This codemod handles Node.js crypto deprecation DEP0154 by transforming deprecated RSA-PSS key generation option names to their modern equivalents.
What It Does
The codemod transforms RSA-PSS crypto options:
- hash → hashAlgorithm
- mgf1Hash → mgf1HashAlgorithm
Transformations only apply to:
- crypto.generateKeyPair() calls
- crypto.generateKeyPairSync() calls
- Only when key type is 'rsa-pss'
Usage
npx codemod nodejs/crypto-rsa-pss-update
Examples
Async Key Generation
Before:
const crypto = require("node:crypto");
crypto.generateKeyPair(
  "rsa-pss",
  {
    modulusLength: 2048,
    hash: "sha256",
    mgf1Hash: "sha1",
    saltLength: 32,
  },
  (err, publicKey, privateKey) => {
    // callback
  },
);
After:
const crypto = require("node:crypto");
crypto.generateKeyPair(
  "rsa-pss",
  {
    modulusLength: 2048,
    hashAlgorithm: "sha256",
    mgf1HashAlgorithm: "sha1",
    saltLength: 32,
  },
  (err, publicKey, privateKey) => {
    // callback
  },
);
Sync Key Generation
Before:
const crypto = require("node:crypto");
crypto.generateKeyPairSync("rsa-pss", {
  modulusLength: 2048,
  hash: "sha256",
});
After:
const crypto = require("node:crypto");
crypto.generateKeyPairSync("rsa-pss", {
  modulusLength: 2048,
  hashAlgorithm: "sha256",
});
Supported Patterns
The codemod handles various code patterns:
Destructured Imports
const { generateKeyPair } = require('crypto');
generateKeyPair('rsa-pss', {
  hash: 'sha256'
}, callback);
Variable References
const options = {
  modulusLength: 2048,
  hash: 'sha256',
  mgf1Hash: 'sha1'
};
crypto.generateKeyPair('rsa-pss', options, callback);
Object Properties
this.options = {
  hash: 'sha256',
  mgf1Hash: 'sha1'
};
crypto.generateKeyPair('rsa-pss', this.options, callback);
Function Returns
function getKeyOptions() {
  return {
    modulusLength: 2048,
    hash: 'sha256'
  };
}
crypto.generateKeyPair('rsa-pss', getKeyOptions(), callback);
What is RSA-PSS?
RSA-PSS (Probabilistic Signature Scheme) is a signature scheme with enhanced security properties:
- More secure than traditional RSA signatures
- Includes randomized padding
- Recommended for new applications requiring RSA signatures
RSA-PSS requires specification of hash algorithms for both the signature and the MGF1 (Mask Generation Function) padding.
Why Migrate?
The old option names hash and mgf1Hash were deprecated to avoid ambiguity and align with cryptographic terminology.
The new names:
- Explicitly indicate they specify algorithms, not hash values
- Reduce confusion with other crypto APIs
- Align with cryptographic standards terminology
- Improve code clarity
Scope and Limitations
Only RSA-PSS
The transformation only applies to 'rsa-pss' key type. Other key types are not affected:
// This is NOT transformed (different key type)
crypto.generateKeyPair('rsa', {
  modulusLength: 2048,
  hash: 'sha256' // Remains unchanged
}, callback);
// This IS transformed (rsa-pss)
crypto.generateKeyPair('rsa-pss', {
  modulusLength: 2048,
  hash: 'sha256' // Changes to hashAlgorithm
}, callback);
Preserved Structure
- All other options remain unchanged
- Callback functions are preserved
- Code formatting is maintained
- Comments are retained
Valid Hash Algorithms
Common hash algorithms used with RSA-PSS:
- 'sha256' (recommended for most use cases)
- 'sha384'
- 'sha512'
- 'sha1' (legacy, not recommended)
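The codemod renames option keys and leaves their values alone, so a legacy value such as "sha1" for MGF1 in the Async Key Generation example survives the migration unchanged. The check below is an added example, not part of the codemod or of Node.js itself: it generates a key with the migrated options and reads the PSS parameters back from KeyObject.asymmetricKeyDetails. The function names, ACCEPTED_DIGESTS and the rule that both digests should match are assumptions of this example.

```javascript
// Added example: confirm which PSS parameters a migrated call site really
// produces, and flag legacy digests that the key rename carried over.
const { generateKeyPairSync } = require("node:crypto");

// Assumed policy for this example: digests accepted for hash and MGF1.
const ACCEPTED_DIGESTS = new Set(["sha256", "sha384", "sha512"]);

// Generate an RSA-PSS key pair with the non-deprecated option names and
// return the parameters Node recorded in the key itself.
function generatedPssParams(options) {
  const { publicKey } = generateKeyPairSync("rsa-pss", options);
  const { hashAlgorithm, mgf1HashAlgorithm, saltLength } =
    publicKey.asymmetricKeyDetails;
  return { hashAlgorithm, mgf1HashAlgorithm, saltLength };
}

// Return findings for parameters that the assumed policy rejects.
function auditPssParams(params) {
  const findings = [];
  for (const field of ["hashAlgorithm", "mgf1HashAlgorithm"]) {
    const value = params[field];
    if (value === undefined) {
      findings.push(`${field} is not restricted by the key`);
    } else if (!ACCEPTED_DIGESTS.has(value)) {
      findings.push(`${field} is ${value}`);
    }
  }
  const { hashAlgorithm, mgf1HashAlgorithm } = params;
  if (hashAlgorithm && mgf1HashAlgorithm && hashAlgorithm !== mgf1HashAlgorithm) {
    findings.push("hashAlgorithm and mgf1HashAlgorithm differ");
  }
  return findings;
}

// Options as they look after the codemod has run on the async example.
const migratedOptions = {
  modulusLength: 2048,
  hashAlgorithm: "sha256",
  mgf1HashAlgorithm: "sha1",
  saltLength: 32,
};

const params = generatedPssParams(migratedOptions);
console.log(params, auditPssParams(params));
```
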
Deprecation Reference
This migration addresses DEP0154.