rahad-media-downloader 2.1.12 → 2.1.14

Sign up to get free protection for your applications and to get access to all the features.
Files changed (233) hide show
  1. package/.cache/replit/modules/nodejs-20.res +1 -0
  2. package/.cache/replit/modules/replit.res +1 -0
  3. package/.cache/typescript/5.4/node_modules/.package-lock.json +185 -0
  4. package/.cache/typescript/5.4/node_modules/@types/caseless/LICENSE +21 -0
  5. package/.cache/typescript/5.4/node_modules/@types/caseless/README.md +48 -0
  6. package/.cache/typescript/5.4/node_modules/@types/caseless/index.d.ts +29 -0
  7. package/.cache/typescript/5.4/node_modules/@types/caseless/package.json +35 -0
  8. package/.cache/typescript/5.4/node_modules/@types/domhandler/LICENSE +21 -0
  9. package/.cache/typescript/5.4/node_modules/@types/domhandler/README.md +92 -0
  10. package/.cache/typescript/5.4/node_modules/@types/domhandler/index.d.ts +73 -0
  11. package/.cache/typescript/5.4/node_modules/@types/domhandler/package.json +25 -0
  12. package/.cache/typescript/5.4/node_modules/@types/domutils/LICENSE +21 -0
  13. package/.cache/typescript/5.4/node_modules/@types/domutils/README.md +15 -0
  14. package/.cache/typescript/5.4/node_modules/@types/domutils/index.d.ts +124 -0
  15. package/.cache/typescript/5.4/node_modules/@types/domutils/package.json +27 -0
  16. package/.cache/typescript/5.4/node_modules/@types/htmlparser2/LICENSE +21 -0
  17. package/.cache/typescript/5.4/node_modules/@types/htmlparser2/README.md +15 -0
  18. package/.cache/typescript/5.4/node_modules/@types/htmlparser2/index.d.ts +120 -0
  19. package/.cache/typescript/5.4/node_modules/@types/htmlparser2/package.json +45 -0
  20. package/.cache/typescript/5.4/node_modules/@types/node/LICENSE +21 -0
  21. package/.cache/typescript/5.4/node_modules/@types/node/README.md +15 -0
  22. package/.cache/typescript/5.4/node_modules/@types/node/assert/strict.d.ts +8 -0
  23. package/.cache/typescript/5.4/node_modules/@types/node/assert.d.ts +1040 -0
  24. package/.cache/typescript/5.4/node_modules/@types/node/async_hooks.d.ts +541 -0
  25. package/.cache/typescript/5.4/node_modules/@types/node/buffer.d.ts +2363 -0
  26. package/.cache/typescript/5.4/node_modules/@types/node/child_process.d.ts +1542 -0
  27. package/.cache/typescript/5.4/node_modules/@types/node/cluster.d.ts +578 -0
  28. package/.cache/typescript/5.4/node_modules/@types/node/console.d.ts +452 -0
  29. package/.cache/typescript/5.4/node_modules/@types/node/constants.d.ts +19 -0
  30. package/.cache/typescript/5.4/node_modules/@types/node/crypto.d.ts +4522 -0
  31. package/.cache/typescript/5.4/node_modules/@types/node/dgram.d.ts +596 -0
  32. package/.cache/typescript/5.4/node_modules/@types/node/diagnostics_channel.d.ts +545 -0
  33. package/.cache/typescript/5.4/node_modules/@types/node/dns/promises.d.ts +473 -0
  34. package/.cache/typescript/5.4/node_modules/@types/node/dns.d.ts +853 -0
  35. package/.cache/typescript/5.4/node_modules/@types/node/dom-events.d.ts +124 -0
  36. package/.cache/typescript/5.4/node_modules/@types/node/domain.d.ts +170 -0
  37. package/.cache/typescript/5.4/node_modules/@types/node/events.d.ts +884 -0
  38. package/.cache/typescript/5.4/node_modules/@types/node/fs/promises.d.ts +1245 -0
  39. package/.cache/typescript/5.4/node_modules/@types/node/fs.d.ts +4317 -0
  40. package/.cache/typescript/5.4/node_modules/@types/node/globals.d.ts +411 -0
  41. package/.cache/typescript/5.4/node_modules/@types/node/globals.global.d.ts +1 -0
  42. package/.cache/typescript/5.4/node_modules/@types/node/http.d.ts +1889 -0
  43. package/.cache/typescript/5.4/node_modules/@types/node/http2.d.ts +2418 -0
  44. package/.cache/typescript/5.4/node_modules/@types/node/https.d.ts +550 -0
  45. package/.cache/typescript/5.4/node_modules/@types/node/index.d.ts +89 -0
  46. package/.cache/typescript/5.4/node_modules/@types/node/inspector.d.ts +2746 -0
  47. package/.cache/typescript/5.4/node_modules/@types/node/module.d.ts +315 -0
  48. package/.cache/typescript/5.4/node_modules/@types/node/net.d.ts +996 -0
  49. package/.cache/typescript/5.4/node_modules/@types/node/os.d.ts +495 -0
  50. package/.cache/typescript/5.4/node_modules/@types/node/package.json +217 -0
  51. package/.cache/typescript/5.4/node_modules/@types/node/path.d.ts +191 -0
  52. package/.cache/typescript/5.4/node_modules/@types/node/perf_hooks.d.ts +645 -0
  53. package/.cache/typescript/5.4/node_modules/@types/node/process.d.ts +1747 -0
  54. package/.cache/typescript/5.4/node_modules/@types/node/punycode.d.ts +117 -0
  55. package/.cache/typescript/5.4/node_modules/@types/node/querystring.d.ts +153 -0
  56. package/.cache/typescript/5.4/node_modules/@types/node/readline/promises.d.ts +150 -0
  57. package/.cache/typescript/5.4/node_modules/@types/node/readline.d.ts +540 -0
  58. package/.cache/typescript/5.4/node_modules/@types/node/repl.d.ts +430 -0
  59. package/.cache/typescript/5.4/node_modules/@types/node/sea.d.ts +153 -0
  60. package/.cache/typescript/5.4/node_modules/@types/node/stream/consumers.d.ts +12 -0
  61. package/.cache/typescript/5.4/node_modules/@types/node/stream/promises.d.ts +83 -0
  62. package/.cache/typescript/5.4/node_modules/@types/node/stream/web.d.ts +367 -0
  63. package/.cache/typescript/5.4/node_modules/@types/node/stream.d.ts +1707 -0
  64. package/.cache/typescript/5.4/node_modules/@types/node/string_decoder.d.ts +67 -0
  65. package/.cache/typescript/5.4/node_modules/@types/node/test.d.ts +1470 -0
  66. package/.cache/typescript/5.4/node_modules/@types/node/timers/promises.d.ts +97 -0
  67. package/.cache/typescript/5.4/node_modules/@types/node/timers.d.ts +240 -0
  68. package/.cache/typescript/5.4/node_modules/@types/node/tls.d.ts +1217 -0
  69. package/.cache/typescript/5.4/node_modules/@types/node/trace_events.d.ts +197 -0
  70. package/.cache/typescript/5.4/node_modules/@types/node/tty.d.ts +208 -0
  71. package/.cache/typescript/5.4/node_modules/@types/node/url.d.ts +944 -0
  72. package/.cache/typescript/5.4/node_modules/@types/node/util.d.ts +2276 -0
  73. package/.cache/typescript/5.4/node_modules/@types/node/v8.d.ts +764 -0
  74. package/.cache/typescript/5.4/node_modules/@types/node/vm.d.ts +921 -0
  75. package/.cache/typescript/5.4/node_modules/@types/node/wasi.d.ts +181 -0
  76. package/.cache/typescript/5.4/node_modules/@types/node/worker_threads.d.ts +691 -0
  77. package/.cache/typescript/5.4/node_modules/@types/node/zlib.d.ts +530 -0
  78. package/.cache/typescript/5.4/node_modules/@types/node-fetch/LICENSE +21 -0
  79. package/.cache/typescript/5.4/node_modules/@types/node-fetch/README.md +15 -0
  80. package/.cache/typescript/5.4/node_modules/@types/node-fetch/externals.d.ts +32 -0
  81. package/.cache/typescript/5.4/node_modules/@types/node-fetch/index.d.ts +238 -0
  82. package/.cache/typescript/5.4/node_modules/@types/node-fetch/package.json +83 -0
  83. package/.cache/typescript/5.4/node_modules/@types/qs/LICENSE +21 -0
  84. package/.cache/typescript/5.4/node_modules/@types/qs/README.md +15 -0
  85. package/.cache/typescript/5.4/node_modules/@types/qs/index.d.ts +79 -0
  86. package/.cache/typescript/5.4/node_modules/@types/qs/package.json +65 -0
  87. package/.cache/typescript/5.4/node_modules/@types/request/LICENSE +21 -0
  88. package/.cache/typescript/5.4/node_modules/@types/request/README.md +15 -0
  89. package/.cache/typescript/5.4/node_modules/@types/request/index.d.ts +395 -0
  90. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/License +19 -0
  91. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/README.md +350 -0
  92. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/README.md.bak +350 -0
  93. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/index.d.ts +51 -0
  94. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/lib/browser.js +2 -0
  95. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/lib/form_data.js +483 -0
  96. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/lib/populate.js +10 -0
  97. package/.cache/typescript/5.4/node_modules/@types/request/node_modules/form-data/package.json +68 -0
  98. package/.cache/typescript/5.4/node_modules/@types/request/package.json +70 -0
  99. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/LICENSE +21 -0
  100. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/README.md +15 -0
  101. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/index.d.ts +321 -0
  102. package/.cache/typescript/5.4/node_modules/@types/tough-cookie/package.json +35 -0
  103. package/.cache/typescript/5.4/node_modules/asynckit/LICENSE +21 -0
  104. package/.cache/typescript/5.4/node_modules/asynckit/README.md +233 -0
  105. package/.cache/typescript/5.4/node_modules/asynckit/bench.js +76 -0
  106. package/.cache/typescript/5.4/node_modules/asynckit/index.js +6 -0
  107. package/.cache/typescript/5.4/node_modules/asynckit/lib/abort.js +29 -0
  108. package/.cache/typescript/5.4/node_modules/asynckit/lib/async.js +34 -0
  109. package/.cache/typescript/5.4/node_modules/asynckit/lib/defer.js +26 -0
  110. package/.cache/typescript/5.4/node_modules/asynckit/lib/iterate.js +75 -0
  111. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_asynckit.js +91 -0
  112. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_parallel.js +25 -0
  113. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_serial.js +25 -0
  114. package/.cache/typescript/5.4/node_modules/asynckit/lib/readable_serial_ordered.js +29 -0
  115. package/.cache/typescript/5.4/node_modules/asynckit/lib/state.js +37 -0
  116. package/.cache/typescript/5.4/node_modules/asynckit/lib/streamify.js +141 -0
  117. package/.cache/typescript/5.4/node_modules/asynckit/lib/terminator.js +29 -0
  118. package/.cache/typescript/5.4/node_modules/asynckit/package.json +63 -0
  119. package/.cache/typescript/5.4/node_modules/asynckit/parallel.js +43 -0
  120. package/.cache/typescript/5.4/node_modules/asynckit/serial.js +17 -0
  121. package/.cache/typescript/5.4/node_modules/asynckit/serialOrdered.js +75 -0
  122. package/.cache/typescript/5.4/node_modules/asynckit/stream.js +21 -0
  123. package/.cache/typescript/5.4/node_modules/combined-stream/License +19 -0
  124. package/.cache/typescript/5.4/node_modules/combined-stream/Readme.md +138 -0
  125. package/.cache/typescript/5.4/node_modules/combined-stream/lib/combined_stream.js +208 -0
  126. package/.cache/typescript/5.4/node_modules/combined-stream/package.json +25 -0
  127. package/.cache/typescript/5.4/node_modules/combined-stream/yarn.lock +17 -0
  128. package/.cache/typescript/5.4/node_modules/delayed-stream/License +19 -0
  129. package/.cache/typescript/5.4/node_modules/delayed-stream/Makefile +7 -0
  130. package/.cache/typescript/5.4/node_modules/delayed-stream/Readme.md +141 -0
  131. package/.cache/typescript/5.4/node_modules/delayed-stream/lib/delayed_stream.js +107 -0
  132. package/.cache/typescript/5.4/node_modules/delayed-stream/package.json +27 -0
  133. package/.cache/typescript/5.4/node_modules/domelementtype/LICENSE +11 -0
  134. package/.cache/typescript/5.4/node_modules/domelementtype/index.js +15 -0
  135. package/.cache/typescript/5.4/node_modules/domelementtype/package.json +16 -0
  136. package/.cache/typescript/5.4/node_modules/domelementtype/readme.md +1 -0
  137. package/.cache/typescript/5.4/node_modules/domhandler/.travis.yml +6 -0
  138. package/.cache/typescript/5.4/node_modules/domhandler/LICENSE +11 -0
  139. package/.cache/typescript/5.4/node_modules/domhandler/index.js +217 -0
  140. package/.cache/typescript/5.4/node_modules/domhandler/lib/element.js +20 -0
  141. package/.cache/typescript/5.4/node_modules/domhandler/lib/node.js +44 -0
  142. package/.cache/typescript/5.4/node_modules/domhandler/package.json +41 -0
  143. package/.cache/typescript/5.4/node_modules/domhandler/readme.md +116 -0
  144. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/01-basic.json +57 -0
  145. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/02-single_tag_1.json +21 -0
  146. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/03-single_tag_2.json +21 -0
  147. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/04-unescaped_in_script.json +27 -0
  148. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/05-tags_in_comment.json +18 -0
  149. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/06-comment_in_script.json +18 -0
  150. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/07-unescaped_in_style.json +20 -0
  151. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/08-extra_spaces_in_tag.json +20 -0
  152. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/09-unquoted_attrib.json +20 -0
  153. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/10-singular_attribute.json +15 -0
  154. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/11-text_outside_tags.json +40 -0
  155. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/12-text_only.json +11 -0
  156. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/13-comment_in_text.json +19 -0
  157. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/14-comment_in_text_in_script.json +18 -0
  158. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/15-non-verbose.json +22 -0
  159. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/16-normalize_whitespace.json +47 -0
  160. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/17-xml_namespace.json +18 -0
  161. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/18-enforce_empty_tags.json +16 -0
  162. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/19-ignore_empty_tags.json +20 -0
  163. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/20-template_script_tags.json +20 -0
  164. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/21-conditional_comments.json +15 -0
  165. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/22-lowercase_tags.json +41 -0
  166. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/23-dom-lvl1.json +131 -0
  167. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/24-with-start-indices.json +85 -0
  168. package/.cache/typescript/5.4/node_modules/domhandler/test/cases/25-with-end-indices.json +86 -0
  169. package/.cache/typescript/5.4/node_modules/domhandler/test/tests.js +60 -0
  170. package/.cache/typescript/5.4/node_modules/form-data/License +19 -0
  171. package/.cache/typescript/5.4/node_modules/form-data/README.md.bak +358 -0
  172. package/.cache/typescript/5.4/node_modules/form-data/Readme.md +358 -0
  173. package/.cache/typescript/5.4/node_modules/form-data/index.d.ts +62 -0
  174. package/.cache/typescript/5.4/node_modules/form-data/lib/browser.js +2 -0
  175. package/.cache/typescript/5.4/node_modules/form-data/lib/form_data.js +501 -0
  176. package/.cache/typescript/5.4/node_modules/form-data/lib/populate.js +10 -0
  177. package/.cache/typescript/5.4/node_modules/form-data/package.json +68 -0
  178. package/.cache/typescript/5.4/node_modules/mime-db/HISTORY.md +507 -0
  179. package/.cache/typescript/5.4/node_modules/mime-db/LICENSE +23 -0
  180. package/.cache/typescript/5.4/node_modules/mime-db/README.md +100 -0
  181. package/.cache/typescript/5.4/node_modules/mime-db/db.json +8519 -0
  182. package/.cache/typescript/5.4/node_modules/mime-db/index.js +12 -0
  183. package/.cache/typescript/5.4/node_modules/mime-db/package.json +60 -0
  184. package/.cache/typescript/5.4/node_modules/mime-types/HISTORY.md +397 -0
  185. package/.cache/typescript/5.4/node_modules/mime-types/LICENSE +23 -0
  186. package/.cache/typescript/5.4/node_modules/mime-types/README.md +113 -0
  187. package/.cache/typescript/5.4/node_modules/mime-types/index.js +188 -0
  188. package/.cache/typescript/5.4/node_modules/mime-types/package.json +44 -0
  189. package/.cache/typescript/5.4/node_modules/types-registry/README.md +2 -0
  190. package/.cache/typescript/5.4/node_modules/types-registry/index.json +1 -0
  191. package/.cache/typescript/5.4/node_modules/types-registry/package.json +20 -0
  192. package/.cache/typescript/5.4/node_modules/undici-types/README.md +6 -0
  193. package/.cache/typescript/5.4/node_modules/undici-types/agent.d.ts +31 -0
  194. package/.cache/typescript/5.4/node_modules/undici-types/api.d.ts +43 -0
  195. package/.cache/typescript/5.4/node_modules/undici-types/balanced-pool.d.ts +18 -0
  196. package/.cache/typescript/5.4/node_modules/undici-types/cache.d.ts +36 -0
  197. package/.cache/typescript/5.4/node_modules/undici-types/client.d.ts +97 -0
  198. package/.cache/typescript/5.4/node_modules/undici-types/connector.d.ts +34 -0
  199. package/.cache/typescript/5.4/node_modules/undici-types/content-type.d.ts +21 -0
  200. package/.cache/typescript/5.4/node_modules/undici-types/cookies.d.ts +28 -0
  201. package/.cache/typescript/5.4/node_modules/undici-types/diagnostics-channel.d.ts +67 -0
  202. package/.cache/typescript/5.4/node_modules/undici-types/dispatcher.d.ts +241 -0
  203. package/.cache/typescript/5.4/node_modules/undici-types/errors.d.ts +128 -0
  204. package/.cache/typescript/5.4/node_modules/undici-types/fetch.d.ts +209 -0
  205. package/.cache/typescript/5.4/node_modules/undici-types/file.d.ts +39 -0
  206. package/.cache/typescript/5.4/node_modules/undici-types/filereader.d.ts +54 -0
  207. package/.cache/typescript/5.4/node_modules/undici-types/formdata.d.ts +108 -0
  208. package/.cache/typescript/5.4/node_modules/undici-types/global-dispatcher.d.ts +9 -0
  209. package/.cache/typescript/5.4/node_modules/undici-types/global-origin.d.ts +7 -0
  210. package/.cache/typescript/5.4/node_modules/undici-types/handlers.d.ts +9 -0
  211. package/.cache/typescript/5.4/node_modules/undici-types/header.d.ts +4 -0
  212. package/.cache/typescript/5.4/node_modules/undici-types/index.d.ts +63 -0
  213. package/.cache/typescript/5.4/node_modules/undici-types/interceptors.d.ts +5 -0
  214. package/.cache/typescript/5.4/node_modules/undici-types/mock-agent.d.ts +50 -0
  215. package/.cache/typescript/5.4/node_modules/undici-types/mock-client.d.ts +25 -0
  216. package/.cache/typescript/5.4/node_modules/undici-types/mock-errors.d.ts +12 -0
  217. package/.cache/typescript/5.4/node_modules/undici-types/mock-interceptor.d.ts +93 -0
  218. package/.cache/typescript/5.4/node_modules/undici-types/mock-pool.d.ts +25 -0
  219. package/.cache/typescript/5.4/node_modules/undici-types/package.json +55 -0
  220. package/.cache/typescript/5.4/node_modules/undici-types/patch.d.ts +71 -0
  221. package/.cache/typescript/5.4/node_modules/undici-types/pool-stats.d.ts +19 -0
  222. package/.cache/typescript/5.4/node_modules/undici-types/pool.d.ts +28 -0
  223. package/.cache/typescript/5.4/node_modules/undici-types/proxy-agent.d.ts +30 -0
  224. package/.cache/typescript/5.4/node_modules/undici-types/readable.d.ts +61 -0
  225. package/.cache/typescript/5.4/node_modules/undici-types/webidl.d.ts +220 -0
  226. package/.cache/typescript/5.4/node_modules/undici-types/websocket.d.ts +131 -0
  227. package/.cache/typescript/5.4/package-lock.json +197 -0
  228. package/.cache/typescript/5.4/package.json +1 -0
  229. package/README.md +61 -2
  230. package/index.js +1 -1
  231. package/package.json +11 -2
  232. package/.cache/replit/modules/nodejs-20:v36-20240502-f4453db.res +0 -1
  233. package/.cache/replit/modules/replit:v9-20240429-0325cbb.res +0 -1
@@ -0,0 +1,4522 @@
1
+ /**
2
+ * The `node:crypto` module provides cryptographic functionality that includes a
3
+ * set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify
4
+ * functions.
5
+ *
6
+ * ```js
7
+ * const { createHmac } = await import('node:crypto');
8
+ *
9
+ * const secret = 'abcdefg';
10
+ * const hash = createHmac('sha256', secret)
11
+ * .update('I love cupcakes')
12
+ * .digest('hex');
13
+ * console.log(hash);
14
+ * // Prints:
15
+ * // c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
16
+ * ```
17
+ * @see [source](https://github.com/nodejs/node/blob/v20.12.2/lib/crypto.js)
18
+ */
19
+ declare module "crypto" {
20
+ import * as stream from "node:stream";
21
+ import { PeerCertificate } from "node:tls";
22
+ /**
23
+ * SPKAC is a Certificate Signing Request mechanism originally implemented by
24
+ * Netscape and was specified formally as part of HTML5's `keygen` element.
25
+ *
26
+ * `<keygen>` is deprecated since [HTML 5.2](https://www.w3.org/TR/html52/changes.html#features-removed) and new projects
27
+ * should not use this element anymore.
28
+ *
29
+ * The `node:crypto` module provides the `Certificate` class for working with SPKAC
30
+ * data. The most common usage is handling output generated by the HTML5 `<keygen>` element. Node.js uses [OpenSSL's SPKAC
31
+ * implementation](https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html) internally.
32
+ * @since v0.11.8
33
+ */
34
+ class Certificate {
35
+ /**
36
+ * ```js
37
+ * const { Certificate } = await import('node:crypto');
38
+ * const spkac = getSpkacSomehow();
39
+ * const challenge = Certificate.exportChallenge(spkac);
40
+ * console.log(challenge.toString('utf8'));
41
+ * // Prints: the challenge as a UTF8 string
42
+ * ```
43
+ * @since v9.0.0
44
+ * @param encoding The `encoding` of the `spkac` string.
45
+ * @return The challenge component of the `spkac` data structure, which includes a public key and a challenge.
46
+ */
47
+ static exportChallenge(spkac: BinaryLike): Buffer;
48
+ /**
49
+ * ```js
50
+ * const { Certificate } = await import('node:crypto');
51
+ * const spkac = getSpkacSomehow();
52
+ * const publicKey = Certificate.exportPublicKey(spkac);
53
+ * console.log(publicKey);
54
+ * // Prints: the public key as <Buffer ...>
55
+ * ```
56
+ * @since v9.0.0
57
+ * @param encoding The `encoding` of the `spkac` string.
58
+ * @return The public key component of the `spkac` data structure, which includes a public key and a challenge.
59
+ */
60
+ static exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
61
+ /**
62
+ * ```js
63
+ * import { Buffer } from 'node:buffer';
64
+ * const { Certificate } = await import('node:crypto');
65
+ *
66
+ * const spkac = getSpkacSomehow();
67
+ * console.log(Certificate.verifySpkac(Buffer.from(spkac)));
68
+ * // Prints: true or false
69
+ * ```
70
+ * @since v9.0.0
71
+ * @param encoding The `encoding` of the `spkac` string.
72
+ * @return `true` if the given `spkac` data structure is valid, `false` otherwise.
73
+ */
74
+ static verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
75
+ /**
76
+ * @deprecated
77
+ * @param spkac
78
+ * @returns The challenge component of the `spkac` data structure,
79
+ * which includes a public key and a challenge.
80
+ */
81
+ exportChallenge(spkac: BinaryLike): Buffer;
82
+ /**
83
+ * @deprecated
84
+ * @param spkac
85
+ * @param encoding The encoding of the spkac string.
86
+ * @returns The public key component of the `spkac` data structure,
87
+ * which includes a public key and a challenge.
88
+ */
89
+ exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer;
90
+ /**
91
+ * @deprecated
92
+ * @param spkac
93
+ * @returns `true` if the given `spkac` data structure is valid,
94
+ * `false` otherwise.
95
+ */
96
+ verifySpkac(spkac: NodeJS.ArrayBufferView): boolean;
97
+ }
98
+ namespace constants {
99
+ // https://nodejs.org/dist/latest-v20.x/docs/api/crypto.html#crypto-constants
100
+ const OPENSSL_VERSION_NUMBER: number;
101
+ /** Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. */
102
+ const SSL_OP_ALL: number;
103
+ /** Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode for TLS v1.3 */
104
+ const SSL_OP_ALLOW_NO_DHE_KEX: number;
105
+ /** Allows legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */
106
+ const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: number;
107
+ /** Attempts to use the server's preferences instead of the client's when selecting a cipher. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */
108
+ const SSL_OP_CIPHER_SERVER_PREFERENCE: number;
109
+ /** Instructs OpenSSL to use Cisco's version identifier of DTLS_BAD_VER. */
110
+ const SSL_OP_CISCO_ANYCONNECT: number;
111
+ /** Instructs OpenSSL to turn on cookie exchange. */
112
+ const SSL_OP_COOKIE_EXCHANGE: number;
113
+ /** Instructs OpenSSL to add server-hello extension from an early version of the cryptopro draft. */
114
+ const SSL_OP_CRYPTOPRO_TLSEXT_BUG: number;
115
+ /** Instructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability workaround added in OpenSSL 0.9.6d. */
116
+ const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: number;
117
+ /** Allows initial connection to servers that do not support RI. */
118
+ const SSL_OP_LEGACY_SERVER_CONNECT: number;
119
+ /** Instructs OpenSSL to disable support for SSL/TLS compression. */
120
+ const SSL_OP_NO_COMPRESSION: number;
121
+ /** Instructs OpenSSL to disable encrypt-then-MAC. */
122
+ const SSL_OP_NO_ENCRYPT_THEN_MAC: number;
123
+ const SSL_OP_NO_QUERY_MTU: number;
124
+ /** Instructs OpenSSL to disable renegotiation. */
125
+ const SSL_OP_NO_RENEGOTIATION: number;
126
+ /** Instructs OpenSSL to always start a new session when performing renegotiation. */
127
+ const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION: number;
128
+ /** Instructs OpenSSL to turn off SSL v2 */
129
+ const SSL_OP_NO_SSLv2: number;
130
+ /** Instructs OpenSSL to turn off SSL v3 */
131
+ const SSL_OP_NO_SSLv3: number;
132
+ /** Instructs OpenSSL to disable use of RFC4507bis tickets. */
133
+ const SSL_OP_NO_TICKET: number;
134
+ /** Instructs OpenSSL to turn off TLS v1 */
135
+ const SSL_OP_NO_TLSv1: number;
136
+ /** Instructs OpenSSL to turn off TLS v1.1 */
137
+ const SSL_OP_NO_TLSv1_1: number;
138
+ /** Instructs OpenSSL to turn off TLS v1.2 */
139
+ const SSL_OP_NO_TLSv1_2: number;
140
+ /** Instructs OpenSSL to turn off TLS v1.3 */
141
+ const SSL_OP_NO_TLSv1_3: number;
142
+ /** Instructs OpenSSL server to prioritize ChaCha20-Poly1305 when the client does. This option has no effect if `SSL_OP_CIPHER_SERVER_PREFERENCE` is not enabled. */
143
+ const SSL_OP_PRIORITIZE_CHACHA: number;
144
+ /** Instructs OpenSSL to disable version rollback attack detection. */
145
+ const SSL_OP_TLS_ROLLBACK_BUG: number;
146
+ const ENGINE_METHOD_RSA: number;
147
+ const ENGINE_METHOD_DSA: number;
148
+ const ENGINE_METHOD_DH: number;
149
+ const ENGINE_METHOD_RAND: number;
150
+ const ENGINE_METHOD_EC: number;
151
+ const ENGINE_METHOD_CIPHERS: number;
152
+ const ENGINE_METHOD_DIGESTS: number;
153
+ const ENGINE_METHOD_PKEY_METHS: number;
154
+ const ENGINE_METHOD_PKEY_ASN1_METHS: number;
155
+ const ENGINE_METHOD_ALL: number;
156
+ const ENGINE_METHOD_NONE: number;
157
+ const DH_CHECK_P_NOT_SAFE_PRIME: number;
158
+ const DH_CHECK_P_NOT_PRIME: number;
159
+ const DH_UNABLE_TO_CHECK_GENERATOR: number;
160
+ const DH_NOT_SUITABLE_GENERATOR: number;
161
+ const RSA_PKCS1_PADDING: number;
162
+ const RSA_SSLV23_PADDING: number;
163
+ const RSA_NO_PADDING: number;
164
+ const RSA_PKCS1_OAEP_PADDING: number;
165
+ const RSA_X931_PADDING: number;
166
+ const RSA_PKCS1_PSS_PADDING: number;
167
+ /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the digest size when signing or verifying. */
168
+ const RSA_PSS_SALTLEN_DIGEST: number;
169
+ /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the maximum permissible value when signing data. */
170
+ const RSA_PSS_SALTLEN_MAX_SIGN: number;
171
+ /** Causes the salt length for RSA_PKCS1_PSS_PADDING to be determined automatically when verifying a signature. */
172
+ const RSA_PSS_SALTLEN_AUTO: number;
173
+ const POINT_CONVERSION_COMPRESSED: number;
174
+ const POINT_CONVERSION_UNCOMPRESSED: number;
175
+ const POINT_CONVERSION_HYBRID: number;
176
+ /** Specifies the built-in default cipher list used by Node.js (colon-separated values). */
177
+ const defaultCoreCipherList: string;
178
+ /** Specifies the active default cipher list used by the current Node.js process (colon-separated values). */
179
+ const defaultCipherList: string;
180
+ }
181
+ interface HashOptions extends stream.TransformOptions {
182
+ /**
183
+ * For XOF hash functions such as `shake256`, the
184
+ * outputLength option can be used to specify the desired output length in bytes.
185
+ */
186
+ outputLength?: number | undefined;
187
+ }
188
+ /** @deprecated since v10.0.0 */
189
+ const fips: boolean;
190
+ /**
191
+ * Creates and returns a `Hash` object that can be used to generate hash digests
192
+ * using the given `algorithm`. Optional `options` argument controls stream
193
+ * behavior. For XOF hash functions such as `'shake256'`, the `outputLength` option
194
+ * can be used to specify the desired output length in bytes.
195
+ *
196
+ * The `algorithm` is dependent on the available algorithms supported by the
197
+ * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
198
+ * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
199
+ * display the available digest algorithms.
200
+ *
201
+ * Example: generating the sha256 sum of a file
202
+ *
203
+ * ```js
204
+ * import {
205
+ * createReadStream,
206
+ * } from 'node:fs';
207
+ * import { argv } from 'node:process';
208
+ * const {
209
+ * createHash,
210
+ * } = await import('node:crypto');
211
+ *
212
+ * const filename = argv[2];
213
+ *
214
+ * const hash = createHash('sha256');
215
+ *
216
+ * const input = createReadStream(filename);
217
+ * input.on('readable', () => {
218
+ * // Only one element is going to be produced by the
219
+ * // hash stream.
220
+ * const data = input.read();
221
+ * if (data)
222
+ * hash.update(data);
223
+ * else {
224
+ * console.log(`${hash.digest('hex')} ${filename}`);
225
+ * }
226
+ * });
227
+ * ```
228
+ * @since v0.1.92
229
+ * @param options `stream.transform` options
230
+ */
231
+ function createHash(algorithm: string, options?: HashOptions): Hash;
232
+ /**
233
+ * Creates and returns an `Hmac` object that uses the given `algorithm` and `key`.
234
+ * Optional `options` argument controls stream behavior.
235
+ *
236
+ * The `algorithm` is dependent on the available algorithms supported by the
237
+ * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
238
+ * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
239
+ * display the available digest algorithms.
240
+ *
241
+ * The `key` is the HMAC key used to generate the cryptographic HMAC hash. If it is
242
+ * a `KeyObject`, its type must be `secret`. If it is a string, please consider `caveats when using strings as inputs to cryptographic APIs`. If it was
243
+ * obtained from a cryptographically secure source of entropy, such as {@link randomBytes} or {@link generateKey}, its length should not
244
+ * exceed the block size of `algorithm` (e.g., 512 bits for SHA-256).
245
+ *
246
+ * Example: generating the sha256 HMAC of a file
247
+ *
248
+ * ```js
249
+ * import {
250
+ * createReadStream,
251
+ * } from 'node:fs';
252
+ * import { argv } from 'node:process';
253
+ * const {
254
+ * createHmac,
255
+ * } = await import('node:crypto');
256
+ *
257
+ * const filename = argv[2];
258
+ *
259
+ * const hmac = createHmac('sha256', 'a secret');
260
+ *
261
+ * const input = createReadStream(filename);
262
+ * input.on('readable', () => {
263
+ * // Only one element is going to be produced by the
264
+ * // hash stream.
265
+ * const data = input.read();
266
+ * if (data)
267
+ * hmac.update(data);
268
+ * else {
269
+ * console.log(`${hmac.digest('hex')} ${filename}`);
270
+ * }
271
+ * });
272
+ * ```
273
+ * @since v0.1.94
274
+ * @param options `stream.transform` options
275
+ */
276
+ function createHmac(algorithm: string, key: BinaryLike | KeyObject, options?: stream.TransformOptions): Hmac;
277
+ // https://nodejs.org/api/buffer.html#buffer_buffers_and_character_encodings
278
+ type BinaryToTextEncoding = "base64" | "base64url" | "hex" | "binary";
279
+ type CharacterEncoding = "utf8" | "utf-8" | "utf16le" | "utf-16le" | "latin1";
280
+ type LegacyCharacterEncoding = "ascii" | "binary" | "ucs2" | "ucs-2";
281
+ type Encoding = BinaryToTextEncoding | CharacterEncoding | LegacyCharacterEncoding;
282
+ type ECDHKeyFormat = "compressed" | "uncompressed" | "hybrid";
283
+ /**
284
+ * The `Hash` class is a utility for creating hash digests of data. It can be
285
+ * used in one of two ways:
286
+ *
287
+ * * As a `stream` that is both readable and writable, where data is written
288
+ * to produce a computed hash digest on the readable side, or
289
+ * * Using the `hash.update()` and `hash.digest()` methods to produce the
290
+ * computed hash.
291
+ *
292
+ * The {@link createHash} method is used to create `Hash` instances. `Hash`objects are not to be created directly using the `new` keyword.
293
+ *
294
+ * Example: Using `Hash` objects as streams:
295
+ *
296
+ * ```js
297
+ * const {
298
+ * createHash,
299
+ * } = await import('node:crypto');
300
+ *
301
+ * const hash = createHash('sha256');
302
+ *
303
+ * hash.on('readable', () => {
304
+ * // Only one element is going to be produced by the
305
+ * // hash stream.
306
+ * const data = hash.read();
307
+ * if (data) {
308
+ * console.log(data.toString('hex'));
309
+ * // Prints:
310
+ * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
311
+ * }
312
+ * });
313
+ *
314
+ * hash.write('some data to hash');
315
+ * hash.end();
316
+ * ```
317
+ *
318
+ * Example: Using `Hash` and piped streams:
319
+ *
320
+ * ```js
321
+ * import { createReadStream } from 'node:fs';
322
+ * import { stdout } from 'node:process';
323
+ * const { createHash } = await import('node:crypto');
324
+ *
325
+ * const hash = createHash('sha256');
326
+ *
327
+ * const input = createReadStream('test.js');
328
+ * input.pipe(hash).setEncoding('hex').pipe(stdout);
329
+ * ```
330
+ *
331
+ * Example: Using the `hash.update()` and `hash.digest()` methods:
332
+ *
333
+ * ```js
334
+ * const {
335
+ * createHash,
336
+ * } = await import('node:crypto');
337
+ *
338
+ * const hash = createHash('sha256');
339
+ *
340
+ * hash.update('some data to hash');
341
+ * console.log(hash.digest('hex'));
342
+ * // Prints:
343
+ * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
344
+ * ```
345
+ * @since v0.1.92
346
+ */
347
+ class Hash extends stream.Transform {
348
+ private constructor();
349
+ /**
350
+ * Creates a new `Hash` object that contains a deep copy of the internal state
351
+ * of the current `Hash` object.
352
+ *
353
+ * The optional `options` argument controls stream behavior. For XOF hash
354
+ * functions such as `'shake256'`, the `outputLength` option can be used to
355
+ * specify the desired output length in bytes.
356
+ *
357
+ * An error is thrown when an attempt is made to copy the `Hash` object after
358
+ * its `hash.digest()` method has been called.
359
+ *
360
+ * ```js
361
+ * // Calculate a rolling hash.
362
+ * const {
363
+ * createHash,
364
+ * } = await import('node:crypto');
365
+ *
366
+ * const hash = createHash('sha256');
367
+ *
368
+ * hash.update('one');
369
+ * console.log(hash.copy().digest('hex'));
370
+ *
371
+ * hash.update('two');
372
+ * console.log(hash.copy().digest('hex'));
373
+ *
374
+ * hash.update('three');
375
+ * console.log(hash.copy().digest('hex'));
376
+ *
377
+ * // Etc.
378
+ * ```
379
+ * @since v13.1.0
380
+ * @param options `stream.transform` options
381
+ */
382
+ copy(options?: HashOptions): Hash;
383
+ /**
384
+ * Updates the hash content with the given `data`, the encoding of which
385
+ * is given in `inputEncoding`.
386
+ * If `encoding` is not provided, and the `data` is a string, an
387
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
388
+ *
389
+ * This can be called many times with new data as it is streamed.
390
+ * @since v0.1.92
391
+ * @param inputEncoding The `encoding` of the `data` string.
392
+ */
393
+ update(data: BinaryLike): Hash;
394
+ update(data: string, inputEncoding: Encoding): Hash;
395
+ /**
396
+ * Calculates the digest of all of the data passed to be hashed (using the `hash.update()` method).
397
+ * If `encoding` is provided a string will be returned; otherwise
398
+ * a `Buffer` is returned.
399
+ *
400
+ * The `Hash` object can not be used again after `hash.digest()` method has been
401
+ * called. Multiple calls will cause an error to be thrown.
402
+ * @since v0.1.92
403
+ * @param encoding The `encoding` of the return value.
404
+ */
405
+ digest(): Buffer;
406
+ digest(encoding: BinaryToTextEncoding): string;
407
+ }
408
+ /**
409
+ * The `Hmac` class is a utility for creating cryptographic HMAC digests. It can
410
+ * be used in one of two ways:
411
+ *
412
+ * * As a `stream` that is both readable and writable, where data is written
413
+ * to produce a computed HMAC digest on the readable side, or
414
+ * * Using the `hmac.update()` and `hmac.digest()` methods to produce the
415
+ * computed HMAC digest.
416
+ *
417
+ * The {@link createHmac} method is used to create `Hmac` instances. `Hmac`objects are not to be created directly using the `new` keyword.
418
+ *
419
+ * Example: Using `Hmac` objects as streams:
420
+ *
421
+ * ```js
422
+ * const {
423
+ * createHmac,
424
+ * } = await import('node:crypto');
425
+ *
426
+ * const hmac = createHmac('sha256', 'a secret');
427
+ *
428
+ * hmac.on('readable', () => {
429
+ * // Only one element is going to be produced by the
430
+ * // hash stream.
431
+ * const data = hmac.read();
432
+ * if (data) {
433
+ * console.log(data.toString('hex'));
434
+ * // Prints:
435
+ * // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
436
+ * }
437
+ * });
438
+ *
439
+ * hmac.write('some data to hash');
440
+ * hmac.end();
441
+ * ```
442
+ *
443
+ * Example: Using `Hmac` and piped streams:
444
+ *
445
+ * ```js
446
+ * import { createReadStream } from 'node:fs';
447
+ * import { stdout } from 'node:process';
448
+ * const {
449
+ * createHmac,
450
+ * } = await import('node:crypto');
451
+ *
452
+ * const hmac = createHmac('sha256', 'a secret');
453
+ *
454
+ * const input = createReadStream('test.js');
455
+ * input.pipe(hmac).pipe(stdout);
456
+ * ```
457
+ *
458
+ * Example: Using the `hmac.update()` and `hmac.digest()` methods:
459
+ *
460
+ * ```js
461
+ * const {
462
+ * createHmac,
463
+ * } = await import('node:crypto');
464
+ *
465
+ * const hmac = createHmac('sha256', 'a secret');
466
+ *
467
+ * hmac.update('some data to hash');
468
+ * console.log(hmac.digest('hex'));
469
+ * // Prints:
470
+ * // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
471
+ * ```
472
+ * @since v0.1.94
473
+ */
474
+ class Hmac extends stream.Transform {
475
+ private constructor();
476
+ /**
477
+ * Updates the `Hmac` content with the given `data`, the encoding of which
478
+ * is given in `inputEncoding`.
479
+ * If `encoding` is not provided, and the `data` is a string, an
480
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
481
+ *
482
+ * This can be called many times with new data as it is streamed.
483
+ * @since v0.1.94
484
+ * @param inputEncoding The `encoding` of the `data` string.
485
+ */
486
+ update(data: BinaryLike): Hmac;
487
+ update(data: string, inputEncoding: Encoding): Hmac;
488
+ /**
489
+ * Calculates the HMAC digest of all of the data passed using `hmac.update()`.
490
+ * If `encoding` is
491
+ * provided a string is returned; otherwise a `Buffer` is returned;
492
+ *
493
+ * The `Hmac` object can not be used again after `hmac.digest()` has been
494
+ * called. Multiple calls to `hmac.digest()` will result in an error being thrown.
495
+ * @since v0.1.94
496
+ * @param encoding The `encoding` of the return value.
497
+ */
498
+ digest(): Buffer;
499
+ digest(encoding: BinaryToTextEncoding): string;
500
+ }
501
+ type KeyObjectType = "secret" | "public" | "private";
502
+ interface KeyExportOptions<T extends KeyFormat> {
503
+ type: "pkcs1" | "spki" | "pkcs8" | "sec1";
504
+ format: T;
505
+ cipher?: string | undefined;
506
+ passphrase?: string | Buffer | undefined;
507
+ }
508
+ interface JwkKeyExportOptions {
509
+ format: "jwk";
510
+ }
511
+ interface JsonWebKey {
512
+ crv?: string | undefined;
513
+ d?: string | undefined;
514
+ dp?: string | undefined;
515
+ dq?: string | undefined;
516
+ e?: string | undefined;
517
+ k?: string | undefined;
518
+ kty?: string | undefined;
519
+ n?: string | undefined;
520
+ p?: string | undefined;
521
+ q?: string | undefined;
522
+ qi?: string | undefined;
523
+ x?: string | undefined;
524
+ y?: string | undefined;
525
+ [key: string]: unknown;
526
+ }
527
+ interface AsymmetricKeyDetails {
528
+ /**
529
+ * Key size in bits (RSA, DSA).
530
+ */
531
+ modulusLength?: number | undefined;
532
+ /**
533
+ * Public exponent (RSA).
534
+ */
535
+ publicExponent?: bigint | undefined;
536
+ /**
537
+ * Name of the message digest (RSA-PSS).
538
+ */
539
+ hashAlgorithm?: string | undefined;
540
+ /**
541
+ * Name of the message digest used by MGF1 (RSA-PSS).
542
+ */
543
+ mgf1HashAlgorithm?: string | undefined;
544
+ /**
545
+ * Minimal salt length in bytes (RSA-PSS).
546
+ */
547
+ saltLength?: number | undefined;
548
+ /**
549
+ * Size of q in bits (DSA).
550
+ */
551
+ divisorLength?: number | undefined;
552
+ /**
553
+ * Name of the curve (EC).
554
+ */
555
+ namedCurve?: string | undefined;
556
+ }
557
+ /**
558
+ * Node.js uses a `KeyObject` class to represent a symmetric or asymmetric key,
559
+ * and each kind of key exposes different functions. The {@link createSecretKey}, {@link createPublicKey} and {@link createPrivateKey} methods are used to create `KeyObject`instances. `KeyObject`
560
+ * objects are not to be created directly using the `new`keyword.
561
+ *
562
+ * Most applications should consider using the new `KeyObject` API instead of
563
+ * passing keys as strings or `Buffer`s due to improved security features.
564
+ *
565
+ * `KeyObject` instances can be passed to other threads via `postMessage()`.
566
+ * The receiver obtains a cloned `KeyObject`, and the `KeyObject` does not need to
567
+ * be listed in the `transferList` argument.
568
+ * @since v11.6.0
569
+ */
570
+ class KeyObject {
571
+ private constructor();
572
+ /**
573
+ * Example: Converting a `CryptoKey` instance to a `KeyObject`:
574
+ *
575
+ * ```js
576
+ * const { KeyObject } = await import('node:crypto');
577
+ * const { subtle } = globalThis.crypto;
578
+ *
579
+ * const key = await subtle.generateKey({
580
+ * name: 'HMAC',
581
+ * hash: 'SHA-256',
582
+ * length: 256,
583
+ * }, true, ['sign', 'verify']);
584
+ *
585
+ * const keyObject = KeyObject.from(key);
586
+ * console.log(keyObject.symmetricKeySize);
587
+ * // Prints: 32 (symmetric key size in bytes)
588
+ * ```
589
+ * @since v15.0.0
590
+ */
591
+ static from(key: webcrypto.CryptoKey): KeyObject;
592
+ /**
593
+ * For asymmetric keys, this property represents the type of the key. Supported key
594
+ * types are:
595
+ *
596
+ * * `'rsa'` (OID 1.2.840.113549.1.1.1)
597
+ * * `'rsa-pss'` (OID 1.2.840.113549.1.1.10)
598
+ * * `'dsa'` (OID 1.2.840.10040.4.1)
599
+ * * `'ec'` (OID 1.2.840.10045.2.1)
600
+ * * `'x25519'` (OID 1.3.101.110)
601
+ * * `'x448'` (OID 1.3.101.111)
602
+ * * `'ed25519'` (OID 1.3.101.112)
603
+ * * `'ed448'` (OID 1.3.101.113)
604
+ * * `'dh'` (OID 1.2.840.113549.1.3.1)
605
+ *
606
+ * This property is `undefined` for unrecognized `KeyObject` types and symmetric
607
+ * keys.
608
+ * @since v11.6.0
609
+ */
610
+ asymmetricKeyType?: KeyType | undefined;
611
+ /**
612
+ * For asymmetric keys, this property represents the size of the embedded key in
613
+ * bytes. This property is `undefined` for symmetric keys.
614
+ */
615
+ asymmetricKeySize?: number | undefined;
616
+ /**
617
+ * This property exists only on asymmetric keys. Depending on the type of the key,
618
+ * this object contains information about the key. None of the information obtained
619
+ * through this property can be used to uniquely identify a key or to compromise
620
+ * the security of the key.
621
+ *
622
+ * For RSA-PSS keys, if the key material contains a `RSASSA-PSS-params` sequence,
623
+ * the `hashAlgorithm`, `mgf1HashAlgorithm`, and `saltLength` properties will be
624
+ * set.
625
+ *
626
+ * Other key details might be exposed via this API using additional attributes.
627
+ * @since v15.7.0
628
+ */
629
+ asymmetricKeyDetails?: AsymmetricKeyDetails | undefined;
630
+ /**
631
+ * For symmetric keys, the following encoding options can be used:
632
+ *
633
+ * For public keys, the following encoding options can be used:
634
+ *
635
+ * For private keys, the following encoding options can be used:
636
+ *
637
+ * The result type depends on the selected encoding format, when PEM the
638
+ * result is a string, when DER it will be a buffer containing the data
639
+ * encoded as DER, when [JWK](https://tools.ietf.org/html/rfc7517) it will be an object.
640
+ *
641
+ * When [JWK](https://tools.ietf.org/html/rfc7517) encoding format was selected, all other encoding options are
642
+ * ignored.
643
+ *
644
+ * PKCS#1, SEC1, and PKCS#8 type keys can be encrypted by using a combination of
645
+ * the `cipher` and `format` options. The PKCS#8 `type` can be used with any`format` to encrypt any key algorithm (RSA, EC, or DH) by specifying a`cipher`. PKCS#1 and SEC1 can only be
646
+ * encrypted by specifying a `cipher`when the PEM `format` is used. For maximum compatibility, use PKCS#8 for
647
+ * encrypted private keys. Since PKCS#8 defines its own
648
+ * encryption mechanism, PEM-level encryption is not supported when encrypting
649
+ * a PKCS#8 key. See [RFC 5208](https://www.rfc-editor.org/rfc/rfc5208.txt) for PKCS#8 encryption and [RFC 1421](https://www.rfc-editor.org/rfc/rfc1421.txt) for
650
+ * PKCS#1 and SEC1 encryption.
651
+ * @since v11.6.0
652
+ */
653
+ export(options: KeyExportOptions<"pem">): string | Buffer;
654
+ export(options?: KeyExportOptions<"der">): Buffer;
655
+ export(options?: JwkKeyExportOptions): JsonWebKey;
656
+ /**
657
+ * Returns `true` or `false` depending on whether the keys have exactly the same
658
+ * type, value, and parameters. This method is not [constant time](https://en.wikipedia.org/wiki/Timing_attack).
659
+ * @since v17.7.0, v16.15.0
660
+ * @param otherKeyObject A `KeyObject` with which to compare `keyObject`.
661
+ */
662
+ equals(otherKeyObject: KeyObject): boolean;
663
+ /**
664
+ * For secret keys, this property represents the size of the key in bytes. This
665
+ * property is `undefined` for asymmetric keys.
666
+ * @since v11.6.0
667
+ */
668
+ symmetricKeySize?: number | undefined;
669
+ /**
670
+ * Depending on the type of this `KeyObject`, this property is either`'secret'` for secret (symmetric) keys, `'public'` for public (asymmetric) keys
671
+ * or `'private'` for private (asymmetric) keys.
672
+ * @since v11.6.0
673
+ */
674
+ type: KeyObjectType;
675
+ }
676
+ type CipherCCMTypes = "aes-128-ccm" | "aes-192-ccm" | "aes-256-ccm" | "chacha20-poly1305";
677
+ type CipherGCMTypes = "aes-128-gcm" | "aes-192-gcm" | "aes-256-gcm";
678
+ type CipherOCBTypes = "aes-128-ocb" | "aes-192-ocb" | "aes-256-ocb";
679
+ type BinaryLike = string | NodeJS.ArrayBufferView;
680
+ type CipherKey = BinaryLike | KeyObject;
681
+ interface CipherCCMOptions extends stream.TransformOptions {
682
+ authTagLength: number;
683
+ }
684
+ interface CipherGCMOptions extends stream.TransformOptions {
685
+ authTagLength?: number | undefined;
686
+ }
687
+ interface CipherOCBOptions extends stream.TransformOptions {
688
+ authTagLength: number;
689
+ }
690
+ /**
691
+ * Creates and returns a `Cipher` object that uses the given `algorithm` and`password`.
692
+ *
693
+ * The `options` argument controls stream behavior and is optional except when a
694
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
695
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
696
+ * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
697
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
698
+ *
699
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
700
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
701
+ * display the available cipher algorithms.
702
+ *
703
+ * The `password` is used to derive the cipher key and initialization vector (IV).
704
+ * The value must be either a `'latin1'` encoded string, a `Buffer`, a`TypedArray`, or a `DataView`.
705
+ *
706
+ * **This function is semantically insecure for all**
707
+ * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
708
+ * **GCM, or CCM).**
709
+ *
710
+ * The implementation of `crypto.createCipher()` derives keys using the OpenSSL
711
+ * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
712
+ * iteration, and no salt. The lack of salt allows dictionary attacks as the same
713
+ * password always creates the same key. The low iteration count and
714
+ * non-cryptographically secure hash algorithm allow passwords to be tested very
715
+ * rapidly.
716
+ *
717
+ * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
718
+ * developers derive a key and IV on
719
+ * their own using {@link scrypt} and to use {@link createCipheriv} to create the `Cipher` object. Users should not use ciphers with counter mode
720
+ * (e.g. CTR, GCM, or CCM) in `crypto.createCipher()`. A warning is emitted when
721
+ * they are used in order to avoid the risk of IV reuse that causes
722
+ * vulnerabilities. For the case when IV is reused in GCM, see [Nonce-Disrespecting Adversaries](https://github.com/nonce-disrespect/nonce-disrespect) for details.
723
+ * @since v0.1.94
724
+ * @deprecated Since v10.0.0 - Use {@link createCipheriv} instead.
725
+ * @param options `stream.transform` options
726
+ */
727
+ function createCipher(algorithm: CipherCCMTypes, password: BinaryLike, options: CipherCCMOptions): CipherCCM;
728
+ /** @deprecated since v10.0.0 use `createCipheriv()` */
729
+ function createCipher(algorithm: CipherGCMTypes, password: BinaryLike, options?: CipherGCMOptions): CipherGCM;
730
+ /** @deprecated since v10.0.0 use `createCipheriv()` */
731
+ function createCipher(algorithm: string, password: BinaryLike, options?: stream.TransformOptions): Cipher;
732
+ /**
733
+ * Creates and returns a `Cipher` object, with the given `algorithm`, `key` and
734
+ * initialization vector (`iv`).
735
+ *
736
+ * The `options` argument controls stream behavior and is optional except when a
737
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
738
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to set the length of the authentication
739
+ * tag that will be returned by `getAuthTag()` and defaults to 16 bytes.
740
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
741
+ *
742
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
743
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
744
+ * display the available cipher algorithms.
745
+ *
746
+ * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
747
+ * strings,`Buffers`, `TypedArray`, or `DataView`s. The `key` may optionally be
748
+ * a `KeyObject` of type `secret`. If the cipher does not need
749
+ * an initialization vector, `iv` may be `null`.
750
+ *
751
+ * When passing strings for `key` or `iv`, please consider `caveats when using strings as inputs to cryptographic APIs`.
752
+ *
753
+ * Initialization vectors should be unpredictable and unique; ideally, they will be
754
+ * cryptographically random. They do not have to be secret: IVs are typically just
755
+ * added to ciphertext messages unencrypted. It may sound contradictory that
756
+ * something has to be unpredictable and unique, but does not have to be secret;
757
+ * remember that an attacker must not be able to predict ahead of time what a
758
+ * given IV will be.
759
+ * @since v0.1.94
760
+ * @param options `stream.transform` options
761
+ */
762
+ function createCipheriv(
763
+ algorithm: CipherCCMTypes,
764
+ key: CipherKey,
765
+ iv: BinaryLike,
766
+ options: CipherCCMOptions,
767
+ ): CipherCCM;
768
+ function createCipheriv(
769
+ algorithm: CipherOCBTypes,
770
+ key: CipherKey,
771
+ iv: BinaryLike,
772
+ options: CipherOCBOptions,
773
+ ): CipherOCB;
774
+ function createCipheriv(
775
+ algorithm: CipherGCMTypes,
776
+ key: CipherKey,
777
+ iv: BinaryLike,
778
+ options?: CipherGCMOptions,
779
+ ): CipherGCM;
780
+ function createCipheriv(
781
+ algorithm: string,
782
+ key: CipherKey,
783
+ iv: BinaryLike | null,
784
+ options?: stream.TransformOptions,
785
+ ): Cipher;
786
+ /**
787
+ * Instances of the `Cipher` class are used to encrypt data. The class can be
788
+ * used in one of two ways:
789
+ *
790
+ * * As a `stream` that is both readable and writable, where plain unencrypted
791
+ * data is written to produce encrypted data on the readable side, or
792
+ * * Using the `cipher.update()` and `cipher.final()` methods to produce
793
+ * the encrypted data.
794
+ *
795
+ * The {@link createCipher} or {@link createCipheriv} methods are
796
+ * used to create `Cipher` instances. `Cipher` objects are not to be created
797
+ * directly using the `new` keyword.
798
+ *
799
+ * Example: Using `Cipher` objects as streams:
800
+ *
801
+ * ```js
802
+ * const {
803
+ * scrypt,
804
+ * randomFill,
805
+ * createCipheriv,
806
+ * } = await import('node:crypto');
807
+ *
808
+ * const algorithm = 'aes-192-cbc';
809
+ * const password = 'Password used to generate key';
810
+ *
811
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
812
+ * // In this case for aes192, it is 24 bytes (192 bits).
813
+ * scrypt(password, 'salt', 24, (err, key) => {
814
+ * if (err) throw err;
815
+ * // Then, we'll generate a random initialization vector
816
+ * randomFill(new Uint8Array(16), (err, iv) => {
817
+ * if (err) throw err;
818
+ *
819
+ * // Once we have the key and iv, we can create and use the cipher...
820
+ * const cipher = createCipheriv(algorithm, key, iv);
821
+ *
822
+ * let encrypted = '';
823
+ * cipher.setEncoding('hex');
824
+ *
825
+ * cipher.on('data', (chunk) => encrypted += chunk);
826
+ * cipher.on('end', () => console.log(encrypted));
827
+ *
828
+ * cipher.write('some clear text data');
829
+ * cipher.end();
830
+ * });
831
+ * });
832
+ * ```
833
+ *
834
+ * Example: Using `Cipher` and piped streams:
835
+ *
836
+ * ```js
837
+ * import {
838
+ * createReadStream,
839
+ * createWriteStream,
840
+ * } from 'node:fs';
841
+ *
842
+ * import {
843
+ * pipeline,
844
+ * } from 'node:stream';
845
+ *
846
+ * const {
847
+ * scrypt,
848
+ * randomFill,
849
+ * createCipheriv,
850
+ * } = await import('node:crypto');
851
+ *
852
+ * const algorithm = 'aes-192-cbc';
853
+ * const password = 'Password used to generate key';
854
+ *
855
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
856
+ * // In this case for aes192, it is 24 bytes (192 bits).
857
+ * scrypt(password, 'salt', 24, (err, key) => {
858
+ * if (err) throw err;
859
+ * // Then, we'll generate a random initialization vector
860
+ * randomFill(new Uint8Array(16), (err, iv) => {
861
+ * if (err) throw err;
862
+ *
863
+ * const cipher = createCipheriv(algorithm, key, iv);
864
+ *
865
+ * const input = createReadStream('test.js');
866
+ * const output = createWriteStream('test.enc');
867
+ *
868
+ * pipeline(input, cipher, output, (err) => {
869
+ * if (err) throw err;
870
+ * });
871
+ * });
872
+ * });
873
+ * ```
874
+ *
875
+ * Example: Using the `cipher.update()` and `cipher.final()` methods:
876
+ *
877
+ * ```js
878
+ * const {
879
+ * scrypt,
880
+ * randomFill,
881
+ * createCipheriv,
882
+ * } = await import('node:crypto');
883
+ *
884
+ * const algorithm = 'aes-192-cbc';
885
+ * const password = 'Password used to generate key';
886
+ *
887
+ * // First, we'll generate the key. The key length is dependent on the algorithm.
888
+ * // In this case for aes192, it is 24 bytes (192 bits).
889
+ * scrypt(password, 'salt', 24, (err, key) => {
890
+ * if (err) throw err;
891
+ * // Then, we'll generate a random initialization vector
892
+ * randomFill(new Uint8Array(16), (err, iv) => {
893
+ * if (err) throw err;
894
+ *
895
+ * const cipher = createCipheriv(algorithm, key, iv);
896
+ *
897
+ * let encrypted = cipher.update('some clear text data', 'utf8', 'hex');
898
+ * encrypted += cipher.final('hex');
899
+ * console.log(encrypted);
900
+ * });
901
+ * });
902
+ * ```
903
+ * @since v0.1.94
904
+ */
905
+ class Cipher extends stream.Transform {
906
+ private constructor();
907
+ /**
908
+ * Updates the cipher with `data`. If the `inputEncoding` argument is given,
909
+ * the `data`argument is a string using the specified encoding. If the `inputEncoding`argument is not given, `data` must be a `Buffer`, `TypedArray`, or`DataView`. If `data` is a `Buffer`,
910
+ * `TypedArray`, or `DataView`, then`inputEncoding` is ignored.
911
+ *
912
+ * The `outputEncoding` specifies the output format of the enciphered
913
+ * data. If the `outputEncoding`is specified, a string using the specified encoding is returned. If no`outputEncoding` is provided, a `Buffer` is returned.
914
+ *
915
+ * The `cipher.update()` method can be called multiple times with new data until `cipher.final()` is called. Calling `cipher.update()` after `cipher.final()` will result in an error being
916
+ * thrown.
917
+ * @since v0.1.94
918
+ * @param inputEncoding The `encoding` of the data.
919
+ * @param outputEncoding The `encoding` of the return value.
920
+ */
921
+ update(data: BinaryLike): Buffer;
922
+ update(data: string, inputEncoding: Encoding): Buffer;
923
+ update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
924
+ update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
925
+ /**
926
+ * Once the `cipher.final()` method has been called, the `Cipher` object can no
927
+ * longer be used to encrypt data. Attempts to call `cipher.final()` more than
928
+ * once will result in an error being thrown.
929
+ * @since v0.1.94
930
+ * @param outputEncoding The `encoding` of the return value.
931
+ * @return Any remaining enciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
932
+ */
933
+ final(): Buffer;
934
+ final(outputEncoding: BufferEncoding): string;
935
+ /**
936
+ * When using block encryption algorithms, the `Cipher` class will automatically
937
+ * add padding to the input data to the appropriate block size. To disable the
938
+ * default padding call `cipher.setAutoPadding(false)`.
939
+ *
940
+ * When `autoPadding` is `false`, the length of the entire input data must be a
941
+ * multiple of the cipher's block size or `cipher.final()` will throw an error.
942
+ * Disabling automatic padding is useful for non-standard padding, for instance
943
+ * using `0x0` instead of PKCS padding.
944
+ *
945
+ * The `cipher.setAutoPadding()` method must be called before `cipher.final()`.
946
+ * @since v0.7.1
947
+ * @param [autoPadding=true]
948
+ * @return for method chaining.
949
+ */
950
+ setAutoPadding(autoPadding?: boolean): this;
951
+ }
952
+ interface CipherCCM extends Cipher {
953
+ setAAD(
954
+ buffer: NodeJS.ArrayBufferView,
955
+ options: {
956
+ plaintextLength: number;
957
+ },
958
+ ): this;
959
+ getAuthTag(): Buffer;
960
+ }
961
+ interface CipherGCM extends Cipher {
962
+ setAAD(
963
+ buffer: NodeJS.ArrayBufferView,
964
+ options?: {
965
+ plaintextLength: number;
966
+ },
967
+ ): this;
968
+ getAuthTag(): Buffer;
969
+ }
970
+ interface CipherOCB extends Cipher {
971
+ setAAD(
972
+ buffer: NodeJS.ArrayBufferView,
973
+ options?: {
974
+ plaintextLength: number;
975
+ },
976
+ ): this;
977
+ getAuthTag(): Buffer;
978
+ }
979
+ /**
980
+ * Creates and returns a `Decipher` object that uses the given `algorithm` and`password` (key).
981
+ *
982
+ * The `options` argument controls stream behavior and is optional except when a
983
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
984
+ * authentication tag in bytes, see `CCM mode`.
985
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
986
+ *
987
+ * **This function is semantically insecure for all**
988
+ * **supported ciphers and fatally flawed for ciphers in counter mode (such as CTR,**
989
+ * **GCM, or CCM).**
990
+ *
991
+ * The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
992
+ * function [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) with the digest algorithm set to MD5, one
993
+ * iteration, and no salt. The lack of salt allows dictionary attacks as the same
994
+ * password always creates the same key. The low iteration count and
995
+ * non-cryptographically secure hash algorithm allow passwords to be tested very
996
+ * rapidly.
997
+ *
998
+ * In line with OpenSSL's recommendation to use a more modern algorithm instead of [`EVP_BytesToKey`](https://www.openssl.org/docs/man3.0/man3/EVP_BytesToKey.html) it is recommended that
999
+ * developers derive a key and IV on
1000
+ * their own using {@link scrypt} and to use {@link createDecipheriv} to create the `Decipher` object.
1001
+ * @since v0.1.94
1002
+ * @deprecated Since v10.0.0 - Use {@link createDecipheriv} instead.
1003
+ * @param options `stream.transform` options
1004
+ */
1005
+ function createDecipher(algorithm: CipherCCMTypes, password: BinaryLike, options: CipherCCMOptions): DecipherCCM;
1006
+ /** @deprecated since v10.0.0 use `createDecipheriv()` */
1007
+ function createDecipher(algorithm: CipherGCMTypes, password: BinaryLike, options?: CipherGCMOptions): DecipherGCM;
1008
+ /** @deprecated since v10.0.0 use `createDecipheriv()` */
1009
+ function createDecipher(algorithm: string, password: BinaryLike, options?: stream.TransformOptions): Decipher;
1010
+ /**
1011
+ * Creates and returns a `Decipher` object that uses the given `algorithm`, `key`and initialization vector (`iv`).
1012
+ *
1013
+ * The `options` argument controls stream behavior and is optional except when a
1014
+ * cipher in CCM or OCB mode (e.g. `'aes-128-ccm'`) is used. In that case, the`authTagLength` option is required and specifies the length of the
1015
+ * authentication tag in bytes, see `CCM mode`. In GCM mode, the `authTagLength`option is not required but can be used to restrict accepted authentication tags
1016
+ * to those with the specified length.
1017
+ * For `chacha20-poly1305`, the `authTagLength` option defaults to 16 bytes.
1018
+ *
1019
+ * The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
1020
+ * recent OpenSSL releases, `openssl list -cipher-algorithms` will
1021
+ * display the available cipher algorithms.
1022
+ *
1023
+ * The `key` is the raw key used by the `algorithm` and `iv` is an [initialization vector](https://en.wikipedia.org/wiki/Initialization_vector). Both arguments must be `'utf8'` encoded
1024
+ * strings,`Buffers`, `TypedArray`, or `DataView`s. The `key` may optionally be
1025
+ * a `KeyObject` of type `secret`. If the cipher does not need
1026
+ * an initialization vector, `iv` may be `null`.
1027
+ *
1028
+ * When passing strings for `key` or `iv`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1029
+ *
1030
+ * Initialization vectors should be unpredictable and unique; ideally, they will be
1031
+ * cryptographically random. They do not have to be secret: IVs are typically just
1032
+ * added to ciphertext messages unencrypted. It may sound contradictory that
1033
+ * something has to be unpredictable and unique, but does not have to be secret;
1034
+ * remember that an attacker must not be able to predict ahead of time what a given
1035
+ * IV will be.
1036
+ * @since v0.1.94
1037
+ * @param options `stream.transform` options
1038
+ */
1039
+ function createDecipheriv(
1040
+ algorithm: CipherCCMTypes,
1041
+ key: CipherKey,
1042
+ iv: BinaryLike,
1043
+ options: CipherCCMOptions,
1044
+ ): DecipherCCM;
1045
+ function createDecipheriv(
1046
+ algorithm: CipherOCBTypes,
1047
+ key: CipherKey,
1048
+ iv: BinaryLike,
1049
+ options: CipherOCBOptions,
1050
+ ): DecipherOCB;
1051
+ function createDecipheriv(
1052
+ algorithm: CipherGCMTypes,
1053
+ key: CipherKey,
1054
+ iv: BinaryLike,
1055
+ options?: CipherGCMOptions,
1056
+ ): DecipherGCM;
1057
+ function createDecipheriv(
1058
+ algorithm: string,
1059
+ key: CipherKey,
1060
+ iv: BinaryLike | null,
1061
+ options?: stream.TransformOptions,
1062
+ ): Decipher;
1063
+ /**
1064
+ * Instances of the `Decipher` class are used to decrypt data. The class can be
1065
+ * used in one of two ways:
1066
+ *
1067
+ * * As a `stream` that is both readable and writable, where plain encrypted
1068
+ * data is written to produce unencrypted data on the readable side, or
1069
+ * * Using the `decipher.update()` and `decipher.final()` methods to
1070
+ * produce the unencrypted data.
1071
+ *
1072
+ * The {@link createDecipher} or {@link createDecipheriv} methods are
1073
+ * used to create `Decipher` instances. `Decipher` objects are not to be created
1074
+ * directly using the `new` keyword.
1075
+ *
1076
+ * Example: Using `Decipher` objects as streams:
1077
+ *
1078
+ * ```js
1079
+ * import { Buffer } from 'node:buffer';
1080
+ * const {
1081
+ * scryptSync,
1082
+ * createDecipheriv,
1083
+ * } = await import('node:crypto');
1084
+ *
1085
+ * const algorithm = 'aes-192-cbc';
1086
+ * const password = 'Password used to generate key';
1087
+ * // Key length is dependent on the algorithm. In this case for aes192, it is
1088
+ * // 24 bytes (192 bits).
1089
+ * // Use the async `crypto.scrypt()` instead.
1090
+ * const key = scryptSync(password, 'salt', 24);
1091
+ * // The IV is usually passed along with the ciphertext.
1092
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1093
+ *
1094
+ * const decipher = createDecipheriv(algorithm, key, iv);
1095
+ *
1096
+ * let decrypted = '';
1097
+ * decipher.on('readable', () => {
1098
+ * let chunk;
1099
+ * while (null !== (chunk = decipher.read())) {
1100
+ * decrypted += chunk.toString('utf8');
1101
+ * }
1102
+ * });
1103
+ * decipher.on('end', () => {
1104
+ * console.log(decrypted);
1105
+ * // Prints: some clear text data
1106
+ * });
1107
+ *
1108
+ * // Encrypted with same algorithm, key and iv.
1109
+ * const encrypted =
1110
+ * 'e5f79c5915c02171eec6b212d5520d44480993d7d622a7c4c2da32f6efda0ffa';
1111
+ * decipher.write(encrypted, 'hex');
1112
+ * decipher.end();
1113
+ * ```
1114
+ *
1115
+ * Example: Using `Decipher` and piped streams:
1116
+ *
1117
+ * ```js
1118
+ * import {
1119
+ * createReadStream,
1120
+ * createWriteStream,
1121
+ * } from 'node:fs';
1122
+ * import { Buffer } from 'node:buffer';
1123
+ * const {
1124
+ * scryptSync,
1125
+ * createDecipheriv,
1126
+ * } = await import('node:crypto');
1127
+ *
1128
+ * const algorithm = 'aes-192-cbc';
1129
+ * const password = 'Password used to generate key';
1130
+ * // Use the async `crypto.scrypt()` instead.
1131
+ * const key = scryptSync(password, 'salt', 24);
1132
+ * // The IV is usually passed along with the ciphertext.
1133
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1134
+ *
1135
+ * const decipher = createDecipheriv(algorithm, key, iv);
1136
+ *
1137
+ * const input = createReadStream('test.enc');
1138
+ * const output = createWriteStream('test.js');
1139
+ *
1140
+ * input.pipe(decipher).pipe(output);
1141
+ * ```
1142
+ *
1143
+ * Example: Using the `decipher.update()` and `decipher.final()` methods:
1144
+ *
1145
+ * ```js
1146
+ * import { Buffer } from 'node:buffer';
1147
+ * const {
1148
+ * scryptSync,
1149
+ * createDecipheriv,
1150
+ * } = await import('node:crypto');
1151
+ *
1152
+ * const algorithm = 'aes-192-cbc';
1153
+ * const password = 'Password used to generate key';
1154
+ * // Use the async `crypto.scrypt()` instead.
1155
+ * const key = scryptSync(password, 'salt', 24);
1156
+ * // The IV is usually passed along with the ciphertext.
1157
+ * const iv = Buffer.alloc(16, 0); // Initialization vector.
1158
+ *
1159
+ * const decipher = createDecipheriv(algorithm, key, iv);
1160
+ *
1161
+ * // Encrypted using same algorithm, key and iv.
1162
+ * const encrypted =
1163
+ * 'e5f79c5915c02171eec6b212d5520d44480993d7d622a7c4c2da32f6efda0ffa';
1164
+ * let decrypted = decipher.update(encrypted, 'hex', 'utf8');
1165
+ * decrypted += decipher.final('utf8');
1166
+ * console.log(decrypted);
1167
+ * // Prints: some clear text data
1168
+ * ```
1169
+ * @since v0.1.94
1170
+ */
1171
+ class Decipher extends stream.Transform {
1172
+ private constructor();
1173
+ /**
1174
+ * Updates the decipher with `data`. If the `inputEncoding` argument is given,
1175
+ * the `data`argument is a string using the specified encoding. If the `inputEncoding`argument is not given, `data` must be a `Buffer`. If `data` is a `Buffer` then `inputEncoding` is
1176
+ * ignored.
1177
+ *
1178
+ * The `outputEncoding` specifies the output format of the enciphered
1179
+ * data. If the `outputEncoding`is specified, a string using the specified encoding is returned. If no`outputEncoding` is provided, a `Buffer` is returned.
1180
+ *
1181
+ * The `decipher.update()` method can be called multiple times with new data until `decipher.final()` is called. Calling `decipher.update()` after `decipher.final()` will result in an error
1182
+ * being thrown.
1183
+ * @since v0.1.94
1184
+ * @param inputEncoding The `encoding` of the `data` string.
1185
+ * @param outputEncoding The `encoding` of the return value.
1186
+ */
1187
+ update(data: NodeJS.ArrayBufferView): Buffer;
1188
+ update(data: string, inputEncoding: Encoding): Buffer;
1189
+ update(data: NodeJS.ArrayBufferView, inputEncoding: undefined, outputEncoding: Encoding): string;
1190
+ update(data: string, inputEncoding: Encoding | undefined, outputEncoding: Encoding): string;
1191
+ /**
1192
+ * Once the `decipher.final()` method has been called, the `Decipher` object can
1193
+ * no longer be used to decrypt data. Attempts to call `decipher.final()` more
1194
+ * than once will result in an error being thrown.
1195
+ * @since v0.1.94
1196
+ * @param outputEncoding The `encoding` of the return value.
1197
+ * @return Any remaining deciphered contents. If `outputEncoding` is specified, a string is returned. If an `outputEncoding` is not provided, a {@link Buffer} is returned.
1198
+ */
1199
+ final(): Buffer;
1200
+ final(outputEncoding: BufferEncoding): string;
1201
+ /**
1202
+ * When data has been encrypted without standard block padding, calling`decipher.setAutoPadding(false)` will disable automatic padding to prevent `decipher.final()` from checking for and
1203
+ * removing padding.
1204
+ *
1205
+ * Turning auto padding off will only work if the input data's length is a
1206
+ * multiple of the ciphers block size.
1207
+ *
1208
+ * The `decipher.setAutoPadding()` method must be called before `decipher.final()`.
1209
+ * @since v0.7.1
1210
+ * @param [autoPadding=true]
1211
+ * @return for method chaining.
1212
+ */
1213
+ setAutoPadding(auto_padding?: boolean): this;
1214
+ }
1215
+ interface DecipherCCM extends Decipher {
1216
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1217
+ setAAD(
1218
+ buffer: NodeJS.ArrayBufferView,
1219
+ options: {
1220
+ plaintextLength: number;
1221
+ },
1222
+ ): this;
1223
+ }
1224
+ interface DecipherGCM extends Decipher {
1225
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1226
+ setAAD(
1227
+ buffer: NodeJS.ArrayBufferView,
1228
+ options?: {
1229
+ plaintextLength: number;
1230
+ },
1231
+ ): this;
1232
+ }
1233
+ interface DecipherOCB extends Decipher {
1234
+ setAuthTag(buffer: NodeJS.ArrayBufferView): this;
1235
+ setAAD(
1236
+ buffer: NodeJS.ArrayBufferView,
1237
+ options?: {
1238
+ plaintextLength: number;
1239
+ },
1240
+ ): this;
1241
+ }
1242
+ interface PrivateKeyInput {
1243
+ key: string | Buffer;
1244
+ format?: KeyFormat | undefined;
1245
+ type?: "pkcs1" | "pkcs8" | "sec1" | undefined;
1246
+ passphrase?: string | Buffer | undefined;
1247
+ encoding?: string | undefined;
1248
+ }
1249
+ interface PublicKeyInput {
1250
+ key: string | Buffer;
1251
+ format?: KeyFormat | undefined;
1252
+ type?: "pkcs1" | "spki" | undefined;
1253
+ encoding?: string | undefined;
1254
+ }
1255
+ /**
1256
+ * Asynchronously generates a new random secret key of the given `length`. The`type` will determine which validations will be performed on the `length`.
1257
+ *
1258
+ * ```js
1259
+ * const {
1260
+ * generateKey,
1261
+ * } = await import('node:crypto');
1262
+ *
1263
+ * generateKey('hmac', { length: 512 }, (err, key) => {
1264
+ * if (err) throw err;
1265
+ * console.log(key.export().toString('hex')); // 46e..........620
1266
+ * });
1267
+ * ```
1268
+ *
1269
+ * The size of a generated HMAC key should not exceed the block size of the
1270
+ * underlying hash function. See {@link createHmac} for more information.
1271
+ * @since v15.0.0
1272
+ * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
1273
+ */
1274
+ function generateKey(
1275
+ type: "hmac" | "aes",
1276
+ options: {
1277
+ length: number;
1278
+ },
1279
+ callback: (err: Error | null, key: KeyObject) => void,
1280
+ ): void;
1281
+ /**
1282
+ * Synchronously generates a new random secret key of the given `length`. The`type` will determine which validations will be performed on the `length`.
1283
+ *
1284
+ * ```js
1285
+ * const {
1286
+ * generateKeySync,
1287
+ * } = await import('node:crypto');
1288
+ *
1289
+ * const key = generateKeySync('hmac', { length: 512 });
1290
+ * console.log(key.export().toString('hex')); // e89..........41e
1291
+ * ```
1292
+ *
1293
+ * The size of a generated HMAC key should not exceed the block size of the
1294
+ * underlying hash function. See {@link createHmac} for more information.
1295
+ * @since v15.0.0
1296
+ * @param type The intended use of the generated secret key. Currently accepted values are `'hmac'` and `'aes'`.
1297
+ */
1298
+ function generateKeySync(
1299
+ type: "hmac" | "aes",
1300
+ options: {
1301
+ length: number;
1302
+ },
1303
+ ): KeyObject;
1304
+ interface JsonWebKeyInput {
1305
+ key: JsonWebKey;
1306
+ format: "jwk";
1307
+ }
1308
+ /**
1309
+ * Creates and returns a new key object containing a private key. If `key` is a
1310
+ * string or `Buffer`, `format` is assumed to be `'pem'`; otherwise, `key`must be an object with the properties described above.
1311
+ *
1312
+ * If the private key is encrypted, a `passphrase` must be specified. The length
1313
+ * of the passphrase is limited to 1024 bytes.
1314
+ * @since v11.6.0
1315
+ */
1316
+ function createPrivateKey(key: PrivateKeyInput | string | Buffer | JsonWebKeyInput): KeyObject;
1317
+ /**
1318
+ * Creates and returns a new key object containing a public key. If `key` is a
1319
+ * string or `Buffer`, `format` is assumed to be `'pem'`; if `key` is a `KeyObject`with type `'private'`, the public key is derived from the given private key;
1320
+ * otherwise, `key` must be an object with the properties described above.
1321
+ *
1322
+ * If the format is `'pem'`, the `'key'` may also be an X.509 certificate.
1323
+ *
1324
+ * Because public keys can be derived from private keys, a private key may be
1325
+ * passed instead of a public key. In that case, this function behaves as if {@link createPrivateKey} had been called, except that the type of the
1326
+ * returned `KeyObject` will be `'public'` and that the private key cannot be
1327
+ * extracted from the returned `KeyObject`. Similarly, if a `KeyObject` with type`'private'` is given, a new `KeyObject` with type `'public'` will be returned
1328
+ * and it will be impossible to extract the private key from the returned object.
1329
+ * @since v11.6.0
1330
+ */
1331
+ function createPublicKey(key: PublicKeyInput | string | Buffer | KeyObject | JsonWebKeyInput): KeyObject;
1332
+ /**
1333
+ * Creates and returns a new key object containing a secret key for symmetric
1334
+ * encryption or `Hmac`.
1335
+ * @since v11.6.0
1336
+ * @param encoding The string encoding when `key` is a string.
1337
+ */
1338
+ function createSecretKey(key: NodeJS.ArrayBufferView): KeyObject;
1339
+ function createSecretKey(key: string, encoding: BufferEncoding): KeyObject;
1340
+ /**
1341
+ * Creates and returns a `Sign` object that uses the given `algorithm`. Use {@link getHashes} to obtain the names of the available digest algorithms.
1342
+ * Optional `options` argument controls the `stream.Writable` behavior.
1343
+ *
1344
+ * In some cases, a `Sign` instance can be created using the name of a signature
1345
+ * algorithm, such as `'RSA-SHA256'`, instead of a digest algorithm. This will use
1346
+ * the corresponding digest algorithm. This does not work for all signature
1347
+ * algorithms, such as `'ecdsa-with-SHA256'`, so it is best to always use digest
1348
+ * algorithm names.
1349
+ * @since v0.1.92
1350
+ * @param options `stream.Writable` options
1351
+ */
1352
+ function createSign(algorithm: string, options?: stream.WritableOptions): Sign;
1353
+ type DSAEncoding = "der" | "ieee-p1363";
1354
+ interface SigningOptions {
1355
+ /**
1356
+ * @see crypto.constants.RSA_PKCS1_PADDING
1357
+ */
1358
+ padding?: number | undefined;
1359
+ saltLength?: number | undefined;
1360
+ dsaEncoding?: DSAEncoding | undefined;
1361
+ }
1362
+ interface SignPrivateKeyInput extends PrivateKeyInput, SigningOptions {}
1363
+ interface SignKeyObjectInput extends SigningOptions {
1364
+ key: KeyObject;
1365
+ }
1366
+ interface VerifyPublicKeyInput extends PublicKeyInput, SigningOptions {}
1367
+ interface VerifyKeyObjectInput extends SigningOptions {
1368
+ key: KeyObject;
1369
+ }
1370
+ interface VerifyJsonWebKeyInput extends JsonWebKeyInput, SigningOptions {}
1371
+ type KeyLike = string | Buffer | KeyObject;
1372
+ /**
1373
+ * The `Sign` class is a utility for generating signatures. It can be used in one
1374
+ * of two ways:
1375
+ *
1376
+ * * As a writable `stream`, where data to be signed is written and the `sign.sign()` method is used to generate and return the signature, or
1377
+ * * Using the `sign.update()` and `sign.sign()` methods to produce the
1378
+ * signature.
1379
+ *
1380
+ * The {@link createSign} method is used to create `Sign` instances. The
1381
+ * argument is the string name of the hash function to use. `Sign` objects are not
1382
+ * to be created directly using the `new` keyword.
1383
+ *
1384
+ * Example: Using `Sign` and `Verify` objects as streams:
1385
+ *
1386
+ * ```js
1387
+ * const {
1388
+ * generateKeyPairSync,
1389
+ * createSign,
1390
+ * createVerify,
1391
+ * } = await import('node:crypto');
1392
+ *
1393
+ * const { privateKey, publicKey } = generateKeyPairSync('ec', {
1394
+ * namedCurve: 'sect239k1',
1395
+ * });
1396
+ *
1397
+ * const sign = createSign('SHA256');
1398
+ * sign.write('some data to sign');
1399
+ * sign.end();
1400
+ * const signature = sign.sign(privateKey, 'hex');
1401
+ *
1402
+ * const verify = createVerify('SHA256');
1403
+ * verify.write('some data to sign');
1404
+ * verify.end();
1405
+ * console.log(verify.verify(publicKey, signature, 'hex'));
1406
+ * // Prints: true
1407
+ * ```
1408
+ *
1409
+ * Example: Using the `sign.update()` and `verify.update()` methods:
1410
+ *
1411
+ * ```js
1412
+ * const {
1413
+ * generateKeyPairSync,
1414
+ * createSign,
1415
+ * createVerify,
1416
+ * } = await import('node:crypto');
1417
+ *
1418
+ * const { privateKey, publicKey } = generateKeyPairSync('rsa', {
1419
+ * modulusLength: 2048,
1420
+ * });
1421
+ *
1422
+ * const sign = createSign('SHA256');
1423
+ * sign.update('some data to sign');
1424
+ * sign.end();
1425
+ * const signature = sign.sign(privateKey);
1426
+ *
1427
+ * const verify = createVerify('SHA256');
1428
+ * verify.update('some data to sign');
1429
+ * verify.end();
1430
+ * console.log(verify.verify(publicKey, signature));
1431
+ * // Prints: true
1432
+ * ```
1433
+ * @since v0.1.92
1434
+ */
1435
+ class Sign extends stream.Writable {
1436
+ private constructor();
1437
+ /**
1438
+ * Updates the `Sign` content with the given `data`, the encoding of which
1439
+ * is given in `inputEncoding`.
1440
+ * If `encoding` is not provided, and the `data` is a string, an
1441
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
1442
+ *
1443
+ * This can be called many times with new data as it is streamed.
1444
+ * @since v0.1.92
1445
+ * @param inputEncoding The `encoding` of the `data` string.
1446
+ */
1447
+ update(data: BinaryLike): this;
1448
+ update(data: string, inputEncoding: Encoding): this;
1449
+ /**
1450
+ * Calculates the signature on all the data passed through using either `sign.update()` or `sign.write()`.
1451
+ *
1452
+ * If `privateKey` is not a `KeyObject`, this function behaves as if`privateKey` had been passed to {@link createPrivateKey}. If it is an
1453
+ * object, the following additional properties can be passed:
1454
+ *
1455
+ * If `outputEncoding` is provided a string is returned; otherwise a `Buffer` is returned.
1456
+ *
1457
+ * The `Sign` object can not be again used after `sign.sign()` method has been
1458
+ * called. Multiple calls to `sign.sign()` will result in an error being thrown.
1459
+ * @since v0.1.92
1460
+ */
1461
+ sign(privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput): Buffer;
1462
+ sign(
1463
+ privateKey: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
1464
+ outputFormat: BinaryToTextEncoding,
1465
+ ): string;
1466
+ }
1467
+ /**
1468
+ * Creates and returns a `Verify` object that uses the given algorithm.
1469
+ * Use {@link getHashes} to obtain an array of names of the available
1470
+ * signing algorithms. Optional `options` argument controls the`stream.Writable` behavior.
1471
+ *
1472
+ * In some cases, a `Verify` instance can be created using the name of a signature
1473
+ * algorithm, such as `'RSA-SHA256'`, instead of a digest algorithm. This will use
1474
+ * the corresponding digest algorithm. This does not work for all signature
1475
+ * algorithms, such as `'ecdsa-with-SHA256'`, so it is best to always use digest
1476
+ * algorithm names.
1477
+ * @since v0.1.92
1478
+ * @param options `stream.Writable` options
1479
+ */
1480
+ function createVerify(algorithm: string, options?: stream.WritableOptions): Verify;
1481
+ /**
1482
+ * The `Verify` class is a utility for verifying signatures. It can be used in one
1483
+ * of two ways:
1484
+ *
1485
+ * * As a writable `stream` where written data is used to validate against the
1486
+ * supplied signature, or
1487
+ * * Using the `verify.update()` and `verify.verify()` methods to verify
1488
+ * the signature.
1489
+ *
1490
+ * The {@link createVerify} method is used to create `Verify` instances.`Verify` objects are not to be created directly using the `new` keyword.
1491
+ *
1492
+ * See `Sign` for examples.
1493
+ * @since v0.1.92
1494
+ */
1495
+ class Verify extends stream.Writable {
1496
+ private constructor();
1497
+ /**
1498
+ * Updates the `Verify` content with the given `data`, the encoding of which
1499
+ * is given in `inputEncoding`.
1500
+ * If `inputEncoding` is not provided, and the `data` is a string, an
1501
+ * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored.
1502
+ *
1503
+ * This can be called many times with new data as it is streamed.
1504
+ * @since v0.1.92
1505
+ * @param inputEncoding The `encoding` of the `data` string.
1506
+ */
1507
+ update(data: BinaryLike): Verify;
1508
+ update(data: string, inputEncoding: Encoding): Verify;
1509
+ /**
1510
+ * Verifies the provided data using the given `object` and `signature`.
1511
+ *
1512
+ * If `object` is not a `KeyObject`, this function behaves as if`object` had been passed to {@link createPublicKey}. If it is an
1513
+ * object, the following additional properties can be passed:
1514
+ *
1515
+ * The `signature` argument is the previously calculated signature for the data, in
1516
+ * the `signatureEncoding`.
1517
+ * If a `signatureEncoding` is specified, the `signature` is expected to be a
1518
+ * string; otherwise `signature` is expected to be a `Buffer`,`TypedArray`, or `DataView`.
1519
+ *
1520
+ * The `verify` object can not be used again after `verify.verify()` has been
1521
+ * called. Multiple calls to `verify.verify()` will result in an error being
1522
+ * thrown.
1523
+ *
1524
+ * Because public keys can be derived from private keys, a private key may
1525
+ * be passed instead of a public key.
1526
+ * @since v0.1.92
1527
+ */
1528
+ verify(
1529
+ object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
1530
+ signature: NodeJS.ArrayBufferView,
1531
+ ): boolean;
1532
+ verify(
1533
+ object: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
1534
+ signature: string,
1535
+ signature_format?: BinaryToTextEncoding,
1536
+ ): boolean;
1537
+ }
1538
+ /**
1539
+ * Creates a `DiffieHellman` key exchange object using the supplied `prime` and an
1540
+ * optional specific `generator`.
1541
+ *
1542
+ * The `generator` argument can be a number, string, or `Buffer`. If`generator` is not specified, the value `2` is used.
1543
+ *
1544
+ * If `primeEncoding` is specified, `prime` is expected to be a string; otherwise
1545
+ * a `Buffer`, `TypedArray`, or `DataView` is expected.
1546
+ *
1547
+ * If `generatorEncoding` is specified, `generator` is expected to be a string;
1548
+ * otherwise a number, `Buffer`, `TypedArray`, or `DataView` is expected.
1549
+ * @since v0.11.12
1550
+ * @param primeEncoding The `encoding` of the `prime` string.
1551
+ * @param [generator=2]
1552
+ * @param generatorEncoding The `encoding` of the `generator` string.
1553
+ */
1554
+ function createDiffieHellman(primeLength: number, generator?: number): DiffieHellman;
1555
+ function createDiffieHellman(
1556
+ prime: ArrayBuffer | NodeJS.ArrayBufferView,
1557
+ generator?: number | ArrayBuffer | NodeJS.ArrayBufferView,
1558
+ ): DiffieHellman;
1559
+ function createDiffieHellman(
1560
+ prime: ArrayBuffer | NodeJS.ArrayBufferView,
1561
+ generator: string,
1562
+ generatorEncoding: BinaryToTextEncoding,
1563
+ ): DiffieHellman;
1564
+ function createDiffieHellman(
1565
+ prime: string,
1566
+ primeEncoding: BinaryToTextEncoding,
1567
+ generator?: number | ArrayBuffer | NodeJS.ArrayBufferView,
1568
+ ): DiffieHellman;
1569
+ function createDiffieHellman(
1570
+ prime: string,
1571
+ primeEncoding: BinaryToTextEncoding,
1572
+ generator: string,
1573
+ generatorEncoding: BinaryToTextEncoding,
1574
+ ): DiffieHellman;
1575
+ /**
1576
+ * The `DiffieHellman` class is a utility for creating Diffie-Hellman key
1577
+ * exchanges.
1578
+ *
1579
+ * Instances of the `DiffieHellman` class can be created using the {@link createDiffieHellman} function.
1580
+ *
1581
+ * ```js
1582
+ * import assert from 'node:assert';
1583
+ *
1584
+ * const {
1585
+ * createDiffieHellman,
1586
+ * } = await import('node:crypto');
1587
+ *
1588
+ * // Generate Alice's keys...
1589
+ * const alice = createDiffieHellman(2048);
1590
+ * const aliceKey = alice.generateKeys();
1591
+ *
1592
+ * // Generate Bob's keys...
1593
+ * const bob = createDiffieHellman(alice.getPrime(), alice.getGenerator());
1594
+ * const bobKey = bob.generateKeys();
1595
+ *
1596
+ * // Exchange and generate the secret...
1597
+ * const aliceSecret = alice.computeSecret(bobKey);
1598
+ * const bobSecret = bob.computeSecret(aliceKey);
1599
+ *
1600
+ * // OK
1601
+ * assert.strictEqual(aliceSecret.toString('hex'), bobSecret.toString('hex'));
1602
+ * ```
1603
+ * @since v0.5.0
1604
+ */
1605
+ class DiffieHellman {
1606
+ private constructor();
1607
+ /**
1608
+ * Generates private and public Diffie-Hellman key values unless they have been
1609
+ * generated or computed already, and returns
1610
+ * the public key in the specified `encoding`. This key should be
1611
+ * transferred to the other party.
1612
+ * If `encoding` is provided a string is returned; otherwise a `Buffer` is returned.
1613
+ *
1614
+ * This function is a thin wrapper around [`DH_generate_key()`](https://www.openssl.org/docs/man3.0/man3/DH_generate_key.html). In particular,
1615
+ * once a private key has been generated or set, calling this function only updates
1616
+ * the public key but does not generate a new private key.
1617
+ * @since v0.5.0
1618
+ * @param encoding The `encoding` of the return value.
1619
+ */
1620
+ generateKeys(): Buffer;
1621
+ generateKeys(encoding: BinaryToTextEncoding): string;
1622
+ /**
1623
+ * Computes the shared secret using `otherPublicKey` as the other
1624
+ * party's public key and returns the computed shared secret. The supplied
1625
+ * key is interpreted using the specified `inputEncoding`, and secret is
1626
+ * encoded using specified `outputEncoding`.
1627
+ * If the `inputEncoding` is not
1628
+ * provided, `otherPublicKey` is expected to be a `Buffer`,`TypedArray`, or `DataView`.
1629
+ *
1630
+ * If `outputEncoding` is given a string is returned; otherwise, a `Buffer` is returned.
1631
+ * @since v0.5.0
1632
+ * @param inputEncoding The `encoding` of an `otherPublicKey` string.
1633
+ * @param outputEncoding The `encoding` of the return value.
1634
+ */
1635
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView, inputEncoding?: null, outputEncoding?: null): Buffer;
1636
+ computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding, outputEncoding?: null): Buffer;
1637
+ computeSecret(
1638
+ otherPublicKey: NodeJS.ArrayBufferView,
1639
+ inputEncoding: null,
1640
+ outputEncoding: BinaryToTextEncoding,
1641
+ ): string;
1642
+ computeSecret(
1643
+ otherPublicKey: string,
1644
+ inputEncoding: BinaryToTextEncoding,
1645
+ outputEncoding: BinaryToTextEncoding,
1646
+ ): string;
1647
+ /**
1648
+ * Returns the Diffie-Hellman prime in the specified `encoding`.
1649
+ * If `encoding` is provided a string is
1650
+ * returned; otherwise a `Buffer` is returned.
1651
+ * @since v0.5.0
1652
+ * @param encoding The `encoding` of the return value.
1653
+ */
1654
+ getPrime(): Buffer;
1655
+ getPrime(encoding: BinaryToTextEncoding): string;
1656
+ /**
1657
+ * Returns the Diffie-Hellman generator in the specified `encoding`.
1658
+ * If `encoding` is provided a string is
1659
+ * returned; otherwise a `Buffer` is returned.
1660
+ * @since v0.5.0
1661
+ * @param encoding The `encoding` of the return value.
1662
+ */
1663
+ getGenerator(): Buffer;
1664
+ getGenerator(encoding: BinaryToTextEncoding): string;
1665
+ /**
1666
+ * Returns the Diffie-Hellman public key in the specified `encoding`.
1667
+ * If `encoding` is provided a
1668
+ * string is returned; otherwise a `Buffer` is returned.
1669
+ * @since v0.5.0
1670
+ * @param encoding The `encoding` of the return value.
1671
+ */
1672
+ getPublicKey(): Buffer;
1673
+ getPublicKey(encoding: BinaryToTextEncoding): string;
1674
+ /**
1675
+ * Returns the Diffie-Hellman private key in the specified `encoding`.
1676
+ * If `encoding` is provided a
1677
+ * string is returned; otherwise a `Buffer` is returned.
1678
+ * @since v0.5.0
1679
+ * @param encoding The `encoding` of the return value.
1680
+ */
1681
+ getPrivateKey(): Buffer;
1682
+ getPrivateKey(encoding: BinaryToTextEncoding): string;
1683
+ /**
1684
+ * Sets the Diffie-Hellman public key. If the `encoding` argument is provided,`publicKey` is expected
1685
+ * to be a string. If no `encoding` is provided, `publicKey` is expected
1686
+ * to be a `Buffer`, `TypedArray`, or `DataView`.
1687
+ * @since v0.5.0
1688
+ * @param encoding The `encoding` of the `publicKey` string.
1689
+ */
1690
+ setPublicKey(publicKey: NodeJS.ArrayBufferView): void;
1691
+ setPublicKey(publicKey: string, encoding: BufferEncoding): void;
1692
+ /**
1693
+ * Sets the Diffie-Hellman private key. If the `encoding` argument is provided,`privateKey` is expected
1694
+ * to be a string. If no `encoding` is provided, `privateKey` is expected
1695
+ * to be a `Buffer`, `TypedArray`, or `DataView`.
1696
+ *
1697
+ * This function does not automatically compute the associated public key. Either `diffieHellman.setPublicKey()` or `diffieHellman.generateKeys()` can be
1698
+ * used to manually provide the public key or to automatically derive it.
1699
+ * @since v0.5.0
1700
+ * @param encoding The `encoding` of the `privateKey` string.
1701
+ */
1702
+ setPrivateKey(privateKey: NodeJS.ArrayBufferView): void;
1703
+ setPrivateKey(privateKey: string, encoding: BufferEncoding): void;
1704
+ /**
1705
+ * A bit field containing any warnings and/or errors resulting from a check
1706
+ * performed during initialization of the `DiffieHellman` object.
1707
+ *
1708
+ * The following values are valid for this property (as defined in `node:constants` module):
1709
+ *
1710
+ * * `DH_CHECK_P_NOT_SAFE_PRIME`
1711
+ * * `DH_CHECK_P_NOT_PRIME`
1712
+ * * `DH_UNABLE_TO_CHECK_GENERATOR`
1713
+ * * `DH_NOT_SUITABLE_GENERATOR`
1714
+ * @since v0.11.12
1715
+ */
1716
+ verifyError: number;
1717
+ }
1718
+ /**
1719
+ * The `DiffieHellmanGroup` class takes a well-known modp group as its argument.
1720
+ * It works the same as `DiffieHellman`, except that it does not allow changing its keys after creation.
1721
+ * In other words, it does not implement `setPublicKey()` or `setPrivateKey()` methods.
1722
+ *
1723
+ * ```js
1724
+ * const { createDiffieHellmanGroup } = await import('node:crypto');
1725
+ * const dh = createDiffieHellmanGroup('modp1');
1726
+ * ```
1727
+ * The name (e.g. `'modp1'`) is taken from [RFC 2412](https://www.rfc-editor.org/rfc/rfc2412.txt) (modp1 and 2) and [RFC 3526](https://www.rfc-editor.org/rfc/rfc3526.txt):
1728
+ * ```bash
1729
+ * $ perl -ne 'print "$1\n" if /"(modp\d+)"/' src/node_crypto_groups.h
1730
+ * modp1 # 768 bits
1731
+ * modp2 # 1024 bits
1732
+ * modp5 # 1536 bits
1733
+ * modp14 # 2048 bits
1734
+ * modp15 # etc.
1735
+ * modp16
1736
+ * modp17
1737
+ * modp18
1738
+ * ```
1739
+ * @since v0.7.5
1740
+ */
1741
+ const DiffieHellmanGroup: DiffieHellmanGroupConstructor;
1742
+ interface DiffieHellmanGroupConstructor {
1743
+ new(name: string): DiffieHellmanGroup;
1744
+ (name: string): DiffieHellmanGroup;
1745
+ readonly prototype: DiffieHellmanGroup;
1746
+ }
1747
+ type DiffieHellmanGroup = Omit<DiffieHellman, "setPublicKey" | "setPrivateKey">;
1748
+ /**
1749
+ * Creates a predefined `DiffieHellmanGroup` key exchange object. The
1750
+ * supported groups are listed in the documentation for `DiffieHellmanGroup`.
1751
+ *
1752
+ * The returned object mimics the interface of objects created by {@link createDiffieHellman}, but will not allow changing
1753
+ * the keys (with `diffieHellman.setPublicKey()`, for example). The
1754
+ * advantage of using this method is that the parties do not have to
1755
+ * generate nor exchange a group modulus beforehand, saving both processor
1756
+ * and communication time.
1757
+ *
1758
+ * Example (obtaining a shared secret):
1759
+ *
1760
+ * ```js
1761
+ * const {
1762
+ * getDiffieHellman,
1763
+ * } = await import('node:crypto');
1764
+ * const alice = getDiffieHellman('modp14');
1765
+ * const bob = getDiffieHellman('modp14');
1766
+ *
1767
+ * alice.generateKeys();
1768
+ * bob.generateKeys();
1769
+ *
1770
+ * const aliceSecret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
1771
+ * const bobSecret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
1772
+ *
1773
+ * // aliceSecret and bobSecret should be the same
1774
+ * console.log(aliceSecret === bobSecret);
1775
+ * ```
1776
+ * @since v0.7.5
1777
+ */
1778
+ function getDiffieHellman(groupName: string): DiffieHellmanGroup;
1779
+ /**
1780
+ * An alias for {@link getDiffieHellman}
1781
+ * @since v0.9.3
1782
+ */
1783
+ function createDiffieHellmanGroup(name: string): DiffieHellmanGroup;
1784
+ /**
1785
+ * Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
1786
+ * implementation. A selected HMAC digest algorithm specified by `digest` is
1787
+ * applied to derive a key of the requested byte length (`keylen`) from the`password`, `salt` and `iterations`.
1788
+ *
1789
+ * The supplied `callback` function is called with two arguments: `err` and`derivedKey`. If an error occurs while deriving the key, `err` will be set;
1790
+ * otherwise `err` will be `null`. By default, the successfully generated`derivedKey` will be passed to the callback as a `Buffer`. An error will be
1791
+ * thrown if any of the input arguments specify invalid values or types.
1792
+ *
1793
+ * The `iterations` argument must be a number set as high as possible. The
1794
+ * higher the number of iterations, the more secure the derived key will be,
1795
+ * but will take a longer amount of time to complete.
1796
+ *
1797
+ * The `salt` should be as unique as possible. It is recommended that a salt is
1798
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
1799
+ *
1800
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1801
+ *
1802
+ * ```js
1803
+ * const {
1804
+ * pbkdf2,
1805
+ * } = await import('node:crypto');
1806
+ *
1807
+ * pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
1808
+ * if (err) throw err;
1809
+ * console.log(derivedKey.toString('hex')); // '3745e48...08d59ae'
1810
+ * });
1811
+ * ```
1812
+ *
1813
+ * An array of supported digest functions can be retrieved using {@link getHashes}.
1814
+ *
1815
+ * This API uses libuv's threadpool, which can have surprising and
1816
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
1817
+ * @since v0.5.5
1818
+ */
1819
+ function pbkdf2(
1820
+ password: BinaryLike,
1821
+ salt: BinaryLike,
1822
+ iterations: number,
1823
+ keylen: number,
1824
+ digest: string,
1825
+ callback: (err: Error | null, derivedKey: Buffer) => void,
1826
+ ): void;
1827
+ /**
1828
+ * Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)
1829
+ * implementation. A selected HMAC digest algorithm specified by `digest` is
1830
+ * applied to derive a key of the requested byte length (`keylen`) from the`password`, `salt` and `iterations`.
1831
+ *
1832
+ * If an error occurs an `Error` will be thrown, otherwise the derived key will be
1833
+ * returned as a `Buffer`.
1834
+ *
1835
+ * The `iterations` argument must be a number set as high as possible. The
1836
+ * higher the number of iterations, the more secure the derived key will be,
1837
+ * but will take a longer amount of time to complete.
1838
+ *
1839
+ * The `salt` should be as unique as possible. It is recommended that a salt is
1840
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
1841
+ *
1842
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
1843
+ *
1844
+ * ```js
1845
+ * const {
1846
+ * pbkdf2Sync,
1847
+ * } = await import('node:crypto');
1848
+ *
1849
+ * const key = pbkdf2Sync('secret', 'salt', 100000, 64, 'sha512');
1850
+ * console.log(key.toString('hex')); // '3745e48...08d59ae'
1851
+ * ```
1852
+ *
1853
+ * An array of supported digest functions can be retrieved using {@link getHashes}.
1854
+ * @since v0.9.3
1855
+ */
1856
+ function pbkdf2Sync(
1857
+ password: BinaryLike,
1858
+ salt: BinaryLike,
1859
+ iterations: number,
1860
+ keylen: number,
1861
+ digest: string,
1862
+ ): Buffer;
1863
+ /**
1864
+ * Generates cryptographically strong pseudorandom data. The `size` argument
1865
+ * is a number indicating the number of bytes to generate.
1866
+ *
1867
+ * If a `callback` function is provided, the bytes are generated asynchronously
1868
+ * and the `callback` function is invoked with two arguments: `err` and `buf`.
1869
+ * If an error occurs, `err` will be an `Error` object; otherwise it is `null`. The`buf` argument is a `Buffer` containing the generated bytes.
1870
+ *
1871
+ * ```js
1872
+ * // Asynchronous
1873
+ * const {
1874
+ * randomBytes,
1875
+ * } = await import('node:crypto');
1876
+ *
1877
+ * randomBytes(256, (err, buf) => {
1878
+ * if (err) throw err;
1879
+ * console.log(`${buf.length} bytes of random data: ${buf.toString('hex')}`);
1880
+ * });
1881
+ * ```
1882
+ *
1883
+ * If the `callback` function is not provided, the random bytes are generated
1884
+ * synchronously and returned as a `Buffer`. An error will be thrown if
1885
+ * there is a problem generating the bytes.
1886
+ *
1887
+ * ```js
1888
+ * // Synchronous
1889
+ * const {
1890
+ * randomBytes,
1891
+ * } = await import('node:crypto');
1892
+ *
1893
+ * const buf = randomBytes(256);
1894
+ * console.log(
1895
+ * `${buf.length} bytes of random data: ${buf.toString('hex')}`);
1896
+ * ```
1897
+ *
1898
+ * The `crypto.randomBytes()` method will not complete until there is
1899
+ * sufficient entropy available.
1900
+ * This should normally never take longer than a few milliseconds. The only time
1901
+ * when generating the random bytes may conceivably block for a longer period of
1902
+ * time is right after boot, when the whole system is still low on entropy.
1903
+ *
1904
+ * This API uses libuv's threadpool, which can have surprising and
1905
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
1906
+ *
1907
+ * The asynchronous version of `crypto.randomBytes()` is carried out in a single
1908
+ * threadpool request. To minimize threadpool task length variation, partition
1909
+ * large `randomBytes` requests when doing so as part of fulfilling a client
1910
+ * request.
1911
+ * @since v0.5.8
1912
+ * @param size The number of bytes to generate. The `size` must not be larger than `2**31 - 1`.
1913
+ * @return if the `callback` function is not provided.
1914
+ */
1915
+ function randomBytes(size: number): Buffer;
1916
+ function randomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
1917
+ function pseudoRandomBytes(size: number): Buffer;
1918
+ function pseudoRandomBytes(size: number, callback: (err: Error | null, buf: Buffer) => void): void;
1919
+ /**
1920
+ * Return a random integer `n` such that `min <= n < max`. This
1921
+ * implementation avoids [modulo bias](https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias).
1922
+ *
1923
+ * The range (`max - min`) must be less than 2**48. `min` and `max` must
1924
+ * be [safe integers](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger).
1925
+ *
1926
+ * If the `callback` function is not provided, the random integer is
1927
+ * generated synchronously.
1928
+ *
1929
+ * ```js
1930
+ * // Asynchronous
1931
+ * const {
1932
+ * randomInt,
1933
+ * } = await import('node:crypto');
1934
+ *
1935
+ * randomInt(3, (err, n) => {
1936
+ * if (err) throw err;
1937
+ * console.log(`Random number chosen from (0, 1, 2): ${n}`);
1938
+ * });
1939
+ * ```
1940
+ *
1941
+ * ```js
1942
+ * // Synchronous
1943
+ * const {
1944
+ * randomInt,
1945
+ * } = await import('node:crypto');
1946
+ *
1947
+ * const n = randomInt(3);
1948
+ * console.log(`Random number chosen from (0, 1, 2): ${n}`);
1949
+ * ```
1950
+ *
1951
+ * ```js
1952
+ * // With `min` argument
1953
+ * const {
1954
+ * randomInt,
1955
+ * } = await import('node:crypto');
1956
+ *
1957
+ * const n = randomInt(1, 7);
1958
+ * console.log(`The dice rolled: ${n}`);
1959
+ * ```
1960
+ * @since v14.10.0, v12.19.0
1961
+ * @param [min=0] Start of random range (inclusive).
1962
+ * @param max End of random range (exclusive).
1963
+ * @param callback `function(err, n) {}`.
1964
+ */
1965
+ function randomInt(max: number): number;
1966
+ function randomInt(min: number, max: number): number;
1967
+ function randomInt(max: number, callback: (err: Error | null, value: number) => void): void;
1968
+ function randomInt(min: number, max: number, callback: (err: Error | null, value: number) => void): void;
1969
+ /**
1970
+ * Synchronous version of {@link randomFill}.
1971
+ *
1972
+ * ```js
1973
+ * import { Buffer } from 'node:buffer';
1974
+ * const { randomFillSync } = await import('node:crypto');
1975
+ *
1976
+ * const buf = Buffer.alloc(10);
1977
+ * console.log(randomFillSync(buf).toString('hex'));
1978
+ *
1979
+ * randomFillSync(buf, 5);
1980
+ * console.log(buf.toString('hex'));
1981
+ *
1982
+ * // The above is equivalent to the following:
1983
+ * randomFillSync(buf, 5, 5);
1984
+ * console.log(buf.toString('hex'));
1985
+ * ```
1986
+ *
1987
+ * Any `ArrayBuffer`, `TypedArray` or `DataView` instance may be passed as`buffer`.
1988
+ *
1989
+ * ```js
1990
+ * import { Buffer } from 'node:buffer';
1991
+ * const { randomFillSync } = await import('node:crypto');
1992
+ *
1993
+ * const a = new Uint32Array(10);
1994
+ * console.log(Buffer.from(randomFillSync(a).buffer,
1995
+ * a.byteOffset, a.byteLength).toString('hex'));
1996
+ *
1997
+ * const b = new DataView(new ArrayBuffer(10));
1998
+ * console.log(Buffer.from(randomFillSync(b).buffer,
1999
+ * b.byteOffset, b.byteLength).toString('hex'));
2000
+ *
2001
+ * const c = new ArrayBuffer(10);
2002
+ * console.log(Buffer.from(randomFillSync(c)).toString('hex'));
2003
+ * ```
2004
+ * @since v7.10.0, v6.13.0
2005
+ * @param buffer Must be supplied. The size of the provided `buffer` must not be larger than `2**31 - 1`.
2006
+ * @param [offset=0]
2007
+ * @param [size=buffer.length - offset]
2008
+ * @return The object passed as `buffer` argument.
2009
+ */
2010
+ function randomFillSync<T extends NodeJS.ArrayBufferView>(buffer: T, offset?: number, size?: number): T;
2011
+ /**
2012
+ * This function is similar to {@link randomBytes} but requires the first
2013
+ * argument to be a `Buffer` that will be filled. It also
2014
+ * requires that a callback is passed in.
2015
+ *
2016
+ * If the `callback` function is not provided, an error will be thrown.
2017
+ *
2018
+ * ```js
2019
+ * import { Buffer } from 'node:buffer';
2020
+ * const { randomFill } = await import('node:crypto');
2021
+ *
2022
+ * const buf = Buffer.alloc(10);
2023
+ * randomFill(buf, (err, buf) => {
2024
+ * if (err) throw err;
2025
+ * console.log(buf.toString('hex'));
2026
+ * });
2027
+ *
2028
+ * randomFill(buf, 5, (err, buf) => {
2029
+ * if (err) throw err;
2030
+ * console.log(buf.toString('hex'));
2031
+ * });
2032
+ *
2033
+ * // The above is equivalent to the following:
2034
+ * randomFill(buf, 5, 5, (err, buf) => {
2035
+ * if (err) throw err;
2036
+ * console.log(buf.toString('hex'));
2037
+ * });
2038
+ * ```
2039
+ *
2040
+ * Any `ArrayBuffer`, `TypedArray`, or `DataView` instance may be passed as`buffer`.
2041
+ *
2042
+ * While this includes instances of `Float32Array` and `Float64Array`, this
2043
+ * function should not be used to generate random floating-point numbers. The
2044
+ * result may contain `+Infinity`, `-Infinity`, and `NaN`, and even if the array
2045
+ * contains finite numbers only, they are not drawn from a uniform random
2046
+ * distribution and have no meaningful lower or upper bounds.
2047
+ *
2048
+ * ```js
2049
+ * import { Buffer } from 'node:buffer';
2050
+ * const { randomFill } = await import('node:crypto');
2051
+ *
2052
+ * const a = new Uint32Array(10);
2053
+ * randomFill(a, (err, buf) => {
2054
+ * if (err) throw err;
2055
+ * console.log(Buffer.from(buf.buffer, buf.byteOffset, buf.byteLength)
2056
+ * .toString('hex'));
2057
+ * });
2058
+ *
2059
+ * const b = new DataView(new ArrayBuffer(10));
2060
+ * randomFill(b, (err, buf) => {
2061
+ * if (err) throw err;
2062
+ * console.log(Buffer.from(buf.buffer, buf.byteOffset, buf.byteLength)
2063
+ * .toString('hex'));
2064
+ * });
2065
+ *
2066
+ * const c = new ArrayBuffer(10);
2067
+ * randomFill(c, (err, buf) => {
2068
+ * if (err) throw err;
2069
+ * console.log(Buffer.from(buf).toString('hex'));
2070
+ * });
2071
+ * ```
2072
+ *
2073
+ * This API uses libuv's threadpool, which can have surprising and
2074
+ * negative performance implications for some applications; see the `UV_THREADPOOL_SIZE` documentation for more information.
2075
+ *
2076
+ * The asynchronous version of `crypto.randomFill()` is carried out in a single
2077
+ * threadpool request. To minimize threadpool task length variation, partition
2078
+ * large `randomFill` requests when doing so as part of fulfilling a client
2079
+ * request.
2080
+ * @since v7.10.0, v6.13.0
2081
+ * @param buffer Must be supplied. The size of the provided `buffer` must not be larger than `2**31 - 1`.
2082
+ * @param [offset=0]
2083
+ * @param [size=buffer.length - offset]
2084
+ * @param callback `function(err, buf) {}`.
2085
+ */
2086
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2087
+ buffer: T,
2088
+ callback: (err: Error | null, buf: T) => void,
2089
+ ): void;
2090
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2091
+ buffer: T,
2092
+ offset: number,
2093
+ callback: (err: Error | null, buf: T) => void,
2094
+ ): void;
2095
+ function randomFill<T extends NodeJS.ArrayBufferView>(
2096
+ buffer: T,
2097
+ offset: number,
2098
+ size: number,
2099
+ callback: (err: Error | null, buf: T) => void,
2100
+ ): void;
2101
+ interface ScryptOptions {
2102
+ cost?: number | undefined;
2103
+ blockSize?: number | undefined;
2104
+ parallelization?: number | undefined;
2105
+ N?: number | undefined;
2106
+ r?: number | undefined;
2107
+ p?: number | undefined;
2108
+ maxmem?: number | undefined;
2109
+ }
2110
+ /**
2111
+ * Provides an asynchronous [scrypt](https://en.wikipedia.org/wiki/Scrypt) implementation. Scrypt is a password-based
2112
+ * key derivation function that is designed to be expensive computationally and
2113
+ * memory-wise in order to make brute-force attacks unrewarding.
2114
+ *
2115
+ * The `salt` should be as unique as possible. It is recommended that a salt is
2116
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
2117
+ *
2118
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
2119
+ *
2120
+ * The `callback` function is called with two arguments: `err` and `derivedKey`.`err` is an exception object when key derivation fails, otherwise `err` is`null`. `derivedKey` is passed to the
2121
+ * callback as a `Buffer`.
2122
+ *
2123
+ * An exception is thrown when any of the input arguments specify invalid values
2124
+ * or types.
2125
+ *
2126
+ * ```js
2127
+ * const {
2128
+ * scrypt,
2129
+ * } = await import('node:crypto');
2130
+ *
2131
+ * // Using the factory defaults.
2132
+ * scrypt('password', 'salt', 64, (err, derivedKey) => {
2133
+ * if (err) throw err;
2134
+ * console.log(derivedKey.toString('hex')); // '3745e48...08d59ae'
2135
+ * });
2136
+ * // Using a custom N parameter. Must be a power of two.
2137
+ * scrypt('password', 'salt', 64, { N: 1024 }, (err, derivedKey) => {
2138
+ * if (err) throw err;
2139
+ * console.log(derivedKey.toString('hex')); // '3745e48...aa39b34'
2140
+ * });
2141
+ * ```
2142
+ * @since v10.5.0
2143
+ */
2144
+ function scrypt(
2145
+ password: BinaryLike,
2146
+ salt: BinaryLike,
2147
+ keylen: number,
2148
+ callback: (err: Error | null, derivedKey: Buffer) => void,
2149
+ ): void;
2150
+ function scrypt(
2151
+ password: BinaryLike,
2152
+ salt: BinaryLike,
2153
+ keylen: number,
2154
+ options: ScryptOptions,
2155
+ callback: (err: Error | null, derivedKey: Buffer) => void,
2156
+ ): void;
2157
+ /**
2158
+ * Provides a synchronous [scrypt](https://en.wikipedia.org/wiki/Scrypt) implementation. Scrypt is a password-based
2159
+ * key derivation function that is designed to be expensive computationally and
2160
+ * memory-wise in order to make brute-force attacks unrewarding.
2161
+ *
2162
+ * The `salt` should be as unique as possible. It is recommended that a salt is
2163
+ * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
2164
+ *
2165
+ * When passing strings for `password` or `salt`, please consider `caveats when using strings as inputs to cryptographic APIs`.
2166
+ *
2167
+ * An exception is thrown when key derivation fails, otherwise the derived key is
2168
+ * returned as a `Buffer`.
2169
+ *
2170
+ * An exception is thrown when any of the input arguments specify invalid values
2171
+ * or types.
2172
+ *
2173
+ * ```js
2174
+ * const {
2175
+ * scryptSync,
2176
+ * } = await import('node:crypto');
2177
+ * // Using the factory defaults.
2178
+ *
2179
+ * const key1 = scryptSync('password', 'salt', 64);
2180
+ * console.log(key1.toString('hex')); // '3745e48...08d59ae'
2181
+ * // Using a custom N parameter. Must be a power of two.
2182
+ * const key2 = scryptSync('password', 'salt', 64, { N: 1024 });
2183
+ * console.log(key2.toString('hex')); // '3745e48...aa39b34'
2184
+ * ```
2185
+ * @since v10.5.0
2186
+ */
2187
+ function scryptSync(password: BinaryLike, salt: BinaryLike, keylen: number, options?: ScryptOptions): Buffer;
2188
+ interface RsaPublicKey {
2189
+ key: KeyLike;
2190
+ padding?: number | undefined;
2191
+ }
2192
+ interface RsaPrivateKey {
2193
+ key: KeyLike;
2194
+ passphrase?: string | undefined;
2195
+ /**
2196
+ * @default 'sha1'
2197
+ */
2198
+ oaepHash?: string | undefined;
2199
+ oaepLabel?: NodeJS.TypedArray | undefined;
2200
+ padding?: number | undefined;
2201
+ }
2202
+ /**
2203
+ * Encrypts the content of `buffer` with `key` and returns a new `Buffer` with encrypted content. The returned data can be decrypted using
2204
+ * the corresponding private key, for example using {@link privateDecrypt}.
2205
+ *
2206
+ * If `key` is not a `KeyObject`, this function behaves as if`key` had been passed to {@link createPublicKey}. If it is an
2207
+ * object, the `padding` property can be passed. Otherwise, this function uses`RSA_PKCS1_OAEP_PADDING`.
2208
+ *
2209
+ * Because RSA public keys can be derived from private keys, a private key may
2210
+ * be passed instead of a public key.
2211
+ * @since v0.11.14
2212
+ */
2213
+ function publicEncrypt(key: RsaPublicKey | RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2214
+ /**
2215
+ * Decrypts `buffer` with `key`.`buffer` was previously encrypted using
2216
+ * the corresponding private key, for example using {@link privateEncrypt}.
2217
+ *
2218
+ * If `key` is not a `KeyObject`, this function behaves as if`key` had been passed to {@link createPublicKey}. If it is an
2219
+ * object, the `padding` property can be passed. Otherwise, this function uses`RSA_PKCS1_PADDING`.
2220
+ *
2221
+ * Because RSA public keys can be derived from private keys, a private key may
2222
+ * be passed instead of a public key.
2223
+ * @since v1.1.0
2224
+ */
2225
+ function publicDecrypt(key: RsaPublicKey | RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2226
+ /**
2227
+ * Decrypts `buffer` with `privateKey`. `buffer` was previously encrypted using
2228
+ * the corresponding public key, for example using {@link publicEncrypt}.
2229
+ *
2230
+ * If `privateKey` is not a `KeyObject`, this function behaves as if`privateKey` had been passed to {@link createPrivateKey}. If it is an
2231
+ * object, the `padding` property can be passed. Otherwise, this function uses`RSA_PKCS1_OAEP_PADDING`.
2232
+ * @since v0.11.14
2233
+ */
2234
+ function privateDecrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2235
+ /**
2236
+ * Encrypts `buffer` with `privateKey`. The returned data can be decrypted using
2237
+ * the corresponding public key, for example using {@link publicDecrypt}.
2238
+ *
2239
+ * If `privateKey` is not a `KeyObject`, this function behaves as if`privateKey` had been passed to {@link createPrivateKey}. If it is an
2240
+ * object, the `padding` property can be passed. Otherwise, this function uses`RSA_PKCS1_PADDING`.
2241
+ * @since v1.1.0
2242
+ */
2243
+ function privateEncrypt(privateKey: RsaPrivateKey | KeyLike, buffer: NodeJS.ArrayBufferView): Buffer;
2244
+ /**
2245
+ * ```js
2246
+ * const {
2247
+ * getCiphers,
2248
+ * } = await import('node:crypto');
2249
+ *
2250
+ * console.log(getCiphers()); // ['aes-128-cbc', 'aes-128-ccm', ...]
2251
+ * ```
2252
+ * @since v0.9.3
2253
+ * @return An array with the names of the supported cipher algorithms.
2254
+ */
2255
+ function getCiphers(): string[];
2256
+ /**
2257
+ * ```js
2258
+ * const {
2259
+ * getCurves,
2260
+ * } = await import('node:crypto');
2261
+ *
2262
+ * console.log(getCurves()); // ['Oakley-EC2N-3', 'Oakley-EC2N-4', ...]
2263
+ * ```
2264
+ * @since v2.3.0
2265
+ * @return An array with the names of the supported elliptic curves.
2266
+ */
2267
+ function getCurves(): string[];
2268
+ /**
2269
+ * @since v10.0.0
2270
+ * @return `1` if and only if a FIPS compliant crypto provider is currently in use, `0` otherwise. A future semver-major release may change the return type of this API to a {boolean}.
2271
+ */
2272
+ function getFips(): 1 | 0;
2273
+ /**
2274
+ * Enables the FIPS compliant crypto provider in a FIPS-enabled Node.js build.
2275
+ * Throws an error if FIPS mode is not available.
2276
+ * @since v10.0.0
2277
+ * @param bool `true` to enable FIPS mode.
2278
+ */
2279
+ function setFips(bool: boolean): void;
2280
+ /**
2281
+ * ```js
2282
+ * const {
2283
+ * getHashes,
2284
+ * } = await import('node:crypto');
2285
+ *
2286
+ * console.log(getHashes()); // ['DSA', 'DSA-SHA', 'DSA-SHA1', ...]
2287
+ * ```
2288
+ * @since v0.9.3
2289
+ * @return An array of the names of the supported hash algorithms, such as `'RSA-SHA256'`. Hash algorithms are also called "digest" algorithms.
2290
+ */
2291
+ function getHashes(): string[];
2292
+ /**
2293
+ * The `ECDH` class is a utility for creating Elliptic Curve Diffie-Hellman (ECDH)
2294
+ * key exchanges.
2295
+ *
2296
+ * Instances of the `ECDH` class can be created using the {@link createECDH} function.
2297
+ *
2298
+ * ```js
2299
+ * import assert from 'node:assert';
2300
+ *
2301
+ * const {
2302
+ * createECDH,
2303
+ * } = await import('node:crypto');
2304
+ *
2305
+ * // Generate Alice's keys...
2306
+ * const alice = createECDH('secp521r1');
2307
+ * const aliceKey = alice.generateKeys();
2308
+ *
2309
+ * // Generate Bob's keys...
2310
+ * const bob = createECDH('secp521r1');
2311
+ * const bobKey = bob.generateKeys();
2312
+ *
2313
+ * // Exchange and generate the secret...
2314
+ * const aliceSecret = alice.computeSecret(bobKey);
2315
+ * const bobSecret = bob.computeSecret(aliceKey);
2316
+ *
2317
+ * assert.strictEqual(aliceSecret.toString('hex'), bobSecret.toString('hex'));
2318
+ * // OK
2319
+ * ```
2320
+ * @since v0.11.14
2321
+ */
2322
+ class ECDH {
2323
+ private constructor();
2324
+ /**
2325
+ * Converts the EC Diffie-Hellman public key specified by `key` and `curve` to the
2326
+ * format specified by `format`. The `format` argument specifies point encoding
2327
+ * and can be `'compressed'`, `'uncompressed'` or `'hybrid'`. The supplied key is
2328
+ * interpreted using the specified `inputEncoding`, and the returned key is encoded
2329
+ * using the specified `outputEncoding`.
2330
+ *
2331
+ * Use {@link getCurves} to obtain a list of available curve names.
2332
+ * On recent OpenSSL releases, `openssl ecparam -list_curves` will also display
2333
+ * the name and description of each available elliptic curve.
2334
+ *
2335
+ * If `format` is not specified the point will be returned in `'uncompressed'`format.
2336
+ *
2337
+ * If the `inputEncoding` is not provided, `key` is expected to be a `Buffer`,`TypedArray`, or `DataView`.
2338
+ *
2339
+ * Example (uncompressing a key):
2340
+ *
2341
+ * ```js
2342
+ * const {
2343
+ * createECDH,
2344
+ * ECDH,
2345
+ * } = await import('node:crypto');
2346
+ *
2347
+ * const ecdh = createECDH('secp256k1');
2348
+ * ecdh.generateKeys();
2349
+ *
2350
+ * const compressedKey = ecdh.getPublicKey('hex', 'compressed');
2351
+ *
2352
+ * const uncompressedKey = ECDH.convertKey(compressedKey,
2353
+ * 'secp256k1',
2354
+ * 'hex',
2355
+ * 'hex',
2356
+ * 'uncompressed');
2357
+ *
2358
+ * // The converted key and the uncompressed public key should be the same
2359
+ * console.log(uncompressedKey === ecdh.getPublicKey('hex'));
2360
+ * ```
2361
+ * @since v10.0.0
2362
+ * @param inputEncoding The `encoding` of the `key` string.
2363
+ * @param outputEncoding The `encoding` of the return value.
2364
+ * @param [format='uncompressed']
2365
+ */
2366
+ static convertKey(
2367
+ key: BinaryLike,
2368
+ curve: string,
2369
+ inputEncoding?: BinaryToTextEncoding,
2370
+ outputEncoding?: "latin1" | "hex" | "base64" | "base64url",
2371
+ format?: "uncompressed" | "compressed" | "hybrid",
2372
+ ): Buffer | string;
2373
+ /**
2374
+ * Generates private and public EC Diffie-Hellman key values, and returns
2375
+ * the public key in the specified `format` and `encoding`. This key should be
2376
+ * transferred to the other party.
2377
+ *
2378
+ * The `format` argument specifies point encoding and can be `'compressed'` or`'uncompressed'`. If `format` is not specified, the point will be returned in`'uncompressed'` format.
2379
+ *
2380
+ * If `encoding` is provided a string is returned; otherwise a `Buffer` is returned.
2381
+ * @since v0.11.14
2382
+ * @param encoding The `encoding` of the return value.
2383
+ * @param [format='uncompressed']
2384
+ */
2385
+ generateKeys(): Buffer;
2386
+ generateKeys(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
2387
+ /**
2388
+ * Computes the shared secret using `otherPublicKey` as the other
2389
+ * party's public key and returns the computed shared secret. The supplied
2390
+ * key is interpreted using specified `inputEncoding`, and the returned secret
2391
+ * is encoded using the specified `outputEncoding`.
2392
+ * If the `inputEncoding` is not
2393
+ * provided, `otherPublicKey` is expected to be a `Buffer`, `TypedArray`, or`DataView`.
2394
+ *
2395
+ * If `outputEncoding` is given a string will be returned; otherwise a `Buffer` is returned.
2396
+ *
2397
+ * `ecdh.computeSecret` will throw an`ERR_CRYPTO_ECDH_INVALID_PUBLIC_KEY` error when `otherPublicKey`lies outside of the elliptic curve. Since `otherPublicKey` is
2398
+ * usually supplied from a remote user over an insecure network,
2399
+ * be sure to handle this exception accordingly.
2400
+ * @since v0.11.14
2401
+ * @param inputEncoding The `encoding` of the `otherPublicKey` string.
2402
+ * @param outputEncoding The `encoding` of the return value.
2403
+ */
2404
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView): Buffer;
2405
+ computeSecret(otherPublicKey: string, inputEncoding: BinaryToTextEncoding): Buffer;
2406
+ computeSecret(otherPublicKey: NodeJS.ArrayBufferView, outputEncoding: BinaryToTextEncoding): string;
2407
+ computeSecret(
2408
+ otherPublicKey: string,
2409
+ inputEncoding: BinaryToTextEncoding,
2410
+ outputEncoding: BinaryToTextEncoding,
2411
+ ): string;
2412
+ /**
2413
+ * If `encoding` is specified, a string is returned; otherwise a `Buffer` is
2414
+ * returned.
2415
+ * @since v0.11.14
2416
+ * @param encoding The `encoding` of the return value.
2417
+ * @return The EC Diffie-Hellman in the specified `encoding`.
2418
+ */
2419
+ getPrivateKey(): Buffer;
2420
+ getPrivateKey(encoding: BinaryToTextEncoding): string;
2421
+ /**
2422
+ * The `format` argument specifies point encoding and can be `'compressed'` or`'uncompressed'`. If `format` is not specified the point will be returned in`'uncompressed'` format.
2423
+ *
2424
+ * If `encoding` is specified, a string is returned; otherwise a `Buffer` is
2425
+ * returned.
2426
+ * @since v0.11.14
2427
+ * @param encoding The `encoding` of the return value.
2428
+ * @param [format='uncompressed']
2429
+ * @return The EC Diffie-Hellman public key in the specified `encoding` and `format`.
2430
+ */
2431
+ getPublicKey(encoding?: null, format?: ECDHKeyFormat): Buffer;
2432
+ getPublicKey(encoding: BinaryToTextEncoding, format?: ECDHKeyFormat): string;
2433
+ /**
2434
+ * Sets the EC Diffie-Hellman private key.
2435
+ * If `encoding` is provided, `privateKey` is expected
2436
+ * to be a string; otherwise `privateKey` is expected to be a `Buffer`,`TypedArray`, or `DataView`.
2437
+ *
2438
+ * If `privateKey` is not valid for the curve specified when the `ECDH` object was
2439
+ * created, an error is thrown. Upon setting the private key, the associated
2440
+ * public point (key) is also generated and set in the `ECDH` object.
2441
+ * @since v0.11.14
2442
+ * @param encoding The `encoding` of the `privateKey` string.
2443
+ */
2444
+ setPrivateKey(privateKey: NodeJS.ArrayBufferView): void;
2445
+ setPrivateKey(privateKey: string, encoding: BinaryToTextEncoding): void;
2446
+ }
2447
+ /**
2448
+ * Creates an Elliptic Curve Diffie-Hellman (`ECDH`) key exchange object using a
2449
+ * predefined curve specified by the `curveName` string. Use {@link getCurves} to obtain a list of available curve names. On recent
2450
+ * OpenSSL releases, `openssl ecparam -list_curves` will also display the name
2451
+ * and description of each available elliptic curve.
2452
+ * @since v0.11.14
2453
+ */
2454
+ function createECDH(curveName: string): ECDH;
2455
+ /**
2456
+ * This function compares the underlying bytes that represent the given`ArrayBuffer`, `TypedArray`, or `DataView` instances using a constant-time
2457
+ * algorithm.
2458
+ *
2459
+ * This function does not leak timing information that
2460
+ * would allow an attacker to guess one of the values. This is suitable for
2461
+ * comparing HMAC digests or secret values like authentication cookies or [capability urls](https://www.w3.org/TR/capability-urls/).
2462
+ *
2463
+ * `a` and `b` must both be `Buffer`s, `TypedArray`s, or `DataView`s, and they
2464
+ * must have the same byte length. An error is thrown if `a` and `b` have
2465
+ * different byte lengths.
2466
+ *
2467
+ * If at least one of `a` and `b` is a `TypedArray` with more than one byte per
2468
+ * entry, such as `Uint16Array`, the result will be computed using the platform
2469
+ * byte order.
2470
+ *
2471
+ * **When both of the inputs are `Float32Array`s or`Float64Array`s, this function might return unexpected results due to IEEE 754**
2472
+ * **encoding of floating-point numbers. In particular, neither `x === y` nor`Object.is(x, y)` implies that the byte representations of two floating-point**
2473
+ * **numbers `x` and `y` are equal.**
2474
+ *
2475
+ * Use of `crypto.timingSafeEqual` does not guarantee that the _surrounding_ code
2476
+ * is timing-safe. Care should be taken to ensure that the surrounding code does
2477
+ * not introduce timing vulnerabilities.
2478
+ * @since v6.6.0
2479
+ */
2480
+ function timingSafeEqual(a: NodeJS.ArrayBufferView, b: NodeJS.ArrayBufferView): boolean;
2481
+ type KeyType = "rsa" | "rsa-pss" | "dsa" | "ec" | "ed25519" | "ed448" | "x25519" | "x448";
2482
+ type KeyFormat = "pem" | "der" | "jwk";
2483
+ interface BasePrivateKeyEncodingOptions<T extends KeyFormat> {
2484
+ format: T;
2485
+ cipher?: string | undefined;
2486
+ passphrase?: string | undefined;
2487
+ }
2488
+ interface KeyPairKeyObjectResult {
2489
+ publicKey: KeyObject;
2490
+ privateKey: KeyObject;
2491
+ }
2492
+ interface ED25519KeyPairKeyObjectOptions {}
2493
+ interface ED448KeyPairKeyObjectOptions {}
2494
+ interface X25519KeyPairKeyObjectOptions {}
2495
+ interface X448KeyPairKeyObjectOptions {}
2496
+ interface ECKeyPairKeyObjectOptions {
2497
+ /**
2498
+ * Name of the curve to use
2499
+ */
2500
+ namedCurve: string;
2501
+ /**
2502
+ * Must be `'named'` or `'explicit'`. Default: `'named'`.
2503
+ */
2504
+ paramEncoding?: "explicit" | "named" | undefined;
2505
+ }
2506
+ interface RSAKeyPairKeyObjectOptions {
2507
+ /**
2508
+ * Key size in bits
2509
+ */
2510
+ modulusLength: number;
2511
+ /**
2512
+ * Public exponent
2513
+ * @default 0x10001
2514
+ */
2515
+ publicExponent?: number | undefined;
2516
+ }
2517
+ interface RSAPSSKeyPairKeyObjectOptions {
2518
+ /**
2519
+ * Key size in bits
2520
+ */
2521
+ modulusLength: number;
2522
+ /**
2523
+ * Public exponent
2524
+ * @default 0x10001
2525
+ */
2526
+ publicExponent?: number | undefined;
2527
+ /**
2528
+ * Name of the message digest
2529
+ */
2530
+ hashAlgorithm?: string;
2531
+ /**
2532
+ * Name of the message digest used by MGF1
2533
+ */
2534
+ mgf1HashAlgorithm?: string;
2535
+ /**
2536
+ * Minimal salt length in bytes
2537
+ */
2538
+ saltLength?: string;
2539
+ }
2540
+ interface DSAKeyPairKeyObjectOptions {
2541
+ /**
2542
+ * Key size in bits
2543
+ */
2544
+ modulusLength: number;
2545
+ /**
2546
+ * Size of q in bits
2547
+ */
2548
+ divisorLength: number;
2549
+ }
2550
+ interface RSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2551
+ /**
2552
+ * Key size in bits
2553
+ */
2554
+ modulusLength: number;
2555
+ /**
2556
+ * Public exponent
2557
+ * @default 0x10001
2558
+ */
2559
+ publicExponent?: number | undefined;
2560
+ publicKeyEncoding: {
2561
+ type: "pkcs1" | "spki";
2562
+ format: PubF;
2563
+ };
2564
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2565
+ type: "pkcs1" | "pkcs8";
2566
+ };
2567
+ }
2568
+ interface RSAPSSKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2569
+ /**
2570
+ * Key size in bits
2571
+ */
2572
+ modulusLength: number;
2573
+ /**
2574
+ * Public exponent
2575
+ * @default 0x10001
2576
+ */
2577
+ publicExponent?: number | undefined;
2578
+ /**
2579
+ * Name of the message digest
2580
+ */
2581
+ hashAlgorithm?: string;
2582
+ /**
2583
+ * Name of the message digest used by MGF1
2584
+ */
2585
+ mgf1HashAlgorithm?: string;
2586
+ /**
2587
+ * Minimal salt length in bytes
2588
+ */
2589
+ saltLength?: string;
2590
+ publicKeyEncoding: {
2591
+ type: "spki";
2592
+ format: PubF;
2593
+ };
2594
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2595
+ type: "pkcs8";
2596
+ };
2597
+ }
2598
+ interface DSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2599
+ /**
2600
+ * Key size in bits
2601
+ */
2602
+ modulusLength: number;
2603
+ /**
2604
+ * Size of q in bits
2605
+ */
2606
+ divisorLength: number;
2607
+ publicKeyEncoding: {
2608
+ type: "spki";
2609
+ format: PubF;
2610
+ };
2611
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2612
+ type: "pkcs8";
2613
+ };
2614
+ }
2615
+ interface ECKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> extends ECKeyPairKeyObjectOptions {
2616
+ publicKeyEncoding: {
2617
+ type: "pkcs1" | "spki";
2618
+ format: PubF;
2619
+ };
2620
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2621
+ type: "sec1" | "pkcs8";
2622
+ };
2623
+ }
2624
+ interface ED25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2625
+ publicKeyEncoding: {
2626
+ type: "spki";
2627
+ format: PubF;
2628
+ };
2629
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2630
+ type: "pkcs8";
2631
+ };
2632
+ }
2633
+ interface ED448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2634
+ publicKeyEncoding: {
2635
+ type: "spki";
2636
+ format: PubF;
2637
+ };
2638
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2639
+ type: "pkcs8";
2640
+ };
2641
+ }
2642
+ interface X25519KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2643
+ publicKeyEncoding: {
2644
+ type: "spki";
2645
+ format: PubF;
2646
+ };
2647
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2648
+ type: "pkcs8";
2649
+ };
2650
+ }
2651
+ interface X448KeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
2652
+ publicKeyEncoding: {
2653
+ type: "spki";
2654
+ format: PubF;
2655
+ };
2656
+ privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
2657
+ type: "pkcs8";
2658
+ };
2659
+ }
2660
+ interface KeyPairSyncResult<T1 extends string | Buffer, T2 extends string | Buffer> {
2661
+ publicKey: T1;
2662
+ privateKey: T2;
2663
+ }
2664
+ /**
2665
+ * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
2666
+ * Ed25519, Ed448, X25519, X448, and DH are currently supported.
2667
+ *
2668
+ * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
2669
+ * behaves as if `keyObject.export()` had been called on its result. Otherwise,
2670
+ * the respective part of the key is returned as a `KeyObject`.
2671
+ *
2672
+ * When encoding public keys, it is recommended to use `'spki'`. When encoding
2673
+ * private keys, it is recommended to use `'pkcs8'` with a strong passphrase,
2674
+ * and to keep the passphrase confidential.
2675
+ *
2676
+ * ```js
2677
+ * const {
2678
+ * generateKeyPairSync,
2679
+ * } = await import('node:crypto');
2680
+ *
2681
+ * const {
2682
+ * publicKey,
2683
+ * privateKey,
2684
+ * } = generateKeyPairSync('rsa', {
2685
+ * modulusLength: 4096,
2686
+ * publicKeyEncoding: {
2687
+ * type: 'spki',
2688
+ * format: 'pem',
2689
+ * },
2690
+ * privateKeyEncoding: {
2691
+ * type: 'pkcs8',
2692
+ * format: 'pem',
2693
+ * cipher: 'aes-256-cbc',
2694
+ * passphrase: 'top secret',
2695
+ * },
2696
+ * });
2697
+ * ```
2698
+ *
2699
+ * The return value `{ publicKey, privateKey }` represents the generated key pair.
2700
+ * When PEM encoding was selected, the respective key will be a string, otherwise
2701
+ * it will be a buffer containing the data encoded as DER.
2702
+ * @since v10.12.0
2703
+ * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
2704
+ */
2705
+ function generateKeyPairSync(
2706
+ type: "rsa",
2707
+ options: RSAKeyPairOptions<"pem", "pem">,
2708
+ ): KeyPairSyncResult<string, string>;
2709
+ function generateKeyPairSync(
2710
+ type: "rsa",
2711
+ options: RSAKeyPairOptions<"pem", "der">,
2712
+ ): KeyPairSyncResult<string, Buffer>;
2713
+ function generateKeyPairSync(
2714
+ type: "rsa",
2715
+ options: RSAKeyPairOptions<"der", "pem">,
2716
+ ): KeyPairSyncResult<Buffer, string>;
2717
+ function generateKeyPairSync(
2718
+ type: "rsa",
2719
+ options: RSAKeyPairOptions<"der", "der">,
2720
+ ): KeyPairSyncResult<Buffer, Buffer>;
2721
+ function generateKeyPairSync(type: "rsa", options: RSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2722
+ function generateKeyPairSync(
2723
+ type: "rsa-pss",
2724
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
2725
+ ): KeyPairSyncResult<string, string>;
2726
+ function generateKeyPairSync(
2727
+ type: "rsa-pss",
2728
+ options: RSAPSSKeyPairOptions<"pem", "der">,
2729
+ ): KeyPairSyncResult<string, Buffer>;
2730
+ function generateKeyPairSync(
2731
+ type: "rsa-pss",
2732
+ options: RSAPSSKeyPairOptions<"der", "pem">,
2733
+ ): KeyPairSyncResult<Buffer, string>;
2734
+ function generateKeyPairSync(
2735
+ type: "rsa-pss",
2736
+ options: RSAPSSKeyPairOptions<"der", "der">,
2737
+ ): KeyPairSyncResult<Buffer, Buffer>;
2738
+ function generateKeyPairSync(type: "rsa-pss", options: RSAPSSKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2739
+ function generateKeyPairSync(
2740
+ type: "dsa",
2741
+ options: DSAKeyPairOptions<"pem", "pem">,
2742
+ ): KeyPairSyncResult<string, string>;
2743
+ function generateKeyPairSync(
2744
+ type: "dsa",
2745
+ options: DSAKeyPairOptions<"pem", "der">,
2746
+ ): KeyPairSyncResult<string, Buffer>;
2747
+ function generateKeyPairSync(
2748
+ type: "dsa",
2749
+ options: DSAKeyPairOptions<"der", "pem">,
2750
+ ): KeyPairSyncResult<Buffer, string>;
2751
+ function generateKeyPairSync(
2752
+ type: "dsa",
2753
+ options: DSAKeyPairOptions<"der", "der">,
2754
+ ): KeyPairSyncResult<Buffer, Buffer>;
2755
+ function generateKeyPairSync(type: "dsa", options: DSAKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2756
+ function generateKeyPairSync(
2757
+ type: "ec",
2758
+ options: ECKeyPairOptions<"pem", "pem">,
2759
+ ): KeyPairSyncResult<string, string>;
2760
+ function generateKeyPairSync(
2761
+ type: "ec",
2762
+ options: ECKeyPairOptions<"pem", "der">,
2763
+ ): KeyPairSyncResult<string, Buffer>;
2764
+ function generateKeyPairSync(
2765
+ type: "ec",
2766
+ options: ECKeyPairOptions<"der", "pem">,
2767
+ ): KeyPairSyncResult<Buffer, string>;
2768
+ function generateKeyPairSync(
2769
+ type: "ec",
2770
+ options: ECKeyPairOptions<"der", "der">,
2771
+ ): KeyPairSyncResult<Buffer, Buffer>;
2772
+ function generateKeyPairSync(type: "ec", options: ECKeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2773
+ function generateKeyPairSync(
2774
+ type: "ed25519",
2775
+ options: ED25519KeyPairOptions<"pem", "pem">,
2776
+ ): KeyPairSyncResult<string, string>;
2777
+ function generateKeyPairSync(
2778
+ type: "ed25519",
2779
+ options: ED25519KeyPairOptions<"pem", "der">,
2780
+ ): KeyPairSyncResult<string, Buffer>;
2781
+ function generateKeyPairSync(
2782
+ type: "ed25519",
2783
+ options: ED25519KeyPairOptions<"der", "pem">,
2784
+ ): KeyPairSyncResult<Buffer, string>;
2785
+ function generateKeyPairSync(
2786
+ type: "ed25519",
2787
+ options: ED25519KeyPairOptions<"der", "der">,
2788
+ ): KeyPairSyncResult<Buffer, Buffer>;
2789
+ function generateKeyPairSync(type: "ed25519", options?: ED25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2790
+ function generateKeyPairSync(
2791
+ type: "ed448",
2792
+ options: ED448KeyPairOptions<"pem", "pem">,
2793
+ ): KeyPairSyncResult<string, string>;
2794
+ function generateKeyPairSync(
2795
+ type: "ed448",
2796
+ options: ED448KeyPairOptions<"pem", "der">,
2797
+ ): KeyPairSyncResult<string, Buffer>;
2798
+ function generateKeyPairSync(
2799
+ type: "ed448",
2800
+ options: ED448KeyPairOptions<"der", "pem">,
2801
+ ): KeyPairSyncResult<Buffer, string>;
2802
+ function generateKeyPairSync(
2803
+ type: "ed448",
2804
+ options: ED448KeyPairOptions<"der", "der">,
2805
+ ): KeyPairSyncResult<Buffer, Buffer>;
2806
+ function generateKeyPairSync(type: "ed448", options?: ED448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2807
+ function generateKeyPairSync(
2808
+ type: "x25519",
2809
+ options: X25519KeyPairOptions<"pem", "pem">,
2810
+ ): KeyPairSyncResult<string, string>;
2811
+ function generateKeyPairSync(
2812
+ type: "x25519",
2813
+ options: X25519KeyPairOptions<"pem", "der">,
2814
+ ): KeyPairSyncResult<string, Buffer>;
2815
+ function generateKeyPairSync(
2816
+ type: "x25519",
2817
+ options: X25519KeyPairOptions<"der", "pem">,
2818
+ ): KeyPairSyncResult<Buffer, string>;
2819
+ function generateKeyPairSync(
2820
+ type: "x25519",
2821
+ options: X25519KeyPairOptions<"der", "der">,
2822
+ ): KeyPairSyncResult<Buffer, Buffer>;
2823
+ function generateKeyPairSync(type: "x25519", options?: X25519KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2824
+ function generateKeyPairSync(
2825
+ type: "x448",
2826
+ options: X448KeyPairOptions<"pem", "pem">,
2827
+ ): KeyPairSyncResult<string, string>;
2828
+ function generateKeyPairSync(
2829
+ type: "x448",
2830
+ options: X448KeyPairOptions<"pem", "der">,
2831
+ ): KeyPairSyncResult<string, Buffer>;
2832
+ function generateKeyPairSync(
2833
+ type: "x448",
2834
+ options: X448KeyPairOptions<"der", "pem">,
2835
+ ): KeyPairSyncResult<Buffer, string>;
2836
+ function generateKeyPairSync(
2837
+ type: "x448",
2838
+ options: X448KeyPairOptions<"der", "der">,
2839
+ ): KeyPairSyncResult<Buffer, Buffer>;
2840
+ function generateKeyPairSync(type: "x448", options?: X448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
2841
+ /**
2842
+ * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
2843
+ * Ed25519, Ed448, X25519, X448, and DH are currently supported.
2844
+ *
2845
+ * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
2846
+ * behaves as if `keyObject.export()` had been called on its result. Otherwise,
2847
+ * the respective part of the key is returned as a `KeyObject`.
2848
+ *
2849
+ * It is recommended to encode public keys as `'spki'` and private keys as`'pkcs8'` with encryption for long-term storage:
2850
+ *
2851
+ * ```js
2852
+ * const {
2853
+ * generateKeyPair,
2854
+ * } = await import('node:crypto');
2855
+ *
2856
+ * generateKeyPair('rsa', {
2857
+ * modulusLength: 4096,
2858
+ * publicKeyEncoding: {
2859
+ * type: 'spki',
2860
+ * format: 'pem',
2861
+ * },
2862
+ * privateKeyEncoding: {
2863
+ * type: 'pkcs8',
2864
+ * format: 'pem',
2865
+ * cipher: 'aes-256-cbc',
2866
+ * passphrase: 'top secret',
2867
+ * },
2868
+ * }, (err, publicKey, privateKey) => {
2869
+ * // Handle errors and use the generated key pair.
2870
+ * });
2871
+ * ```
2872
+ *
2873
+ * On completion, `callback` will be called with `err` set to `undefined` and`publicKey` / `privateKey` representing the generated key pair.
2874
+ *
2875
+ * If this method is invoked as its `util.promisify()` ed version, it returns
2876
+ * a `Promise` for an `Object` with `publicKey` and `privateKey` properties.
2877
+ * @since v10.12.0
2878
+ * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
2879
+ */
2880
+ function generateKeyPair(
2881
+ type: "rsa",
2882
+ options: RSAKeyPairOptions<"pem", "pem">,
2883
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2884
+ ): void;
2885
+ function generateKeyPair(
2886
+ type: "rsa",
2887
+ options: RSAKeyPairOptions<"pem", "der">,
2888
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2889
+ ): void;
2890
+ function generateKeyPair(
2891
+ type: "rsa",
2892
+ options: RSAKeyPairOptions<"der", "pem">,
2893
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2894
+ ): void;
2895
+ function generateKeyPair(
2896
+ type: "rsa",
2897
+ options: RSAKeyPairOptions<"der", "der">,
2898
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2899
+ ): void;
2900
+ function generateKeyPair(
2901
+ type: "rsa",
2902
+ options: RSAKeyPairKeyObjectOptions,
2903
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2904
+ ): void;
2905
+ function generateKeyPair(
2906
+ type: "rsa-pss",
2907
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
2908
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2909
+ ): void;
2910
+ function generateKeyPair(
2911
+ type: "rsa-pss",
2912
+ options: RSAPSSKeyPairOptions<"pem", "der">,
2913
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2914
+ ): void;
2915
+ function generateKeyPair(
2916
+ type: "rsa-pss",
2917
+ options: RSAPSSKeyPairOptions<"der", "pem">,
2918
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2919
+ ): void;
2920
+ function generateKeyPair(
2921
+ type: "rsa-pss",
2922
+ options: RSAPSSKeyPairOptions<"der", "der">,
2923
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2924
+ ): void;
2925
+ function generateKeyPair(
2926
+ type: "rsa-pss",
2927
+ options: RSAPSSKeyPairKeyObjectOptions,
2928
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2929
+ ): void;
2930
+ function generateKeyPair(
2931
+ type: "dsa",
2932
+ options: DSAKeyPairOptions<"pem", "pem">,
2933
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2934
+ ): void;
2935
+ function generateKeyPair(
2936
+ type: "dsa",
2937
+ options: DSAKeyPairOptions<"pem", "der">,
2938
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2939
+ ): void;
2940
+ function generateKeyPair(
2941
+ type: "dsa",
2942
+ options: DSAKeyPairOptions<"der", "pem">,
2943
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2944
+ ): void;
2945
+ function generateKeyPair(
2946
+ type: "dsa",
2947
+ options: DSAKeyPairOptions<"der", "der">,
2948
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2949
+ ): void;
2950
+ function generateKeyPair(
2951
+ type: "dsa",
2952
+ options: DSAKeyPairKeyObjectOptions,
2953
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2954
+ ): void;
2955
+ function generateKeyPair(
2956
+ type: "ec",
2957
+ options: ECKeyPairOptions<"pem", "pem">,
2958
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2959
+ ): void;
2960
+ function generateKeyPair(
2961
+ type: "ec",
2962
+ options: ECKeyPairOptions<"pem", "der">,
2963
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2964
+ ): void;
2965
+ function generateKeyPair(
2966
+ type: "ec",
2967
+ options: ECKeyPairOptions<"der", "pem">,
2968
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2969
+ ): void;
2970
+ function generateKeyPair(
2971
+ type: "ec",
2972
+ options: ECKeyPairOptions<"der", "der">,
2973
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2974
+ ): void;
2975
+ function generateKeyPair(
2976
+ type: "ec",
2977
+ options: ECKeyPairKeyObjectOptions,
2978
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
2979
+ ): void;
2980
+ function generateKeyPair(
2981
+ type: "ed25519",
2982
+ options: ED25519KeyPairOptions<"pem", "pem">,
2983
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
2984
+ ): void;
2985
+ function generateKeyPair(
2986
+ type: "ed25519",
2987
+ options: ED25519KeyPairOptions<"pem", "der">,
2988
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
2989
+ ): void;
2990
+ function generateKeyPair(
2991
+ type: "ed25519",
2992
+ options: ED25519KeyPairOptions<"der", "pem">,
2993
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
2994
+ ): void;
2995
+ function generateKeyPair(
2996
+ type: "ed25519",
2997
+ options: ED25519KeyPairOptions<"der", "der">,
2998
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
2999
+ ): void;
3000
+ function generateKeyPair(
3001
+ type: "ed25519",
3002
+ options: ED25519KeyPairKeyObjectOptions | undefined,
3003
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3004
+ ): void;
3005
+ function generateKeyPair(
3006
+ type: "ed448",
3007
+ options: ED448KeyPairOptions<"pem", "pem">,
3008
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3009
+ ): void;
3010
+ function generateKeyPair(
3011
+ type: "ed448",
3012
+ options: ED448KeyPairOptions<"pem", "der">,
3013
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3014
+ ): void;
3015
+ function generateKeyPair(
3016
+ type: "ed448",
3017
+ options: ED448KeyPairOptions<"der", "pem">,
3018
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3019
+ ): void;
3020
+ function generateKeyPair(
3021
+ type: "ed448",
3022
+ options: ED448KeyPairOptions<"der", "der">,
3023
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3024
+ ): void;
3025
+ function generateKeyPair(
3026
+ type: "ed448",
3027
+ options: ED448KeyPairKeyObjectOptions | undefined,
3028
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3029
+ ): void;
3030
+ function generateKeyPair(
3031
+ type: "x25519",
3032
+ options: X25519KeyPairOptions<"pem", "pem">,
3033
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3034
+ ): void;
3035
+ function generateKeyPair(
3036
+ type: "x25519",
3037
+ options: X25519KeyPairOptions<"pem", "der">,
3038
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3039
+ ): void;
3040
+ function generateKeyPair(
3041
+ type: "x25519",
3042
+ options: X25519KeyPairOptions<"der", "pem">,
3043
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3044
+ ): void;
3045
+ function generateKeyPair(
3046
+ type: "x25519",
3047
+ options: X25519KeyPairOptions<"der", "der">,
3048
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3049
+ ): void;
3050
+ function generateKeyPair(
3051
+ type: "x25519",
3052
+ options: X25519KeyPairKeyObjectOptions | undefined,
3053
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3054
+ ): void;
3055
+ function generateKeyPair(
3056
+ type: "x448",
3057
+ options: X448KeyPairOptions<"pem", "pem">,
3058
+ callback: (err: Error | null, publicKey: string, privateKey: string) => void,
3059
+ ): void;
3060
+ function generateKeyPair(
3061
+ type: "x448",
3062
+ options: X448KeyPairOptions<"pem", "der">,
3063
+ callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
3064
+ ): void;
3065
+ function generateKeyPair(
3066
+ type: "x448",
3067
+ options: X448KeyPairOptions<"der", "pem">,
3068
+ callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
3069
+ ): void;
3070
+ function generateKeyPair(
3071
+ type: "x448",
3072
+ options: X448KeyPairOptions<"der", "der">,
3073
+ callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
3074
+ ): void;
3075
+ function generateKeyPair(
3076
+ type: "x448",
3077
+ options: X448KeyPairKeyObjectOptions | undefined,
3078
+ callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
3079
+ ): void;
3080
+ namespace generateKeyPair {
3081
+ function __promisify__(
3082
+ type: "rsa",
3083
+ options: RSAKeyPairOptions<"pem", "pem">,
3084
+ ): Promise<{
3085
+ publicKey: string;
3086
+ privateKey: string;
3087
+ }>;
3088
+ function __promisify__(
3089
+ type: "rsa",
3090
+ options: RSAKeyPairOptions<"pem", "der">,
3091
+ ): Promise<{
3092
+ publicKey: string;
3093
+ privateKey: Buffer;
3094
+ }>;
3095
+ function __promisify__(
3096
+ type: "rsa",
3097
+ options: RSAKeyPairOptions<"der", "pem">,
3098
+ ): Promise<{
3099
+ publicKey: Buffer;
3100
+ privateKey: string;
3101
+ }>;
3102
+ function __promisify__(
3103
+ type: "rsa",
3104
+ options: RSAKeyPairOptions<"der", "der">,
3105
+ ): Promise<{
3106
+ publicKey: Buffer;
3107
+ privateKey: Buffer;
3108
+ }>;
3109
+ function __promisify__(type: "rsa", options: RSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3110
+ function __promisify__(
3111
+ type: "rsa-pss",
3112
+ options: RSAPSSKeyPairOptions<"pem", "pem">,
3113
+ ): Promise<{
3114
+ publicKey: string;
3115
+ privateKey: string;
3116
+ }>;
3117
+ function __promisify__(
3118
+ type: "rsa-pss",
3119
+ options: RSAPSSKeyPairOptions<"pem", "der">,
3120
+ ): Promise<{
3121
+ publicKey: string;
3122
+ privateKey: Buffer;
3123
+ }>;
3124
+ function __promisify__(
3125
+ type: "rsa-pss",
3126
+ options: RSAPSSKeyPairOptions<"der", "pem">,
3127
+ ): Promise<{
3128
+ publicKey: Buffer;
3129
+ privateKey: string;
3130
+ }>;
3131
+ function __promisify__(
3132
+ type: "rsa-pss",
3133
+ options: RSAPSSKeyPairOptions<"der", "der">,
3134
+ ): Promise<{
3135
+ publicKey: Buffer;
3136
+ privateKey: Buffer;
3137
+ }>;
3138
+ function __promisify__(
3139
+ type: "rsa-pss",
3140
+ options: RSAPSSKeyPairKeyObjectOptions,
3141
+ ): Promise<KeyPairKeyObjectResult>;
3142
+ function __promisify__(
3143
+ type: "dsa",
3144
+ options: DSAKeyPairOptions<"pem", "pem">,
3145
+ ): Promise<{
3146
+ publicKey: string;
3147
+ privateKey: string;
3148
+ }>;
3149
+ function __promisify__(
3150
+ type: "dsa",
3151
+ options: DSAKeyPairOptions<"pem", "der">,
3152
+ ): Promise<{
3153
+ publicKey: string;
3154
+ privateKey: Buffer;
3155
+ }>;
3156
+ function __promisify__(
3157
+ type: "dsa",
3158
+ options: DSAKeyPairOptions<"der", "pem">,
3159
+ ): Promise<{
3160
+ publicKey: Buffer;
3161
+ privateKey: string;
3162
+ }>;
3163
+ function __promisify__(
3164
+ type: "dsa",
3165
+ options: DSAKeyPairOptions<"der", "der">,
3166
+ ): Promise<{
3167
+ publicKey: Buffer;
3168
+ privateKey: Buffer;
3169
+ }>;
3170
+ function __promisify__(type: "dsa", options: DSAKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3171
+ function __promisify__(
3172
+ type: "ec",
3173
+ options: ECKeyPairOptions<"pem", "pem">,
3174
+ ): Promise<{
3175
+ publicKey: string;
3176
+ privateKey: string;
3177
+ }>;
3178
+ function __promisify__(
3179
+ type: "ec",
3180
+ options: ECKeyPairOptions<"pem", "der">,
3181
+ ): Promise<{
3182
+ publicKey: string;
3183
+ privateKey: Buffer;
3184
+ }>;
3185
+ function __promisify__(
3186
+ type: "ec",
3187
+ options: ECKeyPairOptions<"der", "pem">,
3188
+ ): Promise<{
3189
+ publicKey: Buffer;
3190
+ privateKey: string;
3191
+ }>;
3192
+ function __promisify__(
3193
+ type: "ec",
3194
+ options: ECKeyPairOptions<"der", "der">,
3195
+ ): Promise<{
3196
+ publicKey: Buffer;
3197
+ privateKey: Buffer;
3198
+ }>;
3199
+ function __promisify__(type: "ec", options: ECKeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3200
+ function __promisify__(
3201
+ type: "ed25519",
3202
+ options: ED25519KeyPairOptions<"pem", "pem">,
3203
+ ): Promise<{
3204
+ publicKey: string;
3205
+ privateKey: string;
3206
+ }>;
3207
+ function __promisify__(
3208
+ type: "ed25519",
3209
+ options: ED25519KeyPairOptions<"pem", "der">,
3210
+ ): Promise<{
3211
+ publicKey: string;
3212
+ privateKey: Buffer;
3213
+ }>;
3214
+ function __promisify__(
3215
+ type: "ed25519",
3216
+ options: ED25519KeyPairOptions<"der", "pem">,
3217
+ ): Promise<{
3218
+ publicKey: Buffer;
3219
+ privateKey: string;
3220
+ }>;
3221
+ function __promisify__(
3222
+ type: "ed25519",
3223
+ options: ED25519KeyPairOptions<"der", "der">,
3224
+ ): Promise<{
3225
+ publicKey: Buffer;
3226
+ privateKey: Buffer;
3227
+ }>;
3228
+ function __promisify__(
3229
+ type: "ed25519",
3230
+ options?: ED25519KeyPairKeyObjectOptions,
3231
+ ): Promise<KeyPairKeyObjectResult>;
3232
+ function __promisify__(
3233
+ type: "ed448",
3234
+ options: ED448KeyPairOptions<"pem", "pem">,
3235
+ ): Promise<{
3236
+ publicKey: string;
3237
+ privateKey: string;
3238
+ }>;
3239
+ function __promisify__(
3240
+ type: "ed448",
3241
+ options: ED448KeyPairOptions<"pem", "der">,
3242
+ ): Promise<{
3243
+ publicKey: string;
3244
+ privateKey: Buffer;
3245
+ }>;
3246
+ function __promisify__(
3247
+ type: "ed448",
3248
+ options: ED448KeyPairOptions<"der", "pem">,
3249
+ ): Promise<{
3250
+ publicKey: Buffer;
3251
+ privateKey: string;
3252
+ }>;
3253
+ function __promisify__(
3254
+ type: "ed448",
3255
+ options: ED448KeyPairOptions<"der", "der">,
3256
+ ): Promise<{
3257
+ publicKey: Buffer;
3258
+ privateKey: Buffer;
3259
+ }>;
3260
+ function __promisify__(type: "ed448", options?: ED448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3261
+ function __promisify__(
3262
+ type: "x25519",
3263
+ options: X25519KeyPairOptions<"pem", "pem">,
3264
+ ): Promise<{
3265
+ publicKey: string;
3266
+ privateKey: string;
3267
+ }>;
3268
+ function __promisify__(
3269
+ type: "x25519",
3270
+ options: X25519KeyPairOptions<"pem", "der">,
3271
+ ): Promise<{
3272
+ publicKey: string;
3273
+ privateKey: Buffer;
3274
+ }>;
3275
+ function __promisify__(
3276
+ type: "x25519",
3277
+ options: X25519KeyPairOptions<"der", "pem">,
3278
+ ): Promise<{
3279
+ publicKey: Buffer;
3280
+ privateKey: string;
3281
+ }>;
3282
+ function __promisify__(
3283
+ type: "x25519",
3284
+ options: X25519KeyPairOptions<"der", "der">,
3285
+ ): Promise<{
3286
+ publicKey: Buffer;
3287
+ privateKey: Buffer;
3288
+ }>;
3289
+ function __promisify__(
3290
+ type: "x25519",
3291
+ options?: X25519KeyPairKeyObjectOptions,
3292
+ ): Promise<KeyPairKeyObjectResult>;
3293
+ function __promisify__(
3294
+ type: "x448",
3295
+ options: X448KeyPairOptions<"pem", "pem">,
3296
+ ): Promise<{
3297
+ publicKey: string;
3298
+ privateKey: string;
3299
+ }>;
3300
+ function __promisify__(
3301
+ type: "x448",
3302
+ options: X448KeyPairOptions<"pem", "der">,
3303
+ ): Promise<{
3304
+ publicKey: string;
3305
+ privateKey: Buffer;
3306
+ }>;
3307
+ function __promisify__(
3308
+ type: "x448",
3309
+ options: X448KeyPairOptions<"der", "pem">,
3310
+ ): Promise<{
3311
+ publicKey: Buffer;
3312
+ privateKey: string;
3313
+ }>;
3314
+ function __promisify__(
3315
+ type: "x448",
3316
+ options: X448KeyPairOptions<"der", "der">,
3317
+ ): Promise<{
3318
+ publicKey: Buffer;
3319
+ privateKey: Buffer;
3320
+ }>;
3321
+ function __promisify__(type: "x448", options?: X448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
3322
+ }
3323
+ /**
3324
+ * Calculates and returns the signature for `data` using the given private key and
3325
+ * algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is
3326
+ * dependent upon the key type (especially Ed25519 and Ed448).
3327
+ *
3328
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been
3329
+ * passed to {@link createPrivateKey}. If it is an object, the following
3330
+ * additional properties can be passed:
3331
+ *
3332
+ * If the `callback` function is provided this function uses libuv's threadpool.
3333
+ * @since v12.0.0
3334
+ */
3335
+ function sign(
3336
+ algorithm: string | null | undefined,
3337
+ data: NodeJS.ArrayBufferView,
3338
+ key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
3339
+ ): Buffer;
3340
+ function sign(
3341
+ algorithm: string | null | undefined,
3342
+ data: NodeJS.ArrayBufferView,
3343
+ key: KeyLike | SignKeyObjectInput | SignPrivateKeyInput,
3344
+ callback: (error: Error | null, data: Buffer) => void,
3345
+ ): void;
3346
+ /**
3347
+ * Verifies the given signature for `data` using the given key and algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
3348
+ * key type (especially Ed25519 and Ed448).
3349
+ *
3350
+ * If `key` is not a `KeyObject`, this function behaves as if `key` had been
3351
+ * passed to {@link createPublicKey}. If it is an object, the following
3352
+ * additional properties can be passed:
3353
+ *
3354
+ * The `signature` argument is the previously calculated signature for the `data`.
3355
+ *
3356
+ * Because public keys can be derived from private keys, a private key or a public
3357
+ * key may be passed for `key`.
3358
+ *
3359
+ * If the `callback` function is provided this function uses libuv's threadpool.
3360
+ * @since v12.0.0
3361
+ */
3362
+ function verify(
3363
+ algorithm: string | null | undefined,
3364
+ data: NodeJS.ArrayBufferView,
3365
+ key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
3366
+ signature: NodeJS.ArrayBufferView,
3367
+ ): boolean;
3368
+ function verify(
3369
+ algorithm: string | null | undefined,
3370
+ data: NodeJS.ArrayBufferView,
3371
+ key: KeyLike | VerifyKeyObjectInput | VerifyPublicKeyInput | VerifyJsonWebKeyInput,
3372
+ signature: NodeJS.ArrayBufferView,
3373
+ callback: (error: Error | null, result: boolean) => void,
3374
+ ): void;
3375
+ /**
3376
+ * Computes the Diffie-Hellman secret based on a `privateKey` and a `publicKey`.
3377
+ * Both keys must have the same `asymmetricKeyType`, which must be one of `'dh'`(for Diffie-Hellman), `'ec'` (for ECDH), `'x448'`, or `'x25519'` (for ECDH-ES).
3378
+ * @since v13.9.0, v12.17.0
3379
+ */
3380
+ function diffieHellman(options: { privateKey: KeyObject; publicKey: KeyObject }): Buffer;
3381
+ /**
3382
+ * A utility for creating one-shot hash digests of data. It can be faster than the object-based `crypto.createHash()` when hashing a smaller amount of data
3383
+ * (<= 5MB) that's readily available. If the data can be big or if it is streamed, it's still recommended to use `crypto.createHash()` instead. The `algorithm`
3384
+ * is dependent on the available algorithms supported by the version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. On recent releases
3385
+ * of OpenSSL, `openssl list -digest-algorithms` will display the available digest algorithms.
3386
+ *
3387
+ * Example:
3388
+ *
3389
+ * ```js
3390
+ * const crypto = require('node:crypto');
3391
+ * const { Buffer } = require('node:buffer');
3392
+ *
3393
+ * // Hashing a string and return the result as a hex-encoded string.
3394
+ * const string = 'Node.js';
3395
+ * // 10b3493287f831e81a438811a1ffba01f8cec4b7
3396
+ * console.log(crypto.hash('sha1', string));
3397
+ *
3398
+ * // Encode a base64-encoded string into a Buffer, hash it and return
3399
+ * // the result as a buffer.
3400
+ * const base64 = 'Tm9kZS5qcw==';
3401
+ * // <Buffer 10 b3 49 32 87 f8 31 e8 1a 43 88 11 a1 ff ba 01 f8 ce c4 b7>
3402
+ * console.log(crypto.hash('sha1', Buffer.from(base64, 'base64'), 'buffer'));
3403
+ * ```
3404
+ * @since v21.7.0, v20.12.0
3405
+ * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different input encoding is desired for a string input, user
3406
+ * could encode the string into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing the encoded `TypedArray` into this API instead.
3407
+ * @param [outputEncoding='hex'] [Encoding](https://nodejs.org/docs/latest-v20.x/api/buffer.html#buffers-and-character-encodings) used to encode the returned digest.
3408
+ */
3409
+ function hash(algorithm: string, data: BinaryLike, outputEncoding?: BinaryToTextEncoding): string;
3410
+ function hash(algorithm: string, data: BinaryLike, outputEncoding: "buffer"): Buffer;
3411
+ function hash(
3412
+ algorithm: string,
3413
+ data: BinaryLike,
3414
+ outputEncoding?: BinaryToTextEncoding | "buffer",
3415
+ ): string | Buffer;
3416
+ type CipherMode = "cbc" | "ccm" | "cfb" | "ctr" | "ecb" | "gcm" | "ocb" | "ofb" | "stream" | "wrap" | "xts";
3417
+ interface CipherInfoOptions {
3418
+ /**
3419
+ * A test key length.
3420
+ */
3421
+ keyLength?: number | undefined;
3422
+ /**
3423
+ * A test IV length.
3424
+ */
3425
+ ivLength?: number | undefined;
3426
+ }
3427
+ interface CipherInfo {
3428
+ /**
3429
+ * The name of the cipher.
3430
+ */
3431
+ name: string;
3432
+ /**
3433
+ * The nid of the cipher.
3434
+ */
3435
+ nid: number;
3436
+ /**
3437
+ * The block size of the cipher in bytes.
3438
+ * This property is omitted when mode is 'stream'.
3439
+ */
3440
+ blockSize?: number | undefined;
3441
+ /**
3442
+ * The expected or default initialization vector length in bytes.
3443
+ * This property is omitted if the cipher does not use an initialization vector.
3444
+ */
3445
+ ivLength?: number | undefined;
3446
+ /**
3447
+ * The expected or default key length in bytes.
3448
+ */
3449
+ keyLength: number;
3450
+ /**
3451
+ * The cipher mode.
3452
+ */
3453
+ mode: CipherMode;
3454
+ }
3455
+ /**
3456
+ * Returns information about a given cipher.
3457
+ *
3458
+ * Some ciphers accept variable length keys and initialization vectors. By default,
3459
+ * the `crypto.getCipherInfo()` method will return the default values for these
3460
+ * ciphers. To test if a given key length or iv length is acceptable for given
3461
+ * cipher, use the `keyLength` and `ivLength` options. If the given values are
3462
+ * unacceptable, `undefined` will be returned.
3463
+ * @since v15.0.0
3464
+ * @param nameOrNid The name or nid of the cipher to query.
3465
+ */
3466
+ function getCipherInfo(nameOrNid: string | number, options?: CipherInfoOptions): CipherInfo | undefined;
3467
+ /**
3468
+ * HKDF is a simple key derivation function defined in RFC 5869\. The given `ikm`,`salt` and `info` are used with the `digest` to derive a key of `keylen` bytes.
3469
+ *
3470
+ * The supplied `callback` function is called with two arguments: `err` and`derivedKey`. If an errors occurs while deriving the key, `err` will be set;
3471
+ * otherwise `err` will be `null`. The successfully generated `derivedKey` will
3472
+ * be passed to the callback as an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). An error will be thrown if any
3473
+ * of the input arguments specify invalid values or types.
3474
+ *
3475
+ * ```js
3476
+ * import { Buffer } from 'node:buffer';
3477
+ * const {
3478
+ * hkdf,
3479
+ * } = await import('node:crypto');
3480
+ *
3481
+ * hkdf('sha512', 'key', 'salt', 'info', 64, (err, derivedKey) => {
3482
+ * if (err) throw err;
3483
+ * console.log(Buffer.from(derivedKey).toString('hex')); // '24156e2...5391653'
3484
+ * });
3485
+ * ```
3486
+ * @since v15.0.0
3487
+ * @param digest The digest algorithm to use.
3488
+ * @param ikm The input keying material. Must be provided but can be zero-length.
3489
+ * @param salt The salt value. Must be provided but can be zero-length.
3490
+ * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
3491
+ * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
3492
+ * generates 64-byte hashes, making the maximum HKDF output 16320 bytes).
3493
+ */
3494
+ function hkdf(
3495
+ digest: string,
3496
+ irm: BinaryLike | KeyObject,
3497
+ salt: BinaryLike,
3498
+ info: BinaryLike,
3499
+ keylen: number,
3500
+ callback: (err: Error | null, derivedKey: ArrayBuffer) => void,
3501
+ ): void;
3502
+ /**
3503
+ * Provides a synchronous HKDF key derivation function as defined in RFC 5869\. The
3504
+ * given `ikm`, `salt` and `info` are used with the `digest` to derive a key of`keylen` bytes.
3505
+ *
3506
+ * The successfully generated `derivedKey` will be returned as an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer).
3507
+ *
3508
+ * An error will be thrown if any of the input arguments specify invalid values or
3509
+ * types, or if the derived key cannot be generated.
3510
+ *
3511
+ * ```js
3512
+ * import { Buffer } from 'node:buffer';
3513
+ * const {
3514
+ * hkdfSync,
3515
+ * } = await import('node:crypto');
3516
+ *
3517
+ * const derivedKey = hkdfSync('sha512', 'key', 'salt', 'info', 64);
3518
+ * console.log(Buffer.from(derivedKey).toString('hex')); // '24156e2...5391653'
3519
+ * ```
3520
+ * @since v15.0.0
3521
+ * @param digest The digest algorithm to use.
3522
+ * @param ikm The input keying material. Must be provided but can be zero-length.
3523
+ * @param salt The salt value. Must be provided but can be zero-length.
3524
+ * @param info Additional info value. Must be provided but can be zero-length, and cannot be more than 1024 bytes.
3525
+ * @param keylen The length of the key to generate. Must be greater than 0. The maximum allowable value is `255` times the number of bytes produced by the selected digest function (e.g. `sha512`
3526
+ * generates 64-byte hashes, making the maximum HKDF output 16320 bytes).
3527
+ */
3528
+ function hkdfSync(
3529
+ digest: string,
3530
+ ikm: BinaryLike | KeyObject,
3531
+ salt: BinaryLike,
3532
+ info: BinaryLike,
3533
+ keylen: number,
3534
+ ): ArrayBuffer;
3535
+ interface SecureHeapUsage {
3536
+ /**
3537
+ * The total allocated secure heap size as specified using the `--secure-heap=n` command-line flag.
3538
+ */
3539
+ total: number;
3540
+ /**
3541
+ * The minimum allocation from the secure heap as specified using the `--secure-heap-min` command-line flag.
3542
+ */
3543
+ min: number;
3544
+ /**
3545
+ * The total number of bytes currently allocated from the secure heap.
3546
+ */
3547
+ used: number;
3548
+ /**
3549
+ * The calculated ratio of `used` to `total` allocated bytes.
3550
+ */
3551
+ utilization: number;
3552
+ }
3553
+ /**
3554
+ * @since v15.6.0
3555
+ */
3556
+ function secureHeapUsed(): SecureHeapUsage;
3557
+ interface RandomUUIDOptions {
3558
+ /**
3559
+ * By default, to improve performance,
3560
+ * Node.js will pre-emptively generate and persistently cache enough
3561
+ * random data to generate up to 128 random UUIDs. To generate a UUID
3562
+ * without using the cache, set `disableEntropyCache` to `true`.
3563
+ *
3564
+ * @default `false`
3565
+ */
3566
+ disableEntropyCache?: boolean | undefined;
3567
+ }
3568
+ type UUID = `${string}-${string}-${string}-${string}-${string}`;
3569
+ /**
3570
+ * Generates a random [RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) version 4 UUID. The UUID is generated using a
3571
+ * cryptographic pseudorandom number generator.
3572
+ * @since v15.6.0, v14.17.0
3573
+ */
3574
+ function randomUUID(options?: RandomUUIDOptions): UUID;
3575
+ interface X509CheckOptions {
3576
+ /**
3577
+ * @default 'always'
3578
+ */
3579
+ subject?: "always" | "default" | "never";
3580
+ /**
3581
+ * @default true
3582
+ */
3583
+ wildcards?: boolean;
3584
+ /**
3585
+ * @default true
3586
+ */
3587
+ partialWildcards?: boolean;
3588
+ /**
3589
+ * @default false
3590
+ */
3591
+ multiLabelWildcards?: boolean;
3592
+ /**
3593
+ * @default false
3594
+ */
3595
+ singleLabelSubdomains?: boolean;
3596
+ }
3597
+ /**
3598
+ * Encapsulates an X509 certificate and provides read-only access to
3599
+ * its information.
3600
+ *
3601
+ * ```js
3602
+ * const { X509Certificate } = await import('node:crypto');
3603
+ *
3604
+ * const x509 = new X509Certificate('{... pem encoded cert ...}');
3605
+ *
3606
+ * console.log(x509.subject);
3607
+ * ```
3608
+ * @since v15.6.0
3609
+ */
3610
+ class X509Certificate {
3611
+ /**
3612
+ * Will be \`true\` if this is a Certificate Authority (CA) certificate.
3613
+ * @since v15.6.0
3614
+ */
3615
+ readonly ca: boolean;
3616
+ /**
3617
+ * The SHA-1 fingerprint of this certificate.
3618
+ *
3619
+ * Because SHA-1 is cryptographically broken and because the security of SHA-1 is
3620
+ * significantly worse than that of algorithms that are commonly used to sign
3621
+ * certificates, consider using `x509.fingerprint256` instead.
3622
+ * @since v15.6.0
3623
+ */
3624
+ readonly fingerprint: string;
3625
+ /**
3626
+ * The SHA-256 fingerprint of this certificate.
3627
+ * @since v15.6.0
3628
+ */
3629
+ readonly fingerprint256: string;
3630
+ /**
3631
+ * The SHA-512 fingerprint of this certificate.
3632
+ *
3633
+ * Because computing the SHA-256 fingerprint is usually faster and because it is
3634
+ * only half the size of the SHA-512 fingerprint, `x509.fingerprint256` may be
3635
+ * a better choice. While SHA-512 presumably provides a higher level of security in
3636
+ * general, the security of SHA-256 matches that of most algorithms that are
3637
+ * commonly used to sign certificates.
3638
+ * @since v17.2.0, v16.14.0
3639
+ */
3640
+ readonly fingerprint512: string;
3641
+ /**
3642
+ * The complete subject of this certificate.
3643
+ * @since v15.6.0
3644
+ */
3645
+ readonly subject: string;
3646
+ /**
3647
+ * The subject alternative name specified for this certificate.
3648
+ *
3649
+ * This is a comma-separated list of subject alternative names. Each entry begins
3650
+ * with a string identifying the kind of the subject alternative name followed by
3651
+ * a colon and the value associated with the entry.
3652
+ *
3653
+ * Earlier versions of Node.js incorrectly assumed that it is safe to split this
3654
+ * property at the two-character sequence `', '` (see [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532)). However,
3655
+ * both malicious and legitimate certificates can contain subject alternative names
3656
+ * that include this sequence when represented as a string.
3657
+ *
3658
+ * After the prefix denoting the type of the entry, the remainder of each entry
3659
+ * might be enclosed in quotes to indicate that the value is a JSON string literal.
3660
+ * For backward compatibility, Node.js only uses JSON string literals within this
3661
+ * property when necessary to avoid ambiguity. Third-party code should be prepared
3662
+ * to handle both possible entry formats.
3663
+ * @since v15.6.0
3664
+ */
3665
+ readonly subjectAltName: string | undefined;
3666
+ /**
3667
+ * A textual representation of the certificate's authority information access
3668
+ * extension.
3669
+ *
3670
+ * This is a line feed separated list of access descriptions. Each line begins with
3671
+ * the access method and the kind of the access location, followed by a colon and
3672
+ * the value associated with the access location.
3673
+ *
3674
+ * After the prefix denoting the access method and the kind of the access location,
3675
+ * the remainder of each line might be enclosed in quotes to indicate that the
3676
+ * value is a JSON string literal. For backward compatibility, Node.js only uses
3677
+ * JSON string literals within this property when necessary to avoid ambiguity.
3678
+ * Third-party code should be prepared to handle both possible entry formats.
3679
+ * @since v15.6.0
3680
+ */
3681
+ readonly infoAccess: string | undefined;
3682
+ /**
3683
+ * An array detailing the key usages for this certificate.
3684
+ * @since v15.6.0
3685
+ */
3686
+ readonly keyUsage: string[];
3687
+ /**
3688
+ * The issuer identification included in this certificate.
3689
+ * @since v15.6.0
3690
+ */
3691
+ readonly issuer: string;
3692
+ /**
3693
+ * The issuer certificate or `undefined` if the issuer certificate is not
3694
+ * available.
3695
+ * @since v15.9.0
3696
+ */
3697
+ readonly issuerCertificate?: X509Certificate | undefined;
3698
+ /**
3699
+ * The public key `KeyObject` for this certificate.
3700
+ * @since v15.6.0
3701
+ */
3702
+ readonly publicKey: KeyObject;
3703
+ /**
3704
+ * A `Buffer` containing the DER encoding of this certificate.
3705
+ * @since v15.6.0
3706
+ */
3707
+ readonly raw: Buffer;
3708
+ /**
3709
+ * The serial number of this certificate.
3710
+ *
3711
+ * Serial numbers are assigned by certificate authorities and do not uniquely
3712
+ * identify certificates. Consider using `x509.fingerprint256` as a unique
3713
+ * identifier instead.
3714
+ * @since v15.6.0
3715
+ */
3716
+ readonly serialNumber: string;
3717
+ /**
3718
+ * The date/time from which this certificate is considered valid.
3719
+ * @since v15.6.0
3720
+ */
3721
+ readonly validFrom: string;
3722
+ /**
3723
+ * The date/time until which this certificate is considered valid.
3724
+ * @since v15.6.0
3725
+ */
3726
+ readonly validTo: string;
3727
+ constructor(buffer: BinaryLike);
3728
+ /**
3729
+ * Checks whether the certificate matches the given email address.
3730
+ *
3731
+ * If the `'subject'` option is undefined or set to `'default'`, the certificate
3732
+ * subject is only considered if the subject alternative name extension either does
3733
+ * not exist or does not contain any email addresses.
3734
+ *
3735
+ * If the `'subject'` option is set to `'always'` and if the subject alternative
3736
+ * name extension either does not exist or does not contain a matching email
3737
+ * address, the certificate subject is considered.
3738
+ *
3739
+ * If the `'subject'` option is set to `'never'`, the certificate subject is never
3740
+ * considered, even if the certificate contains no subject alternative names.
3741
+ * @since v15.6.0
3742
+ * @return Returns `email` if the certificate matches, `undefined` if it does not.
3743
+ */
3744
+ checkEmail(email: string, options?: Pick<X509CheckOptions, "subject">): string | undefined;
3745
+ /**
3746
+ * Checks whether the certificate matches the given host name.
3747
+ *
3748
+ * If the certificate matches the given host name, the matching subject name is
3749
+ * returned. The returned name might be an exact match (e.g., `foo.example.com`)
3750
+ * or it might contain wildcards (e.g., `*.example.com`). Because host name
3751
+ * comparisons are case-insensitive, the returned subject name might also differ
3752
+ * from the given `name` in capitalization.
3753
+ *
3754
+ * If the `'subject'` option is undefined or set to `'default'`, the certificate
3755
+ * subject is only considered if the subject alternative name extension either does
3756
+ * not exist or does not contain any DNS names. This behavior is consistent with [RFC 2818](https://www.rfc-editor.org/rfc/rfc2818.txt) ("HTTP Over TLS").
3757
+ *
3758
+ * If the `'subject'` option is set to `'always'` and if the subject alternative
3759
+ * name extension either does not exist or does not contain a matching DNS name,
3760
+ * the certificate subject is considered.
3761
+ *
3762
+ * If the `'subject'` option is set to `'never'`, the certificate subject is never
3763
+ * considered, even if the certificate contains no subject alternative names.
3764
+ * @since v15.6.0
3765
+ * @return Returns a subject name that matches `name`, or `undefined` if no subject name matches `name`.
3766
+ */
3767
+ checkHost(name: string, options?: X509CheckOptions): string | undefined;
3768
+ /**
3769
+ * Checks whether the certificate matches the given IP address (IPv4 or IPv6).
3770
+ *
3771
+ * Only [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280.txt) `iPAddress` subject alternative names are considered, and they
3772
+ * must match the given `ip` address exactly. Other subject alternative names as
3773
+ * well as the subject field of the certificate are ignored.
3774
+ * @since v15.6.0
3775
+ * @return Returns `ip` if the certificate matches, `undefined` if it does not.
3776
+ */
3777
+ checkIP(ip: string): string | undefined;
3778
+ /**
3779
+ * Checks whether this certificate was issued by the given `otherCert`.
3780
+ * @since v15.6.0
3781
+ */
3782
+ checkIssued(otherCert: X509Certificate): boolean;
3783
+ /**
3784
+ * Checks whether the public key for this certificate is consistent with
3785
+ * the given private key.
3786
+ * @since v15.6.0
3787
+ * @param privateKey A private key.
3788
+ */
3789
+ checkPrivateKey(privateKey: KeyObject): boolean;
3790
+ /**
3791
+ * There is no standard JSON encoding for X509 certificates. The`toJSON()` method returns a string containing the PEM encoded
3792
+ * certificate.
3793
+ * @since v15.6.0
3794
+ */
3795
+ toJSON(): string;
3796
+ /**
3797
+ * Returns information about this certificate using the legacy `certificate object` encoding.
3798
+ * @since v15.6.0
3799
+ */
3800
+ toLegacyObject(): PeerCertificate;
3801
+ /**
3802
+ * Returns the PEM-encoded certificate.
3803
+ * @since v15.6.0
3804
+ */
3805
+ toString(): string;
3806
+ /**
3807
+ * Verifies that this certificate was signed by the given public key.
3808
+ * Does not perform any other validation checks on the certificate.
3809
+ * @since v15.6.0
3810
+ * @param publicKey A public key.
3811
+ */
3812
+ verify(publicKey: KeyObject): boolean;
3813
+ }
3814
+ type LargeNumberLike = NodeJS.ArrayBufferView | SharedArrayBuffer | ArrayBuffer | bigint;
3815
+ interface GeneratePrimeOptions {
3816
+ add?: LargeNumberLike | undefined;
3817
+ rem?: LargeNumberLike | undefined;
3818
+ /**
3819
+ * @default false
3820
+ */
3821
+ safe?: boolean | undefined;
3822
+ bigint?: boolean | undefined;
3823
+ }
3824
+ interface GeneratePrimeOptionsBigInt extends GeneratePrimeOptions {
3825
+ bigint: true;
3826
+ }
3827
+ interface GeneratePrimeOptionsArrayBuffer extends GeneratePrimeOptions {
3828
+ bigint?: false | undefined;
3829
+ }
3830
+ /**
3831
+ * Generates a pseudorandom prime of `size` bits.
3832
+ *
3833
+ * If `options.safe` is `true`, the prime will be a safe prime -- that is,`(prime - 1) / 2` will also be a prime.
3834
+ *
3835
+ * The `options.add` and `options.rem` parameters can be used to enforce additional
3836
+ * requirements, e.g., for Diffie-Hellman:
3837
+ *
3838
+ * * If `options.add` and `options.rem` are both set, the prime will satisfy the
3839
+ * condition that `prime % add = rem`.
3840
+ * * If only `options.add` is set and `options.safe` is not `true`, the prime will
3841
+ * satisfy the condition that `prime % add = 1`.
3842
+ * * If only `options.add` is set and `options.safe` is set to `true`, the prime
3843
+ * will instead satisfy the condition that `prime % add = 3`. This is necessary
3844
+ * because `prime % add = 1` for `options.add > 2` would contradict the condition
3845
+ * enforced by `options.safe`.
3846
+ * * `options.rem` is ignored if `options.add` is not given.
3847
+ *
3848
+ * Both `options.add` and `options.rem` must be encoded as big-endian sequences
3849
+ * if given as an `ArrayBuffer`, `SharedArrayBuffer`, `TypedArray`, `Buffer`, or`DataView`.
3850
+ *
3851
+ * By default, the prime is encoded as a big-endian sequence of octets
3852
+ * in an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). If the `bigint` option is `true`, then a
3853
+ * [bigint](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt) is provided.
3854
+ * @since v15.8.0
3855
+ * @param size The size (in bits) of the prime to generate.
3856
+ */
3857
+ function generatePrime(size: number, callback: (err: Error | null, prime: ArrayBuffer) => void): void;
3858
+ function generatePrime(
3859
+ size: number,
3860
+ options: GeneratePrimeOptionsBigInt,
3861
+ callback: (err: Error | null, prime: bigint) => void,
3862
+ ): void;
3863
+ function generatePrime(
3864
+ size: number,
3865
+ options: GeneratePrimeOptionsArrayBuffer,
3866
+ callback: (err: Error | null, prime: ArrayBuffer) => void,
3867
+ ): void;
3868
+ function generatePrime(
3869
+ size: number,
3870
+ options: GeneratePrimeOptions,
3871
+ callback: (err: Error | null, prime: ArrayBuffer | bigint) => void,
3872
+ ): void;
3873
+ /**
3874
+ * Generates a pseudorandom prime of `size` bits.
3875
+ *
3876
+ * If `options.safe` is `true`, the prime will be a safe prime -- that is,`(prime - 1) / 2` will also be a prime.
3877
+ *
3878
+ * The `options.add` and `options.rem` parameters can be used to enforce additional
3879
+ * requirements, e.g., for Diffie-Hellman:
3880
+ *
3881
+ * * If `options.add` and `options.rem` are both set, the prime will satisfy the
3882
+ * condition that `prime % add = rem`.
3883
+ * * If only `options.add` is set and `options.safe` is not `true`, the prime will
3884
+ * satisfy the condition that `prime % add = 1`.
3885
+ * * If only `options.add` is set and `options.safe` is set to `true`, the prime
3886
+ * will instead satisfy the condition that `prime % add = 3`. This is necessary
3887
+ * because `prime % add = 1` for `options.add > 2` would contradict the condition
3888
+ * enforced by `options.safe`.
3889
+ * * `options.rem` is ignored if `options.add` is not given.
3890
+ *
3891
+ * Both `options.add` and `options.rem` must be encoded as big-endian sequences
3892
+ * if given as an `ArrayBuffer`, `SharedArrayBuffer`, `TypedArray`, `Buffer`, or`DataView`.
3893
+ *
3894
+ * By default, the prime is encoded as a big-endian sequence of octets
3895
+ * in an [ArrayBuffer](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer). If the `bigint` option is `true`, then a
3896
+ * [bigint](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt) is provided.
3897
+ * @since v15.8.0
3898
+ * @param size The size (in bits) of the prime to generate.
3899
+ */
3900
+ function generatePrimeSync(size: number): ArrayBuffer;
3901
+ function generatePrimeSync(size: number, options: GeneratePrimeOptionsBigInt): bigint;
3902
+ function generatePrimeSync(size: number, options: GeneratePrimeOptionsArrayBuffer): ArrayBuffer;
3903
+ function generatePrimeSync(size: number, options: GeneratePrimeOptions): ArrayBuffer | bigint;
3904
+ interface CheckPrimeOptions {
3905
+ /**
3906
+ * The number of Miller-Rabin probabilistic primality iterations to perform.
3907
+ * When the value is 0 (zero), a number of checks is used that yields a false positive rate of at most `2**-64` for random input.
3908
+ * Care must be used when selecting a number of checks.
3909
+ * Refer to the OpenSSL documentation for the BN_is_prime_ex function nchecks options for more details.
3910
+ *
3911
+ * @default 0
3912
+ */
3913
+ checks?: number | undefined;
3914
+ }
3915
+ /**
3916
+ * Checks the primality of the `candidate`.
3917
+ * @since v15.8.0
3918
+ * @param candidate A possible prime encoded as a sequence of big endian octets of arbitrary length.
3919
+ */
3920
+ function checkPrime(value: LargeNumberLike, callback: (err: Error | null, result: boolean) => void): void;
3921
+ function checkPrime(
3922
+ value: LargeNumberLike,
3923
+ options: CheckPrimeOptions,
3924
+ callback: (err: Error | null, result: boolean) => void,
3925
+ ): void;
3926
+ /**
3927
+ * Checks the primality of the `candidate`.
3928
+ * @since v15.8.0
3929
+ * @param candidate A possible prime encoded as a sequence of big endian octets of arbitrary length.
3930
+ * @return `true` if the candidate is a prime with an error probability less than `0.25 ** options.checks`.
3931
+ */
3932
+ function checkPrimeSync(candidate: LargeNumberLike, options?: CheckPrimeOptions): boolean;
3933
+ /**
3934
+ * Load and set the `engine` for some or all OpenSSL functions (selected by flags).
3935
+ *
3936
+ * `engine` could be either an id or a path to the engine's shared library.
3937
+ *
3938
+ * The optional `flags` argument uses `ENGINE_METHOD_ALL` by default. The `flags`is a bit field taking one of or a mix of the following flags (defined in`crypto.constants`):
3939
+ *
3940
+ * * `crypto.constants.ENGINE_METHOD_RSA`
3941
+ * * `crypto.constants.ENGINE_METHOD_DSA`
3942
+ * * `crypto.constants.ENGINE_METHOD_DH`
3943
+ * * `crypto.constants.ENGINE_METHOD_RAND`
3944
+ * * `crypto.constants.ENGINE_METHOD_EC`
3945
+ * * `crypto.constants.ENGINE_METHOD_CIPHERS`
3946
+ * * `crypto.constants.ENGINE_METHOD_DIGESTS`
3947
+ * * `crypto.constants.ENGINE_METHOD_PKEY_METHS`
3948
+ * * `crypto.constants.ENGINE_METHOD_PKEY_ASN1_METHS`
3949
+ * * `crypto.constants.ENGINE_METHOD_ALL`
3950
+ * * `crypto.constants.ENGINE_METHOD_NONE`
3951
+ * @since v0.11.11
3952
+ * @param flags
3953
+ */
3954
+ function setEngine(engine: string, flags?: number): void;
3955
+ /**
3956
+ * A convenient alias for {@link webcrypto.getRandomValues}. This
3957
+ * implementation is not compliant with the Web Crypto spec, to write
3958
+ * web-compatible code use {@link webcrypto.getRandomValues} instead.
3959
+ * @since v17.4.0
3960
+ * @return Returns `typedArray`.
3961
+ */
3962
+ function getRandomValues<T extends webcrypto.BufferSource>(typedArray: T): T;
3963
+ /**
3964
+ * A convenient alias for `crypto.webcrypto.subtle`.
3965
+ * @since v17.4.0
3966
+ */
3967
+ const subtle: webcrypto.SubtleCrypto;
3968
+ /**
3969
+ * An implementation of the Web Crypto API standard.
3970
+ *
3971
+ * See the {@link https://nodejs.org/docs/latest/api/webcrypto.html Web Crypto API documentation} for details.
3972
+ * @since v15.0.0
3973
+ */
3974
+ const webcrypto: webcrypto.Crypto;
3975
+ namespace webcrypto {
3976
+ type BufferSource = ArrayBufferView | ArrayBuffer;
3977
+ type KeyFormat = "jwk" | "pkcs8" | "raw" | "spki";
3978
+ type KeyType = "private" | "public" | "secret";
3979
+ type KeyUsage =
3980
+ | "decrypt"
3981
+ | "deriveBits"
3982
+ | "deriveKey"
3983
+ | "encrypt"
3984
+ | "sign"
3985
+ | "unwrapKey"
3986
+ | "verify"
3987
+ | "wrapKey";
3988
+ type AlgorithmIdentifier = Algorithm | string;
3989
+ type HashAlgorithmIdentifier = AlgorithmIdentifier;
3990
+ type NamedCurve = string;
3991
+ type BigInteger = Uint8Array;
3992
+ interface AesCbcParams extends Algorithm {
3993
+ iv: BufferSource;
3994
+ }
3995
+ interface AesCtrParams extends Algorithm {
3996
+ counter: BufferSource;
3997
+ length: number;
3998
+ }
3999
+ interface AesDerivedKeyParams extends Algorithm {
4000
+ length: number;
4001
+ }
4002
+ interface AesGcmParams extends Algorithm {
4003
+ additionalData?: BufferSource;
4004
+ iv: BufferSource;
4005
+ tagLength?: number;
4006
+ }
4007
+ interface AesKeyAlgorithm extends KeyAlgorithm {
4008
+ length: number;
4009
+ }
4010
+ interface AesKeyGenParams extends Algorithm {
4011
+ length: number;
4012
+ }
4013
+ interface Algorithm {
4014
+ name: string;
4015
+ }
4016
+ interface EcKeyAlgorithm extends KeyAlgorithm {
4017
+ namedCurve: NamedCurve;
4018
+ }
4019
+ interface EcKeyGenParams extends Algorithm {
4020
+ namedCurve: NamedCurve;
4021
+ }
4022
+ interface EcKeyImportParams extends Algorithm {
4023
+ namedCurve: NamedCurve;
4024
+ }
4025
+ interface EcdhKeyDeriveParams extends Algorithm {
4026
+ public: CryptoKey;
4027
+ }
4028
+ interface EcdsaParams extends Algorithm {
4029
+ hash: HashAlgorithmIdentifier;
4030
+ }
4031
+ interface Ed448Params extends Algorithm {
4032
+ context?: BufferSource;
4033
+ }
4034
+ interface HkdfParams extends Algorithm {
4035
+ hash: HashAlgorithmIdentifier;
4036
+ info: BufferSource;
4037
+ salt: BufferSource;
4038
+ }
4039
+ interface HmacImportParams extends Algorithm {
4040
+ hash: HashAlgorithmIdentifier;
4041
+ length?: number;
4042
+ }
4043
+ interface HmacKeyAlgorithm extends KeyAlgorithm {
4044
+ hash: KeyAlgorithm;
4045
+ length: number;
4046
+ }
4047
+ interface HmacKeyGenParams extends Algorithm {
4048
+ hash: HashAlgorithmIdentifier;
4049
+ length?: number;
4050
+ }
4051
+ interface JsonWebKey {
4052
+ alg?: string;
4053
+ crv?: string;
4054
+ d?: string;
4055
+ dp?: string;
4056
+ dq?: string;
4057
+ e?: string;
4058
+ ext?: boolean;
4059
+ k?: string;
4060
+ key_ops?: string[];
4061
+ kty?: string;
4062
+ n?: string;
4063
+ oth?: RsaOtherPrimesInfo[];
4064
+ p?: string;
4065
+ q?: string;
4066
+ qi?: string;
4067
+ use?: string;
4068
+ x?: string;
4069
+ y?: string;
4070
+ }
4071
+ interface KeyAlgorithm {
4072
+ name: string;
4073
+ }
4074
+ interface Pbkdf2Params extends Algorithm {
4075
+ hash: HashAlgorithmIdentifier;
4076
+ iterations: number;
4077
+ salt: BufferSource;
4078
+ }
4079
+ interface RsaHashedImportParams extends Algorithm {
4080
+ hash: HashAlgorithmIdentifier;
4081
+ }
4082
+ interface RsaHashedKeyAlgorithm extends RsaKeyAlgorithm {
4083
+ hash: KeyAlgorithm;
4084
+ }
4085
+ interface RsaHashedKeyGenParams extends RsaKeyGenParams {
4086
+ hash: HashAlgorithmIdentifier;
4087
+ }
4088
+ interface RsaKeyAlgorithm extends KeyAlgorithm {
4089
+ modulusLength: number;
4090
+ publicExponent: BigInteger;
4091
+ }
4092
+ interface RsaKeyGenParams extends Algorithm {
4093
+ modulusLength: number;
4094
+ publicExponent: BigInteger;
4095
+ }
4096
+ interface RsaOaepParams extends Algorithm {
4097
+ label?: BufferSource;
4098
+ }
4099
+ interface RsaOtherPrimesInfo {
4100
+ d?: string;
4101
+ r?: string;
4102
+ t?: string;
4103
+ }
4104
+ interface RsaPssParams extends Algorithm {
4105
+ saltLength: number;
4106
+ }
4107
+ /**
4108
+ * Calling `require('node:crypto').webcrypto` returns an instance of the `Crypto` class.
4109
+ * `Crypto` is a singleton that provides access to the remainder of the crypto API.
4110
+ * @since v15.0.0
4111
+ */
4112
+ interface Crypto {
4113
+ /**
4114
+ * Provides access to the `SubtleCrypto` API.
4115
+ * @since v15.0.0
4116
+ */
4117
+ readonly subtle: SubtleCrypto;
4118
+ /**
4119
+ * Generates cryptographically strong random values.
4120
+ * The given `typedArray` is filled with random values, and a reference to `typedArray` is returned.
4121
+ *
4122
+ * The given `typedArray` must be an integer-based instance of {@link NodeJS.TypedArray}, i.e. `Float32Array` and `Float64Array` are not accepted.
4123
+ *
4124
+ * An error will be thrown if the given `typedArray` is larger than 65,536 bytes.
4125
+ * @since v15.0.0
4126
+ */
4127
+ getRandomValues<T extends Exclude<NodeJS.TypedArray, Float32Array | Float64Array>>(typedArray: T): T;
4128
+ /**
4129
+ * Generates a random {@link https://www.rfc-editor.org/rfc/rfc4122.txt RFC 4122} version 4 UUID.
4130
+ * The UUID is generated using a cryptographic pseudorandom number generator.
4131
+ * @since v16.7.0
4132
+ */
4133
+ randomUUID(): UUID;
4134
+ CryptoKey: CryptoKeyConstructor;
4135
+ }
4136
+ // This constructor throws ILLEGAL_CONSTRUCTOR so it should not be newable.
4137
+ interface CryptoKeyConstructor {
4138
+ /** Illegal constructor */
4139
+ (_: { readonly _: unique symbol }): never; // Allows instanceof to work but not be callable by the user.
4140
+ readonly length: 0;
4141
+ readonly name: "CryptoKey";
4142
+ readonly prototype: CryptoKey;
4143
+ }
4144
+ /**
4145
+ * @since v15.0.0
4146
+ */
4147
+ interface CryptoKey {
4148
+ /**
4149
+ * An object detailing the algorithm for which the key can be used along with additional algorithm-specific parameters.
4150
+ * @since v15.0.0
4151
+ */
4152
+ readonly algorithm: KeyAlgorithm;
4153
+ /**
4154
+ * When `true`, the {@link CryptoKey} can be extracted using either `subtleCrypto.exportKey()` or `subtleCrypto.wrapKey()`.
4155
+ * @since v15.0.0
4156
+ */
4157
+ readonly extractable: boolean;
4158
+ /**
4159
+ * A string identifying whether the key is a symmetric (`'secret'`) or asymmetric (`'private'` or `'public'`) key.
4160
+ * @since v15.0.0
4161
+ */
4162
+ readonly type: KeyType;
4163
+ /**
4164
+ * An array of strings identifying the operations for which the key may be used.
4165
+ *
4166
+ * The possible usages are:
4167
+ * - `'encrypt'` - The key may be used to encrypt data.
4168
+ * - `'decrypt'` - The key may be used to decrypt data.
4169
+ * - `'sign'` - The key may be used to generate digital signatures.
4170
+ * - `'verify'` - The key may be used to verify digital signatures.
4171
+ * - `'deriveKey'` - The key may be used to derive a new key.
4172
+ * - `'deriveBits'` - The key may be used to derive bits.
4173
+ * - `'wrapKey'` - The key may be used to wrap another key.
4174
+ * - `'unwrapKey'` - The key may be used to unwrap another key.
4175
+ *
4176
+ * Valid key usages depend on the key algorithm (identified by `cryptokey.algorithm.name`).
4177
+ * @since v15.0.0
4178
+ */
4179
+ readonly usages: KeyUsage[];
4180
+ }
4181
+ /**
4182
+ * The `CryptoKeyPair` is a simple dictionary object with `publicKey` and `privateKey` properties, representing an asymmetric key pair.
4183
+ * @since v15.0.0
4184
+ */
4185
+ interface CryptoKeyPair {
4186
+ /**
4187
+ * A {@link CryptoKey} whose type will be `'private'`.
4188
+ * @since v15.0.0
4189
+ */
4190
+ privateKey: CryptoKey;
4191
+ /**
4192
+ * A {@link CryptoKey} whose type will be `'public'`.
4193
+ * @since v15.0.0
4194
+ */
4195
+ publicKey: CryptoKey;
4196
+ }
4197
+ /**
4198
+ * @since v15.0.0
4199
+ */
4200
+ interface SubtleCrypto {
4201
+ /**
4202
+ * Using the method and parameters specified in `algorithm` and the keying material provided by `key`,
4203
+ * `subtle.decrypt()` attempts to decipher the provided `data`. If successful,
4204
+ * the returned promise will be resolved with an `<ArrayBuffer>` containing the plaintext result.
4205
+ *
4206
+ * The algorithms currently supported include:
4207
+ *
4208
+ * - `'RSA-OAEP'`
4209
+ * - `'AES-CTR'`
4210
+ * - `'AES-CBC'`
4211
+ * - `'AES-GCM'`
4212
+ * @since v15.0.0
4213
+ */
4214
+ decrypt(
4215
+ algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4216
+ key: CryptoKey,
4217
+ data: BufferSource,
4218
+ ): Promise<ArrayBuffer>;
4219
+ /**
4220
+ * Using the method and parameters specified in `algorithm` and the keying material provided by `baseKey`,
4221
+ * `subtle.deriveBits()` attempts to generate `length` bits.
4222
+ * The Node.js implementation requires that when `length` is a number it must be multiple of `8`.
4223
+ * When `length` is `null` the maximum number of bits for a given algorithm is generated. This is allowed
4224
+ * for the `'ECDH'`, `'X25519'`, and `'X448'` algorithms.
4225
+ * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the generated data.
4226
+ *
4227
+ * The algorithms currently supported include:
4228
+ *
4229
+ * - `'ECDH'`
4230
+ * - `'X25519'`
4231
+ * - `'X448'`
4232
+ * - `'HKDF'`
4233
+ * - `'PBKDF2'`
4234
+ * @since v15.0.0
4235
+ */
4236
+ deriveBits(algorithm: EcdhKeyDeriveParams, baseKey: CryptoKey, length: number | null): Promise<ArrayBuffer>;
4237
+ deriveBits(
4238
+ algorithm: AlgorithmIdentifier | HkdfParams | Pbkdf2Params,
4239
+ baseKey: CryptoKey,
4240
+ length: number,
4241
+ ): Promise<ArrayBuffer>;
4242
+ /**
4243
+ * Using the method and parameters specified in `algorithm`, and the keying material provided by `baseKey`,
4244
+ * `subtle.deriveKey()` attempts to generate a new <CryptoKey>` based on the method and parameters in `derivedKeyAlgorithm`.
4245
+ *
4246
+ * Calling `subtle.deriveKey()` is equivalent to calling `subtle.deriveBits()` to generate raw keying material,
4247
+ * then passing the result into the `subtle.importKey()` method using the `deriveKeyAlgorithm`, `extractable`, and `keyUsages` parameters as input.
4248
+ *
4249
+ * The algorithms currently supported include:
4250
+ *
4251
+ * - `'ECDH'`
4252
+ * - `'X25519'`
4253
+ * - `'X448'`
4254
+ * - `'HKDF'`
4255
+ * - `'PBKDF2'`
4256
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4257
+ * @since v15.0.0
4258
+ */
4259
+ deriveKey(
4260
+ algorithm: AlgorithmIdentifier | EcdhKeyDeriveParams | HkdfParams | Pbkdf2Params,
4261
+ baseKey: CryptoKey,
4262
+ derivedKeyAlgorithm:
4263
+ | AlgorithmIdentifier
4264
+ | AesDerivedKeyParams
4265
+ | HmacImportParams
4266
+ | HkdfParams
4267
+ | Pbkdf2Params,
4268
+ extractable: boolean,
4269
+ keyUsages: readonly KeyUsage[],
4270
+ ): Promise<CryptoKey>;
4271
+ /**
4272
+ * Using the method identified by `algorithm`, `subtle.digest()` attempts to generate a digest of `data`.
4273
+ * If successful, the returned promise is resolved with an `<ArrayBuffer>` containing the computed digest.
4274
+ *
4275
+ * If `algorithm` is provided as a `<string>`, it must be one of:
4276
+ *
4277
+ * - `'SHA-1'`
4278
+ * - `'SHA-256'`
4279
+ * - `'SHA-384'`
4280
+ * - `'SHA-512'`
4281
+ *
4282
+ * If `algorithm` is provided as an `<Object>`, it must have a `name` property whose value is one of the above.
4283
+ * @since v15.0.0
4284
+ */
4285
+ digest(algorithm: AlgorithmIdentifier, data: BufferSource): Promise<ArrayBuffer>;
4286
+ /**
4287
+ * Using the method and parameters specified by `algorithm` and the keying material provided by `key`,
4288
+ * `subtle.encrypt()` attempts to encipher `data`. If successful,
4289
+ * the returned promise is resolved with an `<ArrayBuffer>` containing the encrypted result.
4290
+ *
4291
+ * The algorithms currently supported include:
4292
+ *
4293
+ * - `'RSA-OAEP'`
4294
+ * - `'AES-CTR'`
4295
+ * - `'AES-CBC'`
4296
+ * - `'AES-GCM'`
4297
+ * @since v15.0.0
4298
+ */
4299
+ encrypt(
4300
+ algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4301
+ key: CryptoKey,
4302
+ data: BufferSource,
4303
+ ): Promise<ArrayBuffer>;
4304
+ /**
4305
+ * Exports the given key into the specified format, if supported.
4306
+ *
4307
+ * If the `<CryptoKey>` is not extractable, the returned promise will reject.
4308
+ *
4309
+ * When `format` is either `'pkcs8'` or `'spki'` and the export is successful,
4310
+ * the returned promise will be resolved with an `<ArrayBuffer>` containing the exported key data.
4311
+ *
4312
+ * When `format` is `'jwk'` and the export is successful, the returned promise will be resolved with a
4313
+ * JavaScript object conforming to the {@link https://tools.ietf.org/html/rfc7517 JSON Web Key} specification.
4314
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4315
+ * @returns `<Promise>` containing `<ArrayBuffer>`.
4316
+ * @since v15.0.0
4317
+ */
4318
+ exportKey(format: "jwk", key: CryptoKey): Promise<JsonWebKey>;
4319
+ exportKey(format: Exclude<KeyFormat, "jwk">, key: CryptoKey): Promise<ArrayBuffer>;
4320
+ /**
4321
+ * Using the method and parameters provided in `algorithm`,
4322
+ * `subtle.generateKey()` attempts to generate new keying material.
4323
+ * Depending the method used, the method may generate either a single `<CryptoKey>` or a `<CryptoKeyPair>`.
4324
+ *
4325
+ * The `<CryptoKeyPair>` (public and private key) generating algorithms supported include:
4326
+ *
4327
+ * - `'RSASSA-PKCS1-v1_5'`
4328
+ * - `'RSA-PSS'`
4329
+ * - `'RSA-OAEP'`
4330
+ * - `'ECDSA'`
4331
+ * - `'Ed25519'`
4332
+ * - `'Ed448'`
4333
+ * - `'ECDH'`
4334
+ * - `'X25519'`
4335
+ * - `'X448'`
4336
+ * The `<CryptoKey>` (secret key) generating algorithms supported include:
4337
+ *
4338
+ * - `'HMAC'`
4339
+ * - `'AES-CTR'`
4340
+ * - `'AES-CBC'`
4341
+ * - `'AES-GCM'`
4342
+ * - `'AES-KW'`
4343
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4344
+ * @since v15.0.0
4345
+ */
4346
+ generateKey(
4347
+ algorithm: RsaHashedKeyGenParams | EcKeyGenParams,
4348
+ extractable: boolean,
4349
+ keyUsages: readonly KeyUsage[],
4350
+ ): Promise<CryptoKeyPair>;
4351
+ generateKey(
4352
+ algorithm: AesKeyGenParams | HmacKeyGenParams | Pbkdf2Params,
4353
+ extractable: boolean,
4354
+ keyUsages: readonly KeyUsage[],
4355
+ ): Promise<CryptoKey>;
4356
+ generateKey(
4357
+ algorithm: AlgorithmIdentifier,
4358
+ extractable: boolean,
4359
+ keyUsages: KeyUsage[],
4360
+ ): Promise<CryptoKeyPair | CryptoKey>;
4361
+ /**
4362
+ * The `subtle.importKey()` method attempts to interpret the provided `keyData` as the given `format`
4363
+ * to create a `<CryptoKey>` instance using the provided `algorithm`, `extractable`, and `keyUsages` arguments.
4364
+ * If the import is successful, the returned promise will be resolved with the created `<CryptoKey>`.
4365
+ *
4366
+ * If importing a `'PBKDF2'` key, `extractable` must be `false`.
4367
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4368
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4369
+ * @since v15.0.0
4370
+ */
4371
+ importKey(
4372
+ format: "jwk",
4373
+ keyData: JsonWebKey,
4374
+ algorithm:
4375
+ | AlgorithmIdentifier
4376
+ | RsaHashedImportParams
4377
+ | EcKeyImportParams
4378
+ | HmacImportParams
4379
+ | AesKeyAlgorithm,
4380
+ extractable: boolean,
4381
+ keyUsages: readonly KeyUsage[],
4382
+ ): Promise<CryptoKey>;
4383
+ importKey(
4384
+ format: Exclude<KeyFormat, "jwk">,
4385
+ keyData: BufferSource,
4386
+ algorithm:
4387
+ | AlgorithmIdentifier
4388
+ | RsaHashedImportParams
4389
+ | EcKeyImportParams
4390
+ | HmacImportParams
4391
+ | AesKeyAlgorithm,
4392
+ extractable: boolean,
4393
+ keyUsages: KeyUsage[],
4394
+ ): Promise<CryptoKey>;
4395
+ /**
4396
+ * Using the method and parameters given by `algorithm` and the keying material provided by `key`,
4397
+ * `subtle.sign()` attempts to generate a cryptographic signature of `data`. If successful,
4398
+ * the returned promise is resolved with an `<ArrayBuffer>` containing the generated signature.
4399
+ *
4400
+ * The algorithms currently supported include:
4401
+ *
4402
+ * - `'RSASSA-PKCS1-v1_5'`
4403
+ * - `'RSA-PSS'`
4404
+ * - `'ECDSA'`
4405
+ * - `'Ed25519'`
4406
+ * - `'Ed448'`
4407
+ * - `'HMAC'`
4408
+ * @since v15.0.0
4409
+ */
4410
+ sign(
4411
+ algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
4412
+ key: CryptoKey,
4413
+ data: BufferSource,
4414
+ ): Promise<ArrayBuffer>;
4415
+ /**
4416
+ * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
4417
+ * The `subtle.unwrapKey()` method attempts to decrypt a wrapped key and create a `<CryptoKey>` instance.
4418
+ * It is equivalent to calling `subtle.decrypt()` first on the encrypted key data (using the `wrappedKey`, `unwrapAlgo`, and `unwrappingKey` arguments as input)
4419
+ * then passing the results in to the `subtle.importKey()` method using the `unwrappedKeyAlgo`, `extractable`, and `keyUsages` arguments as inputs.
4420
+ * If successful, the returned promise is resolved with a `<CryptoKey>` object.
4421
+ *
4422
+ * The wrapping algorithms currently supported include:
4423
+ *
4424
+ * - `'RSA-OAEP'`
4425
+ * - `'AES-CTR'`
4426
+ * - `'AES-CBC'`
4427
+ * - `'AES-GCM'`
4428
+ * - `'AES-KW'`
4429
+ *
4430
+ * The unwrapped key algorithms supported include:
4431
+ *
4432
+ * - `'RSASSA-PKCS1-v1_5'`
4433
+ * - `'RSA-PSS'`
4434
+ * - `'RSA-OAEP'`
4435
+ * - `'ECDSA'`
4436
+ * - `'Ed25519'`
4437
+ * - `'Ed448'`
4438
+ * - `'ECDH'`
4439
+ * - `'X25519'`
4440
+ * - `'X448'`
4441
+ * - `'HMAC'`
4442
+ * - `'AES-CTR'`
4443
+ * - `'AES-CBC'`
4444
+ * - `'AES-GCM'`
4445
+ * - `'AES-KW'`
4446
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4447
+ * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
4448
+ * @since v15.0.0
4449
+ */
4450
+ unwrapKey(
4451
+ format: KeyFormat,
4452
+ wrappedKey: BufferSource,
4453
+ unwrappingKey: CryptoKey,
4454
+ unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4455
+ unwrappedKeyAlgorithm:
4456
+ | AlgorithmIdentifier
4457
+ | RsaHashedImportParams
4458
+ | EcKeyImportParams
4459
+ | HmacImportParams
4460
+ | AesKeyAlgorithm,
4461
+ extractable: boolean,
4462
+ keyUsages: KeyUsage[],
4463
+ ): Promise<CryptoKey>;
4464
+ /**
4465
+ * Using the method and parameters given in `algorithm` and the keying material provided by `key`,
4466
+ * `subtle.verify()` attempts to verify that `signature` is a valid cryptographic signature of `data`.
4467
+ * The returned promise is resolved with either `true` or `false`.
4468
+ *
4469
+ * The algorithms currently supported include:
4470
+ *
4471
+ * - `'RSASSA-PKCS1-v1_5'`
4472
+ * - `'RSA-PSS'`
4473
+ * - `'ECDSA'`
4474
+ * - `'Ed25519'`
4475
+ * - `'Ed448'`
4476
+ * - `'HMAC'`
4477
+ * @since v15.0.0
4478
+ */
4479
+ verify(
4480
+ algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
4481
+ key: CryptoKey,
4482
+ signature: BufferSource,
4483
+ data: BufferSource,
4484
+ ): Promise<boolean>;
4485
+ /**
4486
+ * In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material.
4487
+ * The `subtle.wrapKey()` method exports the keying material into the format identified by `format`,
4488
+ * then encrypts it using the method and parameters specified by `wrapAlgo` and the keying material provided by `wrappingKey`.
4489
+ * It is the equivalent to calling `subtle.exportKey()` using `format` and `key` as the arguments,
4490
+ * then passing the result to the `subtle.encrypt()` method using `wrappingKey` and `wrapAlgo` as inputs.
4491
+ * If successful, the returned promise will be resolved with an `<ArrayBuffer>` containing the encrypted key data.
4492
+ *
4493
+ * The wrapping algorithms currently supported include:
4494
+ *
4495
+ * - `'RSA-OAEP'`
4496
+ * - `'AES-CTR'`
4497
+ * - `'AES-CBC'`
4498
+ * - `'AES-GCM'`
4499
+ * - `'AES-KW'`
4500
+ * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
4501
+ * @since v15.0.0
4502
+ */
4503
+ wrapKey(
4504
+ format: KeyFormat,
4505
+ key: CryptoKey,
4506
+ wrappingKey: CryptoKey,
4507
+ wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
4508
+ ): Promise<ArrayBuffer>;
4509
+ }
4510
+ }
4511
+
4512
+ global {
4513
+ var crypto: typeof globalThis extends {
4514
+ crypto: infer T;
4515
+ onmessage: any;
4516
+ } ? T
4517
+ : webcrypto.Crypto;
4518
+ }
4519
+ }
4520
+ declare module "node:crypto" {
4521
+ export * from "crypto";
4522
+ }