@idlebox/stripe-node-types 24.0.14 → 24.0.15

package/crypto.d.ts

@@ -29,10 +29,11 @@
  * // Prints:
  * //   c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
  * ```
- * @see [source](https://github.com/nodejs/node/blob/v24.x/lib/crypto.js)
+ * @see [source](https://github.com/nodejs/node/blob/v25.x/lib/crypto.js)
  */
 
 declare module "node:crypto" {
+    import { NonSharedBuffer } from 'node:buffer';
     import * as stream from 'node:stream';
     import { PeerCertificate } from 'node:tls';
     /**
@@ -60,7 +61,7 @@ declare module "node:crypto" {
          * @param encoding The `encoding` of the `spkac` string.
          * @return The challenge component of the `spkac` data structure, which includes a public key and a challenge.
          */
-        static exportChallenge(spkac: BinaryLike): Buffer;
+        static exportChallenge(spkac: BinaryLike): NonSharedBuffer;
         /**
          * ```js
          * const { Certificate } = await import('node:crypto');
@@ -73,7 +74,7 @@ declare module "node:crypto" {
          * @param encoding The `encoding` of the `spkac` string.
          * @return The public key component of the `spkac` data structure, which includes a public key and a challenge.
          */
-        static exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
+        static exportPublicKey(spkac: BinaryLike, encoding?: string): NonSharedBuffer;
         /**
          * ```js
          * import { Buffer } from 'node:buffer';
@@ -94,7 +95,7 @@ declare module "node:crypto" {
          * @returns The challenge component of the `spkac` data structure,
          * which includes a public key and a challenge.
          */
-        exportChallenge(spkac: BinaryLike): Buffer;
+        exportChallenge(spkac: BinaryLike): NonSharedBuffer;
         /**
          * @deprecated
          * @param spkac
@@ -102,7 +103,7 @@ declare module "node:crypto" {
          * @returns The public key component of the `spkac` data structure,
          * which includes a public key and a challenge.
          */
-        exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
+        exportPublicKey(spkac: BinaryLike, encoding?: string): NonSharedBuffer;
         /**
          * @deprecated
          * @param spkac
@@ -112,7 +113,7 @@ declare module "node:crypto" {
         verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
     }
     namespace constants {
-        // https://nodejs.org/dist/latest-v24.x/docs/api/crypto.html#crypto-constants
+        // https://nodejs.org/dist/latest-v25.x/docs/api/crypto.html#crypto-constants
         const OPENSSL_VERSION_NUMBER: number;
         /** Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. */
         const SSL_OP_ALL: number;
@@ -418,7 +419,7 @@ declare module "node:crypto" {
          * @since v0.1.92
          * @param encoding The `encoding` of the return value.
          */
-        digest(): Buffer;
+        digest(): NonSharedBuffer;
         digest(encoding: BinaryToTextEncoding): string;
     }
     /**
@@ -486,7 +487,6 @@ declare module "node:crypto" {
      * //   7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
      * ```
      * @since v0.1.94
-     * @deprecated Since v20.13.0 Calling `Hmac` class directly with `Hmac()` or `new Hmac()` is deprecated due to being internals, not intended for public use. Please use the {@link createHmac} method to create Hmac instances.
      */
     class Hmac extends stream.Transform {
         private constructor();
@@ -512,64 +512,98 @@ declare module "node:crypto" {
          * @since v0.1.94
          * @param encoding The `encoding` of the return value.
          */
-        digest(): Buffer;
+        digest(): NonSharedBuffer;
         digest(encoding: BinaryToTextEncoding): string;
     }
+    type KeyFormat = "pem" | "der" | "jwk";
     type KeyObjectType = "secret" | "public" | "private";
-    interface KeyExportOptions<T extends KeyFormat> {
-        type: "pkcs1" | "spki" | "pkcs8" | "sec1";
-        format: T;
+    type PublicKeyExportType = "pkcs1" | "spki";
+    type PrivateKeyExportType = "pkcs1" | "pkcs8" | "sec1";
+    type KeyExportOptions =
+        | SymmetricKeyExportOptions
+        | PublicKeyExportOptions
+        | PrivateKeyExportOptions
+        | JwkKeyExportOptions;
+    interface SymmetricKeyExportOptions {
+        format?: "buffer" | undefined;
+    }
+    interface PublicKeyExportOptions<T extends PublicKeyExportType = PublicKeyExportType> {
+        type: T;
+        format: Exclude<KeyFormat, "jwk">;
+    }
+    interface PrivateKeyExportOptions<T extends PrivateKeyExportType = PrivateKeyExportType> {
+        type: T;
+        format: Exclude<KeyFormat, "jwk">;
         cipher?: string | undefined;
         passphrase?: string | Buffer | undefined;
     }
     interface JwkKeyExportOptions {
         format: "jwk";
     }
-    interface JsonWebKey {
-        crv?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        e?: string | undefined;
-        k?: string | undefined;
-        kty?: string | undefined;
-        n?: string | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
-        [key: string]: unknown;
-    }
+    interface KeyPairExportOptions<
+        TPublic extends PublicKeyExportType = PublicKeyExportType,
+        TPrivate extends PrivateKeyExportType = PrivateKeyExportType,
+    > {
+        publicKeyEncoding?: PublicKeyExportOptions<TPublic> | JwkKeyExportOptions | undefined;
+        privateKeyEncoding?: PrivateKeyExportOptions<TPrivate> | JwkKeyExportOptions | undefined;
+    }
+    type KeyExportResult<T, Default> = T extends { format: infer F extends KeyFormat }
+        ? { der: NonSharedBuffer; jwk: webcrypto.JsonWebKey; pem: string }[F]
+        : Default;
+    interface KeyPairExportResult<T extends KeyPairExportOptions> {
+        publicKey: KeyExportResult<T["publicKeyEncoding"], KeyObject>;
+        privateKey: KeyExportResult<T["privateKeyEncoding"], KeyObject>;
+    }
+    type KeyPairExportCallback<T extends KeyPairExportOptions> = (
+        err: Error | null,
+        publicKey: KeyExportResult<T["publicKeyEncoding"], KeyObject>,
+        privateKey: KeyExportResult<T["privateKeyEncoding"], KeyObject>,
+    ) => void;
+    type MLDSAKeyType = `ml-dsa-${44 | 65 | 87}`;
+    type MLKEMKeyType = `ml-kem-${1024 | 512 | 768}`;
+    type SLHDSAKeyType = `slh-dsa-${"sha2" | "shake"}-${128 | 192 | 256}${"f" | "s"}`;
+    type AsymmetricKeyType =
+        | "dh"
+        | "dsa"
+        | "ec"
+        | "ed25519"
+        | "ed448"
+        | MLDSAKeyType
+        | MLKEMKeyType
+        | "rsa-pss"
+        | "rsa"
+        | SLHDSAKeyType
+        | "x25519"
+        | "x448";
     interface AsymmetricKeyDetails {
         /**
          * Key size in bits (RSA, DSA).
          */
-        modulusLength?: number | undefined;
+        modulusLength?: number;
         /**
          * Public exponent (RSA).
          */
-        publicExponent?: bigint | undefined;
+        publicExponent?: bigint;
         /**
          * Name of the message digest (RSA-PSS).
          */
-        hashAlgorithm?: string | undefined;
+        hashAlgorithm?: string;
         /**
          * Name of the message digest used by MGF1 (RSA-PSS).
          */
-        mgf1HashAlgorithm?: string | undefined;
+        mgf1HashAlgorithm?: string;
         /**
          * Minimal salt length in bytes (RSA-PSS).
          */
-        saltLength?: number | undefined;
+        saltLength?: number;
         /**
          * Size of q in bits (DSA).
          */
-        divisorLength?: number | undefined;
+        divisorLength?: number;
         /**
          * Name of the curve (EC).
          */
-        namedCurve?: string | undefined;
+        namedCurve?: string;
     }
     /**
      * Node.js uses a `KeyObject` class to represent a symmetric or asymmetric key,
@@ -607,24 +641,14 @@ declare module "node:crypto" {
          */
         static from(key: webcrypto.CryptoKey): KeyObject;
         /**
-         * For asymmetric keys, this property represents the type of the key. Supported key
-         * types are:
-         *
-         * * `'rsa'` (OID 1.2.840.113549.1.1.1)
-         * * `'rsa-pss'` (OID 1.2.840.113549.1.1.10)
-         * * `'dsa'` (OID 1.2.840.10040.4.1)
-         * * `'ec'` (OID 1.2.840.10045.2.1)
-         * * `'x25519'` (OID 1.3.101.110)
-         * * `'x448'` (OID 1.3.101.111)
-         * * `'ed25519'` (OID 1.3.101.112)
-         * * `'ed448'` (OID 1.3.101.113)
-         * * `'dh'` (OID 1.2.840.113549.1.3.1)
+         * For asymmetric keys, this property represents the type of the key. See the
+         * supported [asymmetric key types](https://nodejs.org/docs/latest-v25.x/api/crypto.html#asymmetric-key-types).
          *
          * This property is `undefined` for unrecognized `KeyObject` types and symmetric
          * keys.
          * @since v11.6.0
          */
-        asymmetricKeyType?: KeyType | undefined;
+        asymmetricKeyType?: AsymmetricKeyType;
         /**
          * This property exists only on asymmetric keys. Depending on the type of the key,
          * this object contains information about the key. None of the information obtained
@@ -638,7 +662,7 @@ declare module "node:crypto" {
          * Other key details might be exposed via this API using additional attributes.
          * @since v15.7.0
          */
-        asymmetricKeyDetails?: AsymmetricKeyDetails | undefined;
+        asymmetricKeyDetails?: AsymmetricKeyDetails;
         /**
          * For symmetric keys, the following encoding options can be used:
          *
@@ -662,9 +686,7 @@ declare module "node:crypto" {
          * PKCS#1 and SEC1 encryption.
          * @since v11.6.0
          */
-        export(options: KeyExportOptions<"pem">): string | Buffer;
-        export(options?: KeyExportOptions<"der">): Buffer;
-        export(options?: JwkKeyExportOptions): JsonWebKey;
+        export<T extends KeyExportOptions = {}>(options?: T): KeyExportResult<T, NonSharedBuffer>;
         /**
          * Returns `true` or `false` depending on whether the keys have exactly the same
          * type, value, and parameters. This method is not [constant time](https://en.wikipedia.org/wiki/Timing_attack).
@@ -677,7 +699,7 @@ declare module "node:crypto" {
          * property is `undefined` for asymmetric keys.
          * @since v11.6.0
          */
-        symmetricKeySize?: number | undefined;
+        symmetricKeySize?: number;
         /**
          * Converts a `KeyObject` instance to a `CryptoKey`.
          * @since 22.10.0
@@ -912,8 +934,8 @@ declare module "node:crypto" {
          * @param inputEncoding The `encoding` of the data.
          * @param outputEncoding The `encoding` of the return value.
          */
-        update(data: BinaryLike): Buffer;
-        update(data: string, inputEncoding: Encoding): Buffer;
+        update(data: BinaryLike): NonSharedBuffer;
+        update(data: string, inputEncoding: Encoding): NonSharedBuffer;
         update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
         update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
         /**
@@ -924,7 +946,7 @@ declare module "node:crypto" {
          * @param outputEncoding The `encoding` of the return value.
          * @return Any remaining enciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
          */
-        final(): Buffer;
+        final(): NonSharedBuffer;
         final(outputEncoding: BufferEncoding): string;
         /**
          * When using block encryption algorithms, the `Cipheriv` class will automatically
@@ -950,7 +972,7 @@ declare module "node:crypto" {
                 plaintextLength: number;
             },
         ): this;
-        getAuthTag(): Buffer;
+        getAuthTag(): NonSharedBuffer;
     }
     interface CipherGCM extends Cipheriv {
         setAAD(
@@ -959,7 +981,7 @@ declare module "node:crypto" {
                 plaintextLength: number;
             },
         ): this;
-        getAuthTag(): Buffer;
+        getAuthTag(): NonSharedBuffer;
     }
     interface CipherOCB extends Cipheriv {
         setAAD(
@@ -968,7 +990,7 @@ declare module "node:crypto" {
                 plaintextLength: number;
             },
         ): this;
-        getAuthTag(): Buffer;
+        getAuthTag(): NonSharedBuffer;
     }
     interface CipherChaCha20Poly1305 extends Cipheriv {
         setAAD(
@@ -977,7 +999,7 @@ declare module "node:crypto" {
                 plaintextLength: number;
             },
         ): this;
-        getAuthTag(): Buffer;
+        getAuthTag(): NonSharedBuffer;
     }
     /**
      * Creates and returns a `Decipheriv` object that uses the given `algorithm`, `key` and initialization vector (`iv`).
@@ -1162,8 +1184,8 @@ declare module "node:crypto" {
          * @param inputEncoding The `encoding` of the `data` string.
          * @param outputEncoding The `encoding` of the return value.
          */
-        update(data: NodeJS.ArrayBufferView): Buffer;
-        update(data: string, inputEncoding: Encoding): Buffer;
+        update(data: NodeJS.ArrayBufferView): NonSharedBuffer;
+        update(data: string, inputEncoding: Encoding): NonSharedBuffer;
         update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
         update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
         /**
@@ -1174,7 +1196,7 @@ declare module "node:crypto" {
          * @param outputEncoding The `encoding` of the return value.
          * @return Any remaining deciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
          */
-        final(): Buffer;
+        final(): NonSharedBuffer;
         final(outputEncoding: BufferEncoding): string;
         /**
          * When data has been encrypted without standard block padding, calling `decipher.setAutoPadding(false)` will disable automatic padding to prevent `decipher.final()` from checking for and
@@ -1229,14 +1251,14 @@ declare module "node:crypto" {
     interface PrivateKeyInput {
         key: string | Buffer;
         format?: KeyFormat | undefined;
-        type?: "pkcs1" | "pkcs8" | "sec1" | undefined;
+        type?: PrivateKeyExportType | undefined;
         passphrase?: string | Buffer | undefined;
         encoding?: string | undefined;
     }
     interface PublicKeyInput {
         key: string | Buffer;
         format?: KeyFormat | undefined;
-        type?: "pkcs1" | "spki" | undefined;
+        type?: PublicKeyExportType | undefined;
         encoding?: string | undefined;
     }
     /**
@@ -1289,7 +1311,7 @@ declare module "node:crypto" {
         },
     ): KeyObject;
     interface JsonWebKeyInput {
-        key: JsonWebKey;
+        key: webcrypto.JsonWebKey;
         format: "jwk";
     }
     /**
@@ -1336,6 +1358,7 @@ declare module "node:crypto" {
      * @since v0.1.92
      * @param options `stream.Writable` options
      */
+    // TODO: signing algorithm type
     function createSign(algorithm: string, options?: stream.WritableOptions): Sign;
     type DSAEncoding = "der" | "ieee-p1363";
     interface SigningOptions {
@@ -1345,6 +1368,7 @@ declare module "node:crypto" {
         padding?: number | undefined;
         saltLength?: number | undefined;
         dsaEncoding?: DSAEncoding | undefined;
+        context?: ArrayBuffer | NodeJS.ArrayBufferView | undefined;
     }
     interface SignPrivateKeyInput extends PrivateKeyInput, SigningOptions {}
     interface SignKeyObjectInput extends SigningOptions {
@@ -1446,7 +1470,7 @@ declare module "node:crypto" {
          * called. Multiple calls to `sign.sign()` will result in an error being thrown.
          * @since v0.1.92
          */
-        sign(privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput | SignJsonWebKeyInput): Buffer;
+        sign(privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput | SignJsonWebKeyInput): NonSharedBuffer;
         sign(
             privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput | SignJsonWebKeyInput,
             outputFormat: BinaryToTextEncoding,
@@ -1605,7 +1629,7 @@ declare module "node:crypto" {
          * @since v0.5.0
          * @param encoding The `encoding` of the return value.
          */
-        generateKeys(): Buffer;
+        generateKeys(): NonSharedBuffer;
         generateKeys(encoding: BinaryToTextEncoding): string;
         /**
          * Computes the shared secret using `otherPublicKey` as the other
@@ -1620,8 +1644,16 @@ declare module "node:crypto" {
          * @param inputEncoding The `encoding` of an `otherPublicKey` string.
          * @param outputEncoding The `encoding` of the return value.
          */
-        computeSecret(otherPublicKey: NodeJS.ArrayBufferView, inputEncoding?: null, outputEncoding?: null): Buffer;
-        computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding, outputEncoding?: null): Buffer;
+        computeSecret(
+            otherPublicKey: NodeJS.ArrayBufferView,
+            inputEncoding?: null,
+            outputEncoding?: null,
+        ): NonSharedBuffer;
+        computeSecret(
+            otherPublicKey: string,
+            inputEncoding: BinaryToTextEncoding,
+            outputEncoding?: null,
+        ): NonSharedBuffer;
         computeSecret(
             otherPublicKey: NodeJS.ArrayBufferView,
             inputEncoding: null,
@@ -1639,7 +1671,7 @@ declare module "node:crypto" {
          * @since v0.5.0
          * @param encoding The `encoding` of the return value.
          */
-        getPrime(): Buffer;
+        getPrime(): NonSharedBuffer;
         getPrime(encoding: BinaryToTextEncoding): string;
         /**
          * Returns the Diffie-Hellman generator in the specified `encoding`.
@@ -1648,7 +1680,7 @@ declare module "node:crypto" {
          * @since v0.5.0
          * @param encoding The `encoding` of the return value.
          */
-        getGenerator(): Buffer;
+        getGenerator(): NonSharedBuffer;
         getGenerator(encoding: BinaryToTextEncoding): string;
         /**
          * Returns the Diffie-Hellman public key in the specified `encoding`.
@@ -1657,7 +1689,7 @@ declare module "node:crypto" {
          * @since v0.5.0
          * @param encoding The `encoding` of the return value.
          */
-        getPublicKey(): Buffer;
+        getPublicKey(): NonSharedBuffer;
         getPublicKey(encoding: BinaryToTextEncoding): string;
         /**
          * Returns the Diffie-Hellman private key in the specified `encoding`.
@@ -1666,7 +1698,7 @@ declare module "node:crypto" {
          * @since v0.5.0
          * @param encoding The `encoding` of the return value.
          */
-        getPrivateKey(): Buffer;
+        getPrivateKey(): NonSharedBuffer;
         getPrivateKey(encoding: BinaryToTextEncoding): string;
         /**
          * Sets the Diffie-Hellman public key. If the `encoding` argument is provided, `publicKey` is expected
@@ -1810,7 +1842,7 @@ declare module "node:crypto" {
         iterations: number,
         keylen: number,
         digest: string,
-        callback: (err: Error | null, derivedKey: Buffer) => void,
+        callback: (err: Error | null, derivedKey: NonSharedBuffer) => void,
     ): void;
     /**
      * Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)
@@ -1847,7 +1879,7 @@ declare module "node:crypto" {
         iterations: number,
         keylen: number,
         digest: string,
-    ): Buffer;
+    ): NonSharedBuffer;
     /**
      * Generates cryptographically strong pseudorandom data. The `size` argument
      * is a number indicating the number of bytes to generate.
@@ -1900,10 +1932,10 @@ declare module "node:crypto" {
      * @param size The number of bytes to generate. The `size` must not be larger than `2**31 - 1`.
      * @return if the `callback` function is not provided.
      */
-    function randomBytes(size: number): Buffer;
-    function randomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
-    function pseudoRandomBytes(size: number): Buffer;
-    function pseudoRandomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
+    function randomBytes(size: number): NonSharedBuffer;
+    function randomBytes(size: number, callback: (err: Error | null, buf: NonSharedBuffer) => void): void;
+    function pseudoRandomBytes(size: number): NonSharedBuffer;
+    function pseudoRandomBytes(size: number, callback: (err: Error | null, buf: NonSharedBuffer) => void): void;
     /**
      * Return a random integer `n` such that `min <= n < max`.  This
      * implementation avoids [modulo bias](https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias).
@@ -2133,14 +2165,14 @@ declare module "node:crypto" {
         password: BinaryLike,
         salt: BinaryLike,
         keylen: number,
-        callback: (err: Error | null, derivedKey: Buffer) => void,
+        callback: (err: Error | null, derivedKey: NonSharedBuffer) => void,
     ): void;
     function scrypt(
         password: BinaryLike,
         salt: BinaryLike,
         keylen: number,
         options: ScryptOptions,
-        callback: (err: Error | null, derivedKey: Buffer) => void,
+        callback: (err: Error | null, derivedKey: NonSharedBuffer) => void,
     ): void;
     /**
      * Provides a synchronous [scrypt](https://en.wikipedia.org/wiki/Scrypt) implementation. Scrypt is a password-based
@@ -2172,7 +2204,12 @@ declare module "node:crypto" {
      * ```
      * @since v10.5.0
      */
-    function scryptSync(password: BinaryLike, salt: BinaryLike, keylen: number, options?: ScryptOptions): Buffer;
+    function scryptSync(
+        password: BinaryLike,
+        salt: BinaryLike,
+        keylen: number,
+        options?: ScryptOptions,
+    ): NonSharedBuffer;
     interface RsaPublicKey {
         key: KeyLike;
         padding?: number | undefined;
@@ -2201,7 +2238,7 @@ declare module "node:crypto" {
     function publicEncrypt(
         key: RsaPublicKey | RsaPrivateKey | KeyLike,
         buffer: NodeJS.ArrayBufferView | string,
-    ): Buffer;
+    ): NonSharedBuffer;
     /**
      * Decrypts `buffer` with `key`.`buffer` was previously encrypted using
      * the corresponding private key, for example using {@link privateEncrypt}.
@@ -2216,7 +2253,7 @@ declare module "node:crypto" {
     function publicDecrypt(
         key: RsaPublicKey | RsaPrivateKey | KeyLike,
         buffer: NodeJS.ArrayBufferView | string,
-    ): Buffer;
+    ): NonSharedBuffer;
     /**
      * Decrypts `buffer` with `privateKey`. `buffer` was previously encrypted using
      * the corresponding public key, for example using {@link publicEncrypt}.
@@ -2225,7 +2262,10 @@ declare module "node:crypto" {
      * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_OAEP_PADDING`.
      * @since v0.11.14
      */
-    function privateDecrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView | string): Buffer;
+    function privateDecrypt(
+        privateKey: RsaPrivateKey | KeyLike,
+        buffer: NodeJS.ArrayBufferView | string,
+    ): NonSharedBuffer;
     /**
      * Encrypts `buffer` with `privateKey`. The returned data can be decrypted using
      * the corresponding public key, for example using {@link publicDecrypt}.
@@ -2234,7 +2274,10 @@ declare module "node:crypto" {
      * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_PADDING`.
      * @since v1.1.0
      */
-    function privateEncrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView | string): Buffer;
+    function privateEncrypt(
+        privateKey: RsaPrivateKey | KeyLike,
+        buffer: NodeJS.ArrayBufferView | string,
+    ): NonSharedBuffer;
     /**
      * ```js
      * const {
@@ -2363,7 +2406,7 @@ declare module "node:crypto" {
             inputEncoding?: BinaryToTextEncoding,
             outputEncoding?: "latin1" | "hex" | "base64" | "base64url",
             format?: "uncompressed" | "compressed" | "hybrid",
-        ): Buffer | string;
+        ): NonSharedBuffer | string;
         /**
          * Generates private and public EC Diffie-Hellman key values, and returns
          * the public key in the specified `format` and `encoding`. This key should be
@@ -2376,7 +2419,7 @@ declare module "node:crypto" {
          * @param encoding The `encoding` of the return value.
          * @param [format='uncompressed']
          */
-        generateKeys(): Buffer;
+        generateKeys(): NonSharedBuffer;
         generateKeys(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
         /**
          * Computes the shared secret using `otherPublicKey` as the other
@@ -2395,8 +2438,8 @@ declare module "node:crypto" {
          * @param inputEncoding The `encoding` of the `otherPublicKey` string.
          * @param outputEncoding The `encoding` of the return value.
          */
-        computeSecret(otherPublicKey: NodeJS.ArrayBufferView): Buffer;
-        computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding): Buffer;
+        computeSecret(otherPublicKey: NodeJS.ArrayBufferView): NonSharedBuffer;
+        computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding): NonSharedBuffer;
         computeSecret(otherPublicKey: NodeJS.ArrayBufferView, outputEncoding: BinaryToTextEncoding): string;
         computeSecret(
             otherPublicKey: string,
@@ -2410,7 +2453,7 @@ declare module "node:crypto" {
          * @param encoding The `encoding` of the return value.
          * @return The EC Diffie-Hellman in the specified `encoding`.
          */
-        getPrivateKey(): Buffer;
+        getPrivateKey(): NonSharedBuffer;
         getPrivateKey(encoding: BinaryToTextEncoding): string;
         /**
          * The `format` argument specifies point encoding and can be `'compressed'` or `'uncompressed'`. If `format` is not specified the point will be returned in`'uncompressed'` format.
@@ -2422,7 +2465,7 @@ declare module "node:crypto" {
          * @param [format='uncompressed']
          * @return The EC Diffie-Hellman public key in the specified `encoding` and `format`.
          */
-        getPublicKey(encoding?: null, format?: ECDHKeyFormat): Buffer;
+        getPublicKey(encoding?: null, format?: ECDHKeyFormat): NonSharedBuffer;
         getPublicKey(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
         /**
          * Sets the EC Diffie-Hellman private key.
@@ -2472,66 +2515,27 @@ declare module "node:crypto" {
      * @since v6.6.0
      */
     function timingSafeEqual(a: NodeJS.ArrayBufferView, b: NodeJS.ArrayBufferView): boolean;
-    type KeyType = "rsa" | "rsa-pss" | "dsa" | "ec" | "ed25519" | "ed448" | "x25519" | "x448";
-    type KeyFormat = "pem" | "der" | "jwk";
-    interface BasePrivateKeyEncodingOptions<T extends KeyFormat> {
-        format: T;
-        cipher?: string | undefined;
-        passphrase?: string | undefined;
-    }
-    interface KeyPairKeyObjectResult {
-        publicKey: KeyObject;
-        privateKey: KeyObject;
-    }
-    interface ED25519KeyPairKeyObjectOptions {}
-    interface ED448KeyPairKeyObjectOptions {}
-    interface X25519KeyPairKeyObjectOptions {}
-    interface X448KeyPairKeyObjectOptions {}
-    interface ECKeyPairKeyObjectOptions {
-        /**
-         * Name of the curve to use
-         */
-        namedCurve: string;
-        /**
-         * Must be `'named'` or `'explicit'`. Default: `'named'`.
-         */
-        paramEncoding?: "explicit" | "named" | undefined;
-    }
-    interface RSAKeyPairKeyObjectOptions {
-        /**
-         * Key size in bits
-         */
-        modulusLength: number;
-        /**
-         * Public exponent
-         * @default 0x10001
-         */
-        publicExponent?: number | undefined;
-    }
-    interface RSAPSSKeyPairKeyObjectOptions {
-        /**
-         * Key size in bits
-         */
-        modulusLength: number;
+    interface DHKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {
         /**
-         * Public exponent
-         * @default 0x10001
+         * The prime parameter
          */
-        publicExponent?: number | undefined;
+        prime?: Buffer | undefined;
         /**
-         * Name of the message digest
+         * Prime length in bits
          */
-        hashAlgorithm?: string;
+        primeLength?: number | undefined;
         /**
-         * Name of the message digest used by MGF1
+         * Custom generator
+         * @default 2
          */
-        mgf1HashAlgorithm?: string;
+        generator?: number | undefined;
         /**
-         * Minimal salt length in bytes
+         * Diffie-Hellman group name
+         * @see {@link getDiffieHellman}
          */
-        saltLength?: string;
+        groupName?: string | undefined;
     }
-    interface DSAKeyPairKeyObjectOptions {
+    interface DSAKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {
         /**
          * Key size in bits
          */
@@ -2541,25 +2545,22 @@ declare module "node:crypto" {
          */
         divisorLength: number;
     }
-    interface RSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
+    interface ECKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8" | "sec1"> {
         /**
-         * Key size in bits
+         * Name of the curve to use
          */
-        modulusLength: number;
+        namedCurve: string;
         /**
-         * Public exponent
-         * @default 0x10001
+         * Must be `'named'` or `'explicit'`
+         * @default 'named'
          */
-        publicExponent?: number | undefined;
-        publicKeyEncoding: {
-            type: "pkcs1" | "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs1" | "pkcs8";
-        };
+        paramEncoding?: "explicit" | "named" | undefined;
     }
-    interface RSAPSSKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
+    interface ED25519KeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface ED448KeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface MLDSAKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface MLKEMKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface RSAPSSKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {
         /**
          * Key size in bits
          */
@@ -2572,92 +2573,33 @@ declare module "node:crypto" {
         /**
          * Name of the message digest
          */
-        hashAlgorithm?: string;
+        hashAlgorithm?: string | undefined;
         /**
          * Name of the message digest used by MGF1
          */
-        mgf1HashAlgorithm?: string;
+        mgf1HashAlgorithm?: string | undefined;
         /**
          * Minimal salt length in bytes
          */
-        saltLength?: string;
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
+        saltLength?: string | undefined;
     }
-    interface DSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
+    interface RSAKeyPairOptions extends KeyPairExportOptions<"pkcs1" | "spki", "pkcs1" | "pkcs8"> {
         /**
          * Key size in bits
          */
         modulusLength: number;
         /**
-         * Size of q in bits
+         * Public exponent
+         * @default 0x10001
          */
-        divisorLength: number;
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
-    }
-    interface ECKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> extends ECKeyPairKeyObjectOptions {
-        publicKeyEncoding: {
-            type: "pkcs1" | "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "sec1" | "pkcs8";
-        };
-    }
-    interface ED25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
-    }
-    interface ED448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
-    }
-    interface X25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
-    }
-    interface X448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
-        publicKeyEncoding: {
-            type: "spki";
-            format: PubF;
-        };
-        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
-            type: "pkcs8";
-        };
-    }
-    interface KeyPairSyncResult<T1 extends string | Buffer, T2 extends string | Buffer> {
-        publicKey: T1;
-        privateKey: T2;
+        publicExponent?: number | undefined;
     }
+    interface SLHDSAKeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface X25519KeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
+    interface X448KeyPairOptions extends KeyPairExportOptions<"spki", "pkcs8"> {}
     /**
      * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
-     * Ed25519, Ed448, X25519, X448, and DH are currently supported.
+     * Ed25519, Ed448, X25519, X448, DH, and ML-DSA are currently supported.
      *
      * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
      * behaves as if `keyObject.export()` had been called on its result. Otherwise,
@@ -2694,144 +2636,57 @@ declare module "node:crypto" {
      * When PEM encoding was selected, the respective key will be a string, otherwise
      * it will be a buffer containing the data encoded as DER.
      * @since v10.12.0
-     * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
-     */
-    function generateKeyPairSync(
-        type: "rsa",
-        options: RSAKeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "rsa",
-        options: RSAKeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "rsa",
-        options: RSAKeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "rsa",
-        options: RSAKeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "rsa", options: RSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "rsa-pss", options: RSAPSSKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
+     * @param type The asymmetric key type to generate. See the
+     * supported [asymmetric key types](https://nodejs.org/docs/latest-v25.x/api/crypto.html#asymmetric-key-types).
+     */
+    function generateKeyPairSync<T extends DHKeyPairOptions>(
+        type: "dh",
+        options: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends DSAKeyPairOptions>(
         type: "dsa",
-        options: DSAKeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "dsa",
-        options: DSAKeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "dsa",
-        options: DSAKeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "dsa",
-        options: DSAKeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "dsa", options: DSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
-        type: "ec",
-        options: ECKeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "ec",
-        options: ECKeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "ec",
-        options: ECKeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
+        options: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends ECKeyPairOptions>(
         type: "ec",
-        options: ECKeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "ec", options: ECKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
+        options: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends ED25519KeyPairOptions = {}>(
         type: "ed25519",
-        options: ED25519KeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "ed25519", options?: ED25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
-        type: "ed448",
-        options: ED448KeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "ed448",
-        options: ED448KeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends ED448KeyPairOptions = {}>(
         type: "ed448",
-        options: ED448KeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "ed448",
-        options: ED448KeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "ed448", options?: ED448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
-        type: "x25519",
-        options: X25519KeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "x25519",
-        options: X25519KeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "x25519",
-        options: X25519KeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends MLDSAKeyPairOptions = {}>(
+        type: MLDSAKeyType,
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends MLKEMKeyPairOptions = {}>(
+        type: MLKEMKeyType,
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends RSAPSSKeyPairOptions>(
+        type: "rsa-pss",
+        options: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends RSAKeyPairOptions>(
+        type: "rsa",
+        options: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends SLHDSAKeyPairOptions = {}>(
+        type: SLHDSAKeyType,
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends X25519KeyPairOptions = {}>(
         type: "x25519",
-        options: X25519KeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "x25519", options?: X25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
-    function generateKeyPairSync(
+        options?: T,
+    ): KeyPairExportResult<T>;
+    function generateKeyPairSync<T extends X448KeyPairOptions = {}>(
         type: "x448",
-        options: X448KeyPairOptions<"pem", "pem">,
-    ): KeyPairSyncResult<string, string>;
-    function generateKeyPairSync(
-        type: "x448",
-        options: X448KeyPairOptions<"pem", "der">,
-    ): KeyPairSyncResult<string, Buffer>;
-    function generateKeyPairSync(
-        type: "x448",
-        options: X448KeyPairOptions<"der", "pem">,
-    ): KeyPairSyncResult<Buffer, string>;
-    function generateKeyPairSync(
-        type: "x448",
-        options: X448KeyPairOptions<"der", "der">,
-    ): KeyPairSyncResult<Buffer, Buffer>;
-    function generateKeyPairSync(type: "x448", options?: X448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
+        options?: T,
+    ): KeyPairExportResult<T>;
     /**
      * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
      * Ed25519, Ed448, X25519, X448, and DH are currently supported.
@@ -2869,455 +2724,126 @@ declare module "node:crypto" {
      * If this method is invoked as its `util.promisify()` ed version, it returns
      * a `Promise` for an `Object` with `publicKey` and `privateKey` properties.
      * @since v10.12.0
-     * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
+     * @param type The asymmetric key type to generate. See the
+     * supported [asymmetric key types](https://nodejs.org/docs/latest-v25.x/api/crypto.html#asymmetric-key-types).
      */
-    function generateKeyPair(
-        type: "rsa",
-        options: RSAKeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa",
-        options: RSAKeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa",
-        options: RSAKeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa",
-        options: RSAKeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa",
-        options: RSAKeyPairKeyObjectOptions,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "rsa-pss",
-        options: RSAPSSKeyPairKeyObjectOptions,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "dsa",
-        options: DSAKeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "dsa",
-        options: DSAKeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+    function generateKeyPair<T extends DHKeyPairOptions>(
+        type: "dh",
+        options: T,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends DSAKeyPairOptions>(
         type: "dsa",
-        options: DSAKeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
+        options: T,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "dsa",
-        options: DSAKeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "dsa",
-        options: DSAKeyPairKeyObjectOptions,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ec",
-        options: ECKeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends ECKeyPairOptions>(
         type: "ec",
-        options: ECKeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+        options: T,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "ec",
-        options: ECKeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ec",
-        options: ECKeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ec",
-        options: ECKeyPairKeyObjectOptions,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends ED25519KeyPairOptions = {}>(
         type: "ed25519",
-        options: ED25519KeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed25519",
-        options: ED25519KeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed25519",
-        options: ED25519KeyPairKeyObjectOptions | undefined,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed448",
-        options: ED448KeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "ed448",
-        options: ED448KeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends ED448KeyPairOptions = {}>(
         type: "ed448",
-        options: ED448KeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "ed448",
-        options: ED448KeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
+    function generateKeyPair<T extends MLDSAKeyPairOptions = {}>(
+        type: MLDSAKeyType,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "ed448",
-        options: ED448KeyPairKeyObjectOptions | undefined,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
+    function generateKeyPair<T extends MLKEMKeyPairOptions = {}>(
+        type: MLKEMKeyType,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "x25519",
-        options: X25519KeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
+    function generateKeyPair<T extends RSAPSSKeyPairOptions>(
+        type: "rsa-pss",
+        options: T,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "x25519",
-        options: X25519KeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+    function generateKeyPair<T extends RSAKeyPairOptions>(
+        type: "rsa",
+        options: T,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "x25519",
-        options: X25519KeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
+    function generateKeyPair<T extends SLHDSAKeyPairOptions = {}>(
+        type: SLHDSAKeyType,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends X25519KeyPairOptions = {}>(
         type: "x25519",
-        options: X25519KeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
-    function generateKeyPair(
-        type: "x25519",
-        options: X25519KeyPairKeyObjectOptions | undefined,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
-    ): void;
-    function generateKeyPair(
-        type: "x448",
-        options: X448KeyPairOptions<"pem", "pem">,
-        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "x448",
-        options: X448KeyPairOptions<"pem", "der">,
-        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
+    function generateKeyPair<T extends X448KeyPairOptions = {}>(
         type: "x448",
-        options: X448KeyPairOptions<"der", "pem">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
-    ): void;
-    function generateKeyPair(
-        type: "x448",
-        options: X448KeyPairOptions<"der", "der">,
-        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
-    ): void;
-    function generateKeyPair(
-        type: "x448",
-        options: X448KeyPairKeyObjectOptions | undefined,
-        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
+        options: T | undefined,
+        callback: KeyPairExportCallback<T>,
     ): void;
     namespace generateKeyPair {
-        function __promisify__(
-            type: "rsa",
-            options: RSAKeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "rsa",
-            options: RSAKeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "rsa",
-            options: RSAKeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "rsa",
-            options: RSAKeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(type: "rsa", options: RSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "rsa-pss",
-            options: RSAPSSKeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "rsa-pss",
-            options: RSAPSSKeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "rsa-pss",
-            options: RSAPSSKeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "rsa-pss",
-            options: RSAPSSKeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "rsa-pss",
-            options: RSAPSSKeyPairKeyObjectOptions,
-        ): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "dsa",
-            options: DSAKeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "dsa",
-            options: DSAKeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "dsa",
-            options: DSAKeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
+        function __promisify__<T extends DHKeyPairOptions>(
+            type: "dh",
+            options: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends DSAKeyPairOptions>(
             type: "dsa",
-            options: DSAKeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(type: "dsa", options: DSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
+            options: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends ECKeyPairOptions>(
             type: "ec",
-            options: ECKeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "ec",
-            options: ECKeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "ec",
-            options: ECKeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "ec",
-            options: ECKeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(type: "ec", options: ECKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "ed25519",
-            options: ED25519KeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "ed25519",
-            options: ED25519KeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "ed25519",
-            options: ED25519KeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
+            options: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends ED25519KeyPairOptions = {}>(
             type: "ed25519",
-            options: ED25519KeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "ed25519",
-            options?: ED25519KeyPairKeyObjectOptions,
-        ): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "ed448",
-            options: ED448KeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "ed448",
-            options: ED448KeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends ED448KeyPairOptions = {}>(
             type: "ed448",
-            options: ED448KeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "ed448",
-            options: ED448KeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(type: "ed448", options?: ED448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "x25519",
-            options: X25519KeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "x25519",
-            options: X25519KeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "x25519",
-            options: X25519KeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "x25519",
-            options: X25519KeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends MLDSAKeyPairOptions = {}>(
+            type: MLDSAKeyType,
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends MLKEMKeyPairOptions = {}>(
+            type: MLKEMKeyType,
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends RSAPSSKeyPairOptions>(
+            type: "rsa-pss",
+            options: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends RSAKeyPairOptions>(
+            type: "rsa",
+            options: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends SLHDSAKeyPairOptions = {}>(
+            type: SLHDSAKeyType,
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends X25519KeyPairOptions = {}>(
             type: "x25519",
-            options?: X25519KeyPairKeyObjectOptions,
-        ): Promise<KeyPairKeyObjectResult>;
-        function __promisify__(
-            type: "x448",
-            options: X448KeyPairOptions<"pem", "pem">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: string;
-        }>;
-        function __promisify__(
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
+        function __promisify__<T extends X448KeyPairOptions = {}>(
             type: "x448",
-            options: X448KeyPairOptions<"pem", "der">,
-        ): Promise<{
-            publicKey: string;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(
-            type: "x448",
-            options: X448KeyPairOptions<"der", "pem">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: string;
-        }>;
-        function __promisify__(
-            type: "x448",
-            options: X448KeyPairOptions<"der", "der">,
-        ): Promise<{
-            publicKey: Buffer;
-            privateKey: Buffer;
-        }>;
-        function __promisify__(type: "x448", options?: X448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
+            options?: T,
+        ): Promise<KeyPairExportResult<T>>;
     }
     /**
      * Calculates and returns the signature for `data` using the given private key and
      * algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is
-     * dependent upon the key type (especially Ed25519 and Ed448).
+     * dependent upon the key type.
+     *
+     * `algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+     * ML-DSA.
      *
      * If `key` is not a `KeyObject`, this function behaves as if `key` had been
      * passed to {@link createPrivateKey}. If it is an object, the following
@@ -3330,16 +2856,20 @@ declare module "node:crypto" {
         algorithm: string | null | undefined,
         data: NodeJS.ArrayBufferView,
         key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput | SignJsonWebKeyInput,
-    ): Buffer;
+    ): NonSharedBuffer;
     function sign(
         algorithm: string | null | undefined,
         data: NodeJS.ArrayBufferView,
         key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput | SignJsonWebKeyInput,
-        callback: (error: Error | null, data: Buffer) => void,
+        callback: (error: Error | null, data: NonSharedBuffer) => void,
     ): void;
     /**
-     * Verifies the given signature for `data` using the given key and algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
-     * key type (especially Ed25519 and Ed448).
+     * Verifies the given signature for `data` using the given key and algorithm. If
+     * `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
+     * key type.
+     *
+     * `algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+     * ML-DSA.
      *
      * If `key` is not a `KeyObject`, this function behaves as if `key` had been
      * passed to {@link createPublicKey}. If it is an object, the following
@@ -3367,23 +2897,102 @@ declare module "node:crypto" {
         callback: (error: Error | null, result: boolean) => void,
     ): void;
     /**
-     * Computes the Diffie-Hellman secret based on a `privateKey` and a `publicKey`.
-     * Both keys must have the same `asymmetricKeyType`, which must be one of `'dh'`
-     * (for Diffie-Hellman), `'ec'`, `'x448'`, or `'x25519'` (for ECDH).
+     * Key decapsulation using a KEM algorithm with a private key.
+     *
+     * Supported key types and their KEM algorithms are:
+     *
+     * * `'rsa'` RSA Secret Value Encapsulation
+     * * `'ec'` DHKEM(P-256, HKDF-SHA256), DHKEM(P-384, HKDF-SHA256), DHKEM(P-521, HKDF-SHA256)
+     * * `'x25519'` DHKEM(X25519, HKDF-SHA256)
+     * * `'x448'` DHKEM(X448, HKDF-SHA512)
+     * * `'ml-kem-512'` ML-KEM
+     * * `'ml-kem-768'` ML-KEM
+     * * `'ml-kem-1024'` ML-KEM
+     *
+     * If `key` is not a {@link KeyObject}, this function behaves as if `key` had been
+     * passed to `crypto.createPrivateKey()`.
+     *
+     * If the `callback` function is provided this function uses libuv's threadpool.
+     * @since v24.7.0
+     */
+    function decapsulate(
+        key: KeyLike | PrivateKeyInput | JsonWebKeyInput,
+        ciphertext: ArrayBuffer | NodeJS.ArrayBufferView,
+    ): NonSharedBuffer;
+    function decapsulate(
+        key: KeyLike | PrivateKeyInput | JsonWebKeyInput,
+        ciphertext: ArrayBuffer | NodeJS.ArrayBufferView,
+        callback: (err: Error, sharedKey: NonSharedBuffer) => void,
+    ): void;
+    /**
+     * Computes the Diffie-Hellman shared secret based on a `privateKey` and a `publicKey`.
+     * Both keys must have the same `asymmetricKeyType` and must support either the DH or
+     * ECDH operation.
      *
      * If the `callback` function is provided this function uses libuv's threadpool.
      * @since v13.9.0, v12.17.0
      */
-    function diffieHellman(options: { privateKey: KeyObject; publicKey: KeyObject }): Buffer;
+    function diffieHellman(options: { privateKey: KeyObject; publicKey: KeyObject }): NonSharedBuffer;
     function diffieHellman(
         options: { privateKey: KeyObject; publicKey: KeyObject },
-        callback: (err: Error | null, secret: Buffer) => void,
+        callback: (err: Error | null, secret: NonSharedBuffer) => void,
+    ): void;
+    /**
+     * Key encapsulation using a KEM algorithm with a public key.
+     *
+     * Supported key types and their KEM algorithms are:
+     *
+     * * `'rsa'` RSA Secret Value Encapsulation
+     * * `'ec'` DHKEM(P-256, HKDF-SHA256), DHKEM(P-384, HKDF-SHA256), DHKEM(P-521, HKDF-SHA256)
+     * * `'x25519'` DHKEM(X25519, HKDF-SHA256)
+     * * `'x448'` DHKEM(X448, HKDF-SHA512)
+     * * `'ml-kem-512'` ML-KEM
+     * * `'ml-kem-768'` ML-KEM
+     * * `'ml-kem-1024'` ML-KEM
+     *
+     * If `key` is not a {@link KeyObject}, this function behaves as if `key` had been
+     * passed to `crypto.createPublicKey()`.
+     *
+     * If the `callback` function is provided this function uses libuv's threadpool.
+     * @since v24.7.0
+     */
+    function encapsulate(
+        key: KeyLike | PublicKeyInput | JsonWebKeyInput,
+    ): { sharedKey: NonSharedBuffer; ciphertext: NonSharedBuffer };
+    function encapsulate(
+        key: KeyLike | PublicKeyInput | JsonWebKeyInput,
+        callback: (err: Error, result: { sharedKey: NonSharedBuffer; ciphertext: NonSharedBuffer }) => void,
     ): void;
+    interface OneShotDigestOptions {
+        /**
+         * Encoding used to encode the returned digest.
+         * @default 'hex'
+         */
+        outputEncoding?: BinaryToTextEncoding | "buffer" | undefined;
+        /**
+         * For XOF hash functions such as 'shake256', the outputLength option
+         * can be used to specify the desired output length in bytes.
+         */
+        outputLength?: number | undefined;
+    }
+    interface OneShotDigestOptionsWithStringEncoding extends OneShotDigestOptions {
+        outputEncoding?: BinaryToTextEncoding | undefined;
+    }
+    interface OneShotDigestOptionsWithBufferEncoding extends OneShotDigestOptions {
+        outputEncoding: "buffer";
+    }
     /**
-     * A utility for creating one-shot hash digests of data. It can be faster than the object-based `crypto.createHash()` when hashing a smaller amount of data
-     * (<= 5MB) that's readily available. If the data can be big or if it is streamed, it's still recommended to use `crypto.createHash()` instead. The `algorithm`
-     * is dependent on the available algorithms supported by the version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. On recent releases
-     * of OpenSSL, `openssl list -digest-algorithms` will display the available digest algorithms.
+     * A utility for creating one-shot hash digests of data. It can be faster than
+     * the object-based `crypto.createHash()` when hashing a smaller amount of data
+     * (<= 5MB) that's readily available. If the data can be big or if it is streamed,
+     * it's still recommended to use `crypto.createHash()` instead.
+     *
+     * The `algorithm` is dependent on the available algorithms supported by the
+     * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
+     * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
+     * display the available digest algorithms.
+     *
+     * If `options` is a string, then it specifies the `outputEncoding`.
      *
      * Example:
      *
@@ -3403,17 +3012,26 @@ declare module "node:crypto" {
      * console.log(crypto.hash('sha1', Buffer.from(base64, 'base64'), 'buffer'));
      * ```
      * @since v21.7.0, v20.12.0
-     * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different input encoding is desired for a string input, user
-     *             could encode the string into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing the encoded `TypedArray` into this API instead.
-     * @param [outputEncoding='hex'] [Encoding](https://nodejs.org/docs/latest-v24.x/api/buffer.html#buffers-and-character-encodings) used to encode the returned digest.
+     * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different
+     * input encoding is desired for a string input, user could encode the string
+     * into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing
+     * the encoded `TypedArray` into this API instead.
      */
-    function hash(algorithm: string, data: BinaryLike, outputEncoding?: BinaryToTextEncoding): string;
-    function hash(algorithm: string, data: BinaryLike, outputEncoding: "buffer"): Buffer;
     function hash(
         algorithm: string,
         data: BinaryLike,
-        outputEncoding?: BinaryToTextEncoding | "buffer",
-    ): string | Buffer;
+        options?: OneShotDigestOptionsWithStringEncoding | BinaryToTextEncoding,
+    ): string;
+    function hash(
+        algorithm: string,
+        data: BinaryLike,
+        options: OneShotDigestOptionsWithBufferEncoding | "buffer",
+    ): NonSharedBuffer;
+    function hash(
+        algorithm: string,
+        data: BinaryLike,
+        options: OneShotDigestOptions | BinaryToTextEncoding | "buffer",
+    ): string | NonSharedBuffer;
     type CipherMode = "cbc" | "ccm" | "cfb" | "ctr" | "ecb" | "gcm" | "ocb" | "ofb" | "stream" | "wrap" | "xts";
     interface CipherInfoOptions {
         /**
@@ -3577,23 +3195,23 @@ declare module "node:crypto" {
         /**
          * @default 'always'
          */
-        subject?: "always" | "default" | "never";
+        subject?: "always" | "default" | "never" | undefined;
         /**
          * @default true
          */
-        wildcards?: boolean;
+        wildcards?: boolean | undefined;
         /**
          * @default true
          */
-        partialWildcards?: boolean;
+        partialWildcards?: boolean | undefined;
         /**
          * @default false
          */
-        multiLabelWildcards?: boolean;
+        multiLabelWildcards?: boolean | undefined;
         /**
          * @default false
          */
-        singleLabelSubdomains?: boolean;
+        singleLabelSubdomains?: boolean | undefined;
     }
     /**
      * Encapsulates an X509 certificate and provides read-only access to
@@ -3695,7 +3313,7 @@ declare module "node:crypto" {
          * available.
          * @since v15.9.0
          */
-        readonly issuerCertificate?: X509Certificate | undefined;
+        readonly issuerCertificate: X509Certificate | undefined;
         /**
          * The public key `KeyObject` for this certificate.
          * @since v15.6.0
@@ -3705,7 +3323,7 @@ declare module "node:crypto" {
          * A `Buffer` containing the DER encoding of this certificate.
          * @since v15.6.0
          */
-        readonly raw: Buffer;
+        readonly raw: NonSharedBuffer;
         /**
          * The serial number of this certificate.
          *
@@ -3715,6 +3333,16 @@ declare module "node:crypto" {
          * @since v15.6.0
          */
         readonly serialNumber: string;
+        /**
+         * The algorithm used to sign the certificate or `undefined` if the signature algorithm is unknown by OpenSSL.
+         * @since v24.9.0
+         */
+        readonly signatureAlgorithm: string | undefined;
+        /**
+         * The OID of the algorithm used to sign the certificate.
+         * @since v24.9.0
+         */
+        readonly signatureAlgorithmOid: string;
         /**
          * The date/time from which this certificate is considered valid.
          * @since v15.6.0
@@ -3787,7 +3415,23 @@ declare module "node:crypto" {
          */
         checkIP(ip: string): string | undefined;
         /**
-         * Checks whether this certificate was issued by the given `otherCert`.
+         * Checks whether this certificate was potentially issued by the given `otherCert`
+         * by comparing the certificate metadata.
+         *
+         * This is useful for pruning a list of possible issuer certificates which have been
+         * selected using a more rudimentary filtering routine, i.e. just based on subject
+         * and issuer names.
+         *
+         * Finally, to verify that this certificate's signature was produced by a private key
+         * corresponding to `otherCert`'s public key use `x509.verify(publicKey)`
+         * with `otherCert`'s public key represented as a `KeyObject`
+         * like so
+         *
+         * ```js
+         * if (!x509.verify(otherCert.publicKey)) {
+         *   throw new Error('otherCert did not issue x509');
+         * }
+         * ```
          * @since v15.6.0
          */
         checkIssued(otherCert: X509Certificate): boolean;
@@ -3970,7 +3614,136 @@ declare module "node:crypto" {
      * @since v17.4.0
      * @return Returns `typedArray`.
      */
-    function getRandomValues<T extends webcrypto.BufferSource>(typedArray: T): T;
+    function getRandomValues<
+        T extends Exclude<
+            NodeJS.NonSharedTypedArray,
+            NodeJS.NonSharedFloat16Array | NodeJS.NonSharedFloat32Array | NodeJS.NonSharedFloat64Array
+        >,
+    >(typedArray: T): T;
+    type Argon2Algorithm = "argon2d" | "argon2i" | "argon2id";
+    interface Argon2Parameters {
+        /**
+         * REQUIRED, this is the password for password hashing applications of Argon2.
+         */
+        message: string | ArrayBuffer | NodeJS.ArrayBufferView;
+        /**
+         * REQUIRED, must be at least 8 bytes long. This is the salt for password hashing applications of Argon2.
+         */
+        nonce: string | ArrayBuffer | NodeJS.ArrayBufferView;
+        /**
+         * REQUIRED, degree of parallelism determines how many computational chains (lanes)
+         * can be run. Must be greater than 1 and less than `2**24-1`.
+         */
+        parallelism: number;
+        /**
+         * REQUIRED, the length of the key to generate. Must be greater than 4 and
+         * less than `2**32-1`.
+         */
+        tagLength: number;
+        /**
+         * REQUIRED, memory cost in 1KiB blocks. Must be greater than
+         * `8 * parallelism` and less than `2**32-1`. The actual number of blocks is rounded
+         * down to the nearest multiple of `4 * parallelism`.
+         */
+        memory: number;
+        /**
+         * REQUIRED, number of passes (iterations). Must be greater than 1 and less
+         * than `2**32-1`.
+         */
+        passes: number;
+        /**
+         * OPTIONAL, Random additional input,
+         * similar to the salt, that should **NOT** be stored with the derived key. This is known as pepper in
+         * password hashing applications. If used, must have a length not greater than `2**32-1` bytes.
+         */
+        secret?: string | ArrayBuffer | NodeJS.ArrayBufferView | undefined;
+        /**
+         * OPTIONAL, Additional data to
+         * be added to the hash, functionally equivalent to salt or secret, but meant for
+         * non-random data. If used, must have a length not greater than `2**32-1` bytes.
+         */
+        associatedData?: string | ArrayBuffer | NodeJS.ArrayBufferView | undefined;
+    }
+    /**
+     * Provides an asynchronous [Argon2](https://www.rfc-editor.org/rfc/rfc9106.html) implementation. Argon2 is a password-based
+     * key derivation function that is designed to be expensive computationally and
+     * memory-wise in order to make brute-force attacks unrewarding.
+     *
+     * The `nonce` should be as unique as possible. It is recommended that a nonce is
+     * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
+     *
+     * When passing strings for `message`, `nonce`, `secret` or `associatedData`, please
+     * consider [caveats when using strings as inputs to cryptographic APIs](https://nodejs.org/docs/latest-v25.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis).
+     *
+     * The `callback` function is called with two arguments: `err` and `derivedKey`.
+     * `err` is an exception object when key derivation fails, otherwise `err` is
+     * `null`. `derivedKey` is passed to the callback as a `Buffer`.
+     *
+     * An exception is thrown when any of the input arguments specify invalid values
+     * or types.
+     *
+     * ```js
+     * const { argon2, randomBytes } = await import('node:crypto');
+     *
+     * const parameters = {
+     *   message: 'password',
+     *   nonce: randomBytes(16),
+     *   parallelism: 4,
+     *   tagLength: 64,
+     *   memory: 65536,
+     *   passes: 3,
+     * };
+     *
+     * argon2('argon2id', parameters, (err, derivedKey) => {
+     *   if (err) throw err;
+     *   console.log(derivedKey.toString('hex'));  // 'af91dad...9520f15'
+     * });
+     * ```
+     * @since v24.7.0
+     * @param algorithm Variant of Argon2, one of `"argon2d"`, `"argon2i"` or `"argon2id"`.
+     * @experimental
+     */
+    function argon2(
+        algorithm: Argon2Algorithm,
+        parameters: Argon2Parameters,
+        callback: (err: Error | null, derivedKey: NonSharedBuffer) => void,
+    ): void;
+    /**
+     * Provides a synchronous [Argon2][] implementation. Argon2 is a password-based
+     * key derivation function that is designed to be expensive computationally and
+     * memory-wise in order to make brute-force attacks unrewarding.
+     *
+     * The `nonce` should be as unique as possible. It is recommended that a nonce is
+     * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
+     *
+     * When passing strings for `message`, `nonce`, `secret` or `associatedData`, please
+     * consider [caveats when using strings as inputs to cryptographic APIs](https://nodejs.org/docs/latest-v25.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis).
+     *
+     * An exception is thrown when key derivation fails, otherwise the derived key is
+     * returned as a `Buffer`.
+     *
+     * An exception is thrown when any of the input arguments specify invalid values
+     * or types.
+     *
+     * ```js
+     * const { argon2Sync, randomBytes } = await import('node:crypto');
+     *
+     * const parameters = {
+     *   message: 'password',
+     *   nonce: randomBytes(16),
+     *   parallelism: 4,
+     *   tagLength: 64,
+     *   memory: 65536,
+     *   passes: 3,
+     * };
+     *
+     * const derivedKey = argon2Sync('argon2id', parameters);
+     * console.log(derivedKey.toString('hex'));  // 'af91dad...9520f15'
+     * ```
+     * @since v24.7.0
+     * @experimental
+     */
+    function argon2Sync(algorithm: Argon2Algorithm, parameters: Argon2Parameters): NonSharedBuffer;
     /**
      * A convenient alias for `crypto.webcrypto.subtle`.
      * @since v17.4.0
@@ -3984,37 +3757,40 @@ declare module "node:crypto" {
      */
     const webcrypto: webcrypto.Crypto;
     namespace webcrypto {
-        type BufferSource = ArrayBufferView | ArrayBuffer;
-        type KeyFormat = "jwk" | "pkcs8" | "raw" | "spki";
+        type AlgorithmIdentifier = Algorithm | string;
+        type BigInteger = NodeJS.NonSharedUint8Array;
+        type KeyFormat = "jwk" | "pkcs8" | "raw" | "raw-public" | "raw-secret" | "raw-seed" | "spki";
         type KeyType = "private" | "public" | "secret";
         type KeyUsage =
+            | "decapsulateBits"
+            | "decapsulateKey"
             | "decrypt"
             | "deriveBits"
             | "deriveKey"
+            | "encapsulateBits"
+            | "encapsulateKey"
             | "encrypt"
             | "sign"
             | "unwrapKey"
             | "verify"
             | "wrapKey";
-        type AlgorithmIdentifier = Algorithm | string;
         type HashAlgorithmIdentifier = AlgorithmIdentifier;
         type NamedCurve = string;
-        type BigInteger = Uint8Array;
+        interface AeadParams extends Algorithm {
+            additionalData?: NodeJS.BufferSource;
+            iv: NodeJS.BufferSource;
+            tagLength: number;
+        }
         interface AesCbcParams extends Algorithm {
-            iv: BufferSource;
+            iv: NodeJS.BufferSource;
         }
         interface AesCtrParams extends Algorithm {
-            counter: BufferSource;
+            counter: NodeJS.BufferSource;
             length: number;
         }
         interface AesDerivedKeyParams extends Algorithm {
             length: number;
         }
-        interface AesGcmParams extends Algorithm {
-            additionalData?: BufferSource;
-            iv: BufferSource;
-            tagLength?: number;
-        }
         interface AesKeyAlgorithm extends KeyAlgorithm {
             length: number;
         }
@@ -4024,6 +3800,23 @@ declare module "node:crypto" {
         interface Algorithm {
             name: string;
         }
+        interface Argon2Params extends Algorithm {
+            associatedData?: NodeJS.BufferSource;
+            memory: number;
+            nonce: NodeJS.BufferSource;
+            parallelism: number;
+            passes: number;
+            secretValue?: NodeJS.BufferSource;
+            version?: number;
+        }
+        interface CShakeParams extends Algorithm {
+            customization?: NodeJS.BufferSource;
+            functionName?: NodeJS.BufferSource;
+            length: number;
+        }
+        interface ContextParams extends Algorithm {
+            context?: NodeJS.BufferSource;
+        }
         interface EcKeyAlgorithm extends KeyAlgorithm {
             namedCurve: NamedCurve;
         }
@@ -4039,13 +3832,10 @@ declare module "node:crypto" {
         interface EcdsaParams extends Algorithm {
             hash: HashAlgorithmIdentifier;
         }
-        interface Ed448Params extends Algorithm {
-            context?: BufferSource;
-        }
         interface HkdfParams extends Algorithm {
             hash: HashAlgorithmIdentifier;
-            info: BufferSource;
-            salt: BufferSource;
+            info: NodeJS.BufferSource;
+            salt: NodeJS.BufferSource;
         }
         interface HmacImportParams extends Algorithm {
             hash: HashAlgorithmIdentifier;
@@ -4082,10 +3872,23 @@ declare module "node:crypto" {
         interface KeyAlgorithm {
             name: string;
         }
+        interface KmacImportParams extends Algorithm {
+            length?: number;
+        }
+        interface KmacKeyAlgorithm extends KeyAlgorithm {
+            length: number;
+        }
+        interface KmacKeyGenParams extends Algorithm {
+            length?: number;
+        }
+        interface KmacParams extends Algorithm {
+            customization?: NodeJS.BufferSource;
+            length: number;
+        }
         interface Pbkdf2Params extends Algorithm {
             hash: HashAlgorithmIdentifier;
             iterations: number;
-            salt: BufferSource;
+            salt: NodeJS.BufferSource;
         }
         interface RsaHashedImportParams extends Algorithm {
             hash: HashAlgorithmIdentifier;
@@ -4105,7 +3908,7 @@ declare module "node:crypto" {
             publicExponent: BigInteger;
         }
         interface RsaOaepParams extends Algorithm {
-            label?: BufferSource;
+            label?: NodeJS.BufferSource;
         }
         interface RsaOtherPrimesInfo {
             d?: string;
@@ -4115,269 +3918,103 @@ declare module "node:crypto" {
         interface RsaPssParams extends Algorithm {
             saltLength: number;
         }
-        /**
-         * Importing the `webcrypto` object (`import { webcrypto } from 'node:crypto'`) gives an instance of the `Crypto` class.
-         * `Crypto` is a singleton that provides access to the remainder of the crypto API.
-         * @since v15.0.0
-         */
         interface Crypto {
-            /**
-             * Provides access to the `SubtleCrypto` API.
-             * @since v15.0.0
-             */
             readonly subtle: SubtleCrypto;
-            /**
-             * Generates cryptographically strong random values.
-             * The given `typedArray` is filled with random values, and a reference to `typedArray` is returned.
-             *
-             * The given `typedArray` must be an integer-based instance of {@link NodeJS.TypedArray}, i.e. `Float32Array` and `Float64Array` are not accepted.
-             *
-             * An error will be thrown if the given `typedArray` is larger than 65,536 bytes.
-             * @since v15.0.0
-             */
-            getRandomValues<T extends Exclude<NodeJS.TypedArray, Float32Array | Float64Array>>(typedArray: T): T;
-            /**
-             * Generates a random {@link https://www.rfc-editor.org/rfc/rfc4122.txt RFC 4122} version 4 UUID.
-             * The UUID is generated using a cryptographic pseudorandom number generator.
-             * @since v16.7.0
-             */
+            getRandomValues<
+                T extends Exclude<
+                    NodeJS.NonSharedTypedArray,
+                    NodeJS.NonSharedFloat16Array | NodeJS.NonSharedFloat32Array | NodeJS.NonSharedFloat64Array
+                >,
+            >(
+                typedArray: T,
+            ): T;
             randomUUID(): UUID;
-            CryptoKey: CryptoKeyConstructor;
-        }
-        // This constructor throws ILLEGAL_CONSTRUCTOR so it should not be newable.
-        interface CryptoKeyConstructor {
-            /** Illegal constructor */
-            (_: { readonly _: unique symbol }): never; // Allows instanceof to work but not be callable by the user.
-            readonly length: 0;
-            readonly name: "CryptoKey";
-            readonly prototype: CryptoKey;
         }
-        /**
-         * @since v15.0.0
-         */
         interface CryptoKey {
-            /**
-             * An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.
-             * @since v15.0.0
-             */
             readonly algorithm: KeyAlgorithm;
-            /**
-             * When `true`, the {@link CryptoKey} can be extracted using either `subtleCrypto.exportKey()` or `subtleCrypto.wrapKey()`.
-             * @since v15.0.0
-             */
             readonly extractable: boolean;
-            /**
-             * A string identifying whether the key is a symmetric (`'secret'`) or asymmetric (`'private'` or `'public'`) key.
-             * @since v15.0.0
-             */
             readonly type: KeyType;
-            /**
-             * An array of strings identifying the operations for which the key may be used.
-             *
-             * The possible usages are:
-             * - `'encrypt'` - The key may be used to encrypt data.
-             * - `'decrypt'` - The key may be used to decrypt data.
-             * - `'sign'` - The key may be used to generate digital signatures.
-             * - `'verify'` - The key may be used to verify digital signatures.
-             * - `'deriveKey'` - The key may be used to derive a new key.
-             * - `'deriveBits'` - The key may be used to derive bits.
-             * - `'wrapKey'` - The key may be used to wrap another key.
-             * - `'unwrapKey'` - The key may be used to unwrap another key.
-             *
-             * Valid key usages depend on the key algorithm (identified by `cryptokey.algorithm.name`).
-             * @since v15.0.0
-             */
             readonly usages: KeyUsage[];
         }
-        /**
-         * The `CryptoKeyPair` is a simple dictionary object with `publicKey` and `privateKey` properties, representing an asymmetric key pair.
-         * @since v15.0.0
-         */
         interface CryptoKeyPair {
-            /**
-             * A {@link CryptoKey} whose type will be `'private'`.
-             * @since v15.0.0
-             */
             privateKey: CryptoKey;
-            /**
-             * A {@link CryptoKey} whose type will be `'public'`.
-             * @since v15.0.0
-             */
             publicKey: CryptoKey;
         }
-        /**
-         * @since v15.0.0
-         */
+        interface EncapsulatedBits {
+            sharedKey: ArrayBuffer;
+            ciphertext: ArrayBuffer;
+        }
+        interface EncapsulatedKey {
+            sharedKey: CryptoKey;
+            ciphertext: ArrayBuffer;
+        }
         interface SubtleCrypto {
-            /**
-             * Using the method and parameters specified in `algorithm` and the keying material provided by `key`,
-             * `subtle.decrypt()` attempts to decipher the provided `data`. If successful,
-             * the returned promise will be resolved with an `<ArrayBuffer>` containing the plaintext result.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * @since v15.0.0
-             */
+            decapsulateBits(
+                decapsulationAlgorithm: AlgorithmIdentifier,
+                decapsulationKey: CryptoKey,
+                ciphertext: NodeJS.BufferSource,
+            ): Promise<ArrayBuffer>;
+            decapsulateKey(
+                decapsulationAlgorithm: AlgorithmIdentifier,
+                decapsulationKey: CryptoKey,
+                ciphertext: NodeJS.BufferSource,
+                sharedKeyAlgorithm: AlgorithmIdentifier | HmacImportParams | AesDerivedKeyParams | KmacImportParams,
+                extractable: boolean,
+                usages: KeyUsage[],
+            ): Promise<CryptoKey>;
             decrypt(
-                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 key: CryptoKey,
-                data: BufferSource,
+                data: NodeJS.BufferSource,
             ): Promise<ArrayBuffer>;
-            /**
-             * Using the method and parameters specified in `algorithm` and the keying material provided by `baseKey`,
-             * `subtle.deriveBits()` attempts to generate `length` bits.
-             * The Node.js implementation requires that when `length` is a number it must be multiple of `8`.
-             * When `length` is `null` the maximum number of bits for a given algorithm is generated. This is allowed
-             * for the `'ECDH'`, `'X25519'`, and `'X448'` algorithms.
-             * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the generated data.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HKDF'`
-             * - `'PBKDF2'`
-             * @since v15.0.0
-             */
             deriveBits(
-                algorithm: EcdhKeyDeriveParams,
+                algorithm: AlgorithmIdentifier | EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params | Argon2Params,
                 baseKey: CryptoKey,
                 length?: number | null,
             ): Promise<ArrayBuffer>;
-            deriveBits(
-                algorithm: EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params,
-                baseKey: CryptoKey,
-                length: number,
-            ): Promise<ArrayBuffer>;
-            /**
-             * Using the method and parameters specified in `algorithm`, and the keying material provided by `baseKey`,
-             * `subtle.deriveKey()` attempts to generate a new <CryptoKey>` based on the method and parameters in `derivedKeyAlgorithm`.
-             *
-             * Calling `subtle.deriveKey()` is equivalent to calling `subtle.deriveBits()` to generate raw keying material,
-             * then passing the result into the `subtle.importKey()` method using the `deriveKeyAlgorithm`, `extractable`, and `keyUsages` parameters as input.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HKDF'`
-             * - `'PBKDF2'`
-             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
-             * @since v15.0.0
-             */
             deriveKey(
-                algorithm: EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params,
+                algorithm: AlgorithmIdentifier | EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params | Argon2Params,
                 baseKey: CryptoKey,
-                derivedKeyAlgorithm: AlgorithmIdentifier | HmacImportParams | AesDerivedKeyParams,
+                derivedKeyType: AlgorithmIdentifier | AesDerivedKeyParams | HmacImportParams | KmacImportParams,
                 extractable: boolean,
                 keyUsages: readonly KeyUsage[],
             ): Promise<CryptoKey>;
-            /**
-             * Using the method identified by `algorithm`, `subtle.digest()` attempts to generate a digest of `data`.
-             * If successful, the returned promise is resolved with an `<ArrayBuffer>` containing the computed digest.
-             *
-             * If `algorithm` is provided as a `<string>`, it must be one of:
-             *
-             * - `'SHA-1'`
-             * - `'SHA-256'`
-             * - `'SHA-384'`
-             * - `'SHA-512'`
-             *
-             * If `algorithm` is provided as an `<Object>`, it must have a `name` property whose value is one of the above.
-             * @since v15.0.0
-             */
-            digest(algorithm: AlgorithmIdentifier, data: BufferSource): Promise<ArrayBuffer>;
-            /**
-             * Using the method and parameters specified by `algorithm` and the keying material provided by `key`,
-             * `subtle.encrypt()` attempts to encipher `data`. If successful,
-             * the returned promise is resolved with an `<ArrayBuffer>` containing the encrypted result.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * @since v15.0.0
-             */
+            digest(algorithm: AlgorithmIdentifier | CShakeParams, data: NodeJS.BufferSource): Promise<ArrayBuffer>;
+            encapsulateBits(
+                encapsulationAlgorithm: AlgorithmIdentifier,
+                encapsulationKey: CryptoKey,
+            ): Promise<EncapsulatedBits>;
+            encapsulateKey(
+                encapsulationAlgorithm: AlgorithmIdentifier,
+                encapsulationKey: CryptoKey,
+                sharedKeyAlgorithm: AlgorithmIdentifier | AesDerivedKeyParams | HmacImportParams | KmacImportParams,
+                extractable: boolean,
+                usages: KeyUsage[],
+            ): Promise<EncapsulatedKey>;
             encrypt(
-                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 key: CryptoKey,
-                data: BufferSource,
+                data: NodeJS.BufferSource,
             ): Promise<ArrayBuffer>;
-            /**
-             * Exports the given key into the specified format, if supported.
-             *
-             * If the `<CryptoKey>` is not extractable, the returned promise will reject.
-             *
-             * When `format` is either `'pkcs8'` or `'spki'` and the export is successful,
-             * the returned promise will be resolved with an `<ArrayBuffer>` containing the exported key data.
-             *
-             * When `format` is `'jwk'` and the export is successful, the returned promise will be resolved with a
-             * JavaScript object conforming to the {@link https://tools.ietf.org/html/rfc7517 JSON Web Key} specification.
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-             * @returns `<Promise>` containing `<ArrayBuffer>`.
-             * @since v15.0.0
-             */
             exportKey(format: "jwk", key: CryptoKey): Promise<JsonWebKey>;
             exportKey(format: Exclude<KeyFormat, "jwk">, key: CryptoKey): Promise<ArrayBuffer>;
-            /**
-             * Using the method and parameters provided in `algorithm`,
-             * `subtle.generateKey()` attempts to generate new keying material.
-             * Depending the method used, the method may generate either a single `<CryptoKey>` or a `<CryptoKeyPair>`.
-             *
-             * The `<CryptoKeyPair>` (public and private key) generating algorithms supported include:
-             *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'RSA-OAEP'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * The `<CryptoKey>` (secret key) generating algorithms supported include:
-             *
-             * - `'HMAC'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
-             * @since v15.0.0
-             */
+            exportKey(format: KeyFormat, key: CryptoKey): Promise<ArrayBuffer | JsonWebKey>;
             generateKey(
                 algorithm: RsaHashedKeyGenParams | EcKeyGenParams,
                 extractable: boolean,
-                keyUsages: readonly KeyUsage[],
+                keyUsages: KeyUsage[],
             ): Promise<CryptoKeyPair>;
             generateKey(
-                algorithm: AesKeyGenParams | HmacKeyGenParams | Pbkdf2Params,
+                algorithm: AesKeyGenParams | HmacKeyGenParams | Pbkdf2Params | KmacKeyGenParams,
                 extractable: boolean,
-                keyUsages: readonly KeyUsage[],
+                keyUsages: KeyUsage[],
             ): Promise<CryptoKey>;
             generateKey(
                 algorithm: AlgorithmIdentifier,
                 extractable: boolean,
                 keyUsages: KeyUsage[],
             ): Promise<CryptoKeyPair | CryptoKey>;
-            /**
-             * The `subtle.importKey()` method attempts to interpret the provided `keyData` as the given `format`
-             * to create a `<CryptoKey>` instance using the provided `algorithm`, `extractable`, and `keyUsages` arguments.
-             * If the import is successful, the returned promise will be resolved with the created `<CryptoKey>`.
-             *
-             * If importing a `'PBKDF2'` key, `extractable` must be `false`.
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
-             * @since v15.0.0
-             */
+            getPublicKey(key: CryptoKey, keyUsages: KeyUsage[]): Promise<CryptoKey>;
             importKey(
                 format: "jwk",
                 keyData: JsonWebKey,
@@ -4386,144 +4023,56 @@ declare module "node:crypto" {
                     | RsaHashedImportParams
                     | EcKeyImportParams
                     | HmacImportParams
-                    | AesKeyAlgorithm,
+                    | AesKeyAlgorithm
+                    | KmacImportParams,
                 extractable: boolean,
-                keyUsages: readonly KeyUsage[],
+                keyUsages: KeyUsage[],
             ): Promise<CryptoKey>;
             importKey(
                 format: Exclude<KeyFormat, "jwk">,
-                keyData: BufferSource,
+                keyData: NodeJS.BufferSource,
                 algorithm:
                     | AlgorithmIdentifier
                     | RsaHashedImportParams
                     | EcKeyImportParams
                     | HmacImportParams
-                    | AesKeyAlgorithm,
+                    | AesKeyAlgorithm
+                    | KmacImportParams,
                 extractable: boolean,
                 keyUsages: KeyUsage[],
             ): Promise<CryptoKey>;
-            /**
-             * Using the method and parameters given by `algorithm` and the keying material provided by `key`,
-             * `subtle.sign()` attempts to generate a cryptographic signature of `data`. If successful,
-             * the returned promise is resolved with an `<ArrayBuffer>` containing the generated signature.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'HMAC'`
-             * @since v15.0.0
-             */
             sign(
-                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
+                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | ContextParams | KmacParams,
                 key: CryptoKey,
-                data: BufferSource,
+                data: NodeJS.BufferSource,
             ): Promise<ArrayBuffer>;
-            /**
-             * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
-             * The `subtle.unwrapKey()` method attempts to decrypt a wrapped key and create a `<CryptoKey>` instance.
-             * It is equivalent to calling `subtle.decrypt()` first on the encrypted key data (using the `wrappedKey`, `unwrapAlgo`, and `unwrappingKey` arguments as input)
-             * then passing the results in to the `subtle.importKey()` method using the `unwrappedKeyAlgo`, `extractable`, and `keyUsages` arguments as inputs.
-             * If successful, the returned promise is resolved with a `<CryptoKey>` object.
-             *
-             * The wrapping algorithms currently supported include:
-             *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             *
-             * The unwrapped key algorithms supported include:
-             *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'RSA-OAEP'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HMAC'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
-             * @since v15.0.0
-             */
             unwrapKey(
                 format: KeyFormat,
-                wrappedKey: BufferSource,
+                wrappedKey: NodeJS.BufferSource,
                 unwrappingKey: CryptoKey,
-                unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 unwrappedKeyAlgorithm:
                     | AlgorithmIdentifier
                     | RsaHashedImportParams
                     | EcKeyImportParams
                     | HmacImportParams
-                    | AesKeyAlgorithm,
+                    | AesKeyAlgorithm
+                    | KmacImportParams,
                 extractable: boolean,
                 keyUsages: KeyUsage[],
             ): Promise<CryptoKey>;
-            /**
-             * Using the method and parameters given in `algorithm` and the keying material provided by `key`,
-             * `subtle.verify()` attempts to verify that `signature` is a valid cryptographic signature of `data`.
-             * The returned promise is resolved with either `true` or `false`.
-             *
-             * The algorithms currently supported include:
-             *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'HMAC'`
-             * @since v15.0.0
-             */
             verify(
-                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
+                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | ContextParams | KmacParams,
                 key: CryptoKey,
-                signature: BufferSource,
-                data: BufferSource,
+                signature: NodeJS.BufferSource,
+                data: NodeJS.BufferSource,
             ): Promise<boolean>;
-            /**
-             * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
-             * The `subtle.wrapKey()` method exports the keying material into the format identified by `format`,
-             * then encrypts it using the method and parameters specified by `wrapAlgo` and the keying material provided by `wrappingKey`.
-             * It is the equivalent to calling `subtle.exportKey()` using `format` and `key` as the arguments,
-             * then passing the result to the `subtle.encrypt()` method using `wrappingKey` and `wrapAlgo` as inputs.
-             * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the encrypted key data.
-             *
-             * The wrapping algorithms currently supported include:
-             *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-             * @since v15.0.0
-             */
             wrapKey(
                 format: KeyFormat,
                 key: CryptoKey,
                 wrappingKey: CryptoKey,
-                wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
             ): Promise<ArrayBuffer>;
         }
     }
-
-    global {
-        var crypto: typeof globalThis extends {
-            crypto: infer T;
-            onmessage: any;
-        } ? T
-            : webcrypto.Crypto;
-    }
 }