|
|
|
# Crypto
|
|
|
|
|
|
|
|
Stability: 2 - Stable
|
|
|
|
|
|
|
|
The `crypto` module provides cryptographic functionality that includes a set of
|
|
|
|
wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign and verify functions.
|
|
|
|
|
|
|
|
Use `require('crypto')` to access this module.
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
|
|
|
|
const secret = 'abcdefg';
|
|
|
|
const hash = crypto.createHmac('sha256', secret)
|
|
|
|
.update('I love cupcakes')
|
|
|
|
.digest('hex');
|
|
|
|
console.log(hash);
|
|
|
|
// Prints:
|
|
|
|
// c0fa1bc00531bd78ef38c628449c5102aeabd49b5dc3a2a516ea6ea959d6658e
|
|
|
|
```
|
|
|
|
|
|
|
|
## Determining if crypto support is unavailable
|
|
|
|
|
|
|
|
It is possible for Node.js to be built without including support for the
|
|
|
|
`crypto` module. In such cases, calling `require('crypto')` will result in an
|
|
|
|
error being thrown.
|
|
|
|
|
|
|
|
```js
|
|
|
|
var crypto;
|
|
|
|
try {
|
|
|
|
crypto = require('crypto');
|
|
|
|
} catch (err) {
|
|
|
|
console.log('crypto support is disabled!');
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Class: Certificate
|
|
|
|
|
|
|
|
SPKAC is a Certificate Signing Request mechanism originally implemented by
|
|
|
|
Netscape and now specified formally as part of [HTML5's `keygen` element][].
|
|
|
|
|
|
|
|
The `crypto` module provides the `Certificate` class for working with SPKAC
|
|
|
|
data. The most common usage is handling output generated by the HTML5
|
|
|
|
`<keygen>` element. Node.js uses [OpenSSL's SPKAC implementation][] internally.
|
|
|
|
|
|
|
|
### new crypto.Certificate()
|
|
|
|
|
|
|
|
Instances of the `Certificate` class can be created using the `new` keyword
|
|
|
|
or by calling `crypto.Certificate()` as a function:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
|
|
|
|
const cert1 = new crypto.Certificate();
|
|
|
|
const cert2 = crypto.Certificate();
|
|
|
|
```
|
|
|
|
|
|
|
|
### certificate.exportChallenge(spkac)
|
|
|
|
|
|
|
|
The `spkac` data structure includes a public key and a challenge. The
|
|
|
|
`certificate.exportChallenge()` returns the challenge component in the
|
|
|
|
form of a Node.js [`Buffer`][]. The `spkac` argument can be either a string
|
|
|
|
or a [`Buffer`][].
|
|
|
|
|
|
|
|
```js
|
|
|
|
const cert = require('crypto').Certificate();
|
|
|
|
const spkac = getSpkacSomehow();
|
|
|
|
const challenge = cert.exportChallenge(spkac);
|
|
|
|
console.log(challenge.toString('utf8'));
|
|
|
|
// Prints the challenge as a UTF8 string
|
|
|
|
```
|
|
|
|
|
|
|
|
### certificate.exportPublicKey(spkac)
|
|
|
|
|
|
|
|
The `spkac` data structure includes a public key and a challenge. The
|
|
|
|
`certificate.exportPublicKey()` returns the public key component in the
|
|
|
|
form of a Node.js [`Buffer`][]. The `spkac` argument can be either a string
|
|
|
|
or a [`Buffer`][].
|
|
|
|
|
|
|
|
```js
|
|
|
|
const cert = require('crypto').Certificate();
|
|
|
|
const spkac = getSpkacSomehow();
|
|
|
|
const publicKey = cert.exportPublicKey(spkac);
|
|
|
|
console.log(publicKey);
|
|
|
|
// Prints the public key as <Buffer ...>
|
|
|
|
```
|
|
|
|
|
|
|
|
### certificate.verifySpkac(spkac)
|
|
|
|
|
|
|
|
Returns `true` if the given `spkac` data structure is valid, `false` otherwise.
|
|
|
|
The `spkac` argument must be a Node.js [`Buffer`][].
|
|
|
|
|
|
|
|
```js
|
|
|
|
const cert = require('crypto').Certificate();
|
|
|
|
const spkac = getSpkacSomehow();
|
|
|
|
console.log(cert.verifySpkac(Buffer.from(spkac)));
|
|
|
|
// Prints true or false
|
|
|
|
```
|
|
|
|
|
|
|
|
## Class: Cipher
|
|
|
|
|
|
|
|
Instances of the `Cipher` class are used to encrypt data. The class can be
|
|
|
|
used in one of two ways:
|
|
|
|
|
|
|
|
- As a [stream][] that is both readable and writable, where plain unencrypted
|
|
|
|
data is written to produce encrypted data on the readable side, or
|
|
|
|
- Using the [`cipher.update()`][] and [`cipher.final()`][] methods to produce
|
|
|
|
the encrypted data.
|
|
|
|
|
|
|
|
The [`crypto.createCipher()`][] or [`crypto.createCipheriv()`][] methods are
|
|
|
|
used to create `Cipher` instances. `Cipher` objects are not to be created
|
|
|
|
directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Cipher` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const cipher = crypto.createCipher('aes192', 'a password');
|
|
|
|
|
|
|
|
var encrypted = '';
|
|
|
|
cipher.on('readable', () => {
|
|
|
|
var data = cipher.read();
|
|
|
|
if (data)
|
|
|
|
encrypted += data.toString('hex');
|
|
|
|
});
|
|
|
|
cipher.on('end', () => {
|
|
|
|
console.log(encrypted);
|
|
|
|
// Prints: ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504
|
|
|
|
});
|
|
|
|
|
|
|
|
cipher.write('some clear text data');
|
|
|
|
cipher.end();
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using `Cipher` and piped streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
const cipher = crypto.createCipher('aes192', 'a password');
|
|
|
|
|
|
|
|
const input = fs.createReadStream('test.js');
|
|
|
|
const output = fs.createWriteStream('test.enc');
|
|
|
|
|
|
|
|
input.pipe(cipher).pipe(output);
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`cipher.update()`][] and [`cipher.final()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const cipher = crypto.createCipher('aes192', 'a password');
|
|
|
|
|
|
|
|
var encrypted = cipher.update('some clear text data', 'utf8', 'hex');
|
|
|
|
encrypted += cipher.final('hex');
|
|
|
|
console.log(encrypted);
|
|
|
|
// Prints: ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504
|
|
|
|
```
|
|
|
|
|
|
|
|
### cipher.final([output_encoding])
|
|
|
|
|
|
|
|
Returns any remaining enciphered contents. If `output_encoding`
|
|
|
|
parameter is one of `'latin1'`, `'base64'` or `'hex'`, a string is returned.
|
|
|
|
If an `output_encoding` is not provided, a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
Once the `cipher.final()` method has been called, the `Cipher` object can no
|
|
|
|
longer be used to encrypt data. Attempts to call `cipher.final()` more than
|
|
|
|
once will result in an error being thrown.
|
|
|
|
|
|
|
|
### cipher.setAAD(buffer)
|
|
|
|
|
|
|
|
When using an authenticated encryption mode (only `GCM` is currently
|
|
|
|
supported), the `cipher.setAAD()` method sets the value used for the
|
|
|
|
_additional authenticated data_ (AAD) input parameter.
|
|
|
|
|
|
|
|
### cipher.getAuthTag()
|
|
|
|
|
|
|
|
When using an authenticated encryption mode (only `GCM` is currently
|
|
|
|
supported), the `cipher.getAuthTag()` method returns a [`Buffer`][] containing
|
|
|
|
the _authentication tag_ that has been computed from the given data.
|
|
|
|
|
|
|
|
The `cipher.getAuthTag()` method should only be called after encryption has
|
|
|
|
been completed using the [`cipher.final()`][] method.
|
|
|
|
|
|
|
|
### cipher.setAutoPadding(auto_padding=true)
|
|
|
|
|
|
|
|
When using block encryption algorithms, the `Cipher` class will automatically
|
|
|
|
add padding to the input data to the appropriate block size. To disable the
|
|
|
|
default padding call `cipher.setAutoPadding(false)`.
|
|
|
|
|
|
|
|
When `auto_padding` is `false`, the length of the entire input data must be a
|
|
|
|
multiple of the cipher's block size or [`cipher.final()`][] will throw an Error.
|
|
|
|
Disabling automatic padding is useful for non-standard padding, for instance
|
|
|
|
using `0x0` instead of PKCS padding.
|
|
|
|
|
|
|
|
The `cipher.setAutoPadding()` method must be called before [`cipher.final()`][].
|
|
|
|
|
|
|
|
### cipher.update(data[, input_encoding][, output_encoding])
|
|
|
|
|
|
|
|
Updates the cipher with `data`. If the `input_encoding` argument is given,
|
|
|
|
it's value must be one of `'utf8'`, `'ascii'`, or `'latin1'` and the `data`
|
|
|
|
argument is a string using the specified encoding. If the `input_encoding`
|
|
|
|
argument is not given, `data` must be a [`Buffer`][]. If `data` is a
|
|
|
|
[`Buffer`][] then `input_encoding` is ignored.
|
|
|
|
|
|
|
|
The `output_encoding` specifies the output format of the enciphered
|
|
|
|
data, and can be `'latin1'`, `'base64'` or `'hex'`. If the `output_encoding`
|
|
|
|
is specified, a string using the specified encoding is returned. If no
|
|
|
|
`output_encoding` is provided, a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
The `cipher.update()` method can be called multiple times with new data until
|
|
|
|
[`cipher.final()`][] is called. Calling `cipher.update()` after
|
|
|
|
[`cipher.final()`][] will result in an error being thrown.
|
|
|
|
|
|
|
|
## Class: Decipher
|
|
|
|
|
|
|
|
Instances of the `Decipher` class are used to decrypt data. The class can be
|
|
|
|
used in one of two ways:
|
|
|
|
|
|
|
|
- As a [stream][] that is both readable and writable, where plain encrypted
|
|
|
|
data is written to produce unencrypted data on the readable side, or
|
|
|
|
- Using the [`decipher.update()`][] and [`decipher.final()`][] methods to
|
|
|
|
produce the unencrypted data.
|
|
|
|
|
|
|
|
The [`crypto.createDecipher()`][] or [`crypto.createDecipheriv()`][] methods are
|
|
|
|
used to create `Decipher` instances. `Decipher` objects are not to be created
|
|
|
|
directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Decipher` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const decipher = crypto.createDecipher('aes192', 'a password');
|
|
|
|
|
|
|
|
var decrypted = '';
|
|
|
|
decipher.on('readable', () => {
|
|
|
|
var data = decipher.read();
|
|
|
|
if (data)
|
|
|
|
decrypted += data.toString('utf8');
|
|
|
|
});
|
|
|
|
decipher.on('end', () => {
|
|
|
|
console.log(decrypted);
|
|
|
|
// Prints: some clear text data
|
|
|
|
});
|
|
|
|
|
|
|
|
var encrypted = 'ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504';
|
|
|
|
decipher.write(encrypted, 'hex');
|
|
|
|
decipher.end();
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using `Decipher` and piped streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
const decipher = crypto.createDecipher('aes192', 'a password');
|
|
|
|
|
|
|
|
const input = fs.createReadStream('test.enc');
|
|
|
|
const output = fs.createWriteStream('test.js');
|
|
|
|
|
|
|
|
input.pipe(decipher).pipe(output);
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`decipher.update()`][] and [`decipher.final()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const decipher = crypto.createDecipher('aes192', 'a password');
|
|
|
|
|
|
|
|
var encrypted = 'ca981be48e90867604588e75d04feabb63cc007a8f8ad89b10616ed84d815504';
|
|
|
|
var decrypted = decipher.update(encrypted, 'hex', 'utf8');
|
|
|
|
decrypted += decipher.final('utf8');
|
|
|
|
console.log(decrypted);
|
|
|
|
// Prints: some clear text data
|
|
|
|
```
|
|
|
|
|
|
|
|
### decipher.final([output_encoding])
|
|
|
|
|
|
|
|
Returns any remaining deciphered contents. If `output_encoding`
|
|
|
|
parameter is one of `'latin1'`, `'base64'` or `'hex'`, a string is returned.
|
|
|
|
If an `output_encoding` is not provided, a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
Once the `decipher.final()` method has been called, the `Decipher` object can
|
|
|
|
no longer be used to decrypt data. Attempts to call `decipher.final()` more
|
|
|
|
than once will result in an error being thrown.
|
|
|
|
|
|
|
|
### decipher.setAAD(buffer)
|
|
|
|
|
|
|
|
When using an authenticated encryption mode (only `GCM` is currently
|
|
|
|
supported), the `cipher.setAAD()` method sets the value used for the
|
|
|
|
_additional authenticated data_ (AAD) input parameter.
|
|
|
|
|
|
|
|
### decipher.setAuthTag(buffer)
|
|
|
|
|
|
|
|
When using an authenticated encryption mode (only `GCM` is currently
|
|
|
|
supported), the `decipher.setAuthTag()` method is used to pass in the
|
|
|
|
received _authentication tag_. If no tag is provided, or if the cipher text
|
|
|
|
has been tampered with, [`decipher.final()`][] with throw, indicating that the
|
|
|
|
cipher text should be discarded due to failed authentication.
|
|
|
|
|
|
|
|
### decipher.setAutoPadding(auto_padding=true)
|
|
|
|
|
|
|
|
When data has been encrypted without standard block padding, calling
|
|
|
|
`decipher.setAutoPadding(false)` will disable automatic padding to prevent
|
|
|
|
[`decipher.final()`][] from checking for and removing padding.
|
|
|
|
|
|
|
|
Turning auto padding off will only work if the input data's length is a
|
|
|
|
multiple of the ciphers block size.
|
|
|
|
|
|
|
|
The `decipher.setAutoPadding()` method must be called before
|
|
|
|
[`decipher.update()`][].
|
|
|
|
|
|
|
|
### decipher.update(data[, input_encoding][, output_encoding])
|
|
|
|
|
|
|
|
Updates the decipher with `data`. If the `input_encoding` argument is given,
|
|
|
|
it's value must be one of `'latin1'`, `'base64'`, or `'hex'` and the `data`
|
|
|
|
argument is a string using the specified encoding. If the `input_encoding`
|
|
|
|
argument is not given, `data` must be a [`Buffer`][]. If `data` is a
|
|
|
|
[`Buffer`][] then `input_encoding` is ignored.
|
|
|
|
|
|
|
|
The `output_encoding` specifies the output format of the enciphered
|
|
|
|
data, and can be `'latin1'`, `'ascii'` or `'utf8'`. If the `output_encoding`
|
|
|
|
is specified, a string using the specified encoding is returned. If no
|
|
|
|
`output_encoding` is provided, a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
The `decipher.update()` method can be called multiple times with new data until
|
|
|
|
[`decipher.final()`][] is called. Calling `decipher.update()` after
|
|
|
|
[`decipher.final()`][] will result in an error being thrown.
|
|
|
|
|
|
|
|
## Class: DiffieHellman
|
|
|
|
|
|
|
|
The `DiffieHellman` class is a utility for creating Diffie-Hellman key
|
|
|
|
exchanges.
|
|
|
|
|
|
|
|
Instances of the `DiffieHellman` class can be created using the
|
|
|
|
[`crypto.createDiffieHellman()`][] function.
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const assert = require('assert');
|
|
|
|
|
|
|
|
// Generate Alice's keys...
|
|
|
|
const alice = crypto.createDiffieHellman(2048);
|
|
|
|
const alice_key = alice.generateKeys();
|
|
|
|
|
|
|
|
// Generate Bob's keys...
|
|
|
|
const bob = crypto.createDiffieHellman(alice.getPrime(), alice.getGenerator());
|
|
|
|
const bob_key = bob.generateKeys();
|
|
|
|
|
|
|
|
// Exchange and generate the secret...
|
|
|
|
const alice_secret = alice.computeSecret(bob_key);
|
|
|
|
const bob_secret = bob.computeSecret(alice_key);
|
|
|
|
|
|
|
|
// OK
|
|
|
|
assert.equal(alice_secret.toString('hex'), bob_secret.toString('hex'));
|
|
|
|
```
|
|
|
|
|
|
|
|
### diffieHellman.computeSecret(other_public_key[, input_encoding][, output_encoding])
|
|
|
|
|
|
|
|
Computes the shared secret using `other_public_key` as the other
|
|
|
|
party's public key and returns the computed shared secret. The supplied
|
|
|
|
key is interpreted using the specified `input_encoding`, and secret is
|
|
|
|
encoded using specified `output_encoding`. Encodings can be
|
|
|
|
`'latin1'`, `'hex'`, or `'base64'`. If the `input_encoding` is not
|
|
|
|
provided, `other_public_key` is expected to be a [`Buffer`][].
|
|
|
|
|
|
|
|
If `output_encoding` is given a string is returned; otherwise, a
|
|
|
|
[`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.generateKeys([encoding])
|
|
|
|
|
|
|
|
Generates private and public Diffie-Hellman key values, and returns
|
|
|
|
the public key in the specified `encoding`. This key should be
|
|
|
|
transferred to the other party. Encoding can be `'latin1'`, `'hex'`,
|
|
|
|
or `'base64'`. If `encoding` is provided a string is returned; otherwise a
|
|
|
|
[`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.getGenerator([encoding])
|
|
|
|
|
|
|
|
Returns the Diffie-Hellman generator in the specified `encoding`, which can
|
|
|
|
be `'latin1'`, `'hex'`, or `'base64'`. If `encoding` is provided a string is
|
|
|
|
returned; otherwise a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.getPrime([encoding])
|
|
|
|
|
|
|
|
Returns the Diffie-Hellman prime in the specified `encoding`, which can
|
|
|
|
be `'latin1'`, `'hex'`, or `'base64'`. If `encoding` is provided a string is
|
|
|
|
returned; otherwise a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.getPrivateKey([encoding])
|
|
|
|
|
|
|
|
Returns the Diffie-Hellman private key in the specified `encoding`,
|
|
|
|
which can be `'latin1'`, `'hex'`, or `'base64'`. If `encoding` is provided a
|
|
|
|
string is returned; otherwise a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.getPublicKey([encoding])
|
|
|
|
|
|
|
|
Returns the Diffie-Hellman public key in the specified `encoding`, which
|
|
|
|
can be `'latin1'`, `'hex'`, or `'base64'`. If `encoding` is provided a
|
|
|
|
string is returned; otherwise a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### diffieHellman.setPrivateKey(private_key[, encoding])
|
|
|
|
|
|
|
|
Sets the Diffie-Hellman private key. If the `encoding` argument is provided
|
|
|
|
and is either `'latin1'`, `'hex'`, or `'base64'`, `private_key` is expected
|
|
|
|
to be a string. If no `encoding` is provided, `private_key` is expected
|
|
|
|
to be a [`Buffer`][].
|
|
|
|
|
|
|
|
### diffieHellman.setPublicKey(public_key[, encoding])
|
|
|
|
|
|
|
|
Sets the Diffie-Hellman public key. If the `encoding` argument is provided
|
|
|
|
and is either `'latin1'`, `'hex'` or `'base64'`, `public_key` is expected
|
|
|
|
to be a string. If no `encoding` is provided, `public_key` is expected
|
|
|
|
to be a [`Buffer`][].
|
|
|
|
|
|
|
|
### diffieHellman.verifyError
|
|
|
|
|
|
|
|
A bit field containing any warnings and/or errors resulting from a check
|
|
|
|
performed during initialization of the `DiffieHellman` object.
|
|
|
|
|
|
|
|
The following values are valid for this property (as defined in `constants`
|
|
|
|
module):
|
|
|
|
|
|
|
|
* `DH_CHECK_P_NOT_SAFE_PRIME`
|
|
|
|
* `DH_CHECK_P_NOT_PRIME`
|
|
|
|
* `DH_UNABLE_TO_CHECK_GENERATOR`
|
|
|
|
* `DH_NOT_SUITABLE_GENERATOR`
|
|
|
|
|
|
|
|
## Class: ECDH
|
|
|
|
|
|
|
|
The `ECDH` class is a utility for creating Elliptic Curve Diffie-Hellman (ECDH)
|
|
|
|
key exchanges.
|
|
|
|
|
|
|
|
Instances of the `ECDH` class can be created using the
|
|
|
|
[`crypto.createECDH()`][] function.
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const assert = require('assert');
|
|
|
|
|
|
|
|
// Generate Alice's keys...
|
|
|
|
const alice = crypto.createECDH('secp521r1');
|
|
|
|
const alice_key = alice.generateKeys();
|
|
|
|
|
|
|
|
// Generate Bob's keys...
|
|
|
|
const bob = crypto.createECDH('secp521r1');
|
|
|
|
const bob_key = bob.generateKeys();
|
|
|
|
|
|
|
|
// Exchange and generate the secret...
|
|
|
|
const alice_secret = alice.computeSecret(bob_key);
|
|
|
|
const bob_secret = bob.computeSecret(alice_key);
|
|
|
|
|
|
|
|
assert(alice_secret, bob_secret);
|
|
|
|
// OK
|
|
|
|
```
|
|
|
|
|
|
|
|
### ecdh.computeSecret(other_public_key[, input_encoding][, output_encoding])
|
|
|
|
|
|
|
|
Computes the shared secret using `other_public_key` as the other
|
|
|
|
party's public key and returns the computed shared secret. The supplied
|
|
|
|
key is interpreted using specified `input_encoding`, and the returned secret
|
|
|
|
is encoded using the specified `output_encoding`. Encodings can be
|
|
|
|
`'latin1'`, `'hex'`, or `'base64'`. If the `input_encoding` is not
|
|
|
|
provided, `other_public_key` is expected to be a [`Buffer`][].
|
|
|
|
|
|
|
|
If `output_encoding` is given a string will be returned; otherwise a
|
|
|
|
[`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### ecdh.generateKeys([encoding[, format]])
|
|
|
|
|
|
|
|
Generates private and public EC Diffie-Hellman key values, and returns
|
|
|
|
the public key in the specified `format` and `encoding`. This key should be
|
|
|
|
transferred to the other party.
|
|
|
|
|
|
|
|
The `format` arguments specifies point encoding and can be `'compressed'`,
|
|
|
|
`'uncompressed'`, or `'hybrid'`. If `format` is not specified, the point will
|
|
|
|
be returned in `'uncompressed'` format.
|
|
|
|
|
|
|
|
The `encoding` argument can be `'latin1'`, `'hex'`, or `'base64'`. If
|
|
|
|
`encoding` is provided a string is returned; otherwise a [`Buffer`][]
|
|
|
|
is returned.
|
|
|
|
|
|
|
|
### ecdh.getPrivateKey([encoding])
|
|
|
|
|
|
|
|
Returns the EC Diffie-Hellman private key in the specified `encoding`,
|
|
|
|
which can be `'latin1'`, `'hex'`, or `'base64'`. If `encoding` is provided
|
|
|
|
a string is returned; otherwise a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
### ecdh.getPublicKey([encoding[, format]])
|
|
|
|
|
|
|
|
Returns the EC Diffie-Hellman public key in the specified `encoding` and
|
|
|
|
`format`.
|
|
|
|
|
|
|
|
The `format` argument specifies point encoding and can be `'compressed'`,
|
|
|
|
`'uncompressed'`, or `'hybrid'`. If `format` is not specified the point will be
|
|
|
|
returned in `'uncompressed'` format.
|
|
|
|
|
|
|
|
The `encoding` argument can be `'latin1'`, `'hex'`, or `'base64'`. If
|
|
|
|
`encoding` is specified, a string is returned; otherwise a [`Buffer`][] is
|
|
|
|
returned.
|
|
|
|
|
|
|
|
### ecdh.setPrivateKey(private_key[, encoding])
|
|
|
|
|
|
|
|
Sets the EC Diffie-Hellman private key. The `encoding` can be `'latin1'`,
|
|
|
|
`'hex'` or `'base64'`. If `encoding` is provided, `private_key` is expected
|
|
|
|
to be a string; otherwise `private_key` is expected to be a [`Buffer`][]. If
|
|
|
|
`private_key` is not valid for the curve specified when the `ECDH` object was
|
|
|
|
created, an error is thrown. Upon setting the private key, the associated
|
|
|
|
public point (key) is also generated and set in the ECDH object.
|
|
|
|
|
|
|
|
### ecdh.setPublicKey(public_key[, encoding])
|
|
|
|
|
|
|
|
Stability: 0 - Deprecated
|
|
|
|
|
|
|
|
Sets the EC Diffie-Hellman public key. Key encoding can be `'latin1'`,
|
|
|
|
`'hex'` or `'base64'`. If `encoding` is provided `public_key` is expected to
|
|
|
|
be a string; otherwise a [`Buffer`][] is expected.
|
|
|
|
|
|
|
|
Note that there is not normally a reason to call this method because `ECDH`
|
|
|
|
only requires a private key and the other party's public key to compute the
|
|
|
|
shared secret. Typically either [`ecdh.generateKeys()`][] or
|
|
|
|
[`ecdh.setPrivateKey()`][] will be called. The [`ecdh.setPrivateKey()`][] method
|
|
|
|
attempts to generate the public point/key associated with the private key being
|
|
|
|
set.
|
|
|
|
|
|
|
|
Example (obtaining a shared secret):
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const alice = crypto.createECDH('secp256k1');
|
|
|
|
const bob = crypto.createECDH('secp256k1');
|
|
|
|
|
|
|
|
// Note: This is a shortcut way to specify one of Alice's previous private
|
|
|
|
// keys. It would be unwise to use such a predictable private key in a real
|
|
|
|
// application.
|
|
|
|
alice.setPrivateKey(
|
|
|
|
crypto.createHash('sha256').update('alice', 'utf8').digest()
|
|
|
|
);
|
|
|
|
|
|
|
|
// Bob uses a newly generated cryptographically strong
|
|
|
|
// pseudorandom key pair bob.generateKeys();
|
|
|
|
|
|
|
|
const alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
|
|
|
|
const bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
|
|
|
|
|
|
|
|
// alice_secret and bob_secret should be the same shared secret value
|
|
|
|
console.log(alice_secret === bob_secret);
|
|
|
|
```
|
|
|
|
|
|
|
|
## Class: Hash
|
|
|
|
|
|
|
|
The `Hash` class is a utility for creating hash digests of data. It can be
|
|
|
|
used in one of two ways:
|
|
|
|
|
|
|
|
- As a [stream][] that is both readable and writable, where data is written
|
|
|
|
to produce a computed hash digest on the readable side, or
|
|
|
|
- Using the [`hash.update()`][] and [`hash.digest()`][] methods to produce the
|
|
|
|
computed hash.
|
|
|
|
|
|
|
|
The [`crypto.createHash()`][] method is used to create `Hash` instances. `Hash`
|
|
|
|
objects are not to be created directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Hash` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const hash = crypto.createHash('sha256');
|
|
|
|
|
|
|
|
hash.on('readable', () => {
|
|
|
|
var data = hash.read();
|
|
|
|
if (data)
|
|
|
|
console.log(data.toString('hex'));
|
|
|
|
// Prints:
|
|
|
|
// 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
|
|
|
|
});
|
|
|
|
|
|
|
|
hash.write('some data to hash');
|
|
|
|
hash.end();
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using `Hash` and piped streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
const hash = crypto.createHash('sha256');
|
|
|
|
|
|
|
|
const input = fs.createReadStream('test.js');
|
|
|
|
input.pipe(hash).pipe(process.stdout);
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`hash.update()`][] and [`hash.digest()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const hash = crypto.createHash('sha256');
|
|
|
|
|
|
|
|
hash.update('some data to hash');
|
|
|
|
console.log(hash.digest('hex'));
|
|
|
|
// Prints:
|
|
|
|
// 6a2da20943931e9834fc12cfe5bb47bbd9ae43489a30726962b576f4e3993e50
|
|
|
|
```
|
|
|
|
|
|
|
|
### hash.digest([encoding])
|
|
|
|
|
|
|
|
Calculates the digest of all of the data passed to be hashed (using the
|
|
|
|
[`hash.update()`][] method). The `encoding` can be `'hex'`, `'latin1'` or
|
|
|
|
`'base64'`. If `encoding` is provided a string will be returned; otherwise
|
|
|
|
a [`Buffer`][] is returned.
|
|
|
|
|
|
|
|
The `Hash` object can not be used again after `hash.digest()` method has been
|
|
|
|
called. Multiple calls will cause an error to be thrown.
|
|
|
|
|
|
|
|
### hash.update(data[, input_encoding])
|
|
|
|
|
|
|
|
Updates the hash content with the given `data`, the encoding of which
|
|
|
|
is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
|
|
|
|
`'latin1'`. If `encoding` is not provided, and the `data` is a string, an
|
|
|
|
encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
|
|
|
|
`input_encoding` is ignored.
|
|
|
|
|
|
|
|
This can be called many times with new data as it is streamed.
|
|
|
|
|
|
|
|
## Class: Hmac
|
|
|
|
|
|
|
|
The `Hmac` Class is a utility for creating cryptographic HMAC digests. It can
|
|
|
|
be used in one of two ways:
|
|
|
|
|
|
|
|
- As a [stream][] that is both readable and writable, where data is written
|
|
|
|
to produce a computed HMAC digest on the readable side, or
|
|
|
|
- Using the [`hmac.update()`][] and [`hmac.digest()`][] methods to produce the
|
|
|
|
computed HMAC digest.
|
|
|
|
|
|
|
|
The [`crypto.createHmac()`][] method is used to create `Hmac` instances. `Hmac`
|
|
|
|
objects are not to be created directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Hmac` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const hmac = crypto.createHmac('sha256', 'a secret');
|
|
|
|
|
|
|
|
hmac.on('readable', () => {
|
|
|
|
var data = hmac.read();
|
|
|
|
if (data)
|
|
|
|
console.log(data.toString('hex'));
|
|
|
|
// Prints:
|
|
|
|
// 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
|
|
|
|
});
|
|
|
|
|
|
|
|
hmac.write('some data to hash');
|
|
|
|
hmac.end();
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using `Hmac` and piped streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
const hmac = crypto.createHmac('sha256', 'a secret');
|
|
|
|
|
|
|
|
const input = fs.createReadStream('test.js');
|
|
|
|
input.pipe(hmac).pipe(process.stdout);
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`hmac.update()`][] and [`hmac.digest()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const hmac = crypto.createHmac('sha256', 'a secret');
|
|
|
|
|
|
|
|
hmac.update('some data to hash');
|
|
|
|
console.log(hmac.digest('hex'));
|
|
|
|
// Prints:
|
|
|
|
// 7fd04df92f636fd450bc841c9418e5825c17f33ad9c87c518115a45971f7f77e
|
|
|
|
```
|
|
|
|
|
|
|
|
### hmac.digest([encoding])
|
|
|
|
|
|
|
|
Calculates the HMAC digest of all of the data passed using [`hmac.update()`][].
|
|
|
|
The `encoding` can be `'hex'`, `'latin1'` or `'base64'`. If `encoding` is
|
|
|
|
provided a string is returned; otherwise a [`Buffer`][] is returned;
|
|
|
|
|
|
|
|
The `Hmac` object can not be used again after `hmac.digest()` has been
|
|
|
|
called. Multiple calls to `hmac.digest()` will result in an error being thrown.
|
|
|
|
|
|
|
|
### hmac.update(data[, input_encoding])
|
|
|
|
|
|
|
|
Updates the `Hmac` content with the given `data`, the encoding of which
|
|
|
|
is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
|
|
|
|
`'latin1'`. If `encoding` is not provided, and the `data` is a string, an
|
|
|
|
encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
|
|
|
|
`input_encoding` is ignored.
|
|
|
|
|
|
|
|
This can be called many times with new data as it is streamed.
|
|
|
|
|
|
|
|
## Class: Sign
|
|
|
|
|
|
|
|
The `Sign` Class is a utility for generating signatures. It can be used in one
|
|
|
|
of two ways:
|
|
|
|
|
|
|
|
- As a writable [stream][], where data to be signed is written and the
|
|
|
|
[`sign.sign()`][] method is used to generate and return the signature, or
|
|
|
|
- Using the [`sign.update()`][] and [`sign.sign()`][] methods to produce the
|
|
|
|
signature.
|
|
|
|
|
|
|
|
The [`crypto.createSign()`][] method is used to create `Sign` instances. `Sign`
|
|
|
|
objects are not to be created directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Sign` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const sign = crypto.createSign('RSA-SHA256');
|
|
|
|
|
|
|
|
sign.write('some data to sign');
|
|
|
|
sign.end();
|
|
|
|
|
|
|
|
const private_key = getPrivateKeySomehow();
|
|
|
|
console.log(sign.sign(private_key, 'hex'));
|
|
|
|
// Prints the calculated signature
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`sign.update()`][] and [`sign.sign()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const sign = crypto.createSign('RSA-SHA256');
|
|
|
|
|
|
|
|
sign.update('some data to sign');
|
|
|
|
|
|
|
|
const private_key = getPrivateKeySomehow();
|
|
|
|
console.log(sign.sign(private_key, 'hex'));
|
|
|
|
// Prints the calculated signature
|
|
|
|
```
|
|
|
|
|
|
|
|
A `Sign` instance can also be created by just passing in the digest
|
|
|
|
algorithm name, in which case OpenSSL will infer the full signature algorithm
|
|
|
|
from the type of the PEM-formatted private key, including algorithms that
|
|
|
|
do not have directly exposed name constants, e.g. 'ecdsa-with-SHA256'.
|
|
|
|
|
|
|
|
Example: signing using ECDSA with SHA256
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const sign = crypto.createSign('sha256');
|
|
|
|
|
|
|
|
sign.update('some data to sign');
|
|
|
|
|
|
|
|
const private_key = '-----BEGIN EC PRIVATE KEY-----\n' +
|
|
|
|
'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49\n' +
|
|
|
|
'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2\n' +
|
|
|
|
'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==\n' +
|
|
|
|
'-----END EC PRIVATE KEY-----\n';
|
|
|
|
|
|
|
|
console.log(sign.sign(private_key).toString('hex'));
|
|
|
|
```
|
|
|
|
|
|
|
|
### sign.sign(private_key[, output_format])
|
|
|
|
|
|
|
|
Calculates the signature on all the data passed through using either
|
|
|
|
[`sign.update()`][] or [`sign.write()`][stream-writable-write].
|
|
|
|
|
|
|
|
The `private_key` argument can be an object or a string. If `private_key` is a
|
|
|
|
string, it is treated as a raw key with no passphrase. If `private_key` is an
|
|
|
|
object, it is interpreted as a hash containing two properties:
|
|
|
|
|
|
|
|
* `key` : {String} - PEM encoded private key
|
|
|
|
* `passphrase` : {String} - passphrase for the private key
|
|
|
|
|
|
|
|
The `output_format` can specify one of `'latin1'`, `'hex'` or `'base64'`. If
|
|
|
|
`output_format` is provided a string is returned; otherwise a [`Buffer`][] is
|
|
|
|
returned.
|
|
|
|
|
|
|
|
The `Sign` object can not be again used after `sign.sign()` method has been
|
|
|
|
called. Multiple calls to `sign.sign()` will result in an error being thrown.
|
|
|
|
|
|
|
|
### sign.update(data[, input_encoding])
|
|
|
|
|
|
|
|
Updates the `Sign` content with the given `data`, the encoding of which
|
|
|
|
is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
|
|
|
|
`'latin1'`. If `encoding` is not provided, and the `data` is a string, an
|
|
|
|
encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
|
|
|
|
`input_encoding` is ignored.
|
|
|
|
|
|
|
|
This can be called many times with new data as it is streamed.
|
|
|
|
|
|
|
|
## Class: Verify
|
|
|
|
|
|
|
|
The `Verify` class is a utility for verifying signatures. It can be used in one
|
|
|
|
of two ways:
|
|
|
|
|
|
|
|
- As a writable [stream][] where written data is used to validate against the
|
|
|
|
supplied signature, or
|
|
|
|
- Using the [`verify.update()`][] and [`verify.verify()`][] methods to verify
|
|
|
|
the signature.
|
|
|
|
|
|
|
|
The [`crypto.createSign()`][] method is used to create `Sign` instances.
|
|
|
|
`Sign` objects are not to be created directly using the `new` keyword.
|
|
|
|
|
|
|
|
Example: Using `Verify` objects as streams:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const verify = crypto.createVerify('RSA-SHA256');
|
|
|
|
|
|
|
|
verify.write('some data to sign');
|
|
|
|
verify.end();
|
|
|
|
|
|
|
|
const public_key = getPublicKeySomehow();
|
|
|
|
const signature = getSignatureToVerify();
|
|
|
|
console.log(verify.verify(public_key, signature));
|
|
|
|
// Prints true or false
|
|
|
|
```
|
|
|
|
|
|
|
|
Example: Using the [`verify.update()`][] and [`verify.verify()`][] methods:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const verify = crypto.createVerify('RSA-SHA256');
|
|
|
|
|
|
|
|
verify.update('some data to sign');
|
|
|
|
|
|
|
|
const public_key = getPublicKeySomehow();
|
|
|
|
const signature = getSignatureToVerify();
|
|
|
|
console.log(verify.verify(public_key, signature));
|
|
|
|
// Prints true or false
|
|
|
|
```
|
|
|
|
|
|
|
|
### verifier.update(data[, input_encoding])
|
|
|
|
|
|
|
|
Updates the `Verify` content with the given `data`, the encoding of which
|
|
|
|
is given in `input_encoding` and can be `'utf8'`, `'ascii'` or
|
|
|
|
`'latin1'`. If `encoding` is not provided, and the `data` is a string, an
|
|
|
|
encoding of `'utf8'` is enforced. If `data` is a [`Buffer`][] then
|
|
|
|
`input_encoding` is ignored.
|
|
|
|
|
|
|
|
This can be called many times with new data as it is streamed.
|
|
|
|
|
|
|
|
### verifier.verify(object, signature[, signature_format])
|
|
|
|
|
|
|
|
Verifies the provided data using the given `object` and `signature`.
|
|
|
|
The `object` argument is a string containing a PEM encoded object, which can be
|
|
|
|
one an RSA public key, a DSA public key, or an X.509 certificate.
|
|
|
|
The `signature` argument is the previously calculated signature for the data, in
|
|
|
|
the `signature_format` which can be `'latin1'`, `'hex'` or `'base64'`.
|
|
|
|
If a `signature_format` is specified, the `signature` is expected to be a
|
|
|
|
string; otherwise `signature` is expected to be a [`Buffer`][].
|
|
|
|
|
|
|
|
Returns `true` or `false` depending on the validity of the signature for
|
|
|
|
the data and public key.
|
|
|
|
|
|
|
|
The `verifier` object can not be used again after `verify.verify()` has been
|
|
|
|
called. Multiple calls to `verify.verify()` will result in an error being
|
|
|
|
thrown.
|
|
|
|
|
|
|
|
## `crypto` module methods and properties
|
|
|
|
|
|
|
|
## crypto.constants
|
|
|
|
|
|
|
|
Returns an object containing commonly used constants for crypto and security
|
|
|
|
related operations. The specific constants currently defined are described in
|
|
|
|
[Crypto Constants][].
|
|
|
|
|
|
|
|
### crypto.DEFAULT_ENCODING
|
|
|
|
|
|
|
|
The default encoding to use for functions that can take either strings
|
|
|
|
or [buffers][`Buffer`]. The default value is `'buffer'`, which makes methods
|
|
|
|
default to [`Buffer`][] objects.
|
|
|
|
|
|
|
|
The `crypto.DEFAULT_ENCODING` mechanism is provided for backwards compatibility
|
|
|
|
with legacy programs that expect `'latin1'` to be the default encoding.
|
|
|
|
|
|
|
|
New applications should expect the default to be `'buffer'`. This property may
|
|
|
|
become deprecated in a future Node.js release.
|
|
|
|
|
|
|
|
### crypto.fips
|
|
|
|
|
|
|
|
Property for checking and controlling whether a FIPS compliant crypto provider is
|
|
|
|
currently in use. Setting to true requires a FIPS build of Node.js.
|
|
|
|
|
|
|
|
### crypto.createCipher(algorithm, password)
|
|
|
|
|
|
|
|
Creates and returns a `Cipher` object that uses the given `algorithm` and
|
|
|
|
`password`.
|
|
|
|
|
|
|
|
The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
|
|
|
|
recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
|
|
|
|
available cipher algorithms.
|
|
|
|
|
|
|
|
The `password` is used to derive the cipher key and initialization vector (IV).
|
|
|
|
The value must be either a `'latin1'` encoded string or a [`Buffer`][].
|
|
|
|
|
|
|
|
The implementation of `crypto.createCipher()` derives keys using the OpenSSL
|
|
|
|
function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
|
|
|
|
iteration, and no salt. The lack of salt allows dictionary attacks as the same
|
|
|
|
password always creates the same key. The low iteration count and
|
|
|
|
non-cryptographically secure hash algorithm allow passwords to be tested very
|
|
|
|
rapidly.
|
|
|
|
|
|
|
|
In line with OpenSSL's recommendation to use pbkdf2 instead of
|
|
|
|
[`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
|
|
|
|
their own using [`crypto.pbkdf2()`][] and to use [`crypto.createCipheriv()`][]
|
|
|
|
to create the `Cipher` object.
|
|
|
|
|
|
|
|
### crypto.createCipheriv(algorithm, key, iv)
|
|
|
|
|
|
|
|
Creates and returns a `Cipher` object, with the given `algorithm`, `key` and
|
|
|
|
initialization vector (`iv`).
|
|
|
|
|
|
|
|
The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
|
|
|
|
recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
|
|
|
|
available cipher algorithms.
|
|
|
|
|
|
|
|
The `key` is the raw key used by the `algorithm` and `iv` is an
|
|
|
|
[initialization vector][]. Both arguments must be `'latin1'` encoded strings or
|
|
|
|
[buffers][`Buffer`].
|
|
|
|
|
|
|
|
### crypto.createCredentials(details)
|
|
|
|
|
|
|
|
Stability: 0 - Deprecated: Use [`tls.createSecureContext()`][] instead.
|
|
|
|
|
|
|
|
The `crypto.createCredentials()` method is a deprecated alias for creating
|
|
|
|
and returning a `tls.SecureContext` object. The `crypto.createCredentials()`
|
|
|
|
method should not be used.
|
|
|
|
|
|
|
|
The optional `details` argument is a hash object with keys:
|
|
|
|
|
|
|
|
* `pfx` : {String|Buffer} - PFX or PKCS12 encoded private
|
|
|
|
key, certificate and CA certificates
|
|
|
|
* `key` : {String} - PEM encoded private key
|
|
|
|
* `passphrase` : {String} - passphrase for the private key or PFX
|
|
|
|
* `cert` : {String} - PEM encoded certificate
|
|
|
|
* `ca` : {String|Array} - Either a string or array of strings of PEM encoded CA
|
|
|
|
certificates to trust.
|
|
|
|
* `crl` : {String|Array} - Either a string or array of strings of PEM encoded CRLs
|
|
|
|
(Certificate Revocation List)
|
|
|
|
* `ciphers`: {String} using the [OpenSSL cipher list format][] describing the
|
|
|
|
cipher algorithms to use or exclude.
|
|
|
|
|
|
|
|
If no 'ca' details are given, Node.js will use Mozilla's default
|
|
|
|
[publicly trusted list of CAs][].
|
|
|
|
|
|
|
|
### crypto.createDecipher(algorithm, password)
|
|
|
|
|
|
|
|
Creates and returns a `Decipher` object that uses the given `algorithm` and
|
|
|
|
`password` (key).
|
|
|
|
|
|
|
|
The implementation of `crypto.createDecipher()` derives keys using the OpenSSL
|
|
|
|
function [`EVP_BytesToKey`][] with the digest algorithm set to MD5, one
|
|
|
|
iteration, and no salt. The lack of salt allows dictionary attacks as the same
|
|
|
|
password always creates the same key. The low iteration count and
|
|
|
|
non-cryptographically secure hash algorithm allow passwords to be tested very
|
|
|
|
rapidly.
|
|
|
|
|
|
|
|
In line with OpenSSL's recommendation to use pbkdf2 instead of
|
|
|
|
[`EVP_BytesToKey`][] it is recommended that developers derive a key and IV on
|
|
|
|
their own using [`crypto.pbkdf2()`][] and to use [`crypto.createDecipheriv()`][]
|
|
|
|
to create the `Decipher` object.
|
|
|
|
|
|
|
|
### crypto.createDecipheriv(algorithm, key, iv)
|
|
|
|
|
|
|
|
Creates and returns a `Decipher` object that uses the given `algorithm`, `key`
|
|
|
|
and initialization vector (`iv`).
|
|
|
|
|
|
|
|
The `algorithm` is dependent on OpenSSL, examples are `'aes192'`, etc. On
|
|
|
|
recent OpenSSL releases, `openssl list-cipher-algorithms` will display the
|
|
|
|
available cipher algorithms.
|
|
|
|
|
|
|
|
The `key` is the raw key used by the `algorithm` and `iv` is an
|
|
|
|
[initialization vector][]. Both arguments must be `'latin1'` encoded strings or
|
|
|
|
[buffers][`Buffer`].
|
|
|
|
|
|
|
|
### crypto.createDiffieHellman(prime[, prime_encoding][, generator][, generator_encoding])
|
|
|
|
|
|
|
|
Creates a `DiffieHellman` key exchange object using the supplied `prime` and an
|
|
|
|
optional specific `generator`.
|
|
|
|
|
|
|
|
The `generator` argument can be a number, string, or [`Buffer`][]. If
|
|
|
|
`generator` is not specified, the value `2` is used.
|
|
|
|
|
|
|
|
The `prime_encoding` and `generator_encoding` arguments can be `'latin1'`,
|
|
|
|
`'hex'`, or `'base64'`.
|
|
|
|
|
|
|
|
If `prime_encoding` is specified, `prime` is expected to be a string; otherwise
|
|
|
|
a [`Buffer`][] is expected.
|
|
|
|
|
|
|
|
If `generator_encoding` is specified, `generator` is expected to be a string;
|
|
|
|
otherwise either a number or [`Buffer`][] is expected.
|
|
|
|
|
|
|
|
### crypto.createDiffieHellman(prime_length[, generator])
|
|
|
|
|
|
|
|
Creates a `DiffieHellman` key exchange object and generates a prime of
|
|
|
|
`prime_length` bits using an optional specific numeric `generator`.
|
|
|
|
If `generator` is not specified, the value `2` is used.
|
|
|
|
|
|
|
|
### crypto.createECDH(curve_name)
|
|
|
|
|
|
|
|
Creates an Elliptic Curve Diffie-Hellman (`ECDH`) key exchange object using a
|
|
|
|
predefined curve specified by the `curve_name` string. Use
|
|
|
|
[`crypto.getCurves()`][] to obtain a list of available curve names. On recent
|
|
|
|
OpenSSL releases, `openssl ecparam -list_curves` will also display the name
|
|
|
|
and description of each available elliptic curve.
|
|
|
|
|
|
|
|
### crypto.createHash(algorithm)
|
|
|
|
|
|
|
|
Creates and returns a `Hash` object that can be used to generate hash digests
|
|
|
|
using the given `algorithm`.
|
|
|
|
|
|
|
|
The `algorithm` is dependent on the available algorithms supported by the
|
|
|
|
version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
|
|
|
|
On recent releases of OpenSSL, `openssl list-message-digest-algorithms` will
|
|
|
|
display the available digest algorithms.
|
|
|
|
|
|
|
|
Example: generating the sha256 sum of a file
|
|
|
|
|
|
|
|
```js
|
|
|
|
const filename = process.argv[2];
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
|
|
|
|
const hash = crypto.createHash('sha256');
|
|
|
|
|
|
|
|
const input = fs.createReadStream(filename);
|
|
|
|
input.on('readable', () => {
|
|
|
|
var data = input.read();
|
|
|
|
if (data)
|
|
|
|
hash.update(data);
|
|
|
|
else {
|
|
|
|
console.log(`${hash.digest('hex')} ${filename}`);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.createHmac(algorithm, key)
|
|
|
|
|
|
|
|
Creates and returns an `Hmac` object that uses the given `algorithm` and `key`.
|
|
|
|
|
|
|
|
The `algorithm` is dependent on the available algorithms supported by the
|
|
|
|
version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
|
|
|
|
On recent releases of OpenSSL, `openssl list-message-digest-algorithms` will
|
|
|
|
display the available digest algorithms.
|
|
|
|
|
|
|
|
The `key` is the HMAC key used to generate the cryptographic HMAC hash.
|
|
|
|
|
|
|
|
Example: generating the sha256 HMAC of a file
|
|
|
|
|
|
|
|
```js
|
|
|
|
const filename = process.argv[2];
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const fs = require('fs');
|
|
|
|
|
|
|
|
const hmac = crypto.createHmac('sha256', 'a secret');
|
|
|
|
|
|
|
|
const input = fs.createReadStream(filename);
|
|
|
|
input.on('readable', () => {
|
|
|
|
var data = input.read();
|
|
|
|
if (data)
|
|
|
|
hmac.update(data);
|
|
|
|
else {
|
|
|
|
console.log(`${hmac.digest('hex')} ${filename}`);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.createSign(algorithm)
|
|
|
|
|
|
|
|
Creates and returns a `Sign` object that uses the given `algorithm`. On
|
|
|
|
recent OpenSSL releases, `openssl list-public-key-algorithms` will
|
|
|
|
display the available signing algorithms. One example is `'RSA-SHA256'`.
|
|
|
|
|
|
|
|
### crypto.createVerify(algorithm)
|
|
|
|
|
|
|
|
Creates and returns a `Verify` object that uses the given algorithm. On
|
|
|
|
recent OpenSSL releases, `openssl list-public-key-algorithms` will
|
|
|
|
display the available signing algorithms. One example is `'RSA-SHA256'`.
|
|
|
|
|
|
|
|
### crypto.getCiphers()
|
|
|
|
|
|
|
|
Returns an array with the names of the supported cipher algorithms.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const ciphers = crypto.getCiphers();
|
|
|
|
console.log(ciphers); // ['aes-128-cbc', 'aes-128-ccm', ...]
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.getCurves()
|
|
|
|
|
|
|
|
Returns an array with the names of the supported elliptic curves.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const curves = crypto.getCurves();
|
|
|
|
console.log(curves); // ['secp256k1', 'secp384r1', ...]
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.getDiffieHellman(group_name)
|
|
|
|
|
|
|
|
Creates a predefined `DiffieHellman` key exchange object. The
|
|
|
|
supported groups are: `'modp1'`, `'modp2'`, `'modp5'` (defined in
|
|
|
|
[RFC 2412][], but see [Caveats][]) and `'modp14'`, `'modp15'`,
|
|
|
|
`'modp16'`, `'modp17'`, `'modp18'` (defined in [RFC 3526][]). The
|
|
|
|
returned object mimics the interface of objects created by
|
|
|
|
[`crypto.createDiffieHellman()`][], but will not allow changing
|
|
|
|
the keys (with [`diffieHellman.setPublicKey()`][] for example). The
|
|
|
|
advantage of using this method is that the parties do not have to
|
|
|
|
generate nor exchange a group modulus beforehand, saving both processor
|
|
|
|
and communication time.
|
|
|
|
|
|
|
|
Example (obtaining a shared secret):
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const alice = crypto.getDiffieHellman('modp14');
|
|
|
|
const bob = crypto.getDiffieHellman('modp14');
|
|
|
|
|
|
|
|
alice.generateKeys();
|
|
|
|
bob.generateKeys();
|
|
|
|
|
|
|
|
const alice_secret = alice.computeSecret(bob.getPublicKey(), null, 'hex');
|
|
|
|
const bob_secret = bob.computeSecret(alice.getPublicKey(), null, 'hex');
|
|
|
|
|
|
|
|
/* alice_secret and bob_secret should be the same */
|
|
|
|
console.log(alice_secret == bob_secret);
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.getHashes()
|
|
|
|
|
|
|
|
Returns an array with the names of the supported hash algorithms.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const hashes = crypto.getHashes();
|
|
|
|
console.log(hashes); // ['sha', 'sha1', 'sha1WithRSAEncryption', ...]
|
|
|
|
```
|
|
|
|
|
|
|
|
### crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)
|
|
|
|
|
|
|
|
Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
|
|
|
|
implementation. A selected HMAC digest algorithm specified by `digest` is
|
|
|
|
applied to derive a key of the requested byte length (`keylen`) from the
|
|
|
|
`password`, `salt` and `iterations`.
|
|
|
|
|
|
|
|
The supplied `callback` function is called with two arguments: `err` and
|
|
|
|
`derivedKey`. If an error occurs, `err` will be set; otherwise `err` will be
|
|
|
|
null. The successfully generated `derivedKey` will be passed as a [`Buffer`][].
|
|
|
|
|
|
|
|
The `iterations` argument must be a number set as high as possible. The
|
|
|
|
higher the number of iterations, the more secure the derived key will be,
|
|
|
|
but will take a longer amount of time to complete.
|
|
|
|
|
|
|
|
The `salt` should also be as unique as possible. It is recommended that the
|
|
|
|
salts are random and their lengths are greater than 16 bytes. See
|
|
|
|
[NIST SP 800-132][] for details.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
crypto.pbkdf2('secret', 'salt', 100000, 512, 'sha512', (err, key) => {
|
|
|
|
if (err) throw err;
|
|
|
|
console.log(key.toString('hex')); // 'c5e478d...1469e50'
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
|
|
|
An array of supported digest functions can be retrieved using
|
|
|
|
[`crypto.getHashes()`][].
|
|
|
|
|
|
|
|
### crypto.pbkdf2Sync(password, salt, iterations, keylen, digest)
|
|
|
|
|
|
|
|
Provides a synchronous Password-Based Key Derivation Function 2 (PBKDF2)
|
|
|
|
implementation. A selected HMAC digest algorithm specified by `digest` is
|
|
|
|
applied to derive a key of the requested byte length (`keylen`) from the
|
|
|
|
`password`, `salt` and `iterations`.
|
|
|
|
|
|
|
|
If an error occurs an Error will be thrown, otherwise the derived key will be
|
|
|
|
returned as a [`Buffer`][].
|
|
|
|
|
|
|
|
The `iterations` argument must be a number set as high as possible. The
|
|
|
|
higher the number of iterations, the more secure the derived key will be,
|
|
|
|
but will take a longer amount of time to complete.
|
|
|
|
|
|
|
|
The `salt` should also be as unique as possible. It is recommended that the
|
|
|
|
salts are random and their lengths are greater than 16 bytes. See
|
|
|
|
[NIST SP 800-132][] for details.
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
```js
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const key = crypto.pbkdf2Sync('secret', 'salt', 100000, 512, 'sha512');
|
|
|
|
console.log(key.toString('hex')); // 'c5e478d...1469e50'
|
|
|
|
```
|
|
|
|
|
|
|
|
An array of supported digest functions can be retrieved using
|
|
|
|
[`crypto.getHashes()`][].
|
|
|
|
|
|
|
|
### crypto.privateDecrypt(private_key, buffer)
|
|
|
|
|
|
|
|
Decrypts `buffer` with `private_key`.
|
|
|
|
|
|
|
|
`private_key` can be an object or a string. If `private_key` is a string, it is
|
|
|
|
treated as the key with no passphrase and will use `RSA_PKCS1_OAEP_PADDING`.
|
|
|
|
If `private_key` is an object, it is interpreted as a hash object with the
|
|
|
|
keys:
|
|
|
|
|
|
|
|
* `key` : {String} - PEM encoded private key
|
|
|
|
* `passphrase` : {String} - Optional passphrase for the private key
|
|
|
|
* `padding` : An optional padding value, one of the following:
|
|
|
|
* `crypto.constants.RSA_NO_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_OAEP_PADDING`
|
|
|
|
|
|
|
|
All paddings are defined in `crypto.constants`.
|
|
|
|
|
|
|
|
### crypto.privateEncrypt(private_key, buffer)
|
|
|
|
|
|
|
|
Encrypts `buffer` with `private_key`.
|
|
|
|
|
|
|
|
`private_key` can be an object or a string. If `private_key` is a string, it is
|
|
|
|
treated as the key with no passphrase and will use `RSA_PKCS1_PADDING`.
|
|
|
|
If `private_key` is an object, it is interpreted as a hash object with the
|
|
|
|
keys:
|
|
|
|
|
|
|
|
* `key` : {String} - PEM encoded private key
|
|
|
|
* `passphrase` : {String} - Optional passphrase for the private key
|
|
|
|
* `padding` : An optional padding value, one of the following:
|
|
|
|
* `crypto.constants.RSA_NO_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_OAEP_PADDING`
|
|
|
|
|
|
|
|
All paddings are defined in `crypto.constants`.
|
|
|
|
|
|
|
|
### crypto.publicDecrypt(public_key, buffer)
|
|
|
|
|
|
|
|
Decrypts `buffer` with `public_key`.
|
|
|
|
|
|
|
|
`public_key` can be an object or a string. If `public_key` is a string, it is
|
|
|
|
treated as the key with no passphrase and will use `RSA_PKCS1_PADDING`.
|
|
|
|
If `public_key` is an object, it is interpreted as a hash object with the
|
|
|
|
keys:
|
|
|
|
|
|
|
|
* `key` : {String} - PEM encoded public key
|
|
|
|
* `passphrase` : {String} - Optional passphrase for the private key
|
|
|
|
* `padding` : An optional padding value, one of the following:
|
|
|
|
* `crypto.constants.RSA_NO_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_OAEP_PADDING`
|
|
|
|
|
|
|
|
Because RSA public keys can be derived from private keys, a private key may
|
|
|
|
be passed instead of a public key.
|
|
|
|
|
|
|
|
All paddings are defined in `crypto.constants`.
|
|
|
|
|
|
|
|
### crypto.publicEncrypt(public_key, buffer)
|
|
|
|
|
|
|
|
Encrypts `buffer` with `public_key`.
|
|
|
|
|
|
|
|
`public_key` can be an object or a string. If `public_key` is a string, it is
|
|
|
|
treated as the key with no passphrase and will use `RSA_PKCS1_OAEP_PADDING`.
|
|
|
|
If `public_key` is an object, it is interpreted as a hash object with the
|
|
|
|
keys:
|
|
|
|
|
|
|
|
* `key` : {String} - PEM encoded public key
|
|
|
|
* `passphrase` : {String} - Optional passphrase for the private key
|
|
|
|
* `padding` : An optional padding value, one of the following:
|
|
|
|
* `crypto.constants.RSA_NO_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_PADDING`
|
|
|
|
* `crypto.constants.RSA_PKCS1_OAEP_PADDING`
|
|
|
|
|
|
|
|
Because RSA public keys can be derived from private keys, a private key may
|
|
|
|
be passed instead of a public key.
|
|
|
|
|
|
|
|
All paddings are defined in `crypto.constants`.
|
|
|
|
|
|
|
|
### crypto.randomBytes(size[, callback])
|
|
|
|
|
|
|
|
Generates cryptographically strong pseudo-random data. The `size` argument
|
|
|
|
is a number indicating the number of bytes to generate.
|
|
|
|
|
|
|
|
If a `callback` function is provided, the bytes are generated asynchronously
|
|
|
|
and the `callback` function is invoked with two arguments: `err` and `buf`.
|
|
|
|
If an error occurs, `err` will be an Error object; otherwise it is null. The
|
|
|
|
`buf` argument is a [`Buffer`][] containing the generated bytes.
|
|
|
|
|
|
|
|
```js
|
|
|
|
// Asynchronous
|
|
|
|
const crypto = require('crypto');
|
|
|
|
crypto.randomBytes(256, (err, buf) => {
|
|
|
|
if (err) throw err;
|
|
|
|
console.log(`${buf.length} bytes of random data: ${buf.toString('hex')}`);
|
|
|
|
});
|
|
|
|
```
|
|
|
|
|
|
|
|
If the `callback` function is not provided, the random bytes are generated
|
|
|
|
synchronously and returned as a [`Buffer`][]. An error will be thrown if
|
|
|
|
there is a problem generating the bytes.
|
|
|
|
|
|
|
|
```js
|
|
|
|
// Synchronous
|
|
|
|
const buf = crypto.randomBytes(256);
|
|
|
|
console.log(
|
|
|
|
`${buf.length} bytes of random data: ${buf.toString('hex')}`);
|
|
|
|
```
|
|
|
|
|
|
|
|
The `crypto.randomBytes()` method will block until there is sufficient entropy.
|
|
|
|
This should normally never take longer than a few milliseconds. The only time
|
|
|
|
when generating the random bytes may conceivably block for a longer period of
|
|
|
|
time is right after boot, when the whole system is still low on entropy.
|
|
|
|
|
|
|
|
### crypto.setEngine(engine[, flags])
|
|
|
|
|
|
|
|
Load and set the `engine` for some or all OpenSSL functions (selected by flags).
|
|
|
|
|
|
|
|
`engine` could be either an id or a path to the engine's shared library.
|
|
|
|
|
|
|
|
The optional `flags` argument uses `ENGINE_METHOD_ALL` by default. The `flags`
|
|
|
|
is a bit field taking one of or a mix of the following flags (defined in
|
|
|
|
`crypto.constants`):
|
|
|
|
|
|
|
|
* `crypto.constants.ENGINE_METHOD_RSA`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_DSA`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_DH`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_RAND`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_ECDH`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_ECDSA`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_CIPHERS`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_DIGESTS`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_STORE`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_PKEY_METHS`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_PKEY_ASN1_METHS`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_ALL`
|
|
|
|
* `crypto.constants.ENGINE_METHOD_NONE`
|
|
|
|
|
|
|
|
## Notes
|
|
|
|
|
|
|
|
### Legacy Streams API (pre Node.js v0.10)
|
|
|
|
|
|
|
|
The Crypto module was added to Node.js before there was the concept of a
|
|
|
|
unified Stream API, and before there were [`Buffer`][] objects for handling
|
|
|
|
binary data. As such, the many of the `crypto` defined classes have methods not
|
|
|
|
typically found on other Node.js classes that implement the [streams][stream]
|
|
|
|
API (e.g. `update()`, `final()`, or `digest()`). Also, many methods accepted
|
|
|
|
and returned `'latin1'` encoded strings by default rather than Buffers. This
|
|
|
|
default was changed after Node.js v0.8 to use [`Buffer`][] objects by default
|
|
|
|
instead.
|
|
|
|
|
|
|
|
### Recent ECDH Changes
|
|
|
|
|
|
|
|
Usage of `ECDH` with non-dynamically generated key pairs has been simplified.
|
|
|
|
Now, [`ecdh.setPrivateKey()`][] can be called with a preselected private key
|
|
|
|
and the associated public point (key) will be computed and stored in the object.
|
|
|
|
This allows code to only store and provide the private part of the EC key pair.
|
|
|
|
[`ecdh.setPrivateKey()`][] now also validates that the private key is valid for
|
|
|
|
the selected curve.
|
|
|
|
|
|
|
|
The [`ecdh.setPublicKey()`][] method is now deprecated as its inclusion in the
|
|
|
|
API is not useful. Either a previously stored private key should be set, which
|
|
|
|
automatically generates the associated public key, or [`ecdh.generateKeys()`][]
|
|
|
|
should be called. The main drawback of using [`ecdh.setPublicKey()`][] is that
|
|
|
|
it can be used to put the ECDH key pair into an inconsistent state.
|
|
|
|
|
|
|
|
### Support for weak or compromised algorithms
|
|
|
|
|
|
|
|
The `crypto` module still supports some algorithms which are already
|
|
|
|
compromised and are not currently recommended for use. The API also allows
|
|
|
|
the use of ciphers and hashes with a small key size that are considered to be
|
|
|
|
too weak for safe use.
|
|
|
|
|
|
|
|
Users should take full responsibility for selecting the crypto
|
|
|
|
algorithm and key size according to their security requirements.
|
|
|
|
|
|
|
|
Based on the recommendations of [NIST SP 800-131A][]:
|
|
|
|
|
|
|
|
- MD5 and SHA-1 are no longer acceptable where collision resistance is
|
|
|
|
required such as digital signatures.
|
|
|
|
- The key used with RSA, DSA and DH algorithms is recommended to have
|
|
|
|
at least 2048 bits and that of the curve of ECDSA and ECDH at least
|
|
|
|
224 bits, to be safe to use for several years.
|
|
|
|
- The DH groups of `modp1`, `modp2` and `modp5` have a key size
|
|
|
|
smaller than 2048 bits and are not recommended.
|
|
|
|
|
|
|
|
See the reference for other recommendations and details.
|
|
|
|
|
|
|
|
## Crypto Constants
|
|
|
|
|
|
|
|
The following constants exported by `crypto.constants` apply to various uses of
|
|
|
|
the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
|
|
|
|
|
|
|
|
### OpenSSL Options
|
|
|
|
|
|
|
|
<table>
|
|
|
|
<tr>
|
|
|
|
<th>Constant</th>
|
|
|
|
<th>Description</th>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_ALL</code></td>
|
|
|
|
<td>Applies multiple bug workarounds within OpenSSL. See
|
|
|
|
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html for
|
|
|
|
detail.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION</code></td>
|
|
|
|
<td>Allows legacy insecure renegotiation between OpenSSL and unpatched
|
|
|
|
clients or servers. See
|
|
|
|
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_CIPHER_SERVER_PREFERENCE</code></td>
|
|
|
|
<td>Uses the server's preferences instead of the clients when selecting a
|
|
|
|
cipher. See
|
|
|
|
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_CISCO_ANYCONNECT</code></td>
|
|
|
|
<td>Instructs OpenSSL to use Cisco's "speshul" version of DTLS_BAD_VER.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_COOKIE_EXCHANGE</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn on cookie exchange.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_CRYPTOPRO_TLSEXT_BUG</code></td>
|
|
|
|
<td>Instructs OpenSSL to add server-hello extension from an early version
|
|
|
|
of the cryptopro draft.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS</code></td>
|
|
|
|
<td>Instructs OpenSSL to disable a SSL 3.0/TLS 1.0 vulnerability
|
|
|
|
workaround added in OpenSSL 0.9.6d.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_EPHEMERAL_RSA</code></td>
|
|
|
|
<td>Instructs OpenSSL to always use the tmp_rsa key when performing RSA
|
|
|
|
operations.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_LEGACY_SERVER_CONNECT</code></td>
|
|
|
|
<td>Allow initial connection to servers that do not support RI.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_MICROSOFT_SESS_ID_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_MSIE_SSLV2_RSA_PADDING</code></td>
|
|
|
|
<td>Instructs OpenSSL to disable the workaround for a man-in-the-middle
|
|
|
|
protocol-version vulnerability in the SSL 2.0 server implementation.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NETSCAPE_CA_DN_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NETSCAPE_CHALLENGE_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_COMPRESSION</code></td>
|
|
|
|
<td>Instructs OpenSSL to disable support for SSL/TLS compression.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_QUERY_MTU</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION</code></td>
|
|
|
|
<td>Instructs OpenSSL to always start a new session when performing
|
|
|
|
renegotiation.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_SSLv2</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn off SSL v2</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_SSLv3</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn off SSL v3</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_TICKET</code></td>
|
|
|
|
<td>Instructs OpenSSL to disable use of RFC4507bis tickets.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_TLSv1</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn off TLS v1</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_TLSv1_1</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn off TLS v1.1</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_NO_TLSv1_2</code></td>
|
|
|
|
<td>Instructs OpenSSL to turn off TLS v1.2</td>
|
|
|
|
</tr>
|
|
|
|
<td><code>SSL_OP_PKCS1_CHECK_1</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_PKCS1_CHECK_2</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_SINGLE_DH_USE</code></td>
|
|
|
|
<td>Instructs OpenSSL to always create a new key when using
|
|
|
|
temporary/ephemeral DH parameters.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_SINGLE_ECDH_USE</code></td>
|
|
|
|
<td>Instructs OpenSSL to always create a new key when using
|
|
|
|
temporary/ephemeral ECDH parameters.</td>
|
|
|
|
</tr>
|
|
|
|
<td><code>SSL_OP_SSLEAY_080_CLIENT_DH_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_TLS_BLOCK_PADDING_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_TLS_D5_BUG</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>SSL_OP_TLS_ROLLBACK_BUG</code></td>
|
|
|
|
<td>Instructs OpenSSL to disable version rollback attack detection.</td>
|
|
|
|
</tr>
|
|
|
|
</table>
|
|
|
|
|
|
|
|
### OpenSSL Engine Constants
|
|
|
|
|
|
|
|
<table>
|
|
|
|
<tr>
|
|
|
|
<th>Constant</th>
|
|
|
|
<th>Description</th>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_RSA</code></td>
|
|
|
|
<td>Limit engine usage to RSA</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_DSA</code></td>
|
|
|
|
<td>Limit engine usage to DSA</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_DH</code></td>
|
|
|
|
<td>Limit engine usage to DH</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_RAND</code></td>
|
|
|
|
<td>Limit engine usage to RAND</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_ECDH</code></td>
|
|
|
|
<td>Limit engine usage to ECDH</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_ECDSA</code></td>
|
|
|
|
<td>Limit engine usage to ECDSA</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_CIPHERS</code></td>
|
|
|
|
<td>Limit engine usage to CIPHERS</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_DIGESTS</code></td>
|
|
|
|
<td>Limit engine usage to DIGESTS</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_STORE</code></td>
|
|
|
|
<td>Limit engine usage to STORE</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_PKEY_METHS</code></td>
|
|
|
|
<td>Limit engine usage to PKEY_METHDS</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_PKEY_ASN1_METHS</code></td>
|
|
|
|
<td>Limit engine usage to PKEY_ASN1_METHS</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_ALL</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ENGINE_METHOD_NONE</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
</table>
|
|
|
|
|
|
|
|
### Other OpenSSL Constants
|
|
|
|
|
|
|
|
<table>
|
|
|
|
<tr>
|
|
|
|
<th>Constant</th>
|
|
|
|
<th>Description</th>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>DH_CHECK_P_NOT_SAFE_PRIME</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>DH_CHECK_P_NOT_PRIME</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>DH_UNABLE_TO_CHECK_GENERATOR</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>DH_NOT_SUITABLE_GENERATOR</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>NPN_ENABLED</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>ALPN_ENABLED</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_PKCS1_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_SSLV23_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_NO_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_PKCS1_OAEP_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_X931_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>RSA_PKCS1_PSS_PADDING</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>POINT_CONVERSION_COMPRESSED</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>POINT_CONVERSION_UNCOMPRESSED</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>POINT_CONVERSION_HYBRID</code></td>
|
|
|
|
<td></td>
|
|
|
|
</tr>
|
|
|
|
</table>
|
|
|
|
|
|
|
|
### Node.js Crypto Constants
|
|
|
|
|
|
|
|
<table>
|
|
|
|
<tr>
|
|
|
|
<th>Constant</th>
|
|
|
|
<th>Description</th>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>defaultCoreCipherList</code></td>
|
|
|
|
<td>Specifies the built-in default cipher list used by Node.js.</td>
|
|
|
|
</tr>
|
|
|
|
<tr>
|
|
|
|
<td><code>defaultCipherList</code></td>
|
|
|
|
<td>Specifies the active default cipher list used by the current Node.js
|
|
|
|
process.</td>
|
|
|
|
</tr>
|
|
|
|
</table>
|
|
|
|
|
|
|
|
|
|
|
|
[`Buffer`]: buffer.html
|
|
|
|
[`cipher.final()`]: #crypto_cipher_final_output_encoding
|
|
|
|
[`cipher.update()`]: #crypto_cipher_update_data_input_encoding_output_encoding
|
|
|
|
[`crypto.createCipher()`]: #crypto_crypto_createcipher_algorithm_password
|
|
|
|
[`crypto.createCipheriv()`]: #crypto_crypto_createcipheriv_algorithm_key_iv
|
|
|
|
[`crypto.createDecipher()`]: #crypto_crypto_createdecipher_algorithm_password
|
|
|
|
[`crypto.createDecipheriv()`]: #crypto_crypto_createdecipheriv_algorithm_key_iv
|
|
|
|
[`crypto.createDiffieHellman()`]: #crypto_crypto_creatediffiehellman_prime_prime_encoding_generator_generator_encoding
|
|
|
|
[`crypto.createECDH()`]: #crypto_crypto_createecdh_curve_name
|
|
|
|
[`crypto.createHash()`]: #crypto_crypto_createhash_algorithm
|
|
|
|
[`crypto.createHmac()`]: #crypto_crypto_createhmac_algorithm_key
|
|
|
|
[`crypto.createSign()`]: #crypto_crypto_createsign_algorithm
|
|
|
|
[`crypto.getCurves()`]: #crypto_crypto_getcurves
|
|
|
|
[`crypto.getHashes()`]: #crypto_crypto_gethashes
|
|
|
|
[`crypto.pbkdf2()`]: #crypto_crypto_pbkdf2_password_salt_iterations_keylen_digest_callback
|
|
|
|
[`decipher.final()`]: #crypto_decipher_final_output_encoding
|
|
|
|
[`decipher.update()`]: #crypto_decipher_update_data_input_encoding_output_encoding
|
|
|
|
[`diffieHellman.setPublicKey()`]: #crypto_diffiehellman_setpublickey_public_key_encoding
|
|
|
|
[`ecdh.generateKeys()`]: #crypto_ecdh_generatekeys_encoding_format
|
|
|
|
[`ecdh.setPrivateKey()`]: #crypto_ecdh_setprivatekey_private_key_encoding
|
|
|
|
[`ecdh.setPublicKey()`]: #crypto_ecdh_setpublickey_public_key_encoding
|
|
|
|
[`EVP_BytesToKey`]: https://www.openssl.org/docs/crypto/EVP_BytesToKey.html
|
|
|
|
[`hash.digest()`]: #crypto_hash_digest_encoding
|
|
|
|
[`hash.update()`]: #crypto_hash_update_data_input_encoding
|
|
|
|
[`hmac.digest()`]: #crypto_hmac_digest_encoding
|
|
|
|
[`hmac.update()`]: #crypto_hmac_update_data_input_encoding
|
|
|
|
[`sign.sign()`]: #crypto_sign_sign_private_key_output_format
|
|
|
|
[`sign.update()`]: #crypto_sign_update_data_input_encoding
|
|
|
|
[`tls.createSecureContext()`]: tls.html#tls_tls_createsecurecontext_options
|
|
|
|
[`verify.update()`]: #crypto_verifier_update_data_input_encoding
|
|
|
|
[`verify.verify()`]: #crypto_verifier_verify_object_signature_signature_format
|
|
|
|
[Caveats]: #crypto_support_for_weak_or_compromised_algorithms
|
|
|
|
[HTML5's `keygen` element]: http://www.w3.org/TR/html5/forms.html#the-keygen-element
|
|
|
|
[initialization vector]: https://en.wikipedia.org/wiki/Initialization_vector
|
|
|
|
[NIST SP 800-131A]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
|
|
|
|
[NIST SP 800-132]: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
|
|
|
|
[OpenSSL cipher list format]: https://www.openssl.org/docs/apps/ciphers.html#CIPHER-LIST-FORMAT
|
|
|
|
[OpenSSL's SPKAC implementation]: https://www.openssl.org/docs/apps/spkac.html
|
|
|
|
[publicly trusted list of CAs]: https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
|
|
|
|
[RFC 2412]: https://www.rfc-editor.org/rfc/rfc2412.txt
|
|
|
|
[RFC 3526]: https://www.rfc-editor.org/rfc/rfc3526.txt
|
|
|
|
[stream]: stream.html
|
|
|
|
[stream-writable-write]: stream.html#stream_writable_write_chunk_encoding_callback
|
|
|
|
[Crypto Constants]: #crypto_crypto_constants
|