nodejs · nievasdev · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025
diff --git a/recipes/crypto-rsa-pss-update/src/workflow.ts b/recipes/crypto-rsa-pss-update/src/workflow.ts
@@ -14,8 +14,10 @@ import { resolveBindingPath } from "@nodejs/codemod-utils/ast-grep/resolve-bindi
  * 2. Function call targeting: Only crypto.generateKeyPair() and crypto.generateKeyPairSync()
  * 3. Key type filtering: Only applies to 'rsa-pss' key type (ignores 'rsa', 'ed25519', etc.)
  * 4. Import pattern support: ES6 imports, CommonJS requires, destructuring, aliases, namespace imports
- * 5. Value preservation: Maintains string literals, identifiers, template literals, and variable references
- * 6. Template literal handling: Extracts identifiers from template strings like `${variable}`
+ * 5. Variable key type support: Handles variables containing 'rsa-pss' (e.g., const keyType = 'rsa-pss')
+ * 6. Promisified wrapper support: Handles util.promisify(crypto.generateKeyPair) patterns
+ * 7. Value preservation: Maintains string literals, identifiers, template literals, and variable references
+ * 8. Template literal handling: Extracts identifiers from template strings like `${variable}`
  *
  * Only applies to crypto.generateKeyPair() and crypto.generateKeyPairSync()
  * calls with 'rsa-pss' as the first argument.
@@ -217,9 +219,43 @@ function getCryptoBindings(root: SgRoot<JS>): string[] {
 		}
 	}
 
+	// Find promisified assignments that use the discovered bindings
+	const promisifiedBindings = getPromisifiedBindings(root, bindings);
+	bindings.push(...promisifiedBindings);
+
 	return bindings;
 }
 
+/**
+ * Find promisified wrappers that use crypto bindings discovered by resolveBindingPath
+ */
+function getPromisifiedBindings(root: SgRoot<JS>, existingBindings: string[]): string[] {
+	const promisifiedBindings: string[] = [];
+	const rootNode = root.root();
+
+	for (const binding of existingBindings) {
+		// Find: const someVar = util.promisify(crypto.generateKeyPair)
+		// or:   const someVar = util.promisify(generateKeyPair) 
+		const promisified = rootNode.findAll({
+			rule: {
+				pattern: `const $BINDING = util.promisify(${binding})`
+			}
+		});
+
+		for (const decl of promisified) {
+			const bindingMatch = decl.getMatch("BINDING");
+			if (bindingMatch) {
+				const bindingName = bindingMatch.text()?.trim();
+				if (bindingName) {
+					promisifiedBindings.push(bindingName);
+				}
+			}
+		}
+	}
+
+	return promisifiedBindings;
+}
+
 /**
  * Find all function calls that match the crypto bindings
  */

diff --git a/recipes/crypto-rsa-pss-update/tests/expected/promisified-wrappers.js b/recipes/crypto-rsa-pss-update/tests/expected/promisified-wrappers.js
@@ -0,0 +1,46 @@
+const crypto = require('crypto');
+const util = require('util');
+
+// Case 1: Basic promisified wrapper
+const generateKeyPairAsync = util.promisify(crypto.generateKeyPair);
+
+generateKeyPairAsync('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha256',
+  mgf1HashAlgorithm: 'sha1',
+  saltLength: 32
+});
+
+// Case 2: Promisified sync version
+const generateKeyPairSyncAsync = util.promisify(crypto.generateKeyPairSync);
+
+generateKeyPairSyncAsync('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha512'
+});
+
+// Case 3: Different variable name
+const keyGenAsync = util.promisify(crypto.generateKeyPair);
+
+keyGenAsync('rsa-pss', {
+  mgf1HashAlgorithm: 'sha256'
+});
+
+// Case 4: Destructured import with promisify
+const { generateKeyPair } = require('crypto');
+const generateKeyPairPromise = util.promisify(generateKeyPair);
+
+generateKeyPairPromise('rsa-pss', {
+  hashAlgorithm: 'sha1',
+  mgf1HashAlgorithm: 'sha256'
+});
+
+// Case 5: Mixed with regular calls
+crypto.generateKeyPair('rsa-pss', {
+  hashAlgorithm: 'sha256'
+});
+
+// Case 6: Non-rsa-pss should not transform
+generateKeyPairAsync('rsa', {
+  hash: 'sha256'
+});
diff --git a/recipes/crypto-rsa-pss-update/tests/input/promisified-wrappers.js b/recipes/crypto-rsa-pss-update/tests/input/promisified-wrappers.js
@@ -0,0 +1,46 @@
+const crypto = require('crypto');
+const util = require('util');
+
+// Case 1: Basic promisified wrapper
+const generateKeyPairAsync = util.promisify(crypto.generateKeyPair);
+
+generateKeyPairAsync('rsa-pss', {
+  modulusLength: 2048,
+  hash: 'sha256',
+  mgf1Hash: 'sha1',
+  saltLength: 32
+});
+
+// Case 2: Promisified sync version
+const generateKeyPairSyncAsync = util.promisify(crypto.generateKeyPairSync);
+
+generateKeyPairSyncAsync('rsa-pss', {
+  modulusLength: 2048,
+  hash: 'sha512'
+});
+
+// Case 3: Different variable name
+const keyGenAsync = util.promisify(crypto.generateKeyPair);
+
+keyGenAsync('rsa-pss', {
+  mgf1Hash: 'sha256'
+});
+
+// Case 4: Destructured import with promisify
+const { generateKeyPair } = require('crypto');
+const generateKeyPairPromise = util.promisify(generateKeyPair);
+
+generateKeyPairPromise('rsa-pss', {
+  hash: 'sha1',
+  mgf1Hash: 'sha256'
+});
+
+// Case 5: Mixed with regular calls
+crypto.generateKeyPair('rsa-pss', {
+  hash: 'sha256'
+});
+
+// Case 6: Non-rsa-pss should not transform
+generateKeyPairAsync('rsa', {
+  hash: 'sha256'
+});