home / documentation / v19 / webcrypto

Web Crypto API

Table des matières

Ajouté en: v15.0.0

Stabilité: 2 - Stable

Node.js provides an implementation of the standard Web Crypto API.

Use globalThis.crypto or require('node:crypto').webcrypto to access this module.

JS

Examples

Generating keys

The SubtleCrypto class can be used to generate symmetric (secret) keys or asymmetric key pairs (public key and private key).

AES keys
JS
ECDSA key pairs
JS
Ed25519/Ed448/X25519/X448 key pairs
Stabilité: 1 - Experimental
JS
HMAC keys
JS
RSA key pairs
JS

Encryption and decryption

JS

Exporting and importing keys

JS

Wrapping and unwrapping keys

JS

Sign and verify

JS

Deriving bits and keys

JS

Digest

JS

Algorithm matrix

The table details the algorithms supported by the Node.js Web Crypto API implementation and the APIs supported for each:

AlgorithmgenerateKeyexportKeyimportKeyencryptdecryptwrapKeyunwrapKeyderiveBitsderiveKeysignverifydigest
'RSASSA-PKCS1-v1_5'
'RSA-PSS'
'RSA-OAEP'
'ECDSA'
'Ed25519' 1
'Ed448' 1
'ECDH'
'X25519' 1
'X448' 1
'AES-CTR'
'AES-CBC'
'AES-GCM'
'AES-KW'
'HMAC'
'HKDF'
'PBKDF2'
'SHA-1'
'SHA-256'
'SHA-384'
'SHA-512'

C Crypto

Ajouté en: v15.0.0

globalThis.crypto is an instance of the Crypto class. Crypto is a singleton that provides access to the remainder of the crypto API.

M crypto.subtle

Ajouté en: v15.0.0

Provides access to the SubtleCrypto API.

M crypto.getRandomValues(typedArray)

Ajouté en: v15.0.0

Generates cryptographically strong random values. The given typedArray is filled with random values, and a reference to typedArray is returned.

The given typedArray must be an integer-based instance of TypedArray, i.e. Float32Array and Float64Array are not accepted.

An error will be thrown if the given typedArray is larger than 65,536 bytes.

M crypto.randomUUID()

Ajouté en: v16.7.0

Generates a random RFC 4122 version 4 UUID. The UUID is generated using a cryptographic pseudorandom number generator.

C CryptoKey

Ajouté en: v15.0.0

M cryptoKey.algorithm

Ajouté en: v15.0.0

An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.

Read-only.

M cryptoKey.extractable

Ajouté en: v15.0.0

When true, the CryptoKey can be extracted using either subtleCrypto.exportKey() or subtleCrypto.wrapKey().

Read-only.

M cryptoKey.type

Ajouté en: v15.0.0

  • Type: string One of 'secret', 'private', or 'public'.

A string identifying whether the key is a symmetric ('secret') or asymmetric ('private' or 'public') key.

M cryptoKey.usages

Ajouté en: v15.0.0

  • Type: string[]

An array of strings identifying the operations for which the key may be used.

The possible usages are:

  • 'encrypt' - The key may be used to encrypt data.
  • 'decrypt' - The key may be used to decrypt data.
  • 'sign' - The key may be used to generate digital signatures.
  • 'verify' - The key may be used to verify digital signatures.
  • 'deriveKey' - The key may be used to derive a new key.
  • 'deriveBits' - The key may be used to derive bits.
  • 'wrapKey' - The key may be used to wrap another key.
  • 'unwrapKey' - The key may be used to unwrap another key.

Valid key usages depend on the key algorithm (identified by cryptokey.algorithm.name).

Key Type'encrypt''decrypt''sign''verify''deriveKey''deriveBits''wrapKey''unwrapKey'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'X25519' 1
'X448' 1
'ECDSA'
'Ed25519' 1
'Ed448' 1
'HDKF'
'HMAC'
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

C CryptoKeyPair

Ajouté en: v15.0.0

The CryptoKeyPair is a simple dictionary object with publicKey and privateKey properties, representing an asymmetric key pair.

M cryptoKeyPair.privateKey

Ajouté en: v15.0.0

M cryptoKeyPair.publicKey

Ajouté en: v15.0.0

C SubtleCrypto

Ajouté en: v15.0.0

M subtle.decrypt(algorithm, key, data)

Ajouté en: v15.0.0

Using the method and parameters specified in algorithm and the keying material provided by key, subtle.decrypt() attempts to decipher the provided data. If successful, the returned promise will be resolved with an ArrayBuffer containing the plaintext result.

The algorithms currently supported include:

  • 'RSA-OAEP'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'

M subtle.deriveBits(algorithm, baseKey, length)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'X25519'`, and `'X448'` algorithms.
v15.0.0Ajouté en: v15.0.0

Using the method and parameters specified in algorithm and the keying material provided by baseKey, subtle.deriveBits() attempts to generate length bits.

The Node.js implementation requires that when length is a number it must be multiple of 8.

When length is null the maximum number of bits for a given algorithm is generated. This is allowed for the 'ECDH', 'X25519', and 'X448' algorithms.

If successful, the returned promise will be resolved with an ArrayBuffer containing the generated data.

The algorithms currently supported include:

  • 'ECDH'
  • 'X25519' 1
  • 'X448' 1
  • 'HKDF'
  • 'PBKDF2'

M subtle.deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'X25519'`, and `'X448'` algorithms.
v15.0.0Ajouté en: v15.0.0

Using the method and parameters specified in algorithm, and the keying material provided by baseKey, subtle.deriveKey() attempts to generate a new CryptoKey based on the method and parameters in derivedKeyAlgorithm.

Calling subtle.deriveKey() is equivalent to calling subtle.deriveBits() to generate raw keying material, then passing the result into the subtle.importKey() method using the deriveKeyAlgorithm, extractable, and keyUsages parameters as input.

The algorithms currently supported include:

  • 'ECDH'
  • 'X25519' 1
  • 'X448' 1
  • 'HKDF'
  • 'PBKDF2'

M subtle.digest(algorithm, data)

Ajouté en: v15.0.0

Using the method identified by algorithm, subtle.digest() attempts to generate a digest of data. If successful, the returned promise is resolved with an ArrayBuffer containing the computed digest.

If algorithm is provided as a string, it must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If algorithm is provided as an Object, it must have a name property whose value is one of the above.

M subtle.encrypt(algorithm, key, data)

Ajouté en: v15.0.0

Using the method and parameters specified by algorithm and the keying material provided by key, subtle.encrypt() attempts to encipher data. If successful, the returned promise is resolved with an ArrayBuffer containing the encrypted result.

The algorithms currently supported include:

  • 'RSA-OAEP'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'

M subtle.exportKey(format, key)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'Ed25519'`, `'Ed448'`, `'X25519'`, and `'X448'` algorithms.
v15.9.0Removed `'NODE-DSA'` JWK export.
v15.0.0Ajouté en: v15.0.0

Exports the given key into the specified format, if supported.

If the CryptoKey is not extractable, the returned promise will reject.

When format is either 'pkcs8' or 'spki' and the export is successful, the returned promise will be resolved with an ArrayBuffer containing the exported key data.

When format is 'jwk' and the export is successful, the returned promise will be resolved with a JavaScript object conforming to the JSON Web Key specification.

Key Type'spki''pkcs8''jwk''raw'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'ECDSA'
'Ed25519' 1
'Ed448' 1
'HDKF'
'HMAC'
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

M subtle.generateKey(algorithm, extractable, keyUsages)

Ajouté en: v15.0.0

Using the method and parameters provided in algorithm, subtle.generateKey() attempts to generate new keying material. Depending the method used, the method may generate either a single CryptoKey or a CryptoKeyPair.

The CryptoKeyPair (public and private key) generating algorithms supported include:

  • 'RSASSA-PKCS1-v1_5'
  • 'RSA-PSS'
  • 'RSA-OAEP'
  • 'ECDSA'
  • 'Ed25519' 1
  • 'Ed448' 1
  • 'ECDH'
  • 'X25519' 1
  • 'X448' 1

The CryptoKey (secret key) generating algorithms supported include:

  • 'HMAC'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'
  • 'AES-KW'

M subtle.importKey(format, keyData, algorithm, extractable, keyUsages)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'Ed25519'`, `'Ed448'`, `'X25519'`, and `'X448'` algorithms.
v15.9.0Removed `'NODE-DSA'` JWK import.
v15.0.0Ajouté en: v15.0.0

The subtle.importKey() method attempts to interpret the provided keyData as the given format to create a CryptoKey instance using the provided algorithm, extractable, and keyUsages arguments. If the import is successful, the returned promise will be resolved with the created CryptoKey.

If importing a 'PBKDF2' key, extractable must be false.

The algorithms currently supported include:

Key Type'spki''pkcs8''jwk''raw'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'X25519' 1
'X448' 1
'ECDSA'
'Ed25519' 1
'Ed448' 1
'HDKF'
'HMAC'
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

M subtle.sign(algorithm, key, data)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'Ed25519'`, and `'Ed448'` algorithms.
v15.0.0Ajouté en: v15.0.0

Using the method and parameters given by algorithm and the keying material provided by key, subtle.sign() attempts to generate a cryptographic signature of data. If successful, the returned promise is resolved with an ArrayBuffer containing the generated signature.

The algorithms currently supported include:

  • 'RSASSA-PKCS1-v1_5'
  • 'RSA-PSS'
  • 'ECDSA'
  • 'Ed25519' 1
  • 'Ed448' 1
  • 'HMAC'

M subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)

Ajouté en: v15.0.0

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The subtle.unwrapKey() method attempts to decrypt a wrapped key and create a CryptoKey instance. It is equivalent to calling subtle.decrypt() first on the encrypted key data (using the wrappedKey, unwrapAlgo, and unwrappingKey arguments as input) then passing the results in to the subtle.importKey() method using the unwrappedKeyAlgo, extractable, and keyUsages arguments as inputs. If successful, the returned promise is resolved with a CryptoKey object.

The wrapping algorithms currently supported include:

  • 'RSA-OAEP'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'
  • 'AES-KW'

The unwrapped key algorithms supported include:

  • 'RSASSA-PKCS1-v1_5'
  • 'RSA-PSS'
  • 'RSA-OAEP'
  • 'ECDSA'
  • 'Ed25519' 1
  • 'Ed448' 1
  • 'ECDH'
  • 'X25519' 1
  • 'X448' 1
  • 'HMAC'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'
  • 'AES-KW'

M subtle.verify(algorithm, key, signature, data)

Historique
VersionChangements
v18.4.0, v16.17.0Added `'Ed25519'`, and `'Ed448'` algorithms.
v15.0.0Ajouté en: v15.0.0

Using the method and parameters given in algorithm and the keying material provided by key, subtle.verify() attempts to verify that signature is a valid cryptographic signature of data. The returned promise is resolved with either true or false.

The algorithms currently supported include:

  • 'RSASSA-PKCS1-v1_5'
  • 'RSA-PSS'
  • 'ECDSA'
  • 'Ed25519' 1
  • 'Ed448' 1
  • 'HMAC'

M subtle.wrapKey(format, key, wrappingKey, wrapAlgo)

Ajouté en: v15.0.0

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The subtle.wrapKey() method exports the keying material into the format identified by format, then encrypts it using the method and parameters specified by wrapAlgo and the keying material provided by wrappingKey. It is the equivalent to calling subtle.exportKey() using format and key as the arguments, then passing the result to the subtle.encrypt() method using wrappingKey and wrapAlgo as inputs. If successful, the returned promise will be resolved with an ArrayBuffer containing the encrypted key data.

The wrapping algorithms currently supported include:

  • 'RSA-OAEP'
  • 'AES-CTR'
  • 'AES-CBC'
  • 'AES-GCM'
  • 'AES-KW'

Algorithm parameters

The algorithm parameter objects define the methods and parameters used by the various SubtleCrypto methods. While described here as "classes", they are simple JavaScript dictionary objects.

C AlgorithmIdentifier

Ajouté en: v18.4.0, v16.17.0

M algorithmIdentifier.name

Ajouté en: v18.4.0, v16.17.0

C AesCbcParams

Ajouté en: v15.0.0

M aesCbcParams.iv

Ajouté en: v15.0.0

Provides the initialization vector. It must be exactly 16-bytes in length and should be unpredictable and cryptographically random.

M aesCbcParams.name

Ajouté en: v15.0.0

  • Type: string Must be 'AES-CBC'.

C AesCtrParams

Ajouté en: v15.0.0

M aesCtrParams.counter

Ajouté en: v15.0.0

The initial value of the counter block. This must be exactly 16 bytes long.

The AES-CTR method uses the rightmost length bits of the block as the counter and the remaining bits as the nonce.

M aesCtrParams.length

Ajouté en: v15.0.0

  • Type: number The number of bits in the aesCtrParams.counter that are to be used as the counter.
M aesCtrParams.name

Ajouté en: v15.0.0

  • Type: string Must be 'AES-CTR'.

C AesGcmParams

Ajouté en: v15.0.0

M aesGcmParams.additionalData

Ajouté en: v15.0.0

With the AES-GCM method, the additionalData is extra input that is not encrypted but is included in the authentication of the data. The use of additionalData is optional.

M aesGcmParams.iv

Ajouté en: v15.0.0

The initialization vector must be unique for every encryption operation using a given key.

Ideally, this is a deterministic 12-byte value that is computed in such a way that it is guaranteed to be unique across all invocations that use the same key. Alternatively, the initialization vector may consist of at least 12 cryptographically random bytes. For more information on constructing initialization vectors for AES-GCM, refer to Section 8 of NIST SP 800-38D.

M aesGcmParams.name

Ajouté en: v15.0.0

  • Type: string Must be 'AES-GCM'.
M aesGcmParams.tagLength

Ajouté en: v15.0.0

  • Type: number The size in bits of the generated authentication tag. This values must be one of 32, 64, 96, 104, 112, 120, or 128. Default: 128.

C AesKeyGenParams

Ajouté en: v15.0.0

M aesKeyGenParams.length

Ajouté en: v15.0.0

The length of the AES key to be generated. This must be either 128, 192, or 256.

M aesKeyGenParams.name

Ajouté en: v15.0.0

  • Type: string Must be one of 'AES-CBC', 'AES-CTR', 'AES-GCM', or 'AES-KW'

C EcdhKeyDeriveParams

Ajouté en: v15.0.0

M ecdhKeyDeriveParams.name

Ajouté en: v15.0.0

  • Type: string Must be 'ECDH', 'X25519', or 'X448'.
M ecdhKeyDeriveParams.public

Ajouté en: v15.0.0

ECDH key derivation operates by taking as input one parties private key and another parties public key -- using both to generate a common shared secret. The ecdhKeyDeriveParams.public property is set to the other parties public key.

C EcdsaParams

Ajouté en: v15.0.0

M ecdsaParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M ecdsaParams.name

Ajouté en: v15.0.0

C EcKeyGenParams

Ajouté en: v15.0.0

M ecKeyGenParams.name

Ajouté en: v15.0.0

  • Type: string Must be one of 'ECDSA' or 'ECDH'.
M ecKeyGenParams.namedCurve

Ajouté en: v15.0.0

  • Type: string Must be one of 'P-256', 'P-384', 'P-521'.

C EcKeyImportParams

Ajouté en: v15.0.0

M ecKeyImportParams.name

Ajouté en: v15.0.0

  • Type: string Must be one of 'ECDSA' or 'ECDH'.
M ecKeyImportParams.namedCurve

Ajouté en: v15.0.0

  • Type: string Must be one of 'P-256', 'P-384', 'P-521'.

C Ed448Params

Ajouté en: v15.0.0

M ed448Params.name

Ajouté en: v18.4.0, v16.17.0

M ed448Params.context

Ajouté en: v18.4.0, v16.17.0

The context member represents the optional context data to associate with the message. The Node.js Web Crypto API implementation only supports zero-length context which is equivalent to not providing context at all.

C HkdfParams

Ajouté en: v15.0.0

M hkdfParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M hkdfParams.info

Ajouté en: v15.0.0

Provides application-specific contextual input to the HKDF algorithm. This can be zero-length but must be provided.

M hkdfParams.name

Ajouté en: v15.0.0

M hkdfParams.salt

Ajouté en: v15.0.0

The salt value significantly improves the strength of the HKDF algorithm. It should be random or pseudorandom and should be the same length as the output of the digest function (for instance, if using 'SHA-256' as the digest, the salt should be 256-bits of random data).

C HmacImportParams

Ajouté en: v15.0.0

M hmacImportParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M hmacImportParams.length

Ajouté en: v15.0.0

The optional number of bits in the HMAC key. This is optional and should be omitted for most cases.

M hmacImportParams.name

Ajouté en: v15.0.0

C HmacKeyGenParams

Ajouté en: v15.0.0

M hmacKeyGenParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M hmacKeyGenParams.length

Ajouté en: v15.0.0

The number of bits to generate for the HMAC key. If omitted, the length will be determined by the hash algorithm used. This is optional and should be omitted for most cases.

M hmacKeyGenParams.name

Ajouté en: v15.0.0

C Pbkdf2Params

Ajouté en: v15.0.0

M pbkdb2Params.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M pbkdf2Params.iterations

Ajouté en: v15.0.0

The number of iterations the PBKDF2 algorithm should make when deriving bits.

M pbkdf2Params.name

Ajouté en: v15.0.0

  • Type: string Must be 'PBKDF2'.
M pbkdf2Params.salt

Ajouté en: v15.0.0

Should be at least 16 random or pseudorandom bytes.

C RsaHashedImportParams

Ajouté en: v15.0.0

M rsaHashedImportParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M rsaHashedImportParams.name

Ajouté en: v15.0.0

  • Type: string Must be one of 'RSASSA-PKCS1-v1_5', 'RSA-PSS', or 'RSA-OAEP'.

C RsaHashedKeyGenParams

Ajouté en: v15.0.0

M rsaHashedKeyGenParams.hash

Ajouté en: v15.0.0

If represented as a string, the value must be one of:

  • 'SHA-1'
  • 'SHA-256'
  • 'SHA-384'
  • 'SHA-512'

If represented as an Object, the object must have a name property whose value is one of the above listed values.

M rsaHashedKeyGenParams.modulusLength

Ajouté en: v15.0.0

The length in bits of the RSA modulus. As a best practice, this should be at least 2048.

M rsaHashedKeyGenParams.name

Ajouté en: v15.0.0

  • Type: string Must be one of 'RSASSA-PKCS1-v1_5', 'RSA-PSS', or 'RSA-OAEP'.
M rsaHashedKeyGenParams.publicExponent

Ajouté en: v15.0.0

The RSA public exponent. This must be a Uint8Array containing a big-endian, unsigned integer that must fit within 32-bits. The Uint8Array may contain an arbitrary number of leading zero-bits. The value must be a prime number. Unless there is reason to use a different value, use new Uint8Array([1, 0, 1]) (65537) as the public exponent.

C RsaOaepParams

Ajouté en: v15.0.0

rsaOaepParams.label

Ajouté en: v15.0.0

An additional collection of bytes that will not be encrypted, but will be bound to the generated ciphertext.

The rsaOaepParams.label parameter is optional.

rsaOaepParams.name

Ajouté en: v15.0.0

  • Type: string must be 'RSA-OAEP'.

C RsaPssParams

Ajouté en: v15.0.0

M rsaPssParams.name

Ajouté en: v15.0.0

  • Type: string Must be 'RSA-PSS'.
M rsaPssParams.saltLength

Ajouté en: v15.0.0

The length (in bytes) of the random salt to use.


  1. An experimental implementation of Secure Curves in the Web Cryptography API as of 05 May 2022