alicezetion 1.9.6 → 1.9.8

Sign up to get free protection for your applications and to get access to all the features.
Files changed (292) hide show
  1. package/.cache/replit/modules/nodejs-20.res +1 -0
  2. package/.cache/replit/modules/replit.res +1 -0
  3. package/.cache/typescript/5.4/node_modules/.package-lock.json +137 -0
  4. package/.cache/typescript/5.4/node_modules/@types/bluebird/LICENSE +21 -0
  5. package/.cache/typescript/5.4/node_modules/@types/bluebird/README.md +15 -0
  6. package/.cache/typescript/5.4/node_modules/@types/bluebird/index.d.ts +1365 -0
  7. package/.cache/typescript/5.4/node_modules/@types/bluebird/package.json +25 -0
  8. package/.cache/typescript/5.4/node_modules/@types/caseless/LICENSE +21 -0
  9. package/.cache/typescript/5.4/node_modules/@types/caseless/README.md +48 -0
  10. package/.cache/typescript/5.4/node_modules/@types/caseless/index.d.ts +29 -0
  11. package/.cache/typescript/5.4/node_modules/@types/caseless/package.json +35 -0
  12. package/.cache/typescript/5.4/node_modules/@types/cheerio/LICENSE +21 -0
  13. package/.cache/typescript/5.4/node_modules/@types/cheerio/README.md +15 -0
  14. package/.cache/typescript/5.4/node_modules/@types/cheerio/index.d.ts +318 -0
  15. package/.cache/typescript/5.4/node_modules/@types/cheerio/package.json +71 -0
  16. package/.cache/typescript/5.4/node_modules/@types/node/LICENSE +21 -0
  17. package/.cache/typescript/5.4/node_modules/@types/node/README.md +15 -0
  18. package/.cache/typescript/5.4/node_modules/@types/node/assert/strict.d.ts +8 -0
  19. package/.cache/typescript/5.4/node_modules/@types/node/assert.d.ts +1040 -0
  20. package/.cache/typescript/5.4/node_modules/@types/node/async_hooks.d.ts +541 -0
  21. package/.cache/typescript/5.4/node_modules/@types/node/buffer.d.ts +2363 -0
  22. package/.cache/typescript/5.4/node_modules/@types/node/child_process.d.ts +1544 -0
  23. package/.cache/typescript/5.4/node_modules/@types/node/cluster.d.ts +578 -0
  24. package/.cache/typescript/5.4/node_modules/@types/node/console.d.ts +452 -0
  25. package/.cache/typescript/5.4/node_modules/@types/node/constants.d.ts +19 -0
  26. package/.cache/typescript/5.4/node_modules/@types/node/crypto.d.ts +4523 -0
  27. package/.cache/typescript/5.4/node_modules/@types/node/dgram.d.ts +596 -0
  28. package/.cache/typescript/5.4/node_modules/@types/node/diagnostics_channel.d.ts +554 -0
  29. package/.cache/typescript/5.4/node_modules/@types/node/dns/promises.d.ts +476 -0
  30. package/.cache/typescript/5.4/node_modules/@types/node/dns.d.ts +864 -0
  31. package/.cache/typescript/5.4/node_modules/@types/node/dom-events.d.ts +124 -0
  32. package/.cache/typescript/5.4/node_modules/@types/node/domain.d.ts +170 -0
  33. package/.cache/typescript/5.4/node_modules/@types/node/events.d.ts +931 -0
  34. package/.cache/typescript/5.4/node_modules/@types/node/fs/promises.d.ts +1245 -0
  35. package/.cache/typescript/5.4/node_modules/@types/node/fs.d.ts +4317 -0
  36. package/.cache/typescript/5.4/node_modules/@types/node/globals.d.ts +412 -0
  37. package/.cache/typescript/5.4/node_modules/@types/node/globals.global.d.ts +1 -0
  38. package/.cache/typescript/5.4/node_modules/@types/node/http.d.ts +1908 -0
  39. package/.cache/typescript/5.4/node_modules/@types/node/http2.d.ts +2418 -0
  40. package/.cache/typescript/5.4/node_modules/@types/node/https.d.ts +550 -0
  41. package/.cache/typescript/5.4/node_modules/@types/node/index.d.ts +89 -0
  42. package/.cache/typescript/5.4/node_modules/@types/node/inspector.d.ts +2746 -0
  43. package/.cache/typescript/5.4/node_modules/@types/node/module.d.ts +315 -0
  44. package/.cache/typescript/5.4/node_modules/@types/node/net.d.ts +999 -0
  45. package/.cache/typescript/5.4/node_modules/@types/node/os.d.ts +495 -0
  46. package/.cache/typescript/5.4/node_modules/@types/node/package.json +217 -0
  47. package/.cache/typescript/5.4/node_modules/@types/node/path.d.ts +191 -0
  48. package/.cache/typescript/5.4/node_modules/@types/node/perf_hooks.d.ts +905 -0
  49. package/.cache/typescript/5.4/node_modules/@types/node/process.d.ts +1754 -0
  50. package/.cache/typescript/5.4/node_modules/@types/node/punycode.d.ts +117 -0
  51. package/.cache/typescript/5.4/node_modules/@types/node/querystring.d.ts +153 -0
  52. package/.cache/typescript/5.4/node_modules/@types/node/readline/promises.d.ts +150 -0
  53. package/.cache/typescript/5.4/node_modules/@types/node/readline.d.ts +540 -0
  54. package/.cache/typescript/5.4/node_modules/@types/node/repl.d.ts +430 -0
  55. package/.cache/typescript/5.4/node_modules/@types/node/sea.d.ts +153 -0
  56. package/.cache/typescript/5.4/node_modules/@types/node/stream/consumers.d.ts +12 -0
  57. package/.cache/typescript/5.4/node_modules/@types/node/stream/promises.d.ts +83 -0
  58. package/.cache/typescript/5.4/node_modules/@types/node/stream/web.d.ts +367 -0
  59. package/.cache/typescript/5.4/node_modules/@types/node/stream.d.ts +1707 -0
  60. package/.cache/typescript/5.4/node_modules/@types/node/string_decoder.d.ts +67 -0
  61. package/.cache/typescript/5.4/node_modules/@types/node/test.d.ts +1718 -0
  62. package/.cache/typescript/5.4/node_modules/@types/node/timers/promises.d.ts +97 -0
  63. package/.cache/typescript/5.4/node_modules/@types/node/timers.d.ts +240 -0
  64. package/.cache/typescript/5.4/node_modules/@types/node/tls.d.ts +1217 -0
  65. package/.cache/typescript/5.4/node_modules/@types/node/trace_events.d.ts +197 -0
  66. package/.cache/typescript/5.4/node_modules/@types/node/tty.d.ts +208 -0
  67. package/.cache/typescript/5.4/node_modules/@types/node/url.d.ts +952 -0
  68. package/.cache/typescript/5.4/node_modules/@types/node/util.d.ts +2292 -0
  69. package/.cache/typescript/5.4/node_modules/@types/node/v8.d.ts +808 -0
  70. package/.cache/typescript/5.4/node_modules/@types/node/vm.d.ts +924 -0
  71. package/.cache/typescript/5.4/node_modules/@types/node/wasi.d.ts +181 -0
  72. package/.cache/typescript/5.4/node_modules/@types/node/worker_threads.d.ts +694 -0
  73. package/.cache/typescript/5.4/node_modules/@types/node/zlib.d.ts +530 -0
  74. package/.cache/typescript/5.4/node_modules/@types/npmlog/LICENSE +21 -0
  75. package/.cache/typescript/5.4/node_modules/@types/npmlog/README.md +15 -0
  76. package/.cache/typescript/5.4/node_modules/@types/npmlog/index.d.ts +84 -0
  77. package/.cache/typescript/5.4/node_modules/@types/npmlog/package.json +32 -0
  78. package/.cache/typescript/5.4/node_modules/@types/request/LICENSE +21 -0
  79. package/.cache/typescript/5.4/node_modules/@types/request/README.md +15 -0
  80. package/.cache/typescript/5.4/node_modules/@types/request/index.d.ts +395 -0
  81. package/.cache/typescript/5.4/node_modules/@types/request/package.json +70 -0
  82. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/LICENSE +21 -0
  83. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/README.md +15 -0
  84. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/index.d.ts +321 -0
  85. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/package.json +35 -0
  86. package/.cache/typescript/5.4/node_modules/asynckit/LICENSE +21 -0
  87. package/.cache/typescript/5.4/node_modules/asynckit/README.md +233 -0
  88. package/.cache/typescript/5.4/node_modules/asynckit/bench.js +76 -0
  89. package/.cache/typescript/5.4/node_modules/asynckit/index.js +6 -0
  90. package/.cache/typescript/5.4/node_modules/asynckit/lib/abort.js +29 -0
  91. package/.cache/typescript/5.4/node_modules/asynckit/lib/async.js +34 -0
  92. package/.cache/typescript/5.4/node_modules/asynckit/lib/defer.js +26 -0
  93. package/.cache/typescript/5.4/node_modules/asynckit/lib/iterate.js +75 -0
  94. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_asynckit.js +91 -0
  95. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_parallel.js +25 -0
  96. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_serial.js +25 -0
  97. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_serial_ordered.js +29 -0
  98. package/.cache/typescript/5.4/node_modules/asynckit/lib/state.js +37 -0
  99. package/.cache/typescript/5.4/node_modules/asynckit/lib/streamify.js +141 -0
  100. package/.cache/typescript/5.4/node_modules/asynckit/lib/terminator.js +29 -0
  101. package/.cache/typescript/5.4/node_modules/asynckit/package.json +63 -0
  102. package/.cache/typescript/5.4/node_modules/asynckit/parallel.js +43 -0
  103. package/.cache/typescript/5.4/node_modules/asynckit/serial.js +17 -0
  104. package/.cache/typescript/5.4/node_modules/asynckit/serialOrdered.js +75 -0
  105. package/.cache/typescript/5.4/node_modules/asynckit/stream.js +21 -0
  106. package/.cache/typescript/5.4/node_modules/combined-stream/License +19 -0
  107. package/.cache/typescript/5.4/node_modules/combined-stream/Readme.md +138 -0
  108. package/.cache/typescript/5.4/node_modules/combined-stream/lib/combined_stream.js +208 -0
  109. package/.cache/typescript/5.4/node_modules/combined-stream/package.json +25 -0
  110. package/.cache/typescript/5.4/node_modules/combined-stream/yarn.lock +17 -0
  111. package/.cache/typescript/5.4/node_modules/delayed-stream/License +19 -0
  112. package/.cache/typescript/5.4/node_modules/delayed-stream/Makefile +7 -0
  113. package/.cache/typescript/5.4/node_modules/delayed-stream/Readme.md +141 -0
  114. package/.cache/typescript/5.4/node_modules/delayed-stream/lib/delayed_stream.js +107 -0
  115. package/.cache/typescript/5.4/node_modules/delayed-stream/package.json +27 -0
  116. package/.cache/typescript/5.4/node_modules/form-data/License +19 -0
  117. package/.cache/typescript/5.4/node_modules/form-data/README.md +350 -0
  118. package/.cache/typescript/5.4/node_modules/form-data/README.md.bak +350 -0
  119. package/.cache/typescript/5.4/node_modules/form-data/index.d.ts +51 -0
  120. package/.cache/typescript/5.4/node_modules/form-data/lib/browser.js +2 -0
  121. package/.cache/typescript/5.4/node_modules/form-data/lib/form_data.js +483 -0
  122. package/.cache/typescript/5.4/node_modules/form-data/lib/populate.js +10 -0
  123. package/.cache/typescript/5.4/node_modules/form-data/package.json +68 -0
  124. package/.cache/typescript/5.4/node_modules/mime-db/HISTORY.md +507 -0
  125. package/.cache/typescript/5.4/node_modules/mime-db/LICENSE +23 -0
  126. package/.cache/typescript/5.4/node_modules/mime-db/README.md +100 -0
  127. package/.cache/typescript/5.4/node_modules/mime-db/db.json +8519 -0
  128. package/.cache/typescript/5.4/node_modules/mime-db/index.js +12 -0
  129. package/.cache/typescript/5.4/node_modules/mime-db/package.json +60 -0
  130. package/.cache/typescript/5.4/node_modules/mime-types/HISTORY.md +397 -0
  131. package/.cache/typescript/5.4/node_modules/mime-types/LICENSE +23 -0
  132. package/.cache/typescript/5.4/node_modules/mime-types/README.md +113 -0
  133. package/.cache/typescript/5.4/node_modules/mime-types/index.js +188 -0
  134. package/.cache/typescript/5.4/node_modules/mime-types/package.json +44 -0
  135. package/.cache/typescript/5.4/node_modules/types-registry/README.md +2 -0
  136. package/.cache/typescript/5.4/node_modules/types-registry/index.json +1 -0
  137. package/.cache/typescript/5.4/node_modules/types-registry/package.json +20 -0
  138. package/.cache/typescript/5.4/node_modules/undici-types/README.md +6 -0
  139. package/.cache/typescript/5.4/node_modules/undici-types/agent.d.ts +31 -0
  140. package/.cache/typescript/5.4/node_modules/undici-types/api.d.ts +43 -0
  141. package/.cache/typescript/5.4/node_modules/undici-types/balanced-pool.d.ts +18 -0
  142. package/.cache/typescript/5.4/node_modules/undici-types/cache.d.ts +36 -0
  143. package/.cache/typescript/5.4/node_modules/undici-types/client.d.ts +97 -0
  144. package/.cache/typescript/5.4/node_modules/undici-types/connector.d.ts +34 -0
  145. package/.cache/typescript/5.4/node_modules/undici-types/content-type.d.ts +21 -0
  146. package/.cache/typescript/5.4/node_modules/undici-types/cookies.d.ts +28 -0
  147. package/.cache/typescript/5.4/node_modules/undici-types/diagnostics-channel.d.ts +67 -0
  148. package/.cache/typescript/5.4/node_modules/undici-types/dispatcher.d.ts +241 -0
  149. package/.cache/typescript/5.4/node_modules/undici-types/errors.d.ts +128 -0
  150. package/.cache/typescript/5.4/node_modules/undici-types/fetch.d.ts +209 -0
  151. package/.cache/typescript/5.4/node_modules/undici-types/file.d.ts +39 -0
  152. package/.cache/typescript/5.4/node_modules/undici-types/filereader.d.ts +54 -0
  153. package/.cache/typescript/5.4/node_modules/undici-types/formdata.d.ts +108 -0
  154. package/.cache/typescript/5.4/node_modules/undici-types/global-dispatcher.d.ts +9 -0
  155. package/.cache/typescript/5.4/node_modules/undici-types/global-origin.d.ts +7 -0
  156. package/.cache/typescript/5.4/node_modules/undici-types/handlers.d.ts +9 -0
  157. package/.cache/typescript/5.4/node_modules/undici-types/header.d.ts +4 -0
  158. package/.cache/typescript/5.4/node_modules/undici-types/index.d.ts +63 -0
  159. package/.cache/typescript/5.4/node_modules/undici-types/interceptors.d.ts +5 -0
  160. package/.cache/typescript/5.4/node_modules/undici-types/mock-agent.d.ts +50 -0
  161. package/.cache/typescript/5.4/node_modules/undici-types/mock-client.d.ts +25 -0
  162. package/.cache/typescript/5.4/node_modules/undici-types/mock-errors.d.ts +12 -0
  163. package/.cache/typescript/5.4/node_modules/undici-types/mock-interceptor.d.ts +93 -0
  164. package/.cache/typescript/5.4/node_modules/undici-types/mock-pool.d.ts +25 -0
  165. package/.cache/typescript/5.4/node_modules/undici-types/package.json +55 -0
  166. package/.cache/typescript/5.4/node_modules/undici-types/patch.d.ts +71 -0
  167. package/.cache/typescript/5.4/node_modules/undici-types/pool-stats.d.ts +19 -0
  168. package/.cache/typescript/5.4/node_modules/undici-types/pool.d.ts +28 -0
  169. package/.cache/typescript/5.4/node_modules/undici-types/proxy-agent.d.ts +30 -0
  170. package/.cache/typescript/5.4/node_modules/undici-types/readable.d.ts +61 -0
  171. package/.cache/typescript/5.4/node_modules/undici-types/webidl.d.ts +220 -0
  172. package/.cache/typescript/5.4/node_modules/undici-types/websocket.d.ts +131 -0
  173. package/.cache/typescript/5.4/package-lock.json +149 -0
  174. package/.cache/typescript/5.4/package.json +1 -0
  175. package/index.js +290 -70
  176. package/leiamnash/addExternalModule.js +15 -0
  177. package/leiamnash/addUserToGroup.js +77 -0
  178. package/leiamnash/changeAdminStatus.js +47 -0
  179. package/leiamnash/changeArchivedStatus.js +41 -0
  180. package/{src → leiamnash}/changeAvatar.js +3 -2
  181. package/leiamnash/changeBio.js +64 -0
  182. package/leiamnash/changeBlockedStatus.js +36 -0
  183. package/leiamnash/changeGroupImage.js +105 -0
  184. package/leiamnash/changeNickname.js +43 -0
  185. package/leiamnash/changeThreadColor.js +61 -0
  186. package/leiamnash/changeThreadEmoji.js +41 -0
  187. package/{src → leiamnash}/chat.js +4 -29
  188. package/leiamnash/createNewGroup.js +70 -0
  189. package/leiamnash/createPoll.js +59 -0
  190. package/leiamnash/deleteMessage.js +44 -0
  191. package/leiamnash/deleteThread.js +42 -0
  192. package/leiamnash/editMessage.js +62 -0
  193. package/leiamnash/forwardAttachment.js +47 -0
  194. package/leiamnash/forwardMessage.js +0 -0
  195. package/leiamnash/getCurrentUserID.js +7 -0
  196. package/leiamnash/getEmojiUrl.js +27 -0
  197. package/leiamnash/getFriendsList.js +73 -0
  198. package/leiamnash/getInfoVideo.js +134 -0
  199. package/leiamnash/getThreadHistory.js +537 -0
  200. package/leiamnash/getThreadHistoryDeprecated.js +71 -0
  201. package/leiamnash/getThreadInfo.js +171 -0
  202. package/leiamnash/getThreadInfoDeprecated.js +56 -0
  203. package/leiamnash/getThreadList.js +213 -0
  204. package/leiamnash/getThreadListDeprecated.js +46 -0
  205. package/leiamnash/getThreadPictures.js +59 -0
  206. package/leiamnash/getUserID.js +61 -0
  207. package/leiamnash/getUserInfo.js +66 -0
  208. package/leiamnash/handleFriendRequest.js +46 -0
  209. package/leiamnash/handleMessageRequest.js +47 -0
  210. package/leiamnash/httpGet.js +47 -0
  211. package/leiamnash/httpPost.js +47 -0
  212. package/leiamnash/httpPostFormData.js +42 -0
  213. package/leiamnash/listenMqtt.js +843 -0
  214. package/leiamnash/logout.js +68 -0
  215. package/leiamnash/markAsDelivered.js +47 -0
  216. package/leiamnash/markAsRead.js +70 -0
  217. package/leiamnash/markAsReadAll.js +40 -0
  218. package/leiamnash/markAsSeen.js +48 -0
  219. package/leiamnash/muteThread.js +45 -0
  220. package/leiamnash/pinMessage.js +58 -0
  221. package/leiamnash/react.js +109 -0
  222. package/{src → leiamnash}/refreshFb_dtsg.js +1 -1
  223. package/leiamnash/removeUserFromGroup.js +45 -0
  224. package/leiamnash/resolvePhotoUrl.js +36 -0
  225. package/leiamnash/searchForThread.js +42 -0
  226. package/leiamnash/seen.js +40 -0
  227. package/leiamnash/sendMessage.js +315 -0
  228. package/leiamnash/sendTypingIndicator.js +70 -0
  229. package/leiamnash/setMessageReaction.js +103 -0
  230. package/leiamnash/setPostReaction.js +63 -0
  231. package/leiamnash/setTitle.js +70 -0
  232. package/leiamnash/threadColors.js +41 -0
  233. package/leiamnash/token.js +112 -0
  234. package/leiamnash/unfriend.js +42 -0
  235. package/leiamnash/unsendMessage.js +39 -0
  236. package/{src → leiamnash}/uploadAttachment.js +2 -1
  237. package/package.json +3 -2
  238. package/utils.js +1345 -1382
  239. package/.cache/replit/modules/nodejs-20:v28-20240213-3f08513.res +0 -1
  240. package/.cache/replit/modules/replit:v5-20240209-9e3a339.res +0 -1
  241. package/.replit +0 -1
  242. package/src/addExternalModule.js +0 -19
  243. package/src/addUserToGroup.js +0 -113
  244. package/src/changeAdminStatus.js +0 -79
  245. package/src/changeArchivedStatus.js +0 -55
  246. package/src/changeBio.js +0 -77
  247. package/src/changeBlockedStatus.js +0 -47
  248. package/src/changeGroupImage.js +0 -132
  249. package/src/changeNickname.js +0 -59
  250. package/src/changeThreadColor.js +0 -65
  251. package/src/changeThreadEmoji.js +0 -55
  252. package/src/createNewGroup.js +0 -86
  253. package/src/createPoll.js +0 -71
  254. package/src/deleteMessage.js +0 -56
  255. package/src/deleteThread.js +0 -56
  256. package/src/edit.js +0 -66
  257. package/src/forwardAttachment.js +0 -60
  258. package/src/getCurrentUserID.js +0 -7
  259. package/src/getEmojiUrl.js +0 -29
  260. package/src/getFriendsList.js +0 -83
  261. package/src/getThreadHistory.js +0 -666
  262. package/src/getThreadInfo.js +0 -232
  263. package/src/getThreadList.js +0 -241
  264. package/src/getThreadPictures.js +0 -79
  265. package/src/getUserID.js +0 -66
  266. package/src/getUserInfo.js +0 -74
  267. package/src/handleFriendRequest.js +0 -61
  268. package/src/handleMessageRequest.js +0 -65
  269. package/src/httpGet.js +0 -57
  270. package/src/httpPost.js +0 -57
  271. package/src/httpPostFormData.js +0 -63
  272. package/src/listenMqtt.js +0 -854
  273. package/src/logout.js +0 -75
  274. package/src/markAsDelivered.js +0 -58
  275. package/src/markAsRead.js +0 -80
  276. package/src/markAsReadAll.js +0 -50
  277. package/src/markAsSeen.js +0 -59
  278. package/src/muteThread.js +0 -52
  279. package/src/react.js +0 -121
  280. package/src/removeUserFromGroup.js +0 -79
  281. package/src/resolvePhotoUrl.js +0 -45
  282. package/src/searchForThread.js +0 -53
  283. package/src/seen.js +0 -50
  284. package/src/sendMessage.js +0 -477
  285. package/src/sendTypingIndicator.js +0 -103
  286. package/src/setMessageReaction.js +0 -121
  287. package/src/setPostReaction.js +0 -109
  288. package/src/setTitle.js +0 -86
  289. package/src/threadColors.js +0 -131
  290. package/src/unfriend.js +0 -52
  291. package/src/unsendMessage.js +0 -49
  292. /package/{src → leiamnash}/getMessage.js +0 -0
@@ -0,0 +1,4523 @@
1
+ /**
2
+ * The `node:crypto` module provides cryptographic functionality that includes a
3
+ * set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify
4
+ * functions.
5
+ *
6
+ * ```js
7
+ * const { createHmac } = await import('node:crypto');
8
+ *
9
+ * const secret = 'abcdefg';
10
+ * const hash = createHmac('sha256', secret)
11
+ * .update('I love cupcakes')
12
+ * .digest('hex');
13
+ * console.log(hash);
14
+ * // Prints:
15
+ * // c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
16
+ * ```
17
+ * @see [source](https://github.com/nodejs/node/blob/v20.13.1/lib/crypto.js)
18
+ */
19
+ declare module "crypto" {
20
+ import * as stream from "node:stream";
21
+ import { PeerCertificate } from "node:tls";
22
+ /**
23
+ * SPKAC is a Certificate Signing Request mechanism originally implemented by
24
+ * Netscape and was specified formally as part of HTML5's `keygen` element.
25
+ *
26
+ * `<keygen>` is deprecated since [HTML 5.2](https://www.w3.org/TR/html52/changes.html#features-removed) and new projects
27
+ * should not use this element anymore.
28
+ *
29
+ * The `node:crypto` module provides the `Certificate` class for working with SPKAC
30
+ * data. The most common usage is handling output generated by the HTML5 `<keygen>` element. Node.js uses [OpenSSL's SPKAC
31
+ * implementation](https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html) internally.
32
+ * @since v0.11.8
33
+ */
34
+ class Certificate {
35
+ /**
36
+ * ```js
37
+ * const { Certificate } = await import('node:crypto');
38
+ * const spkac = getSpkacSomehow();
39
+ * const challenge = Certificate.exportChallenge(spkac);
40
+ * console.log(challenge.toString('utf8'));
41
+ * // Prints: the challenge as a UTF8 string
42
+ * ```
43
+ * @since v9.0.0
44
+ * @param encoding The `encoding` of the `spkac` string.
45
+ * @return The challenge component of the `spkac` data structure, which includes a public key and a challenge.
46
+ */
47
+ static exportChallenge(spkac: BinaryLike): Buffer;
48
+ /**
49
+ * ```js
50
+ * const { Certificate } = await import('node:crypto');
51
+ * const spkac = getSpkacSomehow();
52
+ * const publicKey = Certificate.exportPublicKey(spkac);
53
+ * console.log(publicKey);
54
+ * // Prints: the public key as <Buffer ...>
55
+ * ```
56
+ * @since v9.0.0
57
+ * @param encoding The `encoding` of the `spkac` string.
58
+ * @return The public key component of the `spkac` data structure, which includes a public key and a challenge.
59
+ */
60
+ static exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
61
+ /**
62
+ * ```js
63
+ * import { Buffer } from 'node:buffer';
64
+ * const { Certificate } = await import('node:crypto');
65
+ *
66
+ * const spkac = getSpkacSomehow();
67
+ * console.log(Certificate.verifySpkac(Buffer.from(spkac)));
68
+ * // Prints: true or false
69
+ * ```
70
+ * @since v9.0.0
71
+ * @param encoding The `encoding` of the `spkac` string.
72
+ * @return `true` if the given `spkac` data structure is valid, `false` otherwise.
73
+ */
74
+ static verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
75
+ /**
76
+ * @deprecated
77
+ * @param spkac
78
+ * @returns The challenge component of the `spkac` data structure,
79
+ * which includes a public key and a challenge.
80
+ */
81
+ exportChallenge(spkac: BinaryLike): Buffer;
82
+ /**
83
+ * @deprecated
84
+ * @param spkac
85
+ * @param encoding The encoding of the spkac string.
86
+ * @returns The public key component of the `spkac` data structure,
87
+ * which includes a public key and a challenge.
88
+ */
89
+ exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
90
+ /**
91
+ * @deprecated
92
+ * @param spkac
93
+ * @returns `true` if the given `spkac` data structure is valid,
94
+ * `false` otherwise.
95
+ */
96
+ verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
97
+ }
98
+ namespace constants {
99
+ // https://nodejs.org/dist/latest-v20.x/docs/api/crypto.html#crypto-constants
100
+ const OPENSSL_VERSION_NUMBER: number;
101
+ /** Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. */
102
+ const SSL_OP_ALL: number;
103
+ /** Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode for TLS v1.3 */
104
+ const SSL_OP_ALLOW_NO_DHE_KEX: number;
105
+ /** Allows legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */
106
+ const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: number;
107
+ /** Attempts to use the server's preferences instead of the client's when selecting a cipher. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */
108
+ const SSL_OP_CIPHER_SERVER_PREFERENCE: number;
109
+ /** Instructs OpenSSL to use Cisco's version identifier of DTLS_BAD_VER. */
110
+ const SSL_OP_CISCO_ANYCONNECT: number;
111
+ /** Instructs OpenSSL to turn on cookie exchange. */
112
+ const SSL_OP_COOKIE_EXCHANGE: number;
113
+ /** Instructs OpenSSL to add server-hello extension from an early version of the cryptopro draft. */
114
+ const SSL_OP_CRYPTOPRO_TLSEXT_BUG: number;
115
+ /** Instructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability workaround added in OpenSSL 0.9.6d. */
116
+ const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: number;
117
+ /** Allows initial connection to servers that do not support RI. */
118
+ const SSL_OP_LEGACY_SERVER_CONNECT: number;
119
+ /** Instructs OpenSSL to disable support for SSL/TLS compression. */
120
+ const SSL_OP_NO_COMPRESSION: number;
121
+ /** Instructs OpenSSL to disable encrypt-then-MAC. */
122
+ const SSL_OP_NO_ENCRYPT_THEN_MAC: number;
123
+ const SSL_OP_NO_QUERY_MTU: number;
124
+ /** Instructs OpenSSL to disable renegotiation. */
125
+ const SSL_OP_NO_RENEGOTIATION: number;
126
+ /** Instructs OpenSSL to always start a new session when performing renegotiation. */
127
+ const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION: number;
128
+ /** Instructs OpenSSL to turn off SSL v2 */
129
+ const SSL_OP_NO_SSLv2: number;
130
+ /** Instructs OpenSSL to turn off SSL v3 */
131
+ const SSL_OP_NO_SSLv3: number;
132
+ /** Instructs OpenSSL to disable use of RFC4507bis tickets. */
133
+ const SSL_OP_NO_TICKET: number;
134
+ /** Instructs OpenSSL to turn off TLS v1 */
135
+ const SSL_OP_NO_TLSv1: number;
136
+ /** Instructs OpenSSL to turn off TLS v1.1 */
137
+ const SSL_OP_NO_TLSv1_1: number;
138
+ /** Instructs OpenSSL to turn off TLS v1.2 */
139
+ const SSL_OP_NO_TLSv1_2: number;
140
+ /** Instructs OpenSSL to turn off TLS v1.3 */
141
+ const SSL_OP_NO_TLSv1_3: number;
142
+ /** Instructs OpenSSL server to prioritize ChaCha20-Poly1305 when the client does. This option has no effect if `SSL_OP_CIPHER_SERVER_PREFERENCE` is not enabled. */
143
+ const SSL_OP_PRIORITIZE_CHACHA: number;
144
+ /** Instructs OpenSSL to disable version rollback attack detection. */
145
+ const SSL_OP_TLS_ROLLBACK_BUG: number;
146
+ const ENGINE_METHOD_RSA: number;
147
+ const ENGINE_METHOD_DSA: number;
148
+ const ENGINE_METHOD_DH: number;
149
+ const ENGINE_METHOD_RAND: number;
150
+ const ENGINE_METHOD_EC: number;
151
+ const ENGINE_METHOD_CIPHERS: number;
152
+ const ENGINE_METHOD_DIGESTS: number;
153
+ const ENGINE_METHOD_PKEY_METHS: number;
154
+ const ENGINE_METHOD_PKEY_ASN1_METHS: number;
155
+ const ENGINE_METHOD_ALL: number;
156
+ const ENGINE_METHOD_NONE: number;
157
+ const DH_CHECK_P_NOT_SAFE_PRIME: number;
158
+ const DH_CHECK_P_NOT_PRIME: number;
159
+ const DH_UNABLE_TO_CHECK_GENERATOR: number;
160
+ const DH_NOT_SUITABLE_GENERATOR: number;
161
+ const RSA_PKCS1_PADDING: number;
162
+ const RSA_SSLV23_PADDING: number;
163
+ const RSA_NO_PADDING: number;
164
+ const RSA_PKCS1_OAEP_PADDING: number;
165
+ const RSA_X931_PADDING: number;
166
+ const RSA_PKCS1_PSS_PADDING: number;
167
+ /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the digest size when signing or verifying. */
168
+ const RSA_PSS_SALTLEN_DIGEST: number;
169
+ /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the maximum permissible value when signing data. */
170
+ const RSA_PSS_SALTLEN_MAX_SIGN: number;
171
+ /** Causes the salt length for RSA_PKCS1_PSS_PADDING to be determined automatically when verifying a signature. */
172
+ const RSA_PSS_SALTLEN_AUTO: number;
173
+ const POINT_CONVERSION_COMPRESSED: number;
174
+ const POINT_CONVERSION_UNCOMPRESSED: number;
175
+ const POINT_CONVERSION_HYBRID: number;
176
+ /** Specifies the built-in default cipher list used by Node.js (colon-separated values). */
177
+ const defaultCoreCipherList: string;
178
+ /** Specifies the active default cipher list used by the current Node.js process (colon-separated values). */
179
+ const defaultCipherList: string;
180
+ }
181
+ interface HashOptions extends stream.TransformOptions {
182
+ /**
183
+ * For XOF hash functions such as `shake256`, the
184
+ * outputLength option can be used to specify the desired output length in bytes.
185
+ */
186
+ outputLength?: number | undefined;
187
+ }
188
+ /** @deprecated since v10.0.0 */
189
+ const fips: boolean;
190
+ /**
191
+ * Creates and returns a `Hash` object that can be used to generate hash digests
192
+ * using the given `algorithm`. Optional `options` argument controls stream
193
+ * behavior. For XOF hash functions such as `'shake256'`, the `outputLength` option
194
+ * can be used to specify the desired output length in bytes.
195
+ *
196
+ * The `algorithm` is dependent on the available algorithms supported by the
197
+ * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
198
+ * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
199
+ * display the available digest algorithms.
200
+ *
201
+ * Example: generating the sha256 sum of a file
202
+ *
203
+ * ```js
204
+ * import {
205
+ * createReadStream,
206
+ * } from 'node:fs';
207
+ * import { argv } from 'node:process';
208
+ * const {
209
+ * createHash,
210
+ * } = await import('node:crypto');
211
+ *
212
+ * const filename = argv[2];
213
+ *
214
+ * const hash = createHash('sha256');
215
+ *
216
+ * const input = createReadStream(filename);
217
+ * input.on('readable', () => {
218
+ * // Only one element is going to be produced by the
219
+ * // hash stream.
220
+ * const data = input.read();
221
+ * if (data)
222
+ * hash.update(data);
223
+ * else {
224
+ * console.log(`${hash.digest('hex')} ${filename}`);
225
+ * }
226
+ * });
227
+ * ```
228
+ * @since v0.1.92
229
+ * @param options `stream.transform` options
230
+ */
231
+ function createHash(algorithm: string, options?: HashOptions): Hash;
232
+ /**
233
+ * Creates and returns an `Hmac` object that uses the given `algorithm` and `key`.
234
+ * Optional `options` argument controls stream behavior.
235
+ *
236
+ * The `algorithm` is dependent on the available algorithms supported by the
237
+ * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
238
+ * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
239
+ * display the available digest algorithms.
240
+ *
241
+ * The `key` is the HMAC key used to generate the cryptographic HMAC hash. If it is
242
+ * a `KeyObject`, its type must be `secret`. If it is a string, please consider `caveats when using strings as inputs to cryptographic APIs`. If it was
243
+ * obtained from a cryptographically secure source of entropy, such as {@link randomBytes} or {@link generateKey}, its length should not
244
+ * exceed the block size of `algorithm` (e.g., 512 bits for SHA-256).
245
+ *
246
+ * Example: generating the sha256 HMAC of a file
247
+ *
248
+ * ```js
249
+ * import {
250
+ * createReadStream,
251
+ * } from 'node:fs';
252
+ * import { argv } from 'node:process';
253
+ * const {
254
+ * createHmac,
255
+ * } = await import('node:crypto');
256
+ *
257
+ * const filename = argv[2];
258
+ *
259
+ * const hmac = createHmac('sha256', 'a secret');
260
+ *
261
+ * const input = createReadStream(filename);
262
+ * input.on('readable', () => {
263
+ * // Only one element is going to be produced by the
264
+ * // hash stream.
265
+ * const data = input.read();
266
+ * if (data)
267
+ * hmac.update(data);
268
+ * else {
269
+ * console.log(`${hmac.digest('hex')} ${filename}`);
270
+ * }
271
+ * });
272
+ * ```
273
+ * @since v0.1.94
274
+ * @param options `stream.transform` options
275
+ */
276
+ function createHmac(algorithm: string, key: BinaryLike | KeyObject, options?: stream.TransformOptions): Hmac;
277
+ // https://nodejs.org/api/buffer.html#buffer_buffers_and_character_encodings
278
+ type BinaryToTextEncoding = "base64" | "base64url" | "hex" | "binary";
279
+ type CharacterEncoding = "utf8" | "utf-8" | "utf16le" | "utf-16le" | "latin1";
280
+ type LegacyCharacterEncoding = "ascii" | "binary" | "ucs2" | "ucs-2";
281
+ type Encoding = BinaryToTextEncoding | CharacterEncoding | LegacyCharacterEncoding;
282
+ type ECDHKeyFormat = "compressed" | "uncompressed" | "hybrid";
283
+ /**
284
+ * The `Hash` class is a utility for creating hash digests of data. It can be
285
+ * used in one of two ways:
286
+ *
287
+ * * As a `stream` that is both readable and writable, where data is written
288
+ * to produce a computed hash digest on the readable side, or
289
+ * * Using the `hash.update()` and `hash.digest()` methods to produce the
290
+ * computed hash.
291
+ *
292
+ * The {@link createHash} method is used to create `Hash` instances. `Hash`objects are not to be created directly using the `new` keyword.
293
+ *
294
+ * Example: Using `Hash` objects as streams:
295
+ *
296
+ * ```js
297
+ * const {
298
+ * createHash,
299
+ * } = await import('node:crypto');
300
+ *
301
+ * const hash = createHash('sha256');
302
+ *
303
+ * hash.on('readable', () => {
304
+ * // Only one element is going to be produced by the
305
+ * // hash stream.
306
+ * const data = hash.read();
307
+ * if (data) {
308
+ * console.log(data.toString('hex'));
309
+ * // Prints:
310
+ * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
311
+ * }
312
+ * });
313
+ *
314
+ * hash.write('some data to hash');
315
+ * hash.end();
316
+ * ```
317
+ *
318
+ * Example: Using `Hash` and piped streams:
319
+ *
320
+ * ```js
321
+ * import { createReadStream } from 'node:fs';
322
+ * import { stdout } from 'node:process';
323
+ * const { createHash } = await import('node:crypto');
324
+ *
325
+ * const hash = createHash('sha256');
326
+ *
327
+ * const input = createReadStream('test.js');
328
+ * input.pipe(hash).setEncoding('hex').pipe(stdout);
329
+ * ```
330
+ *
331
+ * Example: Using the `hash.update()` and `hash.digest()` methods:
332
+ *
333
+ * ```js
334
+ * const {
335
+ * createHash,
336
+ * } = await import('node:crypto');
337
+ *
338
+ * const hash = createHash('sha256');
339
+ *
340
+ * hash.update('some data to hash');
341
+ * console.log(hash.digest('hex'));
342
+ * // Prints:
343
+ * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
344
+ * ```
345
+ * @since v0.1.92
346
+ */
347
+ class Hash extends stream.Transform {
348
+ private constructor();
349
+ /**
350
+ * Creates a new `Hash` object that contains a deep copy of the internal state
351
+ * of the current `Hash` object.
352
+ *
353
+ * The optional `options` argument controls stream behavior. For XOF hash
354
+ * functions such as `'shake256'`, the `outputLength` option can be used to
355
+ * specify the desired output length in bytes.
356
+ *
357
+ * An error is thrown when an attempt is made to copy the `Hash` object after
358
+ * its `hash.digest()` method has been called.
359
+ *
360
+ * ```js
361
+ * // Calculate a rolling hash.
362
+ * const {
363
+ * createHash,
364
+ * } = await import('node:crypto');
365
+ *
366
+ * const hash = createHash('sha256');
367
+ *
368
+ * hash.update('one');
369
+ * console.log(hash.copy().digest('hex'));
370
+ *
371
+ * hash.update('two');
372
+ * console.log(hash.copy().digest('hex'));
373
+ *
374
+ * hash.update('three');
375
+ * console.log(hash.copy().digest('hex'));
376
+ *
377
+ * // Etc.
378
+ * ```
379
+ * @since v13.1.0
380
+ * @param options `stream.transform` options
381
+ */
382
+ copy(options?: HashOptions): Hash;
383
+ /**
384
+ * Updates the hash content with the given `data`, the encoding of which
385
+ * is given in `inputEncoding`.
386
+ * If `encoding` is not provided, and the `data` is a string, an
387
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
388
+ *
389
+ * This can be called many times with new data as it is streamed.
390
+ * @since v0.1.92
391
+ * @param inputEncoding The `encoding` of the `data` string.
392
+ */
393
+ update(data: BinaryLike): Hash;
394
+ update(data: string, inputEncoding: Encoding): Hash;
395
+ /**
396
+ * Calculates the digest of all of the data passed to be hashed (using the `hash.update()` method).
397
+ * If `encoding` is provided a string will be returned; otherwise
398
+ * a `Buffer` is returned.
399
+ *
400
+ * The `Hash` object can not be used again after `hash.digest()` method has been
401
+ * called. Multiple calls will cause an error to be thrown.
402
+ * @since v0.1.92
403
+ * @param encoding The `encoding` of the return value.
404
+ */
405
+ digest(): Buffer;
406
+ digest(encoding: BinaryToTextEncoding): string;
407
+ }
408
+ /**
409
+ * The `Hmac` class is a utility for creating cryptographic HMAC digests. It can
410
+ * be used in one of two ways:
411
+ *
412
+ * * As a `stream` that is both readable and writable, where data is written
413
+ * to produce a computed HMAC digest on the readable side, or
414
+ * * Using the `hmac.update()` and `hmac.digest()` methods to produce the
415
+ * computed HMAC digest.
416
+ *
417
+ * The {@link createHmac} method is used to create `Hmac` instances. `Hmac`objects are not to be created directly using the `new` keyword.
418
+ *
419
+ * Example: Using `Hmac` objects as streams:
420
+ *
421
+ * ```js
422
+ * const {
423
+ * createHmac,
424
+ * } = await import('node:crypto');
425
+ *
426
+ * const hmac = createHmac('sha256', 'a secret');
427
+ *
428
+ * hmac.on('readable', () => {
429
+ * // Only one element is going to be produced by the
430
+ * // hash stream.
431
+ * const data = hmac.read();
432
+ * if (data) {
433
+ * console.log(data.toString('hex'));
434
+ * // Prints:
435
+ * // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
436
+ * }
437
+ * });
438
+ *
439
+ * hmac.write('some data to hash');
440
+ * hmac.end();
441
+ * ```
442
+ *
443
+ * Example: Using `Hmac` and piped streams:
444
+ *
445
+ * ```js
446
+ * import { createReadStream } from 'node:fs';
447
+ * import { stdout } from 'node:process';
448
+ * const {
449
+ * createHmac,
450
+ * } = await import('node:crypto');
451
+ *
452
+ * const hmac = createHmac('sha256', 'a secret');
453
+ *
454
+ * const input = createReadStream('test.js');
455
+ * input.pipe(hmac).pipe(stdout);
456
+ * ```
457
+ *
458
+ * Example: Using the `hmac.update()` and `hmac.digest()` methods:
459
+ *
460
+ * ```js
461
+ * const {
462
+ * createHmac,
463
+ * } = await import('node:crypto');
464
+ *
465
+ * const hmac = createHmac('sha256', 'a secret');
466
+ *
467
+ * hmac.update('some data to hash');
468
+ * console.log(hmac.digest('hex'));
469
+ * // Prints:
470
+ * // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
471
+ * ```
472
+ * @since v0.1.94
473
+ * @deprecated Since v20.13.0 Calling `Hmac` class directly with `Hmac()` or `new Hmac()` is deprecated due to being internals, not intended for public use. Please use the {@link createHmac} method to create Hmac instances.
474
+ */
475
+ class Hmac extends stream.Transform {
476
+ private constructor();
477
+ /**
478
+ * Updates the `Hmac` content with the given `data`, the encoding of which
479
+ * is given in `inputEncoding`.
480
+ * If `encoding` is not provided, and the `data` is a string, an
481
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
482
+ *
483
+ * This can be called many times with new data as it is streamed.
484
+ * @since v0.1.94
485
+ * @param inputEncoding The `encoding` of the `data` string.
486
+ */
487
+ update(data: BinaryLike): Hmac;
488
+ update(data: string, inputEncoding: Encoding): Hmac;
489
+ /**
490
+ * Calculates the HMAC digest of all of the data passed using `hmac.update()`.
491
+ * If `encoding` is
492
+ * provided a string is returned; otherwise a `Buffer` is returned;
493
+ *
494
+ * The `Hmac` object can not be used again after `hmac.digest()` has been
495
+ * called. Multiple calls to `hmac.digest()` will result in an error being thrown.
496
+ * @since v0.1.94
497
+ * @param encoding The `encoding` of the return value.
498
+ */
499
+ digest(): Buffer;
500
+ digest(encoding: BinaryToTextEncoding): string;
501
+ }
502
+ type KeyObjectType = "secret" | "public" | "private";
503
+ interface KeyExportOptions<T extends KeyFormat> {
504
+ type: "pkcs1" | "spki" | "pkcs8" | "sec1";
505
+ format: T;
506
+ cipher?: string | undefined;
507
+ passphrase?: string | Buffer | undefined;
508
+ }
509
+ interface JwkKeyExportOptions {
510
+ format: "jwk";
511
+ }
512
+ interface JsonWebKey {
513
+ crv?: string | undefined;
514
+ d?: string | undefined;
515
+ dp?: string | undefined;
516
+ dq?: string | undefined;
517
+ e?: string | undefined;
518
+ k?: string | undefined;
519
+ kty?: string | undefined;
520
+ n?: string | undefined;
521
+ p?: string | undefined;
522
+ q?: string | undefined;
523
+ qi?: string | undefined;
524
+ x?: string | undefined;
525
+ y?: string | undefined;
526
+ [key: string]: unknown;
527
+ }
528
+ interface AsymmetricKeyDetails {
529
+ /**
530
+ * Key size in bits (RSA, DSA).
531
+ */
532
+ modulusLength?: number | undefined;
533
+ /**
534
+ * Public exponent (RSA).
535
+ */
536
+ publicExponent?: bigint | undefined;
537
+ /**
538
+ * Name of the message digest (RSA-PSS).
539
+ */
540
+ hashAlgorithm?: string | undefined;
541
+ /**
542
+ * Name of the message digest used by MGF1 (RSA-PSS).
543
+ */
544
+ mgf1HashAlgorithm?: string | undefined;
545
+ /**
546
+ * Minimal salt length in bytes (RSA-PSS).
547
+ */
548
+ saltLength?: number | undefined;
549
+ /**
550
+ * Size of q in bits (DSA).
551
+ */
552
+ divisorLength?: number | undefined;
553
+ /**
554
+ * Name of the curve (EC).
555
+ */
556
+ namedCurve?: string | undefined;
557
+ }
558
+ /**
559
+ * Node.js uses a `KeyObject` class to represent a symmetric or asymmetric key,
560
+ * and each kind of key exposes different functions. The {@link createSecretKey}, {@link createPublicKey} and {@link createPrivateKey} methods are used to create `KeyObject`instances. `KeyObject`
561
+ * objects are not to be created directly using the `new`keyword.
562
+ *
563
+ * Most applications should consider using the new `KeyObject` API instead of
564
+ * passing keys as strings or `Buffer`s due to improved security features.
565
+ *
566
+ * `KeyObject` instances can be passed to other threads via `postMessage()`.
567
+ * The receiver obtains a cloned `KeyObject`, and the `KeyObject` does not need to
568
+ * be listed in the `transferList` argument.
569
+ * @since v11.6.0
570
+ */
571
+ class KeyObject {
572
+ private constructor();
573
+ /**
574
+ * Example: Converting a `CryptoKey` instance to a `KeyObject`:
575
+ *
576
+ * ```js
577
+ * const { KeyObject } = await import('node:crypto');
578
+ * const { subtle } = globalThis.crypto;
579
+ *
580
+ * const key = await subtle.generateKey({
581
+ * name: 'HMAC',
582
+ * hash: 'SHA-256',
583
+ * length: 256,
584
+ * }, true, ['sign', 'verify']);
585
+ *
586
+ * const keyObject = KeyObject.from(key);
587
+ * console.log(keyObject.symmetricKeySize);
588
+ * // Prints: 32 (symmetric key size in bytes)
589
+ * ```
590
+ * @since v15.0.0
591
+ */
592
+ static from(key: webcrypto.CryptoKey): KeyObject;
593
+ /**
594
+ * For asymmetric keys, this property represents the type of the key. Supported key
595
+ * types are:
596
+ *
597
+ * * `'rsa'` (OID 1.2.840.113549.1.1.1)
598
+ * * `'rsa-pss'` (OID 1.2.840.113549.1.1.10)
599
+ * * `'dsa'` (OID 1.2.840.10040.4.1)
600
+ * * `'ec'` (OID 1.2.840.10045.2.1)
601
+ * * `'x25519'` (OID 1.3.101.110)
602
+ * * `'x448'` (OID 1.3.101.111)
603
+ * * `'ed25519'` (OID 1.3.101.112)
604
+ * * `'ed448'` (OID 1.3.101.113)
605
+ * * `'dh'` (OID 1.2.840.113549.1.3.1)
606
+ *
607
+ * This property is `undefined` for unrecognized `KeyObject` types and symmetric
608
+ * keys.
609
+ * @since v11.6.0
610
+ */
611
+ asymmetricKeyType?: KeyType | undefined;
612
+ /**
613
+ * For asymmetric keys, this property represents the size of the embedded key in
614
+ * bytes. This property is `undefined` for symmetric keys.
615
+ */
616
+ asymmetricKeySize?: number | undefined;
617
+ /**
618
+ * This property exists only on asymmetric keys. Depending on the type of the key,
619
+ * this object contains information about the key. None of the information obtained
620
+ * through this property can be used to uniquely identify a key or to compromise
621
+ * the security of the key.
622
+ *
623
+ * For RSA-PSS keys, if the key material contains a `RSASSA-PSS-params` sequence,
624
+ * the `hashAlgorithm`, `mgf1HashAlgorithm`, and `saltLength` properties will be
625
+ * set.
626
+ *
627
+ * Other key details might be exposed via this API using additional attributes.
628
+ * @since v15.7.0
629
+ */
630
+ asymmetricKeyDetails?: AsymmetricKeyDetails | undefined;
631
+ /**
632
+ * For symmetric keys, the following encoding options can be used:
633
+ *
634
+ * For public keys, the following encoding options can be used:
635
+ *
636
+ * For private keys, the following encoding options can be used:
637
+ *
638
+ * The result type depends on the selected encoding format, when PEM the
639
+ * result is a string, when DER it will be a buffer containing the data
640
+ * encoded as DER, when [JWK](https://tools.ietf.org/html/rfc7517) it will be an object.
641
+ *
642
+ * When [JWK](https://tools.ietf.org/html/rfc7517) encoding format was selected, all other encoding options are
643
+ * ignored.
644
+ *
645
+ * PKCS#1, SEC1, and PKCS#8 type keys can be encrypted by using a combination of
646
+ * the `cipher` and `format` options. The PKCS#8 `type` can be used with any`format` to encrypt any key algorithm (RSA, EC, or DH) by specifying a`cipher`. PKCS#1 and SEC1 can only be
647
+ * encrypted by specifying a `cipher`when the PEM `format` is used. For maximum compatibility, use PKCS#8 for
648
+ * encrypted private keys. Since PKCS#8 defines its own
649
+ * encryption mechanism, PEM-level encryption is not supported when encrypting
650
+ * a PKCS#8 key. See [RFC 5208](https://www.rfc-editor.org/rfc/rfc5208.txt) for PKCS#8 encryption and [RFC 1421](https://www.rfc-editor.org/rfc/rfc1421.txt) for
651
+ * PKCS#1 and SEC1 encryption.
652
+ * @since v11.6.0
653
+ */
654
+ export(options: KeyExportOptions<"pem">): string | Buffer;
655
+ export(options?: KeyExportOptions<"der">): Buffer;
656
+ export(options?: JwkKeyExportOptions): JsonWebKey;
657
+ /**
658
+ * Returns `true` or `false` depending on whether the keys have exactly the same
659
+ * type, value, and parameters. This method is not [constant time](https://en.wikipedia.org/wiki/Timing_attack).
660
+ * @since v17.7.0, v16.15.0
661
+ * @param otherKeyObject A `KeyObject` with which to compare `keyObject`.
662
+ */
663
+ equals(otherKeyObject: KeyObject): boolean;
664
+ /**
665
+ * For secret keys, this property represents the size of the key in bytes. This
666
+ * property is `undefined` for asymmetric keys.
667
+ * @since v11.6.0
668
+ */
669
+ symmetricKeySize?: number | undefined;
670
+ /**
671
+ * Depending on the type of this `KeyObject`, this property is either`'secret'` for secret (symmetric) keys, `'public'` for public (asymmetric) keys
672
+ * or `'private'` for private (asymmetric) keys.
673
+ * @since v11.6.0
674
+ */
675
+ type: KeyObjectType;
676
+ }
677
+ type CipherCCMTypes = "aes-128-ccm" | "aes-192-ccm" | "aes-256-ccm" | "chacha20-poly1305";
678
+ type CipherGCMTypes = "aes-128-gcm" | "aes-192-gcm" | "aes-256-gcm";
679
+ type CipherOCBTypes = "aes-128-ocb" | "aes-192-ocb" | "aes-256-ocb";
680
+ type BinaryLike = string | NodeJS.ArrayBufferView;
681
+ type CipherKey = BinaryLike | KeyObject;
682
+ interface CipherCCMOptions extends stream.TransformOptions {
683
+ authTagLength: number;
684
+ }
685
+ interface CipherGCMOptions extends stream.TransformOptions {
686
+ authTagLength?: number | undefined;
687
+ }
688
+ interface CipherOCBOptions extends stream.TransformOptions {
689
+ authTagLength: number;
690
+ }
691
+ /**
692
+ * Creates and returns a `Cipher` object that uses the given `algorithm` and `password`.
693
+ *
694
+ * The `options` argument controls stream behavior and is optional except when a
695
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
696
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
697
+ * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
698
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
699
+ *
700
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
701
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
702
+ * display the available cipher algorithms.
703
+ *
704
+ * The `password` is used to derive the cipher key and initialization vector (IV).
705
+ * The value must be either a `'latin1'` encoded string, a `Buffer`, a`TypedArray`, or a `DataView`.
706
+ *
707
+ * **This function is semantically insecure for all**
708
+ * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
709
+ * **GCM, or CCM).**
710
+ *
711
+ * The implementation of `crypto.createCipher()` derives keys using the OpenSSL
712
+ * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
713
+ * iteration, and no salt. The lack of salt allows dictionary attacks as the same
714
+ * password always creates the same key. The low iteration count and
715
+ * non-cryptographically secure hash algorithm allow passwords to be tested very
716
+ * rapidly.
717
+ *
718
+ * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
719
+ * developers derive a key and IV on
720
+ * their own using {@link scrypt} and to use {@link createCipheriv} to create the `Cipher` object. Users should not use ciphers with counter mode
721
+ * (e.g. CTR, GCM, or CCM) in `crypto.createCipher()`. A warning is emitted when
722
+ * they are used in order to avoid the risk of IV reuse that causes
723
+ * vulnerabilities. For the case when IV is reused in GCM, see [Nonce-Disrespecting Adversaries](https://github.com/nonce-disrespect/nonce-disrespect) for details.
724
+ * @since v0.1.94
725
+ * @deprecated Since v10.0.0 - Use {@link createCipheriv} instead.
726
+ * @param options `stream.transform` options
727
+ */
728
+ function createCipher(algorithm: CipherCCMTypes, password: BinaryLike, options: CipherCCMOptions): CipherCCM;
729
+ /** @deprecated since v10.0.0 use `createCipheriv()` */
730
+ function createCipher(algorithm: CipherGCMTypes, password: BinaryLike, options?: CipherGCMOptions): CipherGCM;
731
+ /** @deprecated since v10.0.0 use `createCipheriv()` */
732
+ function createCipher(algorithm: string, password: BinaryLike, options?: stream.TransformOptions): Cipher;
733
+ /**
734
+ * Creates and returns a `Cipher` object, with the given `algorithm`, `key` and
735
+ * initialization vector (`iv`).
736
+ *
737
+ * The `options` argument controls stream behavior and is optional except when a
738
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
739
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
740
+ * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
741
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
742
+ *
743
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
744
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
745
+ * display the available cipher algorithms.
746
+ *
747
+ * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
748
+ * strings,`Buffers`, `TypedArray`, or `DataView`s. The `key` may optionally be
749
+ * a `KeyObject` of type `secret`. If the cipher does not need
750
+ * an initialization vector, `iv` may be `null`.
751
+ *
752
+ * When passing strings for `key` or `iv`, please consider `caveats when using strings as inputs to cryptographic APIs`.
753
+ *
754
+ * Initialization vectors should be unpredictable and unique; ideally, they will be
755
+ * cryptographically random. They do not have to be secret: IVs are typically just
756
+ * added to ciphertext messages unencrypted. It may sound contradictory that
757
+ * something has to be unpredictable and unique, but does not have to be secret;
758
+ * remember that an attacker must not be able to predict ahead of time what a
759
+ * given IV will be.
760
+ * @since v0.1.94
761
+ * @param options `stream.transform` options
762
+ */
763
+ function createCipheriv(
764
+ algorithm: CipherCCMTypes,
765
+ key: CipherKey,
766
+ iv: BinaryLike,
767
+ options: CipherCCMOptions,
768
+ ): CipherCCM;
769
+ function createCipheriv(
770
+ algorithm: CipherOCBTypes,
771
+ key: CipherKey,
772
+ iv: BinaryLike,
773
+ options: CipherOCBOptions,
774
+ ): CipherOCB;
775
+ function createCipheriv(
776
+ algorithm: CipherGCMTypes,
777
+ key: CipherKey,
778
+ iv: BinaryLike,
779
+ options?: CipherGCMOptions,
780
+ ): CipherGCM;
781
+ function createCipheriv(
782
+ algorithm: string,
783
+ key: CipherKey,
784
+ iv: BinaryLike | null,
785
+ options?: stream.TransformOptions,
786
+ ): Cipher;
787
+ /**
788
+ * Instances of the `Cipher` class are used to encrypt data. The class can be
789
+ * used in one of two ways:
790
+ *
791
+ * * As a `stream` that is both readable and writable, where plain unencrypted
792
+ * data is written to produce encrypted data on the readable side, or
793
+ * * Using the `cipher.update()` and `cipher.final()` methods to produce
794
+ * the encrypted data.
795
+ *
796
+ * The {@link createCipher} or {@link createCipheriv} methods are
797
+ * used to create `Cipher` instances. `Cipher` objects are not to be created
798
+ * directly using the `new` keyword.
799
+ *
800
+ * Example: Using `Cipher` objects as streams:
801
+ *
802
+ * ```js
803
+ * const {
804
+ * scrypt,
805
+ * randomFill,
806
+ * createCipheriv,
807
+ * } = await import('node:crypto');
808
+ *
809
+ * const algorithm = 'aes-192-cbc';
810
+ * const password = 'Password used to generate key';
811
+ *
812
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
813
+ * // In this case for aes192, it is 24 bytes (192 bits).
814
+ * scrypt(password, 'salt', 24, (err, key) => {
815
+ * if (err) throw err;
816
+ * // Then, we'll generate a random initialization vector
817
+ * randomFill(new Uint8Array(16), (err, iv) => {
818
+ * if (err) throw err;
819
+ *
820
+ * // Once we have the key and iv, we can create and use the cipher...
821
+ * const cipher = createCipheriv(algorithm, key, iv);
822
+ *
823
+ * let encrypted = '';
824
+ * cipher.setEncoding('hex');
825
+ *
826
+ * cipher.on('data', (chunk) => encrypted += chunk);
827
+ * cipher.on('end', () => console.log(encrypted));
828
+ *
829
+ * cipher.write('some clear text data');
830
+ * cipher.end();
831
+ * });
832
+ * });
833
+ * ```
834
+ *
835
+ * Example: Using `Cipher` and piped streams:
836
+ *
837
+ * ```js
838
+ * import {
839
+ * createReadStream,
840
+ * createWriteStream,
841
+ * } from 'node:fs';
842
+ *
843
+ * import {
844
+ * pipeline,
845
+ * } from 'node:stream';
846
+ *
847
+ * const {
848
+ * scrypt,
849
+ * randomFill,
850
+ * createCipheriv,
851
+ * } = await import('node:crypto');
852
+ *
853
+ * const algorithm = 'aes-192-cbc';
854
+ * const password = 'Password used to generate key';
855
+ *
856
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
857
+ * // In this case for aes192, it is 24 bytes (192 bits).
858
+ * scrypt(password, 'salt', 24, (err, key) => {
859
+ * if (err) throw err;
860
+ * // Then, we'll generate a random initialization vector
861
+ * randomFill(new Uint8Array(16), (err, iv) => {
862
+ * if (err) throw err;
863
+ *
864
+ * const cipher = createCipheriv(algorithm, key, iv);
865
+ *
866
+ * const input = createReadStream('test.js');
867
+ * const output = createWriteStream('test.enc');
868
+ *
869
+ * pipeline(input, cipher, output, (err) => {
870
+ * if (err) throw err;
871
+ * });
872
+ * });
873
+ * });
874
+ * ```
875
+ *
876
+ * Example: Using the `cipher.update()` and `cipher.final()` methods:
877
+ *
878
+ * ```js
879
+ * const {
880
+ * scrypt,
881
+ * randomFill,
882
+ * createCipheriv,
883
+ * } = await import('node:crypto');
884
+ *
885
+ * const algorithm = 'aes-192-cbc';
886
+ * const password = 'Password used to generate key';
887
+ *
888
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
889
+ * // In this case for aes192, it is 24 bytes (192 bits).
890
+ * scrypt(password, 'salt', 24, (err, key) => {
891
+ * if (err) throw err;
892
+ * // Then, we'll generate a random initialization vector
893
+ * randomFill(new Uint8Array(16), (err, iv) => {
894
+ * if (err) throw err;
895
+ *
896
+ * const cipher = createCipheriv(algorithm, key, iv);
897
+ *
898
+ * let encrypted = cipher.update('some clear text data', 'utf8', 'hex');
899
+ * encrypted += cipher.final('hex');
900
+ * console.log(encrypted);
901
+ * });
902
+ * });
903
+ * ```
904
+ * @since v0.1.94
905
+ */
906
+ class Cipher extends stream.Transform {
907
+ private constructor();
908
+ /**
909
+ * Updates the cipher with `data`. If the `inputEncoding` argument is given,
910
+ * the `data`argument is a string using the specified encoding. If the `inputEncoding`argument is not given, `data` must be a `Buffer`, `TypedArray`, or `DataView`. If `data` is a `Buffer`,
911
+ * `TypedArray`, or `DataView`, then `inputEncoding` is ignored.
912
+ *
913
+ * The `outputEncoding` specifies the output format of the enciphered
914
+ * data. If the `outputEncoding`is specified, a string using the specified encoding is returned. If no`outputEncoding` is provided, a `Buffer` is returned.
915
+ *
916
+ * The `cipher.update()` method can be called multiple times with new data until `cipher.final()` is called. Calling `cipher.update()` after `cipher.final()` will result in an error being
917
+ * thrown.
918
+ * @since v0.1.94
919
+ * @param inputEncoding The `encoding` of the data.
920
+ * @param outputEncoding The `encoding` of the return value.
921
+ */
922
+ update(data: BinaryLike): Buffer;
923
+ update(data: string, inputEncoding: Encoding): Buffer;
924
+ update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
925
+ update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
926
+ /**
927
+ * Once the `cipher.final()` method has been called, the `Cipher` object can no
928
+ * longer be used to encrypt data. Attempts to call `cipher.final()` more than
929
+ * once will result in an error being thrown.
930
+ * @since v0.1.94
931
+ * @param outputEncoding The `encoding` of the return value.
932
+ * @return Any remaining enciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
933
+ */
934
+ final(): Buffer;
935
+ final(outputEncoding: BufferEncoding): string;
936
+ /**
937
+ * When using block encryption algorithms, the `Cipher` class will automatically
938
+ * add padding to the input data to the appropriate block size. To disable the
939
+ * default padding call `cipher.setAutoPadding(false)`.
940
+ *
941
+ * When `autoPadding` is `false`, the length of the entire input data must be a
942
+ * multiple of the cipher's block size or `cipher.final()` will throw an error.
943
+ * Disabling automatic padding is useful for non-standard padding, for instance
944
+ * using `0x0` instead of PKCS padding.
945
+ *
946
+ * The `cipher.setAutoPadding()` method must be called before `cipher.final()`.
947
+ * @since v0.7.1
948
+ * @param [autoPadding=true]
949
+ * @return for method chaining.
950
+ */
951
+ setAutoPadding(autoPadding?: boolean): this;
952
+ }
953
+ interface CipherCCM extends Cipher {
954
+ setAAD(
955
+ buffer: NodeJS.ArrayBufferView,
956
+ options: {
957
+ plaintextLength: number;
958
+ },
959
+ ): this;
960
+ getAuthTag(): Buffer;
961
+ }
962
+ interface CipherGCM extends Cipher {
963
+ setAAD(
964
+ buffer: NodeJS.ArrayBufferView,
965
+ options?: {
966
+ plaintextLength: number;
967
+ },
968
+ ): this;
969
+ getAuthTag(): Buffer;
970
+ }
971
+ interface CipherOCB extends Cipher {
972
+ setAAD(
973
+ buffer: NodeJS.ArrayBufferView,
974
+ options?: {
975
+ plaintextLength: number;
976
+ },
977
+ ): this;
978
+ getAuthTag(): Buffer;
979
+ }
980
+ /**
981
+ * Creates and returns a `Decipher` object that uses the given `algorithm` and `password` (key).
982
+ *
983
+ * The `options` argument controls stream behavior and is optional except when a
984
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the `authTagLength` option is required and specifies the length of the
985
+ * authentication tag in bytes, see `CCM mode`.
986
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
987
+ *
988
+ * **This function is semantically insecure for all**
989
+ * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
990
+ * **GCM, or CCM).**
991
+ *
992
+ * The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
993
+ * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
994
+ * iteration, and no salt. The lack of salt allows dictionary attacks as the same
995
+ * password always creates the same key. The low iteration count and
996
+ * non-cryptographically secure hash algorithm allow passwords to be tested very
997
+ * rapidly.
998
+ *
999
+ * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
1000
+ * developers derive a key and IV on
1001
+ * their own using {@link scrypt} and to use {@link createDecipheriv} to create the `Decipher` object.
1002
+ * @since v0.1.94
1003
+ * @deprecated Since v10.0.0 - Use {@link createDecipheriv} instead.
1004
+ * @param options `stream.transform` options
1005
+ */
1006
+ function createDecipher(algorithm: CipherCCMTypes, password: BinaryLike, options: CipherCCMOptions): DecipherCCM;
1007
+ /** @deprecated since v10.0.0 use `createDecipheriv()` */
1008
+ function createDecipher(algorithm: CipherGCMTypes, password: BinaryLike, options?: CipherGCMOptions): DecipherGCM;
1009
+ /** @deprecated since v10.0.0 use `createDecipheriv()` */
1010
+ function createDecipher(algorithm: string, password: BinaryLike, options?: stream.TransformOptions): Decipher;
1011
+ /**
1012
+ * Creates and returns a `Decipher` object that uses the given `algorithm`, `key` and initialization vector (`iv`).
1013
+ *
1014
+ * The `options` argument controls stream behavior and is optional except when a
1015
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the `authTagLength` option is required and specifies the length of the
1016
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength` option is not required but can be used to restrict accepted authentication tags
1017
+ * to those with the specified length.
1018
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
1019
+ *
1020
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
1021
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
1022
+ * display the available cipher algorithms.
1023
+ *
1024
+ * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
1025
+ * strings,`Buffers`, `TypedArray`, or `DataView`s. The `key` may optionally be
1026
+ * a `KeyObject` of type `secret`. If the cipher does not need
1027
+ * an initialization vector, `iv` may be `null`.
1028
+ *
1029
+ * When passing strings for `key` or `iv`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1030
+ *
1031
+ * Initialization vectors should be unpredictable and unique; ideally, they will be
1032
+ * cryptographically random. They do not have to be secret: IVs are typically just
1033
+ * added to ciphertext messages unencrypted. It may sound contradictory that
1034
+ * something has to be unpredictable and unique, but does not have to be secret;
1035
+ * remember that an attacker must not be able to predict ahead of time what a given
1036
+ * IV will be.
1037
+ * @since v0.1.94
1038
+ * @param options `stream.transform` options
1039
+ */
1040
+ function createDecipheriv(
1041
+ algorithm: CipherCCMTypes,
1042
+ key: CipherKey,
1043
+ iv: BinaryLike,
1044
+ options: CipherCCMOptions,
1045
+ ): DecipherCCM;
1046
+ function createDecipheriv(
1047
+ algorithm: CipherOCBTypes,
1048
+ key: CipherKey,
1049
+ iv: BinaryLike,
1050
+ options: CipherOCBOptions,
1051
+ ): DecipherOCB;
1052
+ function createDecipheriv(
1053
+ algorithm: CipherGCMTypes,
1054
+ key: CipherKey,
1055
+ iv: BinaryLike,
1056
+ options?: CipherGCMOptions,
1057
+ ): DecipherGCM;
1058
+ function createDecipheriv(
1059
+ algorithm: string,
1060
+ key: CipherKey,
1061
+ iv: BinaryLike | null,
1062
+ options?: stream.TransformOptions,
1063
+ ): Decipher;
1064
+ /**
1065
+ * Instances of the `Decipher` class are used to decrypt data. The class can be
1066
+ * used in one of two ways:
1067
+ *
1068
+ * * As a `stream` that is both readable and writable, where plain encrypted
1069
+ * data is written to produce unencrypted data on the readable side, or
1070
+ * * Using the `decipher.update()` and `decipher.final()` methods to
1071
+ * produce the unencrypted data.
1072
+ *
1073
+ * The {@link createDecipher} or {@link createDecipheriv} methods are
1074
+ * used to create `Decipher` instances. `Decipher` objects are not to be created
1075
+ * directly using the `new` keyword.
1076
+ *
1077
+ * Example: Using `Decipher` objects as streams:
1078
+ *
1079
+ * ```js
1080
+ * import { Buffer } from 'node:buffer';
1081
+ * const {
1082
+ * scryptSync,
1083
+ * createDecipheriv,
1084
+ * } = await import('node:crypto');
1085
+ *
1086
+ * const algorithm = 'aes-192-cbc';
1087
+ * const password = 'Password used to generate key';
1088
+ * // Key length is dependent on the algorithm. In this case for aes192, it is
1089
+ * // 24 bytes (192 bits).
1090
+ * // Use the async `crypto.scrypt()` instead.
1091
+ * const key = scryptSync(password, 'salt', 24);
1092
+ * // The IV is usually passed along with the ciphertext.
1093
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1094
+ *
1095
+ * const decipher = createDecipheriv(algorithm, key, iv);
1096
+ *
1097
+ * let decrypted = '';
1098
+ * decipher.on('readable', () => {
1099
+ * let chunk;
1100
+ * while (null !== (chunk = decipher.read())) {
1101
+ * decrypted += chunk.toString('utf8');
1102
+ * }
1103
+ * });
1104
+ * decipher.on('end', () => {
1105
+ * console.log(decrypted);
1106
+ * // Prints: some clear text data
1107
+ * });
1108
+ *
1109
+ * // Encrypted with same algorithm, key and iv.
1110
+ * const encrypted =
1111
+ * 'e5f79c5915c02171eec6b212d5520d44480993d7d622a7c4c2da32f6efda0ffa';
1112
+ * decipher.write(encrypted, 'hex');
1113
+ * decipher.end();
1114
+ * ```
1115
+ *
1116
+ * Example: Using `Decipher` and piped streams:
1117
+ *
1118
+ * ```js
1119
+ * import {
1120
+ * createReadStream,
1121
+ * createWriteStream,
1122
+ * } from 'node:fs';
1123
+ * import { Buffer } from 'node:buffer';
1124
+ * const {
1125
+ * scryptSync,
1126
+ * createDecipheriv,
1127
+ * } = await import('node:crypto');
1128
+ *
1129
+ * const algorithm = 'aes-192-cbc';
1130
+ * const password = 'Password used to generate key';
1131
+ * // Use the async `crypto.scrypt()` instead.
1132
+ * const key = scryptSync(password, 'salt', 24);
1133
+ * // The IV is usually passed along with the ciphertext.
1134
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1135
+ *
1136
+ * const decipher = createDecipheriv(algorithm, key, iv);
1137
+ *
1138
+ * const input = createReadStream('test.enc');
1139
+ * const output = createWriteStream('test.js');
1140
+ *
1141
+ * input.pipe(decipher).pipe(output);
1142
+ * ```
1143
+ *
1144
+ * Example: Using the `decipher.update()` and `decipher.final()` methods:
1145
+ *
1146
+ * ```js
1147
+ * import { Buffer } from 'node:buffer';
1148
+ * const {
1149
+ * scryptSync,
1150
+ * createDecipheriv,
1151
+ * } = await import('node:crypto');
1152
+ *
1153
+ * const algorithm = 'aes-192-cbc';
1154
+ * const password = 'Password used to generate key';
1155
+ * // Use the async `crypto.scrypt()` instead.
1156
+ * const key = scryptSync(password, 'salt', 24);
1157
+ * // The IV is usually passed along with the ciphertext.
1158
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1159
+ *
1160
+ * const decipher = createDecipheriv(algorithm, key, iv);
1161
+ *
1162
+ * // Encrypted using same algorithm, key and iv.
1163
+ * const encrypted =
1164
+ * 'e5f79c5915c02171eec6b212d5520d44480993d7d622a7c4c2da32f6efda0ffa';
1165
+ * let decrypted = decipher.update(encrypted, 'hex', 'utf8');
1166
+ * decrypted += decipher.final('utf8');
1167
+ * console.log(decrypted);
1168
+ * // Prints: some clear text data
1169
+ * ```
1170
+ * @since v0.1.94
1171
+ */
1172
+ class Decipher extends stream.Transform {
1173
+ private constructor();
1174
+ /**
1175
+ * Updates the decipher with `data`. If the `inputEncoding` argument is given,
1176
+ * the `data` argument is a string using the specified encoding. If the `inputEncoding` argument is not given, `data` must be a `Buffer`. If `data` is a `Buffer` then `inputEncoding` is
1177
+ * ignored.
1178
+ *
1179
+ * The `outputEncoding` specifies the output format of the enciphered
1180
+ * data. If the `outputEncoding` is specified, a string using the specified encoding is returned. If no `outputEncoding` is provided, a `Buffer` is returned.
1181
+ *
1182
+ * The `decipher.update()` method can be called multiple times with new data until `decipher.final()` is called. Calling `decipher.update()` after `decipher.final()` will result in an error
1183
+ * being thrown.
1184
+ * @since v0.1.94
1185
+ * @param inputEncoding The `encoding` of the `data` string.
1186
+ * @param outputEncoding The `encoding` of the return value.
1187
+ */
1188
+ update(data: NodeJS.ArrayBufferView): Buffer;
1189
+ update(data: string, inputEncoding: Encoding): Buffer;
1190
+ update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
1191
+ update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
1192
+ /**
1193
+ * Once the `decipher.final()` method has been called, the `Decipher` object can
1194
+ * no longer be used to decrypt data. Attempts to call `decipher.final()` more
1195
+ * than once will result in an error being thrown.
1196
+ * @since v0.1.94
1197
+ * @param outputEncoding The `encoding` of the return value.
1198
+ * @return Any remaining deciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
1199
+ */
1200
+ final(): Buffer;
1201
+ final(outputEncoding: BufferEncoding): string;
1202
+ /**
1203
+ * When data has been encrypted without standard block padding, calling `decipher.setAutoPadding(false)` will disable automatic padding to prevent `decipher.final()` from checking for and
1204
+ * removing padding.
1205
+ *
1206
+ * Turning auto padding off will only work if the input data's length is a
1207
+ * multiple of the ciphers block size.
1208
+ *
1209
+ * The `decipher.setAutoPadding()` method must be called before `decipher.final()`.
1210
+ * @since v0.7.1
1211
+ * @param [autoPadding=true]
1212
+ * @return for method chaining.
1213
+ */
1214
+ setAutoPadding(auto_padding?: boolean): this;
1215
+ }
1216
+ interface DecipherCCM extends Decipher {
1217
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1218
+ setAAD(
1219
+ buffer: NodeJS.ArrayBufferView,
1220
+ options: {
1221
+ plaintextLength: number;
1222
+ },
1223
+ ): this;
1224
+ }
1225
+ interface DecipherGCM extends Decipher {
1226
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1227
+ setAAD(
1228
+ buffer: NodeJS.ArrayBufferView,
1229
+ options?: {
1230
+ plaintextLength: number;
1231
+ },
1232
+ ): this;
1233
+ }
1234
+ interface DecipherOCB extends Decipher {
1235
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1236
+ setAAD(
1237
+ buffer: NodeJS.ArrayBufferView,
1238
+ options?: {
1239
+ plaintextLength: number;
1240
+ },
1241
+ ): this;
1242
+ }
1243
+ interface PrivateKeyInput {
1244
+ key: string | Buffer;
1245
+ format?: KeyFormat | undefined;
1246
+ type?: "pkcs1" | "pkcs8" | "sec1" | undefined;
1247
+ passphrase?: string | Buffer | undefined;
1248
+ encoding?: string | undefined;
1249
+ }
1250
+ interface PublicKeyInput {
1251
+ key: string | Buffer;
1252
+ format?: KeyFormat | undefined;
1253
+ type?: "pkcs1" | "spki" | undefined;
1254
+ encoding?: string | undefined;
1255
+ }
1256
+ /**
1257
+ * Asynchronously generates a new random secret key of the given `length`. The `type` will determine which validations will be performed on the `length`.
1258
+ *
1259
+ * ```js
1260
+ * const {
1261
+ * generateKey,
1262
+ * } = await import('node:crypto');
1263
+ *
1264
+ * generateKey('hmac', { length: 512 }, (err, key) => {
1265
+ * if (err) throw err;
1266
+ * console.log(key.export().toString('hex')); // 46e..........620
1267
+ * });
1268
+ * ```
1269
+ *
1270
+ * The size of a generated HMAC key should not exceed the block size of the
1271
+ * underlying hash function. See {@link createHmac} for more information.
1272
+ * @since v15.0.0
1273
+ * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
1274
+ */
1275
+ function generateKey(
1276
+ type: "hmac" | "aes",
1277
+ options: {
1278
+ length: number;
1279
+ },
1280
+ callback: (err: Error | null, key: KeyObject) => void,
1281
+ ): void;
1282
+ /**
1283
+ * Synchronously generates a new random secret key of the given `length`. The `type` will determine which validations will be performed on the `length`.
1284
+ *
1285
+ * ```js
1286
+ * const {
1287
+ * generateKeySync,
1288
+ * } = await import('node:crypto');
1289
+ *
1290
+ * const key = generateKeySync('hmac', { length: 512 });
1291
+ * console.log(key.export().toString('hex')); // e89..........41e
1292
+ * ```
1293
+ *
1294
+ * The size of a generated HMAC key should not exceed the block size of the
1295
+ * underlying hash function. See {@link createHmac} for more information.
1296
+ * @since v15.0.0
1297
+ * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
1298
+ */
1299
+ function generateKeySync(
1300
+ type: "hmac" | "aes",
1301
+ options: {
1302
+ length: number;
1303
+ },
1304
+ ): KeyObject;
1305
+ interface JsonWebKeyInput {
1306
+ key: JsonWebKey;
1307
+ format: "jwk";
1308
+ }
1309
+ /**
1310
+ * Creates and returns a new key object containing a private key. If `key` is a
1311
+ * string or `Buffer`, `format` is assumed to be `'pem'`; otherwise, `key` must be an object with the properties described above.
1312
+ *
1313
+ * If the private key is encrypted, a `passphrase` must be specified. The length
1314
+ * of the passphrase is limited to 1024 bytes.
1315
+ * @since v11.6.0
1316
+ */
1317
+ function createPrivateKey(key: PrivateKeyInput | string | Buffer | JsonWebKeyInput): KeyObject;
1318
+ /**
1319
+ * Creates and returns a new key object containing a public key. If `key` is a
1320
+ * string or `Buffer`, `format` is assumed to be `'pem'`; if `key` is a `KeyObject` with type `'private'`, the public key is derived from the given private key;
1321
+ * otherwise, `key` must be an object with the properties described above.
1322
+ *
1323
+ * If the format is `'pem'`, the `'key'` may also be an X.509 certificate.
1324
+ *
1325
+ * Because public keys can be derived from private keys, a private key may be
1326
+ * passed instead of a public key. In that case, this function behaves as if {@link createPrivateKey} had been called, except that the type of the
1327
+ * returned `KeyObject` will be `'public'` and that the private key cannot be
1328
+ * extracted from the returned `KeyObject`. Similarly, if a `KeyObject` with type `'private'` is given, a new `KeyObject` with type `'public'` will be returned
1329
+ * and it will be impossible to extract the private key from the returned object.
1330
+ * @since v11.6.0
1331
+ */
1332
+ function createPublicKey(key: PublicKeyInput | string | Buffer | KeyObject | JsonWebKeyInput): KeyObject;
1333
+ /**
1334
+ * Creates and returns a new key object containing a secret key for symmetric
1335
+ * encryption or `Hmac`.
1336
+ * @since v11.6.0
1337
+ * @param encoding The string encoding when `key` is a string.
1338
+ */
1339
+ function createSecretKey(key: NodeJS.ArrayBufferView): KeyObject;
1340
+ function createSecretKey(key: string, encoding: BufferEncoding): KeyObject;
1341
+ /**
1342
+ * Creates and returns a `Sign` object that uses the given `algorithm`. Use {@link getHashes} to obtain the names of the available digest algorithms.
1343
+ * Optional `options` argument controls the `stream.Writable` behavior.
1344
+ *
1345
+ * In some cases, a `Sign` instance can be created using the name of a signature
1346
+ * algorithm, such as `'RSA-SHA256'`, instead of a digest algorithm. This will use
1347
+ * the corresponding digest algorithm. This does not work for all signature
1348
+ * algorithms, such as `'ecdsa-with-SHA256'`, so it is best to always use digest
1349
+ * algorithm names.
1350
+ * @since v0.1.92
1351
+ * @param options `stream.Writable` options
1352
+ */
1353
+ function createSign(algorithm: string, options?: stream.WritableOptions): Sign;
1354
+ type DSAEncoding = "der" | "ieee-p1363";
1355
+ interface SigningOptions {
1356
+ /**
1357
+ * @see crypto.constants.RSA_PKCS1_PADDING
1358
+ */
1359
+ padding?: number | undefined;
1360
+ saltLength?: number | undefined;
1361
+ dsaEncoding?: DSAEncoding | undefined;
1362
+ }
1363
+ interface SignPrivateKeyInput extends PrivateKeyInput, SigningOptions {}
1364
+ interface SignKeyObjectInput extends SigningOptions {
1365
+ key: KeyObject;
1366
+ }
1367
+ interface VerifyPublicKeyInput extends PublicKeyInput, SigningOptions {}
1368
+ interface VerifyKeyObjectInput extends SigningOptions {
1369
+ key: KeyObject;
1370
+ }
1371
+ interface VerifyJsonWebKeyInput extends JsonWebKeyInput, SigningOptions {}
1372
+ type KeyLike = string | Buffer | KeyObject;
1373
+ /**
1374
+ * The `Sign` class is a utility for generating signatures. It can be used in one
1375
+ * of two ways:
1376
+ *
1377
+ * * As a writable `stream`, where data to be signed is written and the `sign.sign()` method is used to generate and return the signature, or
1378
+ * * Using the `sign.update()` and `sign.sign()` methods to produce the
1379
+ * signature.
1380
+ *
1381
+ * The {@link createSign} method is used to create `Sign` instances. The
1382
+ * argument is the string name of the hash function to use. `Sign` objects are not
1383
+ * to be created directly using the `new` keyword.
1384
+ *
1385
+ * Example: Using `Sign` and `Verify` objects as streams:
1386
+ *
1387
+ * ```js
1388
+ * const {
1389
+ * generateKeyPairSync,
1390
+ * createSign,
1391
+ * createVerify,
1392
+ * } = await import('node:crypto');
1393
+ *
1394
+ * const { privateKey, publicKey } = generateKeyPairSync('ec', {
1395
+ * namedCurve: 'sect239k1',
1396
+ * });
1397
+ *
1398
+ * const sign = createSign('SHA256');
1399
+ * sign.write('some data to sign');
1400
+ * sign.end();
1401
+ * const signature = sign.sign(privateKey, 'hex');
1402
+ *
1403
+ * const verify = createVerify('SHA256');
1404
+ * verify.write('some data to sign');
1405
+ * verify.end();
1406
+ * console.log(verify.verify(publicKey, signature, 'hex'));
1407
+ * // Prints: true
1408
+ * ```
1409
+ *
1410
+ * Example: Using the `sign.update()` and `verify.update()` methods:
1411
+ *
1412
+ * ```js
1413
+ * const {
1414
+ * generateKeyPairSync,
1415
+ * createSign,
1416
+ * createVerify,
1417
+ * } = await import('node:crypto');
1418
+ *
1419
+ * const { privateKey, publicKey } = generateKeyPairSync('rsa', {
1420
+ * modulusLength: 2048,
1421
+ * });
1422
+ *
1423
+ * const sign = createSign('SHA256');
1424
+ * sign.update('some data to sign');
1425
+ * sign.end();
1426
+ * const signature = sign.sign(privateKey);
1427
+ *
1428
+ * const verify = createVerify('SHA256');
1429
+ * verify.update('some data to sign');
1430
+ * verify.end();
1431
+ * console.log(verify.verify(publicKey, signature));
1432
+ * // Prints: true
1433
+ * ```
1434
+ * @since v0.1.92
1435
+ */
1436
+ class Sign extends stream.Writable {
1437
+ private constructor();
1438
+ /**
1439
+ * Updates the `Sign` content with the given `data`, the encoding of which
1440
+ * is given in `inputEncoding`.
1441
+ * If `encoding` is not provided, and the `data` is a string, an
1442
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
1443
+ *
1444
+ * This can be called many times with new data as it is streamed.
1445
+ * @since v0.1.92
1446
+ * @param inputEncoding The `encoding` of the `data` string.
1447
+ */
1448
+ update(data: BinaryLike): this;
1449
+ update(data: string, inputEncoding: Encoding): this;
1450
+ /**
1451
+ * Calculates the signature on all the data passed through using either `sign.update()` or `sign.write()`.
1452
+ *
1453
+ * If `privateKey` is not a `KeyObject`, this function behaves as if `privateKey` had been passed to {@link createPrivateKey}. If it is an
1454
+ * object, the following additional properties can be passed:
1455
+ *
1456
+ * If `outputEncoding` is provided a string is returned; otherwise a `Buffer` is returned.
1457
+ *
1458
+ * The `Sign` object can not be again used after `sign.sign()` method has been
1459
+ * called. Multiple calls to `sign.sign()` will result in an error being thrown.
1460
+ * @since v0.1.92
1461
+ */
1462
+ sign(privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput): Buffer;
1463
+ sign(
1464
+ privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
1465
+ outputFormat: BinaryToTextEncoding,
1466
+ ): string;
1467
+ }
1468
+ /**
1469
+ * Creates and returns a `Verify` object that uses the given algorithm.
1470
+ * Use {@link getHashes} to obtain an array of names of the available
1471
+ * signing algorithms. Optional `options` argument controls the `stream.Writable` behavior.
1472
+ *
1473
+ * In some cases, a `Verify` instance can be created using the name of a signature
1474
+ * algorithm, such as `'RSA-SHA256'`, instead of a digest algorithm. This will use
1475
+ * the corresponding digest algorithm. This does not work for all signature
1476
+ * algorithms, such as `'ecdsa-with-SHA256'`, so it is best to always use digest
1477
+ * algorithm names.
1478
+ * @since v0.1.92
1479
+ * @param options `stream.Writable` options
1480
+ */
1481
+ function createVerify(algorithm: string, options?: stream.WritableOptions): Verify;
1482
+ /**
1483
+ * The `Verify` class is a utility for verifying signatures. It can be used in one
1484
+ * of two ways:
1485
+ *
1486
+ * * As a writable `stream` where written data is used to validate against the
1487
+ * supplied signature, or
1488
+ * * Using the `verify.update()` and `verify.verify()` methods to verify
1489
+ * the signature.
1490
+ *
1491
+ * The {@link createVerify} method is used to create `Verify` instances. `Verify` objects are not to be created directly using the `new` keyword.
1492
+ *
1493
+ * See `Sign` for examples.
1494
+ * @since v0.1.92
1495
+ */
1496
+ class Verify extends stream.Writable {
1497
+ private constructor();
1498
+ /**
1499
+ * Updates the `Verify` content with the given `data`, the encoding of which
1500
+ * is given in `inputEncoding`.
1501
+ * If `inputEncoding` is not provided, and the `data` is a string, an
1502
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or `DataView`, then `inputEncoding` is ignored.
1503
+ *
1504
+ * This can be called many times with new data as it is streamed.
1505
+ * @since v0.1.92
1506
+ * @param inputEncoding The `encoding` of the `data` string.
1507
+ */
1508
+ update(data: BinaryLike): Verify;
1509
+ update(data: string, inputEncoding: Encoding): Verify;
1510
+ /**
1511
+ * Verifies the provided data using the given `object` and `signature`.
1512
+ *
1513
+ * If `object` is not a `KeyObject`, this function behaves as if `object` had been passed to {@link createPublicKey}. If it is an
1514
+ * object, the following additional properties can be passed:
1515
+ *
1516
+ * The `signature` argument is the previously calculated signature for the data, in
1517
+ * the `signatureEncoding`.
1518
+ * If a `signatureEncoding` is specified, the `signature` is expected to be a
1519
+ * string; otherwise `signature` is expected to be a `Buffer`, `TypedArray`, or `DataView`.
1520
+ *
1521
+ * The `verify` object can not be used again after `verify.verify()` has been
1522
+ * called. Multiple calls to `verify.verify()` will result in an error being
1523
+ * thrown.
1524
+ *
1525
+ * Because public keys can be derived from private keys, a private key may
1526
+ * be passed instead of a public key.
1527
+ * @since v0.1.92
1528
+ */
1529
+ verify(
1530
+ object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
1531
+ signature: NodeJS.ArrayBufferView,
1532
+ ): boolean;
1533
+ verify(
1534
+ object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
1535
+ signature: string,
1536
+ signature_format?: BinaryToTextEncoding,
1537
+ ): boolean;
1538
+ }
1539
+ /**
1540
+ * Creates a `DiffieHellman` key exchange object using the supplied `prime` and an
1541
+ * optional specific `generator`.
1542
+ *
1543
+ * The `generator` argument can be a number, string, or `Buffer`. If `generator` is not specified, the value `2` is used.
1544
+ *
1545
+ * If `primeEncoding` is specified, `prime` is expected to be a string; otherwise
1546
+ * a `Buffer`, `TypedArray`, or `DataView` is expected.
1547
+ *
1548
+ * If `generatorEncoding` is specified, `generator` is expected to be a string;
1549
+ * otherwise a number, `Buffer`, `TypedArray`, or `DataView` is expected.
1550
+ * @since v0.11.12
1551
+ * @param primeEncoding The `encoding` of the `prime` string.
1552
+ * @param [generator=2]
1553
+ * @param generatorEncoding The `encoding` of the `generator` string.
1554
+ */
1555
+ function createDiffieHellman(primeLength: number, generator?: number): DiffieHellman;
1556
+ function createDiffieHellman(
1557
+ prime: ArrayBuffer | NodeJS.ArrayBufferView,
1558
+ generator?: number | ArrayBuffer | NodeJS.ArrayBufferView,
1559
+ ): DiffieHellman;
1560
+ function createDiffieHellman(
1561
+ prime: ArrayBuffer | NodeJS.ArrayBufferView,
1562
+ generator: string,
1563
+ generatorEncoding: BinaryToTextEncoding,
1564
+ ): DiffieHellman;
1565
+ function createDiffieHellman(
1566
+ prime: string,
1567
+ primeEncoding: BinaryToTextEncoding,
1568
+ generator?: number | ArrayBuffer | NodeJS.ArrayBufferView,
1569
+ ): DiffieHellman;
1570
+ function createDiffieHellman(
1571
+ prime: string,
1572
+ primeEncoding: BinaryToTextEncoding,
1573
+ generator: string,
1574
+ generatorEncoding: BinaryToTextEncoding,
1575
+ ): DiffieHellman;
1576
+ /**
1577
+ * The `DiffieHellman` class is a utility for creating Diffie-Hellman key
1578
+ * exchanges.
1579
+ *
1580
+ * Instances of the `DiffieHellman` class can be created using the {@link createDiffieHellman} function.
1581
+ *
1582
+ * ```js
1583
+ * import assert from 'node:assert';
1584
+ *
1585
+ * const {
1586
+ * createDiffieHellman,
1587
+ * } = await import('node:crypto');
1588
+ *
1589
+ * // Generate Alice's keys...
1590
+ * const alice = createDiffieHellman(2048);
1591
+ * const aliceKey = alice.generateKeys();
1592
+ *
1593
+ * // Generate Bob's keys...
1594
+ * const bob = createDiffieHellman(alice.getPrime(), alice.getGenerator());
1595
+ * const bobKey = bob.generateKeys();
1596
+ *
1597
+ * // Exchange and generate the secret...
1598
+ * const aliceSecret = alice.computeSecret(bobKey);
1599
+ * const bobSecret = bob.computeSecret(aliceKey);
1600
+ *
1601
+ * // OK
1602
+ * assert.strictEqual(aliceSecret.toString('hex'), bobSecret.toString('hex'));
1603
+ * ```
1604
+ * @since v0.5.0
1605
+ */
1606
+ class DiffieHellman {
1607
+ private constructor();
1608
+ /**
1609
+ * Generates private and public Diffie-Hellman key values unless they have been
1610
+ * generated or computed already, and returns
1611
+ * the public key in the specified `encoding`. This key should be
1612
+ * transferred to the other party.
1613
+ * If `encoding` is provided a string is returned; otherwise a `Buffer` is returned.
1614
+ *
1615
+ * This function is a thin wrapper around [`DH_generate_key()`](https://www.openssl.org/docs/man3.0/man3/DH_generate_key.html). In particular,
1616
+ * once a private key has been generated or set, calling this function only updates
1617
+ * the public key but does not generate a new private key.
1618
+ * @since v0.5.0
1619
+ * @param encoding The `encoding` of the return value.
1620
+ */
1621
+ generateKeys(): Buffer;
1622
+ generateKeys(encoding: BinaryToTextEncoding): string;
1623
+ /**
1624
+ * Computes the shared secret using `otherPublicKey` as the other
1625
+ * party's public key and returns the computed shared secret. The supplied
1626
+ * key is interpreted using the specified `inputEncoding`, and secret is
1627
+ * encoded using specified `outputEncoding`.
1628
+ * If the `inputEncoding` is not
1629
+ * provided, `otherPublicKey` is expected to be a `Buffer`, `TypedArray`, or `DataView`.
1630
+ *
1631
+ * If `outputEncoding` is given a string is returned; otherwise, a `Buffer` is returned.
1632
+ * @since v0.5.0
1633
+ * @param inputEncoding The `encoding` of an `otherPublicKey` string.
1634
+ * @param outputEncoding The `encoding` of the return value.
1635
+ */
1636
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView, inputEncoding?: null, outputEncoding?: null): Buffer;
1637
+ computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding, outputEncoding?: null): Buffer;
1638
+ computeSecret(
1639
+ otherPublicKey: NodeJS.ArrayBufferView,
1640
+ inputEncoding: null,
1641
+ outputEncoding: BinaryToTextEncoding,
1642
+ ): string;
1643
+ computeSecret(
1644
+ otherPublicKey: string,
1645
+ inputEncoding: BinaryToTextEncoding,
1646
+ outputEncoding: BinaryToTextEncoding,
1647
+ ): string;
1648
+ /**
1649
+ * Returns the Diffie-Hellman prime in the specified `encoding`.
1650
+ * If `encoding` is provided a string is
1651
+ * returned; otherwise a `Buffer` is returned.
1652
+ * @since v0.5.0
1653
+ * @param encoding The `encoding` of the return value.
1654
+ */
1655
+ getPrime(): Buffer;
1656
+ getPrime(encoding: BinaryToTextEncoding): string;
1657
+ /**
1658
+ * Returns the Diffie-Hellman generator in the specified `encoding`.
1659
+ * If `encoding` is provided a string is
1660
+ * returned; otherwise a `Buffer` is returned.
1661
+ * @since v0.5.0
1662
+ * @param encoding The `encoding` of the return value.
1663
+ */
1664
+ getGenerator(): Buffer;
1665
+ getGenerator(encoding: BinaryToTextEncoding): string;
1666
+ /**
1667
+ * Returns the Diffie-Hellman public key in the specified `encoding`.
1668
+ * If `encoding` is provided a
1669
+ * string is returned; otherwise a `Buffer` is returned.
1670
+ * @since v0.5.0
1671
+ * @param encoding The `encoding` of the return value.
1672
+ */
1673
+ getPublicKey(): Buffer;
1674
+ getPublicKey(encoding: BinaryToTextEncoding): string;
1675
+ /**
1676
+ * Returns the Diffie-Hellman private key in the specified `encoding`.
1677
+ * If `encoding` is provided a
1678
+ * string is returned; otherwise a `Buffer` is returned.
1679
+ * @since v0.5.0
1680
+ * @param encoding The `encoding` of the return value.
1681
+ */
1682
+ getPrivateKey(): Buffer;
1683
+ getPrivateKey(encoding: BinaryToTextEncoding): string;
1684
+ /**
1685
+ * Sets the Diffie-Hellman public key. If the `encoding` argument is provided, `publicKey` is expected
1686
+ * to be a string. If no `encoding` is provided, `publicKey` is expected
1687
+ * to be a `Buffer`, `TypedArray`, or `DataView`.
1688
+ * @since v0.5.0
1689
+ * @param encoding The `encoding` of the `publicKey` string.
1690
+ */
1691
+ setPublicKey(publicKey: NodeJS.ArrayBufferView): void;
1692
+ setPublicKey(publicKey: string, encoding: BufferEncoding): void;
1693
+ /**
1694
+ * Sets the Diffie-Hellman private key. If the `encoding` argument is provided,`privateKey` is expected
1695
+ * to be a string. If no `encoding` is provided, `privateKey` is expected
1696
+ * to be a `Buffer`, `TypedArray`, or `DataView`.
1697
+ *
1698
+ * This function does not automatically compute the associated public key. Either `diffieHellman.setPublicKey()` or `diffieHellman.generateKeys()` can be
1699
+ * used to manually provide the public key or to automatically derive it.
1700
+ * @since v0.5.0
1701
+ * @param encoding The `encoding` of the `privateKey` string.
1702
+ */
1703
+ setPrivateKey(privateKey: NodeJS.ArrayBufferView): void;
1704
+ setPrivateKey(privateKey: string, encoding: BufferEncoding): void;
1705
+ /**
1706
+ * A bit field containing any warnings and/or errors resulting from a check
1707
+ * performed during initialization of the `DiffieHellman` object.
1708
+ *
1709
+ * The following values are valid for this property (as defined in `node:constants` module):
1710
+ *
1711
+ * * `DH_CHECK_P_NOT_SAFE_PRIME`
1712
+ * * `DH_CHECK_P_NOT_PRIME`
1713
+ * * `DH_UNABLE_TO_CHECK_GENERATOR`
1714
+ * * `DH_NOT_SUITABLE_GENERATOR`
1715
+ * @since v0.11.12
1716
+ */
1717
+ verifyError: number;
1718
+ }
1719
+ /**
1720
+ * The `DiffieHellmanGroup` class takes a well-known modp group as its argument.
1721
+ * It works the same as `DiffieHellman`, except that it does not allow changing its keys after creation.
1722
+ * In other words, it does not implement `setPublicKey()` or `setPrivateKey()` methods.
1723
+ *
1724
+ * ```js
1725
+ * const { createDiffieHellmanGroup } = await import('node:crypto');
1726
+ * const dh = createDiffieHellmanGroup('modp1');
1727
+ * ```
1728
+ * The name (e.g. `'modp1'`) is taken from [RFC 2412](https://www.rfc-editor.org/rfc/rfc2412.txt) (modp1 and 2) and [RFC 3526](https://www.rfc-editor.org/rfc/rfc3526.txt):
1729
+ * ```bash
1730
+ * $ perl -ne 'print "$1\n" if /"(modp\d+)"/' src/node_crypto_groups.h
1731
+ * modp1 # 768 bits
1732
+ * modp2 # 1024 bits
1733
+ * modp5 # 1536 bits
1734
+ * modp14 # 2048 bits
1735
+ * modp15 # etc.
1736
+ * modp16
1737
+ * modp17
1738
+ * modp18
1739
+ * ```
1740
+ * @since v0.7.5
1741
+ */
1742
+ const DiffieHellmanGroup: DiffieHellmanGroupConstructor;
1743
+ interface DiffieHellmanGroupConstructor {
1744
+ new(name: string): DiffieHellmanGroup;
1745
+ (name: string): DiffieHellmanGroup;
1746
+ readonly prototype: DiffieHellmanGroup;
1747
+ }
1748
+ type DiffieHellmanGroup = Omit<DiffieHellman, "setPublicKey" | "setPrivateKey">;
1749
+ /**
1750
+ * Creates a predefined `DiffieHellmanGroup` key exchange object. The
1751
+ * supported groups are listed in the documentation for `DiffieHellmanGroup`.
1752
+ *
1753
+ * The returned object mimics the interface of objects created by {@link createDiffieHellman}, but will not allow changing
1754
+ * the keys (with `diffieHellman.setPublicKey()`, for example). The
1755
+ * advantage of using this method is that the parties do not have to
1756
+ * generate nor exchange a group modulus beforehand, saving both processor
1757
+ * and communication time.
1758
+ *
1759
+ * Example (obtaining a shared secret):
1760
+ *
1761
+ * ```js
1762
+ * const {
1763
+ * getDiffieHellman,
1764
+ * } = await import('node:crypto');
1765
+ * const alice = getDiffieHellman('modp14');
1766
+ * const bob = getDiffieHellman('modp14');
1767
+ *
1768
+ * alice.generateKeys();
1769
+ * bob.generateKeys();
1770
+ *
1771
+ * const aliceSecret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
1772
+ * const bobSecret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
1773
+ *
1774
+ * // aliceSecret and bobSecret should be the same
1775
+ * console.log(aliceSecret === bobSecret);
1776
+ * ```
1777
+ * @since v0.7.5
1778
+ */
1779
+ function getDiffieHellman(groupName: string): DiffieHellmanGroup;
1780
+ /**
1781
+ * An alias for {@link getDiffieHellman}
1782
+ * @since v0.9.3
1783
+ */
1784
+ function createDiffieHellmanGroup(name: string): DiffieHellmanGroup;
1785
+ /**
1786
+ * Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
1787
+ * implementation. A selected HMAC digest algorithm specified by `digest` is
1788
+ * applied to derive a key of the requested byte length (`keylen`) from the `password`, `salt` and `iterations`.
1789
+ *
1790
+ * The supplied `callback` function is called with two arguments: `err` and `derivedKey`. If an error occurs while deriving the key, `err` will be set;
1791
+ * otherwise `err` will be `null`. By default, the successfully generated `derivedKey` will be passed to the callback as a `Buffer`. An error will be
1792
+ * thrown if any of the input arguments specify invalid values or types.
1793
+ *
1794
+ * The `iterations` argument must be a number set as high as possible. The
1795
+ * higher the number of iterations, the more secure the derived key will be,
1796
+ * but will take a longer amount of time to complete.
1797
+ *
1798
+ * The `salt` should be as unique as possible. It is recommended that a salt is
1799
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
1800
+ *
1801
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1802
+ *
1803
+ * ```js
1804
+ * const {
1805
+ * pbkdf2,
1806
+ * } = await import('node:crypto');
1807
+ *
1808
+ * pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
1809
+ * if (err) throw err;
1810
+ * console.log(derivedKey.toString('hex')); // '3745e48...08d59ae'
1811
+ * });
1812
+ * ```
1813
+ *
1814
+ * An array of supported digest functions can be retrieved using {@link getHashes}.
1815
+ *
1816
+ * This API uses libuv's threadpool, which can have surprising and
1817
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
1818
+ * @since v0.5.5
1819
+ */
1820
+ function pbkdf2(
1821
+ password: BinaryLike,
1822
+ salt: BinaryLike,
1823
+ iterations: number,
1824
+ keylen: number,
1825
+ digest: string,
1826
+ callback: (err: Error | null, derivedKey: Buffer) => void,
1827
+ ): void;
1828
+ /**
1829
+ * Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)
1830
+ * implementation. A selected HMAC digest algorithm specified by `digest` is
1831
+ * applied to derive a key of the requested byte length (`keylen`) from the `password`, `salt` and `iterations`.
1832
+ *
1833
+ * If an error occurs an `Error` will be thrown, otherwise the derived key will be
1834
+ * returned as a `Buffer`.
1835
+ *
1836
+ * The `iterations` argument must be a number set as high as possible. The
1837
+ * higher the number of iterations, the more secure the derived key will be,
1838
+ * but will take a longer amount of time to complete.
1839
+ *
1840
+ * The `salt` should be as unique as possible. It is recommended that a salt is
1841
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
1842
+ *
1843
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1844
+ *
1845
+ * ```js
1846
+ * const {
1847
+ * pbkdf2Sync,
1848
+ * } = await import('node:crypto');
1849
+ *
1850
+ * const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
1851
+ * console.log(key.toString('hex')); // '3745e48...08d59ae'
1852
+ * ```
1853
+ *
1854
+ * An array of supported digest functions can be retrieved using {@link getHashes}.
1855
+ * @since v0.9.3
1856
+ */
1857
+ function pbkdf2Sync(
1858
+ password: BinaryLike,
1859
+ salt: BinaryLike,
1860
+ iterations: number,
1861
+ keylen: number,
1862
+ digest: string,
1863
+ ): Buffer;
1864
+ /**
1865
+ * Generates cryptographically strong pseudorandom data. The `size` argument
1866
+ * is a number indicating the number of bytes to generate.
1867
+ *
1868
+ * If a `callback` function is provided, the bytes are generated asynchronously
1869
+ * and the `callback` function is invoked with two arguments: `err` and `buf`.
1870
+ * If an error occurs, `err` will be an `Error` object; otherwise it is `null`. The `buf` argument is a `Buffer` containing the generated bytes.
1871
+ *
1872
+ * ```js
1873
+ * // Asynchronous
1874
+ * const {
1875
+ * randomBytes,
1876
+ * } = await import('node:crypto');
1877
+ *
1878
+ * randomBytes(256, (err, buf) => {
1879
+ * if (err) throw err;
1880
+ * console.log(`${buf.length} bytes of random data: ${buf.toString('hex')}`);
1881
+ * });
1882
+ * ```
1883
+ *
1884
+ * If the `callback` function is not provided, the random bytes are generated
1885
+ * synchronously and returned as a `Buffer`. An error will be thrown if
1886
+ * there is a problem generating the bytes.
1887
+ *
1888
+ * ```js
1889
+ * // Synchronous
1890
+ * const {
1891
+ * randomBytes,
1892
+ * } = await import('node:crypto');
1893
+ *
1894
+ * const buf = randomBytes(256);
1895
+ * console.log(
1896
+ * `${buf.length} bytes of random data: ${buf.toString('hex')}`);
1897
+ * ```
1898
+ *
1899
+ * The `crypto.randomBytes()` method will not complete until there is
1900
+ * sufficient entropy available.
1901
+ * This should normally never take longer than a few milliseconds. The only time
1902
+ * when generating the random bytes may conceivably block for a longer period of
1903
+ * time is right after boot, when the whole system is still low on entropy.
1904
+ *
1905
+ * This API uses libuv's threadpool, which can have surprising and
1906
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
1907
+ *
1908
+ * The asynchronous version of `crypto.randomBytes()` is carried out in a single
1909
+ * threadpool request. To minimize threadpool task length variation, partition
1910
+ * large `randomBytes` requests when doing so as part of fulfilling a client
1911
+ * request.
1912
+ * @since v0.5.8
1913
+ * @param size The number of bytes to generate. The `size` must not be larger than `2**31 - 1`.
1914
+ * @return if the `callback` function is not provided.
1915
+ */
1916
+ function randomBytes(size: number): Buffer;
1917
+ function randomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
1918
+ function pseudoRandomBytes(size: number): Buffer;
1919
+ function pseudoRandomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
1920
+ /**
1921
+ * Return a random integer `n` such that `min <= n < max`. This
1922
+ * implementation avoids [modulo bias](https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias).
1923
+ *
1924
+ * The range (`max - min`) must be less than 2**48. `min` and `max` must
1925
+ * be [safe integers](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger).
1926
+ *
1927
+ * If the `callback` function is not provided, the random integer is
1928
+ * generated synchronously.
1929
+ *
1930
+ * ```js
1931
+ * // Asynchronous
1932
+ * const {
1933
+ * randomInt,
1934
+ * } = await import('node:crypto');
1935
+ *
1936
+ * randomInt(3, (err, n) => {
1937
+ * if (err) throw err;
1938
+ * console.log(`Random number chosen from (0, 1, 2): ${n}`);
1939
+ * });
1940
+ * ```
1941
+ *
1942
+ * ```js
1943
+ * // Synchronous
1944
+ * const {
1945
+ * randomInt,
1946
+ * } = await import('node:crypto');
1947
+ *
1948
+ * const n = randomInt(3);
1949
+ * console.log(`Random number chosen from (0, 1, 2): ${n}`);
1950
+ * ```
1951
+ *
1952
+ * ```js
1953
+ * // With `min` argument
1954
+ * const {
1955
+ * randomInt,
1956
+ * } = await import('node:crypto');
1957
+ *
1958
+ * const n = randomInt(1, 7);
1959
+ * console.log(`The dice rolled: ${n}`);
1960
+ * ```
1961
+ * @since v14.10.0, v12.19.0
1962
+ * @param [min=0] Start of random range (inclusive).
1963
+ * @param max End of random range (exclusive).
1964
+ * @param callback `function(err, n) {}`.
1965
+ */
1966
+ function randomInt(max: number): number;
1967
+ function randomInt(min: number, max: number): number;
1968
+ function randomInt(max: number, callback: (err: Error | null, value: number) => void): void;
1969
+ function randomInt(min: number, max: number, callback: (err: Error | null, value: number) => void): void;
1970
+ /**
1971
+ * Synchronous version of {@link randomFill}.
1972
+ *
1973
+ * ```js
1974
+ * import { Buffer } from 'node:buffer';
1975
+ * const { randomFillSync } = await import('node:crypto');
1976
+ *
1977
+ * const buf = Buffer.alloc(10);
1978
+ * console.log(randomFillSync(buf).toString('hex'));
1979
+ *
1980
+ * randomFillSync(buf, 5);
1981
+ * console.log(buf.toString('hex'));
1982
+ *
1983
+ * // The above is equivalent to the following:
1984
+ * randomFillSync(buf, 5, 5);
1985
+ * console.log(buf.toString('hex'));
1986
+ * ```
1987
+ *
1988
+ * Any `ArrayBuffer`, `TypedArray` or `DataView` instance may be passed as`buffer`.
1989
+ *
1990
+ * ```js
1991
+ * import { Buffer } from 'node:buffer';
1992
+ * const { randomFillSync } = await import('node:crypto');
1993
+ *
1994
+ * const a = new Uint32Array(10);
1995
+ * console.log(Buffer.from(randomFillSync(a).buffer,
1996
+ * a.byteOffset, a.byteLength).toString('hex'));
1997
+ *
1998
+ * const b = new DataView(new ArrayBuffer(10));
1999
+ * console.log(Buffer.from(randomFillSync(b).buffer,
2000
+ * b.byteOffset, b.byteLength).toString('hex'));
2001
+ *
2002
+ * const c = new ArrayBuffer(10);
2003
+ * console.log(Buffer.from(randomFillSync(c)).toString('hex'));
2004
+ * ```
2005
+ * @since v7.10.0, v6.13.0
2006
+ * @param buffer Must be supplied. The size of the provided `buffer` must not be larger than `2**31 - 1`.
2007
+ * @param [offset=0]
2008
+ * @param [size=buffer.length - offset]
2009
+ * @return The object passed as `buffer` argument.
2010
+ */
2011
+ function randomFillSync<T extends NodeJS.ArrayBufferView>(buffer: T, offset?: number, size?: number): T;
2012
+ /**
2013
+ * This function is similar to {@link randomBytes} but requires the first
2014
+ * argument to be a `Buffer` that will be filled. It also
2015
+ * requires that a callback is passed in.
2016
+ *
2017
+ * If the `callback` function is not provided, an error will be thrown.
2018
+ *
2019
+ * ```js
2020
+ * import { Buffer } from 'node:buffer';
2021
+ * const { randomFill } = await import('node:crypto');
2022
+ *
2023
+ * const buf = Buffer.alloc(10);
2024
+ * randomFill(buf, (err, buf) => {
2025
+ * if (err) throw err;
2026
+ * console.log(buf.toString('hex'));
2027
+ * });
2028
+ *
2029
+ * randomFill(buf, 5, (err, buf) => {
2030
+ * if (err) throw err;
2031
+ * console.log(buf.toString('hex'));
2032
+ * });
2033
+ *
2034
+ * // The above is equivalent to the following:
2035
+ * randomFill(buf, 5, 5, (err, buf) => {
2036
+ * if (err) throw err;
2037
+ * console.log(buf.toString('hex'));
2038
+ * });
2039
+ * ```
2040
+ *
2041
+ * Any `ArrayBuffer`, `TypedArray`, or `DataView` instance may be passed as `buffer`.
2042
+ *
2043
+ * While this includes instances of `Float32Array` and `Float64Array`, this
2044
+ * function should not be used to generate random floating-point numbers. The
2045
+ * result may contain `+Infinity`, `-Infinity`, and `NaN`, and even if the array
2046
+ * contains finite numbers only, they are not drawn from a uniform random
2047
+ * distribution and have no meaningful lower or upper bounds.
2048
+ *
2049
+ * ```js
2050
+ * import { Buffer } from 'node:buffer';
2051
+ * const { randomFill } = await import('node:crypto');
2052
+ *
2053
+ * const a = new Uint32Array(10);
2054
+ * randomFill(a, (err, buf) => {
2055
+ * if (err) throw err;
2056
+ * console.log(Buffer.from(buf.buffer, buf.byteOffset, buf.byteLength)
2057
+ * .toString('hex'));
2058
+ * });
2059
+ *
2060
+ * const b = new DataView(new ArrayBuffer(10));
2061
+ * randomFill(b, (err, buf) => {
2062
+ * if (err) throw err;
2063
+ * console.log(Buffer.from(buf.buffer, buf.byteOffset, buf.byteLength)
2064
+ * .toString('hex'));
2065
+ * });
2066
+ *
2067
+ * const c = new ArrayBuffer(10);
2068
+ * randomFill(c, (err, buf) => {
2069
+ * if (err) throw err;
2070
+ * console.log(Buffer.from(buf).toString('hex'));
2071
+ * });
2072
+ * ```
2073
+ *
2074
+ * This API uses libuv's threadpool, which can have surprising and
2075
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
2076
+ *
2077
+ * The asynchronous version of `crypto.randomFill()` is carried out in a single
2078
+ * threadpool request. To minimize threadpool task length variation, partition
2079
+ * large `randomFill` requests when doing so as part of fulfilling a client
2080
+ * request.
2081
+ * @since v7.10.0, v6.13.0
2082
+ * @param buffer Must be supplied. The size of the provided `buffer` must not be larger than `2**31 - 1`.
2083
+ * @param [offset=0]
2084
+ * @param [size=buffer.length - offset]
2085
+ * @param callback `function(err, buf) {}`.
2086
+ */
2087
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2088
+ buffer: T,
2089
+ callback: (err: Error | null, buf: T) => void,
2090
+ ): void;
2091
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2092
+ buffer: T,
2093
+ offset: number,
2094
+ callback: (err: Error | null, buf: T) => void,
2095
+ ): void;
2096
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2097
+ buffer: T,
2098
+ offset: number,
2099
+ size: number,
2100
+ callback: (err: Error | null, buf: T) => void,
2101
+ ): void;
2102
+ interface ScryptOptions {
2103
+ cost?: number | undefined;
2104
+ blockSize?: number | undefined;
2105
+ parallelization?: number | undefined;
2106
+ N?: number | undefined;
2107
+ r?: number | undefined;
2108
+ p?: number | undefined;
2109
+ maxmem?: number | undefined;
2110
+ }
2111
+ /**
2112
+ * Provides an asynchronous [scrypt](https://en.wikipedia.org/wiki/Scrypt) implementation. Scrypt is a password-based
2113
+ * key derivation function that is designed to be expensive computationally and
2114
+ * memory-wise in order to make brute-force attacks unrewarding.
2115
+ *
2116
+ * The `salt` should be as unique as possible. It is recommended that a salt is
2117
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
2118
+ *
2119
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
2120
+ *
2121
+ * The `callback` function is called with two arguments: `err` and `derivedKey`. `err` is an exception object when key derivation fails, otherwise `err` is `null`. `derivedKey` is passed to the
2122
+ * callback as a `Buffer`.
2123
+ *
2124
+ * An exception is thrown when any of the input arguments specify invalid values
2125
+ * or types.
2126
+ *
2127
+ * ```js
2128
+ * const {
2129
+ * scrypt,
2130
+ * } = await import('node:crypto');
2131
+ *
2132
+ * // Using the factory defaults.
2133
+ * scrypt('password', 'salt', 64, (err, derivedKey) => {
2134
+ * if (err) throw err;
2135
+ * console.log(derivedKey.toString('hex')); // '3745e48...08d59ae'
2136
+ * });
2137
+ * // Using a custom N parameter. Must be a power of two.
2138
+ * scrypt('password', 'salt', 64, { N: 1024 }, (err, derivedKey) => {
2139
+ * if (err) throw err;
2140
+ * console.log(derivedKey.toString('hex')); // '3745e48...aa39b34'
2141
+ * });
2142
+ * ```
2143
+ * @since v10.5.0
2144
+ */
2145
+ function scrypt(
2146
+ password: BinaryLike,
2147
+ salt: BinaryLike,
2148
+ keylen: number,
2149
+ callback: (err: Error | null, derivedKey: Buffer) => void,
2150
+ ): void;
2151
+ function scrypt(
2152
+ password: BinaryLike,
2153
+ salt: BinaryLike,
2154
+ keylen: number,
2155
+ options: ScryptOptions,
2156
+ callback: (err: Error | null, derivedKey: Buffer) => void,
2157
+ ): void;
2158
+ /**
2159
+ * Provides a synchronous [scrypt](https://en.wikipedia.org/wiki/Scrypt) implementation. Scrypt is a password-based
2160
+ * key derivation function that is designed to be expensive computationally and
2161
+ * memory-wise in order to make brute-force attacks unrewarding.
2162
+ *
2163
+ * The `salt` should be as unique as possible. It is recommended that a salt is
2164
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
2165
+ *
2166
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
2167
+ *
2168
+ * An exception is thrown when key derivation fails, otherwise the derived key is
2169
+ * returned as a `Buffer`.
2170
+ *
2171
+ * An exception is thrown when any of the input arguments specify invalid values
2172
+ * or types.
2173
+ *
2174
+ * ```js
2175
+ * const {
2176
+ * scryptSync,
2177
+ * } = await import('node:crypto');
2178
+ * // Using the factory defaults.
2179
+ *
2180
+ * const key1 = scryptSync('password', 'salt', 64);
2181
+ * console.log(key1.toString('hex')); // '3745e48...08d59ae'
2182
+ * // Using a custom N parameter. Must be a power of two.
2183
+ * const key2 = scryptSync('password', 'salt', 64, { N: 1024 });
2184
+ * console.log(key2.toString('hex')); // '3745e48...aa39b34'
2185
+ * ```
2186
+ * @since v10.5.0
2187
+ */
2188
+ function scryptSync(password: BinaryLike, salt: BinaryLike, keylen: number, options?: ScryptOptions): Buffer;
2189
+ interface RsaPublicKey {
2190
+ key: KeyLike;
2191
+ padding?: number | undefined;
2192
+ }
2193
+ interface RsaPrivateKey {
2194
+ key: KeyLike;
2195
+ passphrase?: string | undefined;
2196
+ /**
2197
+ * @default 'sha1'
2198
+ */
2199
+ oaepHash?: string | undefined;
2200
+ oaepLabel?: NodeJS.TypedArray | undefined;
2201
+ padding?: number | undefined;
2202
+ }
2203
+ /**
2204
+ * Encrypts the content of `buffer` with `key` and returns a new `Buffer` with encrypted content. The returned data can be decrypted using
2205
+ * the corresponding private key, for example using {@link privateDecrypt}.
2206
+ *
2207
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been passed to {@link createPublicKey}. If it is an
2208
+ * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_OAEP_PADDING`.
2209
+ *
2210
+ * Because RSA public keys can be derived from private keys, a private key may
2211
+ * be passed instead of a public key.
2212
+ * @since v0.11.14
2213
+ */
2214
+ function publicEncrypt(key: RsaPublicKey | RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2215
+ /**
2216
+ * Decrypts `buffer` with `key`.`buffer` was previously encrypted using
2217
+ * the corresponding private key, for example using {@link privateEncrypt}.
2218
+ *
2219
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been passed to {@link createPublicKey}. If it is an
2220
+ * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_PADDING`.
2221
+ *
2222
+ * Because RSA public keys can be derived from private keys, a private key may
2223
+ * be passed instead of a public key.
2224
+ * @since v1.1.0
2225
+ */
2226
+ function publicDecrypt(key: RsaPublicKey | RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2227
+ /**
2228
+ * Decrypts `buffer` with `privateKey`. `buffer` was previously encrypted using
2229
+ * the corresponding public key, for example using {@link publicEncrypt}.
2230
+ *
2231
+ * If `privateKey` is not a `KeyObject`, this function behaves as if `privateKey` had been passed to {@link createPrivateKey}. If it is an
2232
+ * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_OAEP_PADDING`.
2233
+ * @since v0.11.14
2234
+ */
2235
+ function privateDecrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2236
+ /**
2237
+ * Encrypts `buffer` with `privateKey`. The returned data can be decrypted using
2238
+ * the corresponding public key, for example using {@link publicDecrypt}.
2239
+ *
2240
+ * If `privateKey` is not a `KeyObject`, this function behaves as if `privateKey` had been passed to {@link createPrivateKey}. If it is an
2241
+ * object, the `padding` property can be passed. Otherwise, this function uses `RSA_PKCS1_PADDING`.
2242
+ * @since v1.1.0
2243
+ */
2244
+ function privateEncrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2245
+ /**
2246
+ * ```js
2247
+ * const {
2248
+ * getCiphers,
2249
+ * } = await import('node:crypto');
2250
+ *
2251
+ * console.log(getCiphers()); // ['aes-128-cbc', 'aes-128-ccm', ...]
2252
+ * ```
2253
+ * @since v0.9.3
2254
+ * @return An array with the names of the supported cipher algorithms.
2255
+ */
2256
+ function getCiphers(): string[];
2257
+ /**
2258
+ * ```js
2259
+ * const {
2260
+ * getCurves,
2261
+ * } = await import('node:crypto');
2262
+ *
2263
+ * console.log(getCurves()); // ['Oakley-EC2N-3', 'Oakley-EC2N-4', ...]
2264
+ * ```
2265
+ * @since v2.3.0
2266
+ * @return An array with the names of the supported elliptic curves.
2267
+ */
2268
+ function getCurves(): string[];
2269
+ /**
2270
+ * @since v10.0.0
2271
+ * @return `1` if and only if a FIPS compliant crypto provider is currently in use, `0` otherwise. A future semver-major release may change the return type of this API to a {boolean}.
2272
+ */
2273
+ function getFips(): 1 | 0;
2274
+ /**
2275
+ * Enables the FIPS compliant crypto provider in a FIPS-enabled Node.js build.
2276
+ * Throws an error if FIPS mode is not available.
2277
+ * @since v10.0.0
2278
+ * @param bool `true` to enable FIPS mode.
2279
+ */
2280
+ function setFips(bool: boolean): void;
2281
+ /**
2282
+ * ```js
2283
+ * const {
2284
+ * getHashes,
2285
+ * } = await import('node:crypto');
2286
+ *
2287
+ * console.log(getHashes()); // ['DSA', 'DSA-SHA', 'DSA-SHA1', ...]
2288
+ * ```
2289
+ * @since v0.9.3
2290
+ * @return An array of the names of the supported hash algorithms, such as `'RSA-SHA256'`. Hash algorithms are also called "digest" algorithms.
2291
+ */
2292
+ function getHashes(): string[];
2293
+ /**
2294
+ * The `ECDH` class is a utility for creating Elliptic Curve Diffie-Hellman (ECDH)
2295
+ * key exchanges.
2296
+ *
2297
+ * Instances of the `ECDH` class can be created using the {@link createECDH} function.
2298
+ *
2299
+ * ```js
2300
+ * import assert from 'node:assert';
2301
+ *
2302
+ * const {
2303
+ * createECDH,
2304
+ * } = await import('node:crypto');
2305
+ *
2306
+ * // Generate Alice's keys...
2307
+ * const alice = createECDH('secp521r1');
2308
+ * const aliceKey = alice.generateKeys();
2309
+ *
2310
+ * // Generate Bob's keys...
2311
+ * const bob = createECDH('secp521r1');
2312
+ * const bobKey = bob.generateKeys();
2313
+ *
2314
+ * // Exchange and generate the secret...
2315
+ * const aliceSecret = alice.computeSecret(bobKey);
2316
+ * const bobSecret = bob.computeSecret(aliceKey);
2317
+ *
2318
+ * assert.strictEqual(aliceSecret.toString('hex'), bobSecret.toString('hex'));
2319
+ * // OK
2320
+ * ```
2321
+ * @since v0.11.14
2322
+ */
2323
+ class ECDH {
2324
+ private constructor();
2325
+ /**
2326
+ * Converts the EC Diffie-Hellman public key specified by `key` and `curve` to the
2327
+ * format specified by `format`. The `format` argument specifies point encoding
2328
+ * and can be `'compressed'`, `'uncompressed'` or `'hybrid'`. The supplied key is
2329
+ * interpreted using the specified `inputEncoding`, and the returned key is encoded
2330
+ * using the specified `outputEncoding`.
2331
+ *
2332
+ * Use {@link getCurves} to obtain a list of available curve names.
2333
+ * On recent OpenSSL releases, `openssl ecparam -list_curves` will also display
2334
+ * the name and description of each available elliptic curve.
2335
+ *
2336
+ * If `format` is not specified the point will be returned in `'uncompressed'` format.
2337
+ *
2338
+ * If the `inputEncoding` is not provided, `key` is expected to be a `Buffer`, `TypedArray`, or `DataView`.
2339
+ *
2340
+ * Example (uncompressing a key):
2341
+ *
2342
+ * ```js
2343
+ * const {
2344
+ * createECDH,
2345
+ * ECDH,
2346
+ * } = await import('node:crypto');
2347
+ *
2348
+ * const ecdh = createECDH('secp256k1');
2349
+ * ecdh.generateKeys();
2350
+ *
2351
+ * const compressedKey = ecdh.getPublicKey('hex', 'compressed');
2352
+ *
2353
+ * const uncompressedKey = ECDH.convertKey(compressedKey,
2354
+ * 'secp256k1',
2355
+ * 'hex',
2356
+ * 'hex',
2357
+ * 'uncompressed');
2358
+ *
2359
+ * // The converted key and the uncompressed public key should be the same
2360
+ * console.log(uncompressedKey === ecdh.getPublicKey('hex'));
2361
+ * ```
2362
+ * @since v10.0.0
2363
+ * @param inputEncoding The `encoding` of the `key` string.
2364
+ * @param outputEncoding The `encoding` of the return value.
2365
+ * @param [format='uncompressed']
2366
+ */
2367
+ static convertKey(
2368
+ key: BinaryLike,
2369
+ curve: string,
2370
+ inputEncoding?: BinaryToTextEncoding,
2371
+ outputEncoding?: "latin1" | "hex" | "base64" | "base64url",
2372
+ format?: "uncompressed" | "compressed" | "hybrid",
2373
+ ): Buffer | string;
2374
+ /**
2375
+ * Generates private and public EC Diffie-Hellman key values, and returns
2376
+ * the public key in the specified `format` and `encoding`. This key should be
2377
+ * transferred to the other party.
2378
+ *
2379
+ * The `format` argument specifies point encoding and can be `'compressed'` or `'uncompressed'`. If `format` is not specified, the point will be returned in`'uncompressed'` format.
2380
+ *
2381
+ * If `encoding` is provided a string is returned; otherwise a `Buffer` is returned.
2382
+ * @since v0.11.14
2383
+ * @param encoding The `encoding` of the return value.
2384
+ * @param [format='uncompressed']
2385
+ */
2386
+ generateKeys(): Buffer;
2387
+ generateKeys(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
2388
+ /**
2389
+ * Computes the shared secret using `otherPublicKey` as the other
2390
+ * party's public key and returns the computed shared secret. The supplied
2391
+ * key is interpreted using specified `inputEncoding`, and the returned secret
2392
+ * is encoded using the specified `outputEncoding`.
2393
+ * If the `inputEncoding` is not
2394
+ * provided, `otherPublicKey` is expected to be a `Buffer`, `TypedArray`, or `DataView`.
2395
+ *
2396
+ * If `outputEncoding` is given a string will be returned; otherwise a `Buffer` is returned.
2397
+ *
2398
+ * `ecdh.computeSecret` will throw an`ERR_CRYPTO_ECDH_INVALID_PUBLIC_KEY` error when `otherPublicKey` lies outside of the elliptic curve. Since `otherPublicKey` is
2399
+ * usually supplied from a remote user over an insecure network,
2400
+ * be sure to handle this exception accordingly.
2401
+ * @since v0.11.14
2402
+ * @param inputEncoding The `encoding` of the `otherPublicKey` string.
2403
+ * @param outputEncoding The `encoding` of the return value.
2404
+ */
2405
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView): Buffer;
2406
+ computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding): Buffer;
2407
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView, outputEncoding: BinaryToTextEncoding): string;
2408
+ computeSecret(
2409
+ otherPublicKey: string,
2410
+ inputEncoding: BinaryToTextEncoding,
2411
+ outputEncoding: BinaryToTextEncoding,
2412
+ ): string;
2413
+ /**
2414
+ * If `encoding` is specified, a string is returned; otherwise a `Buffer` is
2415
+ * returned.
2416
+ * @since v0.11.14
2417
+ * @param encoding The `encoding` of the return value.
2418
+ * @return The EC Diffie-Hellman in the specified `encoding`.
2419
+ */
2420
+ getPrivateKey(): Buffer;
2421
+ getPrivateKey(encoding: BinaryToTextEncoding): string;
2422
+ /**
2423
+ * The `format` argument specifies point encoding and can be `'compressed'` or `'uncompressed'`. If `format` is not specified the point will be returned in`'uncompressed'` format.
2424
+ *
2425
+ * If `encoding` is specified, a string is returned; otherwise a `Buffer` is
2426
+ * returned.
2427
+ * @since v0.11.14
2428
+ * @param encoding The `encoding` of the return value.
2429
+ * @param [format='uncompressed']
2430
+ * @return The EC Diffie-Hellman public key in the specified `encoding` and `format`.
2431
+ */
2432
+ getPublicKey(encoding?: null, format?: ECDHKeyFormat): Buffer;
2433
+ getPublicKey(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
2434
+ /**
2435
+ * Sets the EC Diffie-Hellman private key.
2436
+ * If `encoding` is provided, `privateKey` is expected
2437
+ * to be a string; otherwise `privateKey` is expected to be a `Buffer`, `TypedArray`, or `DataView`.
2438
+ *
2439
+ * If `privateKey` is not valid for the curve specified when the `ECDH` object was
2440
+ * created, an error is thrown. Upon setting the private key, the associated
2441
+ * public point (key) is also generated and set in the `ECDH` object.
2442
+ * @since v0.11.14
2443
+ * @param encoding The `encoding` of the `privateKey` string.
2444
+ */
2445
+ setPrivateKey(privateKey: NodeJS.ArrayBufferView): void;
2446
+ setPrivateKey(privateKey: string, encoding: BinaryToTextEncoding): void;
2447
+ }
2448
+ /**
2449
+ * Creates an Elliptic Curve Diffie-Hellman (`ECDH`) key exchange object using a
2450
+ * predefined curve specified by the `curveName` string. Use {@link getCurves} to obtain a list of available curve names. On recent
2451
+ * OpenSSL releases, `openssl ecparam -list_curves` will also display the name
2452
+ * and description of each available elliptic curve.
2453
+ * @since v0.11.14
2454
+ */
2455
+ function createECDH(curveName: string): ECDH;
2456
+ /**
2457
+ * This function compares the underlying bytes that represent the given `ArrayBuffer`, `TypedArray`, or `DataView` instances using a constant-time
2458
+ * algorithm.
2459
+ *
2460
+ * This function does not leak timing information that
2461
+ * would allow an attacker to guess one of the values. This is suitable for
2462
+ * comparing HMAC digests or secret values like authentication cookies or [capability urls](https://www.w3.org/TR/capability-urls/).
2463
+ *
2464
+ * `a` and `b` must both be `Buffer`s, `TypedArray`s, or `DataView`s, and they
2465
+ * must have the same byte length. An error is thrown if `a` and `b` have
2466
+ * different byte lengths.
2467
+ *
2468
+ * If at least one of `a` and `b` is a `TypedArray` with more than one byte per
2469
+ * entry, such as `Uint16Array`, the result will be computed using the platform
2470
+ * byte order.
2471
+ *
2472
+ * **When both of the inputs are `Float32Array`s or `Float64Array`s, this function might return unexpected results due to IEEE 754**
2473
+ * **encoding of floating-point numbers. In particular, neither `x === y` nor `Object.is(x, y)` implies that the byte representations of two floating-point**
2474
+ * **numbers `x` and `y` are equal.**
2475
+ *
2476
+ * Use of `crypto.timingSafeEqual` does not guarantee that the _surrounding_ code
2477
+ * is timing-safe. Care should be taken to ensure that the surrounding code does
2478
+ * not introduce timing vulnerabilities.
2479
+ * @since v6.6.0
2480
+ */
2481
+ function timingSafeEqual(a: NodeJS.ArrayBufferView, b: NodeJS.ArrayBufferView): boolean;
2482
+ type KeyType = "rsa" | "rsa-pss" | "dsa" | "ec" | "ed25519" | "ed448" | "x25519" | "x448";
2483
+ type KeyFormat = "pem" | "der" | "jwk";
2484
+ interface BasePrivateKeyEncodingOptions<T extends KeyFormat> {
2485
+ format: T;
2486
+ cipher?: string | undefined;
2487
+ passphrase?: string | undefined;
2488
+ }
2489
+ interface KeyPairKeyObjectResult {
2490
+ publicKey: KeyObject;
2491
+ privateKey: KeyObject;
2492
+ }
2493
+ interface ED25519KeyPairKeyObjectOptions {}
2494
+ interface ED448KeyPairKeyObjectOptions {}
2495
+ interface X25519KeyPairKeyObjectOptions {}
2496
+ interface X448KeyPairKeyObjectOptions {}
2497
+ interface ECKeyPairKeyObjectOptions {
2498
+ /**
2499
+ * Name of the curve to use
2500
+ */
2501
+ namedCurve: string;
2502
+ /**
2503
+ * Must be `'named'` or `'explicit'`. Default: `'named'`.
2504
+ */
2505
+ paramEncoding?: "explicit" | "named" | undefined;
2506
+ }
2507
+ interface RSAKeyPairKeyObjectOptions {
2508
+ /**
2509
+ * Key size in bits
2510
+ */
2511
+ modulusLength: number;
2512
+ /**
2513
+ * Public exponent
2514
+ * @default 0x10001
2515
+ */
2516
+ publicExponent?: number | undefined;
2517
+ }
2518
+ interface RSAPSSKeyPairKeyObjectOptions {
2519
+ /**
2520
+ * Key size in bits
2521
+ */
2522
+ modulusLength: number;
2523
+ /**
2524
+ * Public exponent
2525
+ * @default 0x10001
2526
+ */
2527
+ publicExponent?: number | undefined;
2528
+ /**
2529
+ * Name of the message digest
2530
+ */
2531
+ hashAlgorithm?: string;
2532
+ /**
2533
+ * Name of the message digest used by MGF1
2534
+ */
2535
+ mgf1HashAlgorithm?: string;
2536
+ /**
2537
+ * Minimal salt length in bytes
2538
+ */
2539
+ saltLength?: string;
2540
+ }
2541
+ interface DSAKeyPairKeyObjectOptions {
2542
+ /**
2543
+ * Key size in bits
2544
+ */
2545
+ modulusLength: number;
2546
+ /**
2547
+ * Size of q in bits
2548
+ */
2549
+ divisorLength: number;
2550
+ }
2551
+ interface RSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2552
+ /**
2553
+ * Key size in bits
2554
+ */
2555
+ modulusLength: number;
2556
+ /**
2557
+ * Public exponent
2558
+ * @default 0x10001
2559
+ */
2560
+ publicExponent?: number | undefined;
2561
+ publicKeyEncoding: {
2562
+ type: "pkcs1" | "spki";
2563
+ format: PubF;
2564
+ };
2565
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2566
+ type: "pkcs1" | "pkcs8";
2567
+ };
2568
+ }
2569
+ interface RSAPSSKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2570
+ /**
2571
+ * Key size in bits
2572
+ */
2573
+ modulusLength: number;
2574
+ /**
2575
+ * Public exponent
2576
+ * @default 0x10001
2577
+ */
2578
+ publicExponent?: number | undefined;
2579
+ /**
2580
+ * Name of the message digest
2581
+ */
2582
+ hashAlgorithm?: string;
2583
+ /**
2584
+ * Name of the message digest used by MGF1
2585
+ */
2586
+ mgf1HashAlgorithm?: string;
2587
+ /**
2588
+ * Minimal salt length in bytes
2589
+ */
2590
+ saltLength?: string;
2591
+ publicKeyEncoding: {
2592
+ type: "spki";
2593
+ format: PubF;
2594
+ };
2595
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2596
+ type: "pkcs8";
2597
+ };
2598
+ }
2599
+ interface DSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2600
+ /**
2601
+ * Key size in bits
2602
+ */
2603
+ modulusLength: number;
2604
+ /**
2605
+ * Size of q in bits
2606
+ */
2607
+ divisorLength: number;
2608
+ publicKeyEncoding: {
2609
+ type: "spki";
2610
+ format: PubF;
2611
+ };
2612
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2613
+ type: "pkcs8";
2614
+ };
2615
+ }
2616
+ interface ECKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> extends ECKeyPairKeyObjectOptions {
2617
+ publicKeyEncoding: {
2618
+ type: "pkcs1" | "spki";
2619
+ format: PubF;
2620
+ };
2621
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2622
+ type: "sec1" | "pkcs8";
2623
+ };
2624
+ }
2625
+ interface ED25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2626
+ publicKeyEncoding: {
2627
+ type: "spki";
2628
+ format: PubF;
2629
+ };
2630
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2631
+ type: "pkcs8";
2632
+ };
2633
+ }
2634
+ interface ED448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2635
+ publicKeyEncoding: {
2636
+ type: "spki";
2637
+ format: PubF;
2638
+ };
2639
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2640
+ type: "pkcs8";
2641
+ };
2642
+ }
2643
+ interface X25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2644
+ publicKeyEncoding: {
2645
+ type: "spki";
2646
+ format: PubF;
2647
+ };
2648
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2649
+ type: "pkcs8";
2650
+ };
2651
+ }
2652
+ interface X448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2653
+ publicKeyEncoding: {
2654
+ type: "spki";
2655
+ format: PubF;
2656
+ };
2657
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2658
+ type: "pkcs8";
2659
+ };
2660
+ }
2661
+ interface KeyPairSyncResult<T1 extends string | Buffer, T2 extends string | Buffer> {
2662
+ publicKey: T1;
2663
+ privateKey: T2;
2664
+ }
2665
+ /**
2666
+ * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
2667
+ * Ed25519, Ed448, X25519, X448, and DH are currently supported.
2668
+ *
2669
+ * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
2670
+ * behaves as if `keyObject.export()` had been called on its result. Otherwise,
2671
+ * the respective part of the key is returned as a `KeyObject`.
2672
+ *
2673
+ * When encoding public keys, it is recommended to use `'spki'`. When encoding
2674
+ * private keys, it is recommended to use `'pkcs8'` with a strong passphrase,
2675
+ * and to keep the passphrase confidential.
2676
+ *
2677
+ * ```js
2678
+ * const {
2679
+ * generateKeyPairSync,
2680
+ * } = await import('node:crypto');
2681
+ *
2682
+ * const {
2683
+ * publicKey,
2684
+ * privateKey,
2685
+ * } = generateKeyPairSync('rsa', {
2686
+ * modulusLength: 4096,
2687
+ * publicKeyEncoding: {
2688
+ * type: 'spki',
2689
+ * format: 'pem',
2690
+ * },
2691
+ * privateKeyEncoding: {
2692
+ * type: 'pkcs8',
2693
+ * format: 'pem',
2694
+ * cipher: 'aes-256-cbc',
2695
+ * passphrase: 'top secret',
2696
+ * },
2697
+ * });
2698
+ * ```
2699
+ *
2700
+ * The return value `{ publicKey, privateKey }` represents the generated key pair.
2701
+ * When PEM encoding was selected, the respective key will be a string, otherwise
2702
+ * it will be a buffer containing the data encoded as DER.
2703
+ * @since v10.12.0
2704
+ * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
2705
+ */
2706
+ function generateKeyPairSync(
2707
+ type: "rsa",
2708
+ options: RSAKeyPairOptions<"pem", "pem">,
2709
+ ): KeyPairSyncResult<string, string>;
2710
+ function generateKeyPairSync(
2711
+ type: "rsa",
2712
+ options: RSAKeyPairOptions<"pem", "der">,
2713
+ ): KeyPairSyncResult<string, Buffer>;
2714
+ function generateKeyPairSync(
2715
+ type: "rsa",
2716
+ options: RSAKeyPairOptions<"der", "pem">,
2717
+ ): KeyPairSyncResult<Buffer, string>;
2718
+ function generateKeyPairSync(
2719
+ type: "rsa",
2720
+ options: RSAKeyPairOptions<"der", "der">,
2721
+ ): KeyPairSyncResult<Buffer, Buffer>;
2722
+ function generateKeyPairSync(type: "rsa", options: RSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2723
+ function generateKeyPairSync(
2724
+ type: "rsa-pss",
2725
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
2726
+ ): KeyPairSyncResult<string, string>;
2727
+ function generateKeyPairSync(
2728
+ type: "rsa-pss",
2729
+ options: RSAPSSKeyPairOptions<"pem", "der">,
2730
+ ): KeyPairSyncResult<string, Buffer>;
2731
+ function generateKeyPairSync(
2732
+ type: "rsa-pss",
2733
+ options: RSAPSSKeyPairOptions<"der", "pem">,
2734
+ ): KeyPairSyncResult<Buffer, string>;
2735
+ function generateKeyPairSync(
2736
+ type: "rsa-pss",
2737
+ options: RSAPSSKeyPairOptions<"der", "der">,
2738
+ ): KeyPairSyncResult<Buffer, Buffer>;
2739
+ function generateKeyPairSync(type: "rsa-pss", options: RSAPSSKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2740
+ function generateKeyPairSync(
2741
+ type: "dsa",
2742
+ options: DSAKeyPairOptions<"pem", "pem">,
2743
+ ): KeyPairSyncResult<string, string>;
2744
+ function generateKeyPairSync(
2745
+ type: "dsa",
2746
+ options: DSAKeyPairOptions<"pem", "der">,
2747
+ ): KeyPairSyncResult<string, Buffer>;
2748
+ function generateKeyPairSync(
2749
+ type: "dsa",
2750
+ options: DSAKeyPairOptions<"der", "pem">,
2751
+ ): KeyPairSyncResult<Buffer, string>;
2752
+ function generateKeyPairSync(
2753
+ type: "dsa",
2754
+ options: DSAKeyPairOptions<"der", "der">,
2755
+ ): KeyPairSyncResult<Buffer, Buffer>;
2756
+ function generateKeyPairSync(type: "dsa", options: DSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2757
+ function generateKeyPairSync(
2758
+ type: "ec",
2759
+ options: ECKeyPairOptions<"pem", "pem">,
2760
+ ): KeyPairSyncResult<string, string>;
2761
+ function generateKeyPairSync(
2762
+ type: "ec",
2763
+ options: ECKeyPairOptions<"pem", "der">,
2764
+ ): KeyPairSyncResult<string, Buffer>;
2765
+ function generateKeyPairSync(
2766
+ type: "ec",
2767
+ options: ECKeyPairOptions<"der", "pem">,
2768
+ ): KeyPairSyncResult<Buffer, string>;
2769
+ function generateKeyPairSync(
2770
+ type: "ec",
2771
+ options: ECKeyPairOptions<"der", "der">,
2772
+ ): KeyPairSyncResult<Buffer, Buffer>;
2773
+ function generateKeyPairSync(type: "ec", options: ECKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2774
+ function generateKeyPairSync(
2775
+ type: "ed25519",
2776
+ options: ED25519KeyPairOptions<"pem", "pem">,
2777
+ ): KeyPairSyncResult<string, string>;
2778
+ function generateKeyPairSync(
2779
+ type: "ed25519",
2780
+ options: ED25519KeyPairOptions<"pem", "der">,
2781
+ ): KeyPairSyncResult<string, Buffer>;
2782
+ function generateKeyPairSync(
2783
+ type: "ed25519",
2784
+ options: ED25519KeyPairOptions<"der", "pem">,
2785
+ ): KeyPairSyncResult<Buffer, string>;
2786
+ function generateKeyPairSync(
2787
+ type: "ed25519",
2788
+ options: ED25519KeyPairOptions<"der", "der">,
2789
+ ): KeyPairSyncResult<Buffer, Buffer>;
2790
+ function generateKeyPairSync(type: "ed25519", options?: ED25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2791
+ function generateKeyPairSync(
2792
+ type: "ed448",
2793
+ options: ED448KeyPairOptions<"pem", "pem">,
2794
+ ): KeyPairSyncResult<string, string>;
2795
+ function generateKeyPairSync(
2796
+ type: "ed448",
2797
+ options: ED448KeyPairOptions<"pem", "der">,
2798
+ ): KeyPairSyncResult<string, Buffer>;
2799
+ function generateKeyPairSync(
2800
+ type: "ed448",
2801
+ options: ED448KeyPairOptions<"der", "pem">,
2802
+ ): KeyPairSyncResult<Buffer, string>;
2803
+ function generateKeyPairSync(
2804
+ type: "ed448",
2805
+ options: ED448KeyPairOptions<"der", "der">,
2806
+ ): KeyPairSyncResult<Buffer, Buffer>;
2807
+ function generateKeyPairSync(type: "ed448", options?: ED448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2808
+ function generateKeyPairSync(
2809
+ type: "x25519",
2810
+ options: X25519KeyPairOptions<"pem", "pem">,
2811
+ ): KeyPairSyncResult<string, string>;
2812
+ function generateKeyPairSync(
2813
+ type: "x25519",
2814
+ options: X25519KeyPairOptions<"pem", "der">,
2815
+ ): KeyPairSyncResult<string, Buffer>;
2816
+ function generateKeyPairSync(
2817
+ type: "x25519",
2818
+ options: X25519KeyPairOptions<"der", "pem">,
2819
+ ): KeyPairSyncResult<Buffer, string>;
2820
+ function generateKeyPairSync(
2821
+ type: "x25519",
2822
+ options: X25519KeyPairOptions<"der", "der">,
2823
+ ): KeyPairSyncResult<Buffer, Buffer>;
2824
+ function generateKeyPairSync(type: "x25519", options?: X25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2825
+ function generateKeyPairSync(
2826
+ type: "x448",
2827
+ options: X448KeyPairOptions<"pem", "pem">,
2828
+ ): KeyPairSyncResult<string, string>;
2829
+ function generateKeyPairSync(
2830
+ type: "x448",
2831
+ options: X448KeyPairOptions<"pem", "der">,
2832
+ ): KeyPairSyncResult<string, Buffer>;
2833
+ function generateKeyPairSync(
2834
+ type: "x448",
2835
+ options: X448KeyPairOptions<"der", "pem">,
2836
+ ): KeyPairSyncResult<Buffer, string>;
2837
+ function generateKeyPairSync(
2838
+ type: "x448",
2839
+ options: X448KeyPairOptions<"der", "der">,
2840
+ ): KeyPairSyncResult<Buffer, Buffer>;
2841
+ function generateKeyPairSync(type: "x448", options?: X448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2842
+ /**
2843
+ * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
2844
+ * Ed25519, Ed448, X25519, X448, and DH are currently supported.
2845
+ *
2846
+ * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
2847
+ * behaves as if `keyObject.export()` had been called on its result. Otherwise,
2848
+ * the respective part of the key is returned as a `KeyObject`.
2849
+ *
2850
+ * It is recommended to encode public keys as `'spki'` and private keys as `'pkcs8'` with encryption for long-term storage:
2851
+ *
2852
+ * ```js
2853
+ * const {
2854
+ * generateKeyPair,
2855
+ * } = await import('node:crypto');
2856
+ *
2857
+ * generateKeyPair('rsa', {
2858
+ * modulusLength: 4096,
2859
+ * publicKeyEncoding: {
2860
+ * type: 'spki',
2861
+ * format: 'pem',
2862
+ * },
2863
+ * privateKeyEncoding: {
2864
+ * type: 'pkcs8',
2865
+ * format: 'pem',
2866
+ * cipher: 'aes-256-cbc',
2867
+ * passphrase: 'top secret',
2868
+ * },
2869
+ * }, (err, publicKey, privateKey) => {
2870
+ * // Handle errors and use the generated key pair.
2871
+ * });
2872
+ * ```
2873
+ *
2874
+ * On completion, `callback` will be called with `err` set to `undefined` and `publicKey` / `privateKey` representing the generated key pair.
2875
+ *
2876
+ * If this method is invoked as its `util.promisify()` ed version, it returns
2877
+ * a `Promise` for an `Object` with `publicKey` and `privateKey` properties.
2878
+ * @since v10.12.0
2879
+ * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
2880
+ */
2881
+ function generateKeyPair(
2882
+ type: "rsa",
2883
+ options: RSAKeyPairOptions<"pem", "pem">,
2884
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2885
+ ): void;
2886
+ function generateKeyPair(
2887
+ type: "rsa",
2888
+ options: RSAKeyPairOptions<"pem", "der">,
2889
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2890
+ ): void;
2891
+ function generateKeyPair(
2892
+ type: "rsa",
2893
+ options: RSAKeyPairOptions<"der", "pem">,
2894
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2895
+ ): void;
2896
+ function generateKeyPair(
2897
+ type: "rsa",
2898
+ options: RSAKeyPairOptions<"der", "der">,
2899
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2900
+ ): void;
2901
+ function generateKeyPair(
2902
+ type: "rsa",
2903
+ options: RSAKeyPairKeyObjectOptions,
2904
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2905
+ ): void;
2906
+ function generateKeyPair(
2907
+ type: "rsa-pss",
2908
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
2909
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2910
+ ): void;
2911
+ function generateKeyPair(
2912
+ type: "rsa-pss",
2913
+ options: RSAPSSKeyPairOptions<"pem", "der">,
2914
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2915
+ ): void;
2916
+ function generateKeyPair(
2917
+ type: "rsa-pss",
2918
+ options: RSAPSSKeyPairOptions<"der", "pem">,
2919
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2920
+ ): void;
2921
+ function generateKeyPair(
2922
+ type: "rsa-pss",
2923
+ options: RSAPSSKeyPairOptions<"der", "der">,
2924
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2925
+ ): void;
2926
+ function generateKeyPair(
2927
+ type: "rsa-pss",
2928
+ options: RSAPSSKeyPairKeyObjectOptions,
2929
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2930
+ ): void;
2931
+ function generateKeyPair(
2932
+ type: "dsa",
2933
+ options: DSAKeyPairOptions<"pem", "pem">,
2934
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2935
+ ): void;
2936
+ function generateKeyPair(
2937
+ type: "dsa",
2938
+ options: DSAKeyPairOptions<"pem", "der">,
2939
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2940
+ ): void;
2941
+ function generateKeyPair(
2942
+ type: "dsa",
2943
+ options: DSAKeyPairOptions<"der", "pem">,
2944
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2945
+ ): void;
2946
+ function generateKeyPair(
2947
+ type: "dsa",
2948
+ options: DSAKeyPairOptions<"der", "der">,
2949
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2950
+ ): void;
2951
+ function generateKeyPair(
2952
+ type: "dsa",
2953
+ options: DSAKeyPairKeyObjectOptions,
2954
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2955
+ ): void;
2956
+ function generateKeyPair(
2957
+ type: "ec",
2958
+ options: ECKeyPairOptions<"pem", "pem">,
2959
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2960
+ ): void;
2961
+ function generateKeyPair(
2962
+ type: "ec",
2963
+ options: ECKeyPairOptions<"pem", "der">,
2964
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2965
+ ): void;
2966
+ function generateKeyPair(
2967
+ type: "ec",
2968
+ options: ECKeyPairOptions<"der", "pem">,
2969
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2970
+ ): void;
2971
+ function generateKeyPair(
2972
+ type: "ec",
2973
+ options: ECKeyPairOptions<"der", "der">,
2974
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2975
+ ): void;
2976
+ function generateKeyPair(
2977
+ type: "ec",
2978
+ options: ECKeyPairKeyObjectOptions,
2979
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2980
+ ): void;
2981
+ function generateKeyPair(
2982
+ type: "ed25519",
2983
+ options: ED25519KeyPairOptions<"pem", "pem">,
2984
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2985
+ ): void;
2986
+ function generateKeyPair(
2987
+ type: "ed25519",
2988
+ options: ED25519KeyPairOptions<"pem", "der">,
2989
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2990
+ ): void;
2991
+ function generateKeyPair(
2992
+ type: "ed25519",
2993
+ options: ED25519KeyPairOptions<"der", "pem">,
2994
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2995
+ ): void;
2996
+ function generateKeyPair(
2997
+ type: "ed25519",
2998
+ options: ED25519KeyPairOptions<"der", "der">,
2999
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3000
+ ): void;
3001
+ function generateKeyPair(
3002
+ type: "ed25519",
3003
+ options: ED25519KeyPairKeyObjectOptions | undefined,
3004
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3005
+ ): void;
3006
+ function generateKeyPair(
3007
+ type: "ed448",
3008
+ options: ED448KeyPairOptions<"pem", "pem">,
3009
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3010
+ ): void;
3011
+ function generateKeyPair(
3012
+ type: "ed448",
3013
+ options: ED448KeyPairOptions<"pem", "der">,
3014
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3015
+ ): void;
3016
+ function generateKeyPair(
3017
+ type: "ed448",
3018
+ options: ED448KeyPairOptions<"der", "pem">,
3019
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3020
+ ): void;
3021
+ function generateKeyPair(
3022
+ type: "ed448",
3023
+ options: ED448KeyPairOptions<"der", "der">,
3024
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3025
+ ): void;
3026
+ function generateKeyPair(
3027
+ type: "ed448",
3028
+ options: ED448KeyPairKeyObjectOptions | undefined,
3029
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3030
+ ): void;
3031
+ function generateKeyPair(
3032
+ type: "x25519",
3033
+ options: X25519KeyPairOptions<"pem", "pem">,
3034
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3035
+ ): void;
3036
+ function generateKeyPair(
3037
+ type: "x25519",
3038
+ options: X25519KeyPairOptions<"pem", "der">,
3039
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3040
+ ): void;
3041
+ function generateKeyPair(
3042
+ type: "x25519",
3043
+ options: X25519KeyPairOptions<"der", "pem">,
3044
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3045
+ ): void;
3046
+ function generateKeyPair(
3047
+ type: "x25519",
3048
+ options: X25519KeyPairOptions<"der", "der">,
3049
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3050
+ ): void;
3051
+ function generateKeyPair(
3052
+ type: "x25519",
3053
+ options: X25519KeyPairKeyObjectOptions | undefined,
3054
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3055
+ ): void;
3056
+ function generateKeyPair(
3057
+ type: "x448",
3058
+ options: X448KeyPairOptions<"pem", "pem">,
3059
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3060
+ ): void;
3061
+ function generateKeyPair(
3062
+ type: "x448",
3063
+ options: X448KeyPairOptions<"pem", "der">,
3064
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3065
+ ): void;
3066
+ function generateKeyPair(
3067
+ type: "x448",
3068
+ options: X448KeyPairOptions<"der", "pem">,
3069
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3070
+ ): void;
3071
+ function generateKeyPair(
3072
+ type: "x448",
3073
+ options: X448KeyPairOptions<"der", "der">,
3074
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3075
+ ): void;
3076
+ function generateKeyPair(
3077
+ type: "x448",
3078
+ options: X448KeyPairKeyObjectOptions | undefined,
3079
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3080
+ ): void;
3081
+ namespace generateKeyPair {
3082
+ function __promisify__(
3083
+ type: "rsa",
3084
+ options: RSAKeyPairOptions<"pem", "pem">,
3085
+ ): Promise<{
3086
+ publicKey: string;
3087
+ privateKey: string;
3088
+ }>;
3089
+ function __promisify__(
3090
+ type: "rsa",
3091
+ options: RSAKeyPairOptions<"pem", "der">,
3092
+ ): Promise<{
3093
+ publicKey: string;
3094
+ privateKey: Buffer;
3095
+ }>;
3096
+ function __promisify__(
3097
+ type: "rsa",
3098
+ options: RSAKeyPairOptions<"der", "pem">,
3099
+ ): Promise<{
3100
+ publicKey: Buffer;
3101
+ privateKey: string;
3102
+ }>;
3103
+ function __promisify__(
3104
+ type: "rsa",
3105
+ options: RSAKeyPairOptions<"der", "der">,
3106
+ ): Promise<{
3107
+ publicKey: Buffer;
3108
+ privateKey: Buffer;
3109
+ }>;
3110
+ function __promisify__(type: "rsa", options: RSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3111
+ function __promisify__(
3112
+ type: "rsa-pss",
3113
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
3114
+ ): Promise<{
3115
+ publicKey: string;
3116
+ privateKey: string;
3117
+ }>;
3118
+ function __promisify__(
3119
+ type: "rsa-pss",
3120
+ options: RSAPSSKeyPairOptions<"pem", "der">,
3121
+ ): Promise<{
3122
+ publicKey: string;
3123
+ privateKey: Buffer;
3124
+ }>;
3125
+ function __promisify__(
3126
+ type: "rsa-pss",
3127
+ options: RSAPSSKeyPairOptions<"der", "pem">,
3128
+ ): Promise<{
3129
+ publicKey: Buffer;
3130
+ privateKey: string;
3131
+ }>;
3132
+ function __promisify__(
3133
+ type: "rsa-pss",
3134
+ options: RSAPSSKeyPairOptions<"der", "der">,
3135
+ ): Promise<{
3136
+ publicKey: Buffer;
3137
+ privateKey: Buffer;
3138
+ }>;
3139
+ function __promisify__(
3140
+ type: "rsa-pss",
3141
+ options: RSAPSSKeyPairKeyObjectOptions,
3142
+ ): Promise<KeyPairKeyObjectResult>;
3143
+ function __promisify__(
3144
+ type: "dsa",
3145
+ options: DSAKeyPairOptions<"pem", "pem">,
3146
+ ): Promise<{
3147
+ publicKey: string;
3148
+ privateKey: string;
3149
+ }>;
3150
+ function __promisify__(
3151
+ type: "dsa",
3152
+ options: DSAKeyPairOptions<"pem", "der">,
3153
+ ): Promise<{
3154
+ publicKey: string;
3155
+ privateKey: Buffer;
3156
+ }>;
3157
+ function __promisify__(
3158
+ type: "dsa",
3159
+ options: DSAKeyPairOptions<"der", "pem">,
3160
+ ): Promise<{
3161
+ publicKey: Buffer;
3162
+ privateKey: string;
3163
+ }>;
3164
+ function __promisify__(
3165
+ type: "dsa",
3166
+ options: DSAKeyPairOptions<"der", "der">,
3167
+ ): Promise<{
3168
+ publicKey: Buffer;
3169
+ privateKey: Buffer;
3170
+ }>;
3171
+ function __promisify__(type: "dsa", options: DSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3172
+ function __promisify__(
3173
+ type: "ec",
3174
+ options: ECKeyPairOptions<"pem", "pem">,
3175
+ ): Promise<{
3176
+ publicKey: string;
3177
+ privateKey: string;
3178
+ }>;
3179
+ function __promisify__(
3180
+ type: "ec",
3181
+ options: ECKeyPairOptions<"pem", "der">,
3182
+ ): Promise<{
3183
+ publicKey: string;
3184
+ privateKey: Buffer;
3185
+ }>;
3186
+ function __promisify__(
3187
+ type: "ec",
3188
+ options: ECKeyPairOptions<"der", "pem">,
3189
+ ): Promise<{
3190
+ publicKey: Buffer;
3191
+ privateKey: string;
3192
+ }>;
3193
+ function __promisify__(
3194
+ type: "ec",
3195
+ options: ECKeyPairOptions<"der", "der">,
3196
+ ): Promise<{
3197
+ publicKey: Buffer;
3198
+ privateKey: Buffer;
3199
+ }>;
3200
+ function __promisify__(type: "ec", options: ECKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3201
+ function __promisify__(
3202
+ type: "ed25519",
3203
+ options: ED25519KeyPairOptions<"pem", "pem">,
3204
+ ): Promise<{
3205
+ publicKey: string;
3206
+ privateKey: string;
3207
+ }>;
3208
+ function __promisify__(
3209
+ type: "ed25519",
3210
+ options: ED25519KeyPairOptions<"pem", "der">,
3211
+ ): Promise<{
3212
+ publicKey: string;
3213
+ privateKey: Buffer;
3214
+ }>;
3215
+ function __promisify__(
3216
+ type: "ed25519",
3217
+ options: ED25519KeyPairOptions<"der", "pem">,
3218
+ ): Promise<{
3219
+ publicKey: Buffer;
3220
+ privateKey: string;
3221
+ }>;
3222
+ function __promisify__(
3223
+ type: "ed25519",
3224
+ options: ED25519KeyPairOptions<"der", "der">,
3225
+ ): Promise<{
3226
+ publicKey: Buffer;
3227
+ privateKey: Buffer;
3228
+ }>;
3229
+ function __promisify__(
3230
+ type: "ed25519",
3231
+ options?: ED25519KeyPairKeyObjectOptions,
3232
+ ): Promise<KeyPairKeyObjectResult>;
3233
+ function __promisify__(
3234
+ type: "ed448",
3235
+ options: ED448KeyPairOptions<"pem", "pem">,
3236
+ ): Promise<{
3237
+ publicKey: string;
3238
+ privateKey: string;
3239
+ }>;
3240
+ function __promisify__(
3241
+ type: "ed448",
3242
+ options: ED448KeyPairOptions<"pem", "der">,
3243
+ ): Promise<{
3244
+ publicKey: string;
3245
+ privateKey: Buffer;
3246
+ }>;
3247
+ function __promisify__(
3248
+ type: "ed448",
3249
+ options: ED448KeyPairOptions<"der", "pem">,
3250
+ ): Promise<{
3251
+ publicKey: Buffer;
3252
+ privateKey: string;
3253
+ }>;
3254
+ function __promisify__(
3255
+ type: "ed448",
3256
+ options: ED448KeyPairOptions<"der", "der">,
3257
+ ): Promise<{
3258
+ publicKey: Buffer;
3259
+ privateKey: Buffer;
3260
+ }>;
3261
+ function __promisify__(type: "ed448", options?: ED448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3262
+ function __promisify__(
3263
+ type: "x25519",
3264
+ options: X25519KeyPairOptions<"pem", "pem">,
3265
+ ): Promise<{
3266
+ publicKey: string;
3267
+ privateKey: string;
3268
+ }>;
3269
+ function __promisify__(
3270
+ type: "x25519",
3271
+ options: X25519KeyPairOptions<"pem", "der">,
3272
+ ): Promise<{
3273
+ publicKey: string;
3274
+ privateKey: Buffer;
3275
+ }>;
3276
+ function __promisify__(
3277
+ type: "x25519",
3278
+ options: X25519KeyPairOptions<"der", "pem">,
3279
+ ): Promise<{
3280
+ publicKey: Buffer;
3281
+ privateKey: string;
3282
+ }>;
3283
+ function __promisify__(
3284
+ type: "x25519",
3285
+ options: X25519KeyPairOptions<"der", "der">,
3286
+ ): Promise<{
3287
+ publicKey: Buffer;
3288
+ privateKey: Buffer;
3289
+ }>;
3290
+ function __promisify__(
3291
+ type: "x25519",
3292
+ options?: X25519KeyPairKeyObjectOptions,
3293
+ ): Promise<KeyPairKeyObjectResult>;
3294
+ function __promisify__(
3295
+ type: "x448",
3296
+ options: X448KeyPairOptions<"pem", "pem">,
3297
+ ): Promise<{
3298
+ publicKey: string;
3299
+ privateKey: string;
3300
+ }>;
3301
+ function __promisify__(
3302
+ type: "x448",
3303
+ options: X448KeyPairOptions<"pem", "der">,
3304
+ ): Promise<{
3305
+ publicKey: string;
3306
+ privateKey: Buffer;
3307
+ }>;
3308
+ function __promisify__(
3309
+ type: "x448",
3310
+ options: X448KeyPairOptions<"der", "pem">,
3311
+ ): Promise<{
3312
+ publicKey: Buffer;
3313
+ privateKey: string;
3314
+ }>;
3315
+ function __promisify__(
3316
+ type: "x448",
3317
+ options: X448KeyPairOptions<"der", "der">,
3318
+ ): Promise<{
3319
+ publicKey: Buffer;
3320
+ privateKey: Buffer;
3321
+ }>;
3322
+ function __promisify__(type: "x448", options?: X448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3323
+ }
3324
+ /**
3325
+ * Calculates and returns the signature for `data` using the given private key and
3326
+ * algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is
3327
+ * dependent upon the key type (especially Ed25519 and Ed448).
3328
+ *
3329
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been
3330
+ * passed to {@link createPrivateKey}. If it is an object, the following
3331
+ * additional properties can be passed:
3332
+ *
3333
+ * If the `callback` function is provided this function uses libuv's threadpool.
3334
+ * @since v12.0.0
3335
+ */
3336
+ function sign(
3337
+ algorithm: string | null | undefined,
3338
+ data: NodeJS.ArrayBufferView,
3339
+ key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
3340
+ ): Buffer;
3341
+ function sign(
3342
+ algorithm: string | null | undefined,
3343
+ data: NodeJS.ArrayBufferView,
3344
+ key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
3345
+ callback: (error: Error | null, data: Buffer) => void,
3346
+ ): void;
3347
+ /**
3348
+ * Verifies the given signature for `data` using the given key and algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
3349
+ * key type (especially Ed25519 and Ed448).
3350
+ *
3351
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been
3352
+ * passed to {@link createPublicKey}. If it is an object, the following
3353
+ * additional properties can be passed:
3354
+ *
3355
+ * The `signature` argument is the previously calculated signature for the `data`.
3356
+ *
3357
+ * Because public keys can be derived from private keys, a private key or a public
3358
+ * key may be passed for `key`.
3359
+ *
3360
+ * If the `callback` function is provided this function uses libuv's threadpool.
3361
+ * @since v12.0.0
3362
+ */
3363
+ function verify(
3364
+ algorithm: string | null | undefined,
3365
+ data: NodeJS.ArrayBufferView,
3366
+ key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
3367
+ signature: NodeJS.ArrayBufferView,
3368
+ ): boolean;
3369
+ function verify(
3370
+ algorithm: string | null | undefined,
3371
+ data: NodeJS.ArrayBufferView,
3372
+ key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
3373
+ signature: NodeJS.ArrayBufferView,
3374
+ callback: (error: Error | null, result: boolean) => void,
3375
+ ): void;
3376
+ /**
3377
+ * Computes the Diffie-Hellman secret based on a `privateKey` and a `publicKey`.
3378
+ * Both keys must have the same `asymmetricKeyType`, which must be one of `'dh'` (for Diffie-Hellman), `'ec'` (for ECDH), `'x448'`, or `'x25519'` (for ECDH-ES).
3379
+ * @since v13.9.0, v12.17.0
3380
+ */
3381
+ function diffieHellman(options: { privateKey: KeyObject; publicKey: KeyObject }): Buffer;
3382
+ /**
3383
+ * A utility for creating one-shot hash digests of data. It can be faster than the object-based `crypto.createHash()` when hashing a smaller amount of data
3384
+ * (<= 5MB) that's readily available. If the data can be big or if it is streamed, it's still recommended to use `crypto.createHash()` instead. The `algorithm`
3385
+ * is dependent on the available algorithms supported by the version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. On recent releases
3386
+ * of OpenSSL, `openssl list -digest-algorithms` will display the available digest algorithms.
3387
+ *
3388
+ * Example:
3389
+ *
3390
+ * ```js
3391
+ * const crypto = require('node:crypto');
3392
+ * const { Buffer } = require('node:buffer');
3393
+ *
3394
+ * // Hashing a string and return the result as a hex-encoded string.
3395
+ * const string = 'Node.js';
3396
+ * // 10b3493287f831e81a438811a1ffba01f8cec4b7
3397
+ * console.log(crypto.hash('sha1', string));
3398
+ *
3399
+ * // Encode a base64-encoded string into a Buffer, hash it and return
3400
+ * // the result as a buffer.
3401
+ * const base64 = 'Tm9kZS5qcw==';
3402
+ * // <Buffer 10 b3 49 32 87 f8 31 e8 1a 43 88 11 a1 ff ba 01 f8 ce c4 b7>
3403
+ * console.log(crypto.hash('sha1', Buffer.from(base64, 'base64'), 'buffer'));
3404
+ * ```
3405
+ * @since v21.7.0, v20.12.0
3406
+ * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different input encoding is desired for a string input, user
3407
+ * could encode the string into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing the encoded `TypedArray` into this API instead.
3408
+ * @param [outputEncoding='hex'] [Encoding](https://nodejs.org/docs/latest-v20.x/api/buffer.html#buffers-and-character-encodings) used to encode the returned digest.
3409
+ */
3410
+ function hash(algorithm: string, data: BinaryLike, outputEncoding?: BinaryToTextEncoding): string;
3411
+ function hash(algorithm: string, data: BinaryLike, outputEncoding: "buffer"): Buffer;
3412
+ function hash(
3413
+ algorithm: string,
3414
+ data: BinaryLike,
3415
+ outputEncoding?: BinaryToTextEncoding | "buffer",
3416
+ ): string | Buffer;
3417
+ type CipherMode = "cbc" | "ccm" | "cfb" | "ctr" | "ecb" | "gcm" | "ocb" | "ofb" | "stream" | "wrap" | "xts";
3418
+ interface CipherInfoOptions {
3419
+ /**
3420
+ * A test key length.
3421
+ */
3422
+ keyLength?: number | undefined;
3423
+ /**
3424
+ * A test IV length.
3425
+ */
3426
+ ivLength?: number | undefined;
3427
+ }
3428
+ interface CipherInfo {
3429
+ /**
3430
+ * The name of the cipher.
3431
+ */
3432
+ name: string;
3433
+ /**
3434
+ * The nid of the cipher.
3435
+ */
3436
+ nid: number;
3437
+ /**
3438
+ * The block size of the cipher in bytes.
3439
+ * This property is omitted when mode is 'stream'.
3440
+ */
3441
+ blockSize?: number | undefined;
3442
+ /**
3443
+ * The expected or default initialization vector length in bytes.
3444
+ * This property is omitted if the cipher does not use an initialization vector.
3445
+ */
3446
+ ivLength?: number | undefined;
3447
+ /**
3448
+ * The expected or default key length in bytes.
3449
+ */
3450
+ keyLength: number;
3451
+ /**
3452
+ * The cipher mode.
3453
+ */
3454
+ mode: CipherMode;
3455
+ }
3456
+ /**
3457
+ * Returns information about a given cipher.
3458
+ *
3459
+ * Some ciphers accept variable length keys and initialization vectors. By default,
3460
+ * the `crypto.getCipherInfo()` method will return the default values for these
3461
+ * ciphers. To test if a given key length or iv length is acceptable for given
3462
+ * cipher, use the `keyLength` and `ivLength` options. If the given values are
3463
+ * unacceptable, `undefined` will be returned.
3464
+ * @since v15.0.0
3465
+ * @param nameOrNid The name or nid of the cipher to query.
3466
+ */
3467
+ function getCipherInfo(nameOrNid: string | number, options?: CipherInfoOptions): CipherInfo | undefined;
3468
+ /**
3469
+ * HKDF is a simple key derivation function defined in RFC 5869\. The given `ikm`, `salt` and `info` are used with the `digest` to derive a key of `keylen` bytes.
3470
+ *
3471
+ * The supplied `callback` function is called with two arguments: `err` and `derivedKey`. If an errors occurs while deriving the key, `err` will be set;
3472
+ * otherwise `err` will be `null`. The successfully generated `derivedKey` will
3473
+ * be passed to the callback as an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). An error will be thrown if any
3474
+ * of the input arguments specify invalid values or types.
3475
+ *
3476
+ * ```js
3477
+ * import { Buffer } from 'node:buffer';
3478
+ * const {
3479
+ * hkdf,
3480
+ * } = await import('node:crypto');
3481
+ *
3482
+ * hkdf('sha512', 'key', 'salt', 'info', 64, (err, derivedKey) => {
3483
+ * if (err) throw err;
3484
+ * console.log(Buffer.from(derivedKey).toString('hex')); // '24156e2...5391653'
3485
+ * });
3486
+ * ```
3487
+ * @since v15.0.0
3488
+ * @param digest The digest algorithm to use.
3489
+ * @param ikm The input keying material. Must be provided but can be zero-length.
3490
+ * @param salt The salt value. Must be provided but can be zero-length.
3491
+ * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
3492
+ * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
3493
+ * generates 64-byte hashes, making the maximum HKDF output 16320 bytes).
3494
+ */
3495
+ function hkdf(
3496
+ digest: string,
3497
+ irm: BinaryLike | KeyObject,
3498
+ salt: BinaryLike,
3499
+ info: BinaryLike,
3500
+ keylen: number,
3501
+ callback: (err: Error | null, derivedKey: ArrayBuffer) => void,
3502
+ ): void;
3503
+ /**
3504
+ * Provides a synchronous HKDF key derivation function as defined in RFC 5869\. The
3505
+ * given `ikm`, `salt` and `info` are used with the `digest` to derive a key of `keylen` bytes.
3506
+ *
3507
+ * The successfully generated `derivedKey` will be returned as an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer).
3508
+ *
3509
+ * An error will be thrown if any of the input arguments specify invalid values or
3510
+ * types, or if the derived key cannot be generated.
3511
+ *
3512
+ * ```js
3513
+ * import { Buffer } from 'node:buffer';
3514
+ * const {
3515
+ * hkdfSync,
3516
+ * } = await import('node:crypto');
3517
+ *
3518
+ * const derivedKey = hkdfSync('sha512', 'key', 'salt', 'info', 64);
3519
+ * console.log(Buffer.from(derivedKey).toString('hex')); // '24156e2...5391653'
3520
+ * ```
3521
+ * @since v15.0.0
3522
+ * @param digest The digest algorithm to use.
3523
+ * @param ikm The input keying material. Must be provided but can be zero-length.
3524
+ * @param salt The salt value. Must be provided but can be zero-length.
3525
+ * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
3526
+ * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
3527
+ * generates 64-byte hashes, making the maximum HKDF output 16320 bytes).
3528
+ */
3529
+ function hkdfSync(
3530
+ digest: string,
3531
+ ikm: BinaryLike | KeyObject,
3532
+ salt: BinaryLike,
3533
+ info: BinaryLike,
3534
+ keylen: number,
3535
+ ): ArrayBuffer;
3536
+ interface SecureHeapUsage {
3537
+ /**
3538
+ * The total allocated secure heap size as specified using the `--secure-heap=n` command-line flag.
3539
+ */
3540
+ total: number;
3541
+ /**
3542
+ * The minimum allocation from the secure heap as specified using the `--secure-heap-min` command-line flag.
3543
+ */
3544
+ min: number;
3545
+ /**
3546
+ * The total number of bytes currently allocated from the secure heap.
3547
+ */
3548
+ used: number;
3549
+ /**
3550
+ * The calculated ratio of `used` to `total` allocated bytes.
3551
+ */
3552
+ utilization: number;
3553
+ }
3554
+ /**
3555
+ * @since v15.6.0
3556
+ */
3557
+ function secureHeapUsed(): SecureHeapUsage;
3558
+ interface RandomUUIDOptions {
3559
+ /**
3560
+ * By default, to improve performance,
3561
+ * Node.js will pre-emptively generate and persistently cache enough
3562
+ * random data to generate up to 128 random UUIDs. To generate a UUID
3563
+ * without using the cache, set `disableEntropyCache` to `true`.
3564
+ *
3565
+ * @default `false`
3566
+ */
3567
+ disableEntropyCache?: boolean | undefined;
3568
+ }
3569
+ type UUID = `${string}-${string}-${string}-${string}-${string}`;
3570
+ /**
3571
+ * Generates a random [RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) version 4 UUID. The UUID is generated using a
3572
+ * cryptographic pseudorandom number generator.
3573
+ * @since v15.6.0, v14.17.0
3574
+ */
3575
+ function randomUUID(options?: RandomUUIDOptions): UUID;
3576
+ interface X509CheckOptions {
3577
+ /**
3578
+ * @default 'always'
3579
+ */
3580
+ subject?: "always" | "default" | "never";
3581
+ /**
3582
+ * @default true
3583
+ */
3584
+ wildcards?: boolean;
3585
+ /**
3586
+ * @default true
3587
+ */
3588
+ partialWildcards?: boolean;
3589
+ /**
3590
+ * @default false
3591
+ */
3592
+ multiLabelWildcards?: boolean;
3593
+ /**
3594
+ * @default false
3595
+ */
3596
+ singleLabelSubdomains?: boolean;
3597
+ }
3598
+ /**
3599
+ * Encapsulates an X509 certificate and provides read-only access to
3600
+ * its information.
3601
+ *
3602
+ * ```js
3603
+ * const { X509Certificate } = await import('node:crypto');
3604
+ *
3605
+ * const x509 = new X509Certificate('{... pem encoded cert ...}');
3606
+ *
3607
+ * console.log(x509.subject);
3608
+ * ```
3609
+ * @since v15.6.0
3610
+ */
3611
+ class X509Certificate {
3612
+ /**
3613
+ * Will be \`true\` if this is a Certificate Authority (CA) certificate.
3614
+ * @since v15.6.0
3615
+ */
3616
+ readonly ca: boolean;
3617
+ /**
3618
+ * The SHA-1 fingerprint of this certificate.
3619
+ *
3620
+ * Because SHA-1 is cryptographically broken and because the security of SHA-1 is
3621
+ * significantly worse than that of algorithms that are commonly used to sign
3622
+ * certificates, consider using `x509.fingerprint256` instead.
3623
+ * @since v15.6.0
3624
+ */
3625
+ readonly fingerprint: string;
3626
+ /**
3627
+ * The SHA-256 fingerprint of this certificate.
3628
+ * @since v15.6.0
3629
+ */
3630
+ readonly fingerprint256: string;
3631
+ /**
3632
+ * The SHA-512 fingerprint of this certificate.
3633
+ *
3634
+ * Because computing the SHA-256 fingerprint is usually faster and because it is
3635
+ * only half the size of the SHA-512 fingerprint, `x509.fingerprint256` may be
3636
+ * a better choice. While SHA-512 presumably provides a higher level of security in
3637
+ * general, the security of SHA-256 matches that of most algorithms that are
3638
+ * commonly used to sign certificates.
3639
+ * @since v17.2.0, v16.14.0
3640
+ */
3641
+ readonly fingerprint512: string;
3642
+ /**
3643
+ * The complete subject of this certificate.
3644
+ * @since v15.6.0
3645
+ */
3646
+ readonly subject: string;
3647
+ /**
3648
+ * The subject alternative name specified for this certificate.
3649
+ *
3650
+ * This is a comma-separated list of subject alternative names. Each entry begins
3651
+ * with a string identifying the kind of the subject alternative name followed by
3652
+ * a colon and the value associated with the entry.
3653
+ *
3654
+ * Earlier versions of Node.js incorrectly assumed that it is safe to split this
3655
+ * property at the two-character sequence `', '` (see [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532)). However,
3656
+ * both malicious and legitimate certificates can contain subject alternative names
3657
+ * that include this sequence when represented as a string.
3658
+ *
3659
+ * After the prefix denoting the type of the entry, the remainder of each entry
3660
+ * might be enclosed in quotes to indicate that the value is a JSON string literal.
3661
+ * For backward compatibility, Node.js only uses JSON string literals within this
3662
+ * property when necessary to avoid ambiguity. Third-party code should be prepared
3663
+ * to handle both possible entry formats.
3664
+ * @since v15.6.0
3665
+ */
3666
+ readonly subjectAltName: string | undefined;
3667
+ /**
3668
+ * A textual representation of the certificate's authority information access
3669
+ * extension.
3670
+ *
3671
+ * This is a line feed separated list of access descriptions. Each line begins with
3672
+ * the access method and the kind of the access location, followed by a colon and
3673
+ * the value associated with the access location.
3674
+ *
3675
+ * After the prefix denoting the access method and the kind of the access location,
3676
+ * the remainder of each line might be enclosed in quotes to indicate that the
3677
+ * value is a JSON string literal. For backward compatibility, Node.js only uses
3678
+ * JSON string literals within this property when necessary to avoid ambiguity.
3679
+ * Third-party code should be prepared to handle both possible entry formats.
3680
+ * @since v15.6.0
3681
+ */
3682
+ readonly infoAccess: string | undefined;
3683
+ /**
3684
+ * An array detailing the key usages for this certificate.
3685
+ * @since v15.6.0
3686
+ */
3687
+ readonly keyUsage: string[];
3688
+ /**
3689
+ * The issuer identification included in this certificate.
3690
+ * @since v15.6.0
3691
+ */
3692
+ readonly issuer: string;
3693
+ /**
3694
+ * The issuer certificate or `undefined` if the issuer certificate is not
3695
+ * available.
3696
+ * @since v15.9.0
3697
+ */
3698
+ readonly issuerCertificate?: X509Certificate | undefined;
3699
+ /**
3700
+ * The public key `KeyObject` for this certificate.
3701
+ * @since v15.6.0
3702
+ */
3703
+ readonly publicKey: KeyObject;
3704
+ /**
3705
+ * A `Buffer` containing the DER encoding of this certificate.
3706
+ * @since v15.6.0
3707
+ */
3708
+ readonly raw: Buffer;
3709
+ /**
3710
+ * The serial number of this certificate.
3711
+ *
3712
+ * Serial numbers are assigned by certificate authorities and do not uniquely
3713
+ * identify certificates. Consider using `x509.fingerprint256` as a unique
3714
+ * identifier instead.
3715
+ * @since v15.6.0
3716
+ */
3717
+ readonly serialNumber: string;
3718
+ /**
3719
+ * The date/time from which this certificate is considered valid.
3720
+ * @since v15.6.0
3721
+ */
3722
+ readonly validFrom: string;
3723
+ /**
3724
+ * The date/time until which this certificate is considered valid.
3725
+ * @since v15.6.0
3726
+ */
3727
+ readonly validTo: string;
3728
+ constructor(buffer: BinaryLike);
3729
+ /**
3730
+ * Checks whether the certificate matches the given email address.
3731
+ *
3732
+ * If the `'subject'` option is undefined or set to `'default'`, the certificate
3733
+ * subject is only considered if the subject alternative name extension either does
3734
+ * not exist or does not contain any email addresses.
3735
+ *
3736
+ * If the `'subject'` option is set to `'always'` and if the subject alternative
3737
+ * name extension either does not exist or does not contain a matching email
3738
+ * address, the certificate subject is considered.
3739
+ *
3740
+ * If the `'subject'` option is set to `'never'`, the certificate subject is never
3741
+ * considered, even if the certificate contains no subject alternative names.
3742
+ * @since v15.6.0
3743
+ * @return Returns `email` if the certificate matches, `undefined` if it does not.
3744
+ */
3745
+ checkEmail(email: string, options?: Pick<X509CheckOptions, "subject">): string | undefined;
3746
+ /**
3747
+ * Checks whether the certificate matches the given host name.
3748
+ *
3749
+ * If the certificate matches the given host name, the matching subject name is
3750
+ * returned. The returned name might be an exact match (e.g., `foo.example.com`)
3751
+ * or it might contain wildcards (e.g., `*.example.com`). Because host name
3752
+ * comparisons are case-insensitive, the returned subject name might also differ
3753
+ * from the given `name` in capitalization.
3754
+ *
3755
+ * If the `'subject'` option is undefined or set to `'default'`, the certificate
3756
+ * subject is only considered if the subject alternative name extension either does
3757
+ * not exist or does not contain any DNS names. This behavior is consistent with [RFC 2818](https://www.rfc-editor.org/rfc/rfc2818.txt) ("HTTP Over TLS").
3758
+ *
3759
+ * If the `'subject'` option is set to `'always'` and if the subject alternative
3760
+ * name extension either does not exist or does not contain a matching DNS name,
3761
+ * the certificate subject is considered.
3762
+ *
3763
+ * If the `'subject'` option is set to `'never'`, the certificate subject is never
3764
+ * considered, even if the certificate contains no subject alternative names.
3765
+ * @since v15.6.0
3766
+ * @return Returns a subject name that matches `name`, or `undefined` if no subject name matches `name`.
3767
+ */
3768
+ checkHost(name: string, options?: X509CheckOptions): string | undefined;
3769
+ /**
3770
+ * Checks whether the certificate matches the given IP address (IPv4 or IPv6).
3771
+ *
3772
+ * Only [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) `iPAddress` subject alternative names are considered, and they
3773
+ * must match the given `ip` address exactly. Other subject alternative names as
3774
+ * well as the subject field of the certificate are ignored.
3775
+ * @since v15.6.0
3776
+ * @return Returns `ip` if the certificate matches, `undefined` if it does not.
3777
+ */
3778
+ checkIP(ip: string): string | undefined;
3779
+ /**
3780
+ * Checks whether this certificate was issued by the given `otherCert`.
3781
+ * @since v15.6.0
3782
+ */
3783
+ checkIssued(otherCert: X509Certificate): boolean;
3784
+ /**
3785
+ * Checks whether the public key for this certificate is consistent with
3786
+ * the given private key.
3787
+ * @since v15.6.0
3788
+ * @param privateKey A private key.
3789
+ */
3790
+ checkPrivateKey(privateKey: KeyObject): boolean;
3791
+ /**
3792
+ * There is no standard JSON encoding for X509 certificates. The`toJSON()` method returns a string containing the PEM encoded
3793
+ * certificate.
3794
+ * @since v15.6.0
3795
+ */
3796
+ toJSON(): string;
3797
+ /**
3798
+ * Returns information about this certificate using the legacy `certificate object` encoding.
3799
+ * @since v15.6.0
3800
+ */
3801
+ toLegacyObject(): PeerCertificate;
3802
+ /**
3803
+ * Returns the PEM-encoded certificate.
3804
+ * @since v15.6.0
3805
+ */
3806
+ toString(): string;
3807
+ /**
3808
+ * Verifies that this certificate was signed by the given public key.
3809
+ * Does not perform any other validation checks on the certificate.
3810
+ * @since v15.6.0
3811
+ * @param publicKey A public key.
3812
+ */
3813
+ verify(publicKey: KeyObject): boolean;
3814
+ }
3815
+ type LargeNumberLike = NodeJS.ArrayBufferView | SharedArrayBuffer | ArrayBuffer | bigint;
3816
+ interface GeneratePrimeOptions {
3817
+ add?: LargeNumberLike | undefined;
3818
+ rem?: LargeNumberLike | undefined;
3819
+ /**
3820
+ * @default false
3821
+ */
3822
+ safe?: boolean | undefined;
3823
+ bigint?: boolean | undefined;
3824
+ }
3825
+ interface GeneratePrimeOptionsBigInt extends GeneratePrimeOptions {
3826
+ bigint: true;
3827
+ }
3828
+ interface GeneratePrimeOptionsArrayBuffer extends GeneratePrimeOptions {
3829
+ bigint?: false | undefined;
3830
+ }
3831
+ /**
3832
+ * Generates a pseudorandom prime of `size` bits.
3833
+ *
3834
+ * If `options.safe` is `true`, the prime will be a safe prime -- that is, `(prime - 1) / 2` will also be a prime.
3835
+ *
3836
+ * The `options.add` and `options.rem` parameters can be used to enforce additional
3837
+ * requirements, e.g., for Diffie-Hellman:
3838
+ *
3839
+ * * If `options.add` and `options.rem` are both set, the prime will satisfy the
3840
+ * condition that `prime % add = rem`.
3841
+ * * If only `options.add` is set and `options.safe` is not `true`, the prime will
3842
+ * satisfy the condition that `prime % add = 1`.
3843
+ * * If only `options.add` is set and `options.safe` is set to `true`, the prime
3844
+ * will instead satisfy the condition that `prime % add = 3`. This is necessary
3845
+ * because `prime % add = 1` for `options.add > 2` would contradict the condition
3846
+ * enforced by `options.safe`.
3847
+ * * `options.rem` is ignored if `options.add` is not given.
3848
+ *
3849
+ * Both `options.add` and `options.rem` must be encoded as big-endian sequences
3850
+ * if given as an `ArrayBuffer`, `SharedArrayBuffer`, `TypedArray`, `Buffer`, or `DataView`.
3851
+ *
3852
+ * By default, the prime is encoded as a big-endian sequence of octets
3853
+ * in an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). If the `bigint` option is `true`, then a
3854
+ * [bigint](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt) is provided.
3855
+ * @since v15.8.0
3856
+ * @param size The size (in bits) of the prime to generate.
3857
+ */
3858
+ function generatePrime(size: number, callback: (err: Error | null, prime: ArrayBuffer) => void): void;
3859
+ function generatePrime(
3860
+ size: number,
3861
+ options: GeneratePrimeOptionsBigInt,
3862
+ callback: (err: Error | null, prime: bigint) => void,
3863
+ ): void;
3864
+ function generatePrime(
3865
+ size: number,
3866
+ options: GeneratePrimeOptionsArrayBuffer,
3867
+ callback: (err: Error | null, prime: ArrayBuffer) => void,
3868
+ ): void;
3869
+ function generatePrime(
3870
+ size: number,
3871
+ options: GeneratePrimeOptions,
3872
+ callback: (err: Error | null, prime: ArrayBuffer | bigint) => void,
3873
+ ): void;
3874
+ /**
3875
+ * Generates a pseudorandom prime of `size` bits.
3876
+ *
3877
+ * If `options.safe` is `true`, the prime will be a safe prime -- that is, `(prime - 1) / 2` will also be a prime.
3878
+ *
3879
+ * The `options.add` and `options.rem` parameters can be used to enforce additional
3880
+ * requirements, e.g., for Diffie-Hellman:
3881
+ *
3882
+ * * If `options.add` and `options.rem` are both set, the prime will satisfy the
3883
+ * condition that `prime % add = rem`.
3884
+ * * If only `options.add` is set and `options.safe` is not `true`, the prime will
3885
+ * satisfy the condition that `prime % add = 1`.
3886
+ * * If only `options.add` is set and `options.safe` is set to `true`, the prime
3887
+ * will instead satisfy the condition that `prime % add = 3`. This is necessary
3888
+ * because `prime % add = 1` for `options.add > 2` would contradict the condition
3889
+ * enforced by `options.safe`.
3890
+ * * `options.rem` is ignored if `options.add` is not given.
3891
+ *
3892
+ * Both `options.add` and `options.rem` must be encoded as big-endian sequences
3893
+ * if given as an `ArrayBuffer`, `SharedArrayBuffer`, `TypedArray`, `Buffer`, or `DataView`.
3894
+ *
3895
+ * By default, the prime is encoded as a big-endian sequence of octets
3896
+ * in an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). If the `bigint` option is `true`, then a
3897
+ * [bigint](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt) is provided.
3898
+ * @since v15.8.0
3899
+ * @param size The size (in bits) of the prime to generate.
3900
+ */
3901
+ function generatePrimeSync(size: number): ArrayBuffer;
3902
+ function generatePrimeSync(size: number, options: GeneratePrimeOptionsBigInt): bigint;
3903
+ function generatePrimeSync(size: number, options: GeneratePrimeOptionsArrayBuffer): ArrayBuffer;
3904
+ function generatePrimeSync(size: number, options: GeneratePrimeOptions): ArrayBuffer | bigint;
3905
+ interface CheckPrimeOptions {
3906
+ /**
3907
+ * The number of Miller-Rabin probabilistic primality iterations to perform.
3908
+ * When the value is 0 (zero), a number of checks is used that yields a false positive rate of at most `2**-64` for random input.
3909
+ * Care must be used when selecting a number of checks.
3910
+ * Refer to the OpenSSL documentation for the BN_is_prime_ex function nchecks options for more details.
3911
+ *
3912
+ * @default 0
3913
+ */
3914
+ checks?: number | undefined;
3915
+ }
3916
+ /**
3917
+ * Checks the primality of the `candidate`.
3918
+ * @since v15.8.0
3919
+ * @param candidate A possible prime encoded as a sequence of big endian octets of arbitrary length.
3920
+ */
3921
+ function checkPrime(value: LargeNumberLike, callback: (err: Error | null, result: boolean) => void): void;
3922
+ function checkPrime(
3923
+ value: LargeNumberLike,
3924
+ options: CheckPrimeOptions,
3925
+ callback: (err: Error | null, result: boolean) => void,
3926
+ ): void;
3927
+ /**
3928
+ * Checks the primality of the `candidate`.
3929
+ * @since v15.8.0
3930
+ * @param candidate A possible prime encoded as a sequence of big endian octets of arbitrary length.
3931
+ * @return `true` if the candidate is a prime with an error probability less than `0.25 ** options.checks`.
3932
+ */
3933
+ function checkPrimeSync(candidate: LargeNumberLike, options?: CheckPrimeOptions): boolean;
3934
+ /**
3935
+ * Load and set the `engine` for some or all OpenSSL functions (selected by flags).
3936
+ *
3937
+ * `engine` could be either an id or a path to the engine's shared library.
3938
+ *
3939
+ * The optional `flags` argument uses `ENGINE_METHOD_ALL` by default. The `flags` is a bit field taking one of or a mix of the following flags (defined in `crypto.constants`):
3940
+ *
3941
+ * * `crypto.constants.ENGINE_METHOD_RSA`
3942
+ * * `crypto.constants.ENGINE_METHOD_DSA`
3943
+ * * `crypto.constants.ENGINE_METHOD_DH`
3944
+ * * `crypto.constants.ENGINE_METHOD_RAND`
3945
+ * * `crypto.constants.ENGINE_METHOD_EC`
3946
+ * * `crypto.constants.ENGINE_METHOD_CIPHERS`
3947
+ * * `crypto.constants.ENGINE_METHOD_DIGESTS`
3948
+ * * `crypto.constants.ENGINE_METHOD_PKEY_METHS`
3949
+ * * `crypto.constants.ENGINE_METHOD_PKEY_ASN1_METHS`
3950
+ * * `crypto.constants.ENGINE_METHOD_ALL`
3951
+ * * `crypto.constants.ENGINE_METHOD_NONE`
3952
+ * @since v0.11.11
3953
+ * @param flags
3954
+ */
3955
+ function setEngine(engine: string, flags?: number): void;
3956
+ /**
3957
+ * A convenient alias for {@link webcrypto.getRandomValues}. This
3958
+ * implementation is not compliant with the Web Crypto spec, to write
3959
+ * web-compatible code use {@link webcrypto.getRandomValues} instead.
3960
+ * @since v17.4.0
3961
+ * @return Returns `typedArray`.
3962
+ */
3963
+ function getRandomValues<T extends webcrypto.BufferSource>(typedArray: T): T;
3964
+ /**
3965
+ * A convenient alias for `crypto.webcrypto.subtle`.
3966
+ * @since v17.4.0
3967
+ */
3968
+ const subtle: webcrypto.SubtleCrypto;
3969
+ /**
3970
+ * An implementation of the Web Crypto API standard.
3971
+ *
3972
+ * See the {@link https://nodejs.org/docs/latest/api/webcrypto.html Web Crypto API documentation} for details.
3973
+ * @since v15.0.0
3974
+ */
3975
+ const webcrypto: webcrypto.Crypto;
3976
+ namespace webcrypto {
3977
+ type BufferSource = ArrayBufferView | ArrayBuffer;
3978
+ type KeyFormat = "jwk" | "pkcs8" | "raw" | "spki";
3979
+ type KeyType = "private" | "public" | "secret";
3980
+ type KeyUsage =
3981
+ | "decrypt"
3982
+ | "deriveBits"
3983
+ | "deriveKey"
3984
+ | "encrypt"
3985
+ | "sign"
3986
+ | "unwrapKey"
3987
+ | "verify"
3988
+ | "wrapKey";
3989
+ type AlgorithmIdentifier = Algorithm | string;
3990
+ type HashAlgorithmIdentifier = AlgorithmIdentifier;
3991
+ type NamedCurve = string;
3992
+ type BigInteger = Uint8Array;
3993
+ interface AesCbcParams extends Algorithm {
3994
+ iv: BufferSource;
3995
+ }
3996
+ interface AesCtrParams extends Algorithm {
3997
+ counter: BufferSource;
3998
+ length: number;
3999
+ }
4000
+ interface AesDerivedKeyParams extends Algorithm {
4001
+ length: number;
4002
+ }
4003
+ interface AesGcmParams extends Algorithm {
4004
+ additionalData?: BufferSource;
4005
+ iv: BufferSource;
4006
+ tagLength?: number;
4007
+ }
4008
+ interface AesKeyAlgorithm extends KeyAlgorithm {
4009
+ length: number;
4010
+ }
4011
+ interface AesKeyGenParams extends Algorithm {
4012
+ length: number;
4013
+ }
4014
+ interface Algorithm {
4015
+ name: string;
4016
+ }
4017
+ interface EcKeyAlgorithm extends KeyAlgorithm {
4018
+ namedCurve: NamedCurve;
4019
+ }
4020
+ interface EcKeyGenParams extends Algorithm {
4021
+ namedCurve: NamedCurve;
4022
+ }
4023
+ interface EcKeyImportParams extends Algorithm {
4024
+ namedCurve: NamedCurve;
4025
+ }
4026
+ interface EcdhKeyDeriveParams extends Algorithm {
4027
+ public: CryptoKey;
4028
+ }
4029
+ interface EcdsaParams extends Algorithm {
4030
+ hash: HashAlgorithmIdentifier;
4031
+ }
4032
+ interface Ed448Params extends Algorithm {
4033
+ context?: BufferSource;
4034
+ }
4035
+ interface HkdfParams extends Algorithm {
4036
+ hash: HashAlgorithmIdentifier;
4037
+ info: BufferSource;
4038
+ salt: BufferSource;
4039
+ }
4040
+ interface HmacImportParams extends Algorithm {
4041
+ hash: HashAlgorithmIdentifier;
4042
+ length?: number;
4043
+ }
4044
+ interface HmacKeyAlgorithm extends KeyAlgorithm {
4045
+ hash: KeyAlgorithm;
4046
+ length: number;
4047
+ }
4048
+ interface HmacKeyGenParams extends Algorithm {
4049
+ hash: HashAlgorithmIdentifier;
4050
+ length?: number;
4051
+ }
4052
+ interface JsonWebKey {
4053
+ alg?: string;
4054
+ crv?: string;
4055
+ d?: string;
4056
+ dp?: string;
4057
+ dq?: string;
4058
+ e?: string;
4059
+ ext?: boolean;
4060
+ k?: string;
4061
+ key_ops?: string[];
4062
+ kty?: string;
4063
+ n?: string;
4064
+ oth?: RsaOtherPrimesInfo[];
4065
+ p?: string;
4066
+ q?: string;
4067
+ qi?: string;
4068
+ use?: string;
4069
+ x?: string;
4070
+ y?: string;
4071
+ }
4072
+ interface KeyAlgorithm {
4073
+ name: string;
4074
+ }
4075
+ interface Pbkdf2Params extends Algorithm {
4076
+ hash: HashAlgorithmIdentifier;
4077
+ iterations: number;
4078
+ salt: BufferSource;
4079
+ }
4080
+ interface RsaHashedImportParams extends Algorithm {
4081
+ hash: HashAlgorithmIdentifier;
4082
+ }
4083
+ interface RsaHashedKeyAlgorithm extends RsaKeyAlgorithm {
4084
+ hash: KeyAlgorithm;
4085
+ }
4086
+ interface RsaHashedKeyGenParams extends RsaKeyGenParams {
4087
+ hash: HashAlgorithmIdentifier;
4088
+ }
4089
+ interface RsaKeyAlgorithm extends KeyAlgorithm {
4090
+ modulusLength: number;
4091
+ publicExponent: BigInteger;
4092
+ }
4093
+ interface RsaKeyGenParams extends Algorithm {
4094
+ modulusLength: number;
4095
+ publicExponent: BigInteger;
4096
+ }
4097
+ interface RsaOaepParams extends Algorithm {
4098
+ label?: BufferSource;
4099
+ }
4100
+ interface RsaOtherPrimesInfo {
4101
+ d?: string;
4102
+ r?: string;
4103
+ t?: string;
4104
+ }
4105
+ interface RsaPssParams extends Algorithm {
4106
+ saltLength: number;
4107
+ }
4108
+ /**
4109
+ * Calling `require('node:crypto').webcrypto` returns an instance of the `Crypto` class.
4110
+ * `Crypto` is a singleton that provides access to the remainder of the crypto API.
4111
+ * @since v15.0.0
4112
+ */
4113
+ interface Crypto {
4114
+ /**
4115
+ * Provides access to the `SubtleCrypto` API.
4116
+ * @since v15.0.0
4117
+ */
4118
+ readonly subtle: SubtleCrypto;
4119
+ /**
4120
+ * Generates cryptographically strong random values.
4121
+ * The given `typedArray` is filled with random values, and a reference to `typedArray` is returned.
4122
+ *
4123
+ * The given `typedArray` must be an integer-based instance of {@link NodeJS.TypedArray}, i.e. `Float32Array` and `Float64Array` are not accepted.
4124
+ *
4125
+ * An error will be thrown if the given `typedArray` is larger than 65,536 bytes.
4126
+ * @since v15.0.0
4127
+ */
4128
+ getRandomValues<T extends Exclude<NodeJS.TypedArray, Float32Array | Float64Array>>(typedArray: T): T;
4129
+ /**
4130
+ * Generates a random {@link https://www.rfc-editor.org/rfc/rfc4122.txt RFC 4122} version 4 UUID.
4131
+ * The UUID is generated using a cryptographic pseudorandom number generator.
4132
+ * @since v16.7.0
4133
+ */
4134
+ randomUUID(): UUID;
4135
+ CryptoKey: CryptoKeyConstructor;
4136
+ }
4137
+ // This constructor throws ILLEGAL_CONSTRUCTOR so it should not be newable.
4138
+ interface CryptoKeyConstructor {
4139
+ /** Illegal constructor */
4140
+ (_: { readonly _: unique symbol }): never; // Allows instanceof to work but not be callable by the user.
4141
+ readonly length: 0;
4142
+ readonly name: "CryptoKey";
4143
+ readonly prototype: CryptoKey;
4144
+ }
4145
+ /**
4146
+ * @since v15.0.0
4147
+ */
4148
+ interface CryptoKey {
4149
+ /**
4150
+ * An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.
4151
+ * @since v15.0.0
4152
+ */
4153
+ readonly algorithm: KeyAlgorithm;
4154
+ /**
4155
+ * When `true`, the {@link CryptoKey} can be extracted using either `subtleCrypto.exportKey()` or `subtleCrypto.wrapKey()`.
4156
+ * @since v15.0.0
4157
+ */
4158
+ readonly extractable: boolean;
4159
+ /**
4160
+ * A string identifying whether the key is a symmetric (`'secret'`) or asymmetric (`'private'` or `'public'`) key.
4161
+ * @since v15.0.0
4162
+ */
4163
+ readonly type: KeyType;
4164
+ /**
4165
+ * An array of strings identifying the operations for which the key may be used.
4166
+ *
4167
+ * The possible usages are:
4168
+ * - `'encrypt'` - The key may be used to encrypt data.
4169
+ * - `'decrypt'` - The key may be used to decrypt data.
4170
+ * - `'sign'` - The key may be used to generate digital signatures.
4171
+ * - `'verify'` - The key may be used to verify digital signatures.
4172
+ * - `'deriveKey'` - The key may be used to derive a new key.
4173
+ * - `'deriveBits'` - The key may be used to derive bits.
4174
+ * - `'wrapKey'` - The key may be used to wrap another key.
4175
+ * - `'unwrapKey'` - The key may be used to unwrap another key.
4176
+ *
4177
+ * Valid key usages depend on the key algorithm (identified by `cryptokey.algorithm.name`).
4178
+ * @since v15.0.0
4179
+ */
4180
+ readonly usages: KeyUsage[];
4181
+ }
4182
+ /**
4183
+ * The `CryptoKeyPair` is a simple dictionary object with `publicKey` and `privateKey` properties, representing an asymmetric key pair.
4184
+ * @since v15.0.0
4185
+ */
4186
+ interface CryptoKeyPair {
4187
+ /**
4188
+ * A {@link CryptoKey} whose type will be `'private'`.
4189
+ * @since v15.0.0
4190
+ */
4191
+ privateKey: CryptoKey;
4192
+ /**
4193
+ * A {@link CryptoKey} whose type will be `'public'`.
4194
+ * @since v15.0.0
4195
+ */
4196
+ publicKey: CryptoKey;
4197
+ }
4198
+ /**
4199
+ * @since v15.0.0
4200
+ */
4201
+ interface SubtleCrypto {
4202
+ /**
4203
+ * Using the method and parameters specified in `algorithm` and the keying material provided by `key`,
4204
+ * `subtle.decrypt()` attempts to decipher the provided `data`. If successful,
4205
+ * the returned promise will be resolved with an `<ArrayBuffer>` containing the plaintext result.
4206
+ *
4207
+ * The algorithms currently supported include:
4208
+ *
4209
+ * - `'RSA-OAEP'`
4210
+ * - `'AES-CTR'`
4211
+ * - `'AES-CBC'`
4212
+ * - `'AES-GCM'`
4213
+ * @since v15.0.0
4214
+ */
4215
+ decrypt(
4216
+ algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4217
+ key: CryptoKey,
4218
+ data: BufferSource,
4219
+ ): Promise<ArrayBuffer>;
4220
+ /**
4221
+ * Using the method and parameters specified in `algorithm` and the keying material provided by `baseKey`,
4222
+ * `subtle.deriveBits()` attempts to generate `length` bits.
4223
+ * The Node.js implementation requires that when `length` is a number it must be multiple of `8`.
4224
+ * When `length` is `null` the maximum number of bits for a given algorithm is generated. This is allowed
4225
+ * for the `'ECDH'`, `'X25519'`, and `'X448'` algorithms.
4226
+ * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the generated data.
4227
+ *
4228
+ * The algorithms currently supported include:
4229
+ *
4230
+ * - `'ECDH'`
4231
+ * - `'X25519'`
4232
+ * - `'X448'`
4233
+ * - `'HKDF'`
4234
+ * - `'PBKDF2'`
4235
+ * @since v15.0.0
4236
+ */
4237
+ deriveBits(algorithm: EcdhKeyDeriveParams, baseKey: CryptoKey, length: number | null): Promise<ArrayBuffer>;
4238
+ deriveBits(
4239
+ algorithm: AlgorithmIdentifier | HkdfParams | Pbkdf2Params,
4240
+ baseKey: CryptoKey,
4241
+ length: number,
4242
+ ): Promise<ArrayBuffer>;
4243
+ /**
4244
+ * Using the method and parameters specified in `algorithm`, and the keying material provided by `baseKey`,
4245
+ * `subtle.deriveKey()` attempts to generate a new <CryptoKey>` based on the method and parameters in `derivedKeyAlgorithm`.
4246
+ *
4247
+ * Calling `subtle.deriveKey()` is equivalent to calling `subtle.deriveBits()` to generate raw keying material,
4248
+ * then passing the result into the `subtle.importKey()` method using the `deriveKeyAlgorithm`, `extractable`, and `keyUsages` parameters as input.
4249
+ *
4250
+ * The algorithms currently supported include:
4251
+ *
4252
+ * - `'ECDH'`
4253
+ * - `'X25519'`
4254
+ * - `'X448'`
4255
+ * - `'HKDF'`
4256
+ * - `'PBKDF2'`
4257
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4258
+ * @since v15.0.0
4259
+ */
4260
+ deriveKey(
4261
+ algorithm: AlgorithmIdentifier | EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params,
4262
+ baseKey: CryptoKey,
4263
+ derivedKeyAlgorithm:
4264
+ | AlgorithmIdentifier
4265
+ | AesDerivedKeyParams
4266
+ | HmacImportParams
4267
+ | HkdfParams
4268
+ | Pbkdf2Params,
4269
+ extractable: boolean,
4270
+ keyUsages: readonly KeyUsage[],
4271
+ ): Promise<CryptoKey>;
4272
+ /**
4273
+ * Using the method identified by `algorithm`, `subtle.digest()` attempts to generate a digest of `data`.
4274
+ * If successful, the returned promise is resolved with an `<ArrayBuffer>` containing the computed digest.
4275
+ *
4276
+ * If `algorithm` is provided as a `<string>`, it must be one of:
4277
+ *
4278
+ * - `'SHA-1'`
4279
+ * - `'SHA-256'`
4280
+ * - `'SHA-384'`
4281
+ * - `'SHA-512'`
4282
+ *
4283
+ * If `algorithm` is provided as an `<Object>`, it must have a `name` property whose value is one of the above.
4284
+ * @since v15.0.0
4285
+ */
4286
+ digest(algorithm: AlgorithmIdentifier, data: BufferSource): Promise<ArrayBuffer>;
4287
+ /**
4288
+ * Using the method and parameters specified by `algorithm` and the keying material provided by `key`,
4289
+ * `subtle.encrypt()` attempts to encipher `data`. If successful,
4290
+ * the returned promise is resolved with an `<ArrayBuffer>` containing the encrypted result.
4291
+ *
4292
+ * The algorithms currently supported include:
4293
+ *
4294
+ * - `'RSA-OAEP'`
4295
+ * - `'AES-CTR'`
4296
+ * - `'AES-CBC'`
4297
+ * - `'AES-GCM'`
4298
+ * @since v15.0.0
4299
+ */
4300
+ encrypt(
4301
+ algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4302
+ key: CryptoKey,
4303
+ data: BufferSource,
4304
+ ): Promise<ArrayBuffer>;
4305
+ /**
4306
+ * Exports the given key into the specified format, if supported.
4307
+ *
4308
+ * If the `<CryptoKey>` is not extractable, the returned promise will reject.
4309
+ *
4310
+ * When `format` is either `'pkcs8'` or `'spki'` and the export is successful,
4311
+ * the returned promise will be resolved with an `<ArrayBuffer>` containing the exported key data.
4312
+ *
4313
+ * When `format` is `'jwk'` and the export is successful, the returned promise will be resolved with a
4314
+ * JavaScript object conforming to the {@link https://tools.ietf.org/html/rfc7517 JSON Web Key} specification.
4315
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4316
+ * @returns `<Promise>` containing `<ArrayBuffer>`.
4317
+ * @since v15.0.0
4318
+ */
4319
+ exportKey(format: "jwk", key: CryptoKey): Promise<JsonWebKey>;
4320
+ exportKey(format: Exclude<KeyFormat, "jwk">, key: CryptoKey): Promise<ArrayBuffer>;
4321
+ /**
4322
+ * Using the method and parameters provided in `algorithm`,
4323
+ * `subtle.generateKey()` attempts to generate new keying material.
4324
+ * Depending the method used, the method may generate either a single `<CryptoKey>` or a `<CryptoKeyPair>`.
4325
+ *
4326
+ * The `<CryptoKeyPair>` (public and private key) generating algorithms supported include:
4327
+ *
4328
+ * - `'RSASSA-PKCS1-v1_5'`
4329
+ * - `'RSA-PSS'`
4330
+ * - `'RSA-OAEP'`
4331
+ * - `'ECDSA'`
4332
+ * - `'Ed25519'`
4333
+ * - `'Ed448'`
4334
+ * - `'ECDH'`
4335
+ * - `'X25519'`
4336
+ * - `'X448'`
4337
+ * The `<CryptoKey>` (secret key) generating algorithms supported include:
4338
+ *
4339
+ * - `'HMAC'`
4340
+ * - `'AES-CTR'`
4341
+ * - `'AES-CBC'`
4342
+ * - `'AES-GCM'`
4343
+ * - `'AES-KW'`
4344
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4345
+ * @since v15.0.0
4346
+ */
4347
+ generateKey(
4348
+ algorithm: RsaHashedKeyGenParams | EcKeyGenParams,
4349
+ extractable: boolean,
4350
+ keyUsages: readonly KeyUsage[],
4351
+ ): Promise<CryptoKeyPair>;
4352
+ generateKey(
4353
+ algorithm: AesKeyGenParams | HmacKeyGenParams | Pbkdf2Params,
4354
+ extractable: boolean,
4355
+ keyUsages: readonly KeyUsage[],
4356
+ ): Promise<CryptoKey>;
4357
+ generateKey(
4358
+ algorithm: AlgorithmIdentifier,
4359
+ extractable: boolean,
4360
+ keyUsages: KeyUsage[],
4361
+ ): Promise<CryptoKeyPair | CryptoKey>;
4362
+ /**
4363
+ * The `subtle.importKey()` method attempts to interpret the provided `keyData` as the given `format`
4364
+ * to create a `<CryptoKey>` instance using the provided `algorithm`, `extractable`, and `keyUsages` arguments.
4365
+ * If the import is successful, the returned promise will be resolved with the created `<CryptoKey>`.
4366
+ *
4367
+ * If importing a `'PBKDF2'` key, `extractable` must be `false`.
4368
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4369
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4370
+ * @since v15.0.0
4371
+ */
4372
+ importKey(
4373
+ format: "jwk",
4374
+ keyData: JsonWebKey,
4375
+ algorithm:
4376
+ | AlgorithmIdentifier
4377
+ | RsaHashedImportParams
4378
+ | EcKeyImportParams
4379
+ | HmacImportParams
4380
+ | AesKeyAlgorithm,
4381
+ extractable: boolean,
4382
+ keyUsages: readonly KeyUsage[],
4383
+ ): Promise<CryptoKey>;
4384
+ importKey(
4385
+ format: Exclude<KeyFormat, "jwk">,
4386
+ keyData: BufferSource,
4387
+ algorithm:
4388
+ | AlgorithmIdentifier
4389
+ | RsaHashedImportParams
4390
+ | EcKeyImportParams
4391
+ | HmacImportParams
4392
+ | AesKeyAlgorithm,
4393
+ extractable: boolean,
4394
+ keyUsages: KeyUsage[],
4395
+ ): Promise<CryptoKey>;
4396
+ /**
4397
+ * Using the method and parameters given by `algorithm` and the keying material provided by `key`,
4398
+ * `subtle.sign()` attempts to generate a cryptographic signature of `data`. If successful,
4399
+ * the returned promise is resolved with an `<ArrayBuffer>` containing the generated signature.
4400
+ *
4401
+ * The algorithms currently supported include:
4402
+ *
4403
+ * - `'RSASSA-PKCS1-v1_5'`
4404
+ * - `'RSA-PSS'`
4405
+ * - `'ECDSA'`
4406
+ * - `'Ed25519'`
4407
+ * - `'Ed448'`
4408
+ * - `'HMAC'`
4409
+ * @since v15.0.0
4410
+ */
4411
+ sign(
4412
+ algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
4413
+ key: CryptoKey,
4414
+ data: BufferSource,
4415
+ ): Promise<ArrayBuffer>;
4416
+ /**
4417
+ * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
4418
+ * The `subtle.unwrapKey()` method attempts to decrypt a wrapped key and create a `<CryptoKey>` instance.
4419
+ * It is equivalent to calling `subtle.decrypt()` first on the encrypted key data (using the `wrappedKey`, `unwrapAlgo`, and `unwrappingKey` arguments as input)
4420
+ * then passing the results in to the `subtle.importKey()` method using the `unwrappedKeyAlgo`, `extractable`, and `keyUsages` arguments as inputs.
4421
+ * If successful, the returned promise is resolved with a `<CryptoKey>` object.
4422
+ *
4423
+ * The wrapping algorithms currently supported include:
4424
+ *
4425
+ * - `'RSA-OAEP'`
4426
+ * - `'AES-CTR'`
4427
+ * - `'AES-CBC'`
4428
+ * - `'AES-GCM'`
4429
+ * - `'AES-KW'`
4430
+ *
4431
+ * The unwrapped key algorithms supported include:
4432
+ *
4433
+ * - `'RSASSA-PKCS1-v1_5'`
4434
+ * - `'RSA-PSS'`
4435
+ * - `'RSA-OAEP'`
4436
+ * - `'ECDSA'`
4437
+ * - `'Ed25519'`
4438
+ * - `'Ed448'`
4439
+ * - `'ECDH'`
4440
+ * - `'X25519'`
4441
+ * - `'X448'`
4442
+ * - `'HMAC'`
4443
+ * - `'AES-CTR'`
4444
+ * - `'AES-CBC'`
4445
+ * - `'AES-GCM'`
4446
+ * - `'AES-KW'`
4447
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4448
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4449
+ * @since v15.0.0
4450
+ */
4451
+ unwrapKey(
4452
+ format: KeyFormat,
4453
+ wrappedKey: BufferSource,
4454
+ unwrappingKey: CryptoKey,
4455
+ unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4456
+ unwrappedKeyAlgorithm:
4457
+ | AlgorithmIdentifier
4458
+ | RsaHashedImportParams
4459
+ | EcKeyImportParams
4460
+ | HmacImportParams
4461
+ | AesKeyAlgorithm,
4462
+ extractable: boolean,
4463
+ keyUsages: KeyUsage[],
4464
+ ): Promise<CryptoKey>;
4465
+ /**
4466
+ * Using the method and parameters given in `algorithm` and the keying material provided by `key`,
4467
+ * `subtle.verify()` attempts to verify that `signature` is a valid cryptographic signature of `data`.
4468
+ * The returned promise is resolved with either `true` or `false`.
4469
+ *
4470
+ * The algorithms currently supported include:
4471
+ *
4472
+ * - `'RSASSA-PKCS1-v1_5'`
4473
+ * - `'RSA-PSS'`
4474
+ * - `'ECDSA'`
4475
+ * - `'Ed25519'`
4476
+ * - `'Ed448'`
4477
+ * - `'HMAC'`
4478
+ * @since v15.0.0
4479
+ */
4480
+ verify(
4481
+ algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
4482
+ key: CryptoKey,
4483
+ signature: BufferSource,
4484
+ data: BufferSource,
4485
+ ): Promise<boolean>;
4486
+ /**
4487
+ * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
4488
+ * The `subtle.wrapKey()` method exports the keying material into the format identified by `format`,
4489
+ * then encrypts it using the method and parameters specified by `wrapAlgo` and the keying material provided by `wrappingKey`.
4490
+ * It is the equivalent to calling `subtle.exportKey()` using `format` and `key` as the arguments,
4491
+ * then passing the result to the `subtle.encrypt()` method using `wrappingKey` and `wrapAlgo` as inputs.
4492
+ * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the encrypted key data.
4493
+ *
4494
+ * The wrapping algorithms currently supported include:
4495
+ *
4496
+ * - `'RSA-OAEP'`
4497
+ * - `'AES-CTR'`
4498
+ * - `'AES-CBC'`
4499
+ * - `'AES-GCM'`
4500
+ * - `'AES-KW'`
4501
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4502
+ * @since v15.0.0
4503
+ */
4504
+ wrapKey(
4505
+ format: KeyFormat,
4506
+ key: CryptoKey,
4507
+ wrappingKey: CryptoKey,
4508
+ wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4509
+ ): Promise<ArrayBuffer>;
4510
+ }
4511
+ }
4512
+
4513
+ global {
4514
+ var crypto: typeof globalThis extends {
4515
+ crypto: infer T;
4516
+ onmessage: any;
4517
+ } ? T
4518
+ : webcrypto.Crypto;
4519
+ }
4520
+ }
4521
+ declare module "node:crypto" {
4522
+ export * from "crypto";
4523
+ }