feat(crypto): add RSA-PSS codemod for DEP0154

recipes/crypto-rsa-pss-update/README.md

@@ -0,0 +1,75 @@
+# crypto-rsa-pss-update
+
+Codemod to handle Node.js crypto deprecation DEP0154 by transforming deprecated RSA-PSS key generation options.
+
+## What it does
+
+This codemod transforms deprecated RSA-PSS crypto options in `crypto.generateKeyPair()` and `crypto.generateKeyPairSync()` calls:
+
+- `hash` → `hashAlgorithm`
+- `mgf1Hash` → `mgf1HashAlgorithm`
+
+The transformation only applies to calls with `'rsa-pss'` as the key type.
+
+## Examples
+
+**Before**
+
+```js
+const crypto = require("node:crypto");
+
+crypto.generateKeyPair(
+	"rsa-pss",
+	{
+		modulusLength: 2048,
+		hash: "sha256",
+		mgf1Hash: "sha1",
+		saltLength: 32,
+	},
+	(err, publicKey, privateKey) => {
+		// callback
+	},
+);
+
+crypto.generateKeyPairSync("node:rsa-pss", {
+	modulusLength: 2048,
+	hash: "sha256",
+});
+```
+
+**After**
+
+```js
+const crypto = require("crypto");
+
+crypto.generateKeyPair(
+	"rsa-pss",
+	{
+		modulusLength: 2048,
+		hashAlgorithm: "sha256",
+		mgf1HashAlgorithm: "sha1",
+		saltLength: 32,
+	},
+	(err, publicKey, privateKey) => {
+		// callback
+	},
+);
+
+crypto.generateKeyPairSync("rsa-pss", {
+	modulusLength: 2048,
+	hashAlgorithm: "sha256",
+});
+```
+
+## Usage
+
+```bash
+npx codemod@next @nodejs/crypto-rsa-pss-update
+```
+
+## Supports
+
+- Both `crypto.generateKeyPair()` and `crypto.generateKeyPairSync()`
+- Destructured imports: `const { generateKeyPair } = require('crypto')`
+- Only transforms `'rsa-pss'` key type calls
+- Preserves all other options and call structure

recipes/crypto-rsa-pss-update/codemod.yaml

@@ -0,0 +1,23 @@
+schema_version: "1.0"
+name: "@nodejs/crypto-rsa-pss-update"
+version: 1.0.0
+description: Handle DEP0154 via transforming deprecated RSA-PSS crypto options `hash` to `hashAlgorithm` and `mgf1Hash` to `mgf1HashAlgorithm`
+author: Mauro Nievas
+license: MIT
+workflow: workflow.yaml
+category: migration
+
+targets:
+  languages:
+    - javascript
+    - typescript
+
+keywords:
+  - transformation
+  - migration
+  - crypto
+  - rsa-pss
+
+registry:
+  access: public
+  visibility: public

recipes/crypto-rsa-pss-update/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@nodejs/crypto-rsa-pss-update",
+  "version": "1.0.0",
+  "description": "Handle DEP0154 via transforming deprecated RSA-PSS crypto options `hash` to `hashAlgorithm` and `mgf1Hash` to `mgf1HashAlgorithm`.",
+  "type": "module",
+  "scripts": {
+    "test": "npx codemod@next jssg test -l typescript ./src/workflow.ts ./"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nodejs/userland-migrations.git",
+    "directory": "recipes/crypto-rsa-pss-update",
+    "bugs": "https://github.com/nodejs/userland-migrations/issues"
+  },
+  "author": "Mauro Nievas",
+  "license": "MIT",
+  "homepage": "https://github.com/nodejs/userland-migrations/blob/main/recipes/crypto-rsa-pss-update/README.md",
+  "devDependencies": {
+    "@types/node": "^24.0.3",
+    "@codemod.com/jssg-types": "^1.0.3"
+  },
+  "dependencies": {
+    "@nodejs/codemod-utils": "*"
+  }
+}

recipes/crypto-rsa-pss-update/src/workflow.ts

@@ -0,0 +1,160 @@
+import type { SgRoot, SgNode, Edit } from "@codemod.com/jssg-types/main";
+import { getNodeImportStatements } from "@nodejs/codemod-utils/ast-grep/import-statement";
+import { getNodeRequireCalls } from "@nodejs/codemod-utils/ast-grep/require-call";
+import { resolveBindingPath } from "@nodejs/codemod-utils/ast-grep/resolve-binding-path";
+import type JS from "@codemod.com/jssg-types/langs/javascript";
+
+/**
+ * Transform function that updates deprecated RSA-PSS crypto options.
+ *
+ * Transforms:
+ * - hash → hashAlgorithm
+ * - mgf1Hash → mgf1HashAlgorithm
+ *
+ * Only applies to crypto.generateKeyPair() and crypto.generateKeyPairSync()
+ * calls with 'rsa-pss' as the first argument.
+ */
+export default function transform(root: SgRoot<JS>): string | null {
+	const rootNode = root.root();
+	let hasChanges = false;
+	const edits: Edit[] = [];
+
+	// Collect all possible function names that could be generateKeyPair or generateKeyPairSync
+	const cryptoBindings = getCryptoBindings(root);
+
+	// Find all potential calls using any of the identified bindings
+	const allCalls = findCryptoCalls(rootNode, cryptoBindings);
+
+	for (const call of allCalls) {
+		const typeMatch = call.getMatch("TYPE");
+		const optionsMatch = call.getMatch("OPTIONS");
+
+		if (!typeMatch || !optionsMatch) continue;
+
+		// Only process 'rsa-pss' key type
+		const typeText = typeMatch.text();
+		if (!typeText.includes("'rsa-pss'") && !typeText.includes('"rsa-pss"')) {
+			continue;
+		}
+
+		// Find the object node that contains the options
+		const objectNode = optionsMatch.find({
+			rule: {
+				kind: "object"
+			}
+		});
+
+		if (!objectNode) continue;
+
+		// Find all property pairs in the object
+		const pairs = objectNode.findAll({
+			rule: {
+				kind: "pair"
+			}
+		});
+
+		// Transform hash and mgf1Hash properties
+		for (const pair of pairs) {
+				const keyNode = pair.find({
+					rule: {
+						any: [
+							{
+								regex: "hash",
+								kind: "property_identifier",
+							},
+							{
+								regex: "mgf1Hash",
+								kind: "property_identifier",
+							},
+						],
+					},
+				});
+				if (!keyNode) continue;
+				const key = keyNode.text();
+
+				// Get the value node to preserve it in the transformation
+				const valueNode = pair.find({
+					rule: {
+						kind: "string"
+					}
+				}) || pair.find({
+					rule: {
+						kind: "identifier"
+					}
+				}) || pair.find({
+					rule: {
+						kind: "template_string"
+					}
+				});
+
+				if (!valueNode) continue;
+
+				hasChanges = true;
+				const value = valueNode.text();
+
+				if (key === "hash") {
+					edits.push(pair.replace(`hashAlgorithm: ${value}`));
+				}
+				if (key === "mgf1Hash") {
+					edits.push(pair.replace(`mgf1HashAlgorithm: ${value}`));
+				}
+			}
+		}
+
+	if (!hasChanges) return null;
+
+	return rootNode.commitEdits(edits);
+}
+
+/**
+ * Analyzes imports and requires to determine all possible identifiers
+ * that could refer to generateKeyPair or generateKeyPairSync functions
+ */
+function getCryptoBindings(root: SgRoot<JS>): Map<string, string[]> {
+	const bindings = new Map<string, string[]>();
+
+	// @ts-ignore - ast-grep types compatibility
+	const importStatements = getNodeImportStatements(root, "crypto");
+	// @ts-ignore - ast-grep types compatibility
+	const requireCalls = getNodeRequireCalls(root, "crypto");
+
+	// Handle both ES6 imports and CommonJS requires
+	for (const stmt of [...importStatements, ...requireCalls]) {
+		const generateKeyPairBinding = resolveBindingPath(stmt, "$.generateKeyPair");
+		const generateKeyPairSyncBinding = resolveBindingPath(stmt, "$.generateKeyPairSync");
+
+		if (generateKeyPairBinding) {
+			bindings.set(generateKeyPairBinding, ['generateKeyPair']);
+		}
+		if (generateKeyPairSyncBinding) {
+			bindings.set(generateKeyPairSyncBinding, ['generateKeyPairSync']);
+		}
+	}
+
+	return bindings;
+}
+
+/**
+ * Find all function calls that match the crypto bindings
+ */
+function findCryptoCalls(rootNode: SgNode<JS>, bindings: Map<string, string[]>) {
+	const allCalls = [];
+
+	for (const [bindingName] of bindings) {
+		// Generate patterns for each binding
+		const patterns = [
+			{ pattern: `${bindingName}($TYPE, $OPTIONS, $CALLBACK)` },
+			{ pattern: `${bindingName}($TYPE, $OPTIONS)` }
+		];
+
+		const calls = rootNode.findAll({
+			rule: {
+				any: patterns
+			}
+		});
+
+		allCalls.push(...calls);
+	}
+
+	return allCalls;
+}

recipes/crypto-rsa-pss-update/tests/expected/basic.js

@@ -0,0 +1,24 @@
+const crypto = require('crypto');
+
+// Basic case with hash option
+crypto.generateKeyPair('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha256',
+  saltLength: 32
+}, (err, publicKey, privateKey) => {
+  console.log('Generated keys');
+});
+
+// Basic case with mgf1Hash option
+crypto.generateKeyPairSync('rsa-pss', {
+  modulusLength: 2048,
+  mgf1HashAlgorithm: 'sha256'
+});
+
+// Both options together
+crypto.generateKeyPair('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha256',
+  mgf1HashAlgorithm: 'sha1',
+  saltLength: 32
+});

recipes/crypto-rsa-pss-update/tests/expected/destructured-renamed.js

@@ -0,0 +1,16 @@
+const { generateKeyPair: foo, generateKeyPairSync: bar } = require('node:crypto');
+
+// This should be transformed but currently fails
+foo('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha256',
+  saltLength: 32
+}, (err, publicKey, privateKey) => {
+  console.log('Generated keys');
+});
+
+// This should also be transformed
+bar('rsa-pss', {
+  modulusLength: 2048,
+  mgf1HashAlgorithm: 'sha256'
+});

recipes/crypto-rsa-pss-update/tests/expected/destructured.js

@@ -0,0 +1,25 @@
+// Comprehensive import patterns test
+import { generateKeyPair } from 'crypto';
+const { generateKeyPairSync } = require('node:crypto');
+const { generateKeyPair: aliasedGenerateKeyPair } = require('crypto');
+
+// ES6 import destructuring
+generateKeyPair('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha256'
+}, (err, publicKey, privateKey) => {
+  console.log('ES6 import');
+});
+
+// CommonJS destructuring
+generateKeyPairSync('rsa-pss', {
+  modulusLength: 2048,
+  mgf1HashAlgorithm: 'sha1'
+});
+
+// Aliased destructuring
+aliasedGenerateKeyPair('rsa-pss', {
+  modulusLength: 2048,
+  hashAlgorithm: 'sha512',
+  mgf1HashAlgorithm: 'sha256'
+});