react-native-quick-crypto 1.0.9 → 1.0.11

package/cpp/ecdh/HybridECDH.cpp

@@ -284,6 +284,41 @@ void HybridECDH::setPublicKey(const std::shared_ptr<ArrayBuffer>& publicKey) {
   _pkey = std::move(pkey);
 }
 
+std::shared_ptr<ArrayBuffer> HybridECDH::convertKey(const std::shared_ptr<ArrayBuffer>& key, const std::string& curve, double format) {
+  int nid = getCurveNid(curve);
+  if (nid == NID_undef) {
+    throw std::runtime_error("ECDH: unknown curve: " + curve);
+  }
+
+  EC_GROUP_ptr group(EC_GROUP_new_by_curve_name(nid), EC_GROUP_free);
+  if (!group) {
+    throw std::runtime_error("ECDH: failed to create EC group for curve: " + curve);
+  }
+
+  EC_POINT_ptr point(EC_POINT_new(group.get()), EC_POINT_free);
+  if (!point) {
+    throw std::runtime_error("ECDH: failed to create EC point");
+  }
+
+  if (EC_POINT_oct2point(group.get(), point.get(), key->data(), key->size(), nullptr) != 1) {
+    throw std::runtime_error("ECDH: failed to decode public key");
+  }
+
+  auto form = static_cast<point_conversion_form_t>(static_cast<int>(format));
+
+  size_t len = EC_POINT_point2oct(group.get(), point.get(), form, nullptr, 0, nullptr);
+  if (len == 0) {
+    throw std::runtime_error("ECDH: failed to get converted key length");
+  }
+
+  std::vector<uint8_t> buf(len);
+  if (EC_POINT_point2oct(group.get(), point.get(), form, buf.data(), len, nullptr) == 0) {
+    throw std::runtime_error("ECDH: failed to convert key");
+  }
+
+  return ToNativeArrayBuffer(buf);
+}
+
 void HybridECDH::ensureInitialized() const {
   if (_curveNid == 0 || !_group) {
     throw std::runtime_error("ECDH: not initialized");

package/cpp/ecdh/HybridECDH.hpp

@@ -28,6 +28,7 @@ class HybridECDH : public HybridECDHSpec {
   void setPrivateKey(const std::shared_ptr<ArrayBuffer>& privateKey) override;
   std::shared_ptr<ArrayBuffer> getPublicKey() override;
   void setPublicKey(const std::shared_ptr<ArrayBuffer>& publicKey) override;
+  std::shared_ptr<ArrayBuffer> convertKey(const std::shared_ptr<ArrayBuffer>& key, const std::string& curve, double format) override;
 
  private:
   EVP_PKEY_ptr _pkey;

package/cpp/hash/HybridHash.cpp

@@ -68,7 +68,7 @@ void HybridHash::createHash(const std::string& hashAlgorithmArg, const std::opti
   }
 }
 
-void HybridHash::update(const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& data) {
+void HybridHash::update(const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& data) {
   if (!ctx) {
     throw std::runtime_error("Hash context not initialized");
   }

package/cpp/hash/HybridHash.hpp

@@ -21,7 +21,7 @@ class HybridHash : public HybridHashSpec {
  public:
   // Methods
   void createHash(const std::string& algorithm, const std::optional<double> outputLength) override;
-  void update(const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& data) override;
+  void update(const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& data) override;
   std::shared_ptr<ArrayBuffer> digest(const std::optional<std::string>& encoding = std::nullopt) override;
   std::shared_ptr<margelo::nitro::crypto::HybridHashSpec> copy(const std::optional<double> outputLength) override;
   std::vector<std::string> getSupportedHashAlgorithms() override;

package/cpp/hmac/HybridHmac.cpp

@@ -60,7 +60,7 @@ void HybridHmac::createHmac(const std::string& hmacAlgorithm, const std::shared_
   }
 }
 
-void HybridHmac::update(const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& data) {
+void HybridHmac::update(const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& data) {
   if (!ctx) {
     throw std::runtime_error("HMAC context not initialized");
   }

package/cpp/hmac/HybridHmac.hpp

@@ -20,7 +20,7 @@ class HybridHmac : public HybridHmacSpec {
  public:
   // Methods
   void createHmac(const std::string& algorithm, const std::shared_ptr<ArrayBuffer>& key) override;
-  void update(const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& data) override;
+  void update(const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& data) override;
   std::shared_ptr<ArrayBuffer> digest() override;
 
  private:

package/cpp/keys/HybridKeyObjectHandle.cpp

@@ -5,6 +5,7 @@
 #include "HybridKeyObjectHandle.hpp"
 #include "QuickCryptoUtils.hpp"
 #include <openssl/bn.h>
+#include <openssl/crypto.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
 #include <openssl/obj_mac.h>
@@ -124,6 +125,25 @@ std::shared_ptr<ArrayBuffer> HybridKeyObjectHandle::exportKey(std::optional<KFor
       }
     }
 
+    // For EC keys, handle raw format (uncompressed point)
+    if (!format.has_value() && !type.has_value() && keyId == EVP_PKEY_EC && keyType == KeyType::PUBLIC) {
+      const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
+      if (!ec_key)
+        throw std::runtime_error("Failed to get EC key");
+      const EC_GROUP* group = EC_KEY_get0_group(ec_key);
+      const EC_POINT* point = EC_KEY_get0_public_key(ec_key);
+      if (!group || !point)
+        throw std::runtime_error("Failed to get EC public key");
+      size_t len = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, nullptr, 0, nullptr);
+      if (len == 0)
+        throw std::runtime_error("Failed to get EC point size");
+      std::vector<uint8_t> buf(len);
+      if (EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, buf.data(), len, nullptr) == 0) {
+        throw std::runtime_error("Failed to encode EC public key");
+      }
+      return ToNativeArrayBuffer(std::string(reinterpret_cast<const char*>(buf.data()), buf.size()));
+    }
+
     // Set default format and type if not provided
     auto exportFormat = format.value_or(KFormatType::DER);
     auto exportType = type.value_or(keyType == KeyType::PUBLIC ? KeyEncoding::SPKI : KeyEncoding::PKCS8);
@@ -292,6 +312,44 @@ JWK HybridKeyObjectHandle::exportJwk(const JWK& key, bool handleRsaPss) {
     return result;
   }
 
+  // Export OKP keys (Ed25519, Ed448, X25519, X448) per RFC 8037
+  if (keyId == EVP_PKEY_ED25519 || keyId == EVP_PKEY_ED448 || keyId == EVP_PKEY_X25519 || keyId == EVP_PKEY_X448) {
+    result.kty = JWKkty::OKP;
+
+    switch (keyId) {
+      case EVP_PKEY_ED25519:
+        result.crv = "Ed25519";
+        break;
+      case EVP_PKEY_ED448:
+        result.crv = "Ed448";
+        break;
+      case EVP_PKEY_X25519:
+        result.crv = "X25519";
+        break;
+      case EVP_PKEY_X448:
+        result.crv = "X448";
+        break;
+      default:
+        break;
+    }
+
+    auto pubKey = pkey.rawPublicKey();
+    if (!pubKey) {
+      throw std::runtime_error("Failed to get raw public key for OKP JWK export");
+    }
+    result.x = base64url_encode(reinterpret_cast<const unsigned char*>(pubKey.get()), pubKey.size());
+
+    if (keyType == KeyType::PRIVATE) {
+      auto privKey = pkey.rawPrivateKey();
+      if (!privKey) {
+        throw std::runtime_error("Failed to get raw private key for OKP JWK export");
+      }
+      result.d = base64url_encode(reinterpret_cast<const unsigned char*>(privKey.get()), privKey.size());
+    }
+
+    return result;
+  }
+
   throw std::runtime_error("Unsupported key type for JWK export");
 }
 
@@ -335,7 +393,7 @@ AsymmetricKeyType HybridKeyObjectHandle::getAsymmetricKeyType() {
   }
 }
 
-bool HybridKeyObjectHandle::init(KeyType keyType, const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& key,
+bool HybridKeyObjectHandle::init(KeyType keyType, const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& key,
                                  std::optional<KFormatType> format, std::optional<KeyEncoding> type,
                                  const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) {
   // Reset any existing data to prevent state leakage
@@ -597,6 +655,50 @@ std::optional<KeyType> HybridKeyObjectHandle::initJwk(const JWK& keyData, std::o
     return type;
   }
 
+  // Handle OKP keys (Ed25519, Ed448, X25519, X448) per RFC 8037
+  if (kty == JWKkty::OKP) {
+    bool isPrivate = keyData.d.has_value();
+
+    if (!keyData.crv.has_value() || !keyData.x.has_value()) {
+      throw std::runtime_error("JWK OKP key missing required fields (crv, x)");
+    }
+
+    std::string crv = keyData.crv.value();
+
+    int evpType;
+    if (crv == "Ed25519") {
+      evpType = EVP_PKEY_ED25519;
+    } else if (crv == "Ed448") {
+      evpType = EVP_PKEY_ED448;
+    } else if (crv == "X25519") {
+      evpType = EVP_PKEY_X25519;
+    } else if (crv == "X448") {
+      evpType = EVP_PKEY_X448;
+    } else {
+      throw std::runtime_error("Unsupported OKP curve: " + crv);
+    }
+
+    if (isPrivate) {
+      std::string privBytes = base64url_decode(keyData.d.value());
+      EVP_PKEY* pkey =
+          EVP_PKEY_new_raw_private_key(evpType, nullptr, reinterpret_cast<const unsigned char*>(privBytes.data()), privBytes.size());
+      if (!pkey) {
+        throw std::runtime_error("Failed to create OKP private key from JWK");
+      }
+      data_ = KeyObjectData::CreateAsymmetric(KeyType::PRIVATE, ncrypto::EVPKeyPointer(pkey));
+      return KeyType::PRIVATE;
+    } else {
+      std::string pubBytes = base64url_decode(keyData.x.value());
+      EVP_PKEY* pkey =
+          EVP_PKEY_new_raw_public_key(evpType, nullptr, reinterpret_cast<const unsigned char*>(pubBytes.data()), pubBytes.size());
+      if (!pkey) {
+        throw std::runtime_error("Failed to create OKP public key from JWK");
+      }
+      data_ = KeyObjectData::CreateAsymmetric(KeyType::PUBLIC, ncrypto::EVPKeyPointer(pkey));
+      return KeyType::PUBLIC;
+    }
+  }
+
   throw std::runtime_error("Unsupported JWK key type");
 }
 
@@ -754,4 +856,32 @@ bool HybridKeyObjectHandle::initECRaw(const std::string& namedCurve, const std::
   return true;
 }
 
+bool HybridKeyObjectHandle::keyEquals(const std::shared_ptr<HybridKeyObjectHandleSpec>& other) {
+  auto otherHandle = std::dynamic_pointer_cast<HybridKeyObjectHandle>(other);
+  if (!otherHandle)
+    return false;
+
+  const auto& otherData = otherHandle->getKeyObjectData();
+  if (data_.GetKeyType() != otherData.GetKeyType())
+    return false;
+
+  if (data_.GetKeyType() == KeyType::SECRET) {
+    auto thisKey = data_.GetSymmetricKey();
+    auto otherKey = otherData.GetSymmetricKey();
+    if (thisKey->size() != otherKey->size())
+      return false;
+    return CRYPTO_memcmp(thisKey->data(), otherKey->data(), thisKey->size()) == 0;
+  }
+
+  const auto& thisPkey = data_.GetAsymmetricKey();
+  const auto& otherPkey = otherData.GetAsymmetricKey();
+  if (!thisPkey || !otherPkey)
+    return false;
+  return EVP_PKEY_eq(thisPkey.get(), otherPkey.get()) == 1;
+}
+
+double HybridKeyObjectHandle::getSymmetricKeySize() {
+  return static_cast<double>(data_.GetSymmetricKeySize());
+}
+
 } // namespace margelo::nitro::crypto

package/cpp/keys/HybridKeyObjectHandle.hpp

@@ -26,7 +26,7 @@ class HybridKeyObjectHandle : public HybridKeyObjectHandleSpec {
 
   AsymmetricKeyType getAsymmetricKeyType() override;
 
-  bool init(KeyType keyType, const std::variant<std::string, std::shared_ptr<ArrayBuffer>>& key, std::optional<KFormatType> format,
+  bool init(KeyType keyType, const std::variant<std::shared_ptr<ArrayBuffer>, std::string>& key, std::optional<KFormatType> format,
             std::optional<KeyEncoding> type, const std::optional<std::shared_ptr<ArrayBuffer>>& passphrase) override;
 
   bool initECRaw(const std::string& namedCurve, const std::shared_ptr<ArrayBuffer>& keyData) override;
@@ -35,6 +35,10 @@ class HybridKeyObjectHandle : public HybridKeyObjectHandleSpec {
 
   KeyDetail keyDetail() override;
 
+  bool keyEquals(const std::shared_ptr<HybridKeyObjectHandleSpec>& other) override;
+
+  double getSymmetricKeySize() override;
+
   KeyObjectData& getKeyObjectData() {
     return data_;
   }

package/cpp/prime/HybridPrime.cpp

@@ -0,0 +1,81 @@
+#include "HybridPrime.hpp"
+#include "QuickCryptoUtils.hpp"
+#include <ncrypto.h>
+
+namespace margelo::nitro::crypto {
+
+using namespace ncrypto;
+
+static BignumPointer toBignum(const std::optional<std::shared_ptr<ArrayBuffer>>& buf) {
+  if (!buf.has_value() || buf.value()->size() == 0) {
+    return BignumPointer();
+  }
+  return BignumPointer(buf.value()->data(), buf.value()->size());
+}
+
+static std::shared_ptr<ArrayBuffer> generatePrimeImpl(double size, bool safe, const std::optional<std::shared_ptr<ArrayBuffer>>& add,
+                                                      const std::optional<std::shared_ptr<ArrayBuffer>>& rem) {
+  int bits = static_cast<int>(size);
+
+  auto addBn = toBignum(add);
+  auto remBn = toBignum(rem);
+
+  BignumPointer::PrimeConfig config{bits, safe, addBn, remBn};
+  auto prime = BignumPointer::NewPrime(config);
+  if (!prime) {
+    throw std::runtime_error("Failed to generate prime");
+  }
+
+  auto encoded = prime.encode();
+  if (!encoded) {
+    throw std::runtime_error("Failed to encode prime");
+  }
+
+  return ToNativeArrayBuffer(encoded.get<uint8_t>(), encoded.size());
+}
+
+std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> HybridPrime::generatePrime(double size, bool safe,
+                                                                                  const std::optional<std::shared_ptr<ArrayBuffer>>& add,
+                                                                                  const std::optional<std::shared_ptr<ArrayBuffer>>& rem) {
+  auto addCopy = add.has_value() ? std::make_optional(ToNativeArrayBuffer(add.value())) : std::nullopt;
+  auto remCopy = rem.has_value() ? std::make_optional(ToNativeArrayBuffer(rem.value())) : std::nullopt;
+
+  return Promise<std::shared_ptr<ArrayBuffer>>::async([size, safe, addCopy = std::move(addCopy), remCopy = std::move(remCopy)]() {
+    return generatePrimeImpl(size, safe, addCopy, remCopy);
+  });
+}
+
+std::shared_ptr<ArrayBuffer> HybridPrime::generatePrimeSync(double size, bool safe, const std::optional<std::shared_ptr<ArrayBuffer>>& add,
+                                                            const std::optional<std::shared_ptr<ArrayBuffer>>& rem) {
+  return generatePrimeImpl(size, safe, add, rem);
+}
+
+bool HybridPrime::checkPrimeSync(const std::shared_ptr<ArrayBuffer>& candidate, double checks) {
+  BignumPointer bn(candidate->data(), candidate->size());
+  if (!bn) {
+    throw std::runtime_error("Invalid candidate");
+  }
+
+  int result = bn.isPrime(static_cast<int>(checks));
+  if (result == -1) {
+    throw std::runtime_error("Prime check failed");
+  }
+  return result == 1;
+}
+
+std::shared_ptr<Promise<bool>> HybridPrime::checkPrime(const std::shared_ptr<ArrayBuffer>& candidate, double checks) {
+  auto candidateCopy = ToNativeArrayBuffer(candidate);
+  return Promise<bool>::async([candidateCopy, checks]() {
+    BignumPointer bn(candidateCopy->data(), candidateCopy->size());
+    if (!bn) {
+      throw std::runtime_error("Invalid candidate");
+    }
+    int result = bn.isPrime(static_cast<int>(checks));
+    if (result == -1) {
+      throw std::runtime_error("Prime check failed");
+    }
+    return result == 1;
+  });
+}
+
+} // namespace margelo::nitro::crypto

package/cpp/prime/HybridPrime.hpp

@@ -0,0 +1,20 @@
+#pragma once
+
+#include "HybridPrimeSpec.hpp"
+
+namespace margelo::nitro::crypto {
+
+class HybridPrime : public HybridPrimeSpec {
+ public:
+  HybridPrime() : HybridObject(TAG) {}
+
+  std::shared_ptr<Promise<std::shared_ptr<ArrayBuffer>>> generatePrime(double size, bool safe,
+                                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& add,
+                                                                       const std::optional<std::shared_ptr<ArrayBuffer>>& rem) override;
+  std::shared_ptr<ArrayBuffer> generatePrimeSync(double size, bool safe, const std::optional<std::shared_ptr<ArrayBuffer>>& add,
+                                                 const std::optional<std::shared_ptr<ArrayBuffer>>& rem) override;
+  std::shared_ptr<Promise<bool>> checkPrime(const std::shared_ptr<ArrayBuffer>& candidate, double checks) override;
+  bool checkPrimeSync(const std::shared_ptr<ArrayBuffer>& candidate, double checks) override;
+};
+
+} // namespace margelo::nitro::crypto

package/deps/ncrypto/.bazelrc

@@ -1,2 +1 @@
-common --enable_workspace
 build --cxxopt="-std=c++20"

package/deps/ncrypto/.bazelversion

@@ -1 +1 @@
-8.0.0
+9.0.0

package/deps/ncrypto/.github/workflows/commitlint.yml

@@ -0,0 +1,16 @@
+name: Conventional Commit Linter
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          fetch-depth: 100
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1

package/deps/ncrypto/.github/workflows/linter.yml

@@ -27,9 +27,9 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Run clang-format
-        uses: jidicula/clang-format-action@c74383674bf5f7c69f60ce562019c1c94bc1421a # v4.13.0
+        uses: jidicula/clang-format-action@6cd220de46c89139a0365edae93eee8eb30ca8fe # v4.16.0
         with:
-          clang-format-version: '17'
+          clang-format-version: '21'
           fallback-style: 'Google'
 
       - uses: chartboost/ruff-action@e18ae971ccee1b2d7bbef113930f00c670b78da4 # v1.0.0

package/deps/ncrypto/.github/workflows/release-please.yml

@@ -0,0 +1,16 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38  # v4.4.0

package/deps/ncrypto/.github/workflows/ubuntu.yml

@@ -44,3 +44,85 @@ jobs:
         run: cmake --build build -j=4
       - name: Test
         run: ctest --output-on-failure --test-dir build
+
+  # Test with OpenSSL 3.2+ to cover Argon2 code path
+  openssl:
+    runs-on: ubuntu-latest
+    env:
+      OPENSSL_VERSION: "3.4.1"
+      OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Cache OpenSSL
+        id: cache-openssl
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.OPENSSL_DIR }}
+          key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}
+      - name: Build OpenSSL
+        if: steps.cache-openssl.outputs.cache-hit != 'true'
+        run: |
+          curl -LO https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz
+          tar xzf openssl-${OPENSSL_VERSION}.tar.gz
+          cd openssl-${OPENSSL_VERSION}
+          ./Configure --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl
+          make -j$(nproc)
+          make install_sw
+      - name: ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: ${{github.job}}-openssl
+      - name: Setup dependencies
+        run: sudo apt-get update && sudo apt-get install -y ninja-build libgtest-dev
+      - name: Prepare
+        run: |
+          cmake -DNCRYPTO_SHARED_LIBS=ON -G Ninja -B build \
+            -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
+            -DCMAKE_PREFIX_PATH=${OPENSSL_DIR}
+      - name: Build
+        run: cmake --build build -j=4
+      - name: Test
+        run: ctest --output-on-failure --test-dir build
+        env:
+          LD_LIBRARY_PATH: ${{ env.OPENSSL_DIR }}/lib64:${{ env.OPENSSL_DIR }}/lib
+
+  # Test with OPENSSL_NO_ARGON2 defined (Argon2 tests excluded)
+  openssl-no-argon2:
+    runs-on: ubuntu-latest
+    env:
+      OPENSSL_VERSION: "3.4.1"
+      OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - name: Cache OpenSSL
+        id: cache-openssl
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.OPENSSL_DIR }}
+          key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}
+      - name: Build OpenSSL
+        if: steps.cache-openssl.outputs.cache-hit != 'true'
+        run: |
+          curl -LO https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz
+          tar xzf openssl-${OPENSSL_VERSION}.tar.gz
+          cd openssl-${OPENSSL_VERSION}
+          ./Configure --prefix=${OPENSSL_DIR} --openssldir=${OPENSSL_DIR}/ssl
+          make -j$(nproc)
+          make install_sw
+      - name: ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: ${{github.job}}-openssl-no-argon2
+      - name: Setup dependencies
+        run: sudo apt-get update && sudo apt-get install -y ninja-build libgtest-dev
+      - name: Prepare
+        run: |
+          cmake -DNCRYPTO_SHARED_LIBS=ON -DCMAKE_CXX_FLAGS="-DOPENSSL_NO_ARGON2" -G Ninja -B build \
+            -DOPENSSL_ROOT_DIR=${OPENSSL_DIR} \
+            -DCMAKE_PREFIX_PATH=${OPENSSL_DIR}
+      - name: Build
+        run: cmake --build build -j=4
+      - name: Test
+        run: ctest --output-on-failure --test-dir build
+        env:
+          LD_LIBRARY_PATH: ${{ env.OPENSSL_DIR }}/lib64:${{ env.OPENSSL_DIR }}/lib

package/deps/ncrypto/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "1.1.3"
+}

package/deps/ncrypto/BUILD.bazel

@@ -1,4 +1,5 @@
 load("@bazel_skylib//rules:common_settings.bzl", "bool_flag")
+load("@rules_cc//cc:cc_library.bzl", "cc_library")
 
 bool_flag(
     name = "bssl_libdecrepit_missing",
@@ -15,7 +16,14 @@ config_setting(
 cc_library(
     name = "ncrypto",
     srcs = glob(["src/*.cpp"]),
-    hdrs = glob(["include/*.h"]),
+    hdrs = glob(["include/*.h", "include/ncrypto/*.h"]),
+    copts = [
+        "-Werror",
+        "-Wextra",
+        "-Wno-unused-parameter",
+        "-Wimplicit-fallthrough",
+        "-Wno-deprecated-declarations",  # OpenSSL 3.0 deprecates many APIs we intentionally use
+    ],
     includes = ["include"],
     local_defines = {
         "NCRYPTO_BSSL_LIBDECREPIT_MISSING": select(

package/deps/ncrypto/CHANGELOG.md

@@ -0,0 +1,37 @@
+# Changelog
+
+## [1.1.3](https://github.com/nodejs/ncrypto/compare/v1.1.2...v1.1.3) (2026-02-04)
+
+
+### Bug Fixes
+
+* unconditionally include vector ([ba39e40](https://github.com/nodejs/ncrypto/commit/ba39e40ed1c1231902a676f53906cdd2f6119648))
+* use more strict compiler flags ([fc401e3](https://github.com/nodejs/ncrypto/commit/fc401e387491005bfbe6c48b7296862d07ea85d7))
+
+## [1.1.2](https://github.com/nodejs/ncrypto/compare/v1.1.1...v1.1.2) (2026-02-02)
+
+
+### Bug Fixes
+
+* handle edge cases and CI builds ([57cae0f](https://github.com/nodejs/ncrypto/commit/57cae0f055ba7c2d060f0ed4e49431e9e56a0a2d))
+
+## [1.1.1](https://github.com/nodejs/ncrypto/compare/v1.1.0...v1.1.1) (2026-02-02)
+
+
+### Bug Fixes
+
+* re-add more functions that are moved ([2ceab38](https://github.com/nodejs/ncrypto/commit/2ceab38e9caafd49b2f0a722ad76ae68f68fe7b5))
+* re-add removed BignumPointer::bitLength() ([0ba85e3](https://github.com/nodejs/ncrypto/commit/0ba85e3c3a3cdd8abcab066b046bbb11c9136bc8))
+
+## [1.1.0](https://github.com/nodejs/ncrypto/compare/1.0.1...v1.1.0) (2026-01-31)
+
+
+### Features
+
+* sync source code with nodejs/node ([#17](https://github.com/nodejs/ncrypto/issues/17)) ([47c21db](https://github.com/nodejs/ncrypto/commit/47c21db34df5f00eab945e2cd4e3ca6d9d57c793))
+
+
+### Bug Fixes
+
+* add missing header files during install ([#27](https://github.com/nodejs/ncrypto/issues/27)) ([d714e74](https://github.com/nodejs/ncrypto/commit/d714e745cd54b5f06686e2def826da101ebb2205))
+* use BN_GENCB_get_arg accessor for OpenSSL 3.x compatibility ([#16](https://github.com/nodejs/ncrypto/issues/16)) ([afc7e12](https://github.com/nodejs/ncrypto/commit/afc7e12c3f862165d7cfdc10bd971d7115d4fdb5))