Module crypto
ballerina/crypto Ballerina library
2.8.0
Overview
This module provides common cryptographic mechanisms based on different algorithms.
The Ballerina crypto module facilitates APIs to do operations like hashing, HMAC generation, checksum generation, encryption, decryption, signing data digitally, verifying digitally signed data, etc., with different cryptographic algorithms.
Hashes
The crypto module supports generating hashes with 6 different hash algorithms MD5, SHA1, SHA256, SHA384, SHA512, and Keccak256. Also, it supports generating the CRC32B checksum.
HMAC
The crypto module supports generating HMAC with 5 different hash algorithms: MD5, SHA1, SHA256, SHA384, and SHA512.
Decode private/public key
The crypto module supports decoding the RSA private key from a .p12 file and a key file in the PEM format. Also, it supports decoding a public key from a .p12 file and a certificate file in the X509 format. Additionally, this supports building an RSA public key with the modulus and exponent parameters.
Encrypt and decrypt
The crypto module supports both symmetric key encryption/decryption and asymmetric key encryption/decryption. The RSA algorithm can be used for asymmetric-key encryption/decryption with the use of private and public keys. The AES algorithm can be used for symmetric-key encryption/decryption with the use of a shared key.
Sign and verify
The crypto module supports signing data using the RSA private key and verification of the signature using the RSA public key. This supports MD5, SHA1, SHA256, SHA384, and SHA512 digesting algorithms, and ML-DSA-65 post-quantum signature algorithm as well.
Key Derivation Functions (KDF)
The crypto module supports HMAC-based Key Derivation Function (HKDF). HKDF is a key derivation function that uses a Hash-based Message Authentication Code (HMAC) to derive keys.
Key Exchange Mechanisms (KEM)
The crypto module supports Key Exchange Mechanisms (KEM). It includes RSA-KEM and post-quantum ML-KEM-768 for both encapsulation and decapsulation.
Hybrid Public Key Encryption (HPKE)
The crypto module supports Hybrid Public Key Encryption (HPKE). It supports post-quantum ML-KEM-768-HPKE and RSA-KEM-ML-KEM-768-HPKE for encryption and decryption.
Functions
buildRsaPublicKey
Isolated Function
Builds the RSA public key from the given modulus and exponent parameters.
string modulus = "luZFdW1ynitztkWLC6xKegbRWxky..."; string exponent = "AQAB"; crypto:PublicKey publicKey = check crypto:buildRsaPublicKey(modulus, exponent);
crc32b
Isolated Function
function crc32b(byte[] input) returns stringReturns the Hex-encoded CRC32B value for the given data.
string stringData = "Hello Ballerina"; byte[] data = stringData.toBytes(); string checksum = crypto:crc32b(data);
Parameters
- input byte[] - Value for checksum generation
Return Type
- string - The generated checksum
decapsulateMlKem768
Isolated Function
function decapsulateMlKem768(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|ErrorDecapsulates the ML-KEM-768 (Kyber768) shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateMlKem768(encapsulatedSecret, privateKey);
Return Type
- byte[]|Error - Shared secret or else a
crypto:Errorif the encapsulatedSecret or the private key is invalid
decapsulateRsaKem
Isolated Function
function decapsulateRsaKem(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|ErrorDecapsulates the shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKem(encapsulatedSecret, privateKey);
Return Type
- byte[]|Error - Shared secret or else a
crypto:Errorif the encapsulatedSecret or the private key is invalid
decapsulateRsaKemMlKem768
Isolated Function
function decapsulateRsaKemMlKem768(byte[] encapsulatedSecret, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey) returns byte[]|ErrorDecapsulates the shared secret used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) private keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKemMlKem768(encapsulatedSecret, rsaPrivateKey, mlkemPrivateKey);
Parameters
- encapsulatedSecret byte[] - Encapsulated secret
- rsaPrivateKey PrivateKey - RSA private key
- mlkemPrivateKey PrivateKey - MlKem private key
Return Type
- byte[]|Error - Shared secret or else a
crypto:Errorif the keysize or private keys are invalid
decodeEcPrivateKeyFromKeyFile
Isolated Function
function decodeEcPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the EC private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeEcPrivateKeyFromKeyStore
Isolated Function
function decodeEcPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the EC private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeEcPublicKeyFromCertFile
Isolated Function
Decodes the EC public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeEcPublicKeyFromTrustStore
Isolated Function
function decodeEcPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the EC public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(trustStore, "keyAlias");
decodeMlDsa65PrivateKeyFromKeyFile
Isolated Function
function decodeMlDsa65PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the ML-DSA-65 (Dilithium3) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlDsa65PrivateKeyFromKeyStore
Isolated Function
function decodeMlDsa65PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the ML-DSA-65 (Dilithium3) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlDsa65PublicKeyFromCertFile
Isolated Function
Decodes the ML-DSA-65 (Dilithium3) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeMlDsa65PublicKeyFromTrustStore
Isolated Function
function decodeMlDsa65PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the ML-DSA-65 (Dilithium3) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(trustStore, "keyAlias");
decodeMlKem768PrivateKeyFromKeyFile
Isolated Function
function decodeMlKem768PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the ML-KEM-768 (Kyber768) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlKem768PrivateKeyFromKeyStore
Isolated Function
function decodeMlKem768PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the ML-KEM-768 (Kyber768) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeMlKem768PublicKeyFromCertFile
Isolated Function
Decodes the ML-KEM-768 (Kyber768) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeMlKem768PublicKeyFromTrustStore
Isolated Function
function decodeMlKem768PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the ML-KEM-768 (Kyber768) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(trustStore, "keyAlias");
decodeRsaPrivateKeyFromContent
Isolated Function
function decodeRsaPrivateKeyFromContent(byte[] content, string? keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given private key content as a byte array.
byte[] keyFileContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromContent(keyFileContent, "keyPassword");
Parameters
- content byte[] - Private key content as a byte array
- keyPassword string? (default ()) - Password of the private key if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPrivateKeyFromKeyFile
Isolated Function
function decodeRsaPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPrivateKeyFromKeyStore
Isolated Function
function decodeRsaPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|ErrorDecodes the RSA private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Errorif the private key was unreadable
decodeRsaPublicKeyFromCertFile
Isolated Function
Decodes the RSA public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeRsaPublicKeyFromContent
Isolated Function
Decodes the RSA public key from the given public certificate content.
byte[] certContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromContent(certContent);
Parameters
- content byte[] - The certificate content as a byte array
decodeRsaPublicKeyFromTrustStore
Isolated Function
function decodeRsaPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|ErrorDecodes the RSA public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(trustStore, "keyAlias");
decryptAesCbc
Isolated Function
function decryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|ErrorReturns the AES-CBC-decrypted value for the given AES-CBC-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector); byte[] plainText = check crypto:decryptAesCbc(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif the key is invalid
decryptAesEcb
Isolated Function
function decryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|ErrorReturns the AES-ECB-decrypted value for the given AES-ECB-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key); byte[] plainText = check crypto:decryptAesEcb(cipherText, key);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif the key is invalid
decryptAesGcm
Isolated Function
function decryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|ErrorReturns the AES-GCM-decrypted value for the given AES-GCM-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector); byte[] plainText = check crypto:decryptAesGcm(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
- tagSize int (default 128) - Tag size
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif the key is invalid
decryptMlKem768Hpke
Isolated Function
function decryptMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey privateKey, AesKeySize symmetricKeySize) returns byte[]|ErrorReturns the ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptMlKem768Hpke(cipherText, encapsulatedKey, privateKey);
Parameters
- input byte[] - The content to be decrypted
- encapsulatedKey byte[] - The encapsulated secret
- privateKey PrivateKey - The MlKem private key used for decryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif error occurs
decryptPgp
Isolated Function
Returns the PGP-decrypted value of the given PGP-encrypted data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc"); byte[] passphrase = check io:fileReadBytes("pass_phrase.txt"); byte[] decryptedMessage = check crypto:decryptPgp(cipherText, "private_key.asc", passphrase);
Parameters
- cipherText byte[] - The encrypted content to be decrypted
- privateKey string - Path to the private key
- passphrase byte[] - passphrase of the private key
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif the key or passphrase is invalid
decryptRsaEcb
Isolated Function
function decryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|ErrorReturns the RSA-decrypted value for the given RSA-encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey); byte[] plainText = check crypto:decryptRsaEcb(cipherText, privateKey);
Parameters
- input byte[] - The content to be decrypted
- key PrivateKey|PublicKey - Private or public key used for encryption
- padding RsaPadding (default PKCS1) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif the key is invalid
decryptRsaKemMlKem768Hpke
Isolated Function
function decryptRsaKemMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey, AesKeySize symmetricKeySize) returns byte[]|ErrorReturns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptRsaKemMlKem768Hpke(cipherText, encapsulatedKey, rsaPrivateKey, mlkemPrivateKey);
Parameters
- input byte[] - The content to be decrypted
- encapsulatedKey byte[] - The encapsulated secret
- rsaPrivateKey PrivateKey - The RSA private key used for decryption
- mlkemPrivateKey PrivateKey - The MlKem private key used for decryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Errorif error occurs
decryptStreamFromPgp
Isolated Function
function decryptStreamFromPgp(stream<byte[], error?> inputStream, string privateKey, byte[] passphrase) returns stream<byte[], Error?>|ErrorReturns the PGP-decrypted stream of the content given in the input stream.
byte[] passphrase = check io:fileReadBytes("pass_phrase.txt"); stream<byte[], error?> inputStream = check io:fileReadBlocksAsStream("pgb_encrypted.txt"); stream<byte[], crypto:Error?>|crypto:Error decryptedStream = crypto:decryptStreamFromPgp(inputStream, "private_key.asc", passphrase);
Parameters
- privateKey string - Path to the private key
- passphrase byte[] - passphrase of the private key
encapsulateMlKem768
Isolated Function
function encapsulateMlKem768(PublicKey publicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the ML-KEM-768 (Kyber768) public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey);
Parameters
- publicKey PublicKey - Public key
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Errorif the public key is invalid
encapsulateRsaKem
Isolated Function
function encapsulateRsaKem(PublicKey publicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the RSA public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey);
Parameters
- publicKey PublicKey - Public key
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Errorif the public key is invalid
encapsulateRsaKemMlKem768
Isolated Function
function encapsulateRsaKemMlKem768(PublicKey rsaPublicKey, PublicKey mlkemPublicKey) returns EncapsulationResult|ErrorCreates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) public keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey);
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Errorif the keysize or public keys are invalid
encryptAesCbc
Isolated Function
function encryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|ErrorReturns the AES-CBC-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Errorif the key is invalid
encryptAesEcb
Isolated Function
function encryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|ErrorReturns the AES-ECB-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Errorif the key is invalid
encryptAesGcm
Isolated Function
function encryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|ErrorReturns the AES-GCM-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default NONE) - The padding algorithm
- tagSize int (default 128) - Tag size
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Errorif the key is invalid
encryptMlKem768Hpke
Isolated Function
function encryptMlKem768Hpke(byte[] input, PublicKey publicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|ErrorReturns the ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey);
Parameters
- input byte[] - The content to be encrypted
- publicKey PublicKey - Public key used for encryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- HybridEncryptionResult|Error - Encrypted data or else a
crypto:Errorif an error occurs
encryptPgp
Isolated Function
Returns the PGP-encrypted value for the given data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc");
Parameters
- plainText byte[] - The content to be encrypted
- publicKey string - Path to the public key
- options *Options - PGP encryption options
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Errorif the key is invalid
encryptRsaEcb
Isolated Function
function encryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|ErrorReturns the RSA-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey);
Parameters
- input byte[] - The content to be encrypted
- key PrivateKey|PublicKey - Private or public key used for encryption
- padding RsaPadding (default PKCS1) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Errorif the key is invalid
encryptRsaKemMlKem768Hpke
Isolated Function
function encryptRsaKemMlKem768Hpke(byte[] input, PublicKey rsaPublicKey, PublicKey mlkemPublicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|ErrorReturns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey);
Parameters
- input byte[] - The content to be encrypted
- rsaPublicKey PublicKey - The RSA public key used for encryption
- mlkemPublicKey PublicKey - The MlKem public key used for encryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- HybridEncryptionResult|Error - Encrypted data or else a
crypto:Errorif an error occurs
encryptStreamAsPgp
Isolated Function
function encryptStreamAsPgp(stream<byte[], error?> inputStream, string publicKey, *Options options) returns stream<byte[], Error?>|ErrorReturns the PGP-encrypted stream of the content given in the input stream.
stream<byte[], error?> inputStream = check io:fileReadBlocksAsStream("input.txt"); stream<byte[], crypto:Error?>|crypto:Error encryptedStream = crypto:encryptStreamAsPgp(inputStream, "public_key.asc");
hashArgon2
Isolated Function
function hashArgon2(string password, int iterations, int memory, int parallelism) returns string|ErrorReturns an Argon2id hash of the given password with optional parameters.
string password = "mySecurePassword123"; string|crypto:Error hash = crypto:hashArgon2(password);
hashBcrypt
Isolated Function
Returns a BCrypt hash of the given password with optional work factor.
string password = "mySecurePassword123"; string|crypto:Error hash = crypto:hashBcrypt(password);
hashKeccak256
Isolated Function
function hashKeccak256(byte[] input, byte[]? salt) returns byte[]Returns the Keccak-256 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashKeccak256(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashMd5
Isolated Function
function hashMd5(byte[] input, byte[]? salt) returns byte[]Returns the MD5 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashMd5(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha1
Isolated Function
function hashSha1(byte[] input, byte[]? salt) returns byte[]Returns the SHA-1 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha1(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha256
Isolated Function
function hashSha256(byte[] input, byte[]? salt) returns byte[]Returns the SHA-256 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha256(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha384
Isolated Function
function hashSha384(byte[] input, byte[]? salt) returns byte[]Returns the SHA-384 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha384(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha512
Isolated Function
function hashSha512(byte[] input, byte[]? salt) returns byte[]Returns the SHA-512 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha512(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hkdfSha256
Isolated Function
Returns HKDF (HMAC-based Key Derivation Function) using SHA-256 as the hash function.
string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hash = crypto:hkdfSha256(key, 32);
Parameters
- input byte[] - The input key material to derive the key from
- length int - The length of the output keying material (OKM) in bytes
- salt byte[] (default []) - Optional salt value, a non-secret random value
- info byte[] (default []) - Optional context and application-specific information
Return Type
- byte[]|Error - The derived keying material (OKM) of the specified length
hmacMd5
Isolated Function
function hmacMd5(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the MD5 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacMd5(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Errorif an error occurred
hmacSha1
Isolated Function
function hmacSha1(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-1 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha1(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Errorif an error occurred
hmacSha256
Isolated Function
function hmacSha256(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-256 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha256(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Errorif an error occurred
hmacSha384
Isolated Function
function hmacSha384(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-384 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha384(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Errorif an error occurred
hmacSha512
Isolated Function
function hmacSha512(byte[] input, byte[] key) returns byte[]|ErrorReturns the HMAC using the SHA-512 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha512(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Errorif an error occurred
signMlDsa65
Isolated Function
function signMlDsa65(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the MlDsa65 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaMd5
Isolated Function
function signRsaMd5(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-MD5 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha1
Isolated Function
function signRsaSha1(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA1 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha256
Isolated Function
function signRsaSha256(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA256 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha384
Isolated Function
function signRsaSha384(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA384 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signRsaSha512
Isolated Function
function signRsaSha512(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the RSA-SHA512 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signSha256withEcdsa
Isolated Function
function signSha256withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the SHA256withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
signSha384withEcdsa
Isolated Function
function signSha384withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|ErrorReturns the SHA384withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Errorif the private key is invalid
verifyArgon2
Isolated Function
Verifies if a password matches an Argon2id hashed password.
string password = "mySecurePassword123"; string hashedPassword = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$hash"; boolean|crypto:Error matches = crypto:verifyArgon2(password, hashedPassword);
verifyBcrypt
Isolated Function
Verifies if a password matches a BCrypt hashed password.
string password = "mySecurePassword123"; string hashedPassword = "$2a$12$LQV3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewYpwBAM7RHF.H9m"; boolean|crypto:Error matches = crypto:verifyBcrypt(password, hashedPassword);
verifyMlDsa65Signature
Isolated Function
function verifyMlDsa65Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the MlDsa65 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyMlDsa65Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaMd5Signature
Isolated Function
function verifyRsaMd5Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-MD5 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaMd5Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha1Signature
Isolated Function
function verifyRsaSha1Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA1 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha1Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha256Signature
Isolated Function
function verifyRsaSha256Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA256 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha256Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha384Signature
Isolated Function
function verifyRsaSha384Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA384 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha384Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha512Signature
Isolated Function
function verifyRsaSha512Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the RSA-SHA512 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha512Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifySha256withEcdsaSignature
Isolated Function
function verifySha256withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the SHA256withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha256withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifySha384withEcdsaSignature
Isolated Function
function verifySha384withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|ErrorVerifies the SHA384withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha384withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
Constants
crypto: MLDSA65
The ML-DSA-65 algorithm.
crypto: MLKEM768
The ML-KEM-768 algorithm.
crypto: NONE
No padding.
crypto: OAEPwithMD5andMGF1
The OAEPwithMD5andMGF1 padding mode.
crypto: OAEPWithSHA1AndMGF1
The OAEPWithSHA1AndMGF1 padding mode.
crypto: OAEPWithSHA256AndMGF1
The OAEPWithSHA256AndMGF1 padding mode.
crypto: OAEPwithSHA384andMGF1
The OAEPwithSHA384andMGF1 padding mode.
crypto: OAEPwithSHA512andMGF1
The OAEPwithSHA512andMGF1 padding mode.
crypto: PKCS1
The PKCS1 padding mode.
crypto: PKCS5
The PKCS5 padding mode.
crypto: RSA
The RSA algorithm.
Enums
crypto: CompressionAlgorithmTags
Represents the compression algorithms available in PGP.
Members
UNCOMPRESSED - No compression
ZIP - Uses (RFC 1951) compression
ZLIB - Uses (RFC 1950) compression
BZIP2 - Uses Burrows–Wheeler algorithm
crypto: SymmetricKeyAlgorithmTags
Represent the symmetric key algorithms available in PGP.
Members
NULL - No encryption
IDEA - IDEA symmetric key algorithm
TRIPLE_DES - Triple DES symmetric key algorithm
CAST5 - CAST5 symmetric key algorithm
BLOWFISH - Blowfish symmetric key algorithm
SAFER - SAFER symmetric key algorithm
DES - DES symmetric key algorithm
AES_128 - AES 128-bit symmetric key algorithm
AES_192 - AES 192-bit symmetric key algorithm
AES_256 - AES 256-bit symmetric key algorithm
TWOFISH - Twofish symmetric key algorithm
CAMELLIA_128 - Camellia 128-bit symmetric key algorithm
CAMELLIA_192 - Camellia 192-bit symmetric key algorithm
CAMELLIA_256
Records
crypto: Certificate
Closed record
Represents the X509 public key certificate information.
Fields
- version0 int - Version number
- serial int - Serial number
- issuer string - Issuer name
- subject string - Subject name
- notBefore Utc - Not before validity period of certificate
- notAfter Utc - Not after validity period of certificate
- signature byte[] - Raw signature bits
- signingAlgorithm string - Signature algorithm
crypto: EncapsulationResult
Closed record
Represents the shared secret and its encapsulation used in Key Encapsulation Mechanism (KEM).
Fields
- encapsulatedSecret byte[] - Encapsulated secret
crypto: HybridEncryptionResult
Closed record
Represents the encapsulated secret and the ciphertext used in Hybrid Public Key Encryption (HPKE).
Fields
- encapsulatedSecret byte[] - The encapsulated secret
- cipherText byte[] - The encrypted data
crypto: KeyStore
Closed record
Represents the KeyStore-related configurations.
Fields
- path string - Path to the KeyStore file
- password string - KeyStore password
crypto: Options
Closed record
Represents the PGP encryption options.
Fields
- compressionAlgorithm CompressionAlgorithmTags(default ZIP) - Specifies the compression algorithm used for PGP encryption
- symmetricKeyAlgorithm SymmetricKeyAlgorithmTags(default AES_256) - Specifies the symmetric key algorithm used for encryption
- armor boolean(default true) - Indicates whether ASCII armor is enabled for the encrypted output
- withIntegrityCheck boolean(default true) - Indicates whether integrity check is included in the encryption
crypto: PrivateKey
Closed record
Represents the private key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Key algorithm
crypto: PublicKey
Closed record
Represents the public key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Key algorithm
- certificate? Certificate - Public key certificate
crypto: TrustStore
Closed record
Represents the truststore-related configurations.
Fields
- path string - Path to the TrustStore file
- password string - TrustStore password
Errors
crypto: Error
Distinct
Represents the error type of the module.
Union types
crypto: AesKeySize
AesKeySize
Represent the supported symmetric key sizes for AES algorithm.
crypto: AesPadding
AesPadding
Represents the padding algorithms supported by AES encryption and decryption.
crypto: RsaPadding
RsaPadding
Represents the padding algorithms supported with RSA encryption and decryption.