An implementation of the Web Crypto API standard.
See the Web Crypto API documentation for details.
namespace
crypto.webcrypto
namespace webcrypto
interface AesCbcParams
interface AesCtrParams
interface AesDerivedKeyParams
interface AesGcmParams
interface AesKeyAlgorithm
interface AesKeyGenParams
interface Crypto
Importing the
webcryptoobject (import { webcrypto } from 'node:crypto') gives an instance of theCryptoclass.Cryptois a singleton that provides access to the remainder of the crypto API.- getRandomValues<T extends Uint8Array<ArrayBufferLike> | Uint8ClampedArray<ArrayBufferLike> | Uint16Array<ArrayBufferLike> | Uint32Array<ArrayBufferLike> | Int8Array<ArrayBufferLike> | Int16Array<ArrayBufferLike> | Int32Array<ArrayBufferLike> | BigUint64Array<ArrayBufferLike> | BigInt64Array<ArrayBufferLike>>(typedArray: T): T;
Generates cryptographically strong random values. The given
typedArrayis filled with random values, and a reference totypedArrayis returned.The given
typedArraymust be an integer-based instance of NodeJS.TypedArray, i.e.Float32ArrayandFloat64Arrayare not accepted.An error will be thrown if the given
typedArrayis larger than 65,536 bytes. Generates a random RFC 4122 version 4 UUID. The UUID is generated using a cryptographic pseudorandom number generator.
interface CryptoKey
- readonly algorithm: KeyAlgorithm
An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.
- readonly extractable: boolean
When
true, the CryptoKey can be extracted using eithersubtleCrypto.exportKey()orsubtleCrypto.wrapKey(). - readonly usages: KeyUsage[]
An array of strings identifying the operations for which the key may be used.
The possible usages are:
'encrypt'- The key may be used to encrypt data.'decrypt'- The key may be used to decrypt data.'sign'- The key may be used to generate digital signatures.'verify'- The key may be used to verify digital signatures.'deriveKey'- The key may be used to derive a new key.'deriveBits'- The key may be used to derive bits.'wrapKey'- The key may be used to wrap another key.'unwrapKey'- The key may be used to unwrap another key.
Valid key usages depend on the key algorithm (identified by
cryptokey.algorithm.name).
interface CryptoKeyConstructor
interface CryptoKeyPair
The
CryptoKeyPairis a simple dictionary object withpublicKeyandprivateKeyproperties, representing an asymmetric key pair.interface EcdhKeyDeriveParams
interface EcdsaParams
interface EcKeyAlgorithm
interface EcKeyGenParams
interface EcKeyImportParams
interface Ed448Params
interface HkdfParams
interface HmacImportParams
interface HmacKeyAlgorithm
interface HmacKeyGenParams
interface KeyAlgorithm
interface Pbkdf2Params
interface RsaHashedImportParams
interface RsaHashedKeyAlgorithm
interface RsaHashedKeyGenParams
interface RsaKeyAlgorithm
interface RsaKeyGenParams
interface RsaOaepParams
interface RsaOtherPrimesInfo
interface RsaPssParams
interface SubtleCrypto
Using the method and parameters specified in
algorithmand the keying material provided bykey,subtle.decrypt()attempts to decipher the provideddata. If successful, the returned promise will be resolved with an<ArrayBuffer>containing the plaintext result.The algorithms currently supported include:
'RSA-OAEP''AES-CTR''AES-CBC''AES-GCM'
- length?: null | number
Using the method and parameters specified in
algorithmand the keying material provided bybaseKey,subtle.deriveBits()attempts to generatelengthbits. The Node.js implementation requires that whenlengthis a number it must be multiple of8. Whenlengthisnullthe maximum number of bits for a given algorithm is generated. This is allowed for the'ECDH','X25519', and'X448'algorithms. If successful, the returned promise will be resolved with an<ArrayBuffer>containing the generated data.The algorithms currently supported include:
'ECDH''X25519''X448''HKDF''PBKDF2'
length: number - extractable: boolean,
Using the method and parameters specified in
algorithm, and the keying material provided bybaseKey,subtle.deriveKey()attempts to generate a new <CryptoKey>based on the method and parameters inderivedKeyAlgorithm`.Calling
subtle.deriveKey()is equivalent to callingsubtle.deriveBits()to generate raw keying material, then passing the result into thesubtle.importKey()method using thederiveKeyAlgorithm,extractable, andkeyUsagesparameters as input.The algorithms currently supported include:
'ECDH''X25519''X448''HKDF''PBKDF2'
@param keyUsagesSee Key usages.
Using the method identified by
algorithm,subtle.digest()attempts to generate a digest ofdata. If successful, the returned promise is resolved with an<ArrayBuffer>containing the computed digest.If
algorithmis provided as a<string>, it must be one of:'SHA-1''SHA-256''SHA-384''SHA-512'
If
algorithmis provided as an<Object>, it must have anameproperty whose value is one of the above.Using the method and parameters specified by
algorithmand the keying material provided bykey,subtle.encrypt()attempts to encipherdata. If successful, the returned promise is resolved with an<ArrayBuffer>containing the encrypted result.The algorithms currently supported include:
'RSA-OAEP''AES-CTR''AES-CBC''AES-GCM'
- format: 'jwk',
Exports the given key into the specified format, if supported.
If the
<CryptoKey>is not extractable, the returned promise will reject.When
formatis either'pkcs8'or'spki'and the export is successful, the returned promise will be resolved with an<ArrayBuffer>containing the exported key data.When
formatis'jwk'and the export is successful, the returned promise will be resolved with a JavaScript object conforming to the JSON Web Key specification.@param formatMust be one of
'raw','pkcs8','spki', or'jwk'.@returns<Promise>containing<ArrayBuffer>. - extractable: boolean,
Using the method and parameters provided in
algorithm,subtle.generateKey()attempts to generate new keying material. Depending the method used, the method may generate either a single<CryptoKey>or a<CryptoKeyPair>.The
<CryptoKeyPair>(public and private key) generating algorithms supported include:'RSASSA-PKCS1-v1_5''RSA-PSS''RSA-OAEP''ECDSA''Ed25519''Ed448''ECDH''X25519''X448'The<CryptoKey>(secret key) generating algorithms supported include:'HMAC''AES-CTR''AES-CBC''AES-GCM''AES-KW'
@param keyUsagesSee Key usages.
extractable: boolean,extractable: boolean, - format: 'jwk',algorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,extractable: boolean,
The
subtle.importKey()method attempts to interpret the providedkeyDataas the givenformatto create a<CryptoKey>instance using the providedalgorithm,extractable, andkeyUsagesarguments. If the import is successful, the returned promise will be resolved with the created<CryptoKey>.If importing a
'PBKDF2'key,extractablemust befalse.@param formatMust be one of
'raw','pkcs8','spki', or'jwk'.@param keyUsagesSee Key usages.
format: 'spki' | 'pkcs8' | 'raw',algorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,extractable: boolean, - sign(
Using the method and parameters given by
algorithmand the keying material provided bykey,subtle.sign()attempts to generate a cryptographic signature ofdata. If successful, the returned promise is resolved with an<ArrayBuffer>containing the generated signature.The algorithms currently supported include:
'RSASSA-PKCS1-v1_5''RSA-PSS''ECDSA''Ed25519''Ed448''HMAC'
- unwrappedKeyAlgorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,extractable: boolean,
In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The
subtle.unwrapKey()method attempts to decrypt a wrapped key and create a<CryptoKey>instance. It is equivalent to callingsubtle.decrypt()first on the encrypted key data (using thewrappedKey,unwrapAlgo, andunwrappingKeyarguments as input) then passing the results in to thesubtle.importKey()method using theunwrappedKeyAlgo,extractable, andkeyUsagesarguments as inputs. If successful, the returned promise is resolved with a<CryptoKey>object.The wrapping algorithms currently supported include:
'RSA-OAEP''AES-CTR''AES-CBC''AES-GCM''AES-KW'
The unwrapped key algorithms supported include:
'RSASSA-PKCS1-v1_5''RSA-PSS''RSA-OAEP''ECDSA''Ed25519''Ed448''ECDH''X25519''X448''HMAC''AES-CTR''AES-CBC''AES-GCM''AES-KW'
@param formatMust be one of
'raw','pkcs8','spki', or'jwk'.@param keyUsagesSee Key usages.
- ): Promise<boolean>;
Using the method and parameters given in
algorithmand the keying material provided bykey,subtle.verify()attempts to verify thatsignatureis a valid cryptographic signature ofdata. The returned promise is resolved with eithertrueorfalse.The algorithms currently supported include:
'RSASSA-PKCS1-v1_5''RSA-PSS''ECDSA''Ed25519''Ed448''HMAC'
In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The
subtle.wrapKey()method exports the keying material into the format identified byformat, then encrypts it using the method and parameters specified bywrapAlgoand the keying material provided bywrappingKey. It is the equivalent to callingsubtle.exportKey()usingformatandkeyas the arguments, then passing the result to thesubtle.encrypt()method usingwrappingKeyandwrapAlgoas inputs. If successful, the returned promise will be resolved with an<ArrayBuffer>containing the encrypted key data.The wrapping algorithms currently supported include:
'RSA-OAEP''AES-CTR''AES-CBC''AES-GCM''AES-KW'
@param formatMust be one of
'raw','pkcs8','spki', or'jwk'.
- type AlgorithmIdentifier = Algorithm | string
- type BigInteger = Uint8Array
- type BufferSource = ArrayBufferView | ArrayBuffer
- type KeyFormat = 'jwk' | 'pkcs8' | 'raw' | 'spki'
- type KeyType = 'private' | 'public' | 'secret'
- type KeyUsage = 'decrypt' | 'deriveBits' | 'deriveKey' | 'encrypt' | 'sign' | 'unwrapKey' | 'verify' | 'wrapKey'
- type NamedCurve = string