Sign inDemoInstall


Package Overview
File Explorer

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies



A library for finding and using SSH public keys

Version published
Install size
89.7 kB

Package description

What is sshpk?

The sshpk npm package is a tool for parsing and generating SSH public and private keys. It supports various key types, including RSA, DSA, ECDSA, and Ed25519. It can also handle certificate formats such as SSH, X.509, and others. The package is useful for applications that need to manage or interact with SSH keys and certificates.

What are sshpk's main functionalities?

Parsing SSH keys

This feature allows you to parse SSH public keys from strings or files. The code sample demonstrates how to read an SSH public key from a file and parse it using sshpk.

const sshpk = require('sshpk');
const fs = require('fs');

const keyData = fs.readFileSync('path/to/ssh/', 'utf-8');
const key = sshpk.parseKey(keyData, 'ssh');

Generating SSH keys

This feature enables the generation of new SSH keys. The code sample shows how to generate a new RSA key with a 2048-bit length.

const sshpk = require('sshpk');

const key = sshpk.generateKey('rsa', 2048);

Converting keys to different formats

This feature allows you to convert SSH keys to different formats, such as PEM. The code sample demonstrates how to parse an SSH key and then convert it to PEM format.

const sshpk = require('sshpk');
const fs = require('fs');

const keyData = fs.readFileSync('path/to/ssh/', 'utf-8');
const key = sshpk.parseKey(keyData, 'ssh');
const pemKey = key.toBuffer('pem');

Fingerprinting keys

This feature is used to generate a fingerprint of an SSH key, which can be used for verifying identity. The code sample shows how to parse an SSH key and generate its fingerprint using SHA-256.

const sshpk = require('sshpk');
const fs = require('fs');

const keyData = fs.readFileSync('path/to/ssh/', 'utf-8');
const key = sshpk.parseKey(keyData, 'ssh');
const fingerprint = key.fingerprint('sha256').toString();

Other packages similar to sshpk




Parse, convert, fingerprint and use SSH public keys in pure node -- no ssh-keygen or other external dependencies.

Supports RSA, DSA and ECDSA (nistp-*) key types. Can also parse SSH private keys in PEM format and output their public half.

This library has been extracted from node-http-signature (work by Mark Cavage and Dave Eddy) and node-ssh-fingerprint (work by Dave Eddy), with some additions (including ECDSA support) by Alex Wilson.


npm install sshpk


var sshpk = require('sshpk');

var fs = require('fs');

/* Read in an OpenSSH-format public key */
var keyPub = fs.readFileSync('');
var key = sshpk.parseKey(keyPub, 'ssh');

/* Get metadata about the key */
console.log('type => %s', key.type);
console.log('size => %d bits', key.size);
console.log('comment => %s', key.comment);

/* Compute key fingerprints, in new OpenSSH (>6.7) format, and old MD5 */
console.log('fingerprint => %s', key.fingerprint().toString());
console.log('old-style fingerprint => %s', key.fingerprint('md5').toString());

Example output:

type => rsa
size => 2048 bits
comment =>
fingerprint => SHA256:PYC9kPVC6J873CSIbfp0LwYeczP/W4ffObNCuDJ1u5w
old-style fingerprint => a0:c8:ad:6c:32:9a:32:fa:59:cc:a9:8c:0a:0d:6e:bd

More examples: converting between formats:

/* Read in a PEM public key (PKCS#8) */
var keyPem = fs.readFileSync('id_rsa.pem');
var key = sshpk.parseKey(keyPem, 'pem');

/* Read in an OpenSSH/PEM *private* key, will load just the public half */
var keyPriv = fs.readFileSync('id_ecdsa');
var key = sshpk.parseKey(keyPriv, 'pem');

/* Convert to PEM PKCS#8 public key format */
var pemBuf = key.toBuffer('pem');

/* Convert to SSH public key format (and return as a string) */
var sshKey = key.toString('ssh');

/* Make a crypto.Verifier with this key */
var v = key.createVerify('sha1');
v.update('some data here');
var valid = v.verify(signature);

Matching fingerprints with keys:

var fp = sshpk.parseFingerprint('SHA256:PYC9kPVC6J873CSIbfp0LwYeczP/W4ffObNCuDJ1u5w');

var keys = [sshpk.parseKey(...), sshpk.parseKey(...), ...];

keys.forEach(function (key) {
	if (fp.matches(key))
		console.log('found it!');


parseKey(data[, format = 'ssh'[, name]])

Parses a key from a given data format and returns a new Key object.


  • data -- Either a Buffer or String, containing the key
  • format -- String name of format to use, valid options are pem (supports both PKCS#1 and PKCS#8), rfc4253 (raw OpenSSH wire format, as returned by ssh-agent, for example), ssh (OpenSSH format)
  • name -- Optional name for the key being parsed (eg. the filename that was opened). Used to generate Error messages


String, the type of key. Valid options are rsa, dsa, ecdsa.


Integer, "size" of the key in bits. For RSA/DSA this is the size of the modulus; for ECDSA this is the bit size of the curve in use.


Optional string, a key comment used by some formats (eg the ssh format).


Only present if this.type === 'ecdsa', string containing the name of the named curve used with this key. Possible values include nistp256, nistp384 and nistp521.

Key#toBuffer([format = 'ssh'])

Convert the key into a given data format and return the serialized key as a Buffer.


  • format -- String name of format to use, valid options are pem, rfc4253, ssh

Key#toString([format = 'ssh])

Same as this.toBuffer(format).toString().

Key#fingerprint([algorithm = 'sha256'])

Creates a new Fingerprint object representing this Key's fingerprint.


  • algorithm -- String name of hash algorithm to use, valid options are md5, sha1, sha256, sha384, sha512


Creates a crypto.Verifier specialized to use this Key (and the correct public key algorithm to match it). The returned Verifier has the same API as a regular one, except that the verify() function takes only the target signature as an argument.


  • hashAlgorithm -- optional String name of hash algorithm to use, any supported by OpenSSL are valid, usually including sha1, sha256.

v.verify(signature[, format]) Parameters

  • signature -- either a Signature object, or a Buffer or String
  • format -- optional String, name of format to interpret given String with. Not valid if signature is a Signature or Buffer.

parseFingerprint(fingerprint[, algorithms])

Pre-parses a fingerprint, creating a Fingerprint object that can be used to quickly locate a key by using the Fingerprint#matches function.


  • fingerprint -- String, the fingerprint value, in any supported format
  • algorithms -- Optional list of strings, names of hash algorithms to limit support to. If fingerprint uses a hash algorithm not on this list, throws InvalidAlgorithmError.


Returns a fingerprint as a string, in the given format.


  • format -- Optional String, format to use, valid options are hex and base64. If this Fingerprint uses the md5 algorithm, the default format is hex. Otherwise, the default is base64.


Verifies whether or not this Fingerprint matches a given Key. This function uses double-hashing to avoid leaking timing information. Returns a boolean.


  • key -- a Key object, the key to match this fingerprint against

parseSignature(signature, algorithm, format)

Parses a signature in a given format, createing a Signature object. Useful for converting between the SSH and ASN.1 (PKCS/OpenSSL) signature formats for DSA and ECDSA.

A Signature object can also be passed to a verifier produced by Key#createVerify() and it will automatically be converted into the correct format for verification.


  • signature -- a Buffer (binary) or String (base64), data of the actual signature in the given format
  • algorithm -- a String, name of the algorithm to be used, possible values are rsa, dsa and ecdsa
  • format -- a String, either asn1 or ssh

Signature#toBuffer([format = 'asn1'])

Converts a Signature to the given format and returns it as a Buffer.


  • format -- a String, either asn1 or ssh

Signature#toString([format = 'asn1'])

Same as this.toBuffer(format).toString('base64').



The specified algorithm is not valid, either because it is not supported, or because it was not included on a list of allowed algorithms.

Thrown by Fingerprint.parse, Key#fingerprint.


  • algorithm -- the algorithm that could not be validated


The fingerprint string given could not be parsed as a supported fingerprint format, or the specified fingerprint format is invalid.

Thrown by Fingerprint.parse, Fingerprint#toString.


  • fingerprint -- if caused by a fingerprint, the string value given
  • format -- if caused by an invalid format specification, the string value given


The key data given could not be parsed as a valid key.


  • keyName -- name that was given to Key#parse
  • format -- the format that was trying to parse the key
  • innerErr -- the inner Error thrown by the format parser


Last updated on 28 Sep 2015

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.


Related posts

SocketSocket SOC 2 Logo


  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc