_length = check_len;
+    }
+  }
+
+  std::string name_str(cipher.getName());
+  std::transform(name_str.begin(), name_str.end(), name_str.begin(), ::tolower);
+
+  std::string mode_str(cipher.getModeLabel());
+
+  std::optional<double> block_size = std::nullopt;
+  if (!cipher.isStreamMode()) {
+    block_size = static_cast<double>(cipher.getBlockSize());
+  }
+
+  std::optional<double> iv_len = std::nullopt;
+  if (iv_length != 0) {
+    iv_len = static_cast<double>(iv_length);
+  }
+
+  return CipherInfo{name_str, static_cast<double>(cipher.getNid()), mode_str, static_cast<double>(key_length), block_size, iv_len};
+}
+
 } // namespace margelo::nitro::crypto

package/cpp/cipher/HybridCipher.hpp

@@ -8,6 +8,7 @@
 #include <string>
 #include <vector>
 
+#include "CipherInfo.hpp"
 #include "HybridCipherSpec.hpp"
 
 namespace margelo::nitro::crypto {
@@ -40,6 +41,9 @@ class HybridCipher : public HybridCipherSpec {
 
   std::vector<std::string> getSupportedCiphers() override;
 
+  std::optional<CipherInfo> getCipherInfo(const std::string& name, std::optional<double> keyLength,
+                                          std::optional<double> ivLength) override;
+
  protected:
   // Protected enums for state management
   enum CipherKind { kCipher, kDecipher };

package/cpp/dh/HybridDhKeyPair.cpp

@@ -0,0 +1,179 @@
+#include "HybridDhKeyPair.hpp"
+
+#include <NitroModules/ArrayBuffer.hpp>
+#include <NitroModules/Promise.hpp>
+#include <memory>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/buffer.h>
+#include <openssl/dh.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <stdexcept>
+#include <string>
+
+// Suppress deprecation warnings for DH_* functions
+// Node.js ncrypto uses the same pattern — these APIs work but are deprecated in OpenSSL 3.x
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+
+namespace margelo::nitro::crypto {
+
+using BN_ptr = std::unique_ptr<BIGNUM, decltype(&BN_free)>;
+using DH_ptr = std::unique_ptr<DH, decltype(&DH_free)>;
+using EVP_PKEY_CTX_ptr = std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)>;
+
+void HybridDhKeyPair::setPrimeLength(double primeLength) {
+  primeLength_ = static_cast<int>(primeLength);
+}
+
+void HybridDhKeyPair::setPrime(const std::shared_ptr<ArrayBuffer>& prime) {
+  prime_.assign(prime->data(), prime->data() + prime->size());
+}
+
+void HybridDhKeyPair::setGenerator(double generator) {
+  generator_ = static_cast<int>(generator);
+}
+
+std::shared_ptr<Promise<void>> HybridDhKeyPair::generateKeyPair() {
+  return Promise<void>::async([this]() { this->generateKeyPairSync(); });
+}
+
+void HybridDhKeyPair::generateKeyPairSync() {
+  pkey_.reset();
+
+  EVP_PKEY* params = nullptr;
+
+  if (!prime_.empty()) {
+    // Mode B: Custom prime provided as binary
+    DH_ptr dh(DH_new(), DH_free);
+    if (!dh) {
+      throw std::runtime_error("DH: failed to create DH structure");
+    }
+
+    BIGNUM* p = BN_bin2bn(prime_.data(), static_cast<int>(prime_.size()), nullptr);
+    BIGNUM* g = BN_new();
+    if (!p || !g) {
+      if (p)
+        BN_free(p);
+      if (g)
+        BN_free(g);
+      throw std::runtime_error("DH: failed to create BIGNUM parameters");
+    }
+    BN_set_word(g, static_cast<unsigned long>(generator_));
+
+    if (DH_set0_pqg(dh.get(), p, nullptr, g) != 1) {
+      BN_free(p);
+      BN_free(g);
+      throw std::runtime_error("DH: failed to set DH parameters");
+    }
+
+    EVP_PKEY* pkey_params = EVP_PKEY_new();
+    if (!pkey_params) {
+      throw std::runtime_error("DH: failed to create EVP_PKEY for parameters");
+    }
+
+    if (EVP_PKEY_assign_DH(pkey_params, dh.get()) != 1) {
+      EVP_PKEY_free(pkey_params);
+      throw std::runtime_error("DH: failed to assign DH to EVP_PKEY");
+    }
+    dh.release(); // EVP_PKEY now owns it
+
+    params = pkey_params;
+
+  } else if (primeLength_ > 0) {
+    // Mode C: Generate random prime of given size
+    EVP_PKEY_CTX_ptr pctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DH, nullptr), EVP_PKEY_CTX_free);
+    if (!pctx) {
+      throw std::runtime_error("DH: failed to create parameter context");
+    }
+
+    if (EVP_PKEY_paramgen_init(pctx.get()) <= 0) {
+      throw std::runtime_error("DH: failed to initialize parameter generation");
+    }
+
+    if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx.get(), primeLength_) <= 0) {
+      throw std::runtime_error("DH: failed to set prime length");
+    }
+
+    if (EVP_PKEY_CTX_set_dh_paramgen_generator(pctx.get(), generator_) <= 0) {
+      throw std::runtime_error("DH: failed to set generator");
+    }
+
+    if (EVP_PKEY_paramgen(pctx.get(), &params) <= 0) {
+      throw std::runtime_error("DH: failed to generate parameters");
+    }
+  } else {
+    throw std::runtime_error("DH: either prime or primeLength must be set");
+  }
+
+  std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> params_guard(params, EVP_PKEY_free);
+
+  // Generate key pair from parameters
+  EVP_PKEY_CTX_ptr kctx(EVP_PKEY_CTX_new(params, nullptr), EVP_PKEY_CTX_free);
+  if (!kctx) {
+    throw std::runtime_error("DH: failed to create keygen context");
+  }
+
+  if (EVP_PKEY_keygen_init(kctx.get()) <= 0) {
+    throw std::runtime_error("DH: failed to initialize key generation");
+  }
+
+  EVP_PKEY* raw_pkey = nullptr;
+  if (EVP_PKEY_keygen(kctx.get(), &raw_pkey) <= 0) {
+    throw std::runtime_error("DH: failed to generate key pair");
+  }
+
+  pkey_.reset(raw_pkey);
+}
+
+std::shared_ptr<ArrayBuffer> HybridDhKeyPair::getPublicKey() {
+  if (!pkey_) {
+    throw std::runtime_error("DH: no key pair generated");
+  }
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("DH: failed to create BIO for public key export");
+  }
+
+  if (i2d_PUBKEY_bio(bio, pkey_.get()) != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("DH: failed to export public key");
+  }
+
+  BUF_MEM* mem;
+  BIO_get_mem_ptr(bio, &mem);
+  std::string derData(mem->data, mem->length);
+  BIO_free(bio);
+
+  return ToNativeArrayBuffer(derData);
+}
+
+std::shared_ptr<ArrayBuffer> HybridDhKeyPair::getPrivateKey() {
+  if (!pkey_) {
+    throw std::runtime_error("DH: no key pair generated");
+  }
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("DH: failed to create BIO for private key export");
+  }
+
+  if (i2d_PKCS8PrivateKey_bio(bio, pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("DH: failed to export private key");
+  }
+
+  BUF_MEM* mem;
+  BIO_get_mem_ptr(bio, &mem);
+  std::string derData(mem->data, mem->length);
+  BIO_free(bio);
+
+  return ToNativeArrayBuffer(derData);
+}
+
+#pragma clang diagnostic pop
+
+} // namespace margelo::nitro::crypto

package/cpp/dh/HybridDhKeyPair.hpp

@@ -0,0 +1,37 @@
+#pragma once
+
+#include <memory>
+#include <openssl/dh.h>
+#include <openssl/evp.h>
+#include <string>
+#include <vector>
+
+#include "HybridDhKeyPairSpec.hpp"
+#include "QuickCryptoUtils.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridDhKeyPair : public HybridDhKeyPairSpec {
+ public:
+  HybridDhKeyPair() : HybridObject(TAG) {}
+  ~HybridDhKeyPair() override = default;
+
+ public:
+  std::shared_ptr<Promise<void>> generateKeyPair() override;
+  void generateKeyPairSync() override;
+  void setPrimeLength(double primeLength) override;
+  void setPrime(const std::shared_ptr<ArrayBuffer>& prime) override;
+  void setGenerator(double generator) override;
+  std::shared_ptr<ArrayBuffer> getPublicKey() override;
+  std::shared_ptr<ArrayBuffer> getPrivateKey() override;
+
+ private:
+  int primeLength_ = 0;
+  std::vector<uint8_t> prime_;
+  int generator_ = 2;
+
+  using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
+  EVP_PKEY_ptr pkey_{nullptr, EVP_PKEY_free};
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/dsa/HybridDsaKeyPair.cpp

@@ -0,0 +1,128 @@
+#include "HybridDsaKeyPair.hpp"
+
+#include <NitroModules/ArrayBuffer.hpp>
+#include <NitroModules/Promise.hpp>
+#include <memory>
+#include <openssl/bio.h>
+#include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <stdexcept>
+#include <string>
+
+namespace margelo::nitro::crypto {
+
+void HybridDsaKeyPair::setModulusLength(double modulusLength) {
+  modulusLength_ = static_cast<int>(modulusLength);
+}
+
+void HybridDsaKeyPair::setDivisorLength(double divisorLength) {
+  divisorLength_ = static_cast<int>(divisorLength);
+}
+
+std::shared_ptr<Promise<void>> HybridDsaKeyPair::generateKeyPair() {
+  return Promise<void>::async([this]() { this->generateKeyPairSync(); });
+}
+
+void HybridDsaKeyPair::generateKeyPairSync() {
+  if (modulusLength_ <= 0) {
+    throw std::runtime_error("DSA modulusLength must be set before generating key pair");
+  }
+
+  pkey_.reset();
+
+  // Step 1: Generate DSA parameters
+  std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> param_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr), EVP_PKEY_CTX_free);
+
+  if (!param_ctx) {
+    throw std::runtime_error("DSA: failed to create parameter context");
+  }
+
+  if (EVP_PKEY_paramgen_init(param_ctx.get()) <= 0) {
+    throw std::runtime_error("DSA: failed to initialize parameter generation");
+  }
+
+  if (EVP_PKEY_CTX_set_dsa_paramgen_bits(param_ctx.get(), modulusLength_) <= 0) {
+    throw std::runtime_error("DSA: failed to set modulus length");
+  }
+
+  if (divisorLength_ >= 0) {
+    if (EVP_PKEY_CTX_set_dsa_paramgen_q_bits(param_ctx.get(), divisorLength_) <= 0) {
+      throw std::runtime_error("DSA: failed to set divisor length");
+    }
+  }
+
+  EVP_PKEY* raw_params = nullptr;
+  if (EVP_PKEY_paramgen(param_ctx.get(), &raw_params) <= 0) {
+    throw std::runtime_error("DSA: failed to generate parameters");
+  }
+
+  std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> params(raw_params, EVP_PKEY_free);
+
+  // Step 2: Generate key pair from parameters
+  std::unique_ptr<EVP_PKEY_CTX, decltype(&EVP_PKEY_CTX_free)> key_ctx(EVP_PKEY_CTX_new(params.get(), nullptr), EVP_PKEY_CTX_free);
+
+  if (!key_ctx) {
+    throw std::runtime_error("DSA: failed to create key generation context");
+  }
+
+  if (EVP_PKEY_keygen_init(key_ctx.get()) <= 0) {
+    throw std::runtime_error("DSA: failed to initialize key generation");
+  }
+
+  EVP_PKEY* raw_pkey = nullptr;
+  if (EVP_PKEY_keygen(key_ctx.get(), &raw_pkey) <= 0) {
+    throw std::runtime_error("DSA: failed to generate key pair");
+  }
+
+  pkey_.reset(raw_pkey);
+}
+
+std::shared_ptr<ArrayBuffer> HybridDsaKeyPair::getPublicKey() {
+  if (!pkey_) {
+    throw std::runtime_error("DSA: no key pair generated");
+  }
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("DSA: failed to create BIO for public key export");
+  }
+
+  if (i2d_PUBKEY_bio(bio, pkey_.get()) != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("DSA: failed to export public key");
+  }
+
+  BUF_MEM* mem;
+  BIO_get_mem_ptr(bio, &mem);
+  std::string derData(mem->data, mem->length);
+  BIO_free(bio);
+
+  return ToNativeArrayBuffer(derData);
+}
+
+std::shared_ptr<ArrayBuffer> HybridDsaKeyPair::getPrivateKey() {
+  if (!pkey_) {
+    throw std::runtime_error("DSA: no key pair generated");
+  }
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("DSA: failed to create BIO for private key export");
+  }
+
+  if (i2d_PKCS8PrivateKey_bio(bio, pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr) != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("DSA: failed to export private key");
+  }
+
+  BUF_MEM* mem;
+  BIO_get_mem_ptr(bio, &mem);
+  std::string derData(mem->data, mem->length);
+  BIO_free(bio);
+
+  return ToNativeArrayBuffer(derData);
+}
+
+} // namespace margelo::nitro::crypto