Crypto
目录
- Determining if crypto support is unavailable
- Class: Certificate
- Class: Cipher
- Class: Decipher
- Class: DiffieHellman
- diffieHellman.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])
- diffieHellman.generateKeys([encoding])
- diffieHellman.getGenerator([encoding])
- diffieHellman.getPrime([encoding])
- diffieHellman.getPrivateKey([encoding])
- diffieHellman.getPublicKey([encoding])
- diffieHellman.setPrivateKey(privateKey[, encoding])
- diffieHellman.setPublicKey(publicKey[, encoding])
- diffieHellman.verifyError
- Class: DiffieHellmanGroup
- Class: ECDH
- Static method: ECDH.convertKey(key, curve[, inputEncoding[, outputEncoding[, format]]])
- ecdh.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])
- ecdh.generateKeys([encoding[, format]])
- ecdh.getPrivateKey([encoding])
- ecdh.getPublicKey([encoding][, format])
- ecdh.setPrivateKey(privateKey[, encoding])
- ecdh.setPublicKey(publicKey[, encoding])
- Class: Hash
- Class: Hmac
- Class: KeyObject
- Class: Sign
- Class: Verify
- Class: X509Certificate
- new X509Certificate(buffer)
- x509.ca
- x509.checkEmail(email[, options])
- x509.checkHost(name[, options])
- x509.checkIP(ip)
- x509.checkIssued(otherCert)
- x509.checkPrivateKey(privateKey)
- x509.fingerprint
- x509.fingerprint256
- x509.fingerprint512
- x509.infoAccess
- x509.issuer
- x509.issuerCertificate
- x509.keyUsage
- x509.publicKey
- x509.raw
- x509.serialNumber
- x509.subject
- x509.subjectAltName
- x509.toJSON()
- x509.toLegacyObject()
- x509.toString()
- x509.validFrom
- x509.validTo
- x509.verify(publicKey)
- node:crypto module methods and properties
- crypto.constants
- crypto.DEFAULT_ENCODING
- crypto.fips
- crypto.checkPrime(candidate[, options], callback)
- crypto.checkPrimeSync(candidate[, options])
- crypto.createCipher(algorithm, password[, options])
- crypto.createCipheriv(algorithm, key, iv[, options])
- crypto.createDecipher(algorithm, password[, options])
- crypto.createDecipheriv(algorithm, key, iv[, options])
- crypto.createDiffieHellman(prime[, primeEncoding][, generator][, generatorEncoding])
- crypto.createDiffieHellman(primeLength[, generator])
- crypto.createDiffieHellmanGroup(name)
- crypto.createECDH(curveName)
- crypto.createHash(algorithm[, options])
- crypto.createHmac(algorithm, key[, options])
- crypto.createPrivateKey(key)
- crypto.createPublicKey(key)
- crypto.createSecretKey(key[, encoding])
- crypto.createSign(algorithm[, options])
- crypto.createVerify(algorithm[, options])
- crypto.diffieHellman(options)
- crypto.generateKey(type, options, callback)
- crypto.generateKeyPair(type, options, callback)
- crypto.generateKeyPairSync(type, options)
- crypto.generateKeySync(type, options)
- crypto.generatePrime(size[, options[, callback]])
- crypto.generatePrimeSync(size[, options])
- crypto.getCipherInfo(nameOrNid[, options])
- crypto.getCiphers()
- crypto.getCurves()
- crypto.getDiffieHellman(groupName)
- crypto.getFips()
- crypto.getHashes()
- crypto.hkdf(digest, ikm, salt, info, keylen, callback)
- crypto.hkdfSync(digest, ikm, salt, info, keylen)
- crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)
- crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)
- crypto.privateDecrypt(privateKey, buffer)
- crypto.privateEncrypt(privateKey, buffer)
- crypto.publicDecrypt(key, buffer)
- crypto.publicEncrypt(key, buffer)
- crypto.randomBytes(size[, callback])
- crypto.randomFillSync(buffer[, offset][, size])
- crypto.randomFill(buffer[, offset][, size], callback)
- crypto.randomInt([min, ]max[, callback])
- crypto.randomUUID([options])
- crypto.scrypt(password, salt, keylen[, options], callback)
- crypto.scryptSync(password, salt, keylen[, options])
- crypto.secureHeapUsed()
- crypto.setEngine(engine[, flags])
- crypto.setFips(bool)
- crypto.sign(algorithm, data, key[, callback])
- crypto.timingSafeEqual(a, b)
- crypto.verify(algorithm, data, key, signature[, callback])
- crypto.webcrypto
- Notes
- Crypto constants
Added in: v0.3.6
源代码: lib/crypto.js
The node:crypto
module provides cryptographic functionality that includes a
set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify
functions.
MJS
CJS
Determining if crypto support is unavailable
It is possible for Node.js to be built without including support for the
node:crypto
module. In such cases, attempting to import
from crypto
or
calling require('node:crypto')
will result in an error being thrown.
When using CommonJS, the error thrown can be caught using try/catch:
CJS
When using the lexical ESM import
keyword, the error can only be
caught if a handler for process.on('uncaughtException')
is registered
before any attempt to load the module is made (using, for instance,
a preload module).
When using ESM, if there is a chance that the code may be run on a build
of Node.js where crypto support is not enabled, consider using the
import()
function instead of the lexical import
keyword:
MJS
C Certificate
Added in: v0.11.8
SPKAC is a Certificate Signing Request mechanism originally implemented by
Netscape and was specified formally as part of HTML5's keygen
element.
<keygen>
is deprecated since HTML 5.2 and new projects
should not use this element anymore.
The node:crypto
module provides the Certificate
class for working with SPKAC
data. The most common usage is handling output generated by the HTML5
<keygen>
element. Node.js uses OpenSSL's SPKAC implementation internally.
Static method: Certificate.exportChallenge(spkac[, encoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The spkac argument can be an ArrayBuffer. Limited the size of the spkac argument to a maximum of 2**31 - 1 bytes. |
v9.0.0 | Added in: v9.0.0 |
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
Buffer
The challenge component of thespkac
data structure, which includes a public key and a challenge.
MJS
CJS
Static method: Certificate.exportPublicKey(spkac[, encoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The spkac argument can be an ArrayBuffer. Limited the size of the spkac argument to a maximum of 2**31 - 1 bytes. |
v9.0.0 | Added in: v9.0.0 |
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
Buffer
The public key component of thespkac
data structure, which includes a public key and a challenge.
MJS
CJS
Static method: Certificate.verifySpkac(spkac[, encoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The spkac argument can be an ArrayBuffer. Added encoding. Limited the size of the spkac argument to a maximum of 2**31 - 1 bytes. |
v9.0.0 | Added in: v9.0.0 |
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
boolean
true
if the givenspkac
data structure is valid,false
otherwise.
MJS
CJS
Legacy API
As a legacy interface, it is possible to create new instances of
the crypto.Certificate
class as illustrated in the examples below.
M new crypto.Certificate()
Instances of the Certificate
class can be created using the new
keyword
or by calling crypto.Certificate()
as a function:
MJS
CJS
M certificate.exportChallenge(spkac[, encoding])
Added in: v0.11.8
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
Buffer
The challenge component of thespkac
data structure, which includes a public key and a challenge.
MJS
CJS
M certificate.exportPublicKey(spkac[, encoding])
Added in: v0.11.8
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
Buffer
The public key component of thespkac
data structure, which includes a public key and a challenge.
MJS
CJS
M certificate.verifySpkac(spkac[, encoding])
Added in: v0.11.8
spkac
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thespkac
string.- Returns:
boolean
true
if the givenspkac
data structure is valid,false
otherwise.
MJS
CJS
C Cipher
Added in: v0.1.94
- Extends:
stream.Transform
Instances of the Cipher
class are used to encrypt data. The class can be
used in one of two ways:
- As a stream that is both readable and writable, where plain unencrypted data is written to produce encrypted data on the readable side, or
- Using the
cipher.update()
andcipher.final()
methods to produce the encrypted data.
The crypto.createCipher()
or crypto.createCipheriv()
methods are
used to create Cipher
instances. Cipher
objects are not to be created
directly using the new
keyword.
Example: Using Cipher
objects as streams:
MJS
CJS
Example: Using Cipher
and piped streams:
MJS
CJS
Example: Using the cipher.update()
and cipher.final()
methods:
MJS
CJS
M cipher.final([outputEncoding])
Added in: v0.1.94
outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Any remaining enciphered contents. IfoutputEncoding
is specified, a string is returned. If anoutputEncoding
is not provided, aBuffer
is returned.
Once the cipher.final()
method has been called, the Cipher
object can no
longer be used to encrypt data. Attempts to call cipher.final()
more than
once will result in an error being thrown.
M cipher.getAuthTag()
Added in: v1.0.0
- Returns:
Buffer
When using an authenticated encryption mode (GCM
,CCM
,OCB
, andchacha20-poly1305
are currently supported), thecipher.getAuthTag()
method returns aBuffer
containing the authentication tag that has been computed from the given data.
The cipher.getAuthTag()
method should only be called after encryption has
been completed using the cipher.final()
method.
If the authTagLength
option was set during the cipher
instance's creation,
this function will return exactly authTagLength
bytes.
M cipher.setAAD(buffer[, options])
Added in: v1.0.0
buffer
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
options
Object
stream.transform
options- Returns:
Cipher
for method chaining.
When using an authenticated encryption mode (GCM
, CCM
, OCB
, and
chacha20-poly1305
are
currently supported), the cipher.setAAD()
method sets the value used for the
additional authenticated data (AAD) input parameter.
The plaintextLength
option is optional for GCM
and OCB
. When using CCM
,
the plaintextLength
option must be specified and its value must match the
length of the plaintext in bytes. See CCM mode.
The cipher.setAAD()
method must be called before cipher.update()
.
M cipher.setAutoPadding([autoPadding])
Added in: v0.7.1
When using block encryption algorithms, the Cipher
class will automatically
add padding to the input data to the appropriate block size. To disable the
default padding call cipher.setAutoPadding(false)
.
When autoPadding
is false
, the length of the entire input data must be a
multiple of the cipher's block size or cipher.final()
will throw an error.
Disabling automatic padding is useful for non-standard padding, for instance
using 0x0
instead of PKCS padding.
The cipher.setAutoPadding()
method must be called before
cipher.final()
.
M cipher.update(data[, inputEncoding][, outputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.94 | Added in: v0.1.94 |
data
string
|Buffer
|TypedArray
|DataView
inputEncoding
string
The encoding of the data.outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Updates the cipher with data
. If the inputEncoding
argument is given,
the data
argument is a string using the specified encoding. If the inputEncoding
argument is not given, data
must be a Buffer
, TypedArray
, or
DataView
. If data
is a Buffer
, TypedArray
, or DataView
, then
inputEncoding
is ignored.
The outputEncoding
specifies the output format of the enciphered
data. If the outputEncoding
is specified, a string using the specified encoding is returned. If no
outputEncoding
is provided, a Buffer
is returned.
The cipher.update()
method can be called multiple times with new data until
cipher.final()
is called. Calling cipher.update()
after
cipher.final()
will result in an error being thrown.
C Decipher
Added in: v0.1.94
- Extends:
stream.Transform
Instances of the Decipher
class are used to decrypt data. The class can be
used in one of two ways:
- As a stream that is both readable and writable, where plain encrypted data is written to produce unencrypted data on the readable side, or
- Using the
decipher.update()
anddecipher.final()
methods to produce the unencrypted data.
The crypto.createDecipher()
or crypto.createDecipheriv()
methods are
used to create Decipher
instances. Decipher
objects are not to be created
directly using the new
keyword.
Example: Using Decipher
objects as streams:
MJS
CJS
Example: Using Decipher
and piped streams:
MJS
CJS
Example: Using the decipher.update()
and decipher.final()
methods:
MJS
CJS
M decipher.final([outputEncoding])
Added in: v0.1.94
outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Any remaining deciphered contents. IfoutputEncoding
is specified, a string is returned. If anoutputEncoding
is not provided, aBuffer
is returned.
Once the decipher.final()
method has been called, the Decipher
object can
no longer be used to decrypt data. Attempts to call decipher.final()
more
than once will result in an error being thrown.
M decipher.setAAD(buffer[, options])
历史
版本 | 更改 |
---|---|
v15.0.0 | The buffer argument can be a string or ArrayBuffer and is limited to no more than 2 ** 31 - 1 bytes. |
v7.2.0 | This method now returns a reference to `decipher`. |
v1.0.0 | Added in: v1.0.0 |
buffer
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
options
Object
stream.transform
options- Returns:
Decipher
for method chaining.
When using an authenticated encryption mode (GCM
, CCM
, OCB
, and
chacha20-poly1305
are
currently supported), the decipher.setAAD()
method sets the value used for the
additional authenticated data (AAD) input parameter.
The options
argument is optional for GCM
. When using CCM
, the
plaintextLength
option must be specified and its value must match the length
of the ciphertext in bytes. See CCM mode.
The decipher.setAAD()
method must be called before decipher.update()
.
When passing a string as the buffer
, please consider
caveats when using strings as inputs to cryptographic APIs.
M decipher.setAuthTag(buffer[, encoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The buffer argument can be a string or ArrayBuffer and is limited to no more than 2 ** 31 - 1 bytes. |
v11.0.0 | This method now throws if the GCM tag length is invalid. |
v7.2.0 | This method now returns a reference to `decipher`. |
v1.0.0 | Added in: v1.0.0 |
buffer
string
|Buffer
|ArrayBuffer
|TypedArray
|DataView
encoding
string
String encoding to use whenbuffer
is a string.- Returns:
Decipher
for method chaining.
When using an authenticated encryption mode (GCM
, CCM
, OCB
, and
chacha20-poly1305
are
currently supported), the decipher.setAuthTag()
method is used to pass in the
received authentication tag. If no tag is provided, or if the cipher text
has been tampered with, decipher.final()
will throw, indicating that the
cipher text should be discarded due to failed authentication. If the tag length
is invalid according to NIST SP 800-38D or does not match the value of the
authTagLength
option, decipher.setAuthTag()
will throw an error.
The decipher.setAuthTag()
method must be called before decipher.update()
for CCM
mode or before decipher.final()
for GCM
and OCB
modes and
chacha20-poly1305
.
decipher.setAuthTag()
can only be called once.
When passing a string as the authentication tag, please consider caveats when using strings as inputs to cryptographic APIs.
M decipher.setAutoPadding([autoPadding])
Added in: v0.7.1
When data has been encrypted without standard block padding, calling
decipher.setAutoPadding(false)
will disable automatic padding to prevent
decipher.final()
from checking for and removing padding.
Turning auto padding off will only work if the input data's length is a multiple of the ciphers block size.
The decipher.setAutoPadding()
method must be called before
decipher.final()
.
M decipher.update(data[, inputEncoding][, outputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.94 | Added in: v0.1.94 |
data
string
|Buffer
|TypedArray
|DataView
inputEncoding
string
The encoding of thedata
string.outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Updates the decipher with data
. If the inputEncoding
argument is given,
the data
argument is a string using the specified encoding. If the inputEncoding
argument is not given, data
must be a Buffer
. If data
is a
Buffer
then inputEncoding
is ignored.
The outputEncoding
specifies the output format of the enciphered
data. If the outputEncoding
is specified, a string using the specified encoding is returned. If no
outputEncoding
is provided, a Buffer
is returned.
The decipher.update()
method can be called multiple times with new data until
decipher.final()
is called. Calling decipher.update()
after
decipher.final()
will result in an error being thrown.
C DiffieHellman
Added in: v0.5.0
The DiffieHellman
class is a utility for creating Diffie-Hellman key
exchanges.
Instances of the DiffieHellman
class can be created using the
crypto.createDiffieHellman()
function.
MJS
CJS
M diffieHellman.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])
Added in: v0.5.0
otherPublicKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
inputEncoding
string
The encoding of anotherPublicKey
string.outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Computes the shared secret using otherPublicKey
as the other
party's public key and returns the computed shared secret. The supplied
key is interpreted using the specified inputEncoding
, and secret is
encoded using specified outputEncoding
.
If the inputEncoding
is not
provided, otherPublicKey
is expected to be a Buffer
,
TypedArray
, or DataView
.
If outputEncoding
is given a string is returned; otherwise, a
Buffer
is returned.
M diffieHellman.generateKeys([encoding])
Added in: v0.5.0
Generates private and public Diffie-Hellman key values, and returns
the public key in the specified encoding
. This key should be
transferred to the other party.
If encoding
is provided a string is returned; otherwise a
Buffer
is returned.
M diffieHellman.getGenerator([encoding])
Added in: v0.5.0
Returns the Diffie-Hellman generator in the specified encoding
.
If encoding
is provided a string is
returned; otherwise a Buffer
is returned.
M diffieHellman.getPrime([encoding])
Added in: v0.5.0
Returns the Diffie-Hellman prime in the specified encoding
.
If encoding
is provided a string is
returned; otherwise a Buffer
is returned.
M diffieHellman.getPrivateKey([encoding])
Added in: v0.5.0
Returns the Diffie-Hellman private key in the specified encoding
.
If encoding
is provided a
string is returned; otherwise a Buffer
is returned.
M diffieHellman.getPublicKey([encoding])
Added in: v0.5.0
Returns the Diffie-Hellman public key in the specified encoding
.
If encoding
is provided a
string is returned; otherwise a Buffer
is returned.
M diffieHellman.setPrivateKey(privateKey[, encoding])
Added in: v0.5.0
privateKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of theprivateKey
string.
Sets the Diffie-Hellman private key. If the encoding
argument is provided,
privateKey
is expected
to be a string. If no encoding
is provided, privateKey
is expected
to be a Buffer
, TypedArray
, or DataView
.
M diffieHellman.setPublicKey(publicKey[, encoding])
Added in: v0.5.0
publicKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thepublicKey
string.
Sets the Diffie-Hellman public key. If the encoding
argument is provided,
publicKey
is expected
to be a string. If no encoding
is provided, publicKey
is expected
to be a Buffer
, TypedArray
, or DataView
.
M diffieHellman.verifyError
Added in: v0.11.12
A bit field containing any warnings and/or errors resulting from a check
performed during initialization of the DiffieHellman
object.
The following values are valid for this property (as defined in node:constants
module):
DH_CHECK_P_NOT_SAFE_PRIME
DH_CHECK_P_NOT_PRIME
DH_UNABLE_TO_CHECK_GENERATOR
DH_NOT_SUITABLE_GENERATOR
C DiffieHellmanGroup
Added in: v0.7.5
The DiffieHellmanGroup
class takes a well-known modp group as its argument.
It works the same as DiffieHellman
, except that it does not allow changing
its keys after creation. In other words, it does not implement setPublicKey()
or setPrivateKey()
methods.
MJS
CJS
The following groups are supported:
'modp14'
(2048 bits, RFC 3526 Section 3)'modp15'
(3072 bits, RFC 3526 Section 4)'modp16'
(4096 bits, RFC 3526 Section 5)'modp17'
(6144 bits, RFC 3526 Section 6)'modp18'
(8192 bits, RFC 3526 Section 7)
The following groups are still supported but deprecated (see Caveats):
'modp1'
(768 bits, RFC 2409 Section 6.1)'modp2'
(1024 bits, RFC 2409 Section 6.2)'modp5'
(1536 bits, RFC 3526 Section 2)
These deprecated groups might be removed in future versions of Node.js.
C ECDH
Added in: v0.11.14
The ECDH
class is a utility for creating Elliptic Curve Diffie-Hellman (ECDH)
key exchanges.
Instances of the ECDH
class can be created using the
crypto.createECDH()
function.
MJS
CJS
Static method: ECDH.convertKey(key, curve[, inputEncoding[, outputEncoding[, format]]])
Added in: v10.0.0
key
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
curve
string
inputEncoding
string
The encoding of thekey
string.outputEncoding
string
The encoding of the return value.format
string
Default:'uncompressed'
- Returns:
Buffer
|string
Converts the EC Diffie-Hellman public key specified by key
and curve
to the
format specified by format
. The format
argument specifies point encoding
and can be 'compressed'
, 'uncompressed'
or 'hybrid'
. The supplied key is
interpreted using the specified inputEncoding
, and the returned key is encoded
using the specified outputEncoding
.
Use crypto.getCurves()
to obtain a list of available curve names.
On recent OpenSSL releases, openssl ecparam -list_curves
will also display
the name and description of each available elliptic curve.
If format
is not specified the point will be returned in 'uncompressed'
format.
If the inputEncoding
is not provided, key
is expected to be a Buffer
,
TypedArray
, or DataView
.
Example (uncompressing a key):
MJS
CJS
M ecdh.computeSecret(otherPublicKey[, inputEncoding][, outputEncoding])
历史
版本 | 更改 |
---|---|
v10.0.0 | Changed error format to better support invalid public key error. |
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.11.14 | Added in: v0.11.14 |
otherPublicKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
inputEncoding
string
The encoding of theotherPublicKey
string.outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Computes the shared secret using otherPublicKey
as the other
party's public key and returns the computed shared secret. The supplied
key is interpreted using specified inputEncoding
, and the returned secret
is encoded using the specified outputEncoding
.
If the inputEncoding
is not
provided, otherPublicKey
is expected to be a Buffer
, TypedArray
, or
DataView
.
If outputEncoding
is given a string will be returned; otherwise a
Buffer
is returned.
ecdh.computeSecret
will throw an
ERR_CRYPTO_ECDH_INVALID_PUBLIC_KEY
error when otherPublicKey
lies outside of the elliptic curve. Since otherPublicKey
is
usually supplied from a remote user over an insecure network,
be sure to handle this exception accordingly.
M ecdh.generateKeys([encoding[, format]])
Added in: v0.11.14
encoding
string
The encoding of the return value.format
string
Default:'uncompressed'
- Returns:
Buffer
|string
Generates private and public EC Diffie-Hellman key values, and returns
the public key in the specified format
and encoding
. This key should be
transferred to the other party.
The format
argument specifies point encoding and can be 'compressed'
or
'uncompressed'
. If format
is not specified, the point will be returned in
'uncompressed'
format.
If encoding
is provided a string is returned; otherwise a Buffer
is returned.
M ecdh.getPrivateKey([encoding])
Added in: v0.11.14
encoding
string
The encoding of the return value.- Returns:
Buffer
|string
The EC Diffie-Hellman in the specifiedencoding
.
If encoding
is specified, a string is returned; otherwise a Buffer
is
returned.
M ecdh.getPublicKey([encoding][, format])
Added in: v0.11.14
encoding
string
The encoding of the return value.format
string
Default:'uncompressed'
- Returns:
Buffer
|string
The EC Diffie-Hellman public key in the specifiedencoding
andformat
.
The format
argument specifies point encoding and can be 'compressed'
or
'uncompressed'
. If format
is not specified the point will be returned in
'uncompressed'
format.
If encoding
is specified, a string is returned; otherwise a Buffer
is
returned.
M ecdh.setPrivateKey(privateKey[, encoding])
Added in: v0.11.14
privateKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of theprivateKey
string.
Sets the EC Diffie-Hellman private key.
If encoding
is provided, privateKey
is expected
to be a string; otherwise privateKey
is expected to be a Buffer
,
TypedArray
, or DataView
.
If privateKey
is not valid for the curve specified when the ECDH
object was
created, an error is thrown. Upon setting the private key, the associated
public point (key) is also generated and set in the ECDH
object.
M ecdh.setPublicKey(publicKey[, encoding])
Deprecated in: v5.2.0
publicKey
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
encoding
string
The encoding of thepublicKey
string.
Sets the EC Diffie-Hellman public key.
If encoding
is provided publicKey
is expected to
be a string; otherwise a Buffer
, TypedArray
, or DataView
is expected.
There is not normally a reason to call this method because ECDH
only requires a private key and the other party's public key to compute the
shared secret. Typically either ecdh.generateKeys()
or
ecdh.setPrivateKey()
will be called. The ecdh.setPrivateKey()
method
attempts to generate the public point/key associated with the private key being
set.
Example (obtaining a shared secret):
MJS
CJS
C Hash
Added in: v0.1.92
- Extends:
stream.Transform
The Hash
class is a utility for creating hash digests of data. It can be
used in one of two ways:
- As a stream that is both readable and writable, where data is written to produce a computed hash digest on the readable side, or
- Using the
hash.update()
andhash.digest()
methods to produce the computed hash.
The crypto.createHash()
method is used to create Hash
instances. Hash
objects are not to be created directly using the new
keyword.
Example: Using Hash
objects as streams:
MJS
CJS
Example: Using Hash
and piped streams:
MJS
CJS
Example: Using the hash.update()
and hash.digest()
methods:
MJS
CJS
M hash.copy([options])
Added in: v13.1.0
options
Object
stream.transform
options- Returns:
Hash
Creates a new Hash
object that contains a deep copy of the internal state
of the current Hash
object.
The optional options
argument controls stream behavior. For XOF hash
functions such as 'shake256'
, the outputLength
option can be used to
specify the desired output length in bytes.
An error is thrown when an attempt is made to copy the Hash
object after
its hash.digest()
method has been called.
MJS
CJS
M hash.digest([encoding])
Added in: v0.1.92
Calculates the digest of all of the data passed to be hashed (using the
hash.update()
method).
If encoding
is provided a string will be returned; otherwise
a Buffer
is returned.
The Hash
object can not be used again after hash.digest()
method has been
called. Multiple calls will cause an error to be thrown.
M hash.update(data[, inputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.92 | Added in: v0.1.92 |
Updates the hash content with the given data
, the encoding of which
is given in inputEncoding
.
If encoding
is not provided, and the data
is a string, an
encoding of 'utf8'
is enforced. If data
is a Buffer
, TypedArray
, or
DataView
, then inputEncoding
is ignored.
This can be called many times with new data as it is streamed.
C Hmac
Added in: v0.1.94
- Extends:
stream.Transform
The Hmac
class is a utility for creating cryptographic HMAC digests. It can
be used in one of two ways:
- As a stream that is both readable and writable, where data is written to produce a computed HMAC digest on the readable side, or
- Using the
hmac.update()
andhmac.digest()
methods to produce the computed HMAC digest.
The crypto.createHmac()
method is used to create Hmac
instances. Hmac
objects are not to be created directly using the new
keyword.
Example: Using Hmac
objects as streams:
MJS
CJS
Example: Using Hmac
and piped streams:
MJS
CJS
Example: Using the hmac.update()
and hmac.digest()
methods:
MJS
CJS
M hmac.digest([encoding])
Added in: v0.1.94
Calculates the HMAC digest of all of the data passed using hmac.update()
.
If encoding
is
provided a string is returned; otherwise a Buffer
is returned;
The Hmac
object can not be used again after hmac.digest()
has been
called. Multiple calls to hmac.digest()
will result in an error being thrown.
M hmac.update(data[, inputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.94 | Added in: v0.1.94 |
Updates the Hmac
content with the given data
, the encoding of which
is given in inputEncoding
.
If encoding
is not provided, and the data
is a string, an
encoding of 'utf8'
is enforced. If data
is a Buffer
, TypedArray
, or
DataView
, then inputEncoding
is ignored.
This can be called many times with new data as it is streamed.
C KeyObject
历史
版本 | 更改 |
---|---|
v14.5.0, v12.19.0 | Instances of this class can now be passed to worker threads using `postMessage`. |
v11.13.0 | This class is now exported. |
v11.6.0 | Added in: v11.6.0 |
Node.js uses a KeyObject
class to represent a symmetric or asymmetric key,
and each kind of key exposes different functions. The
crypto.createSecretKey()
, crypto.createPublicKey()
and
crypto.createPrivateKey()
methods are used to create KeyObject
instances. KeyObject
objects are not to be created directly using the new
keyword.
Most applications should consider using the new KeyObject
API instead of
passing keys as strings or Buffer
s due to improved security features.
KeyObject
instances can be passed to other threads via postMessage()
.
The receiver obtains a cloned KeyObject
, and the KeyObject
does not need to
be listed in the transferList
argument.
Static method: KeyObject.from(key)
Added in: v15.0.0
Example: Converting a CryptoKey
instance to a KeyObject
:
MJS
CJS
M keyObject.asymmetricKeyDetails
历史
版本 | 更改 |
---|---|
v16.9.0 | Expose `RSASSA-PSS-params` sequence parameters for RSA-PSS keys. |
v15.7.0 | Added in: v15.7.0 |
Object
modulusLength
:number
Key size in bits (RSA, DSA).publicExponent
:bigint
Public exponent (RSA).hashAlgorithm
:string
Name of the message digest (RSA-PSS).mgf1HashAlgorithm
:string
Name of the message digest used by MGF1 (RSA-PSS).saltLength
:number
Minimal salt length in bytes (RSA-PSS).divisorLength
:number
Size ofq
in bits (DSA).namedCurve
:string
Name of the curve (EC).
This property exists only on asymmetric keys. Depending on the type of the key, this object contains information about the key. None of the information obtained through this property can be used to uniquely identify a key or to compromise the security of the key.
For RSA-PSS keys, if the key material contains a RSASSA-PSS-params
sequence,
the hashAlgorithm
, mgf1HashAlgorithm
, and saltLength
properties will be
set.
Other key details might be exposed via this API using additional attributes.
M keyObject.asymmetricKeyType
历史
版本 | 更改 |
---|---|
v13.9.0, v12.17.0 | Added support for `'dh'`. |
v12.0.0 | Added support for `'rsa-pss'`. |
v12.0.0 | This property now returns `undefined` for KeyObject instances of unrecognized type instead of aborting. |
v12.0.0 | Added support for `'x25519'` and `'x448'`. |
v12.0.0 | Added support for `'ed25519'` and `'ed448'`. |
v11.6.0 | Added in: v11.6.0 |
For asymmetric keys, this property represents the type of the key. Supported key types are:
'rsa'
(OID 1.2.840.113549.1.1.1)'rsa-pss'
(OID 1.2.840.113549.1.1.10)'dsa'
(OID 1.2.840.10040.4.1)'ec'
(OID 1.2.840.10045.2.1)'x25519'
(OID 1.3.101.110)'x448'
(OID 1.3.101.111)'ed25519'
(OID 1.3.101.112)'ed448'
(OID 1.3.101.113)'dh'
(OID 1.2.840.113549.1.3.1)
This property is undefined
for unrecognized KeyObject
types and symmetric
keys.
M keyObject.export([options])
历史
版本 | 更改 |
---|---|
v15.9.0 | Added support for `'jwk'` format. |
v11.6.0 | Added in: v11.6.0 |
For symmetric keys, the following encoding options can be used:
format
:string
Must be'buffer'
(default) or'jwk'
.
For public keys, the following encoding options can be used:
type
:string
Must be one of'pkcs1'
(RSA only) or'spki'
.format
:string
Must be'pem'
,'der'
, or'jwk'
.
For private keys, the following encoding options can be used:
type
:string
Must be one of'pkcs1'
(RSA only),'pkcs8'
or'sec1'
(EC only).format
:string
Must be'pem'
,'der'
, or'jwk'
.cipher
:string
If specified, the private key will be encrypted with the givencipher
andpassphrase
using PKCS#5 v2.0 password based encryption.passphrase
:string
|Buffer
The passphrase to use for encryption, seecipher
.
The result type depends on the selected encoding format, when PEM the result is a string, when DER it will be a buffer containing the data encoded as DER, when JWK it will be an object.
When JWK encoding format was selected, all other encoding options are ignored.
PKCS#1, SEC1, and PKCS#8 type keys can be encrypted by using a combination of
the cipher
and format
options. The PKCS#8 type
can be used with any
format
to encrypt any key algorithm (RSA, EC, or DH) by specifying a
cipher
. PKCS#1 and SEC1 can only be encrypted by specifying a cipher
when the PEM format
is used. For maximum compatibility, use PKCS#8 for
encrypted private keys. Since PKCS#8 defines its own
encryption mechanism, PEM-level encryption is not supported when encrypting
a PKCS#8 key. See RFC 5208 for PKCS#8 encryption and RFC 1421 for
PKCS#1 and SEC1 encryption.
M keyObject.equals(otherKeyObject)
Added in: v16.15.0
Returns true
or false
depending on whether the keys have exactly the same
type, value, and parameters. This method is not
constant time.
M keyObject.symmetricKeySize
Added in: v11.6.0
For secret keys, this property represents the size of the key in bytes. This
property is undefined
for asymmetric keys.
M keyObject.type
Added in: v11.6.0
Depending on the type of this KeyObject
, this property is either
'secret'
for secret (symmetric) keys, 'public'
for public (asymmetric) keys
or 'private'
for private (asymmetric) keys.
C Sign
Added in: v0.1.92
- Extends:
stream.Writable
The Sign
class is a utility for generating signatures. It can be used in one
of two ways:
- As a writable stream, where data to be signed is written and the
sign.sign()
method is used to generate and return the signature, or - Using the
sign.update()
andsign.sign()
methods to produce the signature.
The crypto.createSign()
method is used to create Sign
instances. The
argument is the string name of the hash function to use. Sign
objects are not
to be created directly using the new
keyword.
Example: Using Sign
and Verify
objects as streams:
MJS
CJS
Example: Using the sign.update()
and verify.update()
methods:
MJS
CJS
M sign.sign(privateKey[, outputEncoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The privateKey can also be an ArrayBuffer and CryptoKey. |
v13.2.0, v12.16.0 | This function now supports IEEE-P1363 DSA and ECDSA signatures. |
v12.0.0 | This function now supports RSA-PSS keys. |
v11.6.0 | This function now supports key objects. |
v8.0.0 | Support for RSASSA-PSS and additional options was added. |
v0.1.92 | Added in: v0.1.92 |
privateKey
Object
|string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
|KeyObject
|CryptoKey
outputEncoding
string
The encoding of the return value.- Returns:
Buffer
|string
Calculates the signature on all the data passed through using either
sign.update()
or sign.write()
.
If privateKey
is not a KeyObject
, this function behaves as if
privateKey
had been passed to crypto.createPrivateKey()
. If it is an
object, the following additional properties can be passed:
dsaEncoding
string
For DSA and ECDSA, this option specifies the format of the generated signature. It can be one of the following:'der'
(default): DER-encoded ASN.1 signature structure encoding(r, s)
.'ieee-p1363'
: Signature formatr || s
as proposed in IEEE-P1363.
padding
integer
Optional padding value for RSA, one of the following:crypto.constants.RSA_PKCS1_PADDING
(default)crypto.constants.RSA_PKCS1_PSS_PADDING
RSA_PKCS1_PSS_PADDING
will use MGF1 with the same hash function used to sign the message as specified in section 3.1 of RFC 4055, unless an MGF1 hash function has been specified as part of the key in compliance with section 3.3 of RFC 4055.saltLength
integer
Salt length for when padding isRSA_PKCS1_PSS_PADDING
. The special valuecrypto.constants.RSA_PSS_SALTLEN_DIGEST
sets the salt length to the digest size,crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN
(default) sets it to the maximum permissible value.
If outputEncoding
is provided a string is returned; otherwise a Buffer
is returned.
The Sign
object can not be again used after sign.sign()
method has been
called. Multiple calls to sign.sign()
will result in an error being thrown.
M sign.update(data[, inputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.92 | Added in: v0.1.92 |
Updates the Sign
content with the given data
, the encoding of which
is given in inputEncoding
.
If encoding
is not provided, and the data
is a string, an
encoding of 'utf8'
is enforced. If data
is a Buffer
, TypedArray
, or
DataView
, then inputEncoding
is ignored.
This can be called many times with new data as it is streamed.
C Verify
Added in: v0.1.92
- Extends:
stream.Writable
The Verify
class is a utility for verifying signatures. It can be used in one
of two ways:
- As a writable stream where written data is used to validate against the supplied signature, or
- Using the
verify.update()
andverify.verify()
methods to verify the signature.
The crypto.createVerify()
method is used to create Verify
instances.
Verify
objects are not to be created directly using the new
keyword.
See Sign
for examples.
M verify.update(data[, inputEncoding])
历史
版本 | 更改 |
---|---|
v6.0.0 | The default `inputEncoding` changed from `binary` to `utf8`. |
v0.1.92 | Added in: v0.1.92 |
Updates the Verify
content with the given data
, the encoding of which
is given in inputEncoding
.
If inputEncoding
is not provided, and the data
is a string, an
encoding of 'utf8'
is enforced. If data
is a Buffer
, TypedArray
, or
DataView
, then inputEncoding
is ignored.
This can be called many times with new data as it is streamed.
M verify.verify(object, signature[, signatureEncoding])
历史
版本 | 更改 |
---|---|
v15.0.0 | The object can also be an ArrayBuffer and CryptoKey. |
v13.2.0, v12.16.0 | This function now supports IEEE-P1363 DSA and ECDSA signatures. |
v12.0.0 | This function now supports RSA-PSS keys. |
v11.7.0 | The key can now be a private key. |
v8.0.0 | Support for RSASSA-PSS and additional options was added. |
v0.1.92 | Added in: v0.1.92 |
object
Object
|string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
|KeyObject
|CryptoKey
signature
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
signatureEncoding
string
The encoding of thesignature
string.- Returns:
boolean
true
orfalse
depending on the validity of the signature for the data and public key.
Verifies the provided data using the given object
and signature
.
If object
is not a KeyObject
, this function behaves as if
object
had been passed to crypto.createPublicKey()
. If it is an
object, the following additional properties can be passed:
dsaEncoding
string
For DSA and ECDSA, this option specifies the format of the signature. It can be one of the following:'der'
(default): DER-encoded ASN.1 signature structure encoding(r, s)
.'ieee-p1363'
: Signature formatr || s
as proposed in IEEE-P1363.
padding
integer
Optional padding value for RSA, one of the following:crypto.constants.RSA_PKCS1_PADDING
(default)crypto.constants.RSA_PKCS1_PSS_PADDING
RSA_PKCS1_PSS_PADDING
will use MGF1 with the same hash function used to verify the message as specified in section 3.1 of RFC 4055, unless an MGF1 hash function has been specified as part of the key in compliance with section 3.3 of RFC 4055.saltLength
integer
Salt length for when padding isRSA_PKCS1_PSS_PADDING
. The special valuecrypto.constants.RSA_PSS_SALTLEN_DIGEST
sets the salt length to the digest size,crypto.constants.RSA_PSS_SALTLEN_AUTO
(default) causes it to be determined automatically.
The signature
argument is the previously calculated signature for the data, in
the signatureEncoding
.
If a signatureEncoding
is specified, the signature
is expected to be a
string; otherwise signature
is expected to be a Buffer
,
TypedArray
, or DataView
.
The verify
object can not be used again after verify.verify()
has been
called. Multiple calls to verify.verify()
will result in an error being
thrown.
Because public keys can be derived from private keys, a private key may be passed instead of a public key.
C X509Certificate
Added in: v15.6.0
Encapsulates an X509 certificate and provides read-only access to its information.
MJS
CJS
M new X509Certificate(buffer)
Added in: v15.6.0
buffer
string
|TypedArray
|Buffer
|DataView
A PEM or DER encoded X509 Certificate.
M x509.ca
Added in: v15.6.0
- Type:
boolean
Will betrue
if this is a Certificate Authority (CA) certificate.
M x509.checkEmail(email[, options])
历史
版本 | 更改 |
---|---|
v16.15.0 | The subject option can now be set to `'default'`. |
v16.14.1 | The `wildcards`, `partialWildcards`, `multiLabelWildcards`, and `singleLabelSubdomains` options have been removed since they had no effect. |
v15.6.0 | Added in: v15.6.0 |
email
string
options
Object
- Returns:
string
|undefined
Returnsemail
if the certificate matches,undefined
if it does not.
Checks whether the certificate matches the given email address.
If the 'subject'
option is set to 'always'
and if the subject alternative
name extension either does not exist or does not contain a matching email
address, the certificate subject is considered.
If the 'subject'
option is set to 'default'
, the certificate subject is only
considered if the subject alternative name extension either does not exist or
does not contain any email addresses.
If the 'subject'
option is set to 'never'
, the certificate subject is never
considered, even if the certificate contains no subject alternative names.
M x509.checkHost(name[, options])
历史
版本 | 更改 |
---|---|
v16.15.0 | The subject option can now be set to `'default'`. |
v15.6.0 | Added in: v15.6.0 |
name
string
options
Object
- Returns:
string
|undefined
Returns a subject name that matchesname
, orundefined
if no subject name matchesname
.
Checks whether the certificate matches the given host name.
If the certificate matches the given host name, the matching subject name is
returned. The returned name might be an exact match (e.g., foo.example.com
)
or it might contain wildcards (e.g., *.example.com
). Because host name
comparisons are case-insensitive, the returned subject name might also differ
from the given name
in capitalization.
If the 'subject'
option is set to 'always'
and if the subject alternative
name extension either does not exist or does not contain a matching DNS name,
the certificate subject is considered.
If the 'subject'
option is set to 'default'
, the certificate subject is only
considered if the subject alternative name extension either does not exist or
does not contain any DNS names. This behavior is consistent with RFC 2818
("HTTP Over TLS").
If the 'subject'
option is set to 'never'
, the certificate subject is never
considered, even if the certificate contains no subject alternative names.
M x509.checkIP(ip)
历史
版本 | 更改 |
---|---|
v16.14.1 | The `options` argument has been removed since it had no effect. |
v15.6.0 | Added in: v15.6.0 |
ip
string
- Returns:
string
|undefined
Returnsip
if the certificate matches,undefined
if it does not.
Checks whether the certificate matches the given IP address (IPv4 or IPv6).
Only RFC 5280 iPAddress
subject alternative names are considered, and they
must match the given ip
address exactly. Other subject alternative names as
well as the subject field of the certificate are ignored.
M x509.checkIssued(otherCert)
Added in: v15.6.0
otherCert
X509Certificate
- Returns:
boolean
Checks whether this certificate was issued by the given otherCert
.
M x509.checkPrivateKey(privateKey)
Added in: v15.6.0
Checks whether the public key for this certificate is consistent with the given private key.
M x509.fingerprint
Added in: v15.6.0
- Type:
string
The SHA-1 fingerprint of this certificate.
Because SHA-1 is cryptographically broken and because the security of SHA-1 is
significantly worse than that of algorithms that are commonly used to sign
certificates, consider using x509.fingerprint256
instead.
M x509.fingerprint256
Added in: v15.6.0
- Type:
string
The SHA-256 fingerprint of this certificate.
M x509.fingerprint512
Added in: v16.14.0
- Type:
string
The SHA-512 fingerprint of this certificate.
Because computing the SHA-256 fingerprint is usually faster and because it is
only half the size of the SHA-512 fingerprint, x509.fingerprint256
may be
a better choice. While SHA-512 presumably provides a higher level of security in
general, the security of SHA-256 matches that of most algorithms that are
commonly used to sign certificates.
M x509.infoAccess
历史
版本 | 更改 |
---|---|
v16.13.2 | Parts of this string may be encoded as JSON string literals in response to CVE-2021-44532. |
v15.6.0 | Added in: v15.6.0 |
- Type:
string
A textual representation of the certificate's authority information access extension.
This is a line feed separated list of access descriptions. Each line begins with the access method and the kind of the access location, followed by a colon and the value associated with the access location.
After the prefix denoting the access method and the kind of the access location, the remainder of each line might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.
M x509.issuer
Added in: v15.6.0
- Type:
string
The issuer identification included in this certificate.
M x509.issuerCertificate
Added in: v15.9.0
- Type:
X509Certificate
The issuer certificate or undefined
if the issuer certificate is not
available.
M x509.keyUsage
Added in: v15.6.0
- Type: string[]
An array detailing the key usages for this certificate.
M x509.publicKey
Added in: v15.6.0
- Type:
KeyObject
The public key KeyObject
for this certificate.
M x509.raw
Added in: v15.6.0
- Type:
Buffer
A Buffer
containing the DER encoding of this certificate.
M x509.serialNumber
Added in: v15.6.0
- Type:
string
The serial number of this certificate.
Serial numbers are assigned by certificate authorities and do not uniquely
identify certificates. Consider using x509.fingerprint256
as a unique
identifier instead.
M x509.subject
Added in: v15.6.0
- Type:
string
The complete subject of this certificate.
M x509.subjectAltName
历史
版本 | 更改 |
---|---|
v16.13.2 | Parts of this string may be encoded as JSON string literals in response to CVE-2021-44532. |
v15.6.0 | Added in: v15.6.0 |
- Type:
string
The subject alternative name specified for this certificate.
This is a comma-separated list of subject alternative names. Each entry begins with a string identifying the kind of the subject alternative name followed by a colon and the value associated with the entry.
Earlier versions of Node.js incorrectly assumed that it is safe to split this
property at the two-character sequence ', '
(see CVE-2021-44532). However,
both malicious and legitimate certificates can contain subject alternative names
that include this sequence when represented as a string.
After the prefix denoting the type of the entry, the remainder of each entry might be enclosed in quotes to indicate that the value is a JSON string literal. For backward compatibility, Node.js only uses JSON string literals within this property when necessary to avoid ambiguity. Third-party code should be prepared to handle both possible entry formats.
M x509.toJSON()
Added in: v15.6.0
- Type:
string
There is no standard JSON encoding for X509 certificates. The
toJSON()
method returns a string containing the PEM encoded
certificate.
M x509.toLegacyObject()
Added in: v15.6.0
- Type:
Object
Returns information about this certificate using the legacy certificate object encoding.
M x509.toString()
Added in: v15.6.0
- Type:
string
Returns the PEM-encoded certificate.
M x509.validFrom
Added in: v15.6.0
- Type:
string
The date/time from which this certificate is considered valid.
M x509.validTo
Added in: v15.6.0
- Type:
string
The date/time until which this certificate is considered valid.
M x509.verify(publicKey)
Added in: v15.6.0
Verifies that this certificate was signed by the given public key. Does not perform any other validation checks on the certificate.
M node:crypto
module methods and properties
M crypto.constants
Added in: v6.3.0
An object containing commonly used constants for crypto and security related operations. The specific constants currently defined are described in Crypto constants.
M crypto.DEFAULT_ENCODING
Deprecated in: v10.0.0
The default encoding to use for functions that can take either strings
or buffers. The default value is 'buffer'
, which makes methods
default to Buffer
objects.
The crypto.DEFAULT_ENCODING
mechanism is provided for backward compatibility
with legacy programs that expect 'latin1'
to be the default encoding.
New applications should expect the default to be 'buffer'
.
This property is deprecated.
M crypto.fips
Deprecated in: v10.0.0
Property for checking and controlling whether a FIPS compliant crypto provider is currently in use. Setting to true requires a FIPS build of Node.js.
This property is deprecated. Please use crypto.setFips()
and
crypto.getFips()
instead.
M crypto.checkPrime(candidate[, options], callback)
Added in: v15.8.0
candidate
ArrayBuffer
|SharedArrayBuffer
|TypedArray
|Buffer
|DataView
|bigint
A possible prime encoded as a sequence of big endian octets of arbitrary length.options
Object
checks
number
The number of Miller-Rabin probabilistic primality iterations to perform. When the value is0
(zero), a number of checks is used that yields a false positive rate of at most 2-64 for random input. Care must be used when selecting a number of checks. Refer to the OpenSSL documentation for theBN_is_prime_ex
functionnchecks
options for more details. Default:0
callback
Function
Checks the primality of the candidate
.
M crypto.checkPrimeSync(candidate[, options])
Added in: v15.8.0
candidate
ArrayBuffer
|SharedArrayBuffer
|TypedArray
|Buffer
|DataView
|bigint
A possible prime encoded as a sequence of big endian octets of arbitrary length.options
Object
checks
number
The number of Miller-Rabin probabilistic primality iterations to perform. When the value is0
(zero), a number of checks is used that yields a false positive rate of at most 2-64 for random input. Care must be used when selecting a number of checks. Refer to the OpenSSL documentation for theBN_is_prime_ex
functionnchecks
options for more details. Default:0
- Returns:
boolean
true
if the candidate is a prime with an error probability less than0.25 ** options.checks
.
Checks the primality of the candidate
.
M crypto.createCipher(algorithm, password[, options])
历史
版本 | 更改 |
---|---|
v16.17.0 | The `authTagLength` option is now optional when using the `chacha20-poly1305` cipher and defaults to 16 bytes. |
v15.0.0 | The password argument can be an ArrayBuffer and is limited to a maximum of 2 ** 31 - 1 bytes. |
v10.10.0 | Ciphers in OCB mode are now supported. |
v10.2.0 | The `authTagLength` option can now be used to produce shorter authentication tags in GCM mode and defaults to 16 bytes. |
v10.0.0 | Added in: v10.0.0 |
algorithm
string
password
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
options
Object
stream.transform
options- Returns:
Cipher
Creates and returns a Cipher
object that uses the given algorithm
and
password
.
The options
argument controls stream behavior and is optional except when a
cipher in CCM or OCB mode (e.g. 'aes-128-ccm'
) is used. In that case, the
authTagLength
option is required and specifies the length of the
authentication tag in bytes, see CCM mode. In GCM mode, the authTagLength
option is not required but can be used to set the length of the authentication
tag that will be returned by getAuthTag()
and defaults to 16 bytes.
For chacha20-poly1305
, the authTagLength
option defaults to 16 bytes.
The algorithm
is dependent on OpenSSL, examples are 'aes192'
, etc. On
recent OpenSSL releases, openssl list -cipher-algorithms
will
display the available cipher algorithms.
The password
is used to derive the cipher key and initialization vector (IV).
The value must be either a 'latin1'
encoded string, a Buffer
, a
TypedArray
, or a DataView
.
The implementation of crypto.createCipher()
derives keys using the OpenSSL
function EVP_BytesToKey
with the digest algorithm set to MD5, one
iteration, and no salt. The lack of salt allows dictionary attacks as the same
password always creates the same key. The low iteration count and
non-cryptographically secure hash algorithm allow passwords to be tested very
rapidly.
In line with OpenSSL's recommendation to use a more modern algorithm instead of
EVP_BytesToKey
it is recommended that developers derive a key and IV on
their own using crypto.scrypt()
and to use crypto.createCipheriv()
to create the Cipher
object. Users should not use ciphers with counter mode
(e.g. CTR, GCM, or CCM) in crypto.createCipher()
. A warning is emitted when
they are used in order to avoid the risk of IV reuse that causes
vulnerabilities. For the case when IV is reused in GCM, see Nonce-Disrespecting
Adversaries for details.
M crypto.createCipheriv(algorithm, key, iv[, options])
历 史
版本 | 更改 |
---|---|
v16.17.0 | The `authTagLength` option is now optional when using the `chacha20-poly1305` cipher and defaults to 16 bytes. |
v15.0.0 | The password and iv arguments can be an ArrayBuffer and are each limited to a maximum of 2 ** 31 - 1 bytes. |
v11.6.0 | The `key` argument can now be a `KeyObject`. |
v11.2.0, v10.17.0 | The cipher `chacha20-poly1305` (the IETF variant of ChaCha20-Poly1305) is now supported. |
v10.10.0 | Ciphers in OCB mode are now supported. |
v10.2.0 | The `authTagLength` option can now be used to produce shorter authentication tags in GCM mode and defaults to 16 bytes. |
v9.9.0 | The `iv` parameter may now be `null` for ciphers which do not need an initialization vector. |
v0.1.94 | Added in: v0.1.94 |
algorithm
string
key
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
|KeyObject
|CryptoKey
iv
string
|ArrayBuffer
|Buffer
|TypedArray
|DataView
|null
options
Object
stream.transform
options- Returns:
Cipher
Creates and returns a Cipher
object, with the given algorithm
, key
and
initialization vector (iv
).
The options
argument controls stream behavior and is optional except when a
cipher in CCM or OCB mode (e.g. 'aes-128-ccm'
) is used. In that case, the
authTagLength
option is required and specifies the length of the
authentication tag in bytes, see CCM mode. In GCM mode, the authTagLength
option is not required but can be used to set the length of the authentication
tag that will be returned by getAuthTag()
and defaults to 16 bytes.
For chacha20-poly1305
, the authTagLength
option defaults to 16 bytes.
The algorithm
is dependent on OpenSSL, examples are 'aes192'
, etc. On
recent OpenSSL releases, openssl list -cipher-algorithms
will
display the available cipher algorithms.
The key
is the raw key used by the algorithm
and iv
is an
initialization vector. Both arguments must be 'utf8'
encoded strings,
Buffers, TypedArray
, or DataView
s. The key
may optionally be
a KeyObject
of type secret
. If the cipher does not need
an initialization vector, iv
may be null
.
When passing strings for key
or iv
, please consider
caveats when using strings as inputs to cryptographic APIs.
Initialization vectors should be unpredictable and unique; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages unencrypted. It may sound contradictory that something has to be unpredictable and unique, but does not have to be secret; remember that an attacker must not be able to predict ahead of time what a given IV will be.
M crypto.createDecipher(algorithm, password[, options])
历史
版本 | 更改 |
---|---|
v16.17.0 | The `authTagLength` option is now optional when using the `chacha20-poly1305` cipher and defaults to 16 bytes. |
v10.10.0 | Ciphers in OCB mode are now supported. |
v10.0.0 | Added in: v10.0.0 |