fix: preserve existing keys in DH generateKeys() (#954)

Author: boorad

example/ios/Podfile.lock

@@ -2811,7 +2811,7 @@ SPEC CHECKSUMS:
   MMKVCore: f2dd4c9befea04277a55e84e7812f930537993df
   NitroMmkv: afbc5b2fbf963be567c6c545aa1efcf6a9cec68e
   NitroModules: 11bba9d065af151eae51e38a6425e04c3b223ff3
-  QuickCrypto: e284e5357d96346ce473c754f840dcdb79443b1f
+  QuickCrypto: 34cbc0a0deada5ffccae96aae6622a4efafd3969
   RCT-Folly: 846fda9475e61ec7bcbf8a3fe81edfcaeb090669
   RCTDeprecation: c4b9e2fd0ab200e3af72b013ed6113187c607077
   RCTRequired: e97dd5dafc1db8094e63bc5031e0371f092ae92a

example/package.json

@@ -40,7 +40,7 @@
     "react-native-mmkv": "4.0.1",
     "react-native-nitro-modules": "0.33.2",
     "react-native-quick-base64": "2.2.2",
-    "react-native-quick-crypto": "1.0.13",
+    "react-native-quick-crypto": "workspace:*",
     "react-native-safe-area-context": "5.6.2",
     "react-native-screens": "4.18.0",
     "react-native-vector-icons": "10.3.0",

example/src/tests/dh/dh_tests.ts

@@ -74,6 +74,31 @@ test(SUITE, 'should set keys', () => {
   assert.strictEqual(bob.getPrivateKey('hex'), alice.getPrivateKey('hex'));
 });
 
+test(SUITE, 'generateKeys should preserve a previously set private key', () => {
+  const dh1 = crypto.getDiffieHellman('modp14');
+  dh1.generateKeys();
+
+  const dh2 = crypto.createDiffieHellman(dh1.getPrime(), dh1.getGenerator());
+  dh2.setPrivateKey(dh1.getPrivateKey());
+  dh2.generateKeys();
+
+  assert.strictEqual(dh2.getPrivateKey('hex'), dh1.getPrivateKey('hex'));
+  assert.strictEqual(dh2.getPublicKey('hex'), dh1.getPublicKey('hex'));
+});
+
+test(SUITE, 'generateKeys should not regenerate keys on second call', () => {
+  const dh = crypto.getDiffieHellman('modp14');
+  dh.generateKeys();
+
+  const privKey = dh.getPrivateKey('hex');
+  const pubKey = dh.getPublicKey('hex');
+
+  dh.generateKeys();
+
+  assert.strictEqual(dh.getPrivateKey('hex'), privKey);
+  assert.strictEqual(dh.getPublicKey('hex'), pubKey);
+});
+
 test(SUITE, 'should create DiffieHellman from standard group', () => {
   const dh = crypto.getDiffieHellman('modp14');
   assert.isOk(dh);

packages/react-native-quick-crypto/cpp/dh/HybridDiffieHellman.cpp

@@ -101,23 +101,29 @@ void HybridDiffieHellman::initWithSize(double primeLength, double generator) {
 std::shared_ptr<ArrayBuffer> HybridDiffieHellman::generateKeys() {
   ensureInitialized();
 
-  EVP_PKEY_CTX_ptr kctx(EVP_PKEY_CTX_new(_pkey.get(), nullptr), EVP_PKEY_CTX_free);
-  if (!kctx) {
-    throw std::runtime_error("DiffieHellman: failed to create keygen context");
-  }
-
-  if (EVP_PKEY_keygen_init(kctx.get()) <= 0) {
-    throw std::runtime_error("DiffieHellman: failed to initialize key generation");
+  // EVP_PKEY_get0_DH may return a provider-cached copy in OpenSSL 3.x,
+  // so we must detach the DH, generate keys on it directly (like ncrypto),
+  // then re-wrap in a fresh EVP_PKEY.
+  DH* dh = EVP_PKEY_get1_DH(_pkey.get());
+  if (!dh) {
+    throw std::runtime_error("DiffieHellman: failed to get DH key");
   }
 
-  EVP_PKEY* newKey = nullptr;
-  if (EVP_PKEY_keygen(kctx.get(), &newKey) <= 0) {
+  // DH_generate_key preserves an existing private key and only computes the
+  // public key.  When no private key is set it generates both.
+  if (!DH_generate_key(dh)) {
+    DH_free(dh);
     throw std::runtime_error("DiffieHellman: failed to generate key pair");
   }
 
-  // Replace parameters-only key with full key (which includes parameters)
-  _pkey.reset(newKey);
+  EVP_PKEY_ptr newPkey(EVP_PKEY_new(), EVP_PKEY_free);
+  if (!newPkey || EVP_PKEY_assign_DH(newPkey.get(), dh) != 1) {
+    DH_free(dh);
+    throw std::runtime_error("DiffieHellman: failed to assign DH to EVP_PKEY");
+  }
+  // EVP_PKEY_assign_DH took ownership of dh
 
+  _pkey = std::move(newPkey);
   return getPublicKey();
 }