react-native-quick-crypto 1.0.11 → 1.0.13

package/cpp/mlkem/HybridMlKemKeyPair.cpp

@@ -0,0 +1,319 @@
+#include "HybridMlKemKeyPair.hpp"
+
+#include <NitroModules/ArrayBuffer.hpp>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include "QuickCryptoUtils.hpp"
+
+#if OPENSSL_VERSION_NUMBER >= 0x30500000L
+#define RNQC_HAS_ML_KEM 1
+#else
+#define RNQC_HAS_ML_KEM 0
+#endif
+
+namespace margelo::nitro::crypto {
+
+void HybridMlKemKeyPair::setVariant(const std::string& variant) {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#endif
+  if (variant != "ML-KEM-512" && variant != "ML-KEM-768" && variant != "ML-KEM-1024") {
+    throw std::runtime_error("Invalid ML-KEM variant: " + variant + ". Must be ML-KEM-512, ML-KEM-768, or ML-KEM-1024");
+  }
+  variant_ = variant;
+}
+
+std::shared_ptr<Promise<void>> HybridMlKemKeyPair::generateKeyPair(double publicFormat, double publicType, double privateFormat,
+                                                                   double privateType) {
+  return Promise<void>::async([this, publicFormat, publicType, privateFormat, privateType]() {
+    this->generateKeyPairSync(publicFormat, publicType, privateFormat, privateType);
+  });
+}
+
+void HybridMlKemKeyPair::generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType) {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+
+  if (variant_.empty()) {
+    throw std::runtime_error("ML-KEM variant not set. Call setVariant() first.");
+  }
+
+  publicFormat_ = static_cast<int>(publicFormat);
+  publicType_ = static_cast<int>(publicType);
+  privateFormat_ = static_cast<int>(privateFormat);
+  privateType_ = static_cast<int>(privateType);
+
+  pkey_.reset();
+
+  EVP_PKEY_CTX* pctx = EVP_PKEY_CTX_new_from_name(nullptr, variant_.c_str(), nullptr);
+  if (pctx == nullptr) {
+    throw std::runtime_error("Failed to create key context for " + variant_ + ": " + getOpenSSLError());
+  }
+
+  if (EVP_PKEY_keygen_init(pctx) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to initialize keygen: " + getOpenSSLError());
+  }
+
+  EVP_PKEY* raw = nullptr;
+  if (EVP_PKEY_keygen(pctx, &raw) <= 0) {
+    EVP_PKEY_CTX_free(pctx);
+    throw std::runtime_error("Failed to generate ML-KEM key pair: " + getOpenSSLError());
+  }
+
+  pkey_.reset(raw);
+  EVP_PKEY_CTX_free(pctx);
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::getPublicKey() {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  checkKeyPair();
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for public key export");
+  }
+
+  int result;
+  if (publicFormat_ == 1) {
+    result = PEM_write_bio_PUBKEY(bio, pkey_.get());
+  } else {
+    result = i2d_PUBKEY_bio(bio, pkey_.get());
+  }
+
+  if (result != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("Failed to export public key: " + getOpenSSLError());
+  }
+
+  BUF_MEM* bptr;
+  BIO_get_mem_ptr(bio, &bptr);
+
+  uint8_t* data = new uint8_t[bptr->length];
+  memcpy(data, bptr->data, bptr->length);
+  size_t len = bptr->length;
+
+  BIO_free(bio);
+
+  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+#endif
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::getPrivateKey() {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  checkKeyPair();
+
+  BIO* bio = BIO_new(BIO_s_mem());
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for private key export");
+  }
+
+  int result;
+  if (privateFormat_ == 1) {
+    result = PEM_write_bio_PrivateKey(bio, pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr);
+  } else {
+    result = i2d_PKCS8PrivateKey_bio(bio, pkey_.get(), nullptr, nullptr, 0, nullptr, nullptr);
+  }
+
+  if (result != 1) {
+    BIO_free(bio);
+    throw std::runtime_error("Failed to export private key: " + getOpenSSLError());
+  }
+
+  BUF_MEM* bptr;
+  BIO_get_mem_ptr(bio, &bptr);
+
+  uint8_t* data = new uint8_t[bptr->length];
+  memcpy(data, bptr->data, bptr->length);
+  size_t len = bptr->length;
+
+  BIO_free(bio);
+
+  return std::make_shared<NativeArrayBuffer>(data, len, [=]() { delete[] data; });
+#endif
+}
+
+void HybridMlKemKeyPair::setPublicKey(const std::shared_ptr<ArrayBuffer>& keyData, double format, double type) {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+
+  if (variant_.empty()) {
+    throw std::runtime_error("ML-KEM variant not set. Call setVariant() first.");
+  }
+
+  publicFormat_ = static_cast<int>(format);
+  publicType_ = static_cast<int>(type);
+
+  BIO* bio = BIO_new_mem_buf(keyData->data(), static_cast<int>(keyData->size()));
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for public key import");
+  }
+
+  EVP_PKEY* importedKey = nullptr;
+  if (publicFormat_ == 1) {
+    importedKey = PEM_read_bio_PUBKEY(bio, nullptr, nullptr, nullptr);
+  } else {
+    importedKey = d2i_PUBKEY_bio(bio, nullptr);
+  }
+
+  BIO_free(bio);
+
+  if (importedKey == nullptr) {
+    throw std::runtime_error("Failed to import public key: " + getOpenSSLError());
+  }
+
+  pkey_.reset(importedKey);
+#endif
+}
+
+void HybridMlKemKeyPair::setPrivateKey(const std::shared_ptr<ArrayBuffer>& keyData, double format, double type) {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+
+  if (variant_.empty()) {
+    throw std::runtime_error("ML-KEM variant not set. Call setVariant() first.");
+  }
+
+  privateFormat_ = static_cast<int>(format);
+  privateType_ = static_cast<int>(type);
+
+  BIO* bio = BIO_new_mem_buf(keyData->data(), static_cast<int>(keyData->size()));
+  if (!bio) {
+    throw std::runtime_error("Failed to create BIO for private key import");
+  }
+
+  EVP_PKEY* importedKey = nullptr;
+  if (privateFormat_ == 1) {
+    importedKey = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr);
+  } else {
+    importedKey = d2i_PrivateKey_bio(bio, nullptr);
+  }
+
+  BIO_free(bio);
+
+  if (importedKey == nullptr) {
+    throw std::runtime_error("Failed to import private key: " + getOpenSSLError());
+  }
+
+  pkey_.reset(importedKey);
+#endif
+}
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlKemKeyPair::encapsulate() {
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([this]() { return this->encapsulateSync(); });
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::encapsulateSync() {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+  checkKeyPair();
+
+  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey_.get(), nullptr);
+  if (ctx == nullptr) {
+    throw std::runtime_error("Failed to create encapsulation context: " + getOpenSSLError());
+  }
+
+  if (EVP_PKEY_encapsulate_init(ctx, nullptr) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("Failed to initialize encapsulation: " + getOpenSSLError());
+  }
+
+  size_t ct_len = 0;
+  size_t sk_len = 0;
+  if (EVP_PKEY_encapsulate(ctx, nullptr, &ct_len, nullptr, &sk_len) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("Failed to determine encapsulation output sizes: " + getOpenSSLError());
+  }
+
+  // Pack result as: [uint32 ct_len][uint32 sk_len][ciphertext][shared_key]
+  size_t header_size = sizeof(uint32_t) * 2;
+  size_t total_size = header_size + ct_len + sk_len;
+  uint8_t* out = new uint8_t[total_size];
+
+  uint32_t ct_len_u32 = static_cast<uint32_t>(ct_len);
+  uint32_t sk_len_u32 = static_cast<uint32_t>(sk_len);
+  memcpy(out, &ct_len_u32, sizeof(uint32_t));
+  memcpy(out + sizeof(uint32_t), &sk_len_u32, sizeof(uint32_t));
+
+  uint8_t* ct_data = out + header_size;
+  uint8_t* sk_data = ct_data + ct_len;
+
+  if (EVP_PKEY_encapsulate(ctx, ct_data, &ct_len, sk_data, &sk_len) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    delete[] out;
+    throw std::runtime_error("Failed to encapsulate: " + getOpenSSLError());
+  }
+
+  EVP_PKEY_CTX_free(ctx);
+
+  return std::make_shared<NativeArrayBuffer>(out, total_size, [=]() { delete[] out; });
+#endif
+}
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridMlKemKeyPair::decapsulate(const std::shared_ptr<ArrayBuffer>& ciphertext) {
+  auto nativeCiphertext = ToNativeArrayBuffer(ciphertext);
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([this, nativeCiphertext]() { return this->decapsulateSync(nativeCiphertext); });
+}
+
+std::shared_ptr<ArrayBuffer> HybridMlKemKeyPair::decapsulateSync(const std::shared_ptr<ArrayBuffer>& ciphertext) {
+#if !RNQC_HAS_ML_KEM
+  throw std::runtime_error("ML-KEM requires OpenSSL 3.5+");
+#else
+  clearOpenSSLErrors();
+  checkKeyPair();
+
+  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new(pkey_.get(), nullptr);
+  if (ctx == nullptr) {
+    throw std::runtime_error("Failed to create decapsulation context: " + getOpenSSLError());
+  }
+
+  if (EVP_PKEY_decapsulate_init(ctx, nullptr) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("Failed to initialize decapsulation: " + getOpenSSLError());
+  }
+
+  const uint8_t* ct_data = ciphertext->data();
+  size_t ct_size = ciphertext->size();
+
+  size_t sk_len = 0;
+  if (EVP_PKEY_decapsulate(ctx, nullptr, &sk_len, ct_data, ct_size) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    throw std::runtime_error("Failed to determine shared key size: " + getOpenSSLError());
+  }
+
+  uint8_t* sk_data = new uint8_t[sk_len];
+
+  if (EVP_PKEY_decapsulate(ctx, sk_data, &sk_len, ct_data, ct_size) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    delete[] sk_data;
+    throw std::runtime_error("Failed to decapsulate: " + getOpenSSLError());
+  }
+
+  EVP_PKEY_CTX_free(ctx);
+
+  return std::make_shared<NativeArrayBuffer>(sk_data, sk_len, [=]() { delete[] sk_data; });
+#endif
+}
+
+void HybridMlKemKeyPair::checkKeyPair() {
+  if (!pkey_) {
+    throw std::runtime_error("Key pair not initialized");
+  }
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/mlkem/HybridMlKemKeyPair.hpp

@@ -0,0 +1,48 @@
+#pragma once
+
+#include <memory>
+#include <openssl/evp.h>
+#include <string>
+
+#include "HybridMlKemKeyPairSpec.hpp"
+#include "QuickCryptoUtils.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridMlKemKeyPair : public HybridMlKemKeyPairSpec {
+ public:
+  HybridMlKemKeyPair() : HybridObject(TAG) {}
+  ~HybridMlKemKeyPair() override = default;
+
+  void setVariant(const std::string& variant) override;
+
+  std::shared_ptr<Promise<void>> generateKeyPair(double publicFormat, double publicType, double privateFormat, double privateType) override;
+  void generateKeyPairSync(double publicFormat, double publicType, double privateFormat, double privateType) override;
+
+  std::shared_ptr<ArrayBuffer> getPublicKey() override;
+  std::shared_ptr<ArrayBuffer> getPrivateKey() override;
+
+  void setPublicKey(const std::shared_ptr<ArrayBuffer>& keyData, double format, double type) override;
+  void setPrivateKey(const std::shared_ptr<ArrayBuffer>& keyData, double format, double type) override;
+
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> encapsulate() override;
+  std::shared_ptr<ArrayBuffer> encapsulateSync() override;
+
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> decapsulate(const std::shared_ptr<ArrayBuffer>& ciphertext) override;
+  std::shared_ptr<ArrayBuffer> decapsulateSync(const std::shared_ptr<ArrayBuffer>& ciphertext) override;
+
+ private:
+  std::string variant_;
+
+  using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
+  EVP_PKEY_ptr pkey_{nullptr, EVP_PKEY_free};
+
+  int publicFormat_ = -1;
+  int publicType_ = -1;
+  int privateFormat_ = -1;
+  int privateType_ = -1;
+
+  void checkKeyPair();
+};
+
+} // namespace margelo::nitro::crypto

package/cpp/sign/SignUtils.hpp

@@ -2,12 +2,16 @@
 
 #include <cstring>
 #include <memory>
+#include <openssl/bn.h>
+#include <openssl/core_names.h>
 #include <openssl/dsa.h>
 #include <openssl/ec.h>
 #include <openssl/ecdsa.h>
 #include <openssl/evp.h>
 #include <string>
 
+#include "../utils/QuickCryptoUtils.hpp"
+
 namespace margelo::nitro::crypto {
 
 enum DSASigEnc {
@@ -15,29 +19,6 @@ enum DSASigEnc {
   kSigEncP1363 = 1,
 };
 
-inline const EVP_MD* getDigestByName(const std::string& algorithm) {
-  if (algorithm == "SHA1" || algorithm == "sha1" || algorithm == "SHA-1" || algorithm == "sha-1") {
-    return EVP_sha1();
-  } else if (algorithm == "SHA224" || algorithm == "sha224" || algorithm == "SHA-224" || algorithm == "sha-224") {
-    return EVP_sha224();
-  } else if (algorithm == "SHA256" || algorithm == "sha256" || algorithm == "SHA-256" || algorithm == "sha-256") {
-    return EVP_sha256();
-  } else if (algorithm == "SHA384" || algorithm == "sha384" || algorithm == "SHA-384" || algorithm == "sha-384") {
-    return EVP_sha384();
-  } else if (algorithm == "SHA512" || algorithm == "sha512" || algorithm == "SHA-512" || algorithm == "sha-512") {
-    return EVP_sha512();
-  } else if (algorithm == "SHA3-224" || algorithm == "sha3-224") {
-    return EVP_sha3_224();
-  } else if (algorithm == "SHA3-256" || algorithm == "sha3-256") {
-    return EVP_sha3_256();
-  } else if (algorithm == "SHA3-384" || algorithm == "sha3-384") {
-    return EVP_sha3_384();
-  } else if (algorithm == "SHA3-512" || algorithm == "sha3-512") {
-    return EVP_sha3_512();
-  }
-  throw std::runtime_error("Unsupported hash algorithm: " + algorithm);
-}
-
 inline unsigned int getBytesOfRS(EVP_PKEY* pkey) {
   int bits;
   int base_id = EVP_PKEY_base_id(pkey);
@@ -46,9 +27,11 @@ inline unsigned int getBytesOfRS(EVP_PKEY* pkey) {
     const DSA* dsa_key = EVP_PKEY_get0_DSA(pkey);
     bits = BN_num_bits(DSA_get0_q(dsa_key));
   } else if (base_id == EVP_PKEY_EC) {
-    const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey);
-    const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
-    bits = EC_GROUP_order_bits(ec_group);
+    BIGNUM* order = nullptr;
+    if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_EC_ORDER, &order) != 1 || !order)
+      return 0;
+    bits = BN_num_bits(order);
+    BN_free(order);
   } else {
     return 0;
   }

package/cpp/utils/QuickCryptoUtils.cpp

@@ -0,0 +1,44 @@
+#include "QuickCryptoUtils.hpp"
+#include <openssl/bn.h>
+#include <openssl/core_names.h>
+#include <openssl/evp.h>
+#include <openssl/param_build.h>
+#include <stdexcept>
+
+namespace margelo::nitro::crypto {
+
+EVP_PKEY* createEcEvpPkey(const char* group_name, const uint8_t* pub_oct, size_t pub_len, const BIGNUM* priv_bn) {
+  OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new();
+  if (!bld)
+    throw std::runtime_error("Failed to create OSSL_PARAM_BLD");
+
+  OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME, group_name, 0);
+  OSSL_PARAM_BLD_push_octet_string(bld, OSSL_PKEY_PARAM_PUB_KEY, pub_oct, pub_len);
+  if (priv_bn)
+    OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, priv_bn);
+
+  OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld);
+  OSSL_PARAM_BLD_free(bld);
+  if (!params)
+    throw std::runtime_error("Failed to build EC parameters");
+
+  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr);
+  if (!ctx) {
+    OSSL_PARAM_free(params);
+    throw std::runtime_error("Failed to create EVP_PKEY_CTX for EC");
+  }
+
+  int selection = priv_bn ? EVP_PKEY_KEYPAIR : EVP_PKEY_PUBLIC_KEY;
+  EVP_PKEY* pkey = nullptr;
+  if (EVP_PKEY_fromdata_init(ctx) <= 0 || EVP_PKEY_fromdata(ctx, &pkey, selection, params) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    OSSL_PARAM_free(params);
+    throw std::runtime_error("Failed to create EVP_PKEY from EC parameters");
+  }
+
+  EVP_PKEY_CTX_free(ctx);
+  OSSL_PARAM_free(params);
+  return pkey;
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/utils/QuickCryptoUtils.hpp

@@ -3,7 +3,9 @@
 #include <algorithm>
 #include <cctype>
 #include <limits>
+#include <openssl/bn.h>
 #include <openssl/err.h>
+#include <openssl/evp.h>
 #include <string>
 #include <vector>
 
@@ -72,4 +74,41 @@ inline std::string toLower(std::string s) {
   return s;
 }
 
+inline const EVP_MD* getDigestByName(const std::string& algorithm) {
+  std::string algo = toLower(algorithm);
+
+  // Strip legacy RSA- prefix (e.g. rsa-sha256 -> sha256) for Node.js compat
+  if (algo.size() > 4 && algo.compare(0, 4, "rsa-") == 0) {
+    algo = algo.substr(4);
+  }
+
+  if (algo == "sha1" || algo == "sha-1") {
+    return EVP_sha1();
+  } else if (algo == "sha224" || algo == "sha-224") {
+    return EVP_sha224();
+  } else if (algo == "sha256" || algo == "sha-256") {
+    return EVP_sha256();
+  } else if (algo == "sha384" || algo == "sha-384") {
+    return EVP_sha384();
+  } else if (algo == "sha512" || algo == "sha-512") {
+    return EVP_sha512();
+  } else if (algo == "sha3-224") {
+    return EVP_sha3_224();
+  } else if (algo == "sha3-256") {
+    return EVP_sha3_256();
+  } else if (algo == "sha3-384") {
+    return EVP_sha3_384();
+  } else if (algo == "sha3-512") {
+    return EVP_sha3_512();
+  } else if (algo == "ripemd160" || algo == "ripemd-160") {
+    return EVP_ripemd160();
+  }
+  throw std::runtime_error("Unsupported hash algorithm: " + algorithm);
+}
+
+// Build an EVP_PKEY from EC curve name + public key octets + optional private key BIGNUM.
+// Uses OSSL_PARAM_BLD + EVP_PKEY_fromdata (OpenSSL 3.x, no deprecated EC_KEY APIs).
+// Caller owns the returned EVP_PKEY*.
+EVP_PKEY* createEcEvpPkey(const char* group_name, const uint8_t* pub_oct, size_t pub_len, const BIGNUM* priv_bn = nullptr);
+
 } // namespace margelo::nitro::crypto

package/cpp/x509/HybridX509Certificate.cpp

@@ -0,0 +1,174 @@
+#include "HybridX509Certificate.hpp"
+#include "../keys/HybridKeyObjectHandle.hpp"
+#include "../keys/KeyObjectData.hpp"
+#include "QuickCryptoUtils.hpp"
+#include <ncrypto.h>
+
+namespace margelo::nitro::crypto {
+
+std::string HybridX509Certificate::bioToString(ncrypto::BIOPointer bio) const {
+  if (!bio)
+    return "";
+  BUF_MEM* mem = bio;
+  if (!mem || mem->length == 0)
+    return "";
+  return std::string(mem->data, mem->length);
+}
+
+void HybridX509Certificate::init(const std::shared_ptr<ArrayBuffer>& buffer) {
+  ncrypto::Buffer<const unsigned char> buf{.data = reinterpret_cast<const unsigned char*>(buffer->data()), .len = buffer->size()};
+  auto result = ncrypto::X509Pointer::Parse(buf);
+  if (!result) {
+    throw std::runtime_error("Failed to parse X509 certificate");
+  }
+  cert_ = std::move(result.value);
+}
+
+std::string HybridX509Certificate::subject() {
+  return bioToString(cert_.view().getSubject());
+}
+
+std::string HybridX509Certificate::subjectAltName() {
+  return bioToString(cert_.view().getSubjectAltName());
+}
+
+std::string HybridX509Certificate::issuer() {
+  return bioToString(cert_.view().getIssuer());
+}
+
+std::string HybridX509Certificate::infoAccess() {
+  return bioToString(cert_.view().getInfoAccess());
+}
+
+std::string HybridX509Certificate::validFrom() {
+  return bioToString(cert_.view().getValidFrom());
+}
+
+std::string HybridX509Certificate::validTo() {
+  return bioToString(cert_.view().getValidTo());
+}
+
+double HybridX509Certificate::validFromDate() {
+  return static_cast<double>(cert_.view().getValidFromTime()) * 1000.0;
+}
+
+double HybridX509Certificate::validToDate() {
+  return static_cast<double>(cert_.view().getValidToTime()) * 1000.0;
+}
+
+std::string HybridX509Certificate::signatureAlgorithm() {
+  auto algo = cert_.view().getSignatureAlgorithm();
+  if (!algo.has_value())
+    return "";
+  return std::string(algo.value());
+}
+
+std::string HybridX509Certificate::signatureAlgorithmOid() {
+  return cert_.view().getSignatureAlgorithmOID().value_or("");
+}
+
+std::string HybridX509Certificate::serialNumber() {
+  auto serial = cert_.view().getSerialNumber();
+  if (!serial)
+    return "";
+  return std::string(static_cast<const char*>(serial.get()), serial.size());
+}
+
+std::string HybridX509Certificate::fingerprint() {
+  return cert_.view().getFingerprint(ncrypto::Digest::SHA1).value_or("");
+}
+
+std::string HybridX509Certificate::fingerprint256() {
+  return cert_.view().getFingerprint(ncrypto::Digest::SHA256).value_or("");
+}
+
+std::string HybridX509Certificate::fingerprint512() {
+  return cert_.view().getFingerprint(ncrypto::Digest::SHA512).value_or("");
+}
+
+std::shared_ptr<ArrayBuffer> HybridX509Certificate::raw() {
+  auto bio = cert_.view().toDER();
+  if (!bio) {
+    throw std::runtime_error("Failed to export certificate as DER");
+  }
+  BUF_MEM* mem = bio;
+  return ToNativeArrayBuffer(reinterpret_cast<const uint8_t*>(mem->data), mem->length);
+}
+
+std::string HybridX509Certificate::pem() {
+  return bioToString(cert_.view().toPEM());
+}
+
+std::shared_ptr<HybridKeyObjectHandleSpec> HybridX509Certificate::publicKey() {
+  auto result = cert_.view().getPublicKey();
+  if (!result) {
+    throw std::runtime_error("Failed to extract public key from certificate");
+  }
+  auto handle = std::make_shared<HybridKeyObjectHandle>();
+  handle->setKeyObjectData(KeyObjectData::CreateAsymmetric(KeyType::PUBLIC, std::move(result.value)));
+  return handle;
+}
+
+std::vector<std::string> HybridX509Certificate::keyUsage() {
+  std::vector<std::string> usages;
+  cert_.view().enumUsages([&](const char* usage) { usages.emplace_back(usage); });
+  return usages;
+}
+
+bool HybridX509Certificate::ca() {
+  return cert_.view().isCA();
+}
+
+bool HybridX509Certificate::checkIssued(const std::shared_ptr<HybridX509CertificateHandleSpec>& other) {
+  auto otherCert = std::dynamic_pointer_cast<HybridX509Certificate>(other);
+  if (!otherCert) {
+    throw std::runtime_error("Invalid X509Certificate");
+  }
+  return cert_.view().isIssuedBy(otherCert->cert_.view());
+}
+
+bool HybridX509Certificate::checkPrivateKey(const std::shared_ptr<HybridKeyObjectHandleSpec>& key) {
+  auto handle = std::dynamic_pointer_cast<HybridKeyObjectHandle>(key);
+  if (!handle) {
+    throw std::runtime_error("Invalid key object");
+  }
+  return cert_.view().checkPrivateKey(handle->getKeyObjectData().GetAsymmetricKey());
+}
+
+bool HybridX509Certificate::verify(const std::shared_ptr<HybridKeyObjectHandleSpec>& key) {
+  auto handle = std::dynamic_pointer_cast<HybridKeyObjectHandle>(key);
+  if (!handle) {
+    throw std::runtime_error("Invalid key object");
+  }
+  return cert_.view().checkPublicKey(handle->getKeyObjectData().GetAsymmetricKey());
+}
+
+std::optional<std::string> HybridX509Certificate::checkHost(const std::string& name, double flags) {
+  ncrypto::DataPointer peername;
+  auto match = cert_.view().checkHost(name, static_cast<int>(flags), &peername);
+  if (match == ncrypto::X509View::CheckMatch::MATCH) {
+    if (peername) {
+      return std::string(static_cast<const char*>(peername.get()), peername.size());
+    }
+    return name;
+  }
+  return std::nullopt;
+}
+
+std::optional<std::string> HybridX509Certificate::checkEmail(const std::string& email, double flags) {
+  auto match = cert_.view().checkEmail(email, static_cast<int>(flags));
+  if (match == ncrypto::X509View::CheckMatch::MATCH) {
+    return email;
+  }
+  return std::nullopt;
+}
+
+std::optional<std::string> HybridX509Certificate::checkIP(const std::string& ip) {
+  auto match = cert_.view().checkIp(ip, 0);
+  if (match == ncrypto::X509View::CheckMatch::MATCH) {
+    return ip;
+  }
+  return std::nullopt;
+}
+
+} // namespace margelo::nitro::crypto