3 Stability: 2 - Unstable; API changes are being discussed for
4 future versions. Breaking changes will be minimized. See below.
6 Use `require('crypto')` to access this module.
8 The crypto module offers a way of encapsulating secure credentials to be
9 used as part of a secure HTTPS net or http connection.
11 It also offers a set of wrappers for OpenSSL's hash, hmac, cipher,
12 decipher, sign and verify methods.
15 ## crypto.setEngine(engine, [flags])
17 Load and set engine for some/all OpenSSL functions (selected by flags).
19 `engine` could be either an id or a path to the to the engine's shared library.
21 `flags` is optional and has `ENGINE_METHOD_ALL` value by default. It could take
22 one of or mix of following flags (defined in `constants` module):
27 * `ENGINE_METHOD_RAND`
28 * `ENGINE_METHOD_ECDH`
29 * `ENGINE_METHOD_ECDSA`
30 * `ENGINE_METHOD_CIPHERS`
31 * `ENGINE_METHOD_DIGESTS`
32 * `ENGINE_METHOD_STORE`
33 * `ENGINE_METHOD_PKEY_METH`
34 * `ENGINE_METHOD_PKEY_ASN1_METH`
36 * `ENGINE_METHOD_NONE`
39 ## crypto.getCiphers()
41 Returns an array with the names of the supported ciphers.
45 var ciphers = crypto.getCiphers();
46 console.log(ciphers); // ['AES-128-CBC', 'AES-128-CBC-HMAC-SHA1', ...]
51 Returns an array with the names of the supported hash algorithms.
55 var hashes = crypto.getHashes();
56 console.log(hashes); // ['sha', 'sha1', 'sha1WithRSAEncryption', ...]
59 ## crypto.createCredentials(details)
61 Creates a credentials object, with the optional details being a
64 * `pfx` : A string or buffer holding the PFX or PKCS12 encoded private
65 key, certificate and CA certificates
66 * `key` : A string holding the PEM encoded private key
67 * `passphrase` : A string of passphrase for the private key or pfx
68 * `cert` : A string holding the PEM encoded certificate
69 * `ca` : Either a string or list of strings of PEM encoded CA
70 certificates to trust.
71 * `crl` : Either a string or list of strings of PEM encoded CRLs
72 (Certificate Revocation List)
73 * `ciphers`: A string describing the ciphers to use or exclude.
75 <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT>
76 for details on the format.
78 If no 'ca' details are given, then node.js will use the default
79 publicly trusted list of CAs as given in
80 <http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt>.
83 ## crypto.createHash(algorithm)
85 Creates and returns a hash object, a cryptographic hash with the given
86 algorithm which can be used to generate hash digests.
88 `algorithm` is dependent on the available algorithms supported by the
89 version of OpenSSL on the platform. Examples are `'sha1'`, `'md5'`,
90 `'sha256'`, `'sha512'`, etc. On recent releases, `openssl
91 list-message-digest-algorithms` will display the available digest
94 Example: this program that takes the sha1 sum of a file
96 var filename = process.argv[2];
97 var crypto = require('crypto');
98 var fs = require('fs');
100 var shasum = crypto.createHash('sha1');
102 var s = fs.ReadStream(filename);
103 s.on('data', function(d) {
107 s.on('end', function() {
108 var d = shasum.digest('hex');
109 console.log(d + ' ' + filename);
114 The class for creating hash digests of data.
116 It is a [stream](stream.html) that is both readable and writable. The
117 written data is used to compute the hash. Once the writable side of
118 the stream is ended, use the `read()` method to get the computed hash
119 digest. The legacy `update` and `digest` methods are also supported.
121 Returned by `crypto.createHash`.
123 ### hash.update(data, [input_encoding])
125 Updates the hash content with the given `data`, the encoding of which
126 is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
127 `'binary'`. If no encoding is provided and the input is a string an
128 encoding of `'binary'` is enforced. If `data` is a `Buffer` then
129 `input_encoding` is ignored.
131 This can be called many times with new data as it is streamed.
133 ### hash.digest([encoding])
135 Calculates the digest of all of the passed data to be hashed. The
136 `encoding` can be `'hex'`, `'binary'` or `'base64'`. If no encoding
137 is provided, then a buffer is returned.
139 Note: `hash` object can not be used after `digest()` method has been
143 ## crypto.createHmac(algorithm, key)
145 Creates and returns a hmac object, a cryptographic hmac with the given
148 It is a [stream](stream.html) that is both readable and writable. The
149 written data is used to compute the hmac. Once the writable side of
150 the stream is ended, use the `read()` method to get the computed
151 digest. The legacy `update` and `digest` methods are also supported.
153 `algorithm` is dependent on the available algorithms supported by
154 OpenSSL - see createHash above. `key` is the hmac key to be used.
158 Class for creating cryptographic hmac content.
160 Returned by `crypto.createHmac`.
162 ### hmac.update(data)
164 Update the hmac content with the given `data`. This can be called
165 many times with new data as it is streamed.
167 ### hmac.digest([encoding])
169 Calculates the digest of all of the passed data to the hmac. The
170 `encoding` can be `'hex'`, `'binary'` or `'base64'`. If no encoding
171 is provided, then a buffer is returned.
173 Note: `hmac` object can not be used after `digest()` method has been
177 ## crypto.createCipher(algorithm, password)
179 Creates and returns a cipher object, with the given algorithm and
182 `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
183 recent releases, `openssl list-cipher-algorithms` will display the
184 available cipher algorithms. `password` is used to derive key and IV,
185 which must be a `'binary'` encoded string or a [buffer](buffer.html).
187 It is a [stream](stream.html) that is both readable and writable. The
188 written data is used to compute the hash. Once the writable side of
189 the stream is ended, use the `read()` method to get the computed hash
190 digest. The legacy `update` and `digest` methods are also supported.
192 ## crypto.createCipheriv(algorithm, key, iv)
194 Creates and returns a cipher object, with the given algorithm, key and
197 `algorithm` is the same as the argument to `createCipher()`. `key` is
198 the raw key used by the algorithm. `iv` is an [initialization
199 vector](http://en.wikipedia.org/wiki/Initialization_vector).
201 `key` and `iv` must be `'binary'` encoded strings or
202 [buffers](buffer.html).
206 Class for encrypting data.
208 Returned by `crypto.createCipher` and `crypto.createCipheriv`.
210 Cipher objects are [streams](stream.html) that are both readable and
211 writable. The written plain text data is used to produce the
212 encrypted data on the readable side. The legacy `update` and `final`
213 methods are also supported.
215 ### cipher.update(data, [input_encoding], [output_encoding])
217 Updates the cipher with `data`, the encoding of which is given in
218 `input_encoding` and can be `'utf8'`, `'ascii'` or `'binary'`. If no
219 encoding is provided, then a buffer is expected.
220 If `data` is a `Buffer` then `input_encoding` is ignored.
222 The `output_encoding` specifies the output format of the enciphered
223 data, and can be `'binary'`, `'base64'` or `'hex'`. If no encoding is
224 provided, then a buffer is returned.
226 Returns the enciphered contents, and can be called many times with new
227 data as it is streamed.
229 ### cipher.final([output_encoding])
231 Returns any remaining enciphered contents, with `output_encoding`
232 being one of: `'binary'`, `'base64'` or `'hex'`. If no encoding is
233 provided, then a buffer is returned.
235 Note: `cipher` object can not be used after `final()` method has been
238 ### cipher.setAutoPadding(auto_padding=true)
240 You can disable automatic padding of the input data to block size. If
241 `auto_padding` is false, the length of the entire input data must be a
242 multiple of the cipher's block size or `final` will fail. Useful for
243 non-standard padding, e.g. using `0x0` instead of PKCS padding. You
244 must call this before `cipher.final`.
246 ### cipher.getAuthTag()
248 For authenticated encryption modes (currently supported: GCM), this
249 method returns a `Buffer` that represents the _authentication tag_ that
250 has been computed from the given data. Should be called after
251 encryption has been completed using the `final` method!
254 ## crypto.createDecipher(algorithm, password)
256 Creates and returns a decipher object, with the given algorithm and
257 key. This is the mirror of the [createCipher()][] above.
259 ## crypto.createDecipheriv(algorithm, key, iv)
261 Creates and returns a decipher object, with the given algorithm, key
262 and iv. This is the mirror of the [createCipheriv()][] above.
266 Class for decrypting data.
268 Returned by `crypto.createDecipher` and `crypto.createDecipheriv`.
270 Decipher objects are [streams](stream.html) that are both readable and
271 writable. The written enciphered data is used to produce the
272 plain-text data on the the readable side. The legacy `update` and
273 `final` methods are also supported.
275 ### decipher.update(data, [input_encoding], [output_encoding])
277 Updates the decipher with `data`, which is encoded in `'binary'`,
278 `'base64'` or `'hex'`. If no encoding is provided, then a buffer is
280 If `data` is a `Buffer` then `input_encoding` is ignored.
282 The `output_decoding` specifies in what format to return the
283 deciphered plaintext: `'binary'`, `'ascii'` or `'utf8'`. If no
284 encoding is provided, then a buffer is returned.
286 ### decipher.final([output_encoding])
288 Returns any remaining plaintext which is deciphered, with
289 `output_encoding` being one of: `'binary'`, `'ascii'` or `'utf8'`. If
290 no encoding is provided, then a buffer is returned.
292 Note: `decipher` object can not be used after `final()` method has been
295 ### decipher.setAutoPadding(auto_padding=true)
297 You can disable auto padding if the data has been encrypted without
298 standard block padding to prevent `decipher.final` from checking and
299 removing it. Can only work if the input data's length is a multiple of
300 the ciphers block size. You must call this before streaming data to
303 ### decipher.setAuthTag(buffer)
305 For authenticated encryption modes (currently supported: GCM), this
306 method must be used to pass in the received _authentication tag_.
307 If no tag is provided or if the ciphertext has been tampered with,
308 `final` will throw, thus indicating that the ciphertext should
309 be discarded due to failed authentication.
312 ## crypto.createSign(algorithm)
314 Creates and returns a signing object, with the given algorithm. On
315 recent OpenSSL releases, `openssl list-public-key-algorithms` will
316 display the available signing algorithms. Examples are `'RSA-SHA256'`.
320 Class for generating signatures.
322 Returned by `crypto.createSign`.
324 Sign objects are writable [streams](stream.html). The written data is
325 used to generate the signature. Once all of the data has been
326 written, the `sign` method will return the signature. The legacy
327 `update` method is also supported.
329 ### sign.update(data)
331 Updates the sign object with data. This can be called many times
332 with new data as it is streamed.
334 ### sign.sign(private_key, [output_format])
336 Calculates the signature on all the updated data passed through the
339 `private_key` can be an object or a string. If `private_key` is a string, it is
340 treated as the key with no passphrase.
344 * `key` : A string holding the PEM encoded private key
345 * `passphrase` : A string of passphrase for the private key
347 Returns the signature in `output_format` which can be `'binary'`,
348 `'hex'` or `'base64'`. If no encoding is provided, then a buffer is
351 Note: `sign` object can not be used after `sign()` method has been
354 ## crypto.createVerify(algorithm)
356 Creates and returns a verification object, with the given algorithm.
357 This is the mirror of the signing object above.
361 Class for verifying signatures.
363 Returned by `crypto.createVerify`.
365 Verify objects are writable [streams](stream.html). The written data
366 is used to validate against the supplied signature. Once all of the
367 data has been written, the `verify` method will return true if the
368 supplied signature is valid. The legacy `update` method is also
371 ### verifier.update(data)
373 Updates the verifier object with data. This can be called many times
374 with new data as it is streamed.
376 ### verifier.verify(object, signature, [signature_format])
378 Verifies the signed data by using the `object` and `signature`.
379 `object` is a string containing a PEM encoded object, which can be
380 one of RSA public key, DSA public key, or X.509 certificate.
381 `signature` is the previously calculated signature for the data, in
382 the `signature_format` which can be `'binary'`, `'hex'` or `'base64'`.
383 If no encoding is specified, then a buffer is expected.
385 Returns true or false depending on the validity of the signature for
386 the data and public key.
388 Note: `verifier` object can not be used after `verify()` method has been
391 ## crypto.createDiffieHellman(prime_length)
393 Creates a Diffie-Hellman key exchange object and generates a prime of
394 the given bit length. The generator used is `2`.
396 ## crypto.createDiffieHellman(prime, [encoding])
398 Creates a Diffie-Hellman key exchange object using the supplied prime.
399 The generator used is `2`. Encoding can be `'binary'`, `'hex'`, or
400 `'base64'`. If no encoding is specified, then a buffer is expected.
402 ## Class: DiffieHellman
404 The class for creating Diffie-Hellman key exchanges.
406 Returned by `crypto.createDiffieHellman`.
408 ### diffieHellman.generateKeys([encoding])
410 Generates private and public Diffie-Hellman key values, and returns
411 the public key in the specified encoding. This key should be
412 transferred to the other party. Encoding can be `'binary'`, `'hex'`,
413 or `'base64'`. If no encoding is provided, then a buffer is returned.
415 ### diffieHellman.computeSecret(other_public_key, [input_encoding], [output_encoding])
417 Computes the shared secret using `other_public_key` as the other
418 party's public key and returns the computed shared secret. Supplied
419 key is interpreted using specified `input_encoding`, and secret is
420 encoded using specified `output_encoding`. Encodings can be
421 `'binary'`, `'hex'`, or `'base64'`. If the input encoding is not
422 provided, then a buffer is expected.
424 If no output encoding is given, then a buffer is returned.
426 ### diffieHellman.getPrime([encoding])
428 Returns the Diffie-Hellman prime in the specified encoding, which can
429 be `'binary'`, `'hex'`, or `'base64'`. If no encoding is provided,
430 then a buffer is returned.
432 ### diffieHellman.getGenerator([encoding])
434 Returns the Diffie-Hellman generator in the specified encoding, which can
435 be `'binary'`, `'hex'`, or `'base64'`. If no encoding is provided,
436 then a buffer is returned.
438 ### diffieHellman.getPublicKey([encoding])
440 Returns the Diffie-Hellman public key in the specified encoding, which
441 can be `'binary'`, `'hex'`, or `'base64'`. If no encoding is provided,
442 then a buffer is returned.
444 ### diffieHellman.getPrivateKey([encoding])
446 Returns the Diffie-Hellman private key in the specified encoding,
447 which can be `'binary'`, `'hex'`, or `'base64'`. If no encoding is
448 provided, then a buffer is returned.
450 ### diffieHellman.setPublicKey(public_key, [encoding])
452 Sets the Diffie-Hellman public key. Key encoding can be `'binary'`,
453 `'hex'` or `'base64'`. If no encoding is provided, then a buffer is
456 ### diffieHellman.setPrivateKey(private_key, [encoding])
458 Sets the Diffie-Hellman private key. Key encoding can be `'binary'`,
459 `'hex'` or `'base64'`. If no encoding is provided, then a buffer is
462 ## crypto.getDiffieHellman(group_name)
464 Creates a predefined Diffie-Hellman key exchange object. The
465 supported groups are: `'modp1'`, `'modp2'`, `'modp5'` (defined in [RFC
466 2412][]) and `'modp14'`, `'modp15'`, `'modp16'`, `'modp17'`,
467 `'modp18'` (defined in [RFC 3526][]). The returned object mimics the
468 interface of objects created by [crypto.createDiffieHellman()][]
469 above, but will not allow to change the keys (with
470 [diffieHellman.setPublicKey()][] for example). The advantage of using
471 this routine is that the parties don't have to generate nor exchange
472 group modulus beforehand, saving both processor and communication
475 Example (obtaining a shared secret):
477 var crypto = require('crypto');
478 var alice = crypto.getDiffieHellman('modp5');
479 var bob = crypto.getDiffieHellman('modp5');
481 alice.generateKeys();
484 var alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
485 var bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
487 /* alice_secret and bob_secret should be the same */
488 console.log(alice_secret == bob_secret);
490 ## crypto.pbkdf2(password, salt, iterations, keylen, [digest], callback)
492 Asynchronous PBKDF2 function. Applies the selected HMAC digest function
493 (default: SHA1) to derive a key of the requested length from the password,
494 salt and number of iterations. The callback gets two arguments:
499 crypto.pbkdf2('secret', 'salt', 4096, 512, 'sha256', function(err, key) {
502 console.log(key.toString('hex')); // 'c5e478d...1469e50'
505 You can get a list of supported digest functions with
506 [crypto.getHashes()](#crypto_crypto_gethashes).
508 ## crypto.pbkdf2Sync(password, salt, iterations, keylen, [digest])
510 Synchronous PBKDF2 function. Returns derivedKey or throws error.
512 ## crypto.randomBytes(size, [callback])
514 Generates cryptographically strong pseudo-random data. Usage:
517 crypto.randomBytes(256, function(ex, buf) {
519 console.log('Have %d bytes of random data: %s', buf.length, buf);
524 var buf = crypto.randomBytes(256);
525 console.log('Have %d bytes of random data: %s', buf.length, buf);
528 // most likely, entropy sources are drained
531 NOTE: Will throw error or invoke callback with error, if there is not enough
532 accumulated entropy to generate cryptographically strong data. In other words,
533 `crypto.randomBytes` without callback will not block even if all entropy sources
536 ## crypto.pseudoRandomBytes(size, [callback])
538 Generates *non*-cryptographically strong pseudo-random data. The data
539 returned will be unique if it is sufficiently long, but is not
540 necessarily unpredictable. For this reason, the output of this
541 function should never be used where unpredictability is important,
542 such as in the generation of encryption keys.
544 Usage is otherwise identical to `crypto.randomBytes`.
546 ## Class: Certificate
548 The class used for working with signed public key & challenges. The most
549 common usage for this series of functions is when dealing with the `<keygen>`
550 element. http://www.openssl.org/docs/apps/spkac.html
552 Returned by `crypto.Certificate`.
554 ### Certificate.verifySpkac(spkac)
556 Returns true of false based on the validity of the SPKAC.
558 ### Certificate.exportChallenge(spkac)
560 Exports the encoded public key from the supplied SPKAC.
562 ### Certificate.exportPublicKey(spkac)
564 Exports the encoded challenge associated with the SPKAC.
566 ## crypto.DEFAULT_ENCODING
568 The default encoding to use for functions that can take either strings
569 or buffers. The default value is `'buffer'`, which makes it default
570 to using Buffer objects. This is here to make the crypto module more
571 easily compatible with legacy programs that expected `'binary'` to be
572 the default encoding.
574 Note that new programs will probably expect buffers, so only use this
575 as a temporary measure.
577 ## Recent API Changes
579 The Crypto module was added to Node before there was the concept of a
580 unified Stream API, and before there were Buffer objects for handling
583 As such, the streaming classes don't have the typical methods found on
584 other Node classes, and many methods accepted and returned
585 Binary-encoded strings by default rather than Buffers. This was
586 changed to use Buffers by default instead.
588 This is a breaking change for some use cases, but not all.
590 For example, if you currently use the default arguments to the Sign
591 class, and then pass the results to the Verify class, without ever
592 inspecting the data, then it will continue to work as before. Where
593 you once got a binary string and then presented the binary string to
594 the Verify object, you'll now get a Buffer, and present the Buffer to
597 However, if you were doing things with the string data that will not
598 work properly on Buffers (such as, concatenating them, storing in
599 databases, etc.), or you are passing binary strings to the crypto
600 functions without an encoding argument, then you will need to start
601 providing encoding arguments to specify which encoding you'd like to
602 use. To switch to the previous style of using binary strings by
603 default, set the `crypto.DEFAULT_ENCODING` field to 'binary'. Note
604 that new programs will probably expect buffers, so only use this as a
608 [createCipher()]: #crypto_crypto_createcipher_algorithm_password
609 [createCipheriv()]: #crypto_crypto_createcipheriv_algorithm_key_iv
610 [crypto.createDiffieHellman()]: #crypto_crypto_creatediffiehellman_prime_encoding
611 [diffieHellman.setPublicKey()]: #crypto_diffiehellman_setpublickey_public_key_encoding
612 [RFC 2412]: http://www.rfc-editor.org/rfc/rfc2412.txt
613 [RFC 3526]: http://www.rfc-editor.org/rfc/rfc3526.txt