Crypto#

Stability: 2 - Stable

Source Code: lib/crypto.js

The node:crypto module provides cryptographic functionality that includes a set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify functions.

const { createHmac } = await import('node:crypto');

const secret = 'abcdefg';
const hash = createHmac('sha256', secret)
               .update('I love cupcakes')
               .digest('hex');
console.log(hash);
// Prints:
//   c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658econst { createHmac } = require('node:crypto');

const secret = 'abcdefg';
const hash = createHmac('sha256', secret)
               .update('I love cupcakes')
               .digest('hex');
console.log(hash);
// Prints:
//   c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e

Determining if crypto support is unavailable#

It is possible for Node.js to be built without including support for the node:crypto module. In such cases, attempting to import from crypto or calling require('node:crypto') will result in an error being thrown.

When using CommonJS, the error thrown can be caught using try/catch:

let crypto;
try {
  crypto = require('node:crypto');
} catch (err) {
  console.error('crypto support is disabled!');
}

When using the lexical ESM import keyword, the error can only be caught if a handler for process.on('uncaughtException') is registered before any attempt to load the module is made (using, for instance, a preload module).

When using ESM, if there is a chance that the code may be run on a build of Node.js where crypto support is not enabled, consider using the import() function instead of the lexical import keyword:

let crypto;
try {
  crypto = await import('node:crypto');
} catch (err) {
  console.error('crypto support is disabled!');
}

Asymmetric key types#

The following table lists the asymmetric key types recognized by the KeyObject API:

Key TypeDescriptionOID
'dh'Diffie-Hellman1.2.840.113549.1.3.1
'dsa'DSA1.2.840.10040.4.1
'ec'Elliptic curve1.2.840.10045.2.1
'ed25519'Ed255191.3.101.112
'ed448'Ed4481.3.101.113
'ml-dsa-44'1ML-DSA-442.16.840.1.101.3.4.3.17
'ml-dsa-65'1ML-DSA-652.16.840.1.101.3.4.3.18
'ml-dsa-87'1ML-DSA-872.16.840.1.101.3.4.3.19
'ml-kem-1024'1ML-KEM-10242.16.840.1.101.3.4.4.3
'ml-kem-512'1ML-KEM-5122.16.840.1.101.3.4.4.1
'ml-kem-768'1ML-KEM-7682.16.840.1.101.3.4.4.2
'rsa-pss'RSA PSS1.2.840.113549.1.1.10
'rsa'RSA1.2.840.113549.1.1.1
'x25519'X255191.3.101.110
'x448'X4481.3.101.111

Class: Certificate#

Added in: v0.11.8

SPKAC is a Certificate Signing Request mechanism originally implemented by Netscape and was specified formally as part of HTML5's keygen element.

<keygen> is deprecated since HTML 5.2 and new projects should not use this element anymore.

The node:crypto module provides the Certificate class for working with SPKAC data. The most common usage is handling output generated by the HTML5 <keygen> element. Node.js uses OpenSSL's SPKAC implementation internally.

Static method: Certificate.exportChallenge(spkac[, encoding])#

History
VersionChanges
v15.0.0

The spkac argument can be an ArrayBuffer. Limited the size of the spkac argument to a maximum of 2**31 - 1 bytes.

v9.0.0

Added in: v9.0.0

const { Certificate } = await import('node:crypto');
const spkac = getSpkacSomehow();
const challenge = Certificate.exportChallenge(spkac);
console.log(challenge.toString('utf8'));
// Prints: the challenge as a UTF8 stringconst { Certificate } = require('node:crypto');
const spkac = getSpkacSomehow();
const challenge = Certificate.exportChallenge(spkac);
console.log(challenge.toString('utf8'));
// Prints: the challenge as a UTF8 string

Static method: Certificate.exportPublicKey(spkac[, encoding])