Module crypto
ballerina/crypto Ballerina library
2.10.0
Overview
This module provides common cryptographic mechanisms based on different algorithms.
The Ballerina crypto module facilitates APIs to do operations like hashing, HMAC generation, checksum generation, encryption, decryption, signing data digitally, verifying digitally signed data, etc., with different cryptographic algorithms.
Hashes
The crypto module supports generating hashes with 6 different hash algorithms MD5, SHA1, SHA256, SHA384, SHA512, and Keccak256. Also, it supports generating the CRC32B checksum.
HMAC
The crypto module supports generating HMAC with 5 different hash algorithms: MD5, SHA1, SHA256, SHA384, and SHA512.
Decode private/public key
The crypto module supports decoding the RSA private key from a .p12 file and a key file in the PEM format. Also, it supports decoding a public key from a .p12 file and a certificate file in the X509 format. Additionally, this supports building an RSA public key with the modulus and exponent parameters.
Encrypt and decrypt
The crypto module supports both symmetric key encryption/decryption and asymmetric key encryption/decryption. The RSA algorithm can be used for asymmetric-key encryption/decryption with the use of private and public keys. The AES algorithm can be used for symmetric-key encryption/decryption with the use of a shared key.
Sign and verify
The crypto module supports signing data using the RSA private key and verification of the signature using the RSA public key. This supports MD5, SHA1, SHA256, SHA384, and SHA512 digesting algorithms, and ML-DSA-65 post-quantum signature algorithm as well.
Key Derivation Functions (KDF)
The crypto module supports HMAC-based Key Derivation Function (HKDF). HKDF is a key derivation function that uses a Hash-based Message Authentication Code (HMAC) to derive keys.
Key Exchange Mechanisms (KEM)
The crypto module supports Key Exchange Mechanisms (KEM). It includes RSA-KEM and post-quantum ML-KEM-768 for both encapsulation and decapsulation.
Hybrid Public Key Encryption (HPKE)
The crypto module supports Hybrid Public Key Encryption (HPKE). It supports post-quantum ML-KEM-768-HPKE and RSA-KEM-ML-KEM-768-HPKE for encryption and decryption.
Functions
buildRsaPublicKey
Isolated Function
Builds the RSA public key from the given modulus and exponent parameters.
string modulus = "luZFdW1ynitztkWLC6xKegbRWxky..."; string exponent = "AQAB"; crypto:PublicKey publicKey = check crypto:buildRsaPublicKey(modulus, exponent);
crc32b
Isolated Function
function crc32b(byte[] input) returns stringReturns the Hex-encoded CRC32B checksum for the given data.
string stringData = "Hello Ballerina"; byte[] data = stringData.toBytes(); string checksum = crypto:crc32b(data);
Parameters
- input byte[] - The data to generate the checksum for, provided as a byte array
Return Type
- string - The generated CRC32B checksum as a hexadecimal string
decapsulateMlKem768
Isolated Function
function decapsulateMlKem768(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|ErrorDecapsulates the ML-KEM-768 (Kyber768) shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateMlKem768(encapsulatedSecret, privateKey);
Parameters
- encapsulatedSecret byte[] - The encapsulated secret, provided as a byte array
- privateKey PrivateKey - The ML-KEM-768 private key used for decryption, provided as a
crypto:PrivateKeyrecord
Return Type
- byte[]|Error - The shared secret as a byte array, or a
crypto:Errorif the encapsulated secret or the private key is invalid
decapsulateRsaKem
Isolated Function
function decapsulateRsaKem(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|ErrorDecapsulates the shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKem(encapsulatedSecret, privateKey);
Parameters
- encapsulatedSecret byte[] - The encapsulated secret, provided as a byte array
- privateKey PrivateKey - The RSA private key used for decryption, provided as a
crypto:PrivateKeyrecord
Return Type
- byte[]|Error - The shared secret as a byte array, or a
crypto:Errorif the encapsulated secret or the private key is invalid
decapsulateRsaKemMlKem768
Isolated Function
function decapsulateRsaKemMlKem768(byte[] encapsulatedSecret, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey) returns byte[]|ErrorDecapsulates the shared secret used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) private keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKemMlKem768(encapsulatedSecret, rsaPrivateKey, mlkemPrivateKey);
Parameters
- encapsulatedSecret byte[] - The encapsulated secret, provided as a byte array
- rsaPrivateKey PrivateKey - The RSA private key used for decryption, provided as a
crypto:PrivateKeyrecord
- mlkemPrivateKey PrivateKey - The ML-KEM-768 private key used for decryption, provided as a
crypto:PrivateKeyrecord
Return Type
- byte[]|Error - The shared secret as a byte array, or a
crypto:Errorif the encapsulated secret or the private keys are invalid
decodeEcPrivateKeyFromKeyFile
Isolated Function
function decodeEcPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the EC private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - The private key file path
- keyPassword string? (default ()) - The password used to decrypt the private key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeEcPrivateKeyFromKeyStore
Isolated Function
function decodeEcPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the EC private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - The KeyStore configurations containing the file path and password
- keyAlias string - The alias of the private key in the KeyStore
- keyPassword string - The password used to access the private key in the KeyStore
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeEcPublicKeyFromCertFile
Isolated Function
Decodes the EC public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromCertFile(certFile);
Parameters
- certFile string - The certificate file path
decodeEcPublicKeyFromTrustStore
Isolated Function
function decodeEcPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the EC public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(trustStore, "keyAlias");
Parameters
- trustStore TrustStore - The trustStore configurations containing the file path and password
- keyAlias string - The alias of the public key in the TrustStore
decodeMlDsa65PrivateKeyFromKeyFile
Isolated Function
function decodeMlDsa65PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the ML-DSA-65 (Dilithium3) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - The private key file path
- keyPassword string? (default ()) - The password used to decrypt the private key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlDsa65PrivateKeyFromKeyStore
Isolated Function
function decodeMlDsa65PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the ML-DSA-65 (Dilithium3) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - The KeyStore configurations containing the file path and password
- keyAlias string - The alias of the private key in the KeyStore
- keyPassword string - The password used to access the private key in the KeyStore
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlDsa65PublicKeyFromCertFile
Isolated Function
Decodes the ML-DSA-65 (Dilithium3) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromCertFile(certFile);
Parameters
- certFile string - The certificate file path
decodeMlDsa65PublicKeyFromTrustStore
Isolated Function
function decodeMlDsa65PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the ML-DSA-65 (Dilithium3) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(trustStore, "keyAlias");
Parameters
- trustStore TrustStore - The trustStore configurations containing the file path and password
- keyAlias string - The alias of the public key in the TrustStore
decodeMlKem768PrivateKeyFromKeyFile
Isolated Function
function decodeMlKem768PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the ML-KEM-768 (Kyber768) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - The private key file path
- keyPassword string? (default ()) - The password used to decrypt the private key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlKem768PrivateKeyFromKeyStore
Isolated Function
function decodeMlKem768PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the ML-KEM-768 (Kyber768) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - The KeyStore configurations containing the file path and password
- keyAlias string - The alias of the private key in the KeyStore
- keyPassword string - The password used to access the private key in the KeyStore
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlKem768PublicKeyFromCertFile
Isolated Function
Decodes the ML-KEM-768 (Kyber768) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromCertFile(certFile);
Parameters
- certFile string - The certificate file path
decodeMlKem768PublicKeyFromTrustStore
Isolated Function
function decodeMlKem768PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the ML-KEM-768 (Kyber768) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(trustStore, "keyAlias");
Parameters
- trustStore TrustStore - The trustStore configurations containing the file path and password
- keyAlias string - The alias of the public key in the TrustStore
decodeRsaPrivateKeyFromContent
Isolated Function
function decodeRsaPrivateKeyFromContent(byte[] content, string? keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given private key content as a byte array.
byte[] keyFileContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromContent(keyFileContent, "keyPassword");
Parameters
- content byte[] - Private key content as a byte array
- keyPassword string? (default ()) - Password of the private key if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPrivateKeyFromKeyFile
Isolated Function
function decodeRsaPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - The private key file path
- keyPassword string? (default ()) - The password used to decrypt the private key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPrivateKeyFromKeyStore
Isolated Function
function decodeRsaPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - The KeyStore configurations containing the file path and password
- keyAlias string - The alias of the private key in the KeyStore
- keyPassword string - The password used to access the private key in the KeyStore
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPublicKeyFromCertFile
Isolated Function
Decodes the RSA public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromCertFile(certFile);
Parameters
- certFile string - The certificate file path
decodeRsaPublicKeyFromContent
Isolated Function
Decodes the RSA public key from the given public certificate content.
byte[] certContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromContent(certContent);
Parameters
- content byte[] - The certificate content as a byte array
decodeRsaPublicKeyFromTrustStore
Isolated Function
function decodeRsaPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the RSA public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(trustStore, "keyAlias");
Parameters
- trustStore TrustStore - The trustStore configurations containing the file path and password
- keyAlias string - The alias of the public key in the TrustStore
decryptAesCbc
Isolated Function
function decryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|ErrorReturns the AES-CBC-decrypted value for the given AES-CBC-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector); byte[] plainText = check crypto:decryptAesCbc(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- key byte[] - The encryption key used for AES-CBC decryption
- iv byte[] - The initialization vector used to initialize the AES-CBC decryption process
- padding AesPadding (default PKCS5) - The padding algorithm to use. Supported value is
PKCS5
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif the key, IV, or padding is invalid
decryptAesEcb
Isolated Function
function decryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|ErrorReturns the AES-ECB-decrypted value for the given AES-ECB-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key); byte[] plainText = check crypto:decryptAesEcb(cipherText, key);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- key byte[] - The encryption key used for AES-ECB decryption
- padding AesPadding (default PKCS5) - The padding algorithm to use. Supported value is
PKCS5
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif the key or padding is invalid
decryptAesGcm
Isolated Function
function decryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|ErrorReturns the AES-GCM-decrypted value for the given AES-GCM-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector); byte[] plainText = check crypto:decryptAesGcm(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- key byte[] - The encryption key used for AES-GCM decryption
- iv byte[] - The initialization vector used to initialize the AES-GCM decryption process
- padding AesPadding (default PKCS5) - The padding algorithm to use. Supported value is
PKCS5
- tagSize int (default 128) - The size of the authentication tag in bits. Valid values are 128, 120, 112, 104, or 96
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif the key, IV, or tag size is invalid
decryptMlKem768Hpke
Isolated Function
function decryptMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey privateKey, AesKeySize symmetricKeySize) returns byte[]|ErrorReturns the ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptMlKem768Hpke(cipherText, encapsulatedKey, privateKey);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- encapsulatedKey byte[] - The encapsulated secret, provided as a byte array representing the encrypted key material
- privateKey PrivateKey - The MlKem private key used for decryption, provided as a
crypto:PrivateKeyrecord
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key in bytes
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif an error occurs
decryptPgp
Isolated Function
Returns the PGP-decrypted value of the given PGP-encrypted data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc"); byte[] passphrase = check io:fileReadBytes("pass_phrase.txt"); byte[] decryptedMessage = check crypto:decryptPgp(cipherText, "private_key.asc", passphrase);
Parameters
- cipherText byte[] - The encrypted content to be decrypted, provided as a byte array
- privateKey string - Path to the private key file in ASCII-armored format
- passphrase byte[] - The passphrase used to unlock the private key
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif the key or passphrase is invalid
decryptRsaEcb
Isolated Function
function decryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|ErrorReturns the RSA-decrypted value for the given RSA-encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey); byte[] plainText = check crypto:decryptRsaEcb(cipherText, privateKey);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- key PrivateKey|PublicKey - The RSA key (private or public) used for decryption. The key must be compatible with the RSA algorithm
- padding RsaPadding (default PKCS1) - The padding algorithm to use. Supported values are
PKCS1,OAEPwithMD5andMGF1,OAEPWithSHA1AndMGF1,OAEPWithSHA256AndMGF1,OAEPwithSHA384andMGF1, andOAEPwithSHA512andMGF1
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif the key is invalid or an error occurs during decryption
decryptRsaKemMlKem768Hpke
Isolated Function
function decryptRsaKemMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey, AesKeySize symmetricKeySize) returns byte[]|ErrorReturns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptRsaKemMlKem768Hpke(cipherText, encapsulatedKey, rsaPrivateKey, mlkemPrivateKey);
Parameters
- input byte[] - The content to be decrypted, provided as a byte array
- encapsulatedKey byte[] - The encapsulated secret, provided as a byte array representing the encrypted key material
- rsaPrivateKey PrivateKey - The RSA private key used for decryption, provided as a
crypto:PrivateKeyrecord
- mlkemPrivateKey PrivateKey - The MlKem private key used for decryption, provided as a
crypto:PrivateKeyrecord
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key in bytes
Return Type
- byte[]|Error - The decrypted data as a byte array, or a
crypto:Errorif an error occurs
decryptStreamFromPgp
Isolated Function
function decryptStreamFromPgp(stream<byte[], error?> inputStream, string privateKey, byte[] passphrase) returns stream<byte[], Error?>|ErrorReturns the PGP-decrypted stream of the content given in the input stream.
byte[] passphrase = check io:fileReadBytes("pass_phrase.txt"); stream<byte[], error?> inputStream = check io:fileReadBlocksAsStream("pgb_encrypted.txt"); stream<byte[], crypto:Error?>|crypto:Error decryptedStream = crypto:decryptStreamFromPgp(inputStream, "private_key.asc", passphrase);
Parameters
- privateKey string - Path to the private key file in ASCII-armored format
- passphrase byte[] - The passphrase used to unlock the private key
encapsulateMlKem768
Isolated Function
function encapsulateMlKem768(PublicKey publicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the ML-KEM-768 (Kyber768) public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey);
Parameters
- publicKey PublicKey - The ML-KEM-768 public key used for encapsulation, provided as a
crypto:PublicKeyrecord
Return Type
- EncapsulationResult|Error - The encapsulated secret as a
crypto:EncapsulationResult, or acrypto:Errorif the public key is invalid
encapsulateRsaKem
Isolated Function
function encapsulateRsaKem(PublicKey publicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the RSA public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey);
Parameters
- publicKey PublicKey - The RSA public key used for encapsulation, provided as a
crypto:PublicKeyrecord
Return Type
- EncapsulationResult|Error - The encapsulated secret as a
crypto:EncapsulationResult, or acrypto:Errorif the public key is invalid
encapsulateRsaKemMlKem768
Isolated Function
function encapsulateRsaKemMlKem768(PublicKey rsaPublicKey, PublicKey mlkemPublicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) public keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey);
Parameters
- rsaPublicKey PublicKey - The RSA public key used for encapsulation, provided as a
crypto:PublicKeyrecord
- mlkemPublicKey PublicKey - The ML-KEM-768 public key used for encapsulation, provided as a
crypto:PublicKeyrecord
Return Type
- EncapsulationResult|Error - The encapsulated secret as a
crypto:EncapsulationResult, or acrypto:Errorif the key size or public keys are invalid
encryptAesCbc
Isolated Function
function encryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|ErrorReturns the AES-CBC-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- key byte[] - The encryption key used for AES-CBC encryption
- iv byte[] - The initialization vector used to initialize the AES-CBC encryption process
- padding AesPadding (default PKCS5) - The padding algorithm to use. Supported value is
PKCS5
Return Type
- byte[]|Error - The encrypted data as a byte array, or a
crypto:Errorif the key, IV, or padding is invalid
encryptAesEcb
Isolated Function
function encryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|ErrorReturns the AES-ECB-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- key byte[] - The encryption key used for AES-ECB encryption
- padding AesPadding (default PKCS5) - The padding algorithm to use. Supported value is
PKCS5
Return Type
- byte[]|Error - The encrypted data as a byte array, or a
crypto:Errorif the key or padding is invalid
encryptAesGcm
Isolated Function
function encryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|ErrorReturns the AES-GCM-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- key byte[] - The encryption key used for AES-GCM encryption
- iv byte[] - The initialization vector used to initialize the AES-GCM encryption process
- padding AesPadding (default NONE) - The padding algorithm to use. Supported value is
PKCS5
- tagSize int (default 128) - The size of the authentication tag in bits. Valid values are 128, 120, 112, 104, or 96
Return Type
- byte[]|Error - The encrypted data as a byte array, or a
crypto:Errorif the key, IV, or tag size is invalid
encryptMlKem768Hpke
Isolated Function
function encryptMlKem768Hpke(byte[] input, PublicKey publicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|ErrorReturns the ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- publicKey PublicKey - The public key used for encryption, provided as a
crypto:PublicKeyrecord
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key in bytes
Return Type
- HybridEncryptionResult|Error - The encrypted data as a
crypto:HybridEncryptionResult, or acrypto:Errorif an error occurs
encryptPgp
Isolated Function
Returns the PGP-encrypted value for the given data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc");
Parameters
- plainText byte[] - The content to be encrypted, provided as a byte array
- publicKey string - Path to the public key file in ASCII-armored format
- options *Options - Optional PGP encryption options, such as compression or cipher preferences
Return Type
- byte[]|Error - The encrypted data as a byte array, or a
crypto:Errorif the public key is invalid or an error occurs during encryption
encryptRsaEcb
Isolated Function
function encryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|ErrorReturns the RSA-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- key PrivateKey|PublicKey - The RSA key (private or public) used for encryption. The key must be compatible with the RSA algorithm
- padding RsaPadding (default PKCS1) - The padding algorithm to use. Supported values are
PKCS1,OAEPwithMD5andMGF1,OAEPWithSHA1AndMGF1,OAEPWithSHA256AndMGF1,OAEPwithSHA384andMGF1, andOAEPwithSHA512andMGF1
Return Type
- byte[]|Error - The encrypted data as a byte array, or a
crypto:Errorif the key is invalid or an error occurs during encryption
encryptRsaKemMlKem768Hpke
Isolated Function
function encryptRsaKemMlKem768Hpke(byte[] input, PublicKey rsaPublicKey, PublicKey mlkemPublicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|ErrorReturns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey);
Parameters
- input byte[] - The content to be encrypted, provided as a byte array
- rsaPublicKey PublicKey - The RSA public key used for encryption, provided as a
crypto:PublicKeyrecord
- mlkemPublicKey PublicKey - The ML-KEM public key used for encryption, provided as a
crypto:PublicKeyrecord
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key in bytes
Return Type
- HybridEncryptionResult|Error - The encrypted data as a
crypto:HybridEncryptionResult, or acrypto:Errorif an error occurs
encryptStreamAsPgp
Isolated Function
function encryptStreamAsPgp(stream<byte[], error?> inputStream, string publicKey, *Options options) returns stream<byte[], Error?>|ErrorReturns the PGP-encrypted stream of the content given in the input stream.
stream<byte[], error?> inputStream = check io:fileReadBlocksAsStream("input.txt"); stream<byte[], crypto:Error?>|crypto:Error encryptedStream = crypto:encryptStreamAsPgp(inputStream, "public_key.asc");
hashArgon2
Isolated Function
function hashArgon2(string password, int iterations, int memory, int parallelism) returns string|ErrorReturns an Argon2id hash of the given password with optional parameters.
string password = "mySecurePassword123"; string|crypto:Error hash = crypto:hashArgon2(password);
hashBcrypt
Isolated Function
Returns a BCrypt hash of the given password with optional work factor.
string password = "mySecurePassword123"; string|crypto:Error hash = crypto:hashBcrypt(password);
hashKeccak256
Isolated Function
function hashKeccak256(byte[] input, byte[]? salt) returns byte[]Returns the Keccak-256 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashKeccak256(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The Keccak-256 hash of the input data as a byte array
hashMd5
Isolated Function
function hashMd5(byte[] input, byte[]? salt) returns byte[]Returns the MD5 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashMd5(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The MD5 hash of the input data as a byte array
hashPbkdf2
Isolated Function
function hashPbkdf2(string password, int iterations, HmacAlgorithm algorithm) returns string|ErrorReturns a PBKDF2 hash of the given password with optional parameters.
string password = "mySecurePassword123"; string|crypto:Error hash = crypto:hashPbkdf2(password);
Parameters
- password string - The password string to be hashed
- iterations int (default 10000) - Optional number of iterations. Default is 10000. Must be a positive integer.
- algorithm HmacAlgorithm (default SHA256) - Optional HMAC algorithm (
SHA1,SHA256,SHA512). Default is SHA256
hashSha1
Isolated Function
function hashSha1(byte[] input, byte[]? salt) returns byte[]Returns the SHA-1 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha1(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The SHA-1 hash of the input data as a byte array
hashSha256
Isolated Function
function hashSha256(byte[] input, byte[]? salt) returns byte[]Returns the SHA-256 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha256(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The SHA-256 hash of the input data as a byte array
hashSha384
Isolated Function
function hashSha384(byte[] input, byte[]? salt) returns byte[]Returns the SHA-384 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha384(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The SHA-384 hash of the input data as a byte array
hashSha512
Isolated Function
function hashSha512(byte[] input, byte[]? salt) returns byte[]Returns the SHA-512 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha512(data);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- salt byte[]? (default ()) - Optional salt to be added to the input, provided as a byte array
Return Type
- byte[] - The SHA-512 hash of the input data as a byte array
hkdfSha256
Isolated Function
Returns HKDF (HMAC-based Key Derivation Function) using SHA-256 as the hash function.
string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hash = crypto:hkdfSha256(key, 32);
Parameters
- input byte[] - The input key material, provided as a byte array
- length int - The length of the output keying material (OKM) in bytes. Must be a positive integer
- salt byte[] (default []) - An optional salt value, provided as a byte array. Defaults to an empty array if not specified
- info byte[] (default []) - An optional context and application-specific information, provided as a byte array. Defaults to an empty array if not specified
Return Type
- byte[]|Error - The derived keying material (OKM) of the specified length as a byte array, or a
crypto:Errorif an error occurs
hmacMd5
Isolated Function
function hmacMd5(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the MD5 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacMd5(data, key);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- key byte[] - The secret key used for HMAC generation, provided as a byte array
Return Type
- byte[]|Error - The HMAC output as a byte array, or a
crypto:Errorif an error occurred
hmacSha1
Isolated Function
function hmacSha1(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-1 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha1(data, key);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- key byte[] - The secret key used for HMAC generation, provided as a byte array
Return Type
- byte[]|Error - The HMAC output as a byte array, or a
crypto:Errorif an error occurred
hmacSha256
Isolated Function
function hmacSha256(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-256 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha256(data, key);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- key byte[] - The secret key used for HMAC generation, provided as a byte array
Return Type
- byte[]|Error - The HMAC output as a byte array, or a
crypto:Errorif an error occurred
hmacSha384
Isolated Function
function hmacSha384(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-384 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha384(data, key);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- key byte[] - The secret key used for HMAC generation, provided as a byte array
Return Type
- byte[]|Error - The HMAC output as a byte array, or a
crypto:Errorif an error occurred
hmacSha512
Isolated Function
function hmacSha512(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-512 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha512(data, key);
Parameters
- input byte[] - The data to be hashed, provided as a byte array
- key byte[] - The secret key used for HMAC generation, provided as a byte array
Return Type
- byte[]|Error - The HMAC output as a byte array, or a
crypto:Errorif an error occurred
signMlDsa65
Isolated Function
function signMlDsa65(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the MlDsa65 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaMd5
Isolated Function
function signRsaMd5(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-MD5 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha1
Isolated Function
function signRsaSha1(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA1 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha256
Isolated Function
function signRsaSha256(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA256 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha384
Isolated Function
function signRsaSha384(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA384 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha512
Isolated Function
function signRsaSha512(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA512 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSsaPss256
Isolated Function
function signRsaSsaPss256(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSASSA-PSS with SHA-256 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSsaPss256(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signSha256withEcdsa
Isolated Function
function signSha256withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the SHA256withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signSha384withEcdsa
Isolated Function
function signSha384withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the SHA384withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed as a byte array
- privateKey PrivateKey - The private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
verifyArgon2
Isolated Function
Verifies if a password matches an Argon2id hashed password.
string password = "mySecurePassword123"; string hashedPassword = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$hash"; boolean|crypto:Error matches = crypto:verifyArgon2(password, hashedPassword);
verifyBcrypt
Isolated Function
Verifies if a password matches a BCrypt hashed password.
string password = "mySecurePassword123"; string hashedPassword = "$2a$12$LQV3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewYpwBAM7RHF.H9m"; boolean|crypto:Error matches = crypto:verifyBcrypt(password, hashedPassword);
verifyMlDsa65Signature
Isolated Function
function verifyMlDsa65Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the MlDsa65 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyMlDsa65Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyPbkdf2
Isolated Function
Verifies if a password matches a PBKDF2 hashed password.
string password = "mySecurePassword123"; string hashedPassword = "$pbkdf2-sha256$i=10000$salt$hash"; boolean|crypto:Error matches = crypto:verifyPbkdf2(password, hashedPassword);
verifyRsaMd5Signature
Isolated Function
function verifyRsaMd5Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-MD5 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaMd5Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyRsaSha1Signature
Isolated Function
function verifyRsaSha1Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA1 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha1Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyRsaSha256Signature
Isolated Function
function verifyRsaSha256Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA256 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha256Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyRsaSha384Signature
Isolated Function
function verifyRsaSha384Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA384 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha384Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyRsaSha512Signature
Isolated Function
function verifyRsaSha512Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA512 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha512Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifyRsaSsaPss256Signature
Isolated Function
function verifyRsaSsaPss256Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSASSA-PSS with SHA-256 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSsaPss256(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSsaPss256Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifySha256withEcdsaSignature
Isolated Function
function verifySha256withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the SHA256withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha256withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
verifySha384withEcdsaSignature
Isolated Function
function verifySha384withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the SHA384withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha384withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified as a byte array
- signature byte[] - The signature value as a byte array
- publicKey PublicKey - The public key used for verification
Constants
crypto: MLDSA65
Represents the ML-DSA-65 algorithm.
crypto: MLKEM768
Represents the ML-KEM-768 algorithm.
crypto: NONE
No padding for encryption or decryption.
crypto: OAEPwithMD5andMGF1
The OAEP padding mode with MD5 and MGF1 for RSA encryption and decryption.
crypto: OAEPWithSHA1AndMGF1
The OAEP padding mode with SHA-1 and MGF1 for RSA encryption and decryption.
crypto: OAEPWithSHA256AndMGF1
The OAEP padding mode with SHA-256 and MGF1 for RSA encryption and decryption.
crypto: OAEPwithSHA384andMGF1
The OAEP padding mode with SHA-384 and MGF1 for RSA encryption and decryption.
crypto: OAEPwithSHA512andMGF1
The OAEP padding mode with SHA-512 and MGF1 for RSA encryption and decryption.
crypto: PKCS1
The PKCS1 padding mode for RSA encryption and decryption.
crypto: PKCS5
The PKCS5 padding mode for AES encryption and decryption.
crypto: RSA
Represents the RSA algorithm.
Enums
crypto: CompressionAlgorithmTags
Represents the compression algorithms available in PGP.
Members
UNCOMPRESSED - No compression is applied
ZIP - Uses ZIP compression as defined in RFC 1951
ZLIB - Uses ZLIB compression as defined in RFC 1950
BZIP2 - Uses Burrows–Wheeler algorithm for compression
crypto: HmacAlgorithm
Supported HMAC algorithms for PBKDF2
Members
SHA1
SHA256
SHA512
crypto: SymmetricKeyAlgorithmTags
Represent the symmetric key algorithms available in PGP.
Members
NULL - No encryption is applied
IDEA - Uses the IDEA symmetric key algorithm
TRIPLE_DES - Uses the Triple DES symmetric key algorithm
CAST5 - Uses the CAST5 symmetric key algorithm
BLOWFISH - Uses the Blowfish symmetric key algorithm
SAFER - Uses the SAFER symmetric key algorithm
DES - Uses the DES symmetric key algorithm
AES_128 - Uses the AES 128-bit symmetric key algorithm
AES_192 - Uses the AES 192-bit symmetric key algorithm
AES_256 - Uses the AES 256-bit symmetric key algorithm for high security
TWOFISH - Uses the Twofish symmetric key algorithm
CAMELLIA_128 - Uses the Camellia 128-bit symmetric key algorithm
CAMELLIA_192 - Uses the Camellia 192-bit symmetric key algorithm
CAMELLIA_256
Records
crypto: Certificate
Closed record
Represents the X509 public key certificate information.
Fields
- version0 int - Version number of the certificate
- serial int - Serial number of the certificate
- issuer string - Issuer name of the certificate
- subject string - Subject name of the certificate
- notBefore Utc - The start of the validity period of the certificate
- notAfter Utc - The end of the validity period of the certificate
- signature byte[] - Raw signature bits of the certificate
- signingAlgorithm string - The algorithm used to sign the certificate
crypto: EncapsulationResult
Closed record
Represents the shared secret and its encapsulation used in Key Encapsulation Mechanism (KEM).
Fields
- encapsulatedSecret byte[] - The encapsulated secret, provided as a byte array
crypto: HybridEncryptionResult
Closed record
Represents the encapsulated secret and the ciphertext used in Hybrid Public Key Encryption (HPKE).
Fields
- encapsulatedSecret byte[] - The encapsulated secret as a byte array
- cipherText byte[] - The encrypted data as a byte array
crypto: KeyStore
Closed record
Represents the KeyStore-related configurations.
Fields
- path string - The KeyStore file path
- password string - The KeyStore password
crypto: Options
Closed record
Represents the PGP encryption options.
Fields
- compressionAlgorithm CompressionAlgorithmTags(default ZIP) - Specifies the compression algorithm used for PGP encryption
- symmetricKeyAlgorithm SymmetricKeyAlgorithmTags(default AES_256) - Specifies the symmetric key algorithm used for encryption
- armor boolean(default true) - Indicates whether ASCII armor is enabled for the encrypted output
- withIntegrityCheck boolean(default true) - Indicates whether an integrity check is included in the encryption
crypto: PrivateKey
Closed record
Represents the private key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Specifies the cryptographic algorithm used for the private key. Must be one of the supported algorithms (RSA, MLKEM768, MLDSA65)
crypto: PublicKey
Closed record
Represents the public key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Specifies the cryptographic algorithm used for the public key. Must be one of the supported algorithms (RSA, MLKEM768, MLDSA65)
- certificate? Certificate - Optional X.509 certificate associated with the public key
crypto: TrustStore
Closed record
Represents the truststore-related configurations.
Fields
- path string - The TrustStore file path
- password string - The TrustStore password
Errors
crypto: Error
Distinct
Represents the error type of the module.
Union types
crypto: AesKeySize
AesKeySize
Represents the supported symmetric key sizes for AES algorithm.
crypto: AesPadding
AesPadding
The padding algorithms supported by AES encryption and decryption.
crypto: RsaPadding
RsaPadding
The padding algorithms supported with RSA encryption and decryption.