cdk-ecr-deployment 2.5.6 → 2.5.21

package/node_modules/@types/keyv/node_modules/@types/node/crypto.d.ts

@@ -1,9 +1,10 @@
 /**
- * The `crypto` module provides cryptographic functionality that includes a set of
- * wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify functions.
+ * The `node:crypto` module provides cryptographic functionality that includes a
+ * set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify
+ * functions.
  *
  * ```js
- * const { createHmac } = await import('crypto');
+ * const { createHmac } = await import('node:crypto');
  *
  * const secret = 'abcdefg';
  * const hash = createHmac('sha256', secret)
@@ -13,47 +14,73 @@
  * // Prints:
  * //   c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
  * ```
- * @see [source](https://github.com/nodejs/node/blob/v17.0.0/lib/crypto.js)
+ * @see [source](https://github.com/nodejs/node/blob/v20.2.0/lib/crypto.js)
  */
 declare module 'crypto' {
     import * as stream from 'node:stream';
     import { PeerCertificate } from 'node:tls';
-    interface Certificate {
+    /**
+     * SPKAC is a Certificate Signing Request mechanism originally implemented by
+     * Netscape and was specified formally as part of HTML5's `keygen` element.
+     *
+     * `<keygen>` is deprecated since [HTML 5.2](https://www.w3.org/TR/html52/changes.html#features-removed) and new projects
+     * should not use this element anymore.
+     *
+     * The `node:crypto` module provides the `Certificate` class for working with SPKAC
+     * data. The most common usage is handling output generated by the HTML5`<keygen>` element. Node.js uses [OpenSSL's SPKAC
+     * implementation](https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html) internally.
+     * @since v0.11.8
+     */
+    class Certificate {
         /**
-         * @deprecated
-         * @param spkac
-         * @returns The challenge component of the `spkac` data structure,
-         * which includes a public key and a challenge.
+         * ```js
+         * const { Certificate } = await import('node:crypto');
+         * const spkac = getSpkacSomehow();
+         * const challenge = Certificate.exportChallenge(spkac);
+         * console.log(challenge.toString('utf8'));
+         * // Prints: the challenge as a UTF8 string
+         * ```
+         * @since v9.0.0
+         * @param encoding The `encoding` of the `spkac` string.
+         * @return The challenge component of the `spkac` data structure, which includes a public key and a challenge.
          */
-        exportChallenge(spkac: BinaryLike): Buffer;
+        static exportChallenge(spkac: BinaryLike): Buffer;
         /**
-         * @deprecated
-         * @param spkac
-         * @param encoding The encoding of the spkac string.
-         * @returns The public key component of the `spkac` data structure,
-         * which includes a public key and a challenge.
+         * ```js
+         * const { Certificate } = await import('node:crypto');
+         * const spkac = getSpkacSomehow();
+         * const publicKey = Certificate.exportPublicKey(spkac);
+         * console.log(publicKey);
+         * // Prints: the public key as <Buffer ...>
+         * ```
+         * @since v9.0.0
+         * @param encoding The `encoding` of the `spkac` string.
+         * @return The public key component of the `spkac` data structure, which includes a public key and a challenge.
          */
-        exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
+        static exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
         /**
-         * @deprecated
-         * @param spkac
-         * @returns `true` if the given `spkac` data structure is valid,
-         * `false` otherwise.
+         * ```js
+         * import { Buffer } from 'node:buffer';
+         * const { Certificate } = await import('node:crypto');
+         *
+         * const spkac = getSpkacSomehow();
+         * console.log(Certificate.verifySpkac(Buffer.from(spkac)));
+         * // Prints: true or false
+         * ```
+         * @since v9.0.0
+         * @param encoding The `encoding` of the `spkac` string.
+         * @return `true` if the given `spkac` data structure is valid, `false` otherwise.
          */
-        verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
-    }
-    const Certificate: Certificate & {
-        /** @deprecated since v14.9.0 - Use static methods of `crypto.Certificate` instead. */
-        new (): Certificate;
-        /** @deprecated since v14.9.0 - Use static methods of `crypto.Certificate` instead. */
-        (): Certificate;
+        static verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
         /**
+         * @deprecated
          * @param spkac
          * @returns The challenge component of the `spkac` data structure,
          * which includes a public key and a challenge.
          */
         exportChallenge(spkac: BinaryLike): Buffer;
         /**
+         * @deprecated
          * @param spkac
          * @param encoding The encoding of the spkac string.
          * @returns The public key component of the `spkac` data structure,
@@ -61,14 +88,15 @@ declare module 'crypto' {
          */
         exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
         /**
+         * @deprecated
          * @param spkac
          * @returns `true` if the given `spkac` data structure is valid,
          * `false` otherwise.
          */
         verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
-    };
+    }
     namespace constants {
-        // https://nodejs.org/dist/latest-v10.x/docs/api/crypto.html#crypto_crypto_constants
+        // https://nodejs.org/dist/latest-v20.x/docs/api/crypto.html#crypto-constants
         const OPENSSL_VERSION_NUMBER: number;
         /** Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. */
         const SSL_OP_ALL: number;
@@ -84,18 +112,8 @@ declare module 'crypto' {
         const SSL_OP_CRYPTOPRO_TLSEXT_BUG: number;
         /** Instructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability workaround added in OpenSSL 0.9.6d. */
         const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: number;
-        /** Instructs OpenSSL to always use the tmp_rsa key when performing RSA operations. */
-        const SSL_OP_EPHEMERAL_RSA: number;
         /** Allows initial connection to servers that do not support RI. */
         const SSL_OP_LEGACY_SERVER_CONNECT: number;
-        const SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER: number;
-        const SSL_OP_MICROSOFT_SESS_ID_BUG: number;
-        /** Instructs OpenSSL to disable the workaround for a man-in-the-middle protocol-version vulnerability in the SSL 2.0 server implementation. */
-        const SSL_OP_MSIE_SSLV2_RSA_PADDING: number;
-        const SSL_OP_NETSCAPE_CA_DN_BUG: number;
-        const SSL_OP_NETSCAPE_CHALLENGE_BUG: number;
-        const SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG: number;
-        const SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG: number;
         /** Instructs OpenSSL to disable support for SSL/TLS compression. */
         const SSL_OP_NO_COMPRESSION: number;
         const SSL_OP_NO_QUERY_MTU: number;
@@ -107,16 +125,6 @@ declare module 'crypto' {
         const SSL_OP_NO_TLSv1: number;
         const SSL_OP_NO_TLSv1_1: number;
         const SSL_OP_NO_TLSv1_2: number;
-        const SSL_OP_PKCS1_CHECK_1: number;
-        const SSL_OP_PKCS1_CHECK_2: number;
-        /** Instructs OpenSSL to always create a new key when using temporary/ephemeral DH parameters. */
-        const SSL_OP_SINGLE_DH_USE: number;
-        /** Instructs OpenSSL to always create a new key when using temporary/ephemeral ECDH parameters. */
-        const SSL_OP_SINGLE_ECDH_USE: number;
-        const SSL_OP_SSLEAY_080_CLIENT_DH_BUG: number;
-        const SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG: number;
-        const SSL_OP_TLS_BLOCK_PADDING_BUG: number;
-        const SSL_OP_TLS_D5_BUG: number;
         /** Instructs OpenSSL to disable version rollback attack detection. */
         const SSL_OP_TLS_ROLLBACK_BUG: number;
         const ENGINE_METHOD_RSA: number;
@@ -134,7 +142,6 @@ declare module 'crypto' {
         const DH_CHECK_P_NOT_PRIME: number;
         const DH_UNABLE_TO_CHECK_GENERATOR: number;
         const DH_NOT_SUITABLE_GENERATOR: number;
-        const ALPN_ENABLED: number;
         const RSA_PKCS1_PADDING: number;
         const RSA_SSLV23_PADDING: number;
         const RSA_NO_PADDING: number;
@@ -172,19 +179,19 @@ declare module 'crypto' {
      *
      * The `algorithm` is dependent on the available algorithms supported by the
      * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
-     * On recent releases of OpenSSL, `openssl list -digest-algorithms`(`openssl list-message-digest-algorithms` for older versions of OpenSSL) will
+     * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
      * display the available digest algorithms.
      *
      * Example: generating the sha256 sum of a file
      *
      * ```js
      * import {
-     *   createReadStream
-     * } from 'fs';
-     * import { argv } from 'process';
+     *   createReadStream,
+     * } from 'node:fs';
+     * import { argv } from 'node:process';
      * const {
-     *   createHash
-     * } = await import('crypto');
+     *   createHash,
+     * } = await import('node:crypto');
      *
      * const filename = argv[2];
      *
@@ -212,22 +219,24 @@ declare module 'crypto' {
      *
      * The `algorithm` is dependent on the available algorithms supported by the
      * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
-     * On recent releases of OpenSSL, `openssl list -digest-algorithms`(`openssl list-message-digest-algorithms` for older versions of OpenSSL) will
+     * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
      * display the available digest algorithms.
      *
      * The `key` is the HMAC key used to generate the cryptographic HMAC hash. If it is
-     * a `KeyObject`, its type must be `secret`.
+     * a `KeyObject`, its type must be `secret`. If it is a string, please consider `caveats when using strings as inputs to cryptographic APIs`. If it was
+     * obtained from a cryptographically secure source of entropy, such as {@link randomBytes} or {@link generateKey}, its length should not
+     * exceed the block size of `algorithm` (e.g., 512 bits for SHA-256).
      *
      * Example: generating the sha256 HMAC of a file
      *
      * ```js
      * import {
-     *   createReadStream
-     * } from 'fs';
-     * import { argv } from 'process';
+     *   createReadStream,
+     * } from 'node:fs';
+     * import { argv } from 'node:process';
      * const {
-     *   createHmac
-     * } = await import('crypto');
+     *   createHmac,
+     * } = await import('node:crypto');
      *
      * const filename = argv[2];
      *
@@ -270,8 +279,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   createHash
-     * } = await import('crypto');
+     *   createHash,
+     * } = await import('node:crypto');
      *
      * const hash = createHash('sha256');
      *
@@ -293,9 +302,9 @@ declare module 'crypto' {
      * Example: Using `Hash` and piped streams:
      *
      * ```js
-     * import { createReadStream } from 'fs';
-     * import { stdout } from 'process';
-     * const { createHash } = await import('crypto');
+     * import { createReadStream } from 'node:fs';
+     * import { stdout } from 'node:process';
+     * const { createHash } = await import('node:crypto');
      *
      * const hash = createHash('sha256');
      *
@@ -307,8 +316,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   createHash
-     * } = await import('crypto');
+     *   createHash,
+     * } = await import('node:crypto');
      *
      * const hash = createHash('sha256');
      *
@@ -335,8 +344,8 @@ declare module 'crypto' {
          * ```js
          * // Calculate a rolling hash.
          * const {
-         *   createHash
-         * } = await import('crypto');
+         *   createHash,
+         * } = await import('node:crypto');
          *
          * const hash = createHash('sha256');
          *
@@ -395,8 +404,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   createHmac
-     * } = await import('crypto');
+     *   createHmac,
+     * } = await import('node:crypto');
      *
      * const hmac = createHmac('sha256', 'a secret');
      *
@@ -418,11 +427,11 @@ declare module 'crypto' {
      * Example: Using `Hmac` and piped streams:
      *
      * ```js
-     * import { createReadStream } from 'fs';
-     * import { stdout } from 'process';
+     * import { createReadStream } from 'node:fs';
+     * import { stdout } from 'node:process';
      * const {
-     *   createHmac
-     * } = await import('crypto');
+     *   createHmac,
+     * } = await import('node:crypto');
      *
      * const hmac = createHmac('sha256', 'a secret');
      *
@@ -434,8 +443,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   createHmac
-     * } = await import('crypto');
+     *   createHmac,
+     * } = await import('node:crypto');
      *
      * const hmac = createHmac('sha256', 'a secret');
      *
@@ -529,9 +538,6 @@ declare module 'crypto' {
          */
         namedCurve?: string | undefined;
     }
-    interface JwkKeyExportOptions {
-        format: 'jwk';
-    }
     /**
      * Node.js uses a `KeyObject` class to represent a symmetric or asymmetric key,
      * and each kind of key exposes different functions. The {@link createSecretKey}, {@link createPublicKey} and {@link createPrivateKey} methods are used to create `KeyObject`instances. `KeyObject`
@@ -551,13 +557,13 @@ declare module 'crypto' {
          * Example: Converting a `CryptoKey` instance to a `KeyObject`:
          *
          * ```js
-         * const { webcrypto, KeyObject } = await import('crypto');
-         * const { subtle } = webcrypto;
+         * const { KeyObject } = await import('node:crypto');
+         * const { subtle } = globalThis.crypto;
          *
          * const key = await subtle.generateKey({
          *   name: 'HMAC',
          *   hash: 'SHA-256',
-         *   length: 256
+         *   length: 256,
          * }, true, ['sign', 'verify']);
          *
          * const keyObject = KeyObject.from(key);
@@ -662,25 +668,30 @@ declare module 'crypto' {
      * Creates and returns a `Cipher` object that uses the given `algorithm` and`password`.
      *
      * The `options` argument controls stream behavior and is optional except when a
-     * cipher in CCM or OCB mode is used (e.g. `'aes-128-ccm'`). In that case, the`authTagLength` option is required and specifies the length of the
+     * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
      * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
      * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
+     * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
      *
      * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
-     * recent OpenSSL releases, `openssl list -cipher-algorithms`(`openssl list-cipher-algorithms` for older versions of OpenSSL) will
+     * recent OpenSSL releases, `openssl list -cipher-algorithms` will
      * display the available cipher algorithms.
      *
      * The `password` is used to derive the cipher key and initialization vector (IV).
      * The value must be either a `'latin1'` encoded string, a `Buffer`, a`TypedArray`, or a `DataView`.
      *
+     * **This function is semantically insecure for all**
+     * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
+     * **GCM, or CCM).**
+     *
      * The implementation of `crypto.createCipher()` derives keys using the OpenSSL
-     * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
+     * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
      * iteration, and no salt. The lack of salt allows dictionary attacks as the same
      * password always creates the same key. The low iteration count and
      * non-cryptographically secure hash algorithm allow passwords to be tested very
      * rapidly.
      *
-     * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html) it is recommended that
+     * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
      * developers derive a key and IV on
      * their own using {@link scrypt} and to use {@link createCipheriv} to create the `Cipher` object. Users should not use ciphers with counter mode
      * (e.g. CTR, GCM, or CCM) in `crypto.createCipher()`. A warning is emitted when
@@ -700,12 +711,13 @@ declare module 'crypto' {
      * initialization vector (`iv`).
      *
      * The `options` argument controls stream behavior and is optional except when a
-     * cipher in CCM or OCB mode is used (e.g. `'aes-128-ccm'`). In that case, the`authTagLength` option is required and specifies the length of the
+     * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
      * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
      * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
+     * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
      *
      * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
-     * recent OpenSSL releases, `openssl list -cipher-algorithms`(`openssl list-cipher-algorithms` for older versions of OpenSSL) will
+     * recent OpenSSL releases, `openssl list -cipher-algorithms` will
      * display the available cipher algorithms.
      *
      * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
@@ -747,8 +759,8 @@ declare module 'crypto' {
      * const {
      *   scrypt,
      *   randomFill,
-     *   createCipheriv
-     * } = await import('crypto');
+     *   createCipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -782,17 +794,17 @@ declare module 'crypto' {
      * import {
      *   createReadStream,
      *   createWriteStream,
-     * } from 'fs';
+     * } from 'node:fs';
      *
      * import {
-     *   pipeline
-     * } from 'stream';
+     *   pipeline,
+     * } from 'node:stream';
      *
      * const {
      *   scrypt,
      *   randomFill,
-     *   createCipheriv
-     * } = await import('crypto');
+     *   createCipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -823,8 +835,8 @@ declare module 'crypto' {
      * const {
      *   scrypt,
      *   randomFill,
-     *   createCipheriv
-     * } = await import('crypto');
+     *   createCipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -925,17 +937,22 @@ declare module 'crypto' {
      * Creates and returns a `Decipher` object that uses the given `algorithm` and`password` (key).
      *
      * The `options` argument controls stream behavior and is optional except when a
-     * cipher in CCM or OCB mode is used (e.g. `'aes-128-ccm'`). In that case, the`authTagLength` option is required and specifies the length of the
+     * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
      * authentication tag in bytes, see `CCM mode`.
+     * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
+     *
+     * **This function is semantically insecure for all**
+     * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
+     * **GCM, or CCM).**
      *
      * The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
-     * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
+     * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
      * iteration, and no salt. The lack of salt allows dictionary attacks as the same
      * password always creates the same key. The low iteration count and
      * non-cryptographically secure hash algorithm allow passwords to be tested very
      * rapidly.
      *
-     * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man1.1.0/crypto/EVP_BytesToKey.html) it is recommended that
+     * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
      * developers derive a key and IV on
      * their own using {@link scrypt} and to use {@link createDecipheriv} to create the `Decipher` object.
      * @since v0.1.94
@@ -951,12 +968,13 @@ declare module 'crypto' {
      * Creates and returns a `Decipher` object that uses the given `algorithm`, `key`and initialization vector (`iv`).
      *
      * The `options` argument controls stream behavior and is optional except when a
-     * cipher in CCM or OCB mode is used (e.g. `'aes-128-ccm'`). In that case, the`authTagLength` option is required and specifies the length of the
+     * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
      * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to restrict accepted authentication tags
      * to those with the specified length.
+     * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
      *
      * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
-     * recent OpenSSL releases, `openssl list -cipher-algorithms`(`openssl list-cipher-algorithms` for older versions of OpenSSL) will
+     * recent OpenSSL releases, `openssl list -cipher-algorithms` will
      * display the available cipher algorithms.
      *
      * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
@@ -995,11 +1013,11 @@ declare module 'crypto' {
      * Example: Using `Decipher` objects as streams:
      *
      * ```js
-     * import { Buffer } from 'buffer';
+     * import { Buffer } from 'node:buffer';
      * const {
      *   scryptSync,
-     *   createDecipheriv
-     * } = await import('crypto');
+     *   createDecipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -1014,6 +1032,7 @@ declare module 'crypto' {
      *
      * let decrypted = '';
      * decipher.on('readable', () => {
+     *   let chunk;
      *   while (null !== (chunk = decipher.read())) {
      *     decrypted += chunk.toString('utf8');
      *   }
@@ -1036,12 +1055,12 @@ declare module 'crypto' {
      * import {
      *   createReadStream,
      *   createWriteStream,
-     * } from 'fs';
-     * import { Buffer } from 'buffer';
+     * } from 'node:fs';
+     * import { Buffer } from 'node:buffer';
      * const {
      *   scryptSync,
-     *   createDecipheriv
-     * } = await import('crypto');
+     *   createDecipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -1061,11 +1080,11 @@ declare module 'crypto' {
      * Example: Using the `decipher.update()` and `decipher.final()` methods:
      *
      * ```js
-     * import { Buffer } from 'buffer';
+     * import { Buffer } from 'node:buffer';
      * const {
      *   scryptSync,
-     *   createDecipheriv
-     * } = await import('crypto');
+     *   createDecipheriv,
+     * } = await import('node:crypto');
      *
      * const algorithm = 'aes-192-cbc';
      * const password = 'Password used to generate key';
@@ -1162,25 +1181,30 @@ declare module 'crypto' {
         format?: KeyFormat | undefined;
         type?: 'pkcs1' | 'pkcs8' | 'sec1' | undefined;
         passphrase?: string | Buffer | undefined;
+        encoding?: string | undefined;
     }
     interface PublicKeyInput {
         key: string | Buffer;
         format?: KeyFormat | undefined;
         type?: 'pkcs1' | 'spki' | undefined;
+        encoding?: string | undefined;
     }
     /**
      * Asynchronously generates a new random secret key of the given `length`. The`type` will determine which validations will be performed on the `length`.
      *
      * ```js
      * const {
-     *   generateKey
-     * } = await import('crypto');
+     *   generateKey,
+     * } = await import('node:crypto');
      *
-     * generateKey('hmac', { length: 64 }, (err, key) => {
+     * generateKey('hmac', { length: 512 }, (err, key) => {
      *   if (err) throw err;
      *   console.log(key.export().toString('hex'));  // 46e..........620
      * });
      * ```
+     *
+     * The size of a generated HMAC key should not exceed the block size of the
+     * underlying hash function. See {@link createHmac} for more information.
      * @since v15.0.0
      * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
      */
@@ -1196,12 +1220,15 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   generateKeySync
-     * } = await import('crypto');
+     *   generateKeySync,
+     * } = await import('node:crypto');
      *
-     * const key = generateKeySync('hmac', { length: 64 });
+     * const key = generateKeySync('hmac', { length: 512 });
      * console.log(key.export().toString('hex'));  // e89..........41e
      * ```
+     *
+     * The size of a generated HMAC key should not exceed the block size of the
+     * underlying hash function. See {@link createHmac} for more information.
      * @since v15.0.0
      * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
      */
@@ -1263,7 +1290,7 @@ declare module 'crypto' {
     type DSAEncoding = 'der' | 'ieee-p1363';
     interface SigningOptions {
         /**
-         * @See crypto.constants.RSA_PKCS1_PADDING
+         * @see crypto.constants.RSA_PKCS1_PADDING
          */
         padding?: number | undefined;
         saltLength?: number | undefined;
@@ -1277,6 +1304,7 @@ declare module 'crypto' {
     interface VerifyKeyObjectInput extends SigningOptions {
         key: KeyObject;
     }
+    interface VerifyJsonWebKeyInput extends JsonWebKeyInput, SigningOptions {}
     type KeyLike = string | Buffer | KeyObject;
     /**
      * The `Sign` class is a utility for generating signatures. It can be used in one
@@ -1296,11 +1324,11 @@ declare module 'crypto' {
      * const {
      *   generateKeyPairSync,
      *   createSign,
-     *   createVerify
-     * } = await import('crypto');
+     *   createVerify,
+     * } = await import('node:crypto');
      *
      * const { privateKey, publicKey } = generateKeyPairSync('ec', {
-     *   namedCurve: 'sect239k1'
+     *   namedCurve: 'sect239k1',
      * });
      *
      * const sign = createSign('SHA256');
@@ -1321,8 +1349,8 @@ declare module 'crypto' {
      * const {
      *   generateKeyPairSync,
      *   createSign,
-     *   createVerify
-     * } = await import('crypto');
+     *   createVerify,
+     * } = await import('node:crypto');
      *
      * const { privateKey, publicKey } = generateKeyPairSync('rsa', {
      *   modulusLength: 2048,
@@ -1431,8 +1459,8 @@ declare module 'crypto' {
          * be passed instead of a public key.
          * @since v0.1.92
          */
-        verify(object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput, signature: NodeJS.ArrayBufferView): boolean;
-        verify(object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput, signature: string, signature_format?: BinaryToTextEncoding): boolean;
+        verify(object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput, signature: NodeJS.ArrayBufferView): boolean;
+        verify(object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput, signature: string, signature_format?: BinaryToTextEncoding): boolean;
     }
     /**
      * Creates a `DiffieHellman` key exchange object using the supplied `prime` and an
@@ -1450,10 +1478,10 @@ declare module 'crypto' {
      * @param [generator=2]
      * @param generatorEncoding The `encoding` of the `generator` string.
      */
-    function createDiffieHellman(primeLength: number, generator?: number | NodeJS.ArrayBufferView): DiffieHellman;
-    function createDiffieHellman(prime: NodeJS.ArrayBufferView): DiffieHellman;
-    function createDiffieHellman(prime: string, primeEncoding: BinaryToTextEncoding): DiffieHellman;
-    function createDiffieHellman(prime: string, primeEncoding: BinaryToTextEncoding, generator: number | NodeJS.ArrayBufferView): DiffieHellman;
+    function createDiffieHellman(primeLength: number, generator?: number): DiffieHellman;
+    function createDiffieHellman(prime: ArrayBuffer | NodeJS.ArrayBufferView, generator?: number | ArrayBuffer | NodeJS.ArrayBufferView): DiffieHellman;
+    function createDiffieHellman(prime: ArrayBuffer | NodeJS.ArrayBufferView, generator: string, generatorEncoding: BinaryToTextEncoding): DiffieHellman;
+    function createDiffieHellman(prime: string, primeEncoding: BinaryToTextEncoding, generator?: number | ArrayBuffer | NodeJS.ArrayBufferView): DiffieHellman;
     function createDiffieHellman(prime: string, primeEncoding: BinaryToTextEncoding, generator: string, generatorEncoding: BinaryToTextEncoding): DiffieHellman;
     /**
      * The `DiffieHellman` class is a utility for creating Diffie-Hellman key
@@ -1462,11 +1490,11 @@ declare module 'crypto' {
      * Instances of the `DiffieHellman` class can be created using the {@link createDiffieHellman} function.
      *
      * ```js
-     * import assert from 'assert';
+     * import assert from 'node:assert';
      *
      * const {
-     *   createDiffieHellman
-     * } = await import('crypto');
+     *   createDiffieHellman,
+     * } = await import('node:crypto');
      *
      * // Generate Alice's keys...
      * const alice = createDiffieHellman(2048);
@@ -1510,9 +1538,9 @@ declare module 'crypto' {
          * @param inputEncoding The `encoding` of an `otherPublicKey` string.
          * @param outputEncoding The `encoding` of the return value.
          */
-        computeSecret(otherPublicKey: NodeJS.ArrayBufferView): Buffer;
-        computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding): Buffer;
-        computeSecret(otherPublicKey: NodeJS.ArrayBufferView, outputEncoding: BinaryToTextEncoding): string;
+        computeSecret(otherPublicKey: NodeJS.ArrayBufferView, inputEncoding?: null, outputEncoding?: null): Buffer;
+        computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding, outputEncoding?: null): Buffer;
+        computeSecret(otherPublicKey: NodeJS.ArrayBufferView, inputEncoding: null, outputEncoding: BinaryToTextEncoding): string;
         computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding, outputEncoding: BinaryToTextEncoding): string;
         /**
          * Returns the Diffie-Hellman prime in the specified `encoding`.
@@ -1572,7 +1600,7 @@ declare module 'crypto' {
          * A bit field containing any warnings and/or errors resulting from a check
          * performed during initialization of the `DiffieHellman` object.
          *
-         * The following values are valid for this property (as defined in `constants`module):
+         * The following values are valid for this property (as defined in `node:constants` module):
          *
          * * `DH_CHECK_P_NOT_SAFE_PRIME`
          * * `DH_CHECK_P_NOT_PRIME`
@@ -1582,11 +1610,41 @@ declare module 'crypto' {
          */
         verifyError: number;
     }
+    /**
+     * The `DiffieHellmanGroup` class takes a well-known modp group as its argument.
+     * It works the same as `DiffieHellman`, except that it does not allow changing its keys after creation.
+     * In other words, it does not implement `setPublicKey()` or `setPrivateKey()` methods.
+     *
+     * ```js
+     * const { createDiffieHellmanGroup } = await import('node:crypto');
+     * const dh = createDiffieHellmanGroup('modp1');
+     * ```
+     * The name (e.g. `'modp1'`) is taken from [RFC 2412](https://www.rfc-editor.org/rfc/rfc2412.txt) (modp1 and 2) and [RFC 3526](https://www.rfc-editor.org/rfc/rfc3526.txt):
+     * ```bash
+     * $ perl -ne 'print "$1\n" if /"(modp\d+)"/' src/node_crypto_groups.h
+     * modp1  #  768 bits
+     * modp2  # 1024 bits
+     * modp5  # 1536 bits
+     * modp14 # 2048 bits
+     * modp15 # etc.
+     * modp16
+     * modp17
+     * modp18
+     * ```
+     * @since v0.7.5
+     */
+    const DiffieHellmanGroup: DiffieHellmanGroupConstructor;
+    interface DiffieHellmanGroupConstructor {
+        new (name: string): DiffieHellmanGroup;
+        (name: string): DiffieHellmanGroup;
+        readonly prototype: DiffieHellmanGroup;
+    }
+    type DiffieHellmanGroup = Omit<DiffieHellman, 'setPublicKey' | 'setPrivateKey'>;
     /**
      * Creates a predefined `DiffieHellmanGroup` key exchange object. The
-     * supported groups are: `'modp1'`, `'modp2'`, `'modp5'` (defined in [RFC 2412](https://www.rfc-editor.org/rfc/rfc2412.txt), but see `Caveats`) and `'modp14'`, `'modp15'`,`'modp16'`, `'modp17'`,
-     * `'modp18'` (defined in [RFC 3526](https://www.rfc-editor.org/rfc/rfc3526.txt)). The
-     * returned object mimics the interface of objects created by {@link createDiffieHellman}, but will not allow changing
+     * supported groups are listed in the documentation for `DiffieHellmanGroup`.
+     *
+     * The returned object mimics the interface of objects created by {@link createDiffieHellman}, but will not allow changing
      * the keys (with `diffieHellman.setPublicKey()`, for example). The
      * advantage of using this method is that the parties do not have to
      * generate nor exchange a group modulus beforehand, saving both processor
@@ -1596,8 +1654,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   getDiffieHellman
-     * } = await import('crypto');
+     *   getDiffieHellman,
+     * } = await import('node:crypto');
      * const alice = getDiffieHellman('modp14');
      * const bob = getDiffieHellman('modp14');
      *
@@ -1612,7 +1670,12 @@ declare module 'crypto' {
      * ```
      * @since v0.7.5
      */
-    function getDiffieHellman(groupName: string): DiffieHellman;
+    function getDiffieHellman(groupName: string): DiffieHellmanGroup;
+    /**
+     * An alias for {@link getDiffieHellman}
+     * @since v0.9.3
+     */
+    function createDiffieHellmanGroup(name: string): DiffieHellmanGroup;
     /**
      * Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
      * implementation. A selected HMAC digest algorithm specified by `digest` is
@@ -1622,9 +1685,6 @@ declare module 'crypto' {
      * otherwise `err` will be `null`. By default, the successfully generated`derivedKey` will be passed to the callback as a `Buffer`. An error will be
      * thrown if any of the input arguments specify invalid values or types.
      *
-     * If `digest` is `null`, `'sha1'` will be used. This behavior is deprecated,
-     * please specify a `digest` explicitly.
-     *
      * The `iterations` argument must be a number set as high as possible. The
      * higher the number of iterations, the more secure the derived key will be,
      * but will take a longer amount of time to complete.
@@ -1636,8 +1696,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   pbkdf2
-     * } = await import('crypto');
+     *   pbkdf2,
+     * } = await import('node:crypto');
      *
      * pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
      *   if (err) throw err;
@@ -1645,18 +1705,6 @@ declare module 'crypto' {
      * });
      * ```
      *
-     * The `crypto.DEFAULT_ENCODING` property can be used to change the way the`derivedKey` is passed to the callback. This property, however, has been
-     * deprecated and use should be avoided.
-     *
-     * ```js
-     * import crypto from 'crypto';
-     * crypto.DEFAULT_ENCODING = 'hex';
-     * crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, derivedKey) => {
-     *   if (err) throw err;
-     *   console.log(derivedKey);  // '3745e48...aa39b34'
-     * });
-     * ```
-     *
      * An array of supported digest functions can be retrieved using {@link getHashes}.
      *
      * This API uses libuv's threadpool, which can have surprising and
@@ -1672,9 +1720,6 @@ declare module 'crypto' {
      * If an error occurs an `Error` will be thrown, otherwise the derived key will be
      * returned as a `Buffer`.
      *
-     * If `digest` is `null`, `'sha1'` will be used. This behavior is deprecated,
-     * please specify a `digest` explicitly.
-     *
      * The `iterations` argument must be a number set as high as possible. The
      * higher the number of iterations, the more secure the derived key will be,
      * but will take a longer amount of time to complete.
@@ -1686,23 +1731,13 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   pbkdf2Sync
-     * } = await import('crypto');
+     *   pbkdf2Sync,
+     * } = await import('node:crypto');
      *
      * const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
      * console.log(key.toString('hex'));  // '3745e48...08d59ae'
      * ```
      *
-     * The `crypto.DEFAULT_ENCODING` property may be used to change the way the`derivedKey` is returned. This property, however, is deprecated and use
-     * should be avoided.
-     *
-     * ```js
-     * import crypto from 'crypto';
-     * crypto.DEFAULT_ENCODING = 'hex';
-     * const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
-     * console.log(key);  // '3745e48...aa39b34'
-     * ```
-     *
      * An array of supported digest functions can be retrieved using {@link getHashes}.
      * @since v0.9.3
      */
@@ -1718,8 +1753,8 @@ declare module 'crypto' {
      * ```js
      * // Asynchronous
      * const {
-     *   randomBytes
-     * } = await import('crypto');
+     *   randomBytes,
+     * } = await import('node:crypto');
      *
      * randomBytes(256, (err, buf) => {
      *   if (err) throw err;
@@ -1734,8 +1769,8 @@ declare module 'crypto' {
      * ```js
      * // Synchronous
      * const {
-     *   randomBytes
-     * } = await import('crypto');
+     *   randomBytes,
+     * } = await import('node:crypto');
      *
      * const buf = randomBytes(256);
      * console.log(
@@ -1776,8 +1811,8 @@ declare module 'crypto' {
      * ```js
      * // Asynchronous
      * const {
-     *   randomInt
-     * } = await import('crypto');
+     *   randomInt,
+     * } = await import('node:crypto');
      *
      * randomInt(3, (err, n) => {
      *   if (err) throw err;
@@ -1788,8 +1823,8 @@ declare module 'crypto' {
      * ```js
      * // Synchronous
      * const {
-     *   randomInt
-     * } = await import('crypto');
+     *   randomInt,
+     * } = await import('node:crypto');
      *
      * const n = randomInt(3);
      * console.log(`Random number chosen from (0, 1, 2): ${n}`);
@@ -1798,8 +1833,8 @@ declare module 'crypto' {
      * ```js
      * // With `min` argument
      * const {
-     *   randomInt
-     * } = await import('crypto');
+     *   randomInt,
+     * } = await import('node:crypto');
      *
      * const n = randomInt(1, 7);
      * console.log(`The dice rolled: ${n}`);
@@ -1817,8 +1852,8 @@ declare module 'crypto' {
      * Synchronous version of {@link randomFill}.
      *
      * ```js
-     * import { Buffer } from 'buffer';
-     * const { randomFillSync } = await import('crypto');
+     * import { Buffer } from 'node:buffer';
+     * const { randomFillSync } = await import('node:crypto');
      *
      * const buf = Buffer.alloc(10);
      * console.log(randomFillSync(buf).toString('hex'));
@@ -1834,8 +1869,8 @@ declare module 'crypto' {
      * Any `ArrayBuffer`, `TypedArray` or `DataView` instance may be passed as`buffer`.
      *
      * ```js
-     * import { Buffer } from 'buffer';
-     * const { randomFillSync } = await import('crypto');
+     * import { Buffer } from 'node:buffer';
+     * const { randomFillSync } = await import('node:crypto');
      *
      * const a = new Uint32Array(10);
      * console.log(Buffer.from(randomFillSync(a).buffer,
@@ -1863,8 +1898,8 @@ declare module 'crypto' {
      * If the `callback` function is not provided, an error will be thrown.
      *
      * ```js
-     * import { Buffer } from 'buffer';
-     * const { randomFill } = await import('crypto');
+     * import { Buffer } from 'node:buffer';
+     * const { randomFill } = await import('node:crypto');
      *
      * const buf = Buffer.alloc(10);
      * randomFill(buf, (err, buf) => {
@@ -1893,8 +1928,8 @@ declare module 'crypto' {
      * distribution and have no meaningful lower or upper bounds.
      *
      * ```js
-     * import { Buffer } from 'buffer';
-     * const { randomFill } = await import('crypto');
+     * import { Buffer } from 'node:buffer';
+     * const { randomFill } = await import('node:crypto');
      *
      * const a = new Uint32Array(10);
      * randomFill(a, (err, buf) => {
@@ -1960,8 +1995,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   scrypt
-     * } = await import('crypto');
+     *   scrypt,
+     * } = await import('node:crypto');
      *
      * // Using the factory defaults.
      * scrypt('password', 'salt', 64, (err, derivedKey) => {
@@ -1996,8 +2031,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   scryptSync
-     * } = await import('crypto');
+     *   scryptSync,
+     * } = await import('node:crypto');
      * // Using the factory defaults.
      *
      * const key1 = scryptSync('password', 'salt', 64);
@@ -2068,8 +2103,8 @@ declare module 'crypto' {
     /**
      * ```js
      * const {
-     *   getCiphers
-     * } = await import('crypto');
+     *   getCiphers,
+     * } = await import('node:crypto');
      *
      * console.log(getCiphers()); // ['aes-128-cbc', 'aes-128-ccm', ...]
      * ```
@@ -2080,8 +2115,8 @@ declare module 'crypto' {
     /**
      * ```js
      * const {
-     *   getCurves
-     * } = await import('crypto');
+     *   getCurves,
+     * } = await import('node:crypto');
      *
      * console.log(getCurves()); // ['Oakley-EC2N-3', 'Oakley-EC2N-4', ...]
      * ```
@@ -2094,11 +2129,18 @@ declare module 'crypto' {
      * @return `1` if and only if a FIPS compliant crypto provider is currently in use, `0` otherwise. A future semver-major release may change the return type of this API to a {boolean}.
      */
     function getFips(): 1 | 0;
+    /**
+     * Enables the FIPS compliant crypto provider in a FIPS-enabled Node.js build.
+     * Throws an error if FIPS mode is not available.
+     * @since v10.0.0
+     * @param bool `true` to enable FIPS mode.
+     */
+    function setFips(bool: boolean): void;
     /**
      * ```js
      * const {
-     *   getHashes
-     * } = await import('crypto');
+     *   getHashes,
+     * } = await import('node:crypto');
      *
      * console.log(getHashes()); // ['DSA', 'DSA-SHA', 'DSA-SHA1', ...]
      * ```
@@ -2113,11 +2155,11 @@ declare module 'crypto' {
      * Instances of the `ECDH` class can be created using the {@link createECDH} function.
      *
      * ```js
-     * import assert from 'assert';
+     * import assert from 'node:assert';
      *
      * const {
-     *   createECDH
-     * } = await import('crypto');
+     *   createECDH,
+     * } = await import('node:crypto');
      *
      * // Generate Alice's keys...
      * const alice = createECDH('secp521r1');
@@ -2158,8 +2200,8 @@ declare module 'crypto' {
          * ```js
          * const {
          *   createECDH,
-         *   ECDH
-         * } = await import('crypto');
+         *   ECDH,
+         * } = await import('node:crypto');
          *
          * const ecdh = createECDH('secp256k1');
          * ecdh.generateKeys();
@@ -2241,7 +2283,7 @@ declare module 'crypto' {
          * @param [format='uncompressed']
          * @return The EC Diffie-Hellman public key in the specified `encoding` and `format`.
          */
-        getPublicKey(): Buffer;
+        getPublicKey(encoding?: null, format?: ECDHKeyFormat): Buffer;
         getPublicKey(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
         /**
          * Sets the EC Diffie-Hellman private key.
@@ -2266,28 +2308,33 @@ declare module 'crypto' {
      */
     function createECDH(curveName: string): ECDH;
     /**
-     * This function is based on a constant-time algorithm.
-     * Returns true if `a` is equal to `b`, without leaking timing information that
+     * This function compares the underlying bytes that represent the given`ArrayBuffer`, `TypedArray`, or `DataView` instances using a constant-time
+     * algorithm.
+     *
+     * This function does not leak timing information that
      * would allow an attacker to guess one of the values. This is suitable for
      * comparing HMAC digests or secret values like authentication cookies or [capability urls](https://www.w3.org/TR/capability-urls/).
      *
      * `a` and `b` must both be `Buffer`s, `TypedArray`s, or `DataView`s, and they
-     * must have the same byte length.
+     * must have the same byte length. An error is thrown if `a` and `b` have
+     * different byte lengths.
      *
      * If at least one of `a` and `b` is a `TypedArray` with more than one byte per
      * entry, such as `Uint16Array`, the result will be computed using the platform
      * byte order.
      *
+     * **When both of the inputs are `Float32Array`s or`Float64Array`s, this function might return unexpected results due to IEEE 754**
+     * **encoding of floating-point numbers. In particular, neither `x === y` nor`Object.is(x, y)` implies that the byte representations of two floating-point**
+     * **numbers `x` and `y` are equal.**
+     *
      * Use of `crypto.timingSafeEqual` does not guarantee that the _surrounding_ code
      * is timing-safe. Care should be taken to ensure that the surrounding code does
      * not introduce timing vulnerabilities.
      * @since v6.6.0
      */
     function timingSafeEqual(a: NodeJS.ArrayBufferView, b: NodeJS.ArrayBufferView): boolean;
-    /** @deprecated since v10.0.0 */
-    const DEFAULT_ENCODING: BufferEncoding;
     type KeyType = 'rsa' | 'rsa-pss' | 'dsa' | 'ec' | 'ed25519' | 'ed448' | 'x25519' | 'x448';
-    type KeyFormat = 'pem' | 'der';
+    type KeyFormat = 'pem' | 'der' | 'jwk';
     interface BasePrivateKeyEncodingOptions<T extends KeyFormat> {
         format: T;
         cipher?: string | undefined;
@@ -2483,8 +2530,8 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   generateKeyPairSync
-     * } = await import('crypto');
+     *   generateKeyPairSync,
+     * } = await import('node:crypto');
      *
      * const {
      *   publicKey,
@@ -2493,14 +2540,14 @@ declare module 'crypto' {
      *   modulusLength: 4096,
      *   publicKeyEncoding: {
      *     type: 'spki',
-     *     format: 'pem'
+     *     format: 'pem',
      *   },
      *   privateKeyEncoding: {
      *     type: 'pkcs8',
      *     format: 'pem',
      *     cipher: 'aes-256-cbc',
-     *     passphrase: 'top secret'
-     *   }
+     *     passphrase: 'top secret',
+     *   },
      * });
      * ```
      *
@@ -2562,21 +2609,21 @@ declare module 'crypto' {
      *
      * ```js
      * const {
-     *   generateKeyPair
-     * } = await import('crypto');
+     *   generateKeyPair,
+     * } = await import('node:crypto');
      *
      * generateKeyPair('rsa', {
      *   modulusLength: 4096,
      *   publicKeyEncoding: {
      *     type: 'spki',
-     *     format: 'pem'
+     *     format: 'pem',
      *   },
      *   privateKeyEncoding: {
      *     type: 'pkcs8',
      *     format: 'pem',
      *     cipher: 'aes-256-cbc',
-     *     passphrase: 'top secret'
-     *   }
+     *     passphrase: 'top secret',
+     *   },
      * }, (err, publicKey, privateKey) => {
      *   // Handle errors and use the generated key pair.
      * });
@@ -2898,11 +2945,16 @@ declare module 'crypto' {
      * If the `callback` function is provided this function uses libuv's threadpool.
      * @since v12.0.0
      */
-    function verify(algorithm: string | null | undefined, data: NodeJS.ArrayBufferView, key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput, signature: NodeJS.ArrayBufferView): boolean;
     function verify(
         algorithm: string | null | undefined,
         data: NodeJS.ArrayBufferView,
-        key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput,
+        key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
+        signature: NodeJS.ArrayBufferView
+    ): boolean;
+    function verify(
+        algorithm: string | null | undefined,
+        data: NodeJS.ArrayBufferView,
+        key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
         signature: NodeJS.ArrayBufferView,
         callback: (error: Error | null, result: boolean) => void
     ): void;
@@ -2972,10 +3024,10 @@ declare module 'crypto' {
      * of the input arguments specify invalid values or types.
      *
      * ```js
-     * import { Buffer } from 'buffer';
+     * import { Buffer } from 'node:buffer';
      * const {
-     *   hkdf
-     * } = await import('crypto');
+     *   hkdf,
+     * } = await import('node:crypto');
      *
      * hkdf('sha512', 'key', 'salt', 'info', 64, (err, derivedKey) => {
      *   if (err) throw err;
@@ -2984,7 +3036,7 @@ declare module 'crypto' {
      * ```
      * @since v15.0.0
      * @param digest The digest algorithm to use.
-     * @param ikm The input keying material. It must be at least one byte in length.
+     * @param ikm The input keying material. Must be provided but can be zero-length.
      * @param salt The salt value. Must be provided but can be zero-length.
      * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
      * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
@@ -3001,17 +3053,17 @@ declare module 'crypto' {
      * types, or if the derived key cannot be generated.
      *
      * ```js
-     * import { Buffer } from 'buffer';
+     * import { Buffer } from 'node:buffer';
      * const {
-     *   hkdfSync
-     * } = await import('crypto');
+     *   hkdfSync,
+     * } = await import('node:crypto');
      *
      * const derivedKey = hkdfSync('sha512', 'key', 'salt', 'info', 64);
      * console.log(Buffer.from(derivedKey).toString('hex'));  // '24156e2...5391653'
      * ```
      * @since v15.0.0
      * @param digest The digest algorithm to use.
-     * @param ikm The input keying material. It must be at least one byte in length.
+     * @param ikm The input keying material. Must be provided but can be zero-length.
      * @param salt The salt value. Must be provided but can be zero-length.
      * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
      * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
@@ -3051,40 +3103,41 @@ declare module 'crypto' {
          */
         disableEntropyCache?: boolean | undefined;
     }
+    type UUID = `${string}-${string}-${string}-${string}-${string}`;
     /**
      * Generates a random [RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) version 4 UUID. The UUID is generated using a
      * cryptographic pseudorandom number generator.
      * @since v15.6.0, v14.17.0
      */
-    function randomUUID(options?: RandomUUIDOptions): string;
+    function randomUUID(options?: RandomUUIDOptions): UUID;
     interface X509CheckOptions {
         /**
          * @default 'always'
          */
-        subject: 'always' | 'never';
+        subject?: 'always' | 'default' | 'never';
         /**
          * @default true
          */
-        wildcards: boolean;
+        wildcards?: boolean;
         /**
          * @default true
          */
-        partialWildcards: boolean;
+        partialWildcards?: boolean;
         /**
          * @default false
          */
-        multiLabelWildcards: boolean;
+        multiLabelWildcards?: boolean;
         /**
          * @default false
          */
-        singleLabelSubdomains: boolean;
+        singleLabelSubdomains?: boolean;
     }
     /**
      * Encapsulates an X509 certificate and provides read-only access to
      * its information.
      *
      * ```js
-     * const { X509Certificate } = await import('crypto');
+     * const { X509Certificate } = await import('node:crypto');
      *
      * const x509 = new X509Certificate('{... pem encoded cert ...}');
      *
@@ -3094,12 +3147,16 @@ declare module 'crypto' {
      */
     class X509Certificate {
         /**
-         * Will be \`true\` if this is a Certificate Authority (ca) certificate.
+         * Will be \`true\` if this is a Certificate Authority (CA) certificate.
          * @since v15.6.0
          */
         readonly ca: boolean;
         /**
          * The SHA-1 fingerprint of this certificate.
+         *
+         * Because SHA-1 is cryptographically broken and because the security of SHA-1 is
+         * significantly worse than that of algorithms that are commonly used to sign
+         * certificates, consider using `x509.fingerprint256` instead.
          * @since v15.6.0
          */
         readonly fingerprint: string;
@@ -3110,23 +3167,53 @@ declare module 'crypto' {
         readonly fingerprint256: string;
         /**
          * The SHA-512 fingerprint of this certificate.
-         * @since v16.14.0
+         *
+         * Because computing the SHA-256 fingerprint is usually faster and because it is
+         * only half the size of the SHA-512 fingerprint, `x509.fingerprint256` may be
+         * a better choice. While SHA-512 presumably provides a higher level of security in
+         * general, the security of SHA-256 matches that of most algorithms that are
+         * commonly used to sign certificates.
+         * @since v17.2.0, v16.14.0
          */
-         readonly fingerprint512: string;
+        readonly fingerprint512: string;
         /**
          * The complete subject of this certificate.
          * @since v15.6.0
          */
         readonly subject: string;
         /**
-         * The subject alternative name specified for this certificate or `undefined`
-         * if not available.
+         * The subject alternative name specified for this certificate.
+         *
+         * This is a comma-separated list of subject alternative names. Each entry begins
+         * with a string identifying the kind of the subject alternative name followed by
+         * a colon and the value associated with the entry.
+         *
+         * Earlier versions of Node.js incorrectly assumed that it is safe to split this
+         * property at the two-character sequence `', '` (see [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532)). However,
+         * both malicious and legitimate certificates can contain subject alternative names
+         * that include this sequence when represented as a string.
+         *
+         * After the prefix denoting the type of the entry, the remainder of each entry
+         * might be enclosed in quotes to indicate that the value is a JSON string literal.
+         * For backward compatibility, Node.js only uses JSON string literals within this
+         * property when necessary to avoid ambiguity. Third-party code should be prepared
+         * to handle both possible entry formats.
          * @since v15.6.0
          */
         readonly subjectAltName: string | undefined;
         /**
-         * The information access content of this certificate or `undefined` if not
-         * available.
+         * A textual representation of the certificate's authority information access
+         * extension.
+         *
+         * This is a line feed separated list of access descriptions. Each line begins with
+         * the access method and the kind of the access location, followed by a colon and
+         * the value associated with the access location.
+         *
+         * After the prefix denoting the access method and the kind of the access location,
+         * the remainder of each line might be enclosed in quotes to indicate that the
+         * value is a JSON string literal. For backward compatibility, Node.js only uses
+         * JSON string literals within this property when necessary to avoid ambiguity.
+         * Third-party code should be prepared to handle both possible entry formats.
          * @since v15.6.0
          */
         readonly infoAccess: string | undefined;
@@ -3158,6 +3245,10 @@ declare module 'crypto' {
         readonly raw: Buffer;
         /**
          * The serial number of this certificate.
+         *
+         * Serial numbers are assigned by certificate authorities and do not uniquely
+         * identify certificates. Consider using `x509.fingerprint256` as a unique
+         * identifier instead.
          * @since v15.6.0
          */
         readonly serialNumber: string;
@@ -3174,18 +3265,50 @@ declare module 'crypto' {
         constructor(buffer: BinaryLike);
         /**
          * Checks whether the certificate matches the given email address.
+         *
+         * If the `'subject'` option is undefined or set to `'default'`, the certificate
+         * subject is only considered if the subject alternative name extension either does
+         * not exist or does not contain any email addresses.
+         *
+         * If the `'subject'` option is set to `'always'` and if the subject alternative
+         * name extension either does not exist or does not contain a matching email
+         * address, the certificate subject is considered.
+         *
+         * If the `'subject'` option is set to `'never'`, the certificate subject is never
+         * considered, even if the certificate contains no subject alternative names.
          * @since v15.6.0
          * @return Returns `email` if the certificate matches, `undefined` if it does not.
          */
         checkEmail(email: string, options?: Pick<X509CheckOptions, 'subject'>): string | undefined;
         /**
          * Checks whether the certificate matches the given host name.
+         *
+         * If the certificate matches the given host name, the matching subject name is
+         * returned. The returned name might be an exact match (e.g., `foo.example.com`)
+         * or it might contain wildcards (e.g., `*.example.com`). Because host name
+         * comparisons are case-insensitive, the returned subject name might also differ
+         * from the given `name` in capitalization.
+         *
+         * If the `'subject'` option is undefined or set to `'default'`, the certificate
+         * subject is only considered if the subject alternative name extension either does
+         * not exist or does not contain any DNS names. This behavior is consistent with [RFC 2818](https://www.rfc-editor.org/rfc/rfc2818.txt) ("HTTP Over TLS").
+         *
+         * If the `'subject'` option is set to `'always'` and if the subject alternative
+         * name extension either does not exist or does not contain a matching DNS name,
+         * the certificate subject is considered.
+         *
+         * If the `'subject'` option is set to `'never'`, the certificate subject is never
+         * considered, even if the certificate contains no subject alternative names.
          * @since v15.6.0
-         * @return Returns `name` if the certificate matches, `undefined` if it does not.
+         * @return Returns a subject name that matches `name`, or `undefined` if no subject name matches `name`.
          */
         checkHost(name: string, options?: X509CheckOptions): string | undefined;
         /**
          * Checks whether the certificate matches the given IP address (IPv4 or IPv6).
+         *
+         * Only [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) `iPAddress` subject alternative names are considered, and they
+         * must match the given `ip` address exactly. Other subject alternative names as
+         * well as the subject field of the certificate are ignored.
          * @since v15.6.0
          * @return Returns `ip` if the certificate matches, `undefined` if it does not.
          */
@@ -3307,7 +3430,7 @@ declare module 'crypto' {
     interface CheckPrimeOptions {
         /**
          * The number of Miller-Rabin probabilistic primality iterations to perform.
-         * When the value is 0 (zero), a number of checks is used that yields a false positive rate of at most 2-64 for random input.
+         * When the value is 0 (zero), a number of checks is used that yields a false positive rate of at most `2**-64` for random input.
          * Care must be used when selecting a number of checks.
          * Refer to the OpenSSL documentation for the BN_is_prime_ex function nchecks options for more details.
          *
@@ -3329,8 +3452,517 @@ declare module 'crypto' {
      * @return `true` if the candidate is a prime with an error probability less than `0.25 ** options.checks`.
      */
     function checkPrimeSync(candidate: LargeNumberLike, options?: CheckPrimeOptions): boolean;
+    /**
+     * Load and set the `engine` for some or all OpenSSL functions (selected by flags).
+     *
+     * `engine` could be either an id or a path to the engine's shared library.
+     *
+     * The optional `flags` argument uses `ENGINE_METHOD_ALL` by default. The `flags`is a bit field taking one of or a mix of the following flags (defined in`crypto.constants`):
+     *
+     * * `crypto.constants.ENGINE_METHOD_RSA`
+     * * `crypto.constants.ENGINE_METHOD_DSA`
+     * * `crypto.constants.ENGINE_METHOD_DH`
+     * * `crypto.constants.ENGINE_METHOD_RAND`
+     * * `crypto.constants.ENGINE_METHOD_EC`
+     * * `crypto.constants.ENGINE_METHOD_CIPHERS`
+     * * `crypto.constants.ENGINE_METHOD_DIGESTS`
+     * * `crypto.constants.ENGINE_METHOD_PKEY_METHS`
+     * * `crypto.constants.ENGINE_METHOD_PKEY_ASN1_METHS`
+     * * `crypto.constants.ENGINE_METHOD_ALL`
+     * * `crypto.constants.ENGINE_METHOD_NONE`
+     * @since v0.11.11
+     * @param flags
+     */
+    function setEngine(engine: string, flags?: number): void;
+    /**
+     * A convenient alias for {@link webcrypto.getRandomValues}. This
+     * implementation is not compliant with the Web Crypto spec, to write
+     * web-compatible code use {@link webcrypto.getRandomValues} instead.
+     * @since v17.4.0
+     * @return Returns `typedArray`.
+     */
+    function getRandomValues<T extends webcrypto.BufferSource>(typedArray: T): T;
+    /**
+     * A convenient alias for `crypto.webcrypto.subtle`.
+     * @since v17.4.0
+     */
+    const subtle: webcrypto.SubtleCrypto;
+    /**
+     * An implementation of the Web Crypto API standard.
+     *
+     * See the {@link https://nodejs.org/docs/latest/api/webcrypto.html Web Crypto API documentation} for details.
+     * @since v15.0.0
+     */
+    const webcrypto: webcrypto.Crypto;
     namespace webcrypto {
-        class CryptoKey {} // placeholder
+        type BufferSource = ArrayBufferView | ArrayBuffer;
+        type KeyFormat = 'jwk' | 'pkcs8' | 'raw' | 'spki';
+        type KeyType = 'private' | 'public' | 'secret';
+        type KeyUsage = 'decrypt' | 'deriveBits' | 'deriveKey' | 'encrypt' | 'sign' | 'unwrapKey' | 'verify' | 'wrapKey';
+        type AlgorithmIdentifier = Algorithm | string;
+        type HashAlgorithmIdentifier = AlgorithmIdentifier;
+        type NamedCurve = string;
+        type BigInteger = Uint8Array;
+        interface AesCbcParams extends Algorithm {
+            iv: BufferSource;
+        }
+        interface AesCtrParams extends Algorithm {
+            counter: BufferSource;
+            length: number;
+        }
+        interface AesDerivedKeyParams extends Algorithm {
+            length: number;
+        }
+        interface AesGcmParams extends Algorithm {
+            additionalData?: BufferSource;
+            iv: BufferSource;
+            tagLength?: number;
+        }
+        interface AesKeyAlgorithm extends KeyAlgorithm {
+            length: number;
+        }
+        interface AesKeyGenParams extends Algorithm {
+            length: number;
+        }
+        interface Algorithm {
+            name: string;
+        }
+        interface EcKeyAlgorithm extends KeyAlgorithm {
+            namedCurve: NamedCurve;
+        }
+        interface EcKeyGenParams extends Algorithm {
+            namedCurve: NamedCurve;
+        }
+        interface EcKeyImportParams extends Algorithm {
+            namedCurve: NamedCurve;
+        }
+        interface EcdhKeyDeriveParams extends Algorithm {
+            public: CryptoKey;
+        }
+        interface EcdsaParams extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+        }
+        interface Ed448Params extends Algorithm {
+            context?: BufferSource;
+        }
+        interface HkdfParams extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+            info: BufferSource;
+            salt: BufferSource;
+        }
+        interface HmacImportParams extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+            length?: number;
+        }
+        interface HmacKeyAlgorithm extends KeyAlgorithm {
+            hash: KeyAlgorithm;
+            length: number;
+        }
+        interface HmacKeyGenParams extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+            length?: number;
+        }
+        interface JsonWebKey {
+            alg?: string;
+            crv?: string;
+            d?: string;
+            dp?: string;
+            dq?: string;
+            e?: string;
+            ext?: boolean;
+            k?: string;
+            key_ops?: string[];
+            kty?: string;
+            n?: string;
+            oth?: RsaOtherPrimesInfo[];
+            p?: string;
+            q?: string;
+            qi?: string;
+            use?: string;
+            x?: string;
+            y?: string;
+        }
+        interface KeyAlgorithm {
+            name: string;
+        }
+        interface Pbkdf2Params extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+            iterations: number;
+            salt: BufferSource;
+        }
+        interface RsaHashedImportParams extends Algorithm {
+            hash: HashAlgorithmIdentifier;
+        }
+        interface RsaHashedKeyAlgorithm extends RsaKeyAlgorithm {
+            hash: KeyAlgorithm;
+        }
+        interface RsaHashedKeyGenParams extends RsaKeyGenParams {
+            hash: HashAlgorithmIdentifier;
+        }
+        interface RsaKeyAlgorithm extends KeyAlgorithm {
+            modulusLength: number;
+            publicExponent: BigInteger;
+        }
+        interface RsaKeyGenParams extends Algorithm {
+            modulusLength: number;
+            publicExponent: BigInteger;
+        }
+        interface RsaOaepParams extends Algorithm {
+            label?: BufferSource;
+        }
+        interface RsaOtherPrimesInfo {
+            d?: string;
+            r?: string;
+            t?: string;
+        }
+        interface RsaPssParams extends Algorithm {
+            saltLength: number;
+        }
+        /**
+         * Calling `require('node:crypto').webcrypto` returns an instance of the `Crypto` class.
+         * `Crypto` is a singleton that provides access to the remainder of the crypto API.
+         * @since v15.0.0
+         */
+        interface Crypto {
+            /**
+             * Provides access to the `SubtleCrypto` API.
+             * @since v15.0.0
+             */
+            readonly subtle: SubtleCrypto;
+            /**
+             * Generates cryptographically strong random values.
+             * The given `typedArray` is filled with random values, and a reference to `typedArray` is returned.
+             *
+             * The given `typedArray` must be an integer-based instance of {@link NodeJS.TypedArray}, i.e. `Float32Array` and `Float64Array` are not accepted.
+             *
+             * An error will be thrown if the given `typedArray` is larger than 65,536 bytes.
+             * @since v15.0.0
+             */
+            getRandomValues<T extends Exclude<NodeJS.TypedArray, Float32Array | Float64Array>>(typedArray: T): T;
+            /**
+             * Generates a random {@link https://www.rfc-editor.org/rfc/rfc4122.txt RFC 4122} version 4 UUID.
+             * The UUID is generated using a cryptographic pseudorandom number generator.
+             * @since v16.7.0
+             */
+            randomUUID(): UUID;
+            CryptoKey: CryptoKeyConstructor;
+        }
+        // This constructor throws ILLEGAL_CONSTRUCTOR so it should not be newable.
+        interface CryptoKeyConstructor {
+            /** Illegal constructor */
+            (_: { readonly _: unique symbol }): never; // Allows instanceof to work but not be callable by the user.
+            readonly length: 0;
+            readonly name: 'CryptoKey';
+            readonly prototype: CryptoKey;
+        }
+        /**
+         * @since v15.0.0
+         */
+        interface CryptoKey {
+            /**
+             * An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.
+             * @since v15.0.0
+             */
+            readonly algorithm: KeyAlgorithm;
+            /**
+             * When `true`, the {@link CryptoKey} can be extracted using either `subtleCrypto.exportKey()` or `subtleCrypto.wrapKey()`.
+             * @since v15.0.0
+             */
+            readonly extractable: boolean;
+            /**
+             * A string identifying whether the key is a symmetric (`'secret'`) or asymmetric (`'private'` or `'public'`) key.
+             * @since v15.0.0
+             */
+            readonly type: KeyType;
+            /**
+             * An array of strings identifying the operations for which the key may be used.
+             *
+             * The possible usages are:
+             * - `'encrypt'` - The key may be used to encrypt data.
+             * - `'decrypt'` - The key may be used to decrypt data.
+             * - `'sign'` - The key may be used to generate digital signatures.
+             * - `'verify'` - The key may be used to verify digital signatures.
+             * - `'deriveKey'` - The key may be used to derive a new key.
+             * - `'deriveBits'` - The key may be used to derive bits.
+             * - `'wrapKey'` - The key may be used to wrap another key.
+             * - `'unwrapKey'` - The key may be used to unwrap another key.
+             *
+             * Valid key usages depend on the key algorithm (identified by `cryptokey.algorithm.name`).
+             * @since v15.0.0
+             */
+            readonly usages: KeyUsage[];
+        }
+        /**
+         * The `CryptoKeyPair` is a simple dictionary object with `publicKey` and `privateKey` properties, representing an asymmetric key pair.
+         * @since v15.0.0
+         */
+        interface CryptoKeyPair {
+            /**
+             * A {@link CryptoKey} whose type will be `'private'`.
+             * @since v15.0.0
+             */
+            privateKey: CryptoKey;
+            /**
+             * A {@link CryptoKey} whose type will be `'public'`.
+             * @since v15.0.0
+             */
+            publicKey: CryptoKey;
+        }
+        /**
+         * @since v15.0.0
+         */
+        interface SubtleCrypto {
+            /**
+             * Using the method and parameters specified in `algorithm` and the keying material provided by `key`,
+             * `subtle.decrypt()` attempts to decipher the provided `data`. If successful,
+             * the returned promise will be resolved with an `<ArrayBuffer>` containing the plaintext result.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'RSA-OAEP'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * @since v15.0.0
+             */
+            decrypt(algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams, key: CryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+            /**
+             * Using the method and parameters specified in `algorithm` and the keying material provided by `baseKey`,
+             * `subtle.deriveBits()` attempts to generate `length` bits.
+             * The Node.js implementation requires that when `length` is a number it must be multiple of `8`.
+             * When `length` is `null` the maximum number of bits for a given algorithm is generated. This is allowed
+             * for the `'ECDH'`, `'X25519'`, and `'X448'` algorithms.
+             * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the generated data.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'ECDH'`
+             * - `'X25519'`
+             * - `'X448'`
+             * - `'HKDF'`
+             * - `'PBKDF2'`
+             * @since v15.0.0
+             */
+            deriveBits(algorithm: EcdhKeyDeriveParams, baseKey: CryptoKey, length: number | null): Promise<ArrayBuffer>;
+            deriveBits(algorithm: AlgorithmIdentifier | HkdfParams | Pbkdf2Params, baseKey: CryptoKey, length: number): Promise<ArrayBuffer>;
+            /**
+             * Using the method and parameters specified in `algorithm`, and the keying material provided by `baseKey`,
+             * `subtle.deriveKey()` attempts to generate a new <CryptoKey>` based on the method and parameters in `derivedKeyAlgorithm`.
+             *
+             * Calling `subtle.deriveKey()` is equivalent to calling `subtle.deriveBits()` to generate raw keying material,
+             * then passing the result into the `subtle.importKey()` method using the `deriveKeyAlgorithm`, `extractable`, and `keyUsages` parameters as input.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'ECDH'`
+             * - `'X25519'`
+             * - `'X448'`
+             * - `'HKDF'`
+             * - `'PBKDF2'`
+             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
+             * @since v15.0.0
+             */
+            deriveKey(
+                algorithm: AlgorithmIdentifier | EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params,
+                baseKey: CryptoKey,
+                derivedKeyAlgorithm: AlgorithmIdentifier | AesDerivedKeyParams | HmacImportParams | HkdfParams | Pbkdf2Params,
+                extractable: boolean,
+                keyUsages: ReadonlyArray<KeyUsage>
+            ): Promise<CryptoKey>;
+            /**
+             * Using the method identified by `algorithm`, `subtle.digest()` attempts to generate a digest of `data`.
+             * If successful, the returned promise is resolved with an `<ArrayBuffer>` containing the computed digest.
+             *
+             * If `algorithm` is provided as a `<string>`, it must be one of:
+             *
+             * - `'SHA-1'`
+             * - `'SHA-256'`
+             * - `'SHA-384'`
+             * - `'SHA-512'`
+             *
+             * If `algorithm` is provided as an `<Object>`, it must have a `name` property whose value is one of the above.
+             * @since v15.0.0
+             */
+            digest(algorithm: AlgorithmIdentifier, data: BufferSource): Promise<ArrayBuffer>;
+            /**
+             * Using the method and parameters specified by `algorithm` and the keying material provided by `key`,
+             * `subtle.encrypt()` attempts to encipher `data`. If successful,
+             * the returned promise is resolved with an `<ArrayBuffer>` containing the encrypted result.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'RSA-OAEP'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * @since v15.0.0
+             */
+            encrypt(algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams, key: CryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+            /**
+             * Exports the given key into the specified format, if supported.
+             *
+             * If the `<CryptoKey>` is not extractable, the returned promise will reject.
+             *
+             * When `format` is either `'pkcs8'` or `'spki'` and the export is successful,
+             * the returned promise will be resolved with an `<ArrayBuffer>` containing the exported key data.
+             *
+             * When `format` is `'jwk'` and the export is successful, the returned promise will be resolved with a
+             * JavaScript object conforming to the {@link https://tools.ietf.org/html/rfc7517 JSON Web Key} specification.
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @returns `<Promise>` containing `<ArrayBuffer>`.
+             * @since v15.0.0
+             */
+            exportKey(format: 'jwk', key: CryptoKey): Promise<JsonWebKey>;
+            exportKey(format: Exclude<KeyFormat, 'jwk'>, key: CryptoKey): Promise<ArrayBuffer>;
+            /**
+             * Using the method and parameters provided in `algorithm`,
+             * `subtle.generateKey()` attempts to generate new keying material.
+             * Depending the method used, the method may generate either a single `<CryptoKey>` or a `<CryptoKeyPair>`.
+             *
+             * The `<CryptoKeyPair>` (public and private key) generating algorithms supported include:
+             *
+             * - `'RSASSA-PKCS1-v1_5'`
+             * - `'RSA-PSS'`
+             * - `'RSA-OAEP'`
+             * - `'ECDSA'`
+             * - `'Ed25519'`
+             * - `'Ed448'`
+             * - `'ECDH'`
+             * - `'X25519'`
+             * - `'X448'`
+             * The `<CryptoKey>` (secret key) generating algorithms supported include:
+             *
+             * - `'HMAC'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * - `'AES-KW'`
+             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
+             * @since v15.0.0
+             */
+            generateKey(algorithm: RsaHashedKeyGenParams | EcKeyGenParams, extractable: boolean, keyUsages: ReadonlyArray<KeyUsage>): Promise<CryptoKeyPair>;
+            generateKey(algorithm: AesKeyGenParams | HmacKeyGenParams | Pbkdf2Params, extractable: boolean, keyUsages: ReadonlyArray<KeyUsage>): Promise<CryptoKey>;
+            generateKey(algorithm: AlgorithmIdentifier, extractable: boolean, keyUsages: KeyUsage[]): Promise<CryptoKeyPair | CryptoKey>;
+            /**
+             * The `subtle.importKey()` method attempts to interpret the provided `keyData` as the given `format`
+             * to create a `<CryptoKey>` instance using the provided `algorithm`, `extractable`, and `keyUsages` arguments.
+             * If the import is successful, the returned promise will be resolved with the created `<CryptoKey>`.
+             *
+             * If importing a `'PBKDF2'` key, `extractable` must be `false`.
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
+             * @since v15.0.0
+             */
+            importKey(
+                format: 'jwk',
+                keyData: JsonWebKey,
+                algorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,
+                extractable: boolean,
+                keyUsages: ReadonlyArray<KeyUsage>
+            ): Promise<CryptoKey>;
+            importKey(
+                format: Exclude<KeyFormat, 'jwk'>,
+                keyData: BufferSource,
+                algorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,
+                extractable: boolean,
+                keyUsages: KeyUsage[]
+            ): Promise<CryptoKey>;
+            /**
+             * Using the method and parameters given by `algorithm` and the keying material provided by `key`,
+             * `subtle.sign()` attempts to generate a cryptographic signature of `data`. If successful,
+             * the returned promise is resolved with an `<ArrayBuffer>` containing the generated signature.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'RSASSA-PKCS1-v1_5'`
+             * - `'RSA-PSS'`
+             * - `'ECDSA'`
+             * - `'Ed25519'`
+             * - `'Ed448'`
+             * - `'HMAC'`
+             * @since v15.0.0
+             */
+            sign(algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params, key: CryptoKey, data: BufferSource): Promise<ArrayBuffer>;
+            /**
+             * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
+             * The `subtle.unwrapKey()` method attempts to decrypt a wrapped key and create a `<CryptoKey>` instance.
+             * It is equivalent to calling `subtle.decrypt()` first on the encrypted key data (using the `wrappedKey`, `unwrapAlgo`, and `unwrappingKey` arguments as input)
+             * then passing the results in to the `subtle.importKey()` method using the `unwrappedKeyAlgo`, `extractable`, and `keyUsages` arguments as inputs.
+             * If successful, the returned promise is resolved with a `<CryptoKey>` object.
+             *
+             * The wrapping algorithms currently supported include:
+             *
+             * - `'RSA-OAEP'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * - `'AES-KW'`
+             *
+             * The unwrapped key algorithms supported include:
+             *
+             * - `'RSASSA-PKCS1-v1_5'`
+             * - `'RSA-PSS'`
+             * - `'RSA-OAEP'`
+             * - `'ECDSA'`
+             * - `'Ed25519'`
+             * - `'Ed448'`
+             * - `'ECDH'`
+             * - `'X25519'`
+             * - `'X448'`
+             * - `'HMAC'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * - `'AES-KW'`
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
+             * @since v15.0.0
+             */
+            unwrapKey(
+                format: KeyFormat,
+                wrappedKey: BufferSource,
+                unwrappingKey: CryptoKey,
+                unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                unwrappedKeyAlgorithm: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm,
+                extractable: boolean,
+                keyUsages: KeyUsage[]
+            ): Promise<CryptoKey>;
+            /**
+             * Using the method and parameters given in `algorithm` and the keying material provided by `key`,
+             * `subtle.verify()` attempts to verify that `signature` is a valid cryptographic signature of `data`.
+             * The returned promise is resolved with either `true` or `false`.
+             *
+             * The algorithms currently supported include:
+             *
+             * - `'RSASSA-PKCS1-v1_5'`
+             * - `'RSA-PSS'`
+             * - `'ECDSA'`
+             * - `'Ed25519'`
+             * - `'Ed448'`
+             * - `'HMAC'`
+             * @since v15.0.0
+             */
+            verify(algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params, key: CryptoKey, signature: BufferSource, data: BufferSource): Promise<boolean>;
+            /**
+             * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
+             * The `subtle.wrapKey()` method exports the keying material into the format identified by `format`,
+             * then encrypts it using the method and parameters specified by `wrapAlgo` and the keying material provided by `wrappingKey`.
+             * It is the equivalent to calling `subtle.exportKey()` using `format` and `key` as the arguments,
+             * then passing the result to the `subtle.encrypt()` method using `wrappingKey` and `wrapAlgo` as inputs.
+             * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the encrypted key data.
+             *
+             * The wrapping algorithms currently supported include:
+             *
+             * - `'RSA-OAEP'`
+             * - `'AES-CTR'`
+             * - `'AES-CBC'`
+             * - `'AES-GCM'`
+             * - `'AES-KW'`
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @since v15.0.0
+             */
+            wrapKey(format: KeyFormat, key: CryptoKey, wrappingKey: CryptoKey, wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams): Promise<ArrayBuffer>;
+        }
     }
 }
 declare module 'node:crypto' {