/** * The `node:crypto` module provides cryptographic functionality that includes a * set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify * functions. * * ```js * const { createHmac } = await import('node:crypto'); * * const secret = 'abcdefg'; * const hash = createHmac('sha256', secret) * .update('I love cupcakes') * .digest('hex'); * console.log(hash); * // Prints: * // c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e * ``` * @see [source](https://github.com/nodejs/node/blob/v24.x/lib/crypto.js) */ declare module "crypto" { import * as stream from "node:stream"; import { PeerCertificate } from "node:tls"; /** * SPKAC is a Certificate Signing Request mechanism originally implemented by * Netscape and was specified formally as part of HTML5's `keygen` element. * * `` is deprecated since [HTML 5.2](https://www.w3.org/TR/html52/changes.html#features-removed) and new projects * should not use this element anymore. * * The `node:crypto` module provides the `Certificate` class for working with SPKAC * data. The most common usage is handling output generated by the HTML5 `` element. Node.js uses [OpenSSL's SPKAC * implementation](https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html) internally. * @since v0.11.8 */ class Certificate { /** * ```js * const { Certificate } = await import('node:crypto'); * const spkac = getSpkacSomehow(); * const challenge = Certificate.exportChallenge(spkac); * console.log(challenge.toString('utf8')); * // Prints: the challenge as a UTF8 string * ``` * @since v9.0.0 * @param encoding The `encoding` of the `spkac` string. * @return The challenge component of the `spkac` data structure, which includes a public key and a challenge. */ static exportChallenge(spkac: BinaryLike): Buffer; /** * ```js * const { Certificate } = await import('node:crypto'); * const spkac = getSpkacSomehow(); * const publicKey = Certificate.exportPublicKey(spkac); * console.log(publicKey); * // Prints: the public key as * ``` * @since v9.0.0 * @param encoding The `encoding` of the `spkac` string. * @return The public key component of the `spkac` data structure, which includes a public key and a challenge. */ static exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer; /** * ```js * import { Buffer } from 'node:buffer'; * const { Certificate } = await import('node:crypto'); * * const spkac = getSpkacSomehow(); * console.log(Certificate.verifySpkac(Buffer.from(spkac))); * // Prints: true or false * ``` * @since v9.0.0 * @param encoding The `encoding` of the `spkac` string. * @return `true` if the given `spkac` data structure is valid, `false` otherwise. */ static verifySpkac(spkac: NodeJS.ArrayBufferView): boolean; /** * @deprecated * @param spkac * @returns The challenge component of the `spkac` data structure, * which includes a public key and a challenge. */ exportChallenge(spkac: BinaryLike): Buffer; /** * @deprecated * @param spkac * @param encoding The encoding of the spkac string. * @returns The public key component of the `spkac` data structure, * which includes a public key and a challenge. */ exportPublicKey(spkac: BinaryLike, encoding?: string): Buffer; /** * @deprecated * @param spkac * @returns `true` if the given `spkac` data structure is valid, * `false` otherwise. */ verifySpkac(spkac: NodeJS.ArrayBufferView): boolean; } namespace constants { // https://nodejs.org/dist/latest-v24.x/docs/api/crypto.html#crypto-constants const OPENSSL_VERSION_NUMBER: number; /** Applies multiple bug workarounds within OpenSSL. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. */ const SSL_OP_ALL: number; /** Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode for TLS v1.3 */ const SSL_OP_ALLOW_NO_DHE_KEX: number; /** Allows legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */ const SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION: number; /** Attempts to use the server's preferences instead of the client's when selecting a cipher. See https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html. */ const SSL_OP_CIPHER_SERVER_PREFERENCE: number; /** Instructs OpenSSL to use Cisco's version identifier of DTLS_BAD_VER. */ const SSL_OP_CISCO_ANYCONNECT: number; /** Instructs OpenSSL to turn on cookie exchange. */ const SSL_OP_COOKIE_EXCHANGE: number; /** Instructs OpenSSL to add server-hello extension from an early version of the cryptopro draft. */ const SSL_OP_CRYPTOPRO_TLSEXT_BUG: number; /** Instructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability workaround added in OpenSSL 0.9.6d. */ const SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS: number; /** Allows initial connection to servers that do not support RI. */ const SSL_OP_LEGACY_SERVER_CONNECT: number; /** Instructs OpenSSL to disable support for SSL/TLS compression. */ const SSL_OP_NO_COMPRESSION: number; /** Instructs OpenSSL to disable encrypt-then-MAC. */ const SSL_OP_NO_ENCRYPT_THEN_MAC: number; const SSL_OP_NO_QUERY_MTU: number; /** Instructs OpenSSL to disable renegotiation. */ const SSL_OP_NO_RENEGOTIATION: number; /** Instructs OpenSSL to always start a new session when performing renegotiation. */ const SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION: number; /** Instructs OpenSSL to turn off SSL v2 */ const SSL_OP_NO_SSLv2: number; /** Instructs OpenSSL to turn off SSL v3 */ const SSL_OP_NO_SSLv3: number; /** Instructs OpenSSL to disable use of RFC4507bis tickets. */ const SSL_OP_NO_TICKET: number; /** Instructs OpenSSL to turn off TLS v1 */ const SSL_OP_NO_TLSv1: number; /** Instructs OpenSSL to turn off TLS v1.1 */ const SSL_OP_NO_TLSv1_1: number; /** Instructs OpenSSL to turn off TLS v1.2 */ const SSL_OP_NO_TLSv1_2: number; /** Instructs OpenSSL to turn off TLS v1.3 */ const SSL_OP_NO_TLSv1_3: number; /** Instructs OpenSSL server to prioritize ChaCha20-Poly1305 when the client does. This option has no effect if `SSL_OP_CIPHER_SERVER_PREFERENCE` is not enabled. */ const SSL_OP_PRIORITIZE_CHACHA: number; /** Instructs OpenSSL to disable version rollback attack detection. */ const SSL_OP_TLS_ROLLBACK_BUG: number; const ENGINE_METHOD_RSA: number; const ENGINE_METHOD_DSA: number; const ENGINE_METHOD_DH: number; const ENGINE_METHOD_RAND: number; const ENGINE_METHOD_EC: number; const ENGINE_METHOD_CIPHERS: number; const ENGINE_METHOD_DIGESTS: number; const ENGINE_METHOD_PKEY_METHS: number; const ENGINE_METHOD_PKEY_ASN1_METHS: number; const ENGINE_METHOD_ALL: number; const ENGINE_METHOD_NONE: number; const DH_CHECK_P_NOT_SAFE_PRIME: number; const DH_CHECK_P_NOT_PRIME: number; const DH_UNABLE_TO_CHECK_GENERATOR: number; const DH_NOT_SUITABLE_GENERATOR: number; const RSA_PKCS1_PADDING: number; const RSA_SSLV23_PADDING: number; const RSA_NO_PADDING: number; const RSA_PKCS1_OAEP_PADDING: number; const RSA_X931_PADDING: number; const RSA_PKCS1_PSS_PADDING: number; /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the digest size when signing or verifying. */ const RSA_PSS_SALTLEN_DIGEST: number; /** Sets the salt length for RSA_PKCS1_PSS_PADDING to the maximum permissible value when signing data. */ const RSA_PSS_SALTLEN_MAX_SIGN: number; /** Causes the salt length for RSA_PKCS1_PSS_PADDING to be determined automatically when verifying a signature. */ const RSA_PSS_SALTLEN_AUTO: number; const POINT_CONVERSION_COMPRESSED: number; const POINT_CONVERSION_UNCOMPRESSED: number; const POINT_CONVERSION_HYBRID: number; /** Specifies the built-in default cipher list used by Node.js (colon-separated values). */ const defaultCoreCipherList: string; /** Specifies the active default cipher list used by the current Node.js process (colon-separated values). */ const defaultCipherList: string; } interface HashOptions extends stream.TransformOptions { /** * For XOF hash functions such as `shake256`, the * outputLength option can be used to specify the desired output length in bytes. */ outputLength?: number | undefined; } /** @deprecated since v10.0.0 */ const fips: boolean; /** * Creates and returns a `Hash` object that can be used to generate hash digests * using the given `algorithm`. Optional `options` argument controls stream * behavior. For XOF hash functions such as `'shake256'`, the `outputLength` option * can be used to specify the desired output length in bytes. * * The `algorithm` is dependent on the available algorithms supported by the * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. * On recent releases of OpenSSL, `openssl list -digest-algorithms` will * display the available digest algorithms. * * Example: generating the sha256 sum of a file * * ```js * import { * createReadStream, * } from 'node:fs'; * import { argv } from 'node:process'; * const { * createHash, * } = await import('node:crypto'); * * const filename = argv[2]; * * const hash = createHash('sha256'); * * const input = createReadStream(filename); * input.on('readable', () => { * // Only one element is going to be produced by the * // hash stream. * const data = input.read(); * if (data) * hash.update(data); * else { * console.log(`${hash.digest('hex')} ${filename}`); * } * }); * ``` * @since v0.1.92 * @param options `stream.transform` options */ function createHash(algorithm: string, options?: HashOptions): Hash; /** * Creates and returns an `Hmac` object that uses the given `algorithm` and `key`. * Optional `options` argument controls stream behavior. * * The `algorithm` is dependent on the available algorithms supported by the * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. * On recent releases of OpenSSL, `openssl list -digest-algorithms` will * display the available digest algorithms. * * The `key` is the HMAC key used to generate the cryptographic HMAC hash. If it is * a `KeyObject`, its type must be `secret`. If it is a string, please consider `caveats when using strings as inputs to cryptographic APIs`. If it was * obtained from a cryptographically secure source of entropy, such as {@link randomBytes} or {@link generateKey}, its length should not * exceed the block size of `algorithm` (e.g., 512 bits for SHA-256). * * Example: generating the sha256 HMAC of a file * * ```js * import { * createReadStream, * } from 'node:fs'; * import { argv } from 'node:process'; * const { * createHmac, * } = await import('node:crypto'); * * const filename = argv[2]; * * const hmac = createHmac('sha256', 'a secret'); * * const input = createReadStream(filename); * input.on('readable', () => { * // Only one element is going to be produced by the * // hash stream. * const data = input.read(); * if (data) * hmac.update(data); * else { * console.log(`${hmac.digest('hex')} ${filename}`); * } * }); * ``` * @since v0.1.94 * @param options `stream.transform` options */ function createHmac(algorithm: string, key: BinaryLike | KeyObject, options?: stream.TransformOptions): Hmac; // https://nodejs.org/api/buffer.html#buffer_buffers_and_character_encodings type BinaryToTextEncoding = "base64" | "base64url" | "hex" | "binary"; type CharacterEncoding = "utf8" | "utf-8" | "utf16le" | "utf-16le" | "latin1"; type LegacyCharacterEncoding = "ascii" | "binary" | "ucs2" | "ucs-2"; type Encoding = BinaryToTextEncoding | CharacterEncoding | LegacyCharacterEncoding; type ECDHKeyFormat = "compressed" | "uncompressed" | "hybrid"; /** * The `Hash` class is a utility for creating hash digests of data. It can be * used in one of two ways: * * * As a `stream` that is both readable and writable, where data is written * to produce a computed hash digest on the readable side, or * * Using the `hash.update()` and `hash.digest()` methods to produce the * computed hash. * * The {@link createHash} method is used to create `Hash` instances. `Hash`objects are not to be created directly using the `new` keyword. * * Example: Using `Hash` objects as streams: * * ```js * const { * createHash, * } = await import('node:crypto'); * * const hash = createHash('sha256'); * * hash.on('readable', () => { * // Only one element is going to be produced by the * // hash stream. * const data = hash.read(); * if (data) { * console.log(data.toString('hex')); * // Prints: * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50 * } * }); * * hash.write('some data to hash'); * hash.end(); * ``` * * Example: Using `Hash` and piped streams: * * ```js * import { createReadStream } from 'node:fs'; * import { stdout } from 'node:process'; * const { createHash } = await import('node:crypto'); * * const hash = createHash('sha256'); * * const input = createReadStream('test.js'); * input.pipe(hash).setEncoding('hex').pipe(stdout); * ``` * * Example: Using the `hash.update()` and `hash.digest()` methods: * * ```js * const { * createHash, * } = await import('node:crypto'); * * const hash = createHash('sha256'); * * hash.update('some data to hash'); * console.log(hash.digest('hex')); * // Prints: * // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50 * ``` * @since v0.1.92 */ class Hash extends stream.Transform { private constructor(); /** * Creates a new `Hash` object that contains a deep copy of the internal state * of the current `Hash` object. * * The optional `options` argument controls stream behavior. For XOF hash * functions such as `'shake256'`, the `outputLength` option can be used to * specify the desired output length in bytes. * * An error is thrown when an attempt is made to copy the `Hash` object after * its `hash.digest()` method has been called. * * ```js * // Calculate a rolling hash. * const { * createHash, * } = await import('node:crypto'); * * const hash = createHash('sha256'); * * hash.update('one'); * console.log(hash.copy().digest('hex')); * * hash.update('two'); * console.log(hash.copy().digest('hex')); * * hash.update('three'); * console.log(hash.copy().digest('hex')); * * // Etc. * ``` * @since v13.1.0 * @param options `stream.transform` options */ copy(options?: HashOptions): Hash; /** * Updates the hash content with the given `data`, the encoding of which * is given in `inputEncoding`. * If `encoding` is not provided, and the `data` is a string, an * encoding of `'utf8'` is enforced. If `data` is a `Buffer`, `TypedArray`, or`DataView`, then `inputEncoding` is ignored. * * This can be called many times with new data as it is streamed. * @since v0.1.92 * @param inputEncoding The `encoding` of the `data` string. */ update(data: BinaryLike): Hash; update(data: string, inputEncoding: Encoding): Hash; /** * Calculates the digest of all of the data passed to be hashed (using the `hash.update()` method). * If `encoding` is provided a string will be returned; otherwise *