5 The `crypto` module provides cryptographic functionality that includes a set of
6 wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign and verify functions.
8 Use `require('crypto')` to access this module.
11 const crypto = require('crypto');
13 const secret = 'abcdefg';
14 const hash = crypto.createHmac('sha256', secret)
15 .update('I love cupcakes')
19 // c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
24 SPKAC is a Certificate Signing Request mechanism originally implemented by
25 Netscape and now specified formally as part of [HTML5's `keygen` element][].
27 The `crypto` module provides the `Certificate` class for working with SPKAC
28 data. The most common usage is handling output generated by the HTML5
29 `<keygen>` element. Node.js uses [OpenSSL's SPKAC implementation][] internally.
31 ### new crypto.Certificate()
33 Instances of the `Certificate` class can be created using the `new` keyword
34 or by calling `crypto.Certificate()` as a function:
37 const crypto = require('crypto');
39 const cert1 = new crypto.Certificate();
40 const cert2 = crypto.Certificate();
43 ### certificate.exportChallenge(spkac)
45 The `spkac` data structure includes a public key and a challenge. The
46 `certificate.exportChallenge()` returns the challenge component in the
47 form of a Node.js [`Buffer`][]. The `spkac` argument can be either a string
51 const cert = require('crypto').Certificate();
52 const spkac = getSpkacSomehow();
53 const challenge = cert.exportChallenge(spkac);
54 console.log(challenge.toString('utf8'));
55 // Prints the challenge as a UTF8 string
58 ### certificate.exportPublicKey(spkac)
60 The `spkac` data structure includes a public key and a challenge. The
61 `certificate.exportPublicKey()` returns the public key component in the
62 form of a Node.js [`Buffer`][]. The `spkac` argument can be either a string
66 const cert = require('crypto').Certificate();
67 const spkac = getSpkacSomehow();
68 const publicKey = cert.exportPublicKey(spkac);
69 console.log(publicKey);
70 // Prints the public key as <Buffer ...>
73 ### certificate.verifySpkac(spkac)
75 Returns `true` if the given `spkac` data structure is valid, `false` otherwise.
76 The `spkac` argument must be a Node.js [`Buffer`][].
79 const cert = require('crypto').Certificate();
80 const spkac = getSpkacSomehow();
81 console.log(cert.verifySpkac(new Buffer(spkac)));
82 // Prints true or false
87 Instances of the `Cipher` class are used to encrypt data. The class can be
88 used in one of two ways:
90 - As a [stream][] that is both readable and writable, where plain unencrypted
91 data is written to produce encrypted data on the readable side, or
92 - Using the [`cipher.update()`][] and [`cipher.final()`][] methods to produce
95 The [`crypto.createCipher()`][] or [`crypto.createCipheriv()`][] methods are
96 used to create `Cipher` instances. `Cipher` objects are not to be created
97 directly using the `new` keyword.
99 Example: Using `Cipher` objects as streams:
102 const crypto = require('crypto');
103 const cipher = crypto.createCipher('aes192', 'a password');
106 cipher.on('readable', () => {
107 var data = cipher.read();
109 encrypted += data.toString('hex');
111 cipher.on('end', () => {
112 console.log(encrypted);
113 // Prints: ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504
116 cipher.write('some clear text data');
120 Example: Using `Cipher` and piped streams:
123 const crypto = require('crypto');
124 const fs = require('fs');
125 const cipher = crypto.createCipher('aes192', 'a password');
127 const input = fs.createReadStream('test.js');
128 const output = fs.createWriteStream('test.enc');
130 input.pipe(cipher).pipe(output);
133 Example: Using the [`cipher.update()`][] and [`cipher.final()`][] methods:
136 const crypto = require('crypto');
137 const cipher = crypto.createCipher('aes192', 'a password');
139 var encrypted = cipher.update('some clear text data', 'utf8', 'hex');
140 encrypted += cipher.final('hex');
141 console.log(encrypted);
142 // Prints: ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504
145 ### cipher.final([output_encoding])
147 Returns any remaining enciphered contents. If `output_encoding`
148 parameter is one of `'binary'`, `'base64'` or `'hex'`, a string is returned.
149 If an `output_encoding` is not provided, a [`Buffer`][] is returned.
151 Once the `cipher.final()` method has been called, the `Cipher` object can no
152 longer be used to encrypt data. Attempts to call `cipher.final()` more than
153 once will result in an error being thrown.
155 ### cipher.setAAD(buffer)
157 When using an authenticated encryption mode (only `GCM` is currently
158 supported), the `cipher.setAAD()` method sets the value used for the
159 _additional authenticated data_ (AAD) input parameter.
161 ### cipher.getAuthTag()
163 When using an authenticated encryption mode (only `GCM` is currently
164 supported), the `cipher.getAuthTag()` method returns a [`Buffer`][] containing
165 the _authentication tag_ that has been computed from the given data.
167 The `cipher.getAuthTag()` method should only be called after encryption has
168 been completed using the [`cipher.final()`][] method.
170 ### cipher.setAutoPadding(auto_padding=true)
172 When using block encryption algorithms, the `Cipher` class will automatically
173 add padding to the input data to the appropriate block size. To disable the
174 default padding call `cipher.setAutoPadding(false)`.
176 When `auto_padding` is `false`, the length of the entire input data must be a
177 multiple of the cipher's block size or [`cipher.final()`][] will throw an Error.
178 Disabling automatic padding is useful for non-standard padding, for instance
179 using `0x0` instead of PKCS padding.
181 The `cipher.setAutoPadding()` method must be called before [`cipher.final()`][].
183 ### cipher.update(data[, input_encoding][, output_encoding])
185 Updates the cipher with `data`. If the `input_encoding` argument is given,
186 it's value must be one of `'utf8'`, `'ascii'`, or `'binary'` and the `data`
187 argument is a string using the specified encoding. If the `input_encoding`
188 argument is not given, `data` must be a [`Buffer`][]. If `data` is a
189 [`Buffer`][] then `input_encoding` is ignored.
191 The `output_encoding` specifies the output format of the enciphered
192 data, and can be `'binary'`, `'base64'` or `'hex'`. If the `output_encoding`
193 is specified, a string using the specified encoding is returned. If no
194 `output_encoding` is provided, a [`Buffer`][] is returned.
196 The `cipher.update()` method can be called multiple times with new data until
197 [`cipher.final()`][] is called. Calling `cipher.update()` after
198 [`cipher.final()`][] will result in an error being thrown.
202 Instances of the `Decipher` class are used to decrypt data. The class can be
203 used in one of two ways:
205 - As a [stream][] that is both readable and writable, where plain encrypted
206 data is written to produce unencrypted data on the readable side, or
207 - Using the [`decipher.update()`][] and [`decipher.final()`][] methods to
208 produce the unencrypted data.
210 The [`crypto.createDecipher()`][] or [`crypto.createDecipheriv()`][] methods are
211 used to create `Decipher` instances. `Decipher` objects are not to be created
212 directly using the `new` keyword.
214 Example: Using `Decipher` objects as streams:
217 const crypto = require('crypto');
218 const decipher = crypto.createDecipher('aes192', 'a password');
221 decipher.on('readable', () => {
222 var data = decipher.read();
224 decrypted += data.toString('utf8');
226 decipher.on('end', () => {
227 console.log(decrypted);
228 // Prints: some clear text data
231 var encrypted = 'ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504';
232 decipher.write(encrypted, 'hex');
236 Example: Using `Decipher` and piped streams:
239 const crypto = require('crypto');
240 const fs = require('fs');
241 const decipher = crypto.createDecipher('aes192', 'a password');
243 const input = fs.createReadStream('test.enc');
244 const output = fs.createWriteStream('test.js');
246 input.pipe(decipher).pipe(output);
249 Example: Using the [`decipher.update()`][] and [`decipher.final()`][] methods:
252 const crypto = require('crypto');
253 const decipher = crypto.createDecipher('aes192', 'a password');
255 var encrypted = 'ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504';
256 var decrypted = decipher.update(encrypted, 'hex', 'utf8');
257 decrypted += decipher.final('utf8');
258 console.log(decrypted);
259 // Prints: some clear text data
262 ### decipher.final([output_encoding])
264 Returns any remaining deciphered contents. If `output_encoding`
265 parameter is one of `'binary'`, `'base64'` or `'hex'`, a string is returned.
266 If an `output_encoding` is not provided, a [`Buffer`][] is returned.
268 Once the `decipher.final()` method has been called, the `Decipher` object can
269 no longer be used to decrypt data. Attempts to call `decipher.final()` more
270 than once will result in an error being thrown.
272 ### decipher.setAAD(buffer)
274 When using an authenticated encryption mode (only `GCM` is currently
275 supported), the `cipher.setAAD()` method sets the value used for the
276 _additional authenticated data_ (AAD) input parameter.
278 ### decipher.setAuthTag(buffer)
280 When using an authenticated encryption mode (only `GCM` is currently
281 supported), the `decipher.setAuthTag()` method is used to pass in the
282 received _authentication tag_. If no tag is provided, or if the cipher text
283 has been tampered with, [`decipher.final()`][] with throw, indicating that the
284 cipher text should be discarded due to failed authentication.
286 ### decipher.setAutoPadding(auto_padding=true)
288 When data has been encrypted without standard block padding, calling
289 `decipher.setAuthPadding(false)` will disable automatic padding to prevent
290 [`decipher.final()`][] from checking for and removing padding.
292 Turning auto padding off will only work if the input data's length is a
293 multiple of the ciphers block size.
295 The `decipher.setAutoPadding()` method must be called before
296 [`decipher.update()`][].
298 ### decipher.update(data[, input_encoding][, output_encoding])
300 Updates the decipher with `data`. If the `input_encoding` argument is given,
301 it's value must be one of `'binary'`, `'base64'`, or `'hex'` and the `data`
302 argument is a string using the specified encoding. If the `input_encoding`
303 argument is not given, `data` must be a [`Buffer`][]. If `data` is a
304 [`Buffer`][] then `input_encoding` is ignored.
306 The `output_encoding` specifies the output format of the enciphered
307 data, and can be `'binary'`, `'ascii'` or `'utf8'`. If the `output_encoding`
308 is specified, a string using the specified encoding is returned. If no
309 `output_encoding` is provided, a [`Buffer`][] is returned.
311 The `decipher.update()` method can be called multiple times with new data until
312 [`decipher.final()`][] is called. Calling `decipher.update()` after
313 [`decipher.final()`][] will result in an error being thrown.
315 ## Class: DiffieHellman
317 The `DiffieHellman` class is a utility for creating Diffie-Hellman key
320 Instances of the `DiffieHellman` class can be created using the
321 [`crypto.createDiffieHellman()`][] function.
324 const crypto = require('crypto');
325 const assert = require('assert');
327 // Generate Alice's keys...
328 const alice = crypto.createDiffieHellman(11);
329 const alice_key = alice.generateKeys();
331 // Generate Bob's keys...
332 const bob = crypto.createDiffieHellman(11);
333 const bob_key = bob.generateKeys();
335 // Exchange and generate the secret...
336 const alice_secret = alice.computeSecret(bob_key);
337 const bob_secret = bob.computeSecret(alice_key);
339 assert(alice_secret, bob_secret);
343 ### diffieHellman.computeSecret(other_public_key[, input_encoding][, output_encoding])
345 Computes the shared secret using `other_public_key` as the other
346 party's public key and returns the computed shared secret. The supplied
347 key is interpreted using the specified `input_encoding`, and secret is
348 encoded using specified `output_encoding`. Encodings can be
349 `'binary'`, `'hex'`, or `'base64'`. If the `input_encoding` is not
350 provided, `other_public_key` is expected to be a [`Buffer`][].
352 If `output_encoding` is given a string is returned; otherwise, a
353 [`Buffer`][] is returned.
355 ### diffieHellman.generateKeys([encoding])
357 Generates private and public Diffie-Hellman key values, and returns
358 the public key in the specified `encoding`. This key should be
359 transferred to the other party. Encoding can be `'binary'`, `'hex'`,
360 or `'base64'`. If `encoding` is provided a string is returned; otherwise a
361 [`Buffer`][] is returned.
363 ### diffieHellman.getGenerator([encoding])
365 Returns the Diffie-Hellman generator in the specified `encoding`, which can
366 be `'binary'`, `'hex'`, or `'base64'`. If `encoding` is provided a string is
367 returned; otherwise a [`Buffer`][] is returned.
369 ### diffieHellman.getPrime([encoding])
371 Returns the Diffie-Hellman prime in the specified `encoding`, which can
372 be `'binary'`, `'hex'`, or `'base64'`. If `encoding` is provided a string is
373 returned; otherwise a [`Buffer`][] is returned.
375 ### diffieHellman.getPrivateKey([encoding])
377 Returns the Diffie-Hellman private key in the specified `encoding`,
378 which can be `'binary'`, `'hex'`, or `'base64'`. If `encoding` is provided a
379 string is returned; otherwise a [`Buffer`][] is returned.
381 ### diffieHellman.getPublicKey([encoding])
383 Returns the Diffie-Hellman public key in the specified `encoding`, which
384 can be `'binary'`, `'hex'`, or `'base64'`. If `encoding` is provided a
385 string is returned; otherwise a [`Buffer`][] is returned.
387 ### diffieHellman.setPrivateKey(private_key[, encoding])
389 Sets the Diffie-Hellman private key. If the `encoding` argument is provided
390 and is either `'binary'`, `'hex'`, or `'base64'`, `private_key` is expected
391 to be a string. If no `encoding` is provided, `private_key` is expected
392 to be a [`Buffer`][].
394 ### diffieHellman.setPublicKey(public_key[, encoding])
396 Sets the Diffie-Hellman public key. If the `encoding` argument is provided
397 and is either `'binary'`, `'hex'` or `'base64'`, `public_key` is expected
398 to be a string. If no `encoding` is provided, `public_key` is expected
399 to be a [`Buffer`][].
401 ### diffieHellman.verifyError
403 A bit field containing any warnings and/or errors resulting from a check
404 performed during initialization of the `DiffieHellman` object.
406 The following values are valid for this property (as defined in `constants`
409 * `DH_CHECK_P_NOT_SAFE_PRIME`
410 * `DH_CHECK_P_NOT_PRIME`
411 * `DH_UNABLE_TO_CHECK_GENERATOR`
412 * `DH_NOT_SUITABLE_GENERATOR`
416 The `ECDH` class is a utility for creating Elliptic Curve Diffie-Hellman (ECDH)
419 Instances of the `ECDH` class can be created using the
420 [`crypto.createECDH()`][] function.
423 const crypto = require('crypto');
424 const assert = require('assert');
426 // Generate Alice's keys...
427 const alice = crypto.createECDH('secp521r1');
428 const alice_key = alice.generateKeys();
430 // Generate Bob's keys...
431 const bob = crypto.createECDH('secp521r1');
432 const bob_key = bob.generateKeys();
434 // Exchange and generate the secret...
435 const alice_secret = alice.computeSecret(bob_key);
436 const bob_secret = bob.computeSecret(alice_key);
438 assert(alice_secret, bob_secret);
442 ### ecdh.computeSecret(other_public_key[, input_encoding][, output_encoding])
444 Computes the shared secret using `other_public_key` as the other
445 party's public key and returns the computed shared secret. The supplied
446 key is interpreted using specified `input_encoding`, and the returned secret
447 is encoded using the specified `output_encoding`. Encodings can be
448 `'binary'`, `'hex'`, or `'base64'`. If the `input_encoding` is not
449 provided, `other_public_key` is expected to be a [`Buffer`][].
451 If `output_encoding` is given a string will be returned; otherwise a
452 [`Buffer`][] is returned.
454 ### ecdh.generateKeys([encoding[, format]])
456 Generates private and public EC Diffie-Hellman key values, and returns
457 the public key in the specified `format` and `encoding`. This key should be
458 transferred to the other party.
460 The `format` arguments specifies point encoding and can be `'compressed'`,
461 `'uncompressed'`, or `'hybrid'`. If `format` is not specified, the point will
462 be returned in `'uncompressed'` format.
464 The `encoding` argument can be `'binary'`, `'hex'`, or `'base64'`. If
465 `encoding` is provided a string is returned; otherwise a [`Buffer`][]
468 ### ecdh.getPrivateKey([encoding])
470 Returns the EC Diffie-Hellman private key in the specified `encoding`,
471 which can be `'binary'`, `'hex'`, or `'base64'`. If `encoding` is provided
472 a string is returned; otherwise a [`Buffer`][] is returned.
474 ### ecdh.getPublicKey([encoding[, format]])
476 Returns the EC Diffie-Hellman public key in the specified `encoding` and
479 The `format` argument specifies point encoding and can be `'compressed'`,
480 `'uncompressed'`, or `'hybrid'`. If `format` is not specified the point will be
481 returned in `'uncompressed'` format.
483 The `encoding` argument can be `'binary'`, `'hex'`, or `'base64'`. If
484 `encoding` is specified, a string is returned; otherwise a [`Buffer`][] is
487 ### ecdh.setPrivateKey(private_key[, encoding])
489 Sets the EC Diffie-Hellman private key. The `encoding` can be `'binary'`,
490 `'hex'` or `'base64'`. If `encoding` is provided, `private_key` is expected
491 to be a string; otherwise `private_key` is expected to be a [`Buffer`][]. If
492 `private_key` is not valid for the curve specified when the `ECDH` object was
493 created, an error is thrown. Upon setting the private key, the associated
494 public point (key) is also generated and set in the ECDH object.
496 ### ecdh.setPublicKey(public_key[, encoding])
498 Stability: 0 - Deprecated
500 Sets the EC Diffie-Hellman public key. Key encoding can be `'binary'`,
501 `'hex'` or `'base64'`. If `encoding` is provided `public_key` is expected to
502 be a string; otherwise a [`Buffer`][] is expected.
504 Note that there is not normally a reason to call this method because `ECDH`
505 only requires a private key and the other party's public key to compute the
506 shared secret. Typically either [`ecdh.generateKeys()`][] or
507 [`ecdh.setPrivateKey()`][] will be called. The [`ecdh.setPrivateKey()`][] method
508 attempts to generate the public point/key associated with the private key being
511 Example (obtaining a shared secret):
514 const crypto = require('crypto');
515 const alice = crypto.createECDH('secp256k1');
516 const bob = crypto.createECDH('secp256k1');
518 // Note: This is a shortcut way to specify one of Alice's previous private
519 // keys. It would be unwise to use such a predictable private key in a real
522 crypto.createHash('sha256').update('alice', 'utf8').digest()
525 // Bob uses a newly generated cryptographically strong
526 // pseudorandom key pair bob.generateKeys();
528 const alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
529 const bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
531 // alice_secret and bob_secret should be the same shared secret value
532 console.log(alice_secret === bob_secret);
537 The `Hash` class is a utility for creating hash digests of data. It can be
538 used in one of two ways:
540 - As a [stream][] that is both readable and writable, where data is written
541 to produce a computed hash digest on the readable side, or
542 - Using the [`hash.update()`][] and [`hash.digest()`][] methods to produce the
545 The [`crypto.createHash()`][] method is used to create `Hash` instances. `Hash`
546 objects are not to be created directly using the `new` keyword.
548 Example: Using `Hash` objects as streams:
551 const crypto = require('crypto');
552 const hash = crypto.createHash('sha256');
554 hash.on('readable', () => {
555 var data = hash.read();
557 console.log(data.toString('hex'));
559 // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
562 hash.write('some data to hash');
566 Example: Using `Hash` and piped streams:
569 const crypto = require('crypto');
570 const fs = require('fs');
571 const hash = crypto.createHash('sha256');
573 const input = fs.createReadStream('test.js');
574 input.pipe(hash).pipe(process.stdout);
577 Example: Using the [`hash.update()`][] and [`hash.digest()`][] methods:
580 const crypto = require('crypto');
581 const hash = crypto.createHash('sha256');
583 hash.update('some data to hash');
584 console.log(hash.digest('hex'));
586 // 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
589 ### hash.digest([encoding])
591 Calculates the digest of all of the data passed to be hashed (using the
592 [`hash.update()`][] method). The `encoding` can be `'hex'`, `'binary'` or
593 `'base64'`. If `encoding` is provided a string will be returned; otherwise
594 a [`Buffer`][] is returned.
596 The `Hash` object can not be used again after `hash.digest()` method has been
597 called. Multiple calls will cause an error to be thrown.
599 ### hash.update(data[, input_encoding])
601 Updates the hash content with the given `data`, the encoding of which
602 is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
603 `'binary'`. If `encoding` is not provided, and the `data` is a string, an
604 encoding of `'binary'` is enforced. If `data` is a [`Buffer`][] then
605 `input_encoding` is ignored.
607 This can be called many times with new data as it is streamed.
611 The `Hmac` Class is a utility for creating cryptographic HMAC digests. It can
612 be used in one of two ways:
614 - As a [stream][] that is both readable and writable, where data is written
615 to produce a computed HMAC digest on the readable side, or
616 - Using the [`hmac.update()`][] and [`hmac.digest()`][] methods to produce the
617 computed HMAC digest.
619 The [`crypto.createHmac()`][] method is used to create `Hmac` instances. `Hmac`
620 objects are not to be created directly using the `new` keyword.
622 Example: Using `Hmac` objects as streams:
625 const crypto = require('crypto');
626 const hmac = crypto.createHmac('sha256', 'a secret');
628 hmac.on('readable', () => {
629 var data = hmac.read();
631 console.log(data.toString('hex'));
633 // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
636 hmac.write('some data to hash');
640 Example: Using `Hmac` and piped streams:
643 const crypto = require('crypto');
644 const fs = require('fs');
645 const hmac = crypto.createHmac('sha256', 'a secret');
647 const input = fs.createReadStream('test.js');
648 input.pipe(hmac).pipe(process.stdout);
651 Example: Using the [`hmac.update()`][] and [`hmac.digest()`][] methods:
654 const crypto = require('crypto');
655 const hmac = crypto.createHmac('sha256', 'a secret');
657 hmac.update('some data to hash');
658 console.log(hmac.digest('hex'));
660 // 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
663 ### hmac.digest([encoding])
665 Calculates the HMAC digest of all of the data passed using [`hmac.update()`][].
666 The `encoding` can be `'hex'`, `'binary'` or `'base64'`. If `encoding` is
667 provided a string is returned; otherwise a [`Buffer`][] is returned;
669 The `Hmac` object can not be used again after `hmac.digest()` has been
670 called. Multiple calls to `hmac.digest()` will result in an error being thrown.
672 ### hmac.update(data[, input_encoding])
674 Updates the `Hmac` content with the given `data`, the encoding of which
675 is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
676 `'binary'`. If `encoding` is not provided, and the `data` is a string, an
677 encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
678 `input_encoding` is ignored.
680 This can be called many times with new data as it is streamed.
684 The `Sign` Class is a utility for generating signatures. It can be used in one
687 - As a writable [stream][], where data to be signed is written and the
688 [`sign.sign()`][] method is used to generate and return the signature, or
689 - Using the [`sign.update()`][] and [`sign.sign()`][] methods to produce the
692 The [`crypto.createSign()`][] method is used to create `Sign` instances. `Sign`
693 objects are not to be created directly using the `new` keyword.
695 Example: Using `Sign` objects as streams:
698 const crypto = require('crypto');
699 const sign = crypto.createSign('RSA-SHA256');
701 sign.write('some data to sign');
704 const private_key = getPrivateKeySomehow();
705 console.log(sign.sign(private_key, 'hex'));
706 // Prints the calculated signature
709 Example: Using the [`sign.update()`][] and [`sign.sign()`][] methods:
712 const crypto = require('crypto');
713 const sign = crypto.createSign('RSA-SHA256');
715 sign.update('some data to sign');
717 const private_key = getPrivateKeySomehow();
718 console.log(sign.sign(private_key, 'hex'));
719 // Prints the calculated signature
722 ### sign.sign(private_key[, output_format])
724 Calculates the signature on all the data passed through using either
725 [`sign.update()`][] or [`sign.write()`][stream-writable-write].
727 The `private_key` argument can be an object or a string. If `private_key` is a
728 string, it is treated as a raw key with no passphrase. If `private_key` is an
729 object, it is interpreted as a hash containing two properties:
731 * `key` : {String} - PEM encoded private key
732 * `passphrase` : {String} - passphrase for the private key
734 The `output_format` can specify one of `'binary'`, `'hex'` or `'base64'`. If
735 `output_format` is provided a string is returned; otherwise a [`Buffer`][] is
738 The `Sign` object can not be again used after `sign.sign()` method has been
739 called. Multiple calls to `sign.sign()` will result in an error being thrown.
741 ### sign.update(data[, input_encoding])
743 Updates the `Sign` content with the given `data`, the encoding of which
744 is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
745 `'binary'`. If `encoding` is not provided, and the `data` is a string, an
746 encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
747 `input_encoding` is ignored.
749 This can be called many times with new data as it is streamed.
753 The `Verify` class is a utility for verifying signatures. It can be used in one
756 - As a writable [stream][] where written data is used to validate against the
757 supplied signature, or
758 - Using the [`verify.update()`][] and [`verify.verify()`][] methods to verify
761 The [`crypto.createSign()`][] method is used to create `Sign` instances.
762 `Sign` objects are not to be created directly using the `new` keyword.
764 Example: Using `Verify` objects as streams:
767 const crypto = require('crypto');
768 const verify = crypto.createVerify('RSA-SHA256');
770 verify.write('some data to sign');
773 const public_key = getPublicKeySomehow();
774 const signature = getSignatureToVerify();
775 console.log(sign.verify(public_key, signature));
776 // Prints true or false
779 Example: Using the [`verify.update()`][] and [`verify.verify()`][] methods:
782 const crypto = require('crypto');
783 const verify = crypto.createVerify('RSA-SHA256');
785 verify.update('some data to sign');
787 const public_key = getPublicKeySomehow();
788 const signature = getSignatureToVerify();
789 console.log(verify.verify(public_key, signature));
790 // Prints true or false
793 ### verifier.update(data[, input_encoding])
795 Updates the `Verify` content with the given `data`, the encoding of which
796 is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
797 `'binary'`. If `encoding` is not provided, and the `data` is a string, an
798 encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
799 `input_encoding` is ignored.
801 This can be called many times with new data as it is streamed.
803 ### verifier.verify(object, signature[, signature_format])
805 Verifies the provided data using the given `object` and `signature`.
806 The `object` argument is a string containing a PEM encoded object, which can be
807 one an RSA public key, a DSA public key, or an X.509 certificate.
808 The `signature` argument is the previously calculated signature for the data, in
809 the `signature_format` which can be `'binary'`, `'hex'` or `'base64'`.
810 If a `signature_format` is specified, the `signature` is expected to be a
811 string; otherwise `signature` is expected to be a [`Buffer`][].
813 Returns `true` or `false` depending on the validity of the signature for
814 the data and public key.
816 The `verifier` object can not be used again after `verify.verify()` has been
817 called. Multiple calls to `verify.verify()` will result in an error being
820 ## `crypto` module methods and properties
822 ### crypto.DEFAULT_ENCODING
824 The default encoding to use for functions that can take either strings
825 or [buffers][`Buffer`]. The default value is `'buffer'`, which makes methods
826 default to [`Buffer`][] objects.
828 The `crypto.DEFAULT_ENCODING` mechanism is provided for backwards compatibility
829 with legacy programs that expect `'binary'` to be the default encoding.
831 New applications should expect the default to be `'buffer'`. This property may
832 become deprecated in a future Node.js release.
834 ### crypto.createCipher(algorithm, password)
836 Creates and returns a `Cipher` object that uses the given `algorithm` and
839 The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
840 recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
841 available cipher algorithms.
843 The `password` is used to derive the cipher key and initialization vector (IV).
844 The value must be either a `'binary'` encoded string or a [`Buffer`][].
846 The implementation of `crypto.createCipher()` derives keys using the OpenSSL
847 function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
848 iteration, and no salt. The lack of salt allows dictionary attacks as the same
849 password always creates the same key. The low iteration count and
850 non-cryptographically secure hash algorithm allow passwords to be tested very
853 In line with OpenSSL's recommendation to use pbkdf2 instead of
854 [`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
855 their own using [`crypto.pbkdf2()`][] and to use [`crypto.createCipheriv()`][]
856 to create the `Cipher` object.
858 ### crypto.createCipheriv(algorithm, key, iv)
860 Creates and returns a `Cipher` object, with the given `algorithm`, `key` and
861 initialization vector (`iv`).
863 The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
864 recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
865 available cipher algorithms.
867 The `key` is the raw key used by the `algorithm` and `iv` is an
868 [initialization vector][]. Both arguments must be `'binary'` encoded strings or
871 ### crypto.createCredentials(details)
873 Stability: 0 - Deprecated: Use [`tls.createSecureContext()`][] instead.
875 The `crypto.createCredentials()` method is a deprecated alias for creating
876 and returning a `tls.SecureContext` object. The `crypto.createCredentials()`
877 method should not be used.
879 The optional `details` argument is a hash object with keys:
881 * `pfx` : {String|Buffer} - PFX or PKCS12 encoded private
882 key, certificate and CA certificates
883 * `key` : {String} - PEM encoded private key
884 * `passphrase` : {String} - passphrase for the private key or PFX
885 * `cert` : {String} - PEM encoded certificate
886 * `ca` : {String|Array} - Either a string or array of strings of PEM encoded CA
887 certificates to trust.
888 * `crl` : {String|Array} - Either a string or array of strings of PEM encoded CRLs
889 (Certificate Revocation List)
890 * `ciphers`: {String} using the [OpenSSL cipher list format][] describing the
891 cipher algorithms to use or exclude.
893 If no 'ca' details are given, Node.js will use Mozilla's default
894 [publicly trusted list of CAs][].
896 ### crypto.createDecipher(algorithm, password)
898 Creates and returns a `Decipher` object that uses the given `algorithm` and
901 The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
902 function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
903 iteration, and no salt. The lack of salt allows dictionary attacks as the same
904 password always creates the same key. The low iteration count and
905 non-cryptographically secure hash algorithm allow passwords to be tested very
908 In line with OpenSSL's recommendation to use pbkdf2 instead of
909 [`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
910 their own using [`crypto.pbkdf2()`][] and to use [`crypto.createDecipheriv()`][]
911 to create the `Decipher` object.
913 ### crypto.createDecipheriv(algorithm, key, iv)
915 Creates and returns a `Decipher` object that uses the given `algorithm`, `key`
916 and initialization vector (`iv`).
918 The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
919 recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
920 available cipher algorithms.
922 The `key` is the raw key used by the `algorithm` and `iv` is an
923 [initialization vector][]. Both arguments must be `'binary'` encoded strings or
926 ### crypto.createDiffieHellman(prime[, prime_encoding][, generator][, generator_encoding])
928 Creates a `DiffieHellman` key exchange object using the supplied `prime` and an
929 optional specific `generator`.
931 The `generator` argument can be a number, string, or [`Buffer`][]. If
932 `generator` is not specified, the value `2` is used.
934 The `prime_encoding` and `generator_encoding` arguments can be `'binary'`,
935 `'hex'`, or `'base64'`.
937 If `prime_encoding` is specified, `prime` is expected to be a string; otherwise
938 a [`Buffer`][] is expected.
940 If `generator_encoding` is specified, `generator` is expected to be a string;
941 otherwise either a number or [`Buffer`][] is expected.
943 ### crypto.createDiffieHellman(prime_length[, generator])
945 Creates a `DiffieHellman` key exchange object and generates a prime of
946 `prime_length` bits using an optional specific numeric `generator`.
947 If `generator` is not specified, the value `2` is used.
949 ### crypto.createECDH(curve_name)
951 Creates an Elliptic Curve Diffie-Hellman (`ECDH`) key exchange object using a
952 predefined curve specified by the `curve_name` string. Use
953 [`crypto.getCurves()`][] to obtain a list of available curve names. On recent
954 OpenSSL releases, `openssl ecparam -list_curves` will also display the name
955 and description of each available elliptic curve.
957 ### crypto.createHash(algorithm)
959 Creates and returns a `Hash` object that can be used to generate hash digests
960 using the given `algorithm`.
962 The `algorithm` is dependent on the available algorithms supported by the
963 version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
964 On recent releases of OpenSSL, `openssl list-message-digest-algorithms` will
965 display the available digest algorithms.
967 Example: generating the sha256 sum of a file
970 const filename = process.argv[2];
971 const crypto = require('crypto');
972 const fs = require('fs');
974 const hash = crypto.createHash('sha256');
976 const input = fs.createReadStream(filename);
977 input.on('readable', () => {
978 var data = input.read();
982 console.log(`${hash.digest('hex')} ${filename}`);
987 ### crypto.createHmac(algorithm, key)
989 Creates and returns an `Hmac` object that uses the given `algorithm` and `key`.
991 The `algorithm` is dependent on the available algorithms supported by the
992 version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
993 On recent releases of OpenSSL, `openssl list-message-digest-algorithms` will
994 display the available digest algorithms.
996 The `key` is the HMAC key used to generate the cryptographic HMAC hash.
998 Example: generating the sha256 HMAC of a file
1001 const filename = process.argv[2];
1002 const crypto = require('crypto');
1003 const fs = require('fs');
1005 const hmac = crypto.createHmac('sha256', 'a secret');
1007 const input = fs.createReadStream(filename);
1008 input.on('readable', () => {
1009 var data = input.read();
1013 console.log(`${hmac.digest('hex')} ${filename}`);
1018 ### crypto.createSign(algorithm)
1020 Creates and returns a `Sign` object that uses the given `algorithm`. On
1021 recent OpenSSL releases, `openssl list-public-key-algorithms` will
1022 display the available signing algorithms. One example is `'RSA-SHA256'`.
1024 ### crypto.createVerify(algorithm)
1026 Creates and returns a `Verify` object that uses the given algorithm. On
1027 recent OpenSSL releases, `openssl list-public-key-algorithms` will
1028 display the available signing algorithms. One example is `'RSA-SHA256'`.
1030 ### crypto.getCiphers()
1032 Returns an array with the names of the supported cipher algorithms.
1037 const ciphers = crypto.getCiphers();
1038 console.log(ciphers); // ['aes-128-cbc', 'aes-128-ccm', ...]
1041 ### crypto.getCurves()
1043 Returns an array with the names of the supported elliptic curves.
1048 const curves = crypto.getCurves();
1049 console.log(curves); // ['secp256k1', 'secp384r1', ...]
1052 ### crypto.getDiffieHellman(group_name)
1054 Creates a predefined `DiffieHellman` key exchange object. The
1055 supported groups are: `'modp1'`, `'modp2'`, `'modp5'` (defined in
1056 [RFC 2412][], but see [Caveats][]) and `'modp14'`, `'modp15'`,
1057 `'modp16'`, `'modp17'`, `'modp18'` (defined in [RFC 3526][]). The
1058 returned object mimics the interface of objects created by
1059 [`crypto.createDiffieHellman()`][], but will not allow changing
1060 the keys (with [`diffieHellman.setPublicKey()`][] for example). The
1061 advantage of using this method is that the parties do not have to
1062 generate nor exchange a group modulus beforehand, saving both processor
1063 and communication time.
1065 Example (obtaining a shared secret):
1068 const crypto = require('crypto');
1069 const alice = crypto.getDiffieHellman('modp14');
1070 const bob = crypto.getDiffieHellman('modp14');
1072 alice.generateKeys();
1075 const alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
1076 const bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
1078 /* alice_secret and bob_secret should be the same */
1079 console.log(alice_secret == bob_secret);
1082 ### crypto.getHashes()
1084 Returns an array with the names of the supported hash algorithms.
1089 const hashes = crypto.getHashes();
1090 console.log(hashes); // ['sha', 'sha1', 'sha1WithRSAEncryption', ...]
1093 ### crypto.pbkdf2(password, salt, iterations, keylen[, digest], callback)
1095 Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
1096 implementation. A selected HMAC digest algorithm specified by `digest` is
1097 applied to derive a key of the requested byte length (`keylen`) from the
1098 `password`, `salt` and `iterations`. If the `digest` algorithm is not specified,
1099 a default of `'sha1'` is used.
1101 The supplied `callback` function is called with two arguments: `err` and
1102 `derivedKey`. If an error occurs, `err` will be set; otherwise `err` will be
1103 null. The successfully generated `derivedKey` will be passed as a [`Buffer`][].
1105 The `iterations` argument must be a number set as high as possible. The
1106 higher the number of iterations, the more secure the derived key will be,
1107 but will take a longer amount of time to complete.
1109 The `salt` should also be as unique as possible. It is recommended that the
1110 salts are random and their lengths are greater than 16 bytes. See
1111 [NIST SP 800-132][] for details.
1116 const crypto = require('crypto');
1117 crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, key) => {
1119 console.log(key.toString('hex')); // 'c5e478d...1469e50'
1123 An array of supported digest functions can be retrieved using
1124 [`crypto.getHashes()`][].
1126 ### crypto.pbkdf2Sync(password, salt, iterations, keylen[, digest])
1128 Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)
1129 implementation. A selected HMAC digest algorithm specified by `digest` is
1130 applied to derive a key of the requested byte length (`keylen`) from the
1131 `password`, `salt` and `iterations`. If the `digest` algorithm is not specified,
1132 a default of `'sha1'` is used.
1134 If an error occurs an Error will be thrown, otherwise the derived key will be
1135 returned as a [`Buffer`][].
1137 The `iterations` argument must be a number set as high as possible. The
1138 higher the number of iterations, the more secure the derived key will be,
1139 but will take a longer amount of time to complete.
1141 The `salt` should also be as unique as possible. It is recommended that the
1142 salts are random and their lengths are greater than 16 bytes. See
1143 [NIST SP 800-132][] for details.
1148 const crypto = require('crypto');
1149 const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
1150 console.log(key.toString('hex')); // 'c5e478d...1469e50'
1153 An array of supported digest functions can be retrieved using
1154 [`crypto.getHashes()`][].
1156 ### crypto.privateDecrypt(private_key, buffer)
1158 Decrypts `buffer` with `private_key`.
1160 `private_key` can be an object or a string. If `private_key` is a string, it is
1161 treated as the key with no passphrase and will use `RSA_PKCS1_OAEP_PADDING`.
1162 If `private_key` is an object, it is interpreted as a hash object with the
1165 * `key` : {String} - PEM encoded private key
1166 * `passphrase` : {String} - Optional passphrase for the private key
1167 * `padding` : An optional padding value, one of the following:
1168 * `constants.RSA_NO_PADDING`
1169 * `constants.RSA_PKCS1_PADDING`
1170 * `constants.RSA_PKCS1_OAEP_PADDING`
1172 All paddings are defined in the `constants` module.
1174 ### crypto.privateEncrypt(private_key, buffer)
1176 Encrypts `buffer` with `private_key`.
1178 `private_key` can be an object or a string. If `private_key` is a string, it is
1179 treated as the key with no passphrase and will use `RSA_PKCS1_PADDING`.
1180 If `private_key` is an object, it is interpreted as a hash object with the
1183 * `key` : {String} - PEM encoded private key
1184 * `passphrase` : {String} - Optional passphrase for the private key
1185 * `padding` : An optional padding value, one of the following:
1186 * `constants.RSA_NO_PADDING`
1187 * `constants.RSA_PKCS1_PADDING`
1188 * `constants.RSA_PKCS1_OAEP_PADDING`
1190 All paddings are defined in the `constants` module.
1192 ### crypto.publicDecrypt(public_key, buffer)
1194 Decrypts `buffer` with `public_key`.
1196 `public_key` can be an object or a string. If `public_key` is a string, it is
1197 treated as the key with no passphrase and will use `RSA_PKCS1_PADDING`.
1198 If `public_key` is an object, it is interpreted as a hash object with the
1201 * `key` : {String} - PEM encoded public key
1202 * `passphrase` : {String} - Optional passphrase for the private key
1203 * `padding` : An optional padding value, one of the following:
1204 * `constants.RSA_NO_PADDING`
1205 * `constants.RSA_PKCS1_PADDING`
1206 * `constants.RSA_PKCS1_OAEP_PADDING`
1208 Because RSA public keys can be derived from private keys, a private key may
1209 be passed instead of a public key.
1211 All paddings are defined in the `constants` module.
1213 ### crypto.publicEncrypt(public_key, buffer)
1215 Encrypts `buffer` with `public_key`.
1217 `public_key` can be an object or a string. If `public_key` is a string, it is
1218 treated as the key with no passphrase and will use `RSA_PKCS1_OAEP_PADDING`.
1219 If `public_key` is an object, it is interpreted as a hash object with the
1222 * `key` : {String} - PEM encoded public key
1223 * `passphrase` : {String} - Optional passphrase for the private key
1224 * `padding` : An optional padding value, one of the following:
1225 * `constants.RSA_NO_PADDING`
1226 * `constants.RSA_PKCS1_PADDING`
1227 * `constants.RSA_PKCS1_OAEP_PADDING`
1229 Because RSA public keys can be derived from private keys, a private key may
1230 be passed instead of a public key.
1232 All paddings are defined in the `constants` module.
1234 ### crypto.randomBytes(size[, callback])
1236 Generates cryptographically strong pseudo-random data. The `size` argument
1237 is a number indicating the number of bytes to generate.
1239 If a `callback` function is provided, the bytes are generated asynchronously
1240 and the `callback` function is invoked with two arguments: `err` and `buf`.
1241 If an error occurs, `err` will be an Error object; otherwise it is null. The
1242 `buf` argument is a [`Buffer`][] containing the generated bytes.
1246 const crypto = require('crypto');
1247 crypto.randomBytes(256, (err, buf) => {
1249 console.log(`${buf.length} bytes of random data: ${buf.toString('hex')}`);
1253 If the `callback` function is not provided, the random bytes are generated
1254 synchronously and returned as a [`Buffer`][]. An error will be thrown if
1255 there is a problem generating the bytes.
1259 const buf = crypto.randomBytes(256);
1261 `${buf.length} bytes of random data: ${buf.toString('hex')}`);
1264 The `crypto.randomBytes()` method will block until there is sufficient entropy.
1265 This should normally never take longer than a few milliseconds. The only time
1266 when generating the random bytes may conceivably block for a longer period of
1267 time is right after boot, when the whole system is still low on entropy.
1269 ### crypto.setEngine(engine[, flags])
1271 Load and set the `engine` for some or all OpenSSL functions (selected by flags).
1273 `engine` could be either an id or a path to the engine's shared library.
1275 The optional `flags` argument uses `ENGINE_METHOD_ALL` by default. The `flags`
1276 is a bit field taking one of or a mix of the following flags (defined in the
1277 `constants` module):
1279 * `ENGINE_METHOD_RSA`
1280 * `ENGINE_METHOD_DSA`
1281 * `ENGINE_METHOD_DH`
1282 * `ENGINE_METHOD_RAND`
1283 * `ENGINE_METHOD_ECDH`
1284 * `ENGINE_METHOD_ECDSA`
1285 * `ENGINE_METHOD_CIPHERS`
1286 * `ENGINE_METHOD_DIGESTS`
1287 * `ENGINE_METHOD_STORE`
1288 * `ENGINE_METHOD_PKEY_METH`
1289 * `ENGINE_METHOD_PKEY_ASN1_METH`
1290 * `ENGINE_METHOD_ALL`
1291 * `ENGINE_METHOD_NONE`
1295 ### Legacy Streams API (pre Node.js v0.10)
1297 The Crypto module was added to Node.js before there was the concept of a
1298 unified Stream API, and before there were [`Buffer`][] objects for handling
1299 binary data. As such, the many of the `crypto` defined classes have methods not
1300 typically found on other Node.js classes that implement the [streams][stream]
1301 API (e.g. `update()`, `final()`, or `digest()`). Also, many methods accepted
1302 and returned `'binary'` encoded strings by default rather than Buffers. This
1303 default was changed after Node.js v0.8 to use [`Buffer`][] objects by default
1306 ### Recent ECDH Changes
1308 Usage of `ECDH` with non-dynamically generated key pairs has been simplified.
1309 Now, [`ecdh.setPrivateKey()`][] can be called with a preselected private key
1310 and the associated public point (key) will be computed and stored in the object.
1311 This allows code to only store and provide the private part of the EC key pair.
1312 [`ecdh.setPrivateKey()`][] now also validates that the private key is valid for
1315 The [`ecdh.setPublicKey()`][] method is now deprecated as its inclusion in the
1316 API is not useful. Either a previously stored private key should be set, which
1317 automatically generates the associated public key, or [`ecdh.generateKeys()`][]
1318 should be called. The main drawback of using [`ecdh.setPublicKey()`][] is that
1319 it can be used to put the ECDH key pair into an inconsistent state.
1321 ### Support for weak or compromised algorithms
1323 The `crypto` module still supports some algorithms which are already
1324 compromised and are not currently recommended for use. The API also allows
1325 the use of ciphers and hashes with a small key size that are considered to be
1326 too weak for safe use.
1328 Users should take full responsibility for selecting the crypto
1329 algorithm and key size according to their security requirements.
1331 Based on the recommendations of [NIST SP 800-131A][]:
1333 - MD5 and SHA-1 are no longer acceptable where collision resistance is
1334 required such as digital signatures.
1335 - The key used with RSA, DSA and DH algorithms is recommended to have
1336 at least 2048 bits and that of the curve of ECDSA and ECDH at least
1337 224 bits, to be safe to use for several years.
1338 - The DH groups of `modp1`, `modp2` and `modp5` have a key size
1339 smaller than 2048 bits and are not recommended.
1341 See the reference for other recommendations and details.
1343 [`Buffer`]: buffer.html
1344 [`cipher.final()`]: #crypto_cipher_final_output_encoding
1345 [`cipher.update()`]: #crypto_cipher_update_data_input_encoding_output_encoding
1346 [`crypto.createCipher()`]: #crypto_crypto_createcipher_algorithm_password
1347 [`crypto.createCipheriv()`]: #crypto_crypto_createcipheriv_algorithm_key_iv
1348 [`crypto.createDecipher()`]: #crypto_crypto_createdecipher_algorithm_password
1349 [`crypto.createDecipheriv()`]: #crypto_crypto_createdecipheriv_algorithm_key_iv
1350 [`crypto.createDiffieHellman()`]: #crypto_crypto_creatediffiehellman_prime_prime_encoding_generator_generator_encoding
1351 [`crypto.createECDH()`]: #crypto_crypto_createecdh_curve_name
1352 [`crypto.createHash()`]: #crypto_crypto_createhash_algorithm
1353 [`crypto.createHmac()`]: #crypto_crypto_createhmac_algorithm_key
1354 [`crypto.createSign()`]: #crypto_crypto_createsign_algorithm
1355 [`crypto.getCurves()`]: #crypto_crypto_getcurves
1356 [`crypto.getHashes()`]: #crypto_crypto_gethashes
1357 [`crypto.pbkdf2()`]: #crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
1358 [`decipher.final()`]: #crypto_decipher_final_output_encoding
1359 [`decipher.update()`]: #crypto_decipher_update_data_input_encoding_output_encoding
1360 [`diffieHellman.setPublicKey()`]: #crypto_diffiehellman_setpublickey_public_key_encoding
1361 [`ecdh.generateKeys()`]: #crypto_ecdh_generatekeys_encoding_format
1362 [`ecdh.setPrivateKey()`]: #crypto_ecdh_setprivatekey_private_key_encoding
1363 [`ecdh.setPublicKey()`]: #crypto_ecdh_setpublickey_public_key_encoding
1364 [`EVP_BytesToKey`]: https://www.openssl.org/docs/crypto/EVP_BytesToKey.html
1365 [`hash.digest()`]: #crypto_hash_digest_encoding
1366 [`hash.update()`]: #crypto_hash_update_data_input_encoding
1367 [`hmac.digest()`]: #crypto_hmac_digest_encoding
1368 [`hmac.update()`]: #crypto_hmac_update_data
1369 [`sign.sign()`]: #crypto_sign_sign_private_key_output_format
1370 [`sign.update()`]: #crypto_sign_update_data
1371 [`tls.createSecureContext()`]: tls.html#tls_tls_createsecurecontext_details
1372 [`verify.update()`]: #crypto_verifier_update_data
1373 [`verify.verify()`]: #crypto_verifier_verify_object_signature_signature_format
1374 [Caveats]: #crypto_support_for_weak_or_compromised_algorithms
1375 [HTML5's `keygen` element]: http://www.w3.org/TR/html5/forms.html#the-keygen-element
1376 [initialization vector]: https://en.wikipedia.org/wiki/Initialization_vector
1377 [NIST SP 800-131A]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
1378 [NIST SP 800-132]: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
1379 [OpenSSL cipher list format]: https://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT
1380 [OpenSSL's SPKAC implementation]: https://www.openssl.org/docs/apps/spkac.html
1381 [publicly trusted list of CAs]: https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
1382 [RFC 2412]: https://www.rfc-editor.org/rfc/rfc2412.txt
1383 [RFC 3526]: https://www.rfc-editor.org/rfc/rfc3526.txt
1384 [stream]: stream.html
1385 [stream-writable-write]: stream.html#stream_writable_write_chunk_encoding_callback