Web Crypto API | Node.js v23.11.0 Documentation (original) (raw)

Node.js provides an implementation of the standard Web Crypto API.

Use globalThis.crypto or require('node:crypto').webcrypto to access this module.

`const { subtle } = globalThis.crypto;

(async function() {

const key = await subtle.generateKey({ name: 'HMAC', hash: 'SHA-256', length: 256, }, true, ['sign', 'verify']);

const enc = new TextEncoder(); const message = enc.encode('I love cupcakes');

const digest = await subtle.sign({ name: 'HMAC', }, key, message);

})();`

Examples#

Generating keys#

The class can be used to generate symmetric (secret) keys or asymmetric key pairs (public key and private key).

AES keys#

`const { subtle } = globalThis.crypto;

async function generateAesKey(length = 256) { const key = await subtle.generateKey({ name: 'AES-CBC', length, }, true, ['encrypt', 'decrypt']);

return key; }`

ECDSA key pairs#

`const { subtle } = globalThis.crypto;

async function generateEcKey(namedCurve = 'P-521') { const { publicKey, privateKey, } = await subtle.generateKey({ name: 'ECDSA', namedCurve, }, true, ['sign', 'verify']);

return { publicKey, privateKey }; }`

Ed25519/X25519 key pairs#

`const { subtle } = globalThis.crypto;

async function generateEd25519Key() { return subtle.generateKey({ name: 'Ed25519', }, true, ['sign', 'verify']); }

async function generateX25519Key() { return subtle.generateKey({ name: 'X25519', }, true, ['deriveKey']); }`

HMAC keys#

`const { subtle } = globalThis.crypto;

async function generateHmacKey(hash = 'SHA-256') { const key = await subtle.generateKey({ name: 'HMAC', hash, }, true, ['sign', 'verify']);

return key; }`

RSA key pairs#

`const { subtle } = globalThis.crypto; const publicExponent = new Uint8Array([1, 0, 1]);

async function generateRsaKey(modulusLength = 2048, hash = 'SHA-256') { const { publicKey, privateKey, } = await subtle.generateKey({ name: 'RSASSA-PKCS1-v1_5', modulusLength, publicExponent, hash, }, true, ['sign', 'verify']);

return { publicKey, privateKey }; }`

Encryption and decryption#

`const crypto = globalThis.crypto;

async function aesEncrypt(plaintext) { const ec = new TextEncoder(); const key = await generateAesKey(); const iv = crypto.getRandomValues(new Uint8Array(16));

const ciphertext = await crypto.subtle.encrypt({ name: 'AES-CBC', iv, }, key, ec.encode(plaintext));

return { key, iv, ciphertext, }; }

async function aesDecrypt(ciphertext, key, iv) { const dec = new TextDecoder(); const plaintext = await crypto.subtle.decrypt({ name: 'AES-CBC', iv, }, key, ciphertext);

return dec.decode(plaintext); }`

Exporting and importing keys#

`const { subtle } = globalThis.crypto;

async function generateAndExportHmacKey(format = 'jwk', hash = 'SHA-512') { const key = await subtle.generateKey({ name: 'HMAC', hash, }, true, ['sign', 'verify']);

return subtle.exportKey(format, key); }

async function importHmacKey(keyData, format = 'jwk', hash = 'SHA-512') { const key = await subtle.importKey(format, keyData, { name: 'HMAC', hash, }, true, ['sign', 'verify']);

return key; }`

Wrapping and unwrapping keys#

`const { subtle } = globalThis.crypto;

async function generateAndWrapHmacKey(format = 'jwk', hash = 'SHA-512') { const [ key, wrappingKey, ] = await Promise.all([ subtle.generateKey({ name: 'HMAC', hash, }, true, ['sign', 'verify']), subtle.generateKey({ name: 'AES-KW', length: 256, }, true, ['wrapKey', 'unwrapKey']), ]);

const wrappedKey = await subtle.wrapKey(format, key, wrappingKey, 'AES-KW');

return { wrappedKey, wrappingKey }; }

async function unwrapHmacKey( wrappedKey, wrappingKey, format = 'jwk', hash = 'SHA-512') {

const key = await subtle.unwrapKey( format, wrappedKey, wrappingKey, 'AES-KW', { name: 'HMAC', hash }, true, ['sign', 'verify']);

return key; }`

Sign and verify#

`const { subtle } = globalThis.crypto;

async function sign(key, data) { const ec = new TextEncoder(); const signature = await subtle.sign('RSASSA-PKCS1-v1_5', key, ec.encode(data)); return signature; }

async function verify(key, signature, data) { const ec = new TextEncoder(); const verified = await subtle.verify( 'RSASSA-PKCS1-v1_5', key, signature, ec.encode(data)); return verified; }`

Deriving bits and keys#

`const { subtle } = globalThis.crypto;

async function pbkdf2(pass, salt, iterations = 1000, length = 256) { const ec = new TextEncoder(); const key = await subtle.importKey( 'raw', ec.encode(pass), 'PBKDF2', false, ['deriveBits']); const bits = await subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-512', salt: ec.encode(salt), iterations, }, key, length); return bits; }

async function pbkdf2Key(pass, salt, iterations = 1000, length = 256) { const ec = new TextEncoder(); const keyMaterial = await subtle.importKey( 'raw', ec.encode(pass), 'PBKDF2', false, ['deriveKey']); const key = await subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-512', salt: ec.encode(salt), iterations, }, keyMaterial, { name: 'AES-GCM', length, }, true, ['encrypt', 'decrypt']); return key; }`

Digest#

`const { subtle } = globalThis.crypto;

async function digest(data, algorithm = 'SHA-512') { const ec = new TextEncoder(); const digest = await subtle.digest(algorithm, ec.encode(data)); return digest; }`

Algorithm matrix#

The table details the algorithms supported by the Node.js Web Crypto API implementation and the APIs supported for each:

Algorithm generateKey exportKey importKey encrypt decrypt wrapKey unwrapKey deriveBits deriveKey sign verify digest
'RSASSA-PKCS1-v1_5'
'RSA-PSS'
'RSA-OAEP'
'ECDSA'
'Ed25519'
'Ed448' 1
'ECDH'
'X25519'
'X448' 1
'AES-CTR'
'AES-CBC'
'AES-GCM'
'AES-KW'
'HMAC'
'HKDF'
'PBKDF2'
'SHA-1'
'SHA-256'
'SHA-384'
'SHA-512'

Class: Crypto#

Added in: v15.0.0

globalThis.crypto is an instance of the Cryptoclass. Crypto is a singleton that provides access to the remainder of the crypto API.

crypto.subtle#

Added in: v15.0.0

Provides access to the SubtleCrypto API.

crypto.getRandomValues(typedArray)#

Added in: v15.0.0

Generates cryptographically strong random values. The given typedArray is filled with random values, and a reference to typedArray is returned.

The given typedArray must be an integer-based instance of , i.e. Float32Array and Float64Array are not accepted.

An error will be thrown if the given typedArray is larger than 65,536 bytes.

crypto.randomUUID()#

Added in: v16.7.0

Generates a random RFC 4122 version 4 UUID. The UUID is generated using a cryptographic pseudorandom number generator.

Class: CryptoKey#

Added in: v15.0.0

cryptoKey.extractable#

Added in: v15.0.0

When true, the can be extracted using eithersubtleCrypto.exportKey() or subtleCrypto.wrapKey().

Read-only.

cryptoKey.type#

Added in: v15.0.0

A string identifying whether the key is a symmetric ('secret') or asymmetric ('private' or 'public') key.

cryptoKey.usages#

Added in: v15.0.0

An array of strings identifying the operations for which the key may be used.

The possible usages are:

Valid key usages depend on the key algorithm (identified bycryptokey.algorithm.name).

Supported Key Algorithm 'encrypt' 'decrypt' 'sign' 'verify' 'deriveKey' 'deriveBits' 'wrapKey' 'unwrapKey'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'X25519'
'X448' 1
'ECDSA'
'Ed25519'
'Ed448' 1
'HDKF'
'HMAC'
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

Class: CryptoKeyPair#

Added in: v15.0.0

The CryptoKeyPair is a simple dictionary object with publicKey andprivateKey properties, representing an asymmetric key pair.

Class: SubtleCrypto#

Added in: v15.0.0

subtle.deriveBits(algorithm, baseKey[, length])#

Using the method and parameters specified in algorithm and the keying material provided by baseKey, subtle.deriveBits() attempts to generatelength bits.

When length is not provided or null the maximum number of bits for a given algorithm is generated. This is allowed for the 'ECDH', 'X25519', and 'X448'algorithms, for other algorithms length is required to be a number.

If successful, the returned promise will be resolved with an containing the generated data.

The algorithms currently supported include:

subtle.deriveKey(algorithm, baseKey, derivedKeyAlgorithm, extractable, keyUsages)#

Using the method and parameters specified in algorithm, and the keying material provided by baseKey, subtle.deriveKey() attempts to generate a new based on the method and parameters in derivedKeyAlgorithm.

Calling subtle.deriveKey() is equivalent to calling subtle.deriveBits() to generate raw keying material, then passing the result into thesubtle.importKey() method using the deriveKeyAlgorithm, extractable, andkeyUsages parameters as input.

The algorithms currently supported include:

subtle.exportKey(format, key)#

Exports the given key into the specified format, if supported.

If the is not extractable, the returned promise will reject.

When format is either 'pkcs8' or 'spki' and the export is successful, the returned promise will be resolved with an containing the exported key data.

When format is 'jwk' and the export is successful, the returned promise will be resolved with a JavaScript object conforming to the JSON Web Keyspecification.

Supported Key Algorithm 'spki' 'pkcs8' 'jwk' 'raw'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'ECDSA'
'Ed25519'
'Ed448' 1
'HMAC'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

subtle.importKey(format, keyData, algorithm, extractable, keyUsages)#

The subtle.importKey() method attempts to interpret the provided keyDataas the given format to create a instance using the providedalgorithm, extractable, and keyUsages arguments. If the import is successful, the returned promise will be resolved with the created .

If importing a 'PBKDF2' key, extractable must be false.

The algorithms currently supported include:

Supported Key Algorithm 'spki' 'pkcs8' 'jwk' 'raw'
'AES-CBC'
'AES-CTR'
'AES-GCM'
'AES-KW'
'ECDH'
'X25519'
'X448' 1
'ECDSA'
'Ed25519'
'Ed448' 1
'HDKF'
'HMAC'
'PBKDF2'
'RSA-OAEP'
'RSA-PSS'
'RSASSA-PKCS1-v1_5'

subtle.unwrapKey(format, wrappedKey, unwrappingKey, unwrapAlgo, unwrappedKeyAlgo, extractable, keyUsages)#

Added in: v15.0.0

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The subtle.unwrapKey() method attempts to decrypt a wrapped key and create a instance. It is equivalent to callingsubtle.decrypt() first on the encrypted key data (using the wrappedKey,unwrapAlgo, and unwrappingKey arguments as input) then passing the results in to the subtle.importKey() method using the unwrappedKeyAlgo,extractable, and keyUsages arguments as inputs. If successful, the returned promise is resolved with a object.

The wrapping algorithms currently supported include:

The unwrapped key algorithms supported include:

subtle.wrapKey(format, key, wrappingKey, wrapAlgo)#

Added in: v15.0.0

In cryptography, "wrapping a key" refers to exporting and then encrypting the keying material. The subtle.wrapKey() method exports the keying material into the format identified by format, then encrypts it using the method and parameters specified by wrapAlgo and the keying material provided bywrappingKey. It is the equivalent to calling subtle.exportKey() usingformat and key as the arguments, then passing the result to thesubtle.encrypt() method using wrappingKey and wrapAlgo as inputs. If successful, the returned promise will be resolved with an containing the encrypted key data.

The wrapping algorithms currently supported include:

Algorithm parameters#

The algorithm parameter objects define the methods and parameters used by the various methods. While described here as "classes", they are simple JavaScript dictionary objects.

Class: AlgorithmIdentifier#

Added in: v15.0.0

algorithmIdentifier.name#

Added in: v15.0.0

Class: AesDerivedKeyParams#

Added in: v15.0.0

aesDerivedKeyParams.name#

Added in: v15.0.0

aesDerivedKeyParams.length#

Added in: v15.0.0

The length of the AES key to be derived. This must be either 128, 192, or 256.

Class: AesCbcParams#

Added in: v15.0.0

aesCbcParams.iv#

Added in: v15.0.0

Provides the initialization vector. It must be exactly 16-bytes in length and should be unpredictable and cryptographically random.

aesCbcParams.name#

Added in: v15.0.0

Class: AesCtrParams#

Added in: v15.0.0

aesCtrParams.counter#

Added in: v15.0.0

The initial value of the counter block. This must be exactly 16 bytes long.

The AES-CTR method uses the rightmost length bits of the block as the counter and the remaining bits as the nonce.

aesCtrParams.length#

Added in: v15.0.0

aesCtrParams.name#

Added in: v15.0.0

Class: AesGcmParams#

Added in: v15.0.0

aesGcmParams.additionalData#

Added in: v15.0.0

With the AES-GCM method, the additionalData is extra input that is not encrypted but is included in the authentication of the data. The use ofadditionalData is optional.

aesGcmParams.iv#

Added in: v15.0.0

The initialization vector must be unique for every encryption operation using a given key.

Ideally, this is a deterministic 12-byte value that is computed in such a way that it is guaranteed to be unique across all invocations that use the same key. Alternatively, the initialization vector may consist of at least 12 cryptographically random bytes. For more information on constructing initialization vectors for AES-GCM, refer to Section 8 of NIST SP 800-38D.

aesGcmParams.name#

Added in: v15.0.0

aesGcmParams.tagLength#

Added in: v15.0.0

Class: AesKeyGenParams#

Added in: v15.0.0

aesKeyGenParams.length#

Added in: v15.0.0

The length of the AES key to be generated. This must be either 128, 192, or 256.

aesKeyGenParams.name#

Added in: v15.0.0

Class: EcdhKeyDeriveParams#

Added in: v15.0.0

ecdhKeyDeriveParams.name#

Added in: v15.0.0

ecdhKeyDeriveParams.public#

Added in: v15.0.0

ECDH key derivation operates by taking as input one parties private key and another parties public key -- using both to generate a common shared secret. The ecdhKeyDeriveParams.public property is set to the other parties public key.

Class: EcdsaParams#

Added in: v15.0.0

ecdsaParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

ecdsaParams.name#

Added in: v15.0.0

Class: EcKeyGenParams#

Added in: v15.0.0

ecKeyGenParams.name#

Added in: v15.0.0

ecKeyGenParams.namedCurve#

Added in: v15.0.0

Class: EcKeyImportParams#

Added in: v15.0.0

ecKeyImportParams.name#

Added in: v15.0.0

ecKeyImportParams.namedCurve#

Added in: v15.0.0

Class: Ed448Params#

Added in: v15.0.0

ed448Params.name#

Added in: v18.4.0, v16.17.0

ed448Params.context#

Added in: v18.4.0, v16.17.0

The context member represents the optional context data to associate with the message. The Node.js Web Crypto API implementation only supports zero-length context which is equivalent to not providing context at all.

Class: HkdfParams#

Added in: v15.0.0

hkdfParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

hkdfParams.name#

Added in: v15.0.0

hkdfParams.salt#

Added in: v15.0.0

The salt value significantly improves the strength of the HKDF algorithm. It should be random or pseudorandom and should be the same length as the output of the digest function (for instance, if using 'SHA-256' as the digest, the salt should be 256-bits of random data).

Class: HmacImportParams#

Added in: v15.0.0

hmacImportParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

hmacImportParams.length#

Added in: v15.0.0

The optional number of bits in the HMAC key. This is optional and should be omitted for most cases.

hmacImportParams.name#

Added in: v15.0.0

Class: HmacKeyGenParams#

Added in: v15.0.0

hmacKeyGenParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

hmacKeyGenParams.length#

Added in: v15.0.0

The number of bits to generate for the HMAC key. If omitted, the length will be determined by the hash algorithm used. This is optional and should be omitted for most cases.

hmacKeyGenParams.name#

Added in: v15.0.0

Class: Pbkdf2Params#

Added in: v15.0.0

pbkdb2Params.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

pbkdf2Params.iterations#

Added in: v15.0.0

The number of iterations the PBKDF2 algorithm should make when deriving bits.

pbkdf2Params.name#

Added in: v15.0.0

Class: RsaHashedImportParams#

Added in: v15.0.0

rsaHashedImportParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

rsaHashedImportParams.name#

Added in: v15.0.0

Class: RsaHashedKeyGenParams#

Added in: v15.0.0

rsaHashedKeyGenParams.hash#

Added in: v15.0.0

If represented as a , the value must be one of:

If represented as an , the object must have a name property whose value is one of the above listed values.

rsaHashedKeyGenParams.modulusLength#

Added in: v15.0.0

The length in bits of the RSA modulus. As a best practice, this should be at least 2048.

rsaHashedKeyGenParams.name#

Added in: v15.0.0

rsaHashedKeyGenParams.publicExponent#

Added in: v15.0.0

The RSA public exponent. This must be a containing a big-endian, unsigned integer that must fit within 32-bits. The may contain an arbitrary number of leading zero-bits. The value must be a prime number. Unless there is reason to use a different value, use new Uint8Array([1, 0, 1])(65537) as the public exponent.

Class: RsaOaepParams#

Added in: v15.0.0

rsaOaepParams.label#

Added in: v15.0.0

An additional collection of bytes that will not be encrypted, but will be bound to the generated ciphertext.

The rsaOaepParams.label parameter is optional.

rsaOaepParams.name#

Added in: v15.0.0

Class: RsaPssParams#

Added in: v15.0.0

rsaPssParams.name#

Added in: v15.0.0