From d0479ccaf4ddcdd48d258ff86842751e41ae4d3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?=
Date: Wed, 17 May 2023 23:28:23 +0000
Subject: [PATCH] doc: use secure key length for HMAC generateKey
The examples for generateKey() and generateKeySync() generate 64-bit HMAC keys. That is inadequate for virtually any HMAC instance. As per common NIST recommendations, the minimum should be roughly 112 bits, or more commonly 128 bits. Due to the design of HMAC itself, it is not unreasonable to choose the underlying hash function's block size as the key length. For many popular hash functions (SHA-256, SHA-224, SHA-1, MD5, ...) this happens to be 64 bytes (bytes, not bits!). This is consistent with the HMAC implementation in .NET, for example, even though it provides virtually no benefit over a 256-bit key.
---
 doc/api/crypto.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 7fd9e1d2fd7f64..ccf2b759c58f3d 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3648,7 +3648,7 @@ const {
 generateKey,
 } = await import('node:crypto');
-generateKey('hmac', { length: 64 }, (err, key) => {
+generateKey('hmac', { length: 512 }, (err, key) => {
 if (err) throw err;
 console.log(key.export().toString('hex')); // 46e..........620
 });
@@ -3659,7 +3659,7 @@ const {
 generateKey,
 } = require('node:crypto');
-generateKey('hmac', { length: 64 }, (err, key) => {
+generateKey('hmac', { length: 512 }, (err, key) => {
 if (err) throw err;
 console.log(key.export().toString('hex')); // 46e..........620
 });
@@ -3922,7 +3922,7 @@ const {
 generateKeySync,
 } = await import('node:crypto');
-const key = generateKeySync('hmac', { length: 64 });
+const key = generateKeySync('hmac', { length: 512 });
 console.log(key.export().toString('hex')); // e89..........41e
 ```
@@ -3931,7 +3931,7 @@ const {
 generateKeySync,
 } = require('node:crypto');
-const key = generateKeySync('hmac', { length: 64 });
+const key = generateKeySync('hmac', { length: 512 });
 console.log(key.export().toString('hex')); // e89..........41e
 ```