# RSA-PSS Crypto Options Update (DEP0154)

> Update deprecated RSA-PSS key generation options from `hash`/`mgf1Hash` to `hashAlgorithm`/`mgf1HashAlgorithm`

This codemod handles Node.js crypto deprecation DEP0154 by transforming deprecated RSA-PSS key generation option names to their modern equivalents.

## What It Does

The codemod transforms RSA-PSS crypto options:

* `hash` → `hashAlgorithm`
* `mgf1Hash` → `mgf1HashAlgorithm`

Transformations apply only to calls whose key type is `'rsa-pss'`, made through:

* `crypto.generateKeyPair()`
* `crypto.generateKeyPairSync()`

## Usage

```bash
npx codemod nodejs/crypto-rsa-pss-update
```

## Examples

### Async Key Generation

```javascript Before
const crypto = require("node:crypto");

crypto.generateKeyPair(
  "rsa-pss",
  {
    modulusLength: 2048,
    hash: "sha256",
    mgf1Hash: "sha1",
    saltLength: 32,
  },
  (err, publicKey, privateKey) => {
    // callback
  },
);
```

```javascript After
const crypto = require("node:crypto");

crypto.generateKeyPair(
  "rsa-pss",
  {
    modulusLength: 2048,
    hashAlgorithm: "sha256",
    mgf1HashAlgorithm: "sha1",
    saltLength: 32,
  },
  (err, publicKey, privateKey) => {
    // callback
  },
);
```

### Sync Key Generation

```javascript Before
const crypto = require("node:crypto");

crypto.generateKeyPairSync("rsa-pss", {
  modulusLength: 2048,
  hash: "sha256",
});
```

```javascript After
const crypto = require("node:crypto");

crypto.generateKeyPairSync("rsa-pss", {
  modulusLength: 2048,
  hashAlgorithm: "sha256",
});
```

## Supported Patterns

The codemod handles various code patterns:

### Destructured Imports

```javascript
const { generateKeyPair } = require('crypto');

generateKeyPair('rsa-pss', {
  hash: 'sha256'
}, callback);
```

### Variable References

```javascript
const options = {
  modulusLength: 2048,
  hash: 'sha256',
  mgf1Hash: 'sha1'
};

crypto.generateKeyPair('rsa-pss', options, callback);
```

### Object Properties

```javascript
this.options = {
  hash: 'sha256',
  mgf1Hash: 'sha1'
};

crypto.generateKeyPair('rsa-pss', this.options, callback);
```

### Function Returns

```javascript
function getKeyOptions() {
  return {
    modulusLength: 2048,
    hash: 'sha256'
  };
}

crypto.generateKeyPair('rsa-pss', getKeyOptions(), callback);
```

## What is RSA-PSS?

RSA-PSS (Probabilistic Signature Scheme) is a signature scheme with enhanced security properties:

* More secure than traditional RSA signatures
* Includes randomized padding
* Recommended for new applications requiring RSA signatures

<Tip>
  RSA-PSS requires a hash algorithm to be specified both for the signature and for MGF1, the mask generation function used in the padding.
</Tip>

## Why Migrate?

<Warning>
  The old option names `hash` and `mgf1Hash` were deprecated to avoid ambiguity and align with cryptographic terminology.
</Warning>

The new names:

* Explicitly indicate they specify algorithms, not hash values
* Reduce confusion with other crypto APIs
* Align with cryptographic standards terminology
* Improve code clarity

## Scope and Limitations

### Only RSA-PSS

The transformation **only** applies to `'rsa-pss'` key type. Other key types are not affected:

```javascript
// This is NOT transformed (different key type)
crypto.generateKeyPair('rsa', {
  modulusLength: 2048,
  hash: 'sha256'  // Remains unchanged
}, callback);

// This IS transformed (rsa-pss)
crypto.generateKeyPair('rsa-pss', {
  modulusLength: 2048,
  hash: 'sha256'  // Changes to hashAlgorithm
}, callback);
```

### Preserved Structure

* All other options remain unchanged
* Callback functions are preserved
* Code formatting is maintained
* Comments are retained

## Valid Hash Algorithms

Common hash algorithms used with RSA-PSS:

* `'sha256'` (recommended for most use cases)
* `'sha384'`
* `'sha512'`
* `'sha1'` (legacy, not recommended)

## Deprecation Reference

This migration addresses [DEP0154](https://nodejs.org/docs/latest/api/deprecations.html#DEP0154).
