Skip to content
Browse files

crypto: fix key object wrapping in sync keygen

PR-URL: #25326
Fixes: #25322
Reviewed-By: Ben Noordhuis <>
Reviewed-By: Colin Ihrig <>
Reviewed-By: Sam Roberts <>
Reviewed-By: James M Snell <>
  • Loading branch information...
tniessen authored and addaleax committed Jan 3, 2019
1 parent 456f76a commit 32e45b20da0b9a17f4d27d81e86997e800c9ac3a
Showing with 29 additions and 15 deletions.
  1. +9 −14 doc/api/
  2. +5 −1 lib/internal/crypto/keygen.js
  3. +15 −0 test/parallel/test-crypto-keygen.js
@@ -1951,27 +1951,22 @@ changes:
- `publicExponent`: {number} Public exponent (RSA). **Default:** `0x10001`.
- `divisorLength`: {number} Size of `q` in bits (DSA).
- `namedCurve`: {string} Name of the curve to use (EC).
- `publicKeyEncoding`: {Object}
- `type`: {string} Must be one of `'pkcs1'` (RSA only) or `'spki'`.
- `format`: {string} Must be `'pem'` or `'der'`.
- `privateKeyEncoding`: {Object}
- `type`: {string} Must be one of `'pkcs1'` (RSA only), `'pkcs8'` or
`'sec1'` (EC only).
- `format`: {string} Must be `'pem'` or `'der'`.
- `cipher`: {string} If specified, the private key will be encrypted with
the given `cipher` and `passphrase` using PKCS#5 v2.0 password based
- `passphrase`: {string | Buffer} The passphrase to use for encryption, see
- `publicKeyEncoding`: {Object} See [`keyObject.export()`][].
- `privateKeyEncoding`: {Object} See [`keyObject.export()`][].
* Returns: {Object}
- `publicKey`: {string | Buffer | KeyObject}
- `privateKey`: {string | Buffer | KeyObject}

Generates a new asymmetric key pair of the given `type`. Only RSA, DSA and EC
are currently supported.

It is recommended to encode public keys as `'spki'` and private keys as
`'pkcs8'` with encryption:
If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
behaves as if [`keyObject.export()`][] had been called on its result. Otherwise,
the respective part of the key is returned as a [`KeyObject`].

When encoding public keys, it is recommended to use `'spki'`. When encoding
private keys, it is recommended to use `'pks8'` with a strong passphrase, and to
keep the passphrase confidential.

const { generateKeyPairSync } = require('crypto');
@@ -74,7 +74,11 @@ function handleError(impl, wrap) {
if (err !== undefined)
throw err;

return { publicKey, privateKey };
// If no encoding was chosen, return key objects instead.
return {
publicKey: wrapKey(publicKey, PublicKeyObject),
privateKey: wrapKey(privateKey, PrivateKeyObject)

function parseKeyEncoding(keyType, options) {
@@ -95,6 +95,21 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
testSignVerify(publicKey, privateKey);

// Test sync key generation with key objects.
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
modulusLength: 512

assert.strictEqual(typeof publicKey, 'object');
assert.strictEqual(publicKey.type, 'public');
assert.strictEqual(publicKey.asymmetricKeyType, 'rsa');

assert.strictEqual(typeof privateKey, 'object');
assert.strictEqual(privateKey.type, 'private');
assert.strictEqual(privateKey.asymmetricKeyType, 'rsa');

const publicKeyEncoding = {
type: 'pkcs1',

0 comments on commit 32e45b2

Please sign in to comment.
You can’t perform that action at this time.