crypto.pbkdf2(password, salt, iterations, keylen, digest, callback)


Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2) implementation. A selected HMAC digest algorithm specified by digest is applied to derive a key of the requested byte length (keylen) from the password, salt and iterations.

The supplied callback function is called with two arguments: err and derivedKey. If an error occurs while deriving the key, err will be set; otherwise err will be null. By default, the successfully generated derivedKey will be passed to the callback as a Buffer. An error will be thrown if any of the input arguments specify invalid values or types.

The iterations argument must be a number set as high as possible. The higher the number of iterations, the more secure the derived key will be, but the longer the derivation will take to complete.

The salt should be as unique as possible. It is recommended that a salt is random and at least 16 bytes long. See NIST SP 800-132 for details.

When passing strings for password or salt, please consider caveats when using strings as inputs to cryptographic APIs.

// ES module
const {
  pbkdf2,
} = await import('node:crypto');

pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString('hex'));  // '3745e48...08d59ae'
});

// CommonJS
const {
  pbkdf2,
} = require('node:crypto');

pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => {
  if (err) throw err;
  console.log(derivedKey.toString('hex'));  // '3745e48...08d59ae'
});

An array of supported digest functions can be retrieved using crypto.getHashes().

This API uses libuv's threadpool, which can have surprising and negative performance implications for some applications; see the UV_THREADPOOL_SIZE documentation for more information.
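The salt and iterations guidance above, applied to password storage, as an added example that is not part of the Node.js documentation. The function names hashPassword and verifyPassword, the digest$iterations$salt$key record layout and the default parameters (copied from the call shown earlier) are assumptions made for illustration.

```javascript
// Added example: salted password hashing and verification with crypto.pbkdf2.
const { pbkdf2, randomBytes, timingSafeEqual, getHashes } = require('node:crypto');
const { promisify } = require('node:util');

const pbkdf2Async = promisify(pbkdf2);

// Assumed defaults, taken from the sample call on this page; tune for your hardware.
const DEFAULTS = { digest: 'sha512', iterations: 100000, keylen: 64, saltBytes: 16 };

// Derive a key with a fresh random salt and return a self-describing record
// (hypothetical layout: digest$iterations$saltHex$keyHex).
async function hashPassword(password, opts = DEFAULTS) {
  const salt = randomBytes(opts.saltBytes); // unique per password, at least 16 bytes
  const key = await pbkdf2Async(password, salt, opts.iterations, opts.keylen, opts.digest);
  return [opts.digest, opts.iterations, salt.toString('hex'), key.toString('hex')].join('$');
}

// Re-derive with the parameters stored in the record and compare in constant time.
async function verifyPassword(password, record) {
  const [digest, iterStr, saltHex, keyHex] = String(record).split('$');
  const iterations = Number(iterStr);
  const salt = Buffer.from(saltHex || '', 'hex');
  const expected = Buffer.from(keyHex || '', 'hex');
  // Reject unsupported digests and empty or undecodable fields. A zero-length
  // expected key would otherwise compare equal for every password.
  if (!getHashes().includes(digest) || !Number.isSafeInteger(iterations) ||
      iterations < 1 || salt.length === 0 || expected.length === 0) {
    throw new Error('malformed password record');
  }
  const actual = await pbkdf2Async(password, salt, iterations, expected.length, digest);
  return timingSafeEqual(actual, expected);
}
```

Because each record carries its own digest and iteration count, the defaults can be raised later without invalidating hashes that are already stored.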