From 6879ab9b893ef5144f83fc17214719db03dbdfaf Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Wed, 8 Jan 2025 07:14:32 -0800
Subject: [PATCH] src: cleaning up more crypto internals for ncrypto

PR-URL: https://github.com/nodejs/node/pull/56526
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
---
 deps/ncrypto/ncrypto.h              |  3 -
 src/crypto/crypto_aes.cc            |  7 ++-
 src/crypto/crypto_bio.cc            |  3 +
 src/crypto/crypto_bio.h             |  7 ++-
 src/crypto/crypto_cipher.cc         | 22 ++++---
 src/crypto/crypto_cipher.h          |  4 +-
 src/crypto/crypto_common.cc         | 16 +++--
 src/crypto/crypto_common.h          | 36 +++++------
 src/crypto/crypto_context.cc        | 22 +++++--
 src/crypto/crypto_context.h         | 30 ++++-----
 src/crypto/crypto_dh.cc             | 12 ++--
 src/crypto/crypto_dh.h              | 12 ++--
 src/crypto/crypto_dsa.cc            |  3 +
 src/crypto/crypto_dsa.h             |  2 +-
 src/crypto/crypto_ec.cc             | 10 ++-
 src/crypto/crypto_ec.h              | 16 ++---
 src/crypto/crypto_hash.cc           |  2 +
 src/crypto/crypto_hash.h            |  2 +-
 src/crypto/crypto_hmac.cc           |  1 +
 src/crypto/crypto_hmac.h            |  2 +-
 src/crypto/crypto_keygen.cc         |  1 +
 src/crypto/crypto_keygen.h          |  6 +-
 src/crypto/crypto_keys.cc           | 98 +++++++++++++++--------------
 src/crypto/crypto_keys.h            | 20 +++---
 src/crypto/crypto_random.cc         |  5 +-
 src/crypto/crypto_random.h          |  8 +--
 src/crypto/crypto_rsa.cc            |  4 ++
 src/crypto/crypto_rsa.h             |  2 +-
 src/crypto/crypto_sig.cc            |  6 ++
 src/crypto/crypto_sig.h             |  6 +-
 src/crypto/crypto_spkac.cc          |  1 +
 src/crypto/crypto_tls.cc            |  6 ++
 src/crypto/crypto_tls.h             |  6 +-
 src/crypto/crypto_util.cc           | 17 +++--
 src/crypto/crypto_util.h            | 37 ++---------
 src/crypto/crypto_x509.cc           | 68 ++++++++++----------
 src/crypto/crypto_x509.h            | 27 ++++----
 src/quic/tlscontext.cc              | 65 ++++++++++---------
 src/quic/tlscontext.h               | 15 ++---
 test/cctest/test_node_crypto_env.cc |  3 +-
 40 files changed, 336 insertions(+), 277 deletions(-)

diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
index c718ae404dd223..4a9f1878b5451f 100644
--- a/deps/ncrypto/ncrypto.h
+++ b/deps/ncrypto/ncrypto.h
@@ -197,10 +197,7 @@ using DeleteFnPtr = typename FunctionDeleter<T, function>::Pointer;
 
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>;
 using BignumGenCallbackPointer = DeleteFnPtr<BN_GENCB, BN_GENCB_free>;
-using DSAPointer = DeleteFnPtr<DSA, DSA_free>;
-using DSASigPointer = DeleteFnPtr<DSA_SIG, DSA_SIG_free>;
 using ECDSASigPointer = DeleteFnPtr<ECDSA_SIG, ECDSA_SIG_free>;
-using ECPointer = DeleteFnPtr<EC_KEY, EC_KEY_free>;
 using ECGroupPointer = DeleteFnPtr<EC_GROUP, EC_GROUP_free>;
 using ECKeyPointer = DeleteFnPtr<EC_KEY, EC_KEY_free>;
 using ECPointPointer = DeleteFnPtr<EC_POINT, EC_POINT_free>;
diff --git a/src/crypto/crypto_aes.cc b/src/crypto/crypto_aes.cc
index 698f3574e47c3b..ce32b578f9b24a 100644
--- a/src/crypto/crypto_aes.cc
+++ b/src/crypto/crypto_aes.cc
@@ -16,6 +16,9 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::Cipher;
+using ncrypto::CipherCtxPointer;
 using v8::FunctionCallbackInfo;
 using v8::Just;
 using v8::JustVoid;
@@ -60,7 +63,7 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
 
   if (!ctx.setKeyLength(key_data.GetSymmetricKeySize()) ||
       !ctx.init(
-          ncrypto::Cipher(),
+          Cipher(),
           encrypt,
           reinterpret_cast<const unsigned char*>(key_data.GetSymmetricKey()),
           params.iv.data<unsigned char>())) {
@@ -464,7 +467,7 @@ Maybe<void> AESCipherTraits::AdditionalConfig(
   }
 #undef V
 
-  params->cipher = ncrypto::Cipher::FromNid(cipher_nid);
+  params->cipher = Cipher::FromNid(cipher_nid);
   if (!params->cipher) {
     THROW_ERR_CRYPTO_UNKNOWN_CIPHER(env);
     return Nothing<void>();
diff --git a/src/crypto/crypto_bio.cc b/src/crypto/crypto_bio.cc
index e9c920ccffa70a..f32cb1cff7d41d 100644
--- a/src/crypto/crypto_bio.cc
+++ b/src/crypto/crypto_bio.cc
@@ -30,6 +30,9 @@
 #include <cstring>
 
 namespace node {
+
+using ncrypto::BIOPointer;
+
 namespace crypto {
 
 BIOPointer NodeBIO::New(Environment* env) {
diff --git a/src/crypto/crypto_bio.h b/src/crypto/crypto_bio.h
index 7587a353f11cde..d621d611f748f8 100644
--- a/src/crypto/crypto_bio.h
+++ b/src/crypto/crypto_bio.h
@@ -43,12 +43,13 @@ class NodeBIO : public MemoryRetainer {
  public:
   ~NodeBIO() override;
 
-  static BIOPointer New(Environment* env = nullptr);
+  static ncrypto::BIOPointer New(Environment* env = nullptr);
 
   // NewFixed takes a copy of `len` bytes from `data` and returns a BIO that,
   // when read from, returns those bytes followed by EOF.
-  static BIOPointer NewFixed(const char* data, size_t len,
-                             Environment* env = nullptr);
+  static ncrypto::BIOPointer NewFixed(const char* data,
+                                      size_t len,
+                                      Environment* env = nullptr);
 
   // Move read head to next buffer if needed
   void TryMoveReadHead();
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index 8d8914058fc06c..61dd1e97d9672a 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
@@ -10,6 +10,13 @@
 
 namespace node {
 
+using ncrypto::Cipher;
+using ncrypto::CipherCtxPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::MarkPopErrorOnReturn;
+using ncrypto::SSLCtxPointer;
+using ncrypto::SSLPointer;
 using v8::Array;
 using v8::ArrayBuffer;
 using v8::BackingStore;
@@ -42,10 +49,10 @@ void GetCipherInfo(const FunctionCallbackInfo<Value>& args) {
   const auto cipher = ([&] {
     if (args[1]->IsString()) {
       Utf8Value name(env->isolate(), args[1]);
-      return ncrypto::Cipher::FromName(*name);
+      return Cipher::FromName(*name);
     } else {
       int nid = args[1].As<Int32>()->Value();
-      return ncrypto::Cipher::FromNid(nid);
+      return Cipher::FromNid(nid);
     }
   })();
 
@@ -334,7 +341,7 @@ void CipherBase::CommonInit(const char* cipher_type,
     return THROW_ERR_CRYPTO_INVALID_KEYLEN(env());
   }
 
-  if (!ctx_.init(ncrypto::Cipher(), encrypt, key, iv)) {
+  if (!ctx_.init(Cipher(), encrypt, key, iv)) {
     return ThrowCryptoError(env(), ERR_get_error(),
                             "Failed to initialize cipher");
   }
@@ -345,7 +352,7 @@ void CipherBase::Init(const char* cipher_type,
                       unsigned int auth_tag_len) {
   HandleScope scope(env()->isolate());
   MarkPopErrorOnReturn mark_pop_error_on_return;
-  auto cipher = ncrypto::Cipher::FromName(cipher_type);
+  auto cipher = Cipher::FromName(cipher_type);
   if (!cipher) {
     return THROW_ERR_CRYPTO_UNKNOWN_CIPHER(env());
   }
@@ -415,7 +422,7 @@ void CipherBase::InitIv(const char* cipher_type,
   HandleScope scope(env()->isolate());
   MarkPopErrorOnReturn mark_pop_error_on_return;
 
-  auto cipher = ncrypto::Cipher::FromName(cipher_type);
+  auto cipher = Cipher::FromName(cipher_type);
   if (!cipher) return THROW_ERR_CRYPTO_UNKNOWN_CIPHER(env());
 
   const int expected_iv_len = cipher.getIvLength();
@@ -628,8 +635,7 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo<Value>& args) {
   } else {
     // At this point, the tag length is already known and must match the
     // length of the given authentication tag.
-    CHECK(
-        ncrypto::Cipher::FromCtx(cipher->ctx_).isSupportedAuthenticatedMode());
+    CHECK(Cipher::FromCtx(cipher->ctx_).isSupportedAuthenticatedMode());
     CHECK_NE(cipher->auth_tag_len_, kNoAuthTagLength);
     is_valid = cipher->auth_tag_len_ == tag_len;
   }
@@ -854,7 +860,7 @@ bool CipherBase::Final(std::unique_ptr<BackingStore>* out) {
   }
 
   if (kind_ == kDecipher &&
-      ncrypto::Cipher::FromCtx(ctx_).isSupportedAuthenticatedMode()) {
+      Cipher::FromCtx(ctx_).isSupportedAuthenticatedMode()) {
     MaybePassAuthTagToOpenSSL();
   }
 
diff --git a/src/crypto/crypto_cipher.h b/src/crypto/crypto_cipher.h
index d15a231475d657..57c424e7509fa2 100644
--- a/src/crypto/crypto_cipher.h
+++ b/src/crypto/crypto_cipher.h
@@ -85,7 +85,7 @@ class CipherBase : public BaseObject {
   CipherBase(Environment* env, v8::Local<v8::Object> wrap, CipherKind kind);
 
  private:
-  CipherCtxPointer ctx_;
+  ncrypto::CipherCtxPointer ctx_;
   const CipherKind kind_;
   AuthTagState auth_tag_state_;
   unsigned int auth_tag_len_;
@@ -110,7 +110,7 @@ class PublicKeyCipher {
             EVP_PKEY_cipher_init_t EVP_PKEY_cipher_init,
             EVP_PKEY_cipher_t EVP_PKEY_cipher>
   static bool Cipher(Environment* env,
-                     const EVPKeyPointer& pkey,
+                     const ncrypto::EVPKeyPointer& pkey,
                      int padding,
                      const EVP_MD* digest,
                      const ArrayBufferOrViewContents<unsigned char>& oaep_label,
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
index 8ea34fe78b2592..568f2889fe88ad 100644
--- a/src/crypto/crypto_common.cc
+++ b/src/crypto/crypto_common.cc
@@ -27,7 +27,13 @@
 
 namespace node {
 
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::EVPKeyPointer;
+using ncrypto::SSLPointer;
+using ncrypto::SSLSessionPointer;
 using ncrypto::StackOfX509;
+using ncrypto::X509Pointer;
+using ncrypto::X509View;
 using v8::ArrayBuffer;
 using v8::BackingStore;
 using v8::Context;
@@ -135,7 +141,7 @@ MaybeLocal<Object> AddIssuerChainToObject(X509Pointer* cert,
   for (;;) {
     int i;
     for (i = 0; i < sk_X509_num(peer_certs.get()); i++) {
-      ncrypto::X509View ca(sk_X509_value(peer_certs.get(), i));
+      X509View ca(sk_X509_value(peer_certs.get(), i));
       if (!cert->view().isIssuedBy(ca)) continue;
 
       Local<Value> ca_info;
@@ -243,7 +249,7 @@ MaybeLocal<Object> GetEphemeralKey(Environment* env, const SSLPointer& ssl) {
 
   EscapableHandleScope scope(env->isolate());
   Local<Object> info = Object::New(env->isolate());
-  crypto::EVPKeyPointer key = ssl.getPeerTempKey();
+  EVPKeyPointer key = ssl.getPeerTempKey();
   if (!key) return scope.Escape(info);
 
   Local<Context> context = env->context();
@@ -341,8 +347,8 @@ MaybeLocal<Value> GetPeerCert(
     if (cert) {
       return X509Certificate::toObject(env, cert.view());
     }
-    return X509Certificate::toObject(
-        env, ncrypto::X509View(sk_X509_value(ssl_certs, 0)));
+    return X509Certificate::toObject(env,
+                                     X509View(sk_X509_value(ssl_certs, 0)));
   }
 
   StackOfX509 peer_certs = CloneSSLCerts(std::move(cert), ssl_certs);
@@ -351,7 +357,7 @@ MaybeLocal<Value> GetPeerCert(
 
   // First and main certificate.
   Local<Value> result;
-  ncrypto::X509View first_cert(sk_X509_value(peer_certs.get(), 0));
+  X509View first_cert(sk_X509_value(peer_certs.get(), 0));
   CHECK(first_cert);
   if (!X509Certificate::toObject(env, first_cert).ToLocal(&result)) return {};
   CHECK(result->IsObject());
diff --git a/src/crypto/crypto_common.h b/src/crypto/crypto_common.h
index bce577ade78b58..e3a8ebecf3c4e9 100644
--- a/src/crypto/crypto_common.h
+++ b/src/crypto/crypto_common.h
@@ -22,13 +22,15 @@
 namespace node {
 namespace crypto {
 
-SSLSessionPointer GetTLSSession(const unsigned char* buf, size_t length);
+ncrypto::SSLSessionPointer GetTLSSession(const unsigned char* buf,
+                                         size_t length);
 
 long VerifyPeerCertificate(  // NOLINT(runtime/int)
-    const SSLPointer& ssl,
+    const ncrypto::SSLPointer& ssl,
     long def = X509_V_ERR_UNSPECIFIED);  // NOLINT(runtime/int)
 
-bool UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
+bool UseSNIContext(const ncrypto::SSLPointer& ssl,
+                   BaseObjectPtr<SecureContext> context);
 
 bool SetGroups(SecureContext* sc, const char* groups);
 
@@ -36,21 +38,19 @@ v8::MaybeLocal<v8::Value> GetValidationErrorReason(Environment* env, int err);
 
 v8::MaybeLocal<v8::Value> GetValidationErrorCode(Environment* env, int err);
 
-v8::MaybeLocal<v8::Value> GetCert(Environment* env, const SSLPointer& ssl);
+v8::MaybeLocal<v8::Value> GetCert(Environment* env,
+                                  const ncrypto::SSLPointer& ssl);
 
-v8::MaybeLocal<v8::Object> GetCipherInfo(
-    Environment* env,
-    const SSLPointer& ssl);
+v8::MaybeLocal<v8::Object> GetCipherInfo(Environment* env,
+                                         const ncrypto::SSLPointer& ssl);
 
-v8::MaybeLocal<v8::Object> GetEphemeralKey(
-    Environment* env,
-    const SSLPointer& ssl);
+v8::MaybeLocal<v8::Object> GetEphemeralKey(Environment* env,
+                                           const ncrypto::SSLPointer& ssl);
 
-v8::MaybeLocal<v8::Value> GetPeerCert(
-    Environment* env,
-    const SSLPointer& ssl,
-    bool abbreviated = false,
-    bool is_server = false);
+v8::MaybeLocal<v8::Value> GetPeerCert(Environment* env,
+                                      const ncrypto::SSLPointer& ssl,
+                                      bool abbreviated = false,
+                                      bool is_server = false);
 
 v8::MaybeLocal<v8::Object> ECPointToBuffer(
     Environment* env,
@@ -60,9 +60,9 @@ v8::MaybeLocal<v8::Object> ECPointToBuffer(
     const char** error);
 
 v8::MaybeLocal<v8::Value> GetCurrentCipherName(Environment* env,
-                                               const SSLPointer& ssl);
-v8::MaybeLocal<v8::Value> GetCurrentCipherVersion(Environment* env,
-                                                  const SSLPointer& ssl);
+                                               const ncrypto::SSLPointer& ssl);
+v8::MaybeLocal<v8::Value> GetCurrentCipherVersion(
+    Environment* env, const ncrypto::SSLPointer& ssl);
 
 }  // namespace crypto
 }  // namespace node
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index fa96b8d7a51d46..8f1e6dc7110b11 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -21,7 +21,17 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::BIOPointer;
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::CryptoErrorList;
+using ncrypto::DHPointer;
+using ncrypto::EnginePointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::MarkPopErrorOnReturn;
+using ncrypto::SSLPointer;
 using ncrypto::StackOfX509;
+using ncrypto::X509Pointer;
 using v8::Array;
 using v8::ArrayBufferView;
 using v8::Boolean;
@@ -693,10 +703,10 @@ void SecureContext::SetEngineKey(const FunctionCallbackInfo<Value>& args) {
         "experimental permission model is enabled");
   }
 
-  ncrypto::CryptoErrorList errors;
+  CryptoErrorList errors;
   Utf8Value engine_id(env->isolate(), args[1]);
-  auto engine = ncrypto::EnginePointer::getEngineByName(
-      engine_id.ToStringView(), &errors);
+  auto engine =
+      EnginePointer::getEngineByName(engine_id.ToStringView(), &errors);
   if (!engine) {
     Local<Value> exception;
     if (errors.empty()) {
@@ -1205,10 +1215,10 @@ void SecureContext::SetClientCertEngine(
         "experimental permission model is enabled");
   }
 
-  ncrypto::CryptoErrorList errors;
+  CryptoErrorList errors;
   const Utf8Value engine_id(env->isolate(), args[0]);
-  auto engine = ncrypto::EnginePointer::getEngineByName(
-      engine_id.ToStringView(), &errors);
+  auto engine =
+      EnginePointer::getEngineByName(engine_id.ToStringView(), &errors);
   if (!engine) {
     Local<Value> exception;
     if (errors.empty()) {
diff --git a/src/crypto/crypto_context.h b/src/crypto/crypto_context.h
index 7ba6a5441300fc..b6801fc0b40708 100644
--- a/src/crypto/crypto_context.h
+++ b/src/crypto/crypto_context.h
@@ -23,7 +23,7 @@ X509_STORE* NewRootCertStore();
 
 X509_STORE* GetOrCreateRootCertStore();
 
-BIOPointer LoadBIO(Environment* env, v8::Local<v8::Value> v);
+ncrypto::BIOPointer LoadBIO(Environment* env, v8::Local<v8::Value> v);
 
 class SecureContext final : public BaseObject {
  public:
@@ -41,27 +41,27 @@ class SecureContext final : public BaseObject {
   static void RegisterExternalReferences(ExternalReferenceRegistry* registry);
   static SecureContext* Create(Environment* env);
 
-  const SSLCtxPointer& ctx() const { return ctx_; }
+  const ncrypto::SSLCtxPointer& ctx() const { return ctx_; }
 
   // Non-const ctx() that allows for non-default initialization of
   // the SecureContext.
-  SSLCtxPointer& ctx() { return ctx_; }
+  ncrypto::SSLCtxPointer& ctx() { return ctx_; }
 
-  SSLPointer CreateSSL();
+  ncrypto::SSLPointer CreateSSL();
 
   void SetGetSessionCallback(GetSessionCb cb);
   void SetKeylogCallback(KeylogCb cb);
   void SetNewSessionCallback(NewSessionCb cb);
   void SetSelectSNIContextCallback(SelectSNIContextCb cb);
 
-  inline const X509Pointer& issuer() const { return issuer_; }
-  inline const X509Pointer& cert() const { return cert_; }
+  inline const ncrypto::X509Pointer& issuer() const { return issuer_; }
+  inline const ncrypto::X509Pointer& cert() const { return cert_; }
 
-  v8::Maybe<void> AddCert(Environment* env, BIOPointer&& bio);
-  v8::Maybe<void> SetCRL(Environment* env, const BIOPointer& bio);
+  v8::Maybe<void> AddCert(Environment* env, ncrypto::BIOPointer&& bio);
+  v8::Maybe<void> SetCRL(Environment* env, const ncrypto::BIOPointer& bio);
   v8::Maybe<void> UseKey(Environment* env, const KeyObjectData& key);
 
-  void SetCACert(const BIOPointer& bio);
+  void SetCACert(const ncrypto::BIOPointer& bio);
   void SetRootCerts();
 
   void SetX509StoreFlag(unsigned long flags);  // NOLINT(runtime/int)
@@ -144,9 +144,9 @@ class SecureContext final : public BaseObject {
   void Reset();
 
  private:
-  SSLCtxPointer ctx_;
-  X509Pointer cert_;
-  X509Pointer issuer_;
+  ncrypto::SSLCtxPointer ctx_;
+  ncrypto::X509Pointer cert_;
+  ncrypto::X509Pointer issuer_;
   // Non-owning cache for SSL_CTX_get_cert_store(ctx_.get())
   X509_STORE* own_cert_store_cache_ = nullptr;
 #ifndef OPENSSL_NO_ENGINE
@@ -160,9 +160,9 @@ class SecureContext final : public BaseObject {
 };
 
 int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
-                                  BIOPointer&& in,
-                                  X509Pointer* cert,
-                                  X509Pointer* issuer);
+                                  ncrypto::BIOPointer&& in,
+                                  ncrypto::X509Pointer* cert,
+                                  ncrypto::X509Pointer* issuer);
 
 }  // namespace crypto
 }  // namespace node
diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
index d760a0d3ea1d12..7041eb985d9f6d 100644
--- a/src/crypto/crypto_dh.cc
+++ b/src/crypto/crypto_dh.cc
@@ -14,6 +14,11 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::DataPointer;
+using ncrypto::DHPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
 using v8::ArrayBuffer;
 using v8::ConstructorBehavior;
 using v8::Context;
@@ -47,14 +52,11 @@ void DiffieHellman::MemoryInfo(MemoryTracker* tracker) const {
 }
 
 namespace {
-MaybeLocal<Value> DataPointerToBuffer(Environment* env,
-                                      ncrypto::DataPointer&& data) {
+MaybeLocal<Value> DataPointerToBuffer(Environment* env, DataPointer&& data) {
   auto backing = ArrayBuffer::NewBackingStore(
       data.get(),
       data.size(),
-      [](void* data, size_t len, void* ptr) {
-        ncrypto::DataPointer free_ne(data, len);
-      },
+      [](void* data, size_t len, void* ptr) { DataPointer free_me(data, len); },
       nullptr);
   data.release();
 
diff --git a/src/crypto/crypto_dh.h b/src/crypto/crypto_dh.h
index a84993ddd55f02..2af668035bbb0a 100644
--- a/src/crypto/crypto_dh.h
+++ b/src/crypto/crypto_dh.h
@@ -19,22 +19,24 @@ class DiffieHellman final : public BaseObject {
   static void Initialize(Environment* env, v8::Local<v8::Object> target);
   static void RegisterExternalReferences(ExternalReferenceRegistry* registry);
 
-  DiffieHellman(Environment* env, v8::Local<v8::Object> wrap, DHPointer dh);
-  operator DHPointer&() { return dh_; }
+  DiffieHellman(Environment* env,
+                v8::Local<v8::Object> wrap,
+                ncrypto::DHPointer dh);
+  operator ncrypto::DHPointer&() { return dh_; }
 
   void MemoryInfo(MemoryTracker* tracker) const override;
   SET_MEMORY_INFO_NAME(DiffieHellman)
   SET_SELF_SIZE(DiffieHellman)
 
  private:
-  DHPointer dh_;
+  ncrypto::DHPointer dh_;
 };
 
 struct DhKeyPairParams final : public MemoryRetainer {
   // Diffie-Hellman can either generate keys using a fixed prime, or by first
   // generating a random prime of a given size (in bits). Only one of both
   // options may be specified.
-  std::variant<BignumPointer, int> prime;
+  std::variant<ncrypto::BignumPointer, int> prime;
   unsigned int generator;
   SET_NO_MEMORY_INFO()
   SET_MEMORY_INFO_NAME(DhKeyPairParams)
@@ -47,7 +49,7 @@ struct DhKeyGenTraits final {
   using AdditionalParameters = DhKeyPairGenConfig;
   static constexpr const char* JobName = "DhKeyPairGenJob";
 
-  static EVPKeyCtxPointer Setup(DhKeyPairGenConfig* params);
+  static ncrypto::EVPKeyCtxPointer Setup(DhKeyPairGenConfig* params);
 
   static v8::Maybe<void> AdditionalConfig(
       CryptoJobMode mode,
diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc
index b557de774117e4..471fee77531139 100644
--- a/src/crypto/crypto_dsa.cc
+++ b/src/crypto/crypto_dsa.cc
@@ -25,6 +25,9 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
 using v8::FunctionCallbackInfo;
 using v8::Int32;
 using v8::JustVoid;
diff --git a/src/crypto/crypto_dsa.h b/src/crypto/crypto_dsa.h
index fab167038c8862..c31aa9786558c2 100644
--- a/src/crypto/crypto_dsa.h
+++ b/src/crypto/crypto_dsa.h
@@ -26,7 +26,7 @@ struct DsaKeyGenTraits final {
   using AdditionalParameters = DsaKeyPairGenConfig;
   static constexpr const char* JobName = "DsaKeyPairGenJob";
 
-  static EVPKeyCtxPointer Setup(DsaKeyPairGenConfig* params);
+  static ncrypto::EVPKeyCtxPointer Setup(DsaKeyPairGenConfig* params);
 
   static v8::Maybe<void> AdditionalConfig(
       CryptoJobMode mode,
diff --git a/src/crypto/crypto_ec.cc b/src/crypto/crypto_ec.cc
index 9670f821ef97a6..84b1dd9c2ff3b5 100644
--- a/src/crypto/crypto_ec.cc
+++ b/src/crypto/crypto_ec.cc
@@ -18,6 +18,14 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::DataPointer;
+using ncrypto::ECGroupPointer;
+using ncrypto::ECKeyPointer;
+using ncrypto::ECPointPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::MarkPopErrorOnReturn;
 using v8::Array;
 using v8::ArrayBuffer;
 using v8::BackingStore;
@@ -821,7 +829,7 @@ Maybe<void> ExportJWKEdKey(Environment* env,
   })();
 
   static constexpr auto trySetKey = [](Environment* env,
-                                       ncrypto::DataPointer data,
+                                       DataPointer data,
                                        Local<Object> target,
                                        Local<String> key) {
     Local<Value> encoded;
diff --git a/src/crypto/crypto_ec.h b/src/crypto/crypto_ec.h
index b5de681fbe1516..7aeeebbe303eda 100644
--- a/src/crypto/crypto_ec.h
+++ b/src/crypto/crypto_ec.h
@@ -24,9 +24,9 @@ class ECDH final : public BaseObject {
   static void Initialize(Environment* env, v8::Local<v8::Object> target);
   static void RegisterExternalReferences(ExternalReferenceRegistry* registry);
 
-  static ECPointPointer BufferToPoint(Environment* env,
-                                      const EC_GROUP* group,
-                                      v8::Local<v8::Value> buf);
+  static ncrypto::ECPointPointer BufferToPoint(Environment* env,
+                                               const EC_GROUP* group,
+                                               v8::Local<v8::Value> buf);
 
   void MemoryInfo(MemoryTracker* tracker) const override;
   SET_MEMORY_INFO_NAME(ECDH)
@@ -37,7 +37,9 @@ class ECDH final : public BaseObject {
   static void GetCurves(const v8::FunctionCallbackInfo<v8::Value>& args);
 
  protected:
-  ECDH(Environment* env, v8::Local<v8::Object> wrap, ECKeyPointer&& key);
+  ECDH(Environment* env,
+       v8::Local<v8::Object> wrap,
+       ncrypto::ECKeyPointer&& key);
 
   static void New(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GenerateKeys(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -48,9 +50,9 @@ class ECDH final : public BaseObject {
   static void SetPublicKey(const v8::FunctionCallbackInfo<v8::Value>& args);
 
   bool IsKeyPairValid();
-  bool IsKeyValidForCurve(const BignumPointer& private_key);
+  bool IsKeyValidForCurve(const ncrypto::BignumPointer& private_key);
 
-  ECKeyPointer key_;
+  ncrypto::ECKeyPointer key_;
   const EC_GROUP* group_;
 };
 
@@ -102,7 +104,7 @@ struct EcKeyGenTraits final {
   using AdditionalParameters = EcKeyPairGenConfig;
   static constexpr const char* JobName = "EcKeyPairGenJob";
 
-  static EVPKeyCtxPointer Setup(EcKeyPairGenConfig* params);
+  static ncrypto::EVPKeyCtxPointer Setup(EcKeyPairGenConfig* params);
 
   static v8::Maybe<void> AdditionalConfig(
       CryptoJobMode mode,
diff --git a/src/crypto/crypto_hash.cc b/src/crypto/crypto_hash.cc
index 58856397cdff92..bcd4c533b07ceb 100644
--- a/src/crypto/crypto_hash.cc
+++ b/src/crypto/crypto_hash.cc
@@ -11,6 +11,8 @@
 
 namespace node {
 
+using ncrypto::EVPMDCtxPointer;
+using ncrypto::MarkPopErrorOnReturn;
 using v8::Context;
 using v8::FunctionCallbackInfo;
 using v8::FunctionTemplate;
diff --git a/src/crypto/crypto_hash.h b/src/crypto/crypto_hash.h
index 4289c352a7cdae..85da86dba98d5a 100644
--- a/src/crypto/crypto_hash.h
+++ b/src/crypto/crypto_hash.h
@@ -36,7 +36,7 @@ class Hash final : public BaseObject {
   Hash(Environment* env, v8::Local<v8::Object> wrap);
 
  private:
-  EVPMDCtxPointer mdctx_{};
+  ncrypto::EVPMDCtxPointer mdctx_{};
   unsigned int md_len_ = 0;
   ByteSource digest_;
 };
diff --git a/src/crypto/crypto_hmac.cc b/src/crypto/crypto_hmac.cc
index ecc4f3fd8ae7df..25ccb1b9d04e51 100644
--- a/src/crypto/crypto_hmac.cc
+++ b/src/crypto/crypto_hmac.cc
@@ -13,6 +13,7 @@
 
 namespace node {
 
+using ncrypto::HMACCtxPointer;
 using v8::Boolean;
 using v8::FunctionCallbackInfo;
 using v8::FunctionTemplate;
diff --git a/src/crypto/crypto_hmac.h b/src/crypto/crypto_hmac.h
index 2f54b1c8a14af6..e29ec231a1b7d4 100644
--- a/src/crypto/crypto_hmac.h
+++ b/src/crypto/crypto_hmac.h
@@ -36,7 +36,7 @@ class Hmac : public BaseObject {
   static void Sign(const v8::FunctionCallbackInfo<v8::Value>& args);
 
  private:
-  HMACCtxPointer ctx_;
+  ncrypto::HMACCtxPointer ctx_;
 };
 
 struct HmacConfig final : public MemoryRetainer {
diff --git a/src/crypto/crypto_keygen.cc b/src/crypto/crypto_keygen.cc
index c13acd63886673..246191f5d51796 100644
--- a/src/crypto/crypto_keygen.cc
+++ b/src/crypto/crypto_keygen.cc
@@ -12,6 +12,7 @@
 
 namespace node {
 
+using ncrypto::EVPKeyCtxPointer;
 using v8::FunctionCallbackInfo;
 using v8::Int32;
 using v8::JustVoid;
diff --git a/src/crypto/crypto_keygen.h b/src/crypto/crypto_keygen.h
index f1e92c69cb4065..6fdac8333b6ac6 100644
--- a/src/crypto/crypto_keygen.h
+++ b/src/crypto/crypto_keygen.h
@@ -163,7 +163,7 @@ struct KeyPairGenTraits final {
   static KeyGenJobStatus DoKeyGen(
       Environment* env,
       AdditionalParameters* params) {
-    EVPKeyCtxPointer ctx = KeyPairAlgorithmTraits::Setup(params);
+    ncrypto::EVPKeyCtxPointer ctx = KeyPairAlgorithmTraits::Setup(params);
 
     if (!ctx)
       return KeyGenJobStatus::FAILED;
@@ -174,7 +174,7 @@ struct KeyPairGenTraits final {
       return KeyGenJobStatus::FAILED;
 
     auto data = KeyObjectData::CreateAsymmetric(KeyType::kKeyTypePrivate,
-                                                EVPKeyPointer(pkey));
+                                                ncrypto::EVPKeyPointer(pkey));
     if (!data) [[unlikely]]
       return KeyGenJobStatus::FAILED;
     params->key = std::move(data);
@@ -280,7 +280,7 @@ struct NidKeyPairGenTraits final {
   using AdditionalParameters = NidKeyPairGenConfig;
   static constexpr const char* JobName = "NidKeyPairGenJob";
 
-  static EVPKeyCtxPointer Setup(NidKeyPairGenConfig* params);
+  static ncrypto::EVPKeyCtxPointer Setup(NidKeyPairGenConfig* params);
 
   static v8::Maybe<void> AdditionalConfig(
       CryptoJobMode mode,
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
index 4a686a77b2a0ac..30c463bf75f6b1 100644
--- a/src/crypto/crypto_keys.cc
+++ b/src/crypto/crypto_keys.cc
@@ -18,6 +18,13 @@
 
 namespace node {
 
+using ncrypto::BIOPointer;
+using ncrypto::ECKeyPointer;
+using ncrypto::ECPointPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::MarkPopErrorOnReturn;
+using ncrypto::PKCS8Pointer;
 using v8::Array;
 using v8::Context;
 using v8::Function;
@@ -41,11 +48,11 @@ using v8::Value;
 
 namespace crypto {
 namespace {
-Maybe<ncrypto::EVPKeyPointer::AsymmetricKeyEncodingConfig>
-GetKeyFormatAndTypeFromJs(const FunctionCallbackInfo<Value>& args,
-                          unsigned int* offset,
-                          KeyEncodingContext context) {
-  ncrypto::EVPKeyPointer::AsymmetricKeyEncodingConfig config;
+Maybe<EVPKeyPointer::AsymmetricKeyEncodingConfig> GetKeyFormatAndTypeFromJs(
+    const FunctionCallbackInfo<Value>& args,
+    unsigned int* offset,
+    KeyEncodingContext context) {
+  EVPKeyPointer::AsymmetricKeyEncodingConfig config;
   // During key pair generation, it is possible not to specify a key encoding,
   // which will lead to a key object being returned.
   if (args[*offset]->IsUndefined()) {
@@ -56,19 +63,19 @@ GetKeyFormatAndTypeFromJs(const FunctionCallbackInfo<Value>& args,
     config.output_key_object = false;
 
     CHECK(args[*offset]->IsInt32());
-    config.format = static_cast<ncrypto::EVPKeyPointer::PKFormatType>(
+    config.format = static_cast<EVPKeyPointer::PKFormatType>(
         args[*offset].As<Int32>()->Value());
 
     if (args[*offset + 1]->IsInt32()) {
-      config.type = static_cast<ncrypto::EVPKeyPointer::PKEncodingType>(
+      config.type = static_cast<EVPKeyPointer::PKEncodingType>(
           args[*offset + 1].As<Int32>()->Value());
     } else {
       CHECK((context == kKeyContextInput &&
-             config.format == ncrypto::EVPKeyPointer::PKFormatType::PEM) ||
+             config.format == EVPKeyPointer::PKFormatType::PEM) ||
             (context == kKeyContextGenerate &&
-             config.format == ncrypto::EVPKeyPointer::PKFormatType::JWK));
+             config.format == EVPKeyPointer::PKFormatType::JWK));
       CHECK(args[*offset + 1]->IsNullOrUndefined());
-      config.type = ncrypto::EVPKeyPointer::PKEncodingType::PKCS1;
+      config.type = EVPKeyPointer::PKEncodingType::PKCS1;
     }
   }
 
@@ -79,16 +86,16 @@ GetKeyFormatAndTypeFromJs(const FunctionCallbackInfo<Value>& args,
 MaybeLocal<Value> BIOToStringOrBuffer(
     Environment* env,
     const BIOPointer& bio,
-    const ncrypto::EVPKeyPointer::AsymmetricKeyEncodingConfig& config) {
+    const EVPKeyPointer::AsymmetricKeyEncodingConfig& config) {
   BUF_MEM* bptr = bio;
-  if (config.format == ncrypto::EVPKeyPointer::PKFormatType::PEM) {
+  if (config.format == EVPKeyPointer::PKFormatType::PEM) {
     // PEM is an ASCII format, so we will return it as a string.
     return String::NewFromUtf8(
                env->isolate(), bptr->data, NewStringType::kNormal, bptr->length)
         .FromMaybe(Local<Value>());
   }
 
-  CHECK_EQ(config.format, ncrypto::EVPKeyPointer::PKFormatType::DER);
+  CHECK_EQ(config.format, EVPKeyPointer::PKFormatType::DER);
   // DER is binary, return it as a buffer.
   return Buffer::Copy(env, bptr->data, bptr->length).FromMaybe(Local<Value>());
 }
@@ -96,7 +103,7 @@ MaybeLocal<Value> BIOToStringOrBuffer(
 MaybeLocal<Value> WritePrivateKey(
     Environment* env,
     const EVPKeyPointer& pkey,
-    const ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig& config) {
+    const EVPKeyPointer::PrivateKeyEncodingConfig& config) {
   CHECK(pkey);
   auto res = pkey.writePrivateKey(config);
   if (res) {
@@ -111,7 +118,7 @@ MaybeLocal<Value> WritePrivateKey(
 MaybeLocal<Value> WritePublicKey(
     Environment* env,
     const EVPKeyPointer& pkey,
-    const ncrypto::EVPKeyPointer::PublicKeyEncodingConfig& config) {
+    const EVPKeyPointer::PublicKeyEncodingConfig& config) {
   CHECK(pkey);
   auto res = pkey.writePublicKey(config);
   if (res) {
@@ -243,7 +250,7 @@ Maybe<void> GetAsymmetricKeyDetail(Environment* env,
 
 KeyObjectData TryParsePrivateKey(
     Environment* env,
-    const ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig& config,
+    const EVPKeyPointer::PrivateKeyEncodingConfig& config,
     const ncrypto::Buffer<const unsigned char>& buffer) {
   auto res = EVPKeyPointer::TryParsePrivateKey(config, buffer);
   if (res) {
@@ -285,7 +292,7 @@ Maybe<void> ExportJWKInner(Environment* env,
 
 Maybe<void> KeyObjectData::ToEncodedPublicKey(
     Environment* env,
-    const ncrypto::EVPKeyPointer::PublicKeyEncodingConfig& config,
+    const EVPKeyPointer::PublicKeyEncodingConfig& config,
     Local<Value>* out) {
   CHECK(key_type_ != KeyType::kKeyTypeSecret);
   if (config.output_key_object) {
@@ -294,7 +301,7 @@ Maybe<void> KeyObjectData::ToEncodedPublicKey(
     return NothingIfFalse(
         KeyObjectHandle::Create(env, addRefWithType(KeyType::kKeyTypePublic))
             .ToLocal(out));
-  } else if (config.format == ncrypto::EVPKeyPointer::PKFormatType::JWK) {
+  } else if (config.format == EVPKeyPointer::PKFormatType::JWK) {
     *out = Object::New(env->isolate());
     return ExportJWKInner(
         env, addRefWithType(KeyType::kKeyTypePublic), *out, false);
@@ -306,14 +313,14 @@ Maybe<void> KeyObjectData::ToEncodedPublicKey(
 
 Maybe<void> KeyObjectData::ToEncodedPrivateKey(
     Environment* env,
-    const ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig& config,
+    const EVPKeyPointer::PrivateKeyEncodingConfig& config,
     Local<Value>* out) {
   CHECK(key_type_ != KeyType::kKeyTypeSecret);
   if (config.output_key_object) {
     return NothingIfFalse(
         KeyObjectHandle::Create(env, addRefWithType(KeyType::kKeyTypePrivate))
             .ToLocal(out));
-  } else if (config.format == ncrypto::EVPKeyPointer::PKFormatType::JWK) {
+  } else if (config.format == EVPKeyPointer::PKFormatType::JWK) {
     *out = Object::New(env->isolate());
     return ExportJWKInner(
         env, addRefWithType(KeyType::kKeyTypePrivate), *out, false);
@@ -323,16 +330,16 @@ Maybe<void> KeyObjectData::ToEncodedPrivateKey(
       WritePrivateKey(env, GetAsymmetricKey(), config).ToLocal(out));
 }
 
-Maybe<ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig>
+Maybe<EVPKeyPointer::PrivateKeyEncodingConfig>
 KeyObjectData::GetPrivateKeyEncodingFromJs(
     const FunctionCallbackInfo<Value>& args,
     unsigned int* offset,
     KeyEncodingContext context) {
   Environment* env = Environment::GetCurrent(args);
 
-  ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig config;
+  EVPKeyPointer::PrivateKeyEncodingConfig config;
   if (!GetKeyFormatAndTypeFromJs(args, offset, context).To(&config)) {
-    return Nothing<ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig>();
+    return Nothing<EVPKeyPointer::PrivateKeyEncodingConfig>();
   }
 
   if (config.output_key_object) {
@@ -346,7 +353,7 @@ KeyObjectData::GetPrivateKeyEncodingFromJs(
         config.cipher = EVP_get_cipherbyname(*cipher_name);
         if (config.cipher == nullptr) {
           THROW_ERR_CRYPTO_UNKNOWN_CIPHER(env);
-          return Nothing<ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig>();
+          return Nothing<EVPKeyPointer::PrivateKeyEncodingConfig>();
         }
         needs_passphrase = true;
       } else {
@@ -361,7 +368,7 @@ KeyObjectData::GetPrivateKeyEncodingFromJs(
       ArrayBufferOrViewContents<char> passphrase(args[*offset]);
       if (!passphrase.CheckSizeInt32()) [[unlikely]] {
         THROW_ERR_OUT_OF_RANGE(env, "passphrase is too big");
-        return Nothing<ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig>();
+        return Nothing<EVPKeyPointer::PrivateKeyEncodingConfig>();
       }
       config.passphrase = passphrase.ToDataPointer();
     } else {
@@ -370,11 +377,10 @@ KeyObjectData::GetPrivateKeyEncodingFromJs(
   }
 
   (*offset)++;
-  return Just<ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig>(
-      std::move(config));
+  return Just<EVPKeyPointer::PrivateKeyEncodingConfig>(std::move(config));
 }
 
-Maybe<ncrypto::EVPKeyPointer::PublicKeyEncodingConfig>
+Maybe<EVPKeyPointer::PublicKeyEncodingConfig>
 KeyObjectData::GetPublicKeyEncodingFromJs(
     const FunctionCallbackInfo<Value>& args,
     unsigned int* offset,
@@ -390,7 +396,7 @@ KeyObjectData KeyObjectData::GetPrivateKeyFromJs(
     Environment* env = Environment::GetCurrent(args);
     auto key = ByteSource::FromStringOrBuffer(env, args[(*offset)++]);
 
-    ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig config;
+    EVPKeyPointer::PrivateKeyEncodingConfig config;
     if (!GetPrivateKeyEncodingFromJs(args, offset, kKeyContextInput)
              .To(&config)) {
       return {};
@@ -423,7 +429,7 @@ KeyObjectData KeyObjectData::GetPublicOrPrivateKeyFromJs(
       return {};
     }
 
-    ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig config;
+    EVPKeyPointer::PrivateKeyEncodingConfig config;
     if (!KeyObjectData::GetPrivateKeyEncodingFromJs(
              args, offset, kKeyContextInput)
              .To(&config)) {
@@ -435,7 +441,7 @@ KeyObjectData KeyObjectData::GetPublicOrPrivateKeyFromJs(
         .len = data.size(),
     };
 
-    if (config.format == ncrypto::EVPKeyPointer::PKFormatType::PEM) {
+    if (config.format == EVPKeyPointer::PKFormatType::PEM) {
       // For PEM, we can easily determine whether it is a public or private key
       // by looking for the respective PEM tags.
       auto res = EVPKeyPointer::TryParsePublicKeyPEM(buffer);
@@ -456,13 +462,13 @@ KeyObjectData KeyObjectData::GetPublicOrPrivateKeyFromJs(
     static const auto is_public = [](const auto& config,
                                      const auto& buffer) -> bool {
       switch (config.type) {
-        case ncrypto::EVPKeyPointer::PKEncodingType::PKCS1:
+        case EVPKeyPointer::PKEncodingType::PKCS1:
           return !EVPKeyPointer::IsRSAPrivateKey(buffer);
-        case ncrypto::EVPKeyPointer::PKEncodingType::SPKI:
+        case EVPKeyPointer::PKEncodingType::SPKI:
           return true;
-        case ncrypto::EVPKeyPointer::PKEncodingType::PKCS8:
+        case EVPKeyPointer::PKEncodingType::PKCS8:
           return false;
-        case ncrypto::EVPKeyPointer::PKEncodingType::SEC1:
+        case EVPKeyPointer::PKEncodingType::SEC1:
           return false;
         default:
           UNREACHABLE("Invalid key encoding type");
@@ -990,7 +996,7 @@ void KeyObjectHandle::Export(const FunctionCallbackInfo<Value>& args) {
     result = key->ExportSecretKey();
   } else if (type == kKeyTypePublic) {
     unsigned int offset = 0;
-    ncrypto::EVPKeyPointer::PublicKeyEncodingConfig config;
+    EVPKeyPointer::PublicKeyEncodingConfig config;
     if (!KeyObjectData::GetPublicKeyEncodingFromJs(
              args, &offset, kKeyContextExport)
              .To(&config)) {
@@ -1001,7 +1007,7 @@ void KeyObjectHandle::Export(const FunctionCallbackInfo<Value>& args) {
   } else {
     CHECK_EQ(type, kKeyTypePrivate);
     unsigned int offset = 0;
-    ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig config;
+    EVPKeyPointer::PrivateKeyEncodingConfig config;
     if (!KeyObjectData::GetPrivateKeyEncodingFromJs(
              args, &offset, kKeyContextExport)
              .To(&config)) {
@@ -1022,12 +1028,12 @@ MaybeLocal<Value> KeyObjectHandle::ExportSecretKey() const {
 }
 
 MaybeLocal<Value> KeyObjectHandle::ExportPublicKey(
-    const ncrypto::EVPKeyPointer::PublicKeyEncodingConfig& config) const {
+    const EVPKeyPointer::PublicKeyEncodingConfig& config) const {
   return WritePublicKey(env(), data_.GetAsymmetricKey(), config);
 }
 
 MaybeLocal<Value> KeyObjectHandle::ExportPrivateKey(
-    const ncrypto::EVPKeyPointer::PrivateKeyEncodingConfig& config) const {
+    const EVPKeyPointer::PrivateKeyEncodingConfig& config) const {
   return WritePrivateKey(env(), data_.GetAsymmetricKey(), config);
 }
 
@@ -1184,19 +1190,19 @@ void Initialize(Environment* env, Local<Object> target) {
               KeyObjectHandle::Initialize(env)).Check();
 
   constexpr int kKeyEncodingPKCS1 =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKEncodingType::PKCS1);
+      static_cast<int>(EVPKeyPointer::PKEncodingType::PKCS1);
   constexpr int kKeyEncodingPKCS8 =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKEncodingType::PKCS8);
+      static_cast<int>(EVPKeyPointer::PKEncodingType::PKCS8);
   constexpr int kKeyEncodingSPKI =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKEncodingType::SPKI);
+      static_cast<int>(EVPKeyPointer::PKEncodingType::SPKI);
   constexpr int kKeyEncodingSEC1 =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKEncodingType::SEC1);
+      static_cast<int>(EVPKeyPointer::PKEncodingType::SEC1);
   constexpr int kKeyFormatDER =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKFormatType::DER);
+      static_cast<int>(EVPKeyPointer::PKFormatType::DER);
   constexpr int kKeyFormatPEM =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKFormatType::PEM);
+      static_cast<int>(EVPKeyPointer::PKFormatType::PEM);
   constexpr int kKeyFormatJWK =
-      static_cast<int>(ncrypto::EVPKeyPointer::PKFormatType::JWK);
+      static_cast<int>(EVPKeyPointer::PKFormatType::JWK);
 
   NODE_DEFINE_CONSTANT(target, kWebCryptoKeyFormatRaw);
   NODE_DEFINE_CONSTANT(target, kWebCryptoKeyFormatPKCS8);
diff --git a/src/crypto/crypto_keys.h b/src/crypto/crypto_keys.h
index 32832e87798372..e4f3e03e59bf48 100644
--- a/src/crypto/crypto_keys.h
+++ b/src/crypto/crypto_keys.h
@@ -33,10 +33,11 @@ enum KeyEncodingContext {
 
 enum class ParseKeyResult {
   kParseKeyNotRecognized =
-      static_cast<int>(EVPKeyPointer::PKParseError::NOT_RECOGNIZED),
+      static_cast<int>(ncrypto::EVPKeyPointer::PKParseError::NOT_RECOGNIZED),
   kParseKeyNeedPassphrase =
-      static_cast<int>(EVPKeyPointer::PKParseError::NEED_PASSPHRASE),
-  kParseKeyFailed = static_cast<int>(EVPKeyPointer::PKParseError::FAILED),
+      static_cast<int>(ncrypto::EVPKeyPointer::PKParseError::NEED_PASSPHRASE),
+  kParseKeyFailed =
+      static_cast<int>(ncrypto::EVPKeyPointer::PKParseError::FAILED),
   kParseKeyOk,
 };
 
@@ -45,7 +46,8 @@ class KeyObjectData final : public MemoryRetainer {
  public:
   static KeyObjectData CreateSecret(ByteSource key);
 
-  static KeyObjectData CreateAsymmetric(KeyType type, EVPKeyPointer&& pkey);
+  static KeyObjectData CreateAsymmetric(KeyType type,
+                                        ncrypto::EVPKeyPointer&& pkey);
 
   KeyObjectData(std::nullptr_t = nullptr);
 
@@ -55,7 +57,7 @@ class KeyObjectData final : public MemoryRetainer {
 
   // These functions allow unprotected access to the raw key material and should
   // only be used to implement cryptographic operations requiring the key.
-  const EVPKeyPointer& GetAsymmetricKey() const;
+  const ncrypto::EVPKeyPointer& GetAsymmetricKey() const;
   const char* GetSymmetricKey() const;
   size_t GetSymmetricKeySize() const;
 
@@ -103,11 +105,11 @@ class KeyObjectData final : public MemoryRetainer {
 
  private:
   explicit KeyObjectData(ByteSource symmetric_key);
-  explicit KeyObjectData(KeyType type, EVPKeyPointer&& pkey);
+  explicit KeyObjectData(KeyType type, ncrypto::EVPKeyPointer&& pkey);
 
   static KeyObjectData GetParsedKey(KeyType type,
                                     Environment* env,
-                                    EVPKeyPointer&& pkey,
+                                    ncrypto::EVPKeyPointer&& pkey,
                                     ParseKeyResult ret,
                                     const char* default_msg);
 
@@ -116,10 +118,10 @@ class KeyObjectData final : public MemoryRetainer {
 
   struct Data {
     const ByteSource symmetric_key;
-    const EVPKeyPointer asymmetric_key;
+    const ncrypto::EVPKeyPointer asymmetric_key;
     explicit Data(ByteSource symmetric_key)
         : symmetric_key(std::move(symmetric_key)) {}
-    explicit Data(EVPKeyPointer asymmetric_key)
+    explicit Data(ncrypto::EVPKeyPointer asymmetric_key)
         : asymmetric_key(std::move(asymmetric_key)) {}
   };
   std::shared_ptr<Data> data_;
diff --git a/src/crypto/crypto_random.cc b/src/crypto/crypto_random.cc
index 0c26834de3126c..cb96698aa644c3 100644
--- a/src/crypto/crypto_random.cc
+++ b/src/crypto/crypto_random.cc
@@ -11,6 +11,8 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::ClearErrorOnReturn;
 using v8::ArrayBuffer;
 using v8::BackingStore;
 using v8::Boolean;
@@ -27,8 +29,7 @@ using v8::Value;
 
 namespace crypto {
 namespace {
-ncrypto::BignumPointer::PrimeCheckCallback getPrimeCheckCallback(
-    Environment* env) {
+BignumPointer::PrimeCheckCallback getPrimeCheckCallback(Environment* env) {
   // The callback is used to check if the operation should be stopped.
   // Currently, the only check we perform is if env->is_stopping()
   // is true.
diff --git a/src/crypto/crypto_random.h b/src/crypto/crypto_random.h
index 01cfc38f45e2f9..8b3193c24f6aa1 100644
--- a/src/crypto/crypto_random.h
+++ b/src/crypto/crypto_random.h
@@ -45,9 +45,9 @@ struct RandomBytesTraits final {
 using RandomBytesJob = DeriveBitsJob<RandomBytesTraits>;
 
 struct RandomPrimeConfig final : public MemoryRetainer {
-  BignumPointer prime;
-  BignumPointer rem;
-  BignumPointer add;
+  ncrypto::BignumPointer prime;
+  ncrypto::BignumPointer rem;
+  ncrypto::BignumPointer add;
   int bits;
   bool safe;
   void MemoryInfo(MemoryTracker* tracker) const override;
@@ -80,7 +80,7 @@ struct RandomPrimeTraits final {
 using RandomPrimeJob = DeriveBitsJob<RandomPrimeTraits>;
 
 struct CheckPrimeConfig final : public MemoryRetainer {
-  BignumPointer candidate;
+  ncrypto::BignumPointer candidate;
   int checks = 1;
 
   void MemoryInfo(MemoryTracker* tracker) const override;
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index 6d360554b31d53..05a3882c7e17d7 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -14,6 +14,10 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::RSAPointer;
 using v8::ArrayBuffer;
 using v8::BackingStore;
 using v8::FunctionCallbackInfo;
diff --git a/src/crypto/crypto_rsa.h b/src/crypto/crypto_rsa.h
index cbab0ef15acdf7..29b259ae2f5284 100644
--- a/src/crypto/crypto_rsa.h
+++ b/src/crypto/crypto_rsa.h
@@ -41,7 +41,7 @@ struct RsaKeyGenTraits final {
   using AdditionalParameters = RsaKeyPairGenConfig;
   static constexpr const char* JobName = "RsaKeyPairGenJob";
 
-  static EVPKeyCtxPointer Setup(RsaKeyPairGenConfig* params);
+  static ncrypto::EVPKeyCtxPointer Setup(RsaKeyPairGenConfig* params);
 
   static v8::Maybe<void> AdditionalConfig(
       CryptoJobMode mode,
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
index 0e808013a31f9d..0b73f0281217b8 100644
--- a/src/crypto/crypto_sig.cc
+++ b/src/crypto/crypto_sig.cc
@@ -12,6 +12,12 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::ECDSASigPointer;
+using ncrypto::EVPKeyCtxPointer;
+using ncrypto::EVPKeyPointer;
+using ncrypto::EVPMDCtxPointer;
 using v8::ArrayBuffer;
 using v8::BackingStore;
 using v8::Boolean;
diff --git a/src/crypto/crypto_sig.h b/src/crypto/crypto_sig.h
index 14c553fe3fca66..3a3c27b4e8e748 100644
--- a/src/crypto/crypto_sig.h
+++ b/src/crypto/crypto_sig.h
@@ -42,7 +42,7 @@ class SignBase : public BaseObject {
   SET_SELF_SIZE(SignBase)
 
  protected:
-  EVPMDCtxPointer mdctx_;
+  ncrypto::EVPMDCtxPointer mdctx_;
 };
 
 class Sign : public SignBase {
@@ -60,7 +60,7 @@ class Sign : public SignBase {
       : error(err), signature(std::move(sig)) {}
   };
 
-  SignResult SignFinal(const EVPKeyPointer& pkey,
+  SignResult SignFinal(const ncrypto::EVPKeyPointer& pkey,
                        int padding,
                        const v8::Maybe<int>& saltlen,
                        DSASigEnc dsa_sig_enc);
@@ -81,7 +81,7 @@ class Verify : public SignBase {
   static void Initialize(Environment* env, v8::Local<v8::Object> target);
   static void RegisterExternalReferences(ExternalReferenceRegistry* registry);
 
-  Error VerifyFinal(const EVPKeyPointer& key,
+  Error VerifyFinal(const ncrypto::EVPKeyPointer& key,
                     const ByteSource& sig,
                     int padding,
                     const v8::Maybe<int>& saltlen,
diff --git a/src/crypto/crypto_spkac.cc b/src/crypto/crypto_spkac.cc
index d0dcb1d7be5581..ba085226984767 100644
--- a/src/crypto/crypto_spkac.cc
+++ b/src/crypto/crypto_spkac.cc
@@ -9,6 +9,7 @@
 
 namespace node {
 
+using ncrypto::BIOPointer;
 using v8::Context;
 using v8::FunctionCallbackInfo;
 using v8::Local;
diff --git a/src/crypto/crypto_tls.cc b/src/crypto/crypto_tls.cc
index 21a4e7538366be..0f1defef16661a 100644
--- a/src/crypto/crypto_tls.cc
+++ b/src/crypto/crypto_tls.cc
@@ -36,6 +36,12 @@
 
 namespace node {
 
+using ncrypto::BIOPointer;
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::MarkPopErrorOnReturn;
+using ncrypto::SSLPointer;
+using ncrypto::SSLSessionPointer;
+using ncrypto::X509Pointer;
 using v8::Array;
 using v8::ArrayBuffer;
 using v8::ArrayBufferView;
diff --git a/src/crypto/crypto_tls.h b/src/crypto/crypto_tls.h
index 1faad67a4a2886..ed1ee337b42ec1 100644
--- a/src/crypto/crypto_tls.h
+++ b/src/crypto/crypto_tls.h
@@ -248,8 +248,8 @@ class TLSWrap : public AsyncWrap,
 
   Environment* const env_;
   Kind kind_;
-  SSLSessionPointer next_sess_;
-  SSLPointer ssl_;
+  ncrypto::SSLSessionPointer next_sess_;
+  ncrypto::SSLPointer ssl_;
   ClientHelloParser hello_parser_;
   v8::Global<v8::ArrayBufferView> ocsp_response_;
   BaseObjectPtr<SecureContext> sni_context_;
@@ -288,7 +288,7 @@ class TLSWrap : public AsyncWrap,
   CertCb cert_cb_ = nullptr;
   void* cert_cb_arg_ = nullptr;
 
-  BIOPointer bio_trace_;
+  ncrypto::BIOPointer bio_trace_;
 
   bool has_active_write_issued_by_prev_listener_ = false;
 
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 49ef332dfac7e0..60610b1b795c9b 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -26,6 +26,11 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::BIOPointer;
+using ncrypto::CryptoErrorList;
+using ncrypto::EnginePointer;
+using ncrypto::EVPKeyCtxPointer;
 using v8::ArrayBuffer;
 using v8::BackingStore;
 using v8::BigInt;
@@ -162,7 +167,7 @@ void InitCryptoOnce() {
   sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
 
 #ifndef OPENSSL_NO_ENGINE
-  ncrypto::EnginePointer::initEnginesOnce();
+  EnginePointer::initEnginesOnce();
 #endif  // !OPENSSL_NO_ENGINE
 }
 
@@ -181,7 +186,7 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
   CHECK(env->owns_process_state());
   bool enable = args[0]->BooleanValue(env->isolate());
 
-  ncrypto::CryptoErrorList errors;
+  CryptoErrorList errors;
   if (!ncrypto::setFipsEnabled(enable, &errors)) {
     Local<Value> exception;
     if (cryptoErrorListToException(env, errors).ToLocal(&exception)) {
@@ -210,8 +215,8 @@ bool CryptoErrorStore::Empty() const {
   return errors_.empty();
 }
 
-MaybeLocal<Value> cryptoErrorListToException(
-    Environment* env, const ncrypto::CryptoErrorList& errors) {
+MaybeLocal<Value> cryptoErrorListToException(Environment* env,
+                                             const CryptoErrorList& errors) {
   // The CryptoErrorList contains a listing of zero or more errors.
   // If there are no errors, it is likely a bug but we will return
   // an error anyway.
@@ -588,7 +593,7 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
   // If the engine name is not known, calling setAsDefault on the
   // empty engine pointer will be non-op that always returns false.
   args.GetReturnValue().Set(
-      ncrypto::EnginePointer::getEngineByName(engine_id.ToStringView())
+      EnginePointer::getEngineByName(engine_id.ToStringView())
           .setAsDefault(flags));
 }
 #endif  // !OPENSSL_NO_ENGINE
@@ -598,7 +603,7 @@ MaybeLocal<Value> EncodeBignum(
     const BIGNUM* bn,
     int size,
     Local<Value>* error) {
-  auto buf = ncrypto::BignumPointer::EncodePadded(bn, size);
+  auto buf = BignumPointer::EncodePadded(bn, size);
   CHECK_EQ(buf.size(), static_cast<size_t>(size));
   return StringBytes::Encode(env->isolate(),
                              reinterpret_cast<const char*>(buf.get()),
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
index bd38be97094f1e..a5967c7d24b836 100644
--- a/src/crypto/crypto_util.h
+++ b/src/crypto/crypto_util.h
@@ -38,6 +38,7 @@
 #include <vector>
 
 namespace node {
+
 namespace crypto {
 // Currently known sizes of commonly used OpenSSL struct sizes.
 // OpenSSL considers it's various structs to be opaque and the
@@ -53,33 +54,6 @@ constexpr size_t kSizeOf_EVP_PKEY = 72;
 constexpr size_t kSizeOf_EVP_PKEY_CTX = 80;
 constexpr size_t kSizeOf_HMAC_CTX = 32;
 
-// Define smart pointers for the most commonly used OpenSSL types:
-using X509Pointer = ncrypto::X509Pointer;
-using BIOPointer = ncrypto::BIOPointer;
-using SSLCtxPointer = ncrypto::SSLCtxPointer;
-using SSLSessionPointer = ncrypto::SSLSessionPointer;
-using SSLPointer = ncrypto::SSLPointer;
-using PKCS8Pointer = ncrypto::PKCS8Pointer;
-using EVPKeyPointer = ncrypto::EVPKeyPointer;
-using EVPKeyCtxPointer = ncrypto::EVPKeyCtxPointer;
-using EVPMDCtxPointer = ncrypto::EVPMDCtxPointer;
-using RSAPointer = ncrypto::RSAPointer;
-using ECPointer = ncrypto::ECPointer;
-using BignumPointer = ncrypto::BignumPointer;
-using NetscapeSPKIPointer = ncrypto::NetscapeSPKIPointer;
-using ECGroupPointer = ncrypto::ECGroupPointer;
-using ECPointPointer = ncrypto::ECPointPointer;
-using ECKeyPointer = ncrypto::ECKeyPointer;
-using DHPointer = ncrypto::DHPointer;
-using ECDSASigPointer = ncrypto::ECDSASigPointer;
-using HMACCtxPointer = ncrypto::HMACCtxPointer;
-using CipherCtxPointer = ncrypto::CipherCtxPointer;
-using DsaPointer = ncrypto::DSAPointer;
-using DsaSigPointer = ncrypto::DSASigPointer;
-
-using ClearErrorOnReturn = ncrypto::ClearErrorOnReturn;
-using MarkPopErrorOnReturn = ncrypto::MarkPopErrorOnReturn;
-
 bool ProcessFipsOptions();
 
 bool InitCryptoOnce(v8::Isolate* isolate);
@@ -260,8 +234,8 @@ class ByteSource {
 
   operator bool() const { return data_ != nullptr; }
 
-  BignumPointer ToBN() const {
-    return BignumPointer(data<unsigned char>(), size());
+  ncrypto::BignumPointer ToBN() const {
+    return ncrypto::BignumPointer(data<unsigned char>(), size());
   }
 
   // Creates a v8::BackingStore that takes over responsibility for
@@ -296,7 +270,7 @@ class ByteSource {
   static ByteSource FromBuffer(v8::Local<v8::Value> buffer,
                                bool ntc = false);
 
-  static ByteSource FromBIO(const BIOPointer& bio);
+  static ByteSource FromBIO(const ncrypto::BIOPointer& bio);
 
   static ByteSource NullTerminatedCopy(Environment* env,
                                        v8::Local<v8::Value> value);
@@ -733,7 +707,8 @@ v8::Maybe<void> SetEncodedValue(Environment* env,
                                 const BIGNUM* bn,
                                 int size = 0);
 
-bool SetRsaOaepLabel(const EVPKeyCtxPointer& rsa, const ByteSource& label);
+bool SetRsaOaepLabel(const ncrypto::EVPKeyCtxPointer& rsa,
+                     const ByteSource& label);
 
 namespace Util {
 void Initialize(Environment* env, v8::Local<v8::Object> target);
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
index a19b1d07e02609..ccb7a3a0eeb7a9 100644
--- a/src/crypto/crypto_x509.cc
+++ b/src/crypto/crypto_x509.cc
@@ -15,6 +15,14 @@
 
 namespace node {
 
+using ncrypto::BignumPointer;
+using ncrypto::BIOPointer;
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::DataPointer;
+using ncrypto::SSLPointer;
+using ncrypto::StackOfASN1;
+using ncrypto::X509Pointer;
+using ncrypto::X509View;
 using v8::Array;
 using v8::ArrayBuffer;
 using v8::ArrayBufferView;
@@ -62,7 +70,7 @@ void ManagedX509::MemoryInfo(MemoryTracker* tracker) const {
 namespace {
 MaybeLocal<Value> GetFingerprintDigest(Environment* env,
                                        const EVP_MD* method,
-                                       const ncrypto::X509View& cert) {
+                                       const X509View& cert) {
   auto fingerprint = cert.getFingerprint(method);
   // Returning an empty string indicates that the digest failed for
   // some reason.
@@ -129,7 +137,7 @@ MaybeLocal<Value> ToV8Value(Local<Context> context, const ASN1_STRING* str) {
   if (value_str_size < 0) {
     return Undefined(context->GetIsolate());
   }
-  ncrypto::DataPointer free_value_str(value_str, value_str_size);
+  DataPointer free_value_str(value_str, value_str_size);
 
   Local<Value> result;
   if (!String::NewFromUtf8(context->GetIsolate(),
@@ -171,7 +179,7 @@ MaybeLocal<Value> ToBuffer(Environment* env, BIOPointer* bio) {
   return ret;
 }
 
-MaybeLocal<Value> GetDer(Environment* env, const ncrypto::X509View& view) {
+MaybeLocal<Value> GetDer(Environment* env, const X509View& view) {
   Local<Value> ret;
   auto bio = view.toDER();
   if (!bio) return Undefined(env->isolate());
@@ -182,7 +190,7 @@ MaybeLocal<Value> GetDer(Environment* env, const ncrypto::X509View& view) {
 }
 
 MaybeLocal<Value> GetSubjectAltNameString(Environment* env,
-                                          const ncrypto::X509View& view) {
+                                          const X509View& view) {
   Local<Value> ret;
   auto bio = view.getSubjectAltName();
   if (!bio) return Undefined(env->isolate());
@@ -190,8 +198,7 @@ MaybeLocal<Value> GetSubjectAltNameString(Environment* env,
   return ret;
 }
 
-MaybeLocal<Value> GetInfoAccessString(Environment* env,
-                                      const ncrypto::X509View& view) {
+MaybeLocal<Value> GetInfoAccessString(Environment* env, const X509View& view) {
   Local<Value> ret;
   auto bio = view.getInfoAccess();
   if (!bio) return Undefined(env->isolate());
@@ -201,8 +208,7 @@ MaybeLocal<Value> GetInfoAccessString(Environment* env,
   return ret;
 }
 
-MaybeLocal<Value> GetValidFrom(Environment* env,
-                               const ncrypto::X509View& view) {
+MaybeLocal<Value> GetValidFrom(Environment* env, const X509View& view) {
   Local<Value> ret;
   auto bio = view.getValidFrom();
   if (!bio) return Undefined(env->isolate());
@@ -212,7 +218,7 @@ MaybeLocal<Value> GetValidFrom(Environment* env,
   return ret;
 }
 
-MaybeLocal<Value> GetValidTo(Environment* env, const ncrypto::X509View& view) {
+MaybeLocal<Value> GetValidTo(Environment* env, const X509View& view) {
   Local<Value> ret;
   auto bio = view.getValidTo();
   if (!bio) return Undefined(env->isolate());
@@ -222,20 +228,17 @@ MaybeLocal<Value> GetValidTo(Environment* env, const ncrypto::X509View& view) {
   return ret;
 }
 
-MaybeLocal<Value> GetValidFromDate(Environment* env,
-                                   const ncrypto::X509View& view) {
+MaybeLocal<Value> GetValidFromDate(Environment* env, const X509View& view) {
   int64_t validFromTime = view.getValidFromTime();
   return Date::New(env->context(), validFromTime * 1000.);
 }
 
-MaybeLocal<Value> GetValidToDate(Environment* env,
-                                 const ncrypto::X509View& view) {
+MaybeLocal<Value> GetValidToDate(Environment* env, const X509View& view) {
   int64_t validToTime = view.getValidToTime();
   return Date::New(env->context(), validToTime * 1000.);
 }
 
-MaybeLocal<Value> GetSerialNumber(Environment* env,
-                                  const ncrypto::X509View& view) {
+MaybeLocal<Value> GetSerialNumber(Environment* env, const X509View& view) {
   if (auto serial = view.getSerialNumber()) {
     return OneByteString(env->isolate(),
                          static_cast<unsigned char*>(serial.get()));
@@ -243,8 +246,8 @@ MaybeLocal<Value> GetSerialNumber(Environment* env,
   return Undefined(env->isolate());
 }
 
-MaybeLocal<Value> GetKeyUsage(Environment* env, const ncrypto::X509View& cert) {
-  ncrypto::StackOfASN1 eku(static_cast<STACK_OF(ASN1_OBJECT)*>(
+MaybeLocal<Value> GetKeyUsage(Environment* env, const X509View& cert) {
+  StackOfASN1 eku(static_cast<STACK_OF(ASN1_OBJECT)*>(
       X509_get_ext_d2i(cert.get(), NID_ext_key_usage, nullptr, nullptr)));
   if (eku) {
     const int count = sk_ASN1_OBJECT_num(eku.get());
@@ -458,10 +461,10 @@ void CheckHost(const FunctionCallbackInfo<Value>& args) {
 
   Utf8Value name(env->isolate(), args[0]);
   uint32_t flags = args[1].As<Uint32>()->Value();
-  ncrypto::DataPointer peername;
+  DataPointer peername;
 
   switch (cert->view().checkHost(name.ToStringView(), flags, &peername)) {
-    case ncrypto::X509View::CheckMatch::MATCH: {  // Match!
+    case X509View::CheckMatch::MATCH: {  // Match!
       Local<Value> ret = args[0];
       if (peername) {
         ret = OneByteString(env->isolate(),
@@ -470,9 +473,9 @@ void CheckHost(const FunctionCallbackInfo<Value>& args) {
       }
       return args.GetReturnValue().Set(ret);
     }
-    case ncrypto::X509View::CheckMatch::NO_MATCH:  // No Match!
+    case X509View::CheckMatch::NO_MATCH:  // No Match!
       return;  // No return value is set
-    case ncrypto::X509View::CheckMatch::INVALID_NAME:  // Error!
+    case X509View::CheckMatch::INVALID_NAME:  // Error!
       return THROW_ERR_INVALID_ARG_VALUE(env, "Invalid name");
     default:  // Error!
       return THROW_ERR_CRYPTO_OPERATION_FAILED(env);
@@ -491,11 +494,11 @@ void CheckEmail(const FunctionCallbackInfo<Value>& args) {
   uint32_t flags = args[1].As<Uint32>()->Value();
 
   switch (cert->view().checkEmail(name.ToStringView(), flags)) {
-    case ncrypto::X509View::CheckMatch::MATCH:  // Match!
+    case X509View::CheckMatch::MATCH:  // Match!
       return args.GetReturnValue().Set(args[0]);
-    case ncrypto::X509View::CheckMatch::NO_MATCH:  // No Match!
+    case X509View::CheckMatch::NO_MATCH:  // No Match!
       return;  // No return value is set
-    case ncrypto::X509View::CheckMatch::INVALID_NAME:  // Error!
+    case X509View::CheckMatch::INVALID_NAME:  // Error!
       return THROW_ERR_INVALID_ARG_VALUE(env, "Invalid name");
     default:  // Error!
       return THROW_ERR_CRYPTO_OPERATION_FAILED(env);
@@ -514,11 +517,11 @@ void CheckIP(const FunctionCallbackInfo<Value>& args) {
   uint32_t flags = args[1].As<Uint32>()->Value();
 
   switch (cert->view().checkIp(name.ToStringView(), flags)) {
-    case ncrypto::X509View::CheckMatch::MATCH:  // Match!
+    case X509View::CheckMatch::MATCH:  // Match!
       return args.GetReturnValue().Set(args[0]);
-    case ncrypto::X509View::CheckMatch::NO_MATCH:  // No Match!
+    case X509View::CheckMatch::NO_MATCH:  // No Match!
       return;  // No return value is set
-    case ncrypto::X509View::CheckMatch::INVALID_NAME:  // Error!
+    case X509View::CheckMatch::INVALID_NAME:  // Error!
       return THROW_ERR_INVALID_ARG_VALUE(env, "Invalid IP");
     default:  // Error!
       return THROW_ERR_CRYPTO_OPERATION_FAILED(env);
@@ -594,7 +597,7 @@ bool Set(Environment* env,
 // The property value may be a single string or an array of strings.
 template <X509_NAME* get_name(const X509*)>
 static MaybeLocal<Value> GetX509NameObject(Environment* env,
-                                           const ncrypto::X509View& cert) {
+                                           const X509View& cert) {
   X509_NAME* name = get_name(cert.get());
   CHECK_NOT_NULL(name);
 
@@ -718,8 +721,7 @@ MaybeLocal<Value> GetCurveName(Environment* env, const int nid) {
              : MaybeLocal<Value>(Undefined(env->isolate()));
 }
 
-MaybeLocal<Object> X509ToObject(Environment* env,
-                                const ncrypto::X509View& cert) {
+MaybeLocal<Object> X509ToObject(Environment* env, const X509View& cert) {
   EscapableHandleScope scope(env->isolate());
   Local<Object> info = Object::New(env->isolate());
 
@@ -906,7 +908,7 @@ MaybeLocal<Object> X509Certificate::New(Environment* env,
 
 MaybeLocal<Object> X509Certificate::GetCert(Environment* env,
                                             const SSLPointer& ssl) {
-  auto cert = ncrypto::X509View::From(ssl);
+  auto cert = X509View::From(ssl);
   if (!cert) return {};
   return New(env, cert.clone());
 }
@@ -940,8 +942,8 @@ v8::MaybeLocal<v8::Value> X509Certificate::toObject(Environment* env) {
   return toObject(env, view());
 }
 
-v8::MaybeLocal<v8::Value> X509Certificate::toObject(
-    Environment* env, const ncrypto::X509View& cert) {
+v8::MaybeLocal<v8::Value> X509Certificate::toObject(Environment* env,
+                                                    const X509View& cert) {
   if (!cert) return {};
   return X509ToObject(env, cert).FromMaybe(Local<Value>());
 }
diff --git a/src/crypto/crypto_x509.h b/src/crypto/crypto_x509.h
index 595a2344641030..54f4b2a40732d2 100644
--- a/src/crypto/crypto_x509.h
+++ b/src/crypto/crypto_x509.h
@@ -21,7 +21,7 @@ namespace crypto {
 class ManagedX509 final : public MemoryRetainer {
  public:
   ManagedX509() = default;
-  explicit ManagedX509(X509Pointer&& cert);
+  explicit ManagedX509(ncrypto::X509Pointer&& cert);
   ManagedX509(const ManagedX509& that);
   ManagedX509& operator=(const ManagedX509& that);
 
@@ -35,7 +35,7 @@ class ManagedX509 final : public MemoryRetainer {
   SET_SELF_SIZE(ManagedX509)
 
  private:
-  X509Pointer cert_;
+  ncrypto::X509Pointer cert_;
 };
 
 class X509Certificate final : public BaseObject {
@@ -53,27 +53,24 @@ class X509Certificate final : public BaseObject {
 
   static v8::MaybeLocal<v8::Object> New(
       Environment* env,
-      X509Pointer cert,
-      STACK_OF(X509)* issuer_chain = nullptr);
+      ncrypto::X509Pointer cert,
+      STACK_OF(X509) * issuer_chain = nullptr);
 
   static v8::MaybeLocal<v8::Object> New(
       Environment* env,
       std::shared_ptr<ManagedX509> cert,
       STACK_OF(X509)* issuer_chain = nullptr);
 
-  static v8::MaybeLocal<v8::Object> GetCert(
-      Environment* env,
-      const SSLPointer& ssl);
+  static v8::MaybeLocal<v8::Object> GetCert(Environment* env,
+                                            const ncrypto::SSLPointer& ssl);
 
-  static v8::MaybeLocal<v8::Object> GetPeerCert(
-      Environment* env,
-      const SSLPointer& ssl,
-      GetPeerCertificateFlag flag);
+  static v8::MaybeLocal<v8::Object> GetPeerCert(Environment* env,
+                                                const ncrypto::SSLPointer& ssl,
+                                                GetPeerCertificateFlag flag);
 
-  static v8::Local<v8::Object> Wrap(
-      Environment* env,
-      v8::Local<v8::Object> object,
-      X509Pointer cert);
+  static v8::Local<v8::Object> Wrap(Environment* env,
+                                    v8::Local<v8::Object> object,
+                                    ncrypto::X509Pointer cert);
 
   inline BaseObjectPtr<X509Certificate> getIssuerCert() const {
     return issuer_cert_;
diff --git a/src/quic/tlscontext.cc b/src/quic/tlscontext.cc
index 8e2995589c9116..c8f88b34561eb2 100644
--- a/src/quic/tlscontext.cc
+++ b/src/quic/tlscontext.cc
@@ -20,6 +20,13 @@
 
 namespace node {
 
+using ncrypto::BIOPointer;
+using ncrypto::ClearErrorOnReturn;
+using ncrypto::MarkPopErrorOnReturn;
+using ncrypto::SSLCtxPointer;
+using ncrypto::SSLPointer;
+using ncrypto::SSLSessionPointer;
+using ncrypto::X509Pointer;
 using v8::ArrayBuffer;
 using v8::Just;
 using v8::Local;
@@ -43,7 +50,7 @@ namespace {
 //   return 0;
 // }();
 
-void EnableTrace(Environment* env, crypto::BIOPointer* bio, SSL* ssl) {
+void EnableTrace(Environment* env, BIOPointer* bio, SSL* ssl) {
 #if HAVE_SSL_TRACE
   static bool warn_trace_tls = true;
   if (warn_trace_tls) {
@@ -63,7 +70,7 @@ void EnableTrace(Environment* env, crypto::BIOPointer* bio, SSL* ssl) {
            size_t len,
            SSL* ssl,
            void* arg) -> void {
-          crypto::MarkPopErrorOnReturn mark_pop_error_on_return;
+          MarkPopErrorOnReturn mark_pop_error_on_return;
           SSL_trace(write_p, version, content_type, buf, len, ssl, arg);
         });
     SSL_set_msg_callback_arg(ssl, bio->get());
@@ -240,12 +247,12 @@ std::unique_ptr<TLSSession> TLSContext::NewSession(
       session, shared_from_this(), maybeSessionTicket);
 }
 
-crypto::SSLCtxPointer TLSContext::Initialize() {
-  crypto::SSLCtxPointer ctx;
+SSLCtxPointer TLSContext::Initialize() {
+  SSLCtxPointer ctx;
   switch (side_) {
     case Side::SERVER: {
       static constexpr unsigned char kSidCtx[] = "Node.js QUIC Server";
-      ctx = crypto::SSLCtxPointer::NewServer();
+      ctx = SSLCtxPointer::NewServer();
       CHECK_EQ(ngtcp2_crypto_quictls_configure_server_context(ctx.get()), 0);
       CHECK_EQ(SSL_CTX_set_max_early_data(ctx.get(), UINT32_MAX), 1);
       SSL_CTX_set_options(ctx.get(),
@@ -276,7 +283,7 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
       break;
     }
     case Side::CLIENT: {
-      ctx = crypto::SSLCtxPointer::NewClient();
+      ctx = SSLCtxPointer::NewClient();
       CHECK_EQ(ngtcp2_crypto_quictls_configure_client_context(ctx.get()), 0);
 
       SSL_CTX_set_session_cache_mode(
@@ -291,16 +298,16 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
 
   if (SSL_CTX_set_ciphersuites(ctx.get(), options_.ciphers.c_str()) != 1) {
     validation_error_ = "Invalid cipher suite";
-    return crypto::SSLCtxPointer();
+    return SSLCtxPointer();
   }
 
   if (SSL_CTX_set1_groups_list(ctx.get(), options_.groups.c_str()) != 1) {
     validation_error_ = "Invalid cipher groups";
-    return crypto::SSLCtxPointer();
+    return SSLCtxPointer();
   }
 
   {
-    crypto::ClearErrorOnReturn clear_error_on_return;
+    ClearErrorOnReturn clear_error_on_return;
     if (options_.ca.empty()) {
       auto store = crypto::GetOrCreateRootCertStore();
       X509_STORE_up_ref(store);
@@ -313,14 +320,12 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
           X509_STORE_up_ref(store);
           SSL_CTX_set_cert_store(ctx.get(), store);
         } else {
-          crypto::BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
+          BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
           CHECK(bio);
           X509_STORE* cert_store = SSL_CTX_get_cert_store(ctx.get());
-          while (crypto::X509Pointer x509 = crypto::X509Pointer(
-                     PEM_read_bio_X509_AUX(bio.get(),
-                                           nullptr,
-                                           crypto::NoPasswordCallback,
-                                           nullptr))) {
+          while (
+              auto x509 = X509Pointer(PEM_read_bio_X509_AUX(
+                  bio.get(), nullptr, crypto::NoPasswordCallback, nullptr))) {
             if (cert_store == crypto::GetOrCreateRootCertStore()) {
               cert_store = crypto::NewRootCertStore();
               SSL_CTX_set_cert_store(ctx.get(), cert_store);
@@ -334,48 +339,48 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
   }
 
   {
-    crypto::ClearErrorOnReturn clear_error_on_return;
+    ClearErrorOnReturn clear_error_on_return;
     for (const auto& cert : options_.certs) {
       uv_buf_t buf = cert;
       if (buf.len > 0) {
-        crypto::BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
+        BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
         CHECK(bio);
         cert_.reset();
         issuer_.reset();
         if (crypto::SSL_CTX_use_certificate_chain(
                 ctx.get(), std::move(bio), &cert_, &issuer_) == 0) {
           validation_error_ = "Invalid certificate";
-          return crypto::SSLCtxPointer();
+          return SSLCtxPointer();
         }
       }
     }
   }
 
   {
-    crypto::ClearErrorOnReturn clear_error_on_return;
+    ClearErrorOnReturn clear_error_on_return;
     for (const auto& key : options_.keys) {
       if (key.GetKeyType() != crypto::KeyType::kKeyTypePrivate) {
         validation_error_ = "Invalid key";
-        return crypto::SSLCtxPointer();
+        return SSLCtxPointer();
       }
       if (!SSL_CTX_use_PrivateKey(ctx.get(), key.GetAsymmetricKey().get())) {
         validation_error_ = "Invalid key";
-        return crypto::SSLCtxPointer();
+        return SSLCtxPointer();
       }
     }
   }
 
   {
-    crypto::ClearErrorOnReturn clear_error_on_return;
+    ClearErrorOnReturn clear_error_on_return;
     for (const auto& crl : options_.crl) {
       uv_buf_t buf = crl;
-      crypto::BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
+      BIOPointer bio = crypto::NodeBIO::NewFixed(buf.base, buf.len);
       DeleteFnPtr<X509_CRL, X509_CRL_free> crlptr(PEM_read_bio_X509_CRL(
           bio.get(), nullptr, crypto::NoPasswordCallback, nullptr));
 
       if (!crlptr) {
         validation_error_ = "Invalid CRL";
-        return crypto::SSLCtxPointer();
+        return SSLCtxPointer();
       }
 
       X509_STORE* cert_store = SSL_CTX_get_cert_store(ctx.get());
@@ -393,11 +398,11 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
   }
 
   {
-    crypto::ClearErrorOnReturn clear_error_on_return;
+    ClearErrorOnReturn clear_error_on_return;
     if (options_.verify_private_key &&
         SSL_CTX_check_private_key(ctx.get()) != 1) {
       validation_error_ = "Invalid private key";
-      return crypto::SSLCtxPointer();
+      return SSLCtxPointer();
     }
   }
 
@@ -514,11 +519,11 @@ bool TLSSession::early_data_was_accepted() const {
   return SSL_get_early_data_status(*this) == SSL_EARLY_DATA_ACCEPTED;
 }
 
-crypto::SSLPointer TLSSession::Initialize(
+SSLPointer TLSSession::Initialize(
     const std::optional<SessionTicket>& maybeSessionTicket) {
   auto& ctx = context();
   auto& options = ctx.options();
-  crypto::SSLPointer ssl(SSL_new(ctx));
+  SSLPointer ssl(SSL_new(ctx));
   SSL_set_app_data(ssl.get(), &ref_);
   ngtcp2_conn_set_tls_native_handle(*session_, ssl.get());
 
@@ -541,7 +546,7 @@ crypto::SSLPointer TLSSession::Initialize(
               reinterpret_cast<const unsigned char*>(options.protocol.data()),
               options.protocol.size()) != 0) {
         validation_error_ = "Invalid ALPN";
-        return crypto::SSLPointer();
+        return SSLPointer();
       }
 
       if (!options.servername.empty()) {
@@ -553,7 +558,7 @@ crypto::SSLPointer TLSSession::Initialize(
       if (maybeSessionTicket.has_value()) {
         auto sessionTicket = maybeSessionTicket.value();
         uv_buf_t buf = sessionTicket.ticket();
-        crypto::SSLSessionPointer ticket = crypto::GetTLSSession(
+        SSLSessionPointer ticket = crypto::GetTLSSession(
             reinterpret_cast<unsigned char*>(buf.base), buf.len);
 
         // The early data will just be ignored if it's invalid.
diff --git a/src/quic/tlscontext.h b/src/quic/tlscontext.h
index 77771d1a252a24..97536f3abecc50 100644
--- a/src/quic/tlscontext.h
+++ b/src/quic/tlscontext.h
@@ -7,6 +7,7 @@
 #include <crypto/crypto_context.h>
 #include <crypto/crypto_keys.h>
 #include <memory_tracker.h>
+#include <ncrypto.h>
 #include <ngtcp2/ngtcp2_crypto.h>
 #include "bindingdata.h"
 #include "data.h"
@@ -84,7 +85,7 @@ class TLSSession final : public MemoryRetainer {
 
  private:
   operator SSL*() const;
-  crypto::SSLPointer Initialize(
+  ncrypto::SSLPointer Initialize(
       const std::optional<SessionTicket>& maybeSessionTicket);
 
   static ngtcp2_conn* connection(ngtcp2_crypto_conn_ref* ref);
@@ -92,8 +93,8 @@ class TLSSession final : public MemoryRetainer {
   ngtcp2_crypto_conn_ref ref_;
   std::shared_ptr<TLSContext> context_;
   Session* session_;
-  crypto::SSLPointer ssl_;
-  crypto::BIOPointer bio_trace_;
+  ncrypto::SSLPointer ssl_;
+  ncrypto::BIOPointer bio_trace_;
   std::string validation_error_ = "";
   bool in_key_update_ = false;
 };
@@ -198,7 +199,7 @@ class TLSContext final : public MemoryRetainer,
   SET_SELF_SIZE(TLSContext)
 
  private:
-  crypto::SSLCtxPointer Initialize();
+  ncrypto::SSLCtxPointer Initialize();
   operator SSL_CTX*() const;
 
   static void OnKeylog(const SSL* ssl, const char* line);
@@ -213,9 +214,9 @@ class TLSContext final : public MemoryRetainer,
 
   Side side_;
   Options options_;
-  crypto::X509Pointer cert_;
-  crypto::X509Pointer issuer_;
-  crypto::SSLCtxPointer ctx_;
+  ncrypto::X509Pointer cert_;
+  ncrypto::X509Pointer issuer_;
+  ncrypto::SSLCtxPointer ctx_;
   std::string validation_error_ = "";
 
   friend class TLSSession;
diff --git a/test/cctest/test_node_crypto_env.cc b/test/cctest/test_node_crypto_env.cc
index 001867720f5e80..79c2e78a71cbb6 100644
--- a/test/cctest/test_node_crypto_env.cc
+++ b/test/cctest/test_node_crypto_env.cc
@@ -3,6 +3,7 @@
 #include "node_options.h"
 #include "node_test_fixture.h"
 #include "openssl/err.h"
+#include <ncrypto.h>
 
 using v8::Local;
 using v8::String;
@@ -21,7 +22,7 @@ TEST_F(NodeCryptoEnv, LoadBIO) {
   Env env{handle_scope, argv};
   //  just put a random string into BIO
   Local<String> key = String::NewFromUtf8(isolate_, "abcdef").ToLocalChecked();
-  node::crypto::BIOPointer bio(node::crypto::LoadBIO(*env, key));
+  ncrypto::BIOPointer bio(node::crypto::LoadBIO(*env, key));
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
   const int ofs = 2;
   ASSERT_EQ(BIO_seek(bio.get(), ofs), ofs);