npm - react-native-quick-crypto - Versions diffs - 1.0.8 → 1.0.10 - Mend

react-native-quick-crypto 1.0.8 → 1.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/QuickCrypto.podspec +56 -6
package/README.md +17 -11
package/android/CMakeLists.txt +4 -0
package/android/build.gradle +3 -0
package/cpp/cipher/HybridCipherFactory.hpp +15 -1
package/cpp/cipher/OCBCipher.cpp +4 -4
package/cpp/cipher/XChaCha20Poly1305Cipher.cpp +161 -0
package/cpp/cipher/XChaCha20Poly1305Cipher.hpp +43 -0
package/cpp/cipher/XSalsa20Poly1305Cipher.cpp +145 -0
package/cpp/cipher/XSalsa20Poly1305Cipher.hpp +42 -0
package/cpp/dh/HybridDiffieHellman.cpp +10 -0
package/cpp/dh/HybridDiffieHellman.hpp +1 -0
package/cpp/ec/HybridEcKeyPair.cpp +21 -0
package/cpp/ec/HybridEcKeyPair.hpp +1 -0
package/cpp/hash/HybridHash.cpp +1 -1
package/cpp/hash/HybridHash.hpp +1 -1
package/cpp/hmac/HybridHmac.cpp +1 -1
package/cpp/hmac/HybridHmac.hpp +1 -1
package/cpp/keys/HybridKeyObjectHandle.cpp +112 -1
package/cpp/keys/HybridKeyObjectHandle.hpp +5 -1
package/deps/ncrypto/.bazelrc +0 -1
package/deps/ncrypto/.bazelversion +1 -1
package/deps/ncrypto/.github/workflows/commitlint.yml +16 -0
package/deps/ncrypto/.github/workflows/linter.yml +2 -2
package/deps/ncrypto/.github/workflows/release-please.yml +16 -0
package/deps/ncrypto/.github/workflows/ubuntu.yml +82 -0
package/deps/ncrypto/.release-please-manifest.json +3 -0
package/deps/ncrypto/BUILD.bazel +9 -1
package/deps/ncrypto/CHANGELOG.md +37 -0
package/deps/ncrypto/CMakeLists.txt +35 -11
package/deps/ncrypto/MODULE.bazel +16 -1
package/deps/ncrypto/MODULE.bazel.lock +299 -118
package/deps/ncrypto/cmake/ncrypto-flags.cmake +1 -0
package/deps/ncrypto/include/ncrypto/aead.h +137 -0
package/deps/ncrypto/include/ncrypto/version.h +14 -0
package/deps/ncrypto/include/ncrypto.h +85 -230
package/deps/ncrypto/ncrypto.pc.in +10 -0
package/deps/ncrypto/release-please-config.json +11 -0
package/deps/ncrypto/src/CMakeLists.txt +31 -6
package/deps/ncrypto/src/aead.cpp +302 -0
package/deps/ncrypto/src/ncrypto.cpp +274 -556
package/deps/ncrypto/tests/BUILD.bazel +2 -0
package/deps/ncrypto/tests/basic.cpp +772 -2
package/deps/ncrypto/tools/run-clang-format.sh +5 -5
package/lib/commonjs/diffie-hellman.js +4 -1
package/lib/commonjs/diffie-hellman.js.map +1 -1
package/lib/commonjs/ec.js +20 -25
package/lib/commonjs/ec.js.map +1 -1
package/lib/commonjs/ed.js +1 -2
package/lib/commonjs/ed.js.map +1 -1
package/lib/commonjs/hash.js +7 -0
package/lib/commonjs/hash.js.map +1 -1
package/lib/commonjs/index.js +24 -2
package/lib/commonjs/index.js.map +1 -1
package/lib/commonjs/keys/classes.js +9 -5
package/lib/commonjs/keys/classes.js.map +1 -1
package/lib/commonjs/subtle.js +82 -31
package/lib/commonjs/subtle.js.map +1 -1
package/lib/commonjs/utils/types.js.map +1 -1
package/lib/module/diffie-hellman.js +4 -0
package/lib/module/diffie-hellman.js.map +1 -1
package/lib/module/ec.js +19 -25
package/lib/module/ec.js.map +1 -1
package/lib/module/ed.js +1 -2
package/lib/module/ed.js.map +1 -1
package/lib/module/hash.js +6 -0
package/lib/module/hash.js.map +1 -1
package/lib/module/index.js +10 -1
package/lib/module/index.js.map +1 -1
package/lib/module/keys/classes.js +9 -5
package/lib/module/keys/classes.js.map +1 -1
package/lib/module/subtle.js +83 -32
package/lib/module/subtle.js.map +1 -1
package/lib/module/utils/types.js.map +1 -1
package/lib/tsconfig.tsbuildinfo +1 -1
package/lib/typescript/diffie-hellman.d.ts +2 -0
package/lib/typescript/diffie-hellman.d.ts.map +1 -1
package/lib/typescript/ec.d.ts +1 -0
package/lib/typescript/ec.d.ts.map +1 -1
package/lib/typescript/ed.d.ts.map +1 -1
package/lib/typescript/hash.d.ts +2 -0
package/lib/typescript/hash.d.ts.map +1 -1
package/lib/typescript/index.d.ts +7 -0
package/lib/typescript/index.d.ts.map +1 -1
package/lib/typescript/keys/classes.d.ts +2 -0
package/lib/typescript/keys/classes.d.ts.map +1 -1
package/lib/typescript/specs/diffie-hellman.nitro.d.ts +1 -0
package/lib/typescript/specs/diffie-hellman.nitro.d.ts.map +1 -1
package/lib/typescript/specs/ecKeyPair.nitro.d.ts +1 -0
package/lib/typescript/specs/ecKeyPair.nitro.d.ts.map +1 -1
package/lib/typescript/specs/keyObjectHandle.nitro.d.ts +2 -0
package/lib/typescript/specs/keyObjectHandle.nitro.d.ts.map +1 -1
package/lib/typescript/subtle.d.ts.map +1 -1
package/lib/typescript/utils/types.d.ts +12 -5
package/lib/typescript/utils/types.d.ts.map +1 -1
package/nitrogen/generated/android/QuickCrypto+autolinking.cmake +8 -5
package/nitrogen/generated/android/QuickCrypto+autolinking.gradle +1 -1
package/nitrogen/generated/android/QuickCryptoOnLoad.cpp +54 -54
package/nitrogen/generated/android/QuickCryptoOnLoad.hpp +1 -1
package/nitrogen/generated/android/kotlin/com/margelo/nitro/crypto/QuickCryptoOnLoad.kt +1 -1
package/nitrogen/generated/ios/QuickCrypto+autolinking.rb +2 -2
package/nitrogen/generated/ios/QuickCrypto-Swift-Cxx-Bridge.cpp +1 -1
package/nitrogen/generated/ios/QuickCrypto-Swift-Cxx-Bridge.hpp +1 -1
package/nitrogen/generated/ios/QuickCrypto-Swift-Cxx-Umbrella.hpp +1 -1
package/nitrogen/generated/ios/QuickCryptoAutolinking.mm +54 -54
package/nitrogen/generated/ios/QuickCryptoAutolinking.swift +5 -1
package/nitrogen/generated/shared/c++/AsymmetricKeyType.hpp +1 -1
package/nitrogen/generated/shared/c++/CipherArgs.hpp +34 -19
package/nitrogen/generated/shared/c++/HybridBlake3Spec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridBlake3Spec.hpp +1 -3
package/nitrogen/generated/shared/c++/HybridCipherFactorySpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridCipherFactorySpec.hpp +1 -1
package/nitrogen/generated/shared/c++/HybridCipherSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridCipherSpec.hpp +1 -3
package/nitrogen/generated/shared/c++/HybridDiffieHellmanSpec.cpp +2 -1
package/nitrogen/generated/shared/c++/HybridDiffieHellmanSpec.hpp +3 -3
package/nitrogen/generated/shared/c++/HybridECDHSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridECDHSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridEcKeyPairSpec.cpp +2 -1
package/nitrogen/generated/shared/c++/HybridEcKeyPairSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridEdKeyPairSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridEdKeyPairSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridHashSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridHashSpec.hpp +2 -4
package/nitrogen/generated/shared/c++/HybridHkdfSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridHkdfSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridHmacSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridHmacSpec.hpp +3 -4
package/nitrogen/generated/shared/c++/HybridKeyObjectHandleSpec.cpp +3 -1
package/nitrogen/generated/shared/c++/HybridKeyObjectHandleSpec.hpp +8 -4
package/nitrogen/generated/shared/c++/HybridMlDsaKeyPairSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridMlDsaKeyPairSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridPbkdf2Spec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridPbkdf2Spec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridRandomSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridRandomSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridRsaCipherSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridRsaCipherSpec.hpp +1 -3
package/nitrogen/generated/shared/c++/HybridRsaKeyPairSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridRsaKeyPairSpec.hpp +1 -3
package/nitrogen/generated/shared/c++/HybridScryptSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridScryptSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridSignHandleSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridSignHandleSpec.hpp +1 -3
package/nitrogen/generated/shared/c++/HybridUtilsSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridUtilsSpec.hpp +2 -3
package/nitrogen/generated/shared/c++/HybridVerifyHandleSpec.cpp +1 -1
package/nitrogen/generated/shared/c++/HybridVerifyHandleSpec.hpp +1 -3
package/nitrogen/generated/shared/c++/JWK.hpp +84 -68
package/nitrogen/generated/shared/c++/JWKkty.hpp +5 -1
package/nitrogen/generated/shared/c++/JWKuse.hpp +1 -1
package/nitrogen/generated/shared/c++/KFormatType.hpp +1 -1
package/nitrogen/generated/shared/c++/KeyDetail.hpp +39 -23
package/nitrogen/generated/shared/c++/KeyEncoding.hpp +1 -1
package/nitrogen/generated/shared/c++/KeyObject.hpp +21 -5
package/nitrogen/generated/shared/c++/KeyType.hpp +1 -1
package/nitrogen/generated/shared/c++/KeyUsage.hpp +1 -1
package/nitrogen/generated/shared/c++/NamedCurve.hpp +1 -1
package/package.json +10 -7
package/src/diffie-hellman.ts +6 -0
package/src/ec.ts +23 -19
package/src/ed.ts +1 -2
package/src/hash.ts +11 -0
package/src/index.ts +9 -0
package/src/keys/classes.ts +10 -3
package/src/specs/diffie-hellman.nitro.ts +1 -0
package/src/specs/ecKeyPair.nitro.ts +2 -0
package/src/specs/keyObjectHandle.nitro.ts +2 -0
package/src/subtle.ts +131 -32
package/src/utils/types.ts +18 -3
package/deps/ncrypto/WORKSPACE +0 -15

package/deps/ncrypto/tests/basic.cpp CHANGED Viewed

@@ -1,4 +1,5 @@
 #include <ncrypto.h>
+#include <ncrypto/aead.h>
 #include <gtest/gtest.h>
 #include <string>
@@ -37,8 +38,493 @@ TEST(basic, cipher_foreach) {
   // as that depends on openssl vs boringssl, versions, configuration, etc.
   // Instead, we look for a couple of very common ciphers that should always be
   // present.
-  ASSERT_TRUE(foundCiphers.count("AES-128-CTR"));
-  ASSERT_TRUE(foundCiphers.count("AES-256-CBC"));
+  ASSERT_TRUE(foundCiphers.count("aes-128-ctr") ||
+              foundCiphers.count("AES-128-CTR"));
+  ASSERT_TRUE(foundCiphers.count("aes-256-cbc") ||
+              foundCiphers.count("AES-256-CBC"));
+}
+TEST(BignumPointer, bitLength) {
+  // Test empty/null BignumPointer
+  BignumPointer empty;
+  ASSERT_EQ(empty.bitLength(), 0);
+  // Test zero value
+  auto zero = BignumPointer::New();
+  ASSERT_TRUE(zero);
+  ASSERT_TRUE(zero.setWord(0));
+  ASSERT_EQ(zero.bitLength(), 0);
+  // Test value 1 (1 bit)
+  auto one = BignumPointer::New();
+  ASSERT_TRUE(one);
+  ASSERT_TRUE(one.setWord(1));
+  ASSERT_EQ(one.bitLength(), 1);
+  // Test value 2 (2 bits: 10 in binary)
+  auto two = BignumPointer::New();
+  ASSERT_TRUE(two);
+  ASSERT_TRUE(two.setWord(2));
+  ASSERT_EQ(two.bitLength(), 2);
+  // Test value 255 (8 bits: 11111111 in binary)
+  auto byte = BignumPointer::New();
+  ASSERT_TRUE(byte);
+  ASSERT_TRUE(byte.setWord(255));
+  ASSERT_EQ(byte.bitLength(), 8);
+  // Test value 256 (9 bits: 100000000 in binary)
+  auto nineBits = BignumPointer::New();
+  ASSERT_TRUE(nineBits);
+  ASSERT_TRUE(nineBits.setWord(256));
+  ASSERT_EQ(nineBits.bitLength(), 9);
+  // Test larger value (0xFFFFFFFF = 32 bits)
+  auto thirtyTwoBits = BignumPointer::New();
+  ASSERT_TRUE(thirtyTwoBits);
+  ASSERT_TRUE(thirtyTwoBits.setWord(0xFFFFFFFF));
+  ASSERT_EQ(thirtyTwoBits.bitLength(), 32);
+}
+TEST(BignumPointer, byteLength) {
+  // Test empty/null BignumPointer
+  BignumPointer empty;
+  ASSERT_EQ(empty.byteLength(), 0);
+  // Test zero value
+  auto zero = BignumPointer::New();
+  ASSERT_TRUE(zero);
+  ASSERT_TRUE(zero.setWord(0));
+  ASSERT_EQ(zero.byteLength(), 0);
+  // Test value 1 (1 byte)
+  auto one = BignumPointer::New();
+  ASSERT_TRUE(one);
+  ASSERT_TRUE(one.setWord(1));
+  ASSERT_EQ(one.byteLength(), 1);
+  // Test value 255 (1 byte)
+  auto byte = BignumPointer::New();
+  ASSERT_TRUE(byte);
+  ASSERT_TRUE(byte.setWord(255));
+  ASSERT_EQ(byte.byteLength(), 1);
+  // Test value 256 (2 bytes)
+  auto twoBytes = BignumPointer::New();
+  ASSERT_TRUE(twoBytes);
+  ASSERT_TRUE(twoBytes.setWord(256));
+  ASSERT_EQ(twoBytes.byteLength(), 2);
+  // Test larger value (0xFFFFFFFF = 4 bytes)
+  auto fourBytes = BignumPointer::New();
+  ASSERT_TRUE(fourBytes);
+  ASSERT_TRUE(fourBytes.setWord(0xFFFFFFFF));
+  ASSERT_EQ(fourBytes.byteLength(), 4);
+}
+// ============================================================================
+// Ec class tests
+// Helper to create an EC key for testing
+static ECKeyPointer createTestEcKey() {
+  // NID_X9_62_prime256v1 is P-256
+  auto key = ECKeyPointer::NewByCurveName(NID_X9_62_prime256v1);
+  if (key && EC_KEY_generate_key(key.get())) {
+    return key;
+  }
+  return {};
+}
+TEST(Ec, getDegree) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // P-256 has degree 256
+  ASSERT_EQ(ec.getDegree(), 256u);
+}
+TEST(Ec, getCurveName) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // P-256 is also known as prime256v1
+  std::string name = ec.getCurveName();
+  ASSERT_TRUE(name == "prime256v1" || name == "P-256");
+}
+TEST(Ec, getPublicKey) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // Public key should exist
+  const EC_POINT* pubKey = ec.getPublicKey();
+  ASSERT_NE(pubKey, nullptr);
+}
+TEST(Ec, getPrivateKey) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // Private key should exist for a generated key
+  const BIGNUM* privKey = ec.getPrivateKey();
+  ASSERT_NE(privKey, nullptr);
+}
+TEST(Ec, getXYCoordinates) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // X and Y coordinates should be populated
+  const BignumPointer& x = ec.getX();
+  const BignumPointer& y = ec.getY();
+  ASSERT_TRUE(x);
+  ASSERT_TRUE(y);
+  // For P-256, coordinates should be 256 bits (32 bytes)
+  ASSERT_GT(x.byteLength(), 0u);
+  ASSERT_LE(x.byteLength(), 32u);
+  ASSERT_GT(y.byteLength(), 0u);
+  ASSERT_LE(y.byteLength(), 32u);
+}
+TEST(Ec, getCurve) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  Ec ec(ecKey.get());
+  ASSERT_TRUE(ec);
+  // getCurve should return the NID for P-256
+  int curve = ec.getCurve();
+  ASSERT_EQ(curve, NID_X9_62_prime256v1);
+}
+TEST(Ec, GetCurves) {
+  std::vector<std::string> curves;
+  bool result = Ec::GetCurves([&](const char* name) {
+    curves.push_back(name);
+    return true;
+  });
+  ASSERT_TRUE(result);
+  // Should have at least some built-in curves
+  ASSERT_GT(curves.size(), 0u);
+  // Check that common curves are present
+  bool hasP256 = false;
+  bool hasP384 = false;
+  for (const auto& curve : curves) {
+    if (curve == "prime256v1" || curve == "P-256") hasP256 = true;
+    if (curve == "secp384r1" || curve == "P-384") hasP384 = true;
+  }
+  ASSERT_TRUE(hasP256);
+  ASSERT_TRUE(hasP384);
+}
+TEST(Ec, GetCurves_early_exit) {
+  int count = 0;
+  // Test that returning false stops iteration
+  bool result = Ec::GetCurves([&](const char* name) {
+    count++;
+    return count < 3;  // Stop after 2 curves
+  });
+  ASSERT_FALSE(result);
+  ASSERT_EQ(count, 3);
+}
+// ============================================================================
+// EVPKeyPointer tests
+TEST(EVPKeyPointer, operatorEc) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  // Create EVPKeyPointer from EC_KEY
+  EVPKeyPointer key(EVP_PKEY_new());
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(key.get(), ecKey.get()));
+  // Convert to Ec
+  Ec ec = key;
+  ASSERT_TRUE(ec);
+  ASSERT_EQ(ec.getDegree(), 256u);
+}
+TEST(EVPKeyPointer, clone) {
+  auto ecKey = createTestEcKey();
+  ASSERT_TRUE(ecKey);
+  // Create EVPKeyPointer from EC_KEY
+  EVPKeyPointer key(EVP_PKEY_new());
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(EVP_PKEY_set1_EC_KEY(key.get(), ecKey.get()));
+  // Clone the key
+  auto cloned = key.clone();
+  ASSERT_TRUE(cloned);
+  // Both should be valid
+  ASSERT_TRUE(key);
+  ASSERT_TRUE(cloned);
+  // Both should have the same key type
+  ASSERT_EQ(key.id(), cloned.id());
+}
+TEST(EVPKeyPointer, cloneEmpty) {
+  EVPKeyPointer empty;
+  ASSERT_FALSE(empty);
+  // Clone of empty should be empty
+  auto cloned = empty.clone();
+  ASSERT_FALSE(cloned);
+}
+// ============================================================================
+// KDF tests
+TEST(KDF, pbkdf2Into) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  unsigned char output[32];
+  Buffer<unsigned char> outBuf{output, length};
+  Digest md(EVP_sha256());
+  ASSERT_TRUE(md);
+  bool result = pbkdf2Into(md, passBuf, saltBuf, 1000, length, &outBuf);
+  ASSERT_TRUE(result);
+  // Verify output is not all zeros
+  bool allZeros = true;
+  for (size_t i = 0; i < length; i++) {
+    if (output[i] != 0) {
+      allZeros = false;
+      break;
+    }
+  }
+  ASSERT_FALSE(allZeros);
+}
+TEST(KDF, pbkdf2) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Digest md(EVP_sha256());
+  ASSERT_TRUE(md);
+  auto result = pbkdf2(md, passBuf, saltBuf, 1000, length);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, scryptInto) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  unsigned char output[32];
+  Buffer<unsigned char> outBuf{output, length};
+  // Use small parameters for testing
+  bool result = scryptInto(passBuf, saltBuf, 16, 1, 1, 0, length, &outBuf);
+  ASSERT_TRUE(result);
+  // Verify output is not all zeros
+  bool allZeros = true;
+  for (size_t i = 0; i < length; i++) {
+    if (output[i] != 0) {
+      allZeros = false;
+      break;
+    }
+  }
+  ASSERT_FALSE(allZeros);
+}
+TEST(KDF, scrypt) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  // Use small parameters for testing
+  auto result = scrypt(passBuf, saltBuf, 16, 1, 1, 0, length);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, hkdfInfo) {
+  const unsigned char key[] = {0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b};
+  const unsigned char salt[] = {
+      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09};
+  const unsigned char info[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7};
+  const size_t length = 42;
+  Buffer<const unsigned char> keyBuf{key, sizeof(key)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> infoBuf{info, sizeof(info)};
+  unsigned char output[42];
+  Buffer<unsigned char> outBuf{output, length};
+  Digest md(EVP_sha256());
+  ASSERT_TRUE(md);
+  bool result = hkdfInfo(md, keyBuf, infoBuf, saltBuf, length, &outBuf);
+  ASSERT_TRUE(result);
+  // Verify output is not all zeros
+  bool allZeros = true;
+  for (size_t i = 0; i < length; i++) {
+    if (output[i] != 0) {
+      allZeros = false;
+      break;
+    }
+  }
+  ASSERT_FALSE(allZeros);
+}
+TEST(KDF, hkdf) {
+  const unsigned char key[] = {0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b,
+                               0x0b};
+  const unsigned char salt[] = {
+      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09};
+  const unsigned char info[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7};
+  const size_t length = 42;
+  Buffer<const unsigned char> keyBuf{key, sizeof(key)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> infoBuf{info, sizeof(info)};
+  Digest md(EVP_sha256());
+  ASSERT_TRUE(md);
+  auto result = hkdf(md, keyBuf, infoBuf, saltBuf, length);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+// ============================================================================
+// SPKAC tests
+TEST(SPKAC, VerifySpkacBuffer) {
+  // A valid SPKAC string (base64 encoded)
+  // This is a test SPKAC - in real use, you'd have a properly generated one
+  const char* spkac =
+      "MIIBQDCBqjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2L3lR6VHBxKBZGnr"
+      "5R9AmJwcQPePMHl7X1tj0n5PKMXwXHLqD/xHtqWFN9aSWfZhCYVOYMPLsIEZvtsJ"
+      "qFCJzJXB7lYlLqcLLVJ5sDlT0fM8QiJR6CnBlWgaXEozL5XdKJdQ7UVlL1qqoLJP"
+      "8wLJ0PhXFaNvlNBaXx1lAx0CAwEAARYAMA0GCSqGSIb3DQEBBQUAA4GBAKMzhfqX"
+      "MvWRBfL+VNVX/3rE9IahSMPl/Dz0P4UO0MtDgYFR4N0tPPqg1EMH7HJRxPJQDUlf"
+      "M9TsMI8e8KfJX0VdPmmjvNy3LcboJqmqQ8TViV2U0K0mTgg3kEWdKl25QcleVQry"
+      "CqU2ThYNnK3QEbFwuTS4MHk4MHk2WHJoYzlk";
+  Buffer<const char> buf{spkac, strlen(spkac)};
+  // Note: This specific SPKAC may not verify correctly due to signature issues,
+  // but we're testing that the function runs without crashing and accepts the
+  // buffer interface
+  bool result = VerifySpkac(buf);
+  // The result depends on the validity of the SPKAC
+  (void)result;
+}
+TEST(SPKAC, ExportPublicKeyBuffer) {
+  const char* spkac =
+      "MIIBQDCBqjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2L3lR6VHBxKBZGnr"
+      "5R9AmJwcQPePMHl7X1tj0n5PKMXwXHLqD/xHtqWFN9aSWfZhCYVOYMPLsIEZvtsJ"
+      "qFCJzJXB7lYlLqcLLVJ5sDlT0fM8QiJR6CnBlWgaXEozL5XdKJdQ7UVlL1qqoLJP"
+      "8wLJ0PhXFaNvlNBaXx1lAx0CAwEAARYAMA0GCSqGSIb3DQEBBQUAA4GBAKMzhfqX"
+      "MvWRBfL+VNVX/3rE9IahSMPl/Dz0P4UO0MtDgYFR4N0tPPqg1EMH7HJRxPJQDUlf"
+      "M9TsMI8e8KfJX0VdPmmjvNy3LcboJqmqQ8TViV2U0K0mTgg3kEWdKl25QcleVQry"
+      "CqU2ThYNnK3QEbFwuTS4MHk4MHk2WHJoYzlk";
+  Buffer<const char> buf{spkac, strlen(spkac)};
+  // Test that the buffer version works
+  auto bio = ExportPublicKey(buf);
+  // Result depends on SPKAC validity
+  (void)bio;
+}
+TEST(SPKAC, ExportChallengeBuffer) {
+  const char* spkac =
+      "MIIBQDCBqjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2L3lR6VHBxKBZGnr"
+      "5R9AmJwcQPePMHl7X1tj0n5PKMXwXHLqD/xHtqWFN9aSWfZhCYVOYMPLsIEZvtsJ"
+      "qFCJzJXB7lYlLqcLLVJ5sDlT0fM8QiJR6CnBlWgaXEozL5XdKJdQ7UVlL1qqoLJP"
+      "8wLJ0PhXFaNvlNBaXx1lAx0CAwEAARYAMA0GCSqGSIb3DQEBBQUAA4GBAKMzhfqX"
+      "MvWRBfL+VNVX/3rE9IahSMPl/Dz0P4UO0MtDgYFR4N0tPPqg1EMH7HJRxPJQDUlf"
+      "M9TsMI8e8KfJX0VdPmmjvNy3LcboJqmqQ8TViV2U0K0mTgg3kEWdKl25QcleVQry"
+      "CqU2ThYNnK3QEbFwuTS4MHk4MHk2WHJoYzlk";
+  Buffer<const char> buf{spkac, strlen(spkac)};
+  // Test that the buffer version works and returns DataPointer
+  auto challenge = ExportChallenge(buf);
+  // Result depends on SPKAC validity
+  (void)challenge;
 }
 #ifdef OPENSSL_IS_BORINGSSL
@@ -84,3 +570,287 @@ TEST(basic, aead_info) {
   ASSERT_EQ(aead.getMaxTagLength(), 16);
 }
 #endif
+// ============================================================================
+// Argon2 KDF tests (OpenSSL 3.2.0+ only)
+#if OPENSSL_VERSION_NUMBER >= 0x30200000L
+#ifndef OPENSSL_NO_ARGON2
+TEST(KDF, argon2i) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{nullptr, 0};
+  Buffer<const unsigned char> ad{nullptr, 0};
+  // Use small parameters for testing
+  // lanes=1, memcost=16 (KB), iter=3, version=0x13 (1.3)
+  auto result = argon2(passBuf,
+                       saltBuf,
+                       1,
+                       length,
+                       16,
+                       3,
+                       0x13,
+                       secret,
+                       ad,
+                       Argon2Type::ARGON2I);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+  // Verify output is not all zeros
+  bool allZeros = true;
+  for (size_t i = 0; i < length; i++) {
+    if (reinterpret_cast<unsigned char*>(result.get())[i] != 0) {
+      allZeros = false;
+      break;
+    }
+  }
+  ASSERT_FALSE(allZeros);
+}
+TEST(KDF, argon2d) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{nullptr, 0};
+  Buffer<const unsigned char> ad{nullptr, 0};
+  auto result = argon2(passBuf,
+                       saltBuf,
+                       1,
+                       length,
+                       16,
+                       3,
+                       0x13,
+                       secret,
+                       ad,
+                       Argon2Type::ARGON2D);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, argon2id) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{nullptr, 0};
+  Buffer<const unsigned char> ad{nullptr, 0};
+  auto result = argon2(passBuf,
+                       saltBuf,
+                       1,
+                       length,
+                       16,
+                       3,
+                       0x13,
+                       secret,
+                       ad,
+                       Argon2Type::ARGON2ID);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, argon2_with_secret_and_ad) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const unsigned char secretData[] = {0xaa, 0xbb, 0xcc, 0xdd};
+  const unsigned char adData[] = {0x11, 0x22, 0x33, 0x44, 0x55};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{secretData, sizeof(secretData)};
+  Buffer<const unsigned char> ad{adData, sizeof(adData)};
+  auto result = argon2(passBuf,
+                       saltBuf,
+                       1,
+                       length,
+                       16,
+                       3,
+                       0x13,
+                       secret,
+                       ad,
+                       Argon2Type::ARGON2ID);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, argon2_empty_password) {
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const size_t length = 32;
+  Buffer<const char> passBuf{"", 0};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{nullptr, 0};
+  Buffer<const unsigned char> ad{nullptr, 0};
+  // Empty password should still work
+  auto result = argon2(passBuf,
+                       saltBuf,
+                       1,
+                       length,
+                       16,
+                       3,
+                       0x13,
+                       secret,
+                       ad,
+                       Argon2Type::ARGON2ID);
+  ASSERT_TRUE(result);
+  ASSERT_EQ(result.size(), length);
+}
+TEST(KDF, argon2_different_types_produce_different_output) {
+  const char* password = "password";
+  const unsigned char salt[] = {0x01,
+                                0x02,
+                                0x03,
+                                0x04,
+                                0x05,
+                                0x06,
+                                0x07,
+                                0x08,
+                                0x09,
+                                0x0a,
+                                0x0b,
+                                0x0c,
+                                0x0d,
+                                0x0e,
+                                0x0f,
+                                0x10};
+  const size_t length = 32;
+  Buffer<const char> passBuf{password, strlen(password)};
+  Buffer<const unsigned char> saltBuf{salt, sizeof(salt)};
+  Buffer<const unsigned char> secret{nullptr, 0};
+  Buffer<const unsigned char> ad{nullptr, 0};
+  auto resultI = argon2(passBuf,
+                        saltBuf,
+                        1,
+                        length,
+                        16,
+                        3,
+                        0x13,
+                        secret,
+                        ad,
+                        Argon2Type::ARGON2I);
+  auto resultD = argon2(passBuf,
+                        saltBuf,
+                        1,
+                        length,
+                        16,
+                        3,
+                        0x13,
+                        secret,
+                        ad,
+                        Argon2Type::ARGON2D);
+  auto resultID = argon2(passBuf,
+                         saltBuf,
+                         1,
+                         length,
+                         16,
+                         3,
+                         0x13,
+                         secret,
+                         ad,
+                         Argon2Type::ARGON2ID);
+  ASSERT_TRUE(resultI);
+  ASSERT_TRUE(resultD);
+  ASSERT_TRUE(resultID);
+  // All three types should produce different outputs
+  ASSERT_NE(memcmp(resultI.get(), resultD.get(), length), 0);
+  ASSERT_NE(memcmp(resultI.get(), resultID.get(), length), 0);
+  ASSERT_NE(memcmp(resultD.get(), resultID.get(), length), 0);
+}
+#endif  // OPENSSL_NO_ARGON2
+#endif  // OPENSSL_VERSION_NUMBER >= 0x30200000L