crypto
Module crypto
API
Declarations
ballerina/crypto Ballerina library
Overview
This module provides common cryptographic mechanisms based on different algorithms.
The Ballerina crypto
module facilitates APIs to do operations like hashing, HMAC generation, checksum generation, encryption, decryption, signing data digitally, verifying digitally signed data, etc., with different cryptographic algorithms.
Hashes
The crypto
module supports generating hashes with 5 different hash algorithms MD5, SHA1, SHA256, SHA384, and SHA512. Also, it supports generating the CRC32B checksum.
HMAC
The crypto
module supports generating HMAC with 5 different hash algorithms: MD5, SHA1, SHA256, SHA384, and SHA512.
Decode private/public key
The crypto
module supports decoding the RSA private key from a .p12
file and a key file in the PEM
format. Also, it supports decoding a public key from a .p12
file and a certificate file in the X509
format. Additionally, this supports building an RSA public key with the modulus and exponent parameters.
Encrypt and decrypt
The crypto
module supports both symmetric key encryption/decryption and asymmetric key encryption/decryption. The RSA algorithm can be used for asymmetric-key encryption/decryption with the use of private and public keys. The AES algorithm can be used for symmetric-key encryption/decryption with the use of a shared key.
Sign and verify
The crypto
module supports signing data using the RSA private key and verification of the signature using the RSA public key. This supports MD5, SHA1, SHA256, SHA384, and SHA512 digesting algorithms, and ML-DSA-65 post-quantum signature algorithm as well.
Key Derivation Functions (KDF)
The crypto
module supports HMAC-based Key Derivation Function (HKDF). HKDF is a key derivation function that uses a Hash-based Message Authentication Code (HMAC) to derive keys.
Key Exchange Mechanisms (KEM)
The crypto
module supports Key Exchange Mechanisms (KEM). It includes RSA-KEM and post-quantum ML-KEM-768 for both encapsulation and decapsulation.
Hybrid Public Key Encryption (HPKE)
The crypto
module supports Hybrid Public Key Encryption (HPKE). It supports post-quantum ML-KEM-768-HPKE and RSA-KEM-ML-KEM-768-HPKE for encryption and decryption.
Functions
buildRsaPublicKey
Builds the RSA public key from the given modulus and exponent parameters.
string modulus = "luZFdW1ynitztkWLC6xKegbRWxky..."; string exponent = "AQAB"; crypto:PublicKey publicKey = check crypto:buildRsaPublicKey(modulus, exponent);
crc32b
function crc32b(byte[] input) returns string
Returns the Hex-encoded CRC32B value for the given data.
string stringData = "Hello Ballerina"; byte[] data = stringData.toBytes(); string checksum = crypto:crc32b(data);
Parameters
- input byte[] - Value for checksum generation
Return Type
- string - The generated checksum
decapsulateMlKem768
function decapsulateMlKem768(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|Error
Decapsulates the ML-KEM-768 (Kyber768) shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateMlKem768(encapsulatedSecret, privateKey);
Return Type
- byte[]|Error - Shared secret or else a
crypto:Error
if the encapsulatedSecret or the private key is invalid
decapsulateRsaKem
function decapsulateRsaKem(byte[] encapsulatedSecret, PrivateKey privateKey) returns byte[]|Error
Decapsulates the shared secret used for Key Encapsulation Mechanism (KEM) from the given encapsulation for the given data.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKem(encapsulatedSecret, privateKey);
Return Type
- byte[]|Error - Shared secret or else a
crypto:Error
if the encapsulatedSecret or the private key is invalid
decapsulateRsaKemMlKem768
function decapsulateRsaKemMlKem768(byte[] encapsulatedSecret, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey) returns byte[]|Error
Decapsulates the shared secret used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) private keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey); byte[] encapsulatedSecret = encapsulationResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] sharedSecret = check crypto:decapsulateRsaKemMlKem768(encapsulatedSecret, rsaPrivateKey, mlkemPrivateKey);
Parameters
- encapsulatedSecret byte[] - Encapsulated secret
- rsaPrivateKey PrivateKey - RSA private key
- mlkemPrivateKey PrivateKey - MlKem private key
Return Type
- byte[]|Error - Shared secret or else a
crypto:Error
if the keysize or private keys are invalid
decodeEcPrivateKeyFromKeyFile
function decodeEcPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|Error
Decodes the EC private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeEcPrivateKeyFromKeyStore
function decodeEcPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|Error
Decodes the EC private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeEcPublicKeyFromCertFile
Decodes the EC public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeEcPublicKeyFromTrustStore
function decodeEcPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|Error
Decodes the EC public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(trustStore, "keyAlias");
decodeMlDsa65PrivateKeyFromKeyFile
function decodeMlDsa65PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|Error
Decodes the ML-DSA-65 (Dilithium3) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeMlDsa65PrivateKeyFromKeyStore
function decodeMlDsa65PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|Error
Decodes the ML-DSA-65 (Dilithium3) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeMlDsa65PublicKeyFromCertFile
Decodes the ML-DSA-65 (Dilithium3) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeMlDsa65PublicKeyFromTrustStore
function decodeMlDsa65PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|Error
Decodes the ML-DSA-65 (Dilithium3) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(trustStore, "keyAlias");
decodeMlKem768PrivateKeyFromKeyFile
function decodeMlKem768PrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|Error
Decodes the ML-KEM-768 (Kyber768) private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeMlKem768PrivateKeyFromKeyStore
function decodeMlKem768PrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|Error
Decodes the ML-KEM-768 (Kyber768) private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeMlKem768PublicKeyFromCertFile
Decodes the ML-KEM-768 (Kyber768) public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeMlKem768PublicKeyFromTrustStore
function decodeMlKem768PublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|Error
Decodes the ML-KEM-768 (Kyber768) public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(trustStore, "keyAlias");
decodeRsaPrivateKeyFromContent
function decodeRsaPrivateKeyFromContent(byte[] content, string? keyPassword) returns PrivateKey|Error
Decodes the RSA private key from the given private key content as a byte array.
byte[] keyFileContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromContent(keyFileContent, "keyPassword");
Parameters
- content byte[] -
- keyPassword string? (default ()) - Password of the private key if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeRsaPrivateKeyFromKeyFile
function decodeRsaPrivateKeyFromKeyFile(string keyFile, string? keyPassword) returns PrivateKey|Error
Decodes the RSA private key from the given private key and private key password.
string keyFile = "/path/to/private.key"; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyFile(keyFile, "keyPassword");
Parameters
- keyFile string - Path to the key file
- keyPassword string? (default ()) - Password of the key file if it is encrypted
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeRsaPrivateKeyFromKeyStore
function decodeRsaPrivateKeyFromKeyStore(KeyStore keyStore, string keyAlias, string keyPassword) returns PrivateKey|Error
Decodes the RSA private key from the given PKCS#12 archive file.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword");
Parameters
- keyStore KeyStore - KeyStore configurations
- keyAlias string - Key alias
- keyPassword string - Key password
Return Type
- PrivateKey|Error - Reference to the private key or else a
crypto:Error
if the private key was unreadable
decodeRsaPublicKeyFromCertFile
Decodes the RSA public key from the given public certificate file.
string certFile = "/path/to/public.cert"; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromCertFile(certFile);
Parameters
- certFile string - Path to the certificate file
decodeRsaPublicKeyFromContent
Decodes the RSA public key from the given public certificate content.
byte[] certContent = [45,45,45,45,45,66,69,71,73,78,...]; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromContent(certContent);
Parameters
- content byte[] -
decodeRsaPublicKeyFromTrustStore
function decodeRsaPublicKeyFromTrustStore(TrustStore trustStore, string keyAlias) returns PublicKey|Error
Decodes the RSA public key from the given PKCS#12 archive file.
crypto:TrustStore trustStore = { path: "/path/tp/truststore.p12", password: "truststorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(trustStore, "keyAlias");
decryptAesCbc
function decryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|Error
Returns the AES-CBC-decrypted value for the given AES-CBC-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector); byte[] plainText = check crypto:decryptAesCbc(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if the key is invalid
decryptAesEcb
function decryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|Error
Returns the AES-ECB-decrypted value for the given AES-ECB-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key); byte[] plainText = check crypto:decryptAesEcb(cipherText, key);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if the key is invalid
decryptAesGcm
function decryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|Error
Returns the AES-GCM-decrypted value for the given AES-GCM-encrypted data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector); byte[] plainText = check crypto:decryptAesGcm(cipherText, key, initialVector);
Parameters
- input byte[] - The content to be decrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
- tagSize int (default 128) - Tag size
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if the key is invalid
decryptMlKem768Hpke
function decryptMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey privateKey, AesKeySize symmetricKeySize) returns byte[]|Error
Returns the ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey privateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptMlKem768Hpke(cipherText, encapsulatedKey, privateKey);
Parameters
- input byte[] - The content to be decrypted
- encapsulatedKey byte[] - The encapsulated secret
- privateKey PrivateKey - The MlKem private key used for decryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if error occurs
decryptPgp
function decryptPgp(byte[] cipherText, string privateKeyPath, byte[] passphrase) returns byte[]|Error
Returns the PGP-decrypted value of the given PGP-encrypted data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc"); byte[] passphrase = check io:fileReadBytes("pass_phrase.txt"); byte[] decryptedMessage = check crypto:decryptPgp(cipherText, "private_key.asc", passphrase);
Parameters
- cipherText byte[] - The encrypted content to be decrypted
- privateKeyPath string - Path to the private key
- passphrase byte[] - passphrase of the private key
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if the key or passphrase is invalid
decryptRsaEcb
function decryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|Error
Returns the RSA-decrypted value for the given RSA-encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey); byte[] plainText = check crypto:decryptRsaEcb(cipherText, privateKey);
Parameters
- input byte[] - The content to be decrypted
- key PrivateKey|PublicKey - Private or public key used for encryption
- padding RsaPadding (default PKCS1) - The padding algorithm
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if the key is invalid
decryptRsaKemMlKem768Hpke
function decryptRsaKemMlKem768Hpke(byte[] input, byte[] encapsulatedKey, PrivateKey rsaPrivateKey, PrivateKey mlkemPrivateKey, AesKeySize symmetricKeySize) returns byte[]|Error
Returns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given encrypted data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey); byte[] cipherText = encryptionResult.cipherText; byte[] encapsulatedKey = encryptionResult.encapsulatedSecret; crypto:PrivateKey mlkemPrivateKey = check crypto:decodeMlKem768PrivateKeyFromKeyStore(mlkemKeyStore, "keyAlias", "keyStorePassword"); crypto:PrivateKey rsaPrivateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(rsaKeyStore, "keyAlias", "keyStorePassword"); byte[] decryptedData = check crypto:decryptRsaKemMlKem768Hpke(cipherText, encapsulatedKey, rsaPrivateKey, mlkemPrivateKey);
Parameters
- input byte[] - The content to be decrypted
- encapsulatedKey byte[] - The encapsulated secret
- rsaPrivateKey PrivateKey - The RSA private key used for decryption
- mlkemPrivateKey PrivateKey - The MlKem private key used for decryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- byte[]|Error - Decrypted data or else a
crypto:Error
if error occurs
encapsulateMlKem768
function encapsulateMlKem768(PublicKey publicKey) returns EncapsulationResult|Error
Creates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the ML-KEM-768 (Kyber768) public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateMlKem768(publicKey);
Parameters
- publicKey PublicKey - Public key
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Error
if the public key is invalid
encapsulateRsaKem
function encapsulateRsaKem(PublicKey publicKey) returns EncapsulationResult|Error
Creates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using the RSA public key.
crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKem(publicKey);
Parameters
- publicKey PublicKey - Public key
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Error
if the public key is invalid
encapsulateRsaKemMlKem768
function encapsulateRsaKemMlKem768(PublicKey rsaPublicKey, PublicKey mlkemPublicKey) returns EncapsulationResult|Error
Creates a shared secret and its encapsulation used for Key Encapsulation Mechanism (KEM) using RSA and ML-KEM-768 (Kyber768) public keys.
crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:EncapsulationResult encapsulationResult = check crypto:encapsulateRsaKemMlKem768(rsaPublicKey, mlkemPublicKey);
Return Type
- EncapsulationResult|Error - Encapsulated secret or else a
crypto:Error
if the keysize or public keys are invalid
encryptAesCbc
function encryptAesCbc(byte[] input, byte[] key, byte[] iv, AesPadding padding) returns byte[]|Error
Returns the AES-CBC-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesCbc(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Error
if the key is invalid
encryptAesEcb
function encryptAesEcb(byte[] input, byte[] key, AesPadding padding) returns byte[]|Error
Returns the AES-ECB-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesEcb(data, key);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- padding AesPadding (default PKCS5) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Error
if the key is invalid
encryptAesGcm
function encryptAesGcm(byte[] input, byte[] key, byte[] iv, AesPadding padding, int tagSize) returns byte[]|Error
Returns the AES-GCM-encrypted value for the given data.
string dataString = "Hello Ballerina!"; byte[] data = dataString.toBytes(); byte[16] key = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { key[i] = <byte>(check random:createIntInRange(0, 255)); } byte[16] initialVector = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; foreach int i in 0...15 { initialVector[i] = <byte>(check random:createIntInRange(0, 255)); } byte[] cipherText = check crypto:encryptAesGcm(data, key, initialVector);
Parameters
- input byte[] - The content to be encrypted
- key byte[] - Encryption key
- iv byte[] - Initialization vector
- padding AesPadding (default NONE) - The padding algorithm
- tagSize int (default 128) - Tag size
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Error
if the key is invalid
encryptMlKem768Hpke
function encryptMlKem768Hpke(byte[] input, PublicKey publicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|Error
Returns the ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(keyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptMlKem768Hpke(data, publicKey);
Parameters
- input byte[] - The content to be encrypted
- publicKey PublicKey - Public key used for encryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- HybridEncryptionResult|Error - Encrypted data or else a
crypto:Error
if an error occurs
encryptPgp
Returns the PGP-encrypted value for the given data.
byte[] message = "Hello Ballerina!".toBytes(); byte[] cipherText = check crypto:encryptPgp(message, "public_key.asc");
Parameters
- plainText byte[] - The content to be encrypted
- publicKeyPath string - Path to the public key
- options *Options - PGP encryption options
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Error
if the key is invalid
encryptRsaEcb
function encryptRsaEcb(byte[] input, PrivateKey|PublicKey key, RsaPadding padding) returns byte[]|Error
Returns the RSA-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); byte[] cipherText = check crypto:encryptRsaEcb(data, publicKey);
Parameters
- input byte[] - The content to be encrypted
- key PrivateKey|PublicKey - Private or public key used for encryption
- padding RsaPadding (default PKCS1) - The padding algorithm
Return Type
- byte[]|Error - Encrypted data or else a
crypto:Error
if the key is invalid
encryptRsaKemMlKem768Hpke
function encryptRsaKemMlKem768Hpke(byte[] input, PublicKey rsaPublicKey, PublicKey mlkemPublicKey, AesKeySize symmetricKeySize) returns HybridEncryptionResult|Error
Returns the RSA-KEM-ML-KEM-768-AES-hybrid-encrypted value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore mlkemKeyStore = { path: "/path/to/mlkem/keyStore.p12", password: "keyStorePassword" }; crypto:KeyStore rsaKeyStore = { path: "/path/to/rsa/keyStore.p12", password: "keyStorePassword" }; crypto:PublicKey mlkemPublicKey = check crypto:decodeMlKem768PublicKeyFromTrustStore(mlkemKeyStore, "keyAlias"); crypto:PublicKey rsaPublicKey = check crypto:decodeRsaPublicKeyFromTrustStore(rsaKeyStore, "keyAlias"); crypto:HybridEncryptionResult encryptionResult = check crypto:encryptRsaKemMlKem768Hpke(data, rsaPublicKey, mlkemPublicKey);
Parameters
- input byte[] - The content to be encrypted
- rsaPublicKey PublicKey - The RSA public key used for encryption
- mlkemPublicKey PublicKey - The MlKem public key used for encryption
- symmetricKeySize AesKeySize (default 32) - The length of the symmetric key (in bytes)
Return Type
- HybridEncryptionResult|Error - Encrypted data or else a
crypto:Error
if an error occurs
hashMd5
function hashMd5(byte[] input, byte[]? salt) returns byte[]
Returns the MD5 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashMd5(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha1
function hashSha1(byte[] input, byte[]? salt) returns byte[]
Returns the SHA-1 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha1(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha256
function hashSha256(byte[] input, byte[]? salt) returns byte[]
Returns the SHA-256 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha256(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha384
function hashSha384(byte[] input, byte[]? salt) returns byte[]
Returns the SHA-384 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha384(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hashSha512
function hashSha512(byte[] input, byte[]? salt) returns byte[]
Returns the SHA-512 hash of the given data.
string dataString = "Hello Ballerina"; byte[] data = dataString.toBytes(); byte[] hash = crypto:hashSha512(data);
Parameters
- input byte[] - Value to be hashed
- salt byte[]? (default ()) - Salt to be added
Return Type
- byte[] - Hashed output
hkdfSha256
Returns HKDF (HMAC-based Key Derivation Function) using SHA-256 as the hash function.
string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hash = crypto:hkdfSha256(key, 32);
Parameters
- input byte[] - The input key material to derive the key from
- length int - The length of the output keying material (OKM) in bytes
- salt byte[] (default []) - Optional salt value, a non-secret random value
- info byte[] (default []) - Optional context and application-specific information
Return Type
- byte[]|Error - The derived keying material (OKM) of the specified length
hmacMd5
function hmacMd5(byte[] input, byte[] key) returns byte[]|Error
Returns the HMAC using the MD5 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacMd5(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Error
if an error occurred
hmacSha1
function hmacSha1(byte[] input, byte[] key) returns byte[]|Error
Returns the HMAC using the SHA-1 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha1(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Error
if an error occurred
hmacSha256
function hmacSha256(byte[] input, byte[] key) returns byte[]|Error
Returns the HMAC using the SHA-256 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha256(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Error
if an error occurred
hmacSha384
function hmacSha384(byte[] input, byte[] key) returns byte[]|Error
Returns the HMAC using the SHA-384 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha384(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Error
if an error occurred
hmacSha512
function hmacSha512(byte[] input, byte[] key) returns byte[]|Error
Returns the HMAC using the SHA-512 hash function of the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); string secret = "some-secret"; byte[] key = secret.toBytes(); byte[] hmac = check crypto:hmacSha512(data, key);
Parameters
- input byte[] - Value to be hashed
- key byte[] - Key used for HMAC generation
Return Type
- byte[]|Error - The HMAC output or a
crypto:Error
if an error occurred
signMlDsa65
function signMlDsa65(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the MlDsa65 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signRsaMd5
function signRsaMd5(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the RSA-MD5 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signRsaSha1
function signRsaSha1(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the RSA-SHA1 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signRsaSha256
function signRsaSha256(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the RSA-SHA256 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signRsaSha384
function signRsaSha384(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the RSA-SHA384 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signRsaSha512
function signRsaSha512(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the RSA-SHA512 based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signSha256withEcdsa
function signSha256withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the SHA256withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
signSha384withEcdsa
function signSha384withEcdsa(byte[] input, PrivateKey privateKey) returns byte[]|Error
Returns the SHA384withECDSA based signature value for the given data.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey);
Parameters
- input byte[] - The content to be signed
- privateKey PrivateKey - Private key used for signing
Return Type
- byte[]|Error - The generated signature or else a
crypto:Error
if the private key is invalid
verifyMlDsa65Signature
function verifyMlDsa65Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the MlDsa65 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeMlDsa65PrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signMlDsa65(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeMlDsa65PublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyMlDsa65Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaMd5Signature
function verifyRsaMd5Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the RSA-MD5 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaMd5(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaMd5Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha1Signature
function verifyRsaSha1Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the RSA-SHA1 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha1(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha1Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha256Signature
function verifyRsaSha256Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the RSA-SHA256 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha256(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha256Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha384Signature
function verifyRsaSha384Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the RSA-SHA384 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha384(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha384Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifyRsaSha512Signature
function verifyRsaSha512Signature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the RSA-SHA512 based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeRsaPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signRsaSha512(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeRsaPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifyRsaSha512Signature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifySha256withEcdsaSignature
function verifySha256withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the SHA256withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha256withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha256withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
verifySha384withEcdsaSignature
function verifySha384withEcdsaSignature(byte[] data, byte[] signature, PublicKey publicKey) returns boolean|Error
Verifies the SHA384withECDSA based signature.
string input = "Hello Ballerina"; byte[] data = input.toBytes(); crypto:KeyStore keyStore = { path: "/path/to/keyStore.p12", password: "keyStorePassword" }; crypto:PrivateKey privateKey = check crypto:decodeEcPrivateKeyFromKeyStore(keyStore, "keyAlias", "keyPassword"); byte[] signature = check crypto:signSha384withEcdsa(data, privateKey); crypto:PublicKey publicKey = check crypto:decodeEcPublicKeyFromTrustStore(keyStore, "keyAlias"); boolean validity = check crypto:verifySha384withEcdsaSignature(data, signature, publicKey);
Parameters
- data byte[] - The content to be verified
- signature byte[] - Signature value
- publicKey PublicKey - Public key used for verification
Constants
crypto: MLDSA65
The ML-DSA-65
algorithm.
crypto: MLKEM768
The ML-KEM-768
algorithm.
crypto: NONE
No padding.
crypto: OAEPwithMD5andMGF1
The OAEPwithMD5andMGF1
padding mode.
crypto: OAEPWithSHA1AndMGF1
The OAEPWithSHA1AndMGF1
padding mode.
crypto: OAEPWithSHA256AndMGF1
The OAEPWithSHA256AndMGF1
padding mode.
crypto: OAEPwithSHA384andMGF1
The OAEPwithSHA384andMGF1
padding mode.
crypto: OAEPwithSHA512andMGF1
The OAEPwithSHA512andMGF1
padding mode.
crypto: PKCS1
The PKCS1
padding mode.
crypto: PKCS5
The PKCS5
padding mode.
crypto: RSA
The RSA
algorithm.
Enums
crypto: CompressionAlgorithmTags
Represents the compression algorithms available in PGP.
Members
crypto: SymmetricKeyAlgorithmTags
Represent the symmetric key algorithms available in PGP.
Members
Records
crypto: Certificate
Represents the X509 public key certificate information.
Fields
- version0 int - Version number
- serial int - Serial number
- issuer string - Issuer name
- subject string - Subject name
- notBefore Utc - Not before validity period of certificate
- notAfter Utc - Not after validity period of certificate
- signature byte[] - Raw signature bits
- signingAlgorithm string - Signature algorithm
crypto: EncapsulationResult
Represents the shared secret and its encapsulation used in Key Encapsulation Mechanism (KEM).
Fields
- encapsulatedSecret byte[] - Encapsulated secret
- sharedSecret byte[] - Shared secret
crypto: HybridEncryptionResult
Represents the encapsulated secret and the ciphertext used in Hybrid Public Key Encryption (HPKE).
Fields
- encapsulatedSecret byte[] - The encapsulated secret
- cipherText byte[] - The encrypted data
crypto: KeyStore
Represents the KeyStore-related configurations.
Fields
- path string - Path to the KeyStore file
- password string - KeyStore password
crypto: Options
Represents the PGP encryption options.
Fields
- compressionAlgorithm CompressionAlgorithmTags(default ZIP) - Specifies the compression algorithm used for PGP encryption
- symmetricKeyAlgorithm SymmetricKeyAlgorithmTags(default AES_256) - Specifies the symmetric key algorithm used for encryption
- armor boolean(default true) - Indicates whether ASCII armor is enabled for the encrypted output
- withIntegrityCheck boolean(default true) - Indicates whether integrity check is included in the encryption
crypto: PrivateKey
Represents the private key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Key algorithm
crypto: PublicKey
Represents the public key used in cryptographic operations.
Fields
- algorithm KeyAlgorithm - Key algorithm
- certificate Certificate? - Public key certificate
crypto: TrustStore
Represents the truststore-related configurations.
Fields
- path string - Path to the TrustStore file
- password string - TrustStore password
Errors
crypto: Error
Represents the error type of the module.
Union types
crypto: AesKeySize
AesKeySize
Represent the supported symmetric key sizes for AES algorithm.
crypto: AesPadding
AesPadding
Represents the padding algorithms supported by AES encryption and decryption.
crypto: RsaPadding
RsaPadding
Represents the padding algorithms supported with RSA encryption and decryption.
Import
import ballerina/crypto;
Metadata
Released date: 7 months ago
Version: 2.7.2
License: Apache-2.0
Compatibility
Platform: java17
Ballerina version: 2201.9.0
GraalVM compatible: Yes
Pull count
Total: 872050
Current verison: 129452
Weekly downloads
Keywords
security
hash
hmac
sign
encrypt
decrypt
private key
public key
Contributors
Dependencies