Refactor Crypto to Web Crypto API

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Unknown
    • None
    • Affects Version/s: None
    • Component/s: None
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
    • None
    • None
    • None
    • None
    • None
    • None

      Use Case

      As a Node Driver Maintainer
      I want the driver to use the standard Web Crypto API (globalThis.crypto).
      So that the driver can be used in JS environments where the Node.js crypto module is not available.

      User Experience

      • Authentication works seamlessly in Edge runtimes that don't have node crypto module.

      User Experience

      • No changes in behaviour
      • Existing FIPS detection logic remains identical to previous versions.

      Risks/Unknowns

      • The Web Crypto API (subtle.digest, subtle.sign, subtle.deriveBits) is asynchronous (Promise-based). The current Node.js crypto usage is synchronous.
      • Retaining require('crypto') for .getFips() (even conditionally) can cause bundlers to include polyfills automatically.

      Acceptance Criteria

      Implementation Requirements

      • Replace randomBytes: Use crypto.getRandomValues() (Synchronous replacement).
      • Replace Hashing: Replace createHash and createHmac with crypto.subtle.digest and crypto.subtle.sign.
      • Replace PBKDF2: Replace crypto.pbkdf2Sync with crypto.subtle.deriveBits (Must be async).
      • Remove require('crypto') for all hashing/random/pbkdf2 operations.
      • Preserve the crypto.getFips() where it will be conditionally imported on demand.
      try {
  // Dynamic require to avoid crashing in non-Node envs
  if (require('crypto').getFips()) {
     throw new Error('Auth mechanism SCRAM-SHA-1 is not supported in FIPS mode');
  }
} catch (e) { /* ignore if module missing */ }
      • Comparison: implement a manual, constant-time timingSafeEqual function, as Web Crypto does not provide one.

      Testing Requirements

      • Verify existing SCRAM authentication tests pass.
      • Verify replacement functions generate the same output as node crypto module.
      • Verify that all modified crypto lines are covered in tests, and that these tests ran and passed

      Documentation Requirements

      • Add a section "Running in Custom Runtimes" to the Driver Readme explaining that users using Webpack/Vite may need to prevent crypto polyfill injection and note that getFips support is specific to the Node.js runtime.

      Follow Up Requirements

      • additional tickets to file, required releases, etc
      • if node behavior differs/will differ from other drivers, confirm with dbx devs what standard to aim for and what plan, if any, exists to reconcile the diverging behavior moving forward

            Assignee:
            Pavel Safronov
            Reporter:
            Sergey Zelenov
            None
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: