crypto: move deprecated hash and mgf1Hash options to EOL

Runtime deprecation for ~3 years. PR-URL: https://github.com/nodejs/node/pull/58706 Reviewed-By: LiviaMedeiros <livia@cirno.name> Reviewed-By: Ethan Arrowood <ethan@arrowood.dev> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
2025-12-06 00:20:08 +01:00 · 2025-06-14 14:31:45 -07:00 · 2025-06-14 14:31:45 -07:00 · c3b986853c
commit c3b986853c
parent ce546e468a
5 changed files with 28 additions and 137 deletions
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@ -3202,6 +3202,9 @@ option, or a non-nullish non-boolean value for `verbatim` option in

 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/58706
+    description: End-of-Life.
  - version: v20.0.0
    pr-url: https://github.com/nodejs/node/pull/45653
    description: Runtime deprecation.
@ -3210,10 +3213,9 @@ changes:
    description: Documentation-only deprecation.
 -->

-Type: Runtime
+Type: End-of-Life

-The `'hash'` and `'mgf1Hash'` options are replaced with `'hashAlgorithm'`
-and `'mgf1HashAlgorithm'`.
+Use  `'hashAlgorithm'` instead of `'hash'`, and `'mgf1HashAlgorithm'` instead of `'mgf1Hash'`.

 ### DEP0155: Trailing slashes in pattern specifier resolutions

--- a/lib/internal/crypto/keygen.js
+++ b/lib/internal/crypto/keygen.js
@ -195,7 +195,7 @@ function createJob(mode, type, options) {
      }

      const {
-        hash, mgf1Hash, hashAlgorithm, mgf1HashAlgorithm, saltLength,
+        hashAlgorithm, mgf1HashAlgorithm, saltLength,
      } = options;

      if (saltLength !== undefined)
@ -204,27 +204,27 @@ function createJob(mode, type, options) {
        validateString(hashAlgorithm, 'options.hashAlgorithm');
      if (mgf1HashAlgorithm !== undefined)
        validateString(mgf1HashAlgorithm, 'options.mgf1HashAlgorithm');
-      if (hash !== undefined) {
-        process.emitWarning(
-          '"options.hash" is deprecated, ' +
-          'use "options.hashAlgorithm" instead.',
-          'DeprecationWarning',
-          'DEP0154');
-        validateString(hash, 'options.hash');
-        if (hashAlgorithm && hash !== hashAlgorithm) {
-          throw new ERR_INVALID_ARG_VALUE('options.hash', hash);
-        }
+      if (options.hash !== undefined) {
+        // This API previously accepted a `hash` option that was deprecated
+        // and removed. However, in order to make the change more visible, we
+        // opted to throw an error if hash is specified rather than removing it
+        // entirely.
+        throw new ERR_INVALID_ARG_VALUE(
+          'options.hash',
+          options.hash,
+          'is no longer supported',
+        );
      }
-      if (mgf1Hash !== undefined) {
-        process.emitWarning(
-          '"options.mgf1Hash" is deprecated, ' +
-          'use "options.mgf1HashAlgorithm" instead.',
-          'DeprecationWarning',
-          'DEP0154');
-        validateString(mgf1Hash, 'options.mgf1Hash');
-        if (mgf1HashAlgorithm && mgf1Hash !== mgf1HashAlgorithm) {
-          throw new ERR_INVALID_ARG_VALUE('options.mgf1Hash', mgf1Hash);
-        }
+      if (options.mgf1Hash !== undefined) {
+        // This API previously accepted a `mgf1Hash` option that was deprecated
+        // and removed. However, in order to make the change more visible, we
+        // opted to throw an error if mgf1Hash is specified rather than removing
+        // it entirely.
+        throw new ERR_INVALID_ARG_VALUE(
+          'options.mgf1Hash',
+          options.mgf1Hash,
+          'is no longer supported',
+        );
      }

      return new RsaKeyPairGenJob(
@ -232,8 +232,8 @@ function createJob(mode, type, options) {
        kKeyVariantRSA_PSS,
        modulusLength,
        publicExponent,
-        hashAlgorithm || hash,
-        mgf1HashAlgorithm || mgf1Hash,
+        hashAlgorithm,
+        mgf1HashAlgorithm,
        saltLength,
        ...encoding);
    }
--- a/test/parallel/test-crypto-keygen-deprecation.js
+++ b/test/parallel/test-crypto-keygen-deprecation.js
@ -1,49 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const DeprecationWarning = [];
-DeprecationWarning.push([
-  '"options.hash" is deprecated, use "options.hashAlgorithm" instead.',
-  'DEP0154']);
-DeprecationWarning.push([
-  '"options.mgf1Hash" is deprecated, use "options.mgf1HashAlgorithm" instead.',
-  'DEP0154']);
-
-common.expectWarning({ DeprecationWarning });
-
-const assert = require('assert');
-const { generateKeyPair } = require('crypto');
-
-{
-  // This test makes sure deprecated options still work as intended
-
-  generateKeyPair('rsa-pss', {
-    modulusLength: 512,
-    saltLength: 16,
-    hash: 'sha256',
-    mgf1Hash: 'sha256'
-  }, common.mustSucceed((publicKey, privateKey) => {
-    assert.strictEqual(publicKey.type, 'public');
-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
-    assert.deepStrictEqual(publicKey.asymmetricKeyDetails, {
-      modulusLength: 512,
-      publicExponent: 65537n,
-      hashAlgorithm: 'sha256',
-      mgf1HashAlgorithm: 'sha256',
-      saltLength: 16
-    });
-
-    assert.strictEqual(privateKey.type, 'private');
-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
-    assert.deepStrictEqual(privateKey.asymmetricKeyDetails, {
-      modulusLength: 512,
-      publicExponent: 65537n,
-      hashAlgorithm: 'sha256',
-      mgf1HashAlgorithm: 'sha256',
-      saltLength: 16
-    });
-  }));
-}
--- a/test/parallel/test-crypto-keygen-duplicate-deprecated-option.js
+++ b/test/parallel/test-crypto-keygen-duplicate-deprecated-option.js
@ -1,43 +0,0 @@
-'use strict';
-
-const common = require('../common');
-if (!common.hasCrypto)
-  common.skip('missing crypto');
-
-const assert = require('assert');
-const {
-  generateKeyPair,
-} = require('crypto');
-
-// This test makes sure deprecated and new options may be used
-// simultaneously so long as they're identical values.
-{
-  generateKeyPair('rsa-pss', {
-    modulusLength: 512,
-    saltLength: 16,
-    hash: 'sha256',
-    hashAlgorithm: 'sha256',
-    mgf1Hash: 'sha256',
-    mgf1HashAlgorithm: 'sha256'
-  }, common.mustSucceed((publicKey, privateKey) => {
-    assert.strictEqual(publicKey.type, 'public');
-    assert.strictEqual(publicKey.asymmetricKeyType, 'rsa-pss');
-    assert.deepStrictEqual(publicKey.asymmetricKeyDetails, {
-      modulusLength: 512,
-      publicExponent: 65537n,
-      hashAlgorithm: 'sha256',
-      mgf1HashAlgorithm: 'sha256',
-      saltLength: 16
-    });
-
-    assert.strictEqual(privateKey.type, 'private');
-    assert.strictEqual(privateKey.asymmetricKeyType, 'rsa-pss');
-    assert.deepStrictEqual(privateKey.asymmetricKeyDetails, {
-      modulusLength: 512,
-      publicExponent: 65537n,
-      hashAlgorithm: 'sha256',
-      mgf1HashAlgorithm: 'sha256',
-      saltLength: 16
-    });
-  }));
-}
--- a/test/parallel/test-crypto-keygen.js
+++ b/test/parallel/test-crypto-keygen.js
@ -800,22 +800,3 @@ const { hasOpenSSL3 } = require('../common/crypto');
    message: 'Invalid MGF1 digest: sha2'
  });
 }
-
-{
-  // This test makes sure deprecated and new options must
-  // be the same value.
-
-  assert.throws(() => generateKeyPair('rsa-pss', {
-    modulusLength: 512,
-    saltLength: 16,
-    mgf1Hash: 'sha256',
-    mgf1HashAlgorithm: 'sha1'
-  }, common.mustNotCall()), { code: 'ERR_INVALID_ARG_VALUE' });
-
-  assert.throws(() => generateKeyPair('rsa-pss', {
-    modulusLength: 512,
-    saltLength: 16,
-    hash: 'sha256',
-    hashAlgorithm: 'sha1'
-  }, common.mustNotCall()), { code: 'ERR_INVALID_ARG_VALUE' });
-}