Static method:Certificate.exportChallenge(spkac[, encoding])#

• spkac<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of thespkac string.
• Returns:<Buffer> The challenge component of thespkac data structure, whichincludes a public key and a challenge.

const {Certificate } =awaitimport('node:crypto');const spkac =getSpkacSomehow();const challenge =Certificate.exportChallenge(spkac);console.log(challenge.toString('utf8'));// Prints: the challenge as a UTF8 stringconst {Certificate } =require('node:crypto');const spkac =getSpkacSomehow();const challenge =Certificate.exportChallenge(spkac);console.log(challenge.toString('utf8'));// Prints: the challenge as a UTF8 stringcopy

Static method:Certificate.exportPublicKey(spkac[, encoding])#

• spkac<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of thespkac string.
• Returns:<Buffer> The public key component of thespkac data structure,which includes a public key and a challenge.

const {Certificate } =awaitimport('node:crypto');const spkac =getSpkacSomehow();const publicKey =Certificate.exportPublicKey(spkac);console.log(publicKey);// Prints: the public key as <Buffer ...>const {Certificate } =require('node:crypto');const spkac =getSpkacSomehow();const publicKey =Certificate.exportPublicKey(spkac);console.log(publicKey);// Prints: the public key as <Buffer ...>copy

Static method:Certificate.verifySpkac(spkac[, encoding])#

• spkac<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of thespkac string.
• Returns:<boolean>true if the givenspkac data structure is valid,false otherwise.

import {Buffer }from'node:buffer';const {Certificate } =awaitimport('node:crypto');const spkac =getSpkacSomehow();console.log(Certificate.verifySpkac(Buffer.from(spkac)));// Prints: true or falseconst {Buffer } =require('node:buffer');const {Certificate } =require('node:crypto');const spkac =getSpkacSomehow();console.log(Certificate.verifySpkac(Buffer.from(spkac)));// Prints: true or falsecopy

Legacy API#

As a legacy interface, it is possible to create new instances ofthecrypto.Certificate class as illustrated in the examples below.

const {Certificate } =awaitimport('node:crypto');const cert1 =newCertificate();const cert2 =Certificate();const {Certificate } =require('node:crypto');const cert1 =newCertificate();const cert2 =Certificate();copy

const {Certificate } =awaitimport('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();const challenge = cert.exportChallenge(spkac);console.log(challenge.toString('utf8'));// Prints: the challenge as a UTF8 stringconst {Certificate } =require('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();const challenge = cert.exportChallenge(spkac);console.log(challenge.toString('utf8'));// Prints: the challenge as a UTF8 stringcopy

const {Certificate } =awaitimport('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();const publicKey = cert.exportPublicKey(spkac);console.log(publicKey);// Prints: the public key as <Buffer ...>const {Certificate } =require('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();const publicKey = cert.exportPublicKey(spkac);console.log(publicKey);// Prints: the public key as <Buffer ...>copy

import {Buffer }from'node:buffer';const {Certificate } =awaitimport('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();console.log(cert.verifySpkac(Buffer.from(spkac)));// Prints: true or falseconst {Buffer } =require('node:buffer');const {Certificate } =require('node:crypto');const cert =Certificate();const spkac =getSpkacSomehow();console.log(cert.verifySpkac(Buffer.from(spkac)));// Prints: true or falsecopy

cipher.final([outputEncoding])#

• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string> Any remaining enciphered contents.IfoutputEncoding is specified, a string isreturned. If anoutputEncoding is not provided, aBuffer is returned.

Once thecipher.final() method has been called, theCipheriv object can nolonger be used to encrypt data. Attempts to callcipher.final() more thanonce will result in an error being thrown.

cipher.getAuthTag()#

• Returns:<Buffer> When using an authenticated encryption mode (GCM,CCM,OCB, andchacha20-poly1305 are currently supported), thecipher.getAuthTag() method returns aBuffer containing theauthentication tag that has been computed fromthe given data.

Thecipher.getAuthTag() method should only be called after encryption hasbeen completed using thecipher.final() method.

If theauthTagLength option was set during thecipher instance's creation,this function will return exactlyauthTagLength bytes.

cipher.setAAD(buffer[, options])#

• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• options<Object>stream.transform options
  • plaintextLength<number>
  • encoding<string> The string encoding to use whenbuffer is a string.
• Returns:<Cipheriv> The sameCipheriv instance for method chaining.

When using an authenticated encryption mode (GCM,CCM,OCB, andchacha20-poly1305 arecurrently supported), thecipher.setAAD() method sets the value used for theadditional authenticated data (AAD) input parameter.

TheplaintextLength option is optional forGCM andOCB. When usingCCM,theplaintextLength option must be specified and its value must match thelength of the plaintext in bytes. SeeCCM mode.

Thecipher.setAAD() method must be called beforecipher.update().

cipher.setAutoPadding([autoPadding])#

• autoPadding<boolean>Default:true
• Returns:<Cipheriv> The sameCipheriv instance for method chaining.

When using block encryption algorithms, theCipheriv class will automaticallyadd padding to the input data to the appropriate block size. To disable thedefault padding callcipher.setAutoPadding(false).

WhenautoPadding isfalse, the length of the entire input data must be amultiple of the cipher's block size orcipher.final() will throw an error.Disabling automatic padding is useful for non-standard padding, for instanceusing0x0 instead of PKCS padding.

Thecipher.setAutoPadding() method must be called beforecipher.final().

cipher.update(data[, inputEncoding][, outputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of the data.
• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Updates the cipher withdata. If theinputEncoding argument is given,thedataargument is a string using the specified encoding. If theinputEncodingargument is not given,data must be aBuffer,TypedArray, orDataView. Ifdata is aBuffer,TypedArray, orDataView, theninputEncoding is ignored.

TheoutputEncoding specifies the output format of the enciphereddata. If theoutputEncodingis specified, a string using the specified encoding is returned. If nooutputEncoding is provided, aBuffer is returned.

Thecipher.update() method can be called multiple times with new data untilcipher.final() is called. Callingcipher.update() aftercipher.final() will result in an error being thrown.

decipher.final([outputEncoding])#

• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string> Any remaining deciphered contents.IfoutputEncoding is specified, a string isreturned. If anoutputEncoding is not provided, aBuffer is returned.

Once thedecipher.final() method has been called, theDecipheriv object canno longer be used to decrypt data. Attempts to calldecipher.final() morethan once will result in an error being thrown.

decipher.setAAD(buffer[, options])#

• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• options<Object>stream.transform options
  • plaintextLength<number>
  • encoding<string> String encoding to use whenbuffer is a string.
• Returns:<Decipheriv> The same Decipher for method chaining.

When using an authenticated encryption mode (GCM,CCM,OCB, andchacha20-poly1305 arecurrently supported), thedecipher.setAAD() method sets the value used for theadditional authenticated data (AAD) input parameter.

Theoptions argument is optional forGCM. When usingCCM, theplaintextLength option must be specified and its value must match the lengthof the ciphertext in bytes. SeeCCM mode.

Thedecipher.setAAD() method must be called beforedecipher.update().

When passing a string as thebuffer, please considercaveats when using strings as inputs to cryptographic APIs.

decipher.setAuthTag(buffer[, encoding])#

• buffer<string> |<Buffer> |<ArrayBuffer> |<TypedArray> |<DataView>
• encoding<string> String encoding to use whenbuffer is a string.
• Returns:<Decipheriv> The same Decipher for method chaining.

When using an authenticated encryption mode (GCM,CCM,OCB, andchacha20-poly1305 arecurrently supported), thedecipher.setAuthTag() method is used to pass in thereceivedauthentication tag. If no tag is provided, or if the cipher texthas been tampered with,decipher.final() will throw, indicating that thecipher text should be discarded due to failed authentication. If the tag lengthis invalid according toNIST SP 800-38D or does not match the value of theauthTagLength option,decipher.setAuthTag() will throw an error.

Thedecipher.setAuthTag() method must be called beforedecipher.update()forCCM mode or beforedecipher.final() forGCM andOCB modes andchacha20-poly1305.decipher.setAuthTag() can only be called once.

When passing a string as the authentication tag, please considercaveats when using strings as inputs to cryptographic APIs.

decipher.setAutoPadding([autoPadding])#

• autoPadding<boolean>Default:true
• Returns:<Decipheriv> The same Decipher for method chaining.

When data has been encrypted without standard block padding, callingdecipher.setAutoPadding(false) will disable automatic padding to preventdecipher.final() from checking for and removing padding.

Turning auto padding off will only work if the input data's length is amultiple of the ciphers block size.

Thedecipher.setAutoPadding() method must be called beforedecipher.final().

decipher.update(data[, inputEncoding][, outputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of thedata string.
• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Updates the decipher withdata. If theinputEncoding argument is given,thedataargument is a string using the specified encoding. If theinputEncodingargument is not given,data must be aBuffer. Ifdata is aBuffer theninputEncoding is ignored.

TheoutputEncoding specifies the output format of the enciphereddata. If theoutputEncodingis specified, a string using the specified encoding is returned. If nooutputEncoding is provided, aBuffer is returned.

Thedecipher.update() method can be called multiple times with new data untildecipher.final() is called. Callingdecipher.update() afterdecipher.final() will result in an error being thrown.

Even if the underlying cipher implements authentication, the authenticity andintegrity of the plaintext returned from this function may be uncertain at thistime. For authenticated encryption algorithms, authenticity is generally onlyestablished when the application callsdecipher.final().

diffieHellman.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])#

• otherPublicKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of anotherPublicKey string.
• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Computes the shared secret usingotherPublicKey as the otherparty's public key and returns the computed shared secret. The suppliedkey is interpreted using the specifiedinputEncoding, and secret isencoded using specifiedoutputEncoding.If theinputEncoding is notprovided,otherPublicKey is expected to be aBuffer,TypedArray, orDataView.

IfoutputEncoding is given a string is returned; otherwise, aBuffer is returned.

diffieHellman.generateKeys([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Generates private and public Diffie-Hellman key values unless they have beengenerated or computed already, and returnsthe public key in the specifiedencoding. This key should betransferred to the other party.Ifencoding is provided a string is returned; otherwise aBuffer is returned.

This function is a thin wrapper aroundDH_generate_key(). In particular,once a private key has been generated or set, calling this function only updatesthe public key but does not generate a new private key.

diffieHellman.getGenerator([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Returns the Diffie-Hellman generator in the specifiedencoding.Ifencoding is provided a string isreturned; otherwise aBuffer is returned.

diffieHellman.getPrime([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Returns the Diffie-Hellman prime in the specifiedencoding.Ifencoding is provided a string isreturned; otherwise aBuffer is returned.

diffieHellman.getPrivateKey([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Returns the Diffie-Hellman private key in the specifiedencoding.Ifencoding is provided astring is returned; otherwise aBuffer is returned.

diffieHellman.getPublicKey([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Returns the Diffie-Hellman public key in the specifiedencoding.Ifencoding is provided astring is returned; otherwise aBuffer is returned.

diffieHellman.setPrivateKey(privateKey[, encoding])#

• privateKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of theprivateKey string.

Sets the Diffie-Hellman private key. If theencoding argument is provided,privateKey is expectedto be a string. If noencoding is provided,privateKey is expectedto be aBuffer,TypedArray, orDataView.

This function does not automatically compute the associated public key. EitherdiffieHellman.setPublicKey() ordiffieHellman.generateKeys() can beused to manually provide the public key or to automatically derive it.

diffieHellman.setPublicKey(publicKey[, encoding])#

• publicKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of thepublicKey string.

Sets the Diffie-Hellman public key. If theencoding argument is provided,publicKey is expectedto be a string. If noencoding is provided,publicKey is expectedto be aBuffer,TypedArray, orDataView.

diffieHellman.verifyError#

A bit field containing any warnings and/or errors resulting from a checkperformed during initialization of theDiffieHellman object.

The following values are valid for this property (as defined innode:constants module):

• DH_CHECK_P_NOT_SAFE_PRIME
• DH_CHECK_P_NOT_PRIME
• DH_UNABLE_TO_CHECK_GENERATOR
• DH_NOT_SUITABLE_GENERATOR

Static method:ECDH.convertKey(key, curve[, inputEncoding[, outputEncoding[, format]]])#

• key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• curve<string>
• inputEncoding<string> Theencoding of thekey string.
• outputEncoding<string> Theencoding of the return value.
• format<string>Default:'uncompressed'
• Returns:<Buffer> |<string>

Converts the EC Diffie-Hellman public key specified bykey andcurve to theformat specified byformat. Theformat argument specifies point encodingand can be'compressed','uncompressed' or'hybrid'. The supplied key isinterpreted using the specifiedinputEncoding, and the returned key is encodedusing the specifiedoutputEncoding.

Usecrypto.getCurves() to obtain a list of available curve names.On recent OpenSSL releases,openssl ecparam -list_curves will also displaythe name and description of each available elliptic curve.

Ifformat is not specified the point will be returned in'uncompressed'format.

If theinputEncoding is not provided,key is expected to be aBuffer,TypedArray, orDataView.

Example (uncompressing a key):

const {  createECDH,ECDH,} =awaitimport('node:crypto');const ecdh =createECDH('secp256k1');ecdh.generateKeys();const compressedKey = ecdh.getPublicKey('hex','compressed');const uncompressedKey =ECDH.convertKey(compressedKey,'secp256k1','hex','hex','uncompressed');// The converted key and the uncompressed public key should be the sameconsole.log(uncompressedKey === ecdh.getPublicKey('hex'));const {  createECDH,ECDH,} =require('node:crypto');const ecdh =createECDH('secp256k1');ecdh.generateKeys();const compressedKey = ecdh.getPublicKey('hex','compressed');const uncompressedKey =ECDH.convertKey(compressedKey,'secp256k1','hex','hex','uncompressed');// The converted key and the uncompressed public key should be the sameconsole.log(uncompressedKey === ecdh.getPublicKey('hex'));copy

ecdh.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])#

• otherPublicKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of theotherPublicKey string.
• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Computes the shared secret usingotherPublicKey as the otherparty's public key and returns the computed shared secret. The suppliedkey is interpreted using specifiedinputEncoding, and the returned secretis encoded using the specifiedoutputEncoding.If theinputEncoding is notprovided,otherPublicKey is expected to be aBuffer,TypedArray, orDataView.

IfoutputEncoding is given a string will be returned; otherwise aBuffer is returned.

ecdh.computeSecret will throw anERR_CRYPTO_ECDH_INVALID_PUBLIC_KEY error whenotherPublicKeylies outside of the elliptic curve. SinceotherPublicKey isusually supplied from a remote user over an insecure network,be sure to handle this exception accordingly.

ecdh.generateKeys([encoding[, format]])#

• encoding<string> Theencoding of the return value.
• format<string>Default:'uncompressed'
• Returns:<Buffer> |<string>

Generates private and public EC Diffie-Hellman key values, and returnsthe public key in the specifiedformat andencoding. This key should betransferred to the other party.

Theformat argument specifies point encoding and can be'compressed' or'uncompressed'. Ifformat is not specified, the point will be returned in'uncompressed' format.

Ifencoding is provided a string is returned; otherwise aBufferis returned.

ecdh.getPrivateKey([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string> The EC Diffie-Hellman in the specifiedencoding.

Ifencoding is specified, a string is returned; otherwise aBuffer isreturned.

ecdh.getPublicKey([encoding][, format])#

• encoding<string> Theencoding of the return value.
• format<string>Default:'uncompressed'
• Returns:<Buffer> |<string> The EC Diffie-Hellman public key in the specifiedencoding andformat.

Theformat argument specifies point encoding and can be'compressed' or'uncompressed'. Ifformat is not specified the point will be returned in'uncompressed' format.

Ifencoding is specified, a string is returned; otherwise aBuffer isreturned.

ecdh.setPrivateKey(privateKey[, encoding])#

• privateKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of theprivateKey string.

Sets the EC Diffie-Hellman private key.Ifencoding is provided,privateKey is expectedto be a string; otherwiseprivateKey is expected to be aBuffer,TypedArray, orDataView.

IfprivateKey is not valid for the curve specified when theECDH object wascreated, an error is thrown. Upon setting the private key, the associatedpublic point (key) is also generated and set in theECDH object.

ecdh.setPublicKey(publicKey[, encoding])#

• publicKey<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> Theencoding of thepublicKey string.

Sets the EC Diffie-Hellman public key.Ifencoding is providedpublicKey is expected tobe a string; otherwise aBuffer,TypedArray, orDataView is expected.

There is not normally a reason to call this method becauseECDHonly requires a private key and the other party's public key to compute theshared secret. Typically eitherecdh.generateKeys() orecdh.setPrivateKey() will be called. Theecdh.setPrivateKey() methodattempts to generate the public point/key associated with the private key beingset.

Example (obtaining a shared secret):

const {  createECDH,  createHash,} =awaitimport('node:crypto');const alice =createECDH('secp256k1');const bob =createECDH('secp256k1');// This is a shortcut way of specifying one of Alice's previous private// keys. It would be unwise to use such a predictable private key in a real// application.alice.setPrivateKey(createHash('sha256').update('alice','utf8').digest(),);// Bob uses a newly generated cryptographically strong// pseudorandom key pairbob.generateKeys();const aliceSecret = alice.computeSecret(bob.getPublicKey(),null,'hex');const bobSecret = bob.computeSecret(alice.getPublicKey(),null,'hex');// aliceSecret and bobSecret should be the same shared secret valueconsole.log(aliceSecret === bobSecret);const {  createECDH,  createHash,} =require('node:crypto');const alice =createECDH('secp256k1');const bob =createECDH('secp256k1');// This is a shortcut way of specifying one of Alice's previous private// keys. It would be unwise to use such a predictable private key in a real// application.alice.setPrivateKey(createHash('sha256').update('alice','utf8').digest(),);// Bob uses a newly generated cryptographically strong// pseudorandom key pairbob.generateKeys();const aliceSecret = alice.computeSecret(bob.getPublicKey(),null,'hex');const bobSecret = bob.computeSecret(alice.getPublicKey(),null,'hex');// aliceSecret and bobSecret should be the same shared secret valueconsole.log(aliceSecret === bobSecret);copy

hash.copy([options])#

• options<Object>stream.transform options
• Returns:<Hash>

Creates a newHash object that contains a deep copy of the internal stateof the currentHash object.

The optionaloptions argument controls stream behavior. For XOF hashfunctions such as'shake256', theoutputLength option can be used tospecify the desired output length in bytes.

An error is thrown when an attempt is made to copy theHash object afteritshash.digest() method has been called.

// Calculate a rolling hash.const {  createHash,} =awaitimport('node:crypto');const hash =createHash('sha256');hash.update('one');console.log(hash.copy().digest('hex'));hash.update('two');console.log(hash.copy().digest('hex'));hash.update('three');console.log(hash.copy().digest('hex'));// Etc.// Calculate a rolling hash.const {  createHash,} =require('node:crypto');const hash =createHash('sha256');hash.update('one');console.log(hash.copy().digest('hex'));hash.update('two');console.log(hash.copy().digest('hex'));hash.update('three');console.log(hash.copy().digest('hex'));// Etc.copy

hash.digest([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Calculates the digest of all of the data passed to be hashed (using thehash.update() method).Ifencoding is provided a string will be returned; otherwiseaBuffer is returned.

TheHash object can not be used again afterhash.digest() method has beencalled. Multiple calls will cause an error to be thrown.

hash.update(data[, inputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of thedata string.

Updates the hash content with the givendata, the encoding of whichis given ininputEncoding.Ifencoding is not provided, and thedata is a string, anencoding of'utf8' is enforced. Ifdata is aBuffer,TypedArray, orDataView, theninputEncoding is ignored.

This can be called many times with new data as it is streamed.

hmac.digest([encoding])#

• encoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Calculates the HMAC digest of all of the data passed usinghmac.update().Ifencoding isprovided a string is returned; otherwise aBuffer is returned;

TheHmac object can not be used again afterhmac.digest() has beencalled. Multiple calls tohmac.digest() will result in an error being thrown.

hmac.update(data[, inputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of thedata string.

Updates theHmac content with the givendata, the encoding of whichis given ininputEncoding.Ifencoding is not provided, and thedata is a string, anencoding of'utf8' is enforced. Ifdata is aBuffer,TypedArray, orDataView, theninputEncoding is ignored.

This can be called many times with new data as it is streamed.

Static method:KeyObject.from(key)#

• key<CryptoKey>
• Returns:<KeyObject>

Example: Converting aCryptoKey instance to aKeyObject:

const {KeyObject } =awaitimport('node:crypto');const { subtle } = globalThis.crypto;const key =await subtle.generateKey({name:'HMAC',hash:'SHA-256',length:256,},true, ['sign','verify']);const keyObject =KeyObject.from(key);console.log(keyObject.symmetricKeySize);// Prints: 32 (symmetric key size in bytes)const {KeyObject } =require('node:crypto');const { subtle } = globalThis.crypto;(asyncfunction() {const key =await subtle.generateKey({name:'HMAC',hash:'SHA-256',length:256,  },true, ['sign','verify']);const keyObject =KeyObject.from(key);console.log(keyObject.symmetricKeySize);// Prints: 32 (symmetric key size in bytes)})();copy

keyObject.asymmetricKeyDetails#

• <Object>
  • modulusLength:<number> Key size in bits (RSA, DSA).
  • publicExponent:<bigint> Public exponent (RSA).
  • hashAlgorithm:<string> Name of the message digest (RSA-PSS).
  • mgf1HashAlgorithm:<string> Name of the message digest used byMGF1 (RSA-PSS).
  • saltLength:<number> Minimal salt length in bytes (RSA-PSS).
  • divisorLength:<number> Size ofq in bits (DSA).
  • namedCurve:<string> Name of the curve (EC).

This property exists only on asymmetric keys. Depending on the type of the key,this object contains information about the key. None of the information obtainedthrough this property can be used to uniquely identify a key or to compromisethe security of the key.

For RSA-PSS keys, if the key material contains aRSASSA-PSS-params sequence,thehashAlgorithm,mgf1HashAlgorithm, andsaltLength properties will beset.

Other key details might be exposed via this API using additional attributes.

keyObject.asymmetricKeyType#

• <string>

For asymmetric keys, this property represents the type of the key. Supported keytypes are:

• 'rsa' (OID 1.2.840.113549.1.1.1)
• 'rsa-pss' (OID 1.2.840.113549.1.1.10)
• 'dsa' (OID 1.2.840.10040.4.1)
• 'ec' (OID 1.2.840.10045.2.1)
• 'x25519' (OID 1.3.101.110)
• 'x448' (OID 1.3.101.111)
• 'ed25519' (OID 1.3.101.112)
• 'ed448' (OID 1.3.101.113)
• 'dh' (OID 1.2.840.113549.1.3.1)

This property isundefined for unrecognizedKeyObject types and symmetrickeys.

keyObject.equals(otherKeyObject)#

• otherKeyObject:<KeyObject> AKeyObject with which tocomparekeyObject.
• Returns:<boolean>

Returnstrue orfalse depending on whether the keys have exactly the sametype, value, and parameters. This method is notconstant time.

keyObject.export([options])#

• options:<Object>
• Returns:<string> |<Buffer> |<Object>

For symmetric keys, the following encoding options can be used:

• format:<string> Must be'buffer' (default) or'jwk'.

For public keys, the following encoding options can be used:

• type:<string> Must be one of'pkcs1' (RSA only) or'spki'.
• format:<string> Must be'pem','der', or'jwk'.

For private keys, the following encoding options can be used:

• type:<string> Must be one of'pkcs1' (RSA only),'pkcs8' or'sec1' (EC only).
• format:<string> Must be'pem','der', or'jwk'.
• cipher:<string> If specified, the private key will be encrypted withthe givencipher andpassphrase using PKCS#5 v2.0 password basedencryption.
• passphrase:<string> |<Buffer> The passphrase to use for encryption, seecipher.

The result type depends on the selected encoding format, when PEM theresult is a string, when DER it will be a buffer containing the dataencoded as DER, whenJWK it will be an object.

WhenJWK encoding format was selected, all other encoding options areignored.

PKCS#1, SEC1, and PKCS#8 type keys can be encrypted by using a combination ofthecipher andformat options. The PKCS#8type can be used with anyformat to encrypt any key algorithm (RSA, EC, or DH) by specifying acipher. PKCS#1 and SEC1 can only be encrypted by specifying acipherwhen the PEMformat is used. For maximum compatibility, use PKCS#8 forencrypted private keys. Since PKCS#8 defines its ownencryption mechanism, PEM-level encryption is not supported when encryptinga PKCS#8 key. SeeRFC 5208 for PKCS#8 encryption andRFC 1421 forPKCS#1 and SEC1 encryption.

keyObject.symmetricKeySize#

• <number>

For secret keys, this property represents the size of the key in bytes. Thisproperty isundefined for asymmetric keys.

keyObject.toCryptoKey(algorithm, extractable, keyUsages)#

• algorithm:<string> |<Algorithm> |<RsaHashedImportParams> |<EcKeyImportParams> |<HmacImportParams>

• extractable:<boolean>
• keyUsages:<string[]> SeeKey usages.
• Returns:<CryptoKey>

Converts aKeyObject instance to aCryptoKey.

keyObject.type#

• <string>

Depending on the type of thisKeyObject, this property is either'secret' for secret (symmetric) keys,'public' for public (asymmetric) keysor'private' for private (asymmetric) keys.

sign.sign(privateKey[, outputEncoding])#

• privateKey<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • dsaEncoding<string>
  • padding<integer>
  • saltLength<integer>
• outputEncoding<string> Theencoding of the return value.
• Returns:<Buffer> |<string>

Calculates the signature on all the data passed through using eithersign.update() orsign.write().

IfprivateKey is not aKeyObject, this function behaves as ifprivateKey had been passed tocrypto.createPrivateKey(). If it is anobject, the following additional properties can be passed:

• dsaEncoding<string> For DSA and ECDSA, this option specifies theformat of the generated signature. It can be one of the following:

  • 'der' (default): DER-encoded ASN.1 signature structure encoding(r, s).
  • 'ieee-p1363': Signature formatr || s as proposed in IEEE-P1363.

• padding<integer> Optional padding value for RSA, one of the following:

  • crypto.constants.RSA_PKCS1_PADDING (default)
  • crypto.constants.RSA_PKCS1_PSS_PADDING

  RSA_PKCS1_PSS_PADDING will use MGF1 with the same hash functionused to sign the message as specified in section 3.1 ofRFC 4055, unlessan MGF1 hash function has been specified as part of the key in compliance withsection 3.3 ofRFC 4055.

• saltLength<integer> Salt length for when padding isRSA_PKCS1_PSS_PADDING. The special valuecrypto.constants.RSA_PSS_SALTLEN_DIGEST sets the salt length to the digestsize,crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN (default) sets it to themaximum permissible value.

IfoutputEncoding is provided a string is returned; otherwise aBufferis returned.

TheSign object can not be again used aftersign.sign() method has beencalled. Multiple calls tosign.sign() will result in an error being thrown.

sign.update(data[, inputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of thedata string.

Updates theSign content with the givendata, the encoding of whichis given ininputEncoding.Ifencoding is not provided, and thedata is a string, anencoding of'utf8' is enforced. Ifdata is aBuffer,TypedArray, orDataView, theninputEncoding is ignored.

This can be called many times with new data as it is streamed.

verify.update(data[, inputEncoding])#

• data<string> |<Buffer> |<TypedArray> |<DataView>
• inputEncoding<string> Theencoding of thedata string.

Updates theVerify content with the givendata, the encoding of whichis given ininputEncoding.IfinputEncoding is not provided, and thedata is a string, anencoding of'utf8' is enforced. Ifdata is aBuffer,TypedArray, orDataView, theninputEncoding is ignored.

This can be called many times with new data as it is streamed.

verify.verify(object, signature[, signatureEncoding])#

• object<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • dsaEncoding<string>
  • padding<integer>
  • saltLength<integer>
• signature<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• signatureEncoding<string> Theencoding of thesignature string.
• Returns:<boolean>true orfalse depending on the validity of thesignature for the data and public key.

Verifies the provided data using the givenobject andsignature.

Ifobject is not aKeyObject, this function behaves as ifobject had been passed tocrypto.createPublicKey(). If it is anobject, the following additional properties can be passed:

• dsaEncoding<string> For DSA and ECDSA, this option specifies theformat of the signature. It can be one of the following:

  • 'der' (default): DER-encoded ASN.1 signature structure encoding(r, s).
  • 'ieee-p1363': Signature formatr || s as proposed in IEEE-P1363.

• padding<integer> Optional padding value for RSA, one of the following:

  • crypto.constants.RSA_PKCS1_PADDING (default)
  • crypto.constants.RSA_PKCS1_PSS_PADDING

  RSA_PKCS1_PSS_PADDING will use MGF1 with the same hash functionused to verify the message as specified in section 3.1 ofRFC 4055, unlessan MGF1 hash function has been specified as part of the key in compliance withsection 3.3 ofRFC 4055.

• saltLength<integer> Salt length for when padding isRSA_PKCS1_PSS_PADDING. The special valuecrypto.constants.RSA_PSS_SALTLEN_DIGEST sets the salt length to the digestsize,crypto.constants.RSA_PSS_SALTLEN_AUTO (default) causes it to bedetermined automatically.

Thesignature argument is the previously calculated signature for the data, inthesignatureEncoding.If asignatureEncoding is specified, thesignature is expected to be astring; otherwisesignature is expected to be aBuffer,TypedArray, orDataView.

Theverify object can not be used again afterverify.verify() has beencalled. Multiple calls toverify.verify() will result in an error beingthrown.

Because public keys can be derived from private keys, a private key maybe passed instead of a public key.

new X509Certificate(buffer)#

• buffer<string> |<TypedArray> |<Buffer> |<DataView> A PEM or DER encodedX509 Certificate.

x509.ca#

• Type:<boolean> Will betrue if this is a Certificate Authority (CA)certificate.

x509.checkEmail(email[, options])#

• email<string>
• options<Object>
  • subject<string>'default','always', or'never'.Default:'default'.
• Returns:<string> |<undefined> Returnsemail if the certificate matches,undefined if it does not.

Checks whether the certificate matches the given email address.

If the'subject' option is undefined or set to'default', the certificatesubject is only considered if the subject alternative name extension either doesnot exist or does not contain any email addresses.

If the'subject' option is set to'always' and if the subject alternativename extension either does not exist or does not contain a matching emailaddress, the certificate subject is considered.

If the'subject' option is set to'never', the certificate subject is neverconsidered, even if the certificate contains no subject alternative names.

x509.checkHost(name[, options])#

• name<string>
• options<Object>
  • subject<string>'default','always', or'never'.Default:'default'.
  • wildcards<boolean>Default:true.
  • partialWildcards<boolean>Default:true.
  • multiLabelWildcards<boolean>Default:false.
  • singleLabelSubdomains<boolean>Default:false.
• Returns:<string> |<undefined> Returns a subject name that matchesname,orundefined if no subject name matchesname.

Checks whether the certificate matches the given host name.

If the certificate matches the given host name, the matching subject name isreturned. The returned name might be an exact match (e.g.,foo.example.com)or it might contain wildcards (e.g.,*.example.com). Because host namecomparisons are case-insensitive, the returned subject name might also differfrom the givenname in capitalization.

If the'subject' option is undefined or set to'default', the certificatesubject is only considered if the subject alternative name extension either doesnot exist or does not contain any DNS names. This behavior is consistent withRFC 2818 ("HTTP Over TLS").

If the'subject' option is set to'always' and if the subject alternativename extension either does not exist or does not contain a matching DNS name,the certificate subject is considered.

If the'subject' option is set to'never', the certificate subject is neverconsidered, even if the certificate contains no subject alternative names.

x509.checkIP(ip)#

• ip<string>
• Returns:<string> |<undefined> Returnsip if the certificate matches,undefined if it does not.

Checks whether the certificate matches the given IP address (IPv4 or IPv6).

OnlyRFC 5280iPAddress subject alternative names are considered, and theymust match the givenip address exactly. Other subject alternative names aswell as the subject field of the certificate are ignored.

x509.checkIssued(otherCert)#

• otherCert<X509Certificate>
• Returns:<boolean>

Checks whether this certificate was potentially issued by the givenotherCertby comparing the certificate metadata.

This is useful for pruning a list of possible issuer certificates which have beenselected using a more rudimentary filtering routine, i.e. just based on subjectand issuer names.

Finally, to verify that this certificate's signature was produced by a private keycorresponding tootherCert's public key usex509.verify(publicKey)withotherCert's public key represented as aKeyObjectlike so

if (!x509.verify(otherCert.publicKey)) {thrownewError('otherCert did not issue x509');}copy

x509.checkPrivateKey(privateKey)#

• privateKey<KeyObject> A private key.
• Returns:<boolean>

Checks whether the public key for this certificate is consistent withthe given private key.

x509.extKeyUsage#

• Type:<string[]>

An array detailing the key extended usages for this certificate.

x509.fingerprint#

• Type:<string>

The SHA-1 fingerprint of this certificate.

Because SHA-1 is cryptographically broken and because the security of SHA-1 issignificantly worse than that of algorithms that are commonly used to signcertificates, consider usingx509.fingerprint256 instead.

x509.fingerprint256#

• Type:<string>

The SHA-256 fingerprint of this certificate.

x509.fingerprint512#

• Type:<string>

The SHA-512 fingerprint of this certificate.

Because computing the SHA-256 fingerprint is usually faster and because it isonly half the size of the SHA-512 fingerprint,x509.fingerprint256 may bea better choice. While SHA-512 presumably provides a higher level of security ingeneral, the security of SHA-256 matches that of most algorithms that arecommonly used to sign certificates.

x509.infoAccess#

• Type:<string>

A textual representation of the certificate's authority information accessextension.

This is a line feed separated list of access descriptions. Each line begins withthe access method and the kind of the access location, followed by a colon andthe value associated with the access location.

After the prefix denoting the access method and the kind of the access location,the remainder of each line might be enclosed in quotes to indicate that thevalue is a JSON string literal. For backward compatibility, Node.js only usesJSON string literals within this property when necessary to avoid ambiguity.Third-party code should be prepared to handle both possible entry formats.

x509.issuer#

• Type:<string>

The issuer identification included in this certificate.

x509.issuerCertificate#

• Type:<X509Certificate>

The issuer certificate orundefined if the issuer certificate is notavailable.

x509.publicKey#

• Type:<KeyObject>

The public key<KeyObject> for this certificate.

x509.raw#

• Type:<Buffer>

ABuffer containing the DER encoding of this certificate.

x509.serialNumber#

• Type:<string>

The serial number of this certificate.

Serial numbers are assigned by certificate authorities and do not uniquelyidentify certificates. Consider usingx509.fingerprint256 as a uniqueidentifier instead.

x509.subject#

• Type:<string>

The complete subject of this certificate.

x509.subjectAltName#

• Type:<string>

The subject alternative name specified for this certificate.

This is a comma-separated list of subject alternative names. Each entry beginswith a string identifying the kind of the subject alternative name followed bya colon and the value associated with the entry.

Earlier versions of Node.js incorrectly assumed that it is safe to split thisproperty at the two-character sequence', ' (seeCVE-2021-44532). However,both malicious and legitimate certificates can contain subject alternative namesthat include this sequence when represented as a string.

After the prefix denoting the type of the entry, the remainder of each entrymight be enclosed in quotes to indicate that the value is a JSON string literal.For backward compatibility, Node.js only uses JSON string literals within thisproperty when necessary to avoid ambiguity. Third-party code should be preparedto handle both possible entry formats.

x509.toJSON()#

• Type:<string>

There is no standard JSON encoding for X509 certificates. ThetoJSON() method returns a string containing the PEM encodedcertificate.

x509.toLegacyObject()#

• Type:<Object>

Returns information about this certificate using the legacycertificate object encoding.

x509.toString()#

• Type:<string>

Returns the PEM-encoded certificate.

x509.validFrom#

• Type:<string>

The date/time from which this certificate is valid.

x509.validFromDate#

• Type:<Date>

The date/time from which this certificate is valid, encapsulated in aDate object.

x509.validTo#

• Type:<string>

The date/time until which this certificate is valid.

x509.validToDate#

• Type:<Date>

The date/time until which this certificate is valid, encapsulated in aDate object.

x509.verify(publicKey)#

• publicKey<KeyObject> A public key.
• Returns:<boolean>

Verifies that this certificate was signed by the given public key.Does not perform any other validation checks on the certificate.

crypto.checkPrime(candidate[, options], callback)#

• candidate<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>A possible prime encoded as a sequence of big endian octets of arbitrarylength.
• options<Object>
  • checks<number> The number of Miller-Rabin probabilistic primalityiterations to perform. When the value is0 (zero), a number of checksis used that yields a false positive rate of at most 2^-64 forrandom input. Care must be used when selecting a number of checks. Referto the OpenSSL documentation for theBN_is_prime_ex functionnchecksoptions for more details.Default:0
• callback<Function>
  • err<Error> Set to an<Error> object if an error occurred during check.
  • result<boolean>true if the candidate is a prime with an errorprobability less than0.25 ** options.checks.

Checks the primality of thecandidate.

crypto.checkPrimeSync(candidate[, options])#

• candidate<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>A possible prime encoded as a sequence of big endian octets of arbitrarylength.
• options<Object>
  • checks<number> The number of Miller-Rabin probabilistic primalityiterations to perform. When the value is0 (zero), a number of checksis used that yields a false positive rate of at most 2^-64 forrandom input. Care must be used when selecting a number of checks. Referto the OpenSSL documentation for theBN_is_prime_ex functionnchecksoptions for more details.Default:0
• Returns:<boolean>true if the candidate is a prime with an errorprobability less than0.25 ** options.checks.

Checks the primality of thecandidate.

crypto.constants#

• <Object>

An object containing commonly used constants for crypto and security relatedoperations. The specific constants currently defined are described inCrypto constants.

crypto.createCipheriv(algorithm, key, iv[, options])#

• algorithm<string>
• key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
• iv<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<null>
• options<Object>stream.transform options
• Returns:<Cipheriv>

Creates and returns aCipheriv object, with the givenalgorithm,key andinitialization vector (iv).

Theoptions argument controls stream behavior and is optional except when acipher in CCM or OCB mode (e.g.'aes-128-ccm') is used. In that case, theauthTagLength option is required and specifies the length of theauthentication tag in bytes, seeCCM mode. In GCM mode, theauthTagLengthoption is not required but can be used to set the length of the authenticationtag that will be returned bygetAuthTag() and defaults to 16 bytes.Forchacha20-poly1305, theauthTagLength option defaults to 16 bytes.

Thealgorithm is dependent on OpenSSL, examples are'aes192', etc. Onrecent OpenSSL releases,openssl list -cipher-algorithms willdisplay the available cipher algorithms.

Thekey is the raw key used by thealgorithm andiv is aninitialization vector. Both arguments must be'utf8' encoded strings,Buffers,TypedArray, orDataViews. Thekey may optionally beaKeyObject of typesecret. If the cipher does not needan initialization vector,iv may benull.

When passing strings forkey oriv, please considercaveats when using strings as inputs to cryptographic APIs.

Initialization vectors should be unpredictable and unique; ideally, they will becryptographically random. They do not have to be secret: IVs are typically justadded to ciphertext messages unencrypted. It may sound contradictory thatsomething has to be unpredictable and unique, but does not have to be secret;remember that an attacker must not be able to predict ahead of time what agiven IV will be.

crypto.createDecipheriv(algorithm, key, iv[, options])#

• algorithm<string>
• key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
• iv<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<null>
• options<Object>stream.transform options
• Returns:<Decipheriv>

Creates and returns aDecipheriv object that uses the givenalgorithm,keyand initialization vector (iv).

Theoptions argument controls stream behavior and is optional except when acipher in CCM or OCB mode (e.g.'aes-128-ccm') is used. In that case, theauthTagLength option is required and specifies the length of theauthentication tag in bytes, seeCCM mode.For AES-GCM andchacha20-poly1305, theauthTagLength option defaults to 16bytes and must be set to a different value if a different length is used.

Thealgorithm is dependent on OpenSSL, examples are'aes192', etc. Onrecent OpenSSL releases,openssl list -cipher-algorithms willdisplay the available cipher algorithms.

Thekey is the raw key used by thealgorithm andiv is aninitialization vector. Both arguments must be'utf8' encoded strings,Buffers,TypedArray, orDataViews. Thekey may optionally beaKeyObject of typesecret. If the cipher does not needan initialization vector,iv may benull.

When passing strings forkey oriv, please considercaveats when using strings as inputs to cryptographic APIs.

Initialization vectors should be unpredictable and unique; ideally, they will becryptographically random. They do not have to be secret: IVs are typically justadded to ciphertext messages unencrypted. It may sound contradictory thatsomething has to be unpredictable and unique, but does not have to be secret;remember that an attacker must not be able to predict ahead of time what a givenIV will be.

crypto.createDiffieHellman(prime[, primeEncoding][, generator][, generatorEncoding])#

• prime<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• primeEncoding<string> Theencoding of theprime string.
• generator<number> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>Default:2
• generatorEncoding<string> Theencoding of thegenerator string.
• Returns:<DiffieHellman>

Creates aDiffieHellman key exchange object using the suppliedprime and anoptional specificgenerator.

Thegenerator argument can be a number, string, orBuffer. Ifgenerator is not specified, the value2 is used.

IfprimeEncoding is specified,prime is expected to be a string; otherwiseaBuffer,TypedArray, orDataView is expected.

IfgeneratorEncoding is specified,generator is expected to be a string;otherwise a number,Buffer,TypedArray, orDataView is expected.

crypto.createDiffieHellman(primeLength[, generator])#

• primeLength<number>
• generator<number>Default:2
• Returns:<DiffieHellman>

Creates aDiffieHellman key exchange object and generates a prime ofprimeLength bits using an optional specific numericgenerator.Ifgenerator is not specified, the value2 is used.

crypto.createDiffieHellmanGroup(name)#

• name<string>
• Returns:<DiffieHellmanGroup>

An alias forcrypto.getDiffieHellman()

crypto.createECDH(curveName)#

• curveName<string>
• Returns:<ECDH>

Creates an Elliptic Curve Diffie-Hellman (ECDH) key exchange object using apredefined curve specified by thecurveName string. Usecrypto.getCurves() to obtain a list of available curve names. On recentOpenSSL releases,openssl ecparam -list_curves will also display the nameand description of each available elliptic curve.

crypto.createHash(algorithm[, options])#

• algorithm<string>
• options<Object>stream.transform options
• Returns:<Hash>

Creates and returns aHash object that can be used to generate hash digestsusing the givenalgorithm. Optionaloptions argument controls streambehavior. For XOF hash functions such as'shake256', theoutputLength optioncan be used to specify the desired output length in bytes.

Thealgorithm is dependent on the available algorithms supported by theversion of OpenSSL on the platform. Examples are'sha256','sha512', etc.On recent releases of OpenSSL,openssl list -digest-algorithms willdisplay the available digest algorithms.

Example: generating the sha256 sum of a file

import {  createReadStream,}from'node:fs';import { argv }from'node:process';const {  createHash,} =awaitimport('node:crypto');const filename = argv[2];const hash =createHash('sha256');const input =createReadStream(filename);input.on('readable',() => {// Only one element is going to be produced by the// hash stream.const data = input.read();if (data)    hash.update(data);else {console.log(`${hash.digest('hex')}${filename}`);  }});const {  createReadStream,} =require('node:fs');const {  createHash,} =require('node:crypto');const { argv } =require('node:process');const filename = argv[2];const hash =createHash('sha256');const input =createReadStream(filename);input.on('readable',() => {// Only one element is going to be produced by the// hash stream.const data = input.read();if (data)    hash.update(data);else {console.log(`${hash.digest('hex')}${filename}`);  }});copy

crypto.createHmac(algorithm, key[, options])#

• algorithm<string>
• key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
• options<Object>stream.transform options
  • encoding<string> The string encoding to use whenkey is a string.
• Returns:<Hmac>

Creates and returns anHmac object that uses the givenalgorithm andkey.Optionaloptions argument controls stream behavior.

Thealgorithm is dependent on the available algorithms supported by theversion of OpenSSL on the platform. Examples are'sha256','sha512', etc.On recent releases of OpenSSL,openssl list -digest-algorithms willdisplay the available digest algorithms.

Thekey is the HMAC key used to generate the cryptographic HMAC hash. If it isaKeyObject, its type must besecret. If it is a string, please considercaveats when using strings as inputs to cryptographic APIs. If it wasobtained from a cryptographically secure source of entropy, such ascrypto.randomBytes() orcrypto.generateKey(), its length should notexceed the block size ofalgorithm (e.g., 512 bits for SHA-256).

Example: generating the sha256 HMAC of a file

import {  createReadStream,}from'node:fs';import { argv }from'node:process';const {  createHmac,} =awaitimport('node:crypto');const filename = argv[2];const hmac =createHmac('sha256','a secret');const input =createReadStream(filename);input.on('readable',() => {// Only one element is going to be produced by the// hash stream.const data = input.read();if (data)    hmac.update(data);else {console.log(`${hmac.digest('hex')}${filename}`);  }});const {  createReadStream,} =require('node:fs');const {  createHmac,} =require('node:crypto');const { argv } =require('node:process');const filename = argv[2];const hmac =createHmac('sha256','a secret');const input =createReadStream(filename);input.on('readable',() => {// Only one element is going to be produced by the// hash stream.const data = input.read();if (data)    hmac.update(data);else {console.log(`${hmac.digest('hex')}${filename}`);  }});copy

crypto.createPrivateKey(key)#

• key<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
  • key:<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<Object> The keymaterial, either in PEM, DER, or JWK format.
  • format:<string> Must be'pem','der', or ''jwk'.Default:'pem'.
  • type:<string> Must be'pkcs1','pkcs8' or'sec1'. This option isrequired only if theformat is'der' and ignored otherwise.
  • passphrase:<string> |<Buffer> The passphrase to use for decryption.
  • encoding:<string> The string encoding to use whenkey is a string.
• Returns:<KeyObject>

Creates and returns a new key object containing a private key. Ifkey is astring orBuffer,format is assumed to be'pem'; otherwise,keymust be an object with the properties described above.

If the private key is encrypted, apassphrase must be specified. The lengthof the passphrase is limited to 1024 bytes.

crypto.createPublicKey(key)#

• key<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
  • key:<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<Object> The keymaterial, either in PEM, DER, or JWK format.
  • format:<string> Must be'pem','der', or'jwk'.Default:'pem'.
  • type:<string> Must be'pkcs1' or'spki'. This option isrequired only if theformat is'der' and ignored otherwise.
  • encoding<string> The string encoding to use whenkey is a string.
• Returns:<KeyObject>

Creates and returns a new key object containing a public key. Ifkey is astring orBuffer,format is assumed to be'pem'; ifkey is aKeyObjectwith type'private', the public key is derived from the given private key;otherwise,key must be an object with the properties described above.

If the format is'pem', the'key' may also be an X.509 certificate.

Because public keys can be derived from private keys, a private key may bepassed instead of a public key. In that case, this function behaves as ifcrypto.createPrivateKey() had been called, except that the type of thereturnedKeyObject will be'public' and that the private key cannot beextracted from the returnedKeyObject. Similarly, if aKeyObject with type'private' is given, a newKeyObject with type'public' will be returnedand it will be impossible to extract the private key from the returned object.

crypto.createSecretKey(key[, encoding])#

• key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• encoding<string> The string encoding whenkey is a string.
• Returns:<KeyObject>

Creates and returns a new key object containing a secret key for symmetricencryption orHmac.

crypto.createSign(algorithm[, options])#

• algorithm<string>
• options<Object>stream.Writable options
• Returns:<Sign>

Creates and returns aSign object that uses the givenalgorithm. Usecrypto.getHashes() to obtain the names of the available digest algorithms.Optionaloptions argument controls thestream.Writable behavior.

In some cases, aSign instance can be created using the name of a signaturealgorithm, such as'RSA-SHA256', instead of a digest algorithm. This will usethe corresponding digest algorithm. This does not work for all signaturealgorithms, such as'ecdsa-with-SHA256', so it is best to always use digestalgorithm names.

crypto.createVerify(algorithm[, options])#

• algorithm<string>
• options<Object>stream.Writable options
• Returns:<Verify>

Creates and returns aVerify object that uses the given algorithm.Usecrypto.getHashes() to obtain an array of names of the availablesigning algorithms. Optionaloptions argument controls thestream.Writable behavior.

In some cases, aVerify instance can be created using the name of a signaturealgorithm, such as'RSA-SHA256', instead of a digest algorithm. This will usethe corresponding digest algorithm. This does not work for all signaturealgorithms, such as'ecdsa-with-SHA256', so it is best to always use digestalgorithm names.

crypto.diffieHellman(options[, callback])#

• options:<Object>
  • privateKey:<KeyObject>
  • publicKey:<KeyObject>
• callback<Function>
  • err<Error>
  • secret<Buffer>
• Returns:<Buffer> if thecallback function is not provided.

Computes the Diffie-Hellman secret based on aprivateKey and apublicKey.Both keys must have the sameasymmetricKeyType, which must be one of'dh'(for Diffie-Hellman),'ec','x448', or'x25519' (for ECDH).

If thecallback function is provided this function uses libuv's threadpool.

crypto.fips#

Property for checking and controlling whether a FIPS compliant crypto provideris currently in use. Setting to true requires a FIPS build of Node.js.

This property is deprecated. Please usecrypto.setFips() andcrypto.getFips() instead.

crypto.generateKey(type, options, callback)#

• type:<string> The intended use of the generated secret key. Currentlyaccepted values are'hmac' and'aes'.
• options:<Object>
  • length:<number> The bit length of the key to generate. This must be avalue greater than 0.
    • Iftype is'hmac', the minimum is 8, and the maximum length is2³¹-1. If the value is not a multiple of 8, the generatedkey will be truncated toMath.floor(length / 8).
    • Iftype is'aes', the length must be one of128,192, or256.
• callback:<Function>
  • err:<Error>
  • key:<KeyObject>

Asynchronously generates a new random secret key of the givenlength. Thetype will determine which validations will be performed on thelength.

const {  generateKey,} =awaitimport('node:crypto');generateKey('hmac', {length:512 },(err, key) => {if (err)throw err;console.log(key.export().toString('hex'));// 46e..........620});const {  generateKey,} =require('node:crypto');generateKey('hmac', {length:512 },(err, key) => {if (err)throw err;console.log(key.export().toString('hex'));// 46e..........620});copy

The size of a generated HMAC key should not exceed the block size of theunderlying hash function. Seecrypto.createHmac() for more information.

crypto.generateKeyPair(type, options, callback)#

• type:<string> Must be'rsa','rsa-pss','dsa','ec','ed25519','ed448','x25519','x448', or'dh'.
• options:<Object>
  • modulusLength:<number> Key size in bits (RSA, DSA).
  • publicExponent:<number> Public exponent (RSA).Default:0x10001.
  • hashAlgorithm:<string> Name of the message digest (RSA-PSS).
  • mgf1HashAlgorithm:<string> Name of the message digest used byMGF1 (RSA-PSS).
  • saltLength:<number> Minimal salt length in bytes (RSA-PSS).
  • divisorLength:<number> Size ofq in bits (DSA).
  • namedCurve:<string> Name of the curve to use (EC).
  • prime:<Buffer> The prime parameter (DH).
  • primeLength:<number> Prime length in bits (DH).
  • generator:<number> Custom generator (DH).Default:2.
  • groupName:<string> Diffie-Hellman group name (DH). Seecrypto.getDiffieHellman().
  • paramEncoding:<string> Must be'named' or'explicit' (EC).Default:'named'.
  • publicKeyEncoding:<Object> SeekeyObject.export().
  • privateKeyEncoding:<Object> SeekeyObject.export().
• callback:<Function>
  • err:<Error>
  • publicKey:<string> |<Buffer> |<KeyObject>
  • privateKey:<string> |<Buffer> |<KeyObject>

Generates a new asymmetric key pair of the giventype. RSA, RSA-PSS, DSA, EC,Ed25519, Ed448, X25519, X448, and DH are currently supported.

If apublicKeyEncoding orprivateKeyEncoding was specified, this functionbehaves as ifkeyObject.export() had been called on its result. Otherwise,the respective part of the key is returned as aKeyObject.

It is recommended to encode public keys as'spki' and private keys as'pkcs8' with encryption for long-term storage:

const {  generateKeyPair,} =awaitimport('node:crypto');generateKeyPair('rsa', {modulusLength:4096,publicKeyEncoding: {type:'spki',format:'pem',  },privateKeyEncoding: {type:'pkcs8',format:'pem',cipher:'aes-256-cbc',passphrase:'top secret',  },},(err, publicKey, privateKey) => {// Handle errors and use the generated key pair.});const {  generateKeyPair,} =require('node:crypto');generateKeyPair('rsa', {modulusLength:4096,publicKeyEncoding: {type:'spki',format:'pem',  },privateKeyEncoding: {type:'pkcs8',format:'pem',cipher:'aes-256-cbc',passphrase:'top secret',  },},(err, publicKey, privateKey) => {// Handle errors and use the generated key pair.});copy

On completion,callback will be called witherr set toundefined andpublicKey /privateKey representing the generated key pair.

If this method is invoked as itsutil.promisify()ed version, it returnsaPromise for anObject withpublicKey andprivateKey properties.

crypto.generateKeyPairSync(type, options)#

• type:<string> Must be'rsa','rsa-pss','dsa','ec','ed25519','ed448','x25519','x448', or'dh'.
• options:<Object>
  • modulusLength:<number> Key size in bits (RSA, DSA).
  • publicExponent:<number> Public exponent (RSA).Default:0x10001.
  • hashAlgorithm:<string> Name of the message digest (RSA-PSS).
  • mgf1HashAlgorithm:<string> Name of the message digest used byMGF1 (RSA-PSS).
  • saltLength:<number> Minimal salt length in bytes (RSA-PSS).
  • divisorLength:<number> Size ofq in bits (DSA).
  • namedCurve:<string> Name of the curve to use (EC).
  • prime:<Buffer> The prime parameter (DH).
  • primeLength:<number> Prime length in bits (DH).
  • generator:<number> Custom generator (DH).Default:2.
  • groupName:<string> Diffie-Hellman group name (DH). Seecrypto.getDiffieHellman().
  • paramEncoding:<string> Must be'named' or'explicit' (EC).Default:'named'.
  • publicKeyEncoding:<Object> SeekeyObject.export().
  • privateKeyEncoding:<Object> SeekeyObject.export().
• Returns:<Object>
  • publicKey:<string> |<Buffer> |<KeyObject>
  • privateKey:<string> |<Buffer> |<KeyObject>

Generates a new asymmetric key pair of the giventype. RSA, RSA-PSS, DSA, EC,Ed25519, Ed448, X25519, X448, and DH are currently supported.

If apublicKeyEncoding orprivateKeyEncoding was specified, this functionbehaves as ifkeyObject.export() had been called on its result. Otherwise,the respective part of the key is returned as aKeyObject.

When encoding public keys, it is recommended to use'spki'. When encodingprivate keys, it is recommended to use'pkcs8' with a strong passphrase,and to keep the passphrase confidential.

const {  generateKeyPairSync,} =awaitimport('node:crypto');const {  publicKey,  privateKey,} =generateKeyPairSync('rsa', {modulusLength:4096,publicKeyEncoding: {type:'spki',format:'pem',  },privateKeyEncoding: {type:'pkcs8',format:'pem',cipher:'aes-256-cbc',passphrase:'top secret',  },});const {  generateKeyPairSync,} =require('node:crypto');const {  publicKey,  privateKey,} =generateKeyPairSync('rsa', {modulusLength:4096,publicKeyEncoding: {type:'spki',format:'pem',  },privateKeyEncoding: {type:'pkcs8',format:'pem',cipher:'aes-256-cbc',passphrase:'top secret',  },});copy

The return value{ publicKey, privateKey } represents the generated key pair.When PEM encoding was selected, the respective key will be a string, otherwiseit will be a buffer containing the data encoded as DER.

crypto.generateKeySync(type, options)#

• type:<string> The intended use of the generated secret key. Currentlyaccepted values are'hmac' and'aes'.
• options:<Object>
  • length:<number> The bit length of the key to generate.
    • Iftype is'hmac', the minimum is 8, and the maximum length is2³¹-1. If the value is not a multiple of 8, the generatedkey will be truncated toMath.floor(length / 8).
    • Iftype is'aes', the length must be one of128,192, or256.
• Returns:<KeyObject>

Synchronously generates a new random secret key of the givenlength. Thetype will determine which validations will be performed on thelength.

const {  generateKeySync,} =awaitimport('node:crypto');const key =generateKeySync('hmac', {length:512 });console.log(key.export().toString('hex'));// e89..........41econst {  generateKeySync,} =require('node:crypto');const key =generateKeySync('hmac', {length:512 });console.log(key.export().toString('hex'));// e89..........41ecopy

The size of a generated HMAC key should not exceed the block size of theunderlying hash function. Seecrypto.createHmac() for more information.

crypto.generatePrime(size[, options], callback)#

• size<number> The size (in bits) of the prime to generate.
• options<Object>
  • add<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>
  • rem<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>
  • safe<boolean>Default:false.
  • bigint<boolean> Whentrue, the generated prime is returnedas abigint.
• callback<Function>
  • err<Error>
  • prime<ArrayBuffer> |<bigint>

Generates a pseudorandom prime ofsize bits.

Ifoptions.safe istrue, the prime will be a safe prime -- that is,(prime - 1) / 2 will also be a prime.

Theoptions.add andoptions.rem parameters can be used to enforce additionalrequirements, e.g., for Diffie-Hellman:

• Ifoptions.add andoptions.rem are both set, the prime will satisfy thecondition thatprime % add = rem.
• If onlyoptions.add is set andoptions.safe is nottrue, the prime willsatisfy the condition thatprime % add = 1.
• If onlyoptions.add is set andoptions.safe is set totrue, the primewill instead satisfy the condition thatprime % add = 3. This is necessarybecauseprime % add = 1 foroptions.add > 2 would contradict the conditionenforced byoptions.safe.
• options.rem is ignored ifoptions.add is not given.

Bothoptions.add andoptions.rem must be encoded as big-endian sequencesif given as anArrayBuffer,SharedArrayBuffer,TypedArray,Buffer, orDataView.

By default, the prime is encoded as a big-endian sequence of octetsin an<ArrayBuffer>. If thebigint option istrue, then a<bigint>is provided.

Thesize of the prime will have a direct impact on how long it takes togenerate the prime. The larger the size, the longer it will take. Becausewe use OpenSSL'sBN_generate_prime_ex function, which provides onlyminimal control over our ability to interrupt the generation process,it is not recommended to generate overly large primes, as doing so may makethe process unresponsive.

crypto.generatePrimeSync(size[, options])#

• size<number> The size (in bits) of the prime to generate.
• options<Object>
  • add<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>
  • rem<ArrayBuffer> |<SharedArrayBuffer> |<TypedArray> |<Buffer> |<DataView> |<bigint>
  • safe<boolean>Default:false.
  • bigint<boolean> Whentrue, the generated prime is returnedas abigint.
• Returns:<ArrayBuffer> |<bigint>

Generates a pseudorandom prime ofsize bits.

Ifoptions.safe istrue, the prime will be a safe prime -- that is,(prime - 1) / 2 will also be a prime.

Theoptions.add andoptions.rem parameters can be used to enforce additionalrequirements, e.g., for Diffie-Hellman:

• Ifoptions.add andoptions.rem are both set, the prime will satisfy thecondition thatprime % add = rem.
• If onlyoptions.add is set andoptions.safe is nottrue, the prime willsatisfy the condition thatprime % add = 1.
• If onlyoptions.add is set andoptions.safe is set totrue, the primewill instead satisfy the condition thatprime % add = 3. This is necessarybecauseprime % add = 1 foroptions.add > 2 would contradict the conditionenforced byoptions.safe.
• options.rem is ignored ifoptions.add is not given.

Bothoptions.add andoptions.rem must be encoded as big-endian sequencesif given as anArrayBuffer,SharedArrayBuffer,TypedArray,Buffer, orDataView.

By default, the prime is encoded as a big-endian sequence of octetsin an<ArrayBuffer>. If thebigint option istrue, then a<bigint>is provided.

Thesize of the prime will have a direct impact on how long it takes togenerate the prime. The larger the size, the longer it will take. Becausewe use OpenSSL'sBN_generate_prime_ex function, which provides onlyminimal control over our ability to interrupt the generation process,it is not recommended to generate overly large primes, as doing so may makethe process unresponsive.

crypto.getCipherInfo(nameOrNid[, options])#

• nameOrNid:<string> |<number> The name or nid of the cipher to query.
• options:<Object>
  • keyLength:<number> A test key length.
  • ivLength:<number> A test IV length.
• Returns:<Object>
  • name<string> The name of the cipher
  • nid<number> The nid of the cipher
  • blockSize<number> The block size of the cipher in bytes. This propertyis omitted whenmode is'stream'.
  • ivLength<number> The expected or default initialization vector length inbytes. This property is omitted if the cipher does not use an initializationvector.
  • keyLength<number> The expected or default key length in bytes.
  • mode<string> The cipher mode. One of'cbc','ccm','cfb','ctr','ecb','gcm','ocb','ofb','stream','wrap','xts'.

Returns information about a given cipher.

Some ciphers accept variable length keys and initialization vectors. By default,thecrypto.getCipherInfo() method will return the default values for theseciphers. To test if a given key length or iv length is acceptable for givencipher, use thekeyLength andivLength options. If the given values areunacceptable,undefined will be returned.

crypto.getCiphers()#

• Returns:<string[]> An array with the names of the supported cipheralgorithms.

const {  getCiphers,} =awaitimport('node:crypto');console.log(getCiphers());// ['aes-128-cbc', 'aes-128-ccm', ...]const {  getCiphers,} =require('node:crypto');console.log(getCiphers());// ['aes-128-cbc', 'aes-128-ccm', ...]copy

crypto.getCurves()#

• Returns:<string[]> An array with the names of the supported elliptic curves.

const {  getCurves,} =awaitimport('node:crypto');console.log(getCurves());// ['Oakley-EC2N-3', 'Oakley-EC2N-4', ...]const {  getCurves,} =require('node:crypto');console.log(getCurves());// ['Oakley-EC2N-3', 'Oakley-EC2N-4', ...]copy

crypto.getDiffieHellman(groupName)#

• groupName<string>
• Returns:<DiffieHellmanGroup>

Creates a predefinedDiffieHellmanGroup key exchange object. Thesupported groups are listed in the documentation forDiffieHellmanGroup.

The returned object mimics the interface of objects created bycrypto.createDiffieHellman(), but will not allow changingthe keys (withdiffieHellman.setPublicKey(), for example). Theadvantage of using this method is that the parties do not have togenerate nor exchange a group modulus beforehand, saving both processorand communication time.

Example (obtaining a shared secret):

const {  getDiffieHellman,} =awaitimport('node:crypto');const alice =getDiffieHellman('modp14');const bob =getDiffieHellman('modp14');alice.generateKeys();bob.generateKeys();const aliceSecret = alice.computeSecret(bob.getPublicKey(),null,'hex');const bobSecret = bob.computeSecret(alice.getPublicKey(),null,'hex');/* aliceSecret and bobSecret should be the same */console.log(aliceSecret === bobSecret);const {  getDiffieHellman,} =require('node:crypto');const alice =getDiffieHellman('modp14');const bob =getDiffieHellman('modp14');alice.generateKeys();bob.generateKeys();const aliceSecret = alice.computeSecret(bob.getPublicKey(),null,'hex');const bobSecret = bob.computeSecret(alice.getPublicKey(),null,'hex');/* aliceSecret and bobSecret should be the same */console.log(aliceSecret === bobSecret);copy

crypto.getFips()#

• Returns:<number>1 if and only if a FIPS compliant crypto provider iscurrently in use,0 otherwise. A future semver-major release may changethe return type of this API to a<boolean>.

crypto.getHashes()#

• Returns:<string[]> An array of the names of the supported hash algorithms,such as'RSA-SHA256'. Hash algorithms are also called "digest" algorithms.

const {  getHashes,} =awaitimport('node:crypto');console.log(getHashes());// ['DSA', 'DSA-SHA', 'DSA-SHA1', ...]const {  getHashes,} =require('node:crypto');console.log(getHashes());// ['DSA', 'DSA-SHA', 'DSA-SHA1', ...]copy

crypto.getRandomValues(typedArray)#

• typedArray<Buffer> |<TypedArray> |<DataView> |<ArrayBuffer>
• Returns:<Buffer> |<TypedArray> |<DataView> |<ArrayBuffer> ReturnstypedArray.

A convenient alias forcrypto.webcrypto.getRandomValues(). Thisimplementation is not compliant with the Web Crypto spec, to writeweb-compatible code usecrypto.webcrypto.getRandomValues() instead.

crypto.hash(algorithm, data[, options])#

• algorithm<string> |<undefined>
• data<string> |<Buffer> |<TypedArray> |<DataView> Whendata is astring, it will be encoded as UTF-8 before being hashed. If a differentinput encoding is desired for a string input, user could encode the stringinto aTypedArray using eitherTextEncoder orBuffer.from() and passingthe encodedTypedArray into this API instead.
• options<Object> |<string>
  • outputEncoding<string>Encoding used to encode thereturned digest.Default:'hex'.
  • outputLength<number> For XOF hash functions such as 'shake256',the outputLength option can be used to specify the desired output length in bytes.
• Returns:<string> |<Buffer>

A utility for creating one-shot hash digests of data. It can be faster thanthe object-basedcrypto.createHash() when hashing a smaller amount of data(<= 5MB) that's readily available. If the data can be big or if it is streamed,it's still recommended to usecrypto.createHash() instead.

Thealgorithm is dependent on the available algorithms supported by theversion of OpenSSL on the platform. Examples are'sha256','sha512', etc.On recent releases of OpenSSL,openssl list -digest-algorithms willdisplay the available digest algorithms.

Ifoptions is a string, then it specifies theoutputEncoding.

Example:

const crypto =require('node:crypto');const {Buffer } =require('node:buffer');// Hashing a string and return the result as a hex-encoded string.const string ='Node.js';// 10b3493287f831e81a438811a1ffba01f8cec4b7console.log(crypto.hash('sha1', string));// Encode a base64-encoded string into a Buffer, hash it and return// the result as a buffer.const base64 ='Tm9kZS5qcw==';// <Buffer 10 b3 49 32 87 f8 31 e8 1a 43 88 11 a1 ff ba 01 f8 ce c4 b7>console.log(crypto.hash('sha1',Buffer.from(base64,'base64'),'buffer'));import cryptofrom'node:crypto';import {Buffer }from'node:buffer';// Hashing a string and return the result as a hex-encoded string.const string ='Node.js';// 10b3493287f831e81a438811a1ffba01f8cec4b7console.log(crypto.hash('sha1', string));// Encode a base64-encoded string into a Buffer, hash it and return// the result as a buffer.const base64 ='Tm9kZS5qcw==';// <Buffer 10 b3 49 32 87 f8 31 e8 1a 43 88 11 a1 ff ba 01 f8 ce c4 b7>console.log(crypto.hash('sha1',Buffer.from(base64,'base64'),'buffer'));copy

crypto.hkdf(digest, ikm, salt, info, keylen, callback)#

• digest<string> The digest algorithm to use.
• ikm<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> The inputkeying material. Must be provided but can be zero-length.
• salt<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> The salt value. Mustbe provided but can be zero-length.
• info<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> Additional info value.Must be provided but can be zero-length, and cannot be more than 1024 bytes.
• keylen<number> The length of the key to generate. Must be greater than 0.The maximum allowable value is255 times the number of bytes produced bythe selected digest function (e.g.sha512 generates 64-byte hashes, makingthe maximum HKDF output 16320 bytes).
• callback<Function>
  • err<Error>
  • derivedKey<ArrayBuffer>

HKDF is a simple key derivation function defined in RFC 5869. The givenikm,salt andinfo are used with thedigest to derive a key ofkeylen bytes.

The suppliedcallback function is called with two arguments:err andderivedKey. If an errors occurs while deriving the key,err will be set;otherwiseerr will benull. The successfully generatedderivedKey willbe passed to the callback as an<ArrayBuffer>. An error will be thrown if anyof the input arguments specify invalid values or types.

import {Buffer }from'node:buffer';const {  hkdf,} =awaitimport('node:crypto');hkdf('sha512','key','salt','info',64,(err, derivedKey) => {if (err)throw err;console.log(Buffer.from(derivedKey).toString('hex'));// '24156e2...5391653'});const {  hkdf,} =require('node:crypto');const {Buffer } =require('node:buffer');hkdf('sha512','key','salt','info',64,(err, derivedKey) => {if (err)throw err;console.log(Buffer.from(derivedKey).toString('hex'));// '24156e2...5391653'});copy

crypto.hkdfSync(digest, ikm, salt, info, keylen)#

• digest<string> The digest algorithm to use.
• ikm<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> The inputkeying material. Must be provided but can be zero-length.
• salt<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> The salt value. Mustbe provided but can be zero-length.
• info<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> Additional info value.Must be provided but can be zero-length, and cannot be more than 1024 bytes.
• keylen<number> The length of the key to generate. Must be greater than 0.The maximum allowable value is255 times the number of bytes produced bythe selected digest function (e.g.sha512 generates 64-byte hashes, makingthe maximum HKDF output 16320 bytes).
• Returns:<ArrayBuffer>

Provides a synchronous HKDF key derivation function as defined in RFC 5869. Thegivenikm,salt andinfo are used with thedigest to derive a key ofkeylen bytes.

The successfully generatedderivedKey will be returned as an<ArrayBuffer>.

An error will be thrown if any of the input arguments specify invalid values ortypes, or if the derived key cannot be generated.

import {Buffer }from'node:buffer';const {  hkdfSync,} =awaitimport('node:crypto');const derivedKey =hkdfSync('sha512','key','salt','info',64);console.log(Buffer.from(derivedKey).toString('hex'));// '24156e2...5391653'const {  hkdfSync,} =require('node:crypto');const {Buffer } =require('node:buffer');const derivedKey =hkdfSync('sha512','key','salt','info',64);console.log(Buffer.from(derivedKey).toString('hex'));// '24156e2...5391653'copy

crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)#

• password<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• salt<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• iterations<number>
• keylen<number>
• digest<string>
• callback<Function>
  • err<Error>
  • derivedKey<Buffer>

Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)implementation. A selected HMAC digest algorithm specified bydigest isapplied to derive a key of the requested byte length (keylen) from thepassword,salt anditerations.

The suppliedcallback function is called with two arguments:err andderivedKey. If an error occurs while deriving the key,err will be set;otherwiseerr will benull. By default, the successfully generatedderivedKey will be passed to the callback as aBuffer. An error will bethrown if any of the input arguments specify invalid values or types.

Theiterations argument must be a number set as high as possible. Thehigher the number of iterations, the more secure the derived key will be,but will take a longer amount of time to complete.

Thesalt should be as unique as possible. It is recommended that a salt israndom and at least 16 bytes long. SeeNIST SP 800-132 for details.

When passing strings forpassword orsalt, please considercaveats when using strings as inputs to cryptographic APIs.

const {  pbkdf2,} =awaitimport('node:crypto');pbkdf2('secret','salt',100000,64,'sha512',(err, derivedKey) => {if (err)throw err;console.log(derivedKey.toString('hex'));// '3745e48...08d59ae'});const {  pbkdf2,} =require('node:crypto');pbkdf2('secret','salt',100000,64,'sha512',(err, derivedKey) => {if (err)throw err;console.log(derivedKey.toString('hex'));// '3745e48...08d59ae'});copy

An array of supported digest functions can be retrieved usingcrypto.getHashes().

This API uses libuv's threadpool, which can have surprising andnegative performance implications for some applications; see theUV_THREADPOOL_SIZE documentation for more information.

crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)#

• password<string> |<Buffer> |<TypedArray> |<DataView>
• salt<string> |<Buffer> |<TypedArray> |<DataView>
• iterations<number>
• keylen<number>
• digest<string>
• Returns:<Buffer>

Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)implementation. A selected HMAC digest algorithm specified bydigest isapplied to derive a key of the requested byte length (keylen) from thepassword,salt anditerations.

If an error occurs anError will be thrown, otherwise the derived key will bereturned as aBuffer.

Theiterations argument must be a number set as high as possible. Thehigher the number of iterations, the more secure the derived key will be,but will take a longer amount of time to complete.

Thesalt should be as unique as possible. It is recommended that a salt israndom and at least 16 bytes long. SeeNIST SP 800-132 for details.

When passing strings forpassword orsalt, please considercaveats when using strings as inputs to cryptographic APIs.

const {  pbkdf2Sync,} =awaitimport('node:crypto');const key =pbkdf2Sync('secret','salt',100000,64,'sha512');console.log(key.toString('hex'));// '3745e48...08d59ae'const {  pbkdf2Sync,} =require('node:crypto');const key =pbkdf2Sync('secret','salt',100000,64,'sha512');console.log(key.toString('hex'));// '3745e48...08d59ae'copy

An array of supported digest functions can be retrieved usingcrypto.getHashes().

crypto.privateDecrypt(privateKey, buffer)#

• privateKey<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • oaepHash<string> The hash function to use for OAEP padding and MGF1.Default:'sha1'
  • oaepLabel<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> The label touse for OAEP padding. If not specified, no label is used.
  • padding<crypto.constants> An optional padding value defined incrypto.constants, which may be:crypto.constants.RSA_NO_PADDING,crypto.constants.RSA_PKCS1_PADDING, orcrypto.constants.RSA_PKCS1_OAEP_PADDING.
• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• Returns:<Buffer> A newBuffer with the decrypted content.

Decryptsbuffer withprivateKey.buffer was previously encrypted usingthe corresponding public key, for example usingcrypto.publicEncrypt().

IfprivateKey is not aKeyObject, this function behaves as ifprivateKey had been passed tocrypto.createPrivateKey(). If it is anobject, thepadding property can be passed. Otherwise, this function usesRSA_PKCS1_OAEP_PADDING.

Usingcrypto.constants.RSA_PKCS1_PADDING incrypto.privateDecrypt()requires OpenSSL to support implicit rejection (rsa_pkcs1_implicit_rejection).If the version of OpenSSL used by Node.js does not support this feature,attempting to useRSA_PKCS1_PADDING will fail.

crypto.privateEncrypt(privateKey, buffer)#

• privateKey<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>A PEM encoded private key.
  • passphrase<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> An optionalpassphrase for the private key.
  • padding<crypto.constants> An optional padding value defined incrypto.constants, which may be:crypto.constants.RSA_NO_PADDING orcrypto.constants.RSA_PKCS1_PADDING.
  • encoding<string> The string encoding to use whenbuffer,key,orpassphrase are strings.
• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• Returns:<Buffer> A newBuffer with the encrypted content.

Encryptsbuffer withprivateKey. The returned data can be decrypted usingthe corresponding public key, for example usingcrypto.publicDecrypt().

IfprivateKey is not aKeyObject, this function behaves as ifprivateKey had been passed tocrypto.createPrivateKey(). If it is anobject, thepadding property can be passed. Otherwise, this function usesRSA_PKCS1_PADDING.

crypto.publicDecrypt(key, buffer)#

• key<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • passphrase<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> An optionalpassphrase for the private key.
  • padding<crypto.constants> An optional padding value defined incrypto.constants, which may be:crypto.constants.RSA_NO_PADDING orcrypto.constants.RSA_PKCS1_PADDING.
  • encoding<string> The string encoding to use whenbuffer,key,orpassphrase are strings.
• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• Returns:<Buffer> A newBuffer with the decrypted content.

Decryptsbuffer withkey.buffer was previously encrypted usingthe corresponding private key, for example usingcrypto.privateEncrypt().

Ifkey is not aKeyObject, this function behaves as ifkey had been passed tocrypto.createPublicKey(). If it is anobject, thepadding property can be passed. Otherwise, this function usesRSA_PKCS1_PADDING.

Because RSA public keys can be derived from private keys, a private key maybe passed instead of a public key.

crypto.publicEncrypt(key, buffer)#

• key<Object> |<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>
  • key<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> |<KeyObject> |<CryptoKey>A PEM encoded public or private key,<KeyObject>, or<CryptoKey>.
  • oaepHash<string> The hash function to use for OAEP padding and MGF1.Default:'sha1'
  • oaepLabel<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> The label touse for OAEP padding. If not specified, no label is used.
  • passphrase<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView> An optionalpassphrase for the private key.
  • padding<crypto.constants> An optional padding value defined incrypto.constants, which may be:crypto.constants.RSA_NO_PADDING,crypto.constants.RSA_PKCS1_PADDING, orcrypto.constants.RSA_PKCS1_OAEP_PADDING.
  • encoding<string> The string encoding to use whenbuffer,key,oaepLabel, orpassphrase are strings.
• buffer<string> |<ArrayBuffer> |<Buffer> |<TypedArray> |<DataView>
• Returns:<Buffer> A newBuffer with the encrypted content.

Encrypts the content ofbuffer withkey and returns a newBuffer with encrypted content. The returned data can be decrypted usingthe corresponding private key, for example usingcrypto.privateDecrypt().

Ifkey is not aKeyObject, this function behaves as ifkey had been passed tocrypto.createPublicKey(). If it is anobject, thepadding property can be passed. Otherwise, this function usesRSA_PKCS1_OAEP_PADDING.

Because RSA public keys can be derived from private keys, a private key maybe passed instead of a public key.

crypto.randomBytes(size[, callback])#

• size<number> The number of bytes to generate. Thesize mustnot be larger than2**31 - 1.
• callback<Function>
  • err<Error>
  • buf<Buffer>
• Returns:<Buffer> if thecallback function is not provided.

Generates cryptographically strong pseudorandom data. Thesize argumentis a number indicating the number of bytes to generate.