remove crypto and use webcrypto

Author: PavelSafronov

.eslintrc.json

@@ -103,6 +103,10 @@
           {
             "name": "node:*",
             "message": "Don't use `node:*`; use bare Node core module names instead."
+          },
+          {
+            "name": "crypto",
+            "message": "Use standard Web Crypto API, globalThis.crypto."
           }
         ]
       }
@@ -276,7 +280,8 @@
             "patterns": [
               "**/../lib/**",
               "mongodb-mock-server",
-              "node:*"
+              "node:*",
+              "crypto"
             ],
             "paths": [
               {

src/cmap/auth/scram.ts

@@ -1,5 +1,4 @@
 import { saslprep } from '@mongodb-js/saslprep';
-import * as crypto from 'crypto';
 
 import {
   allocateBuffer,
@@ -164,22 +163,22 @@ async function continueScramConversation(
 
   // Set up start of proof
   const withoutProof = `c=biws,r=${rnonce}`;
-  const saltedPassword = HI(processedPassword, fromBase64(salt), iterations, cryptoMethod);
+  const saltedPassword = await HI(processedPassword, fromBase64(salt), iterations, cryptoMethod);
 
-  const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
-  const serverKey = HMAC(cryptoMethod, saltedPassword, 'Server Key');
-  const storedKey = H(cryptoMethod, clientKey);
+  const clientKey = await HMAC(cryptoMethod, saltedPassword, 'Client Key');
+  const serverKey = await HMAC(cryptoMethod, saltedPassword, 'Server Key');
+  const storedKey = await H(cryptoMethod, clientKey);
   const authMessage = [
     clientFirstMessageBare(username, nonce),
     payload.toString('utf8'),
     withoutProof
   ].join(',');
 
-  const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
+  const clientSignature = await HMAC(cryptoMethod, storedKey, authMessage);
   const clientProof = `p=${xor(clientKey, clientSignature)}`;
   const clientFinal = [withoutProof, clientProof].join(',');
 
-  const serverSignature = HMAC(cryptoMethod, serverKey, authMessage);
+  const serverSignature = await HMAC(cryptoMethod, serverKey, authMessage);
   const saslContinueCmd = {
     saslContinue: 1,
     conversationId: response.conversationId,
@@ -231,19 +230,28 @@ function passwordDigest(username: string, password: string) {
     throw new MongoInvalidArgumentError('Password cannot be empty');
   }
 
-  let md5: crypto.Hash;
+  let nodeCrypto;
   try {
-    md5 = crypto.createHash('md5');
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    nodeCrypto = require('crypto');
+  } catch (e) {
+    throw new MongoRuntimeError('Crypto support is required for SCRAM-SHA-1 authentication', {
+      cause: e
+    });
+  }
+
+  try {
+    const md5 = nodeCrypto.createHash('md5');
+    md5.update(`${username}:mongo:${password}`, 'utf8');
+    return md5.digest('hex');
   } catch (err) {
-    if (crypto.getFips()) {
+    if (nodeCrypto.getFips()) {
       // This error is (slightly) more helpful than what comes from OpenSSL directly, e.g.
       // 'Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS'
       throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
     }
     throw err;
   }
-  md5.update(`${username}:mongo:${password}`, 'utf8');
-  return md5.digest('hex');
 }
 
 // XOR two buffers
@@ -258,12 +266,28 @@ function xor(a: Uint8Array, b: Uint8Array) {
   return ByteUtils.toBase64(fromNumberArray(res));
 }
 
-function H(method: CryptoMethod, text: Uint8Array): Uint8Array {
-  return crypto.createHash(method).update(text).digest();
+async function H(method: CryptoMethod, text: Uint8Array): Promise<Uint8Array> {
+  const buffer = await crypto.subtle.digest(method === 'sha256' ? 'SHA-256' : 'SHA-1', text);
+  return new Uint8Array(buffer);
 }
 
-function HMAC(method: CryptoMethod, key: Uint8Array, text: Uint8Array | string): Uint8Array {
-  return crypto.createHmac(method, key).update(text).digest();
+async function HMAC(
+  method: CryptoMethod,
+  key: Uint8Array,
+  text: Uint8Array | string
+): Promise<Uint8Array> {
+  const keyBuffer = ByteUtils.toLocalBufferType(key);
+  const cryptoKey = await crypto.subtle.importKey(
+    'raw',
+    keyBuffer,
+    { name: 'HMAC', hash: { name: method === 'sha256' ? 'SHA-256' : 'SHA-1' } },
+    false,
+    ['sign', 'verify']
+  );
+  const textData: Uint8Array = typeof text === 'string' ? new TextEncoder().encode(text) : text;
+  const textBuffer = ByteUtils.toLocalBufferType(textData);
+  const signature = await crypto.subtle.sign('HMAC', cryptoKey, textBuffer);
+  return new Uint8Array(signature);
 }
 
 interface HICache {
@@ -282,21 +306,32 @@ const hiLengthMap = {
   sha1: 20
 };
 
-function HI(data: string, salt: Uint8Array, iterations: number, cryptoMethod: CryptoMethod) {
+async function HI(data: string, salt: Uint8Array, iterations: number, cryptoMethod: CryptoMethod) {
   // omit the work if already generated
   const key = [data, ByteUtils.toBase64(salt), iterations].join('_');
   if (_hiCache[key] != null) {
     return _hiCache[key];
   }
 
-  // generate the salt
-  const saltedData = crypto.pbkdf2Sync(
-    data,
-    salt,
-    iterations,
-    hiLengthMap[cryptoMethod],
-    cryptoMethod
+  const keyMaterial = await crypto.subtle.importKey(
+    'raw',
+    new TextEncoder().encode(data),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveBits']
   );
+  const params = {
+    name: 'PBKDF2',
+    salt: salt,
+    iterations: iterations,
+    hash: { name: cryptoMethod === 'sha256' ? 'SHA-256' : 'SHA-1' }
+  };
+  const derivedBits = await crypto.subtle.deriveBits(
+    params,
+    keyMaterial,
+    hiLengthMap[cryptoMethod] * 8
+  );
+  const saltedData = new Uint8Array(derivedBits);
 
   // cache a copy to speed up the next lookup, but prevent unbounded cache growth
   if (_hiCacheCount >= 200) {
@@ -313,10 +348,6 @@ function compareDigest(lhs: Uint8Array, rhs: Uint8Array) {
     return false;
   }
 
-  if (typeof crypto.timingSafeEqual === 'function') {
-    return crypto.timingSafeEqual(lhs, rhs);
-  }
-
   let result = 0;
   for (let i = 0; i < lhs.length; i++) {
     result |= lhs[i] ^ rhs[i];

src/utils.ts

@@ -1,4 +1,3 @@
-import * as crypto from 'crypto';
 import type { SrvRecord } from 'dns';
 import { type EventEmitter } from 'events';
 import { promises as fs } from 'fs';
@@ -308,7 +307,7 @@ export function* makeCounter(seed = 0): Generator<number> {
  * @internal
  */
 export function uuidV4(): Uint8Array {
-  const result = crypto.randomBytes(16);
+  const result = crypto.getRandomValues(new Uint8Array(16));
   result[6] = (result[6] & 0x0f) | 0x40;
   result[8] = (result[8] & 0x3f) | 0x80;
   return result;
@@ -1228,13 +1227,8 @@ export function squashError(_error: unknown) {
   return;
 }
 
-export const randomBytes = (size: number) => {
-  return new Promise<Uint8Array>((resolve, reject) => {
-    crypto.randomBytes(size, (error: Error | null, buf: Uint8Array) => {
-      if (error) return reject(error);
-      resolve(buf);
-    });
-  });
+export const randomBytes = (size: number): Promise<Uint8Array> => {
+  return Promise.resolve(crypto.getRandomValues(new Uint8Array(size)));
 };
 
 /**