Crypt2 Perl Reference Documentation
CkCrypt2
Current Version: 11.0.0
Chilkat encryption component.
Object Creation
$obj = chilkat::CkCrypt2->new();
Properties
AbortCurrent
$boolVal = $crypt2->get_AbortCurrent();
$crypt2->put_AbortCurrent($boolVal);
When set to 1
, causes the currently running method to abort. Methods that always finish quickly (i.e.have no length file operations or network communications) are not affected. If no method is running, then this property is automatically reset to 0
when the next method is called. When the abort occurs, this property is reset to 0
. Both synchronous and asynchronous method calls can be aborted. (A synchronous method call could be aborted by setting this property from a separate thread.)
BCryptWorkFactor
$intVal = $crypt2->get_BCryptWorkFactor();
$crypt2->put_BCryptWorkFactor($intVal);
The BCrypt work factor to be used for the BCryptHash and BCryptVerify. This is the log2 of the number of rounds of hashing to apply. For example, if the work (cost) factor is 12, then 2^12 rounds of hashing are applied. The purpose of this cost factor is to make the BCrypt computation expensive enought to prevent brute-force attacks. (Any complaints about BCrypt not being fast enough
will be ignored.)
This property must have a value ranging from 4 to 31 inclusive.
The default value is 10.
topBlockSize
$intVal = $crypt2->get_BlockSize();
The block-size (in bytes) of the selected encryption algorithm. For example, if the CryptAlgorithm property is set to aes
, the BlockSize property is automatically set to 16. The block-size for the ARC4 streaming encryption algorithm is 1.
CadesEnabled
$boolVal = $crypt2->get_CadesEnabled();
$crypt2->put_CadesEnabled($boolVal);
Applies to all methods that create PKCS7 signatures. To create a CAdES-BES signature, set this property equal to 1
. The default value of this property is 0
.
CadesSigPolicyHash
# $ckStr is a CkString
$crypt2->get_CadesSigPolicyHash($ckStr);
$strVal = $crypt2->cadesSigPolicyHash();
$crypt2->put_CadesSigPolicyHash($strVal);
This is the base64 hash of the policy document located at the CadesSigPolicyUri. You can use either the SHA256 or SHA1 hash. You may use this online tool to compute the base64 hash: http://tools.chilkat.io/hashFileAtUrl.cshtml>Compute Base64 Hash for CaDES Signature Policy URL
Note: This property applies to all methods that create PKCS7 signatures. To create a CAdES-EPES signature, set the CadesEnabled property = 1
, and also provide values for each of the following properties: CadesSigPolicyHash, CadesSigPolicyId, and CadesSigPolicyUri. For example (in pseudo-code):
cryptObj.CadesSigPolicyId = <code>2.16.76.1.7.1.1.1</code> cryptObj.CadesSigPolicyUri = <code>http://politicas.icpbrasil.gov.br/PA_AD_RB.der</code> cryptObj.CadesSigPolicyHash = <code>rySugyKaMhiMR8Y/o5yuU2A2bF0=</code>Note: Do NOT use the values above. They are only provided as an example to show valid values. For example, the Policy ID is an OID. The Policy URI is a typically a URL to a DER encoded policy file, and the Policy Hash is a base64 encoded hash. top
CadesSigPolicyId
# $ckStr is a CkString
$crypt2->get_CadesSigPolicyId($ckStr);
$strVal = $crypt2->cadesSigPolicyId();
$crypt2->put_CadesSigPolicyId($strVal);
See the description for the CadesSigPolicyHash property above.
topCadesSigPolicyUri
# $ckStr is a CkString
$crypt2->get_CadesSigPolicyUri($ckStr);
$strVal = $crypt2->cadesSigPolicyUri();
$crypt2->put_CadesSigPolicyUri($strVal);
See the description for the CadesSigPolicyHash property above.
topCharset
# $ckStr is a CkString
$crypt2->get_Charset($ckStr);
$strVal = $crypt2->charset();
$crypt2->put_Charset($strVal);
This property specifies the character encoding used to represent text as bytes for encryption and hashing. By default, it uses the computer's ANSI
charset, such as Windows-1252 for locales like the United States, United Kingdom, Western Europe, Australia, and New Zealand.
Most applications are advised to set this property to UTF-8
. Chilkat plans to change its default to UTF-8 in a future major version to align with current standards. The current default of ANSI stems from a time when UTF-8 was not widely adopted.
CipherMode
# $ckStr is a CkString
$crypt2->get_CipherMode($ckStr);
$strVal = $crypt2->cipherMode();
$crypt2->put_CipherMode($strVal);
Controls the cipher mode for block encryption algorithms (AES, Blowfish,TwoFish, DES, 3DES, RC2). Possible values are CBC
(the default) , ECB
, CTR
, OFB
, GCM
, and CFB
. These acronyms have the following meanings:
- CBC: Cipher Block Chaining,
- ECB: Electronic CookBook
- CTR: Counter Mode
- CFB: Cipher Feedback
- OFB: Output Feedback
- GCM: Galois/Counter Mode
- XTS: AES-XTS (starting in Chilkat v9.5.0.91)
(see http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation )
Note: Prior to Chilkat v9.5.0.55, the CFB mode is only implemented for AES, Blowfish, and DES/3DES, and the CTR mode is only implemented for AES.
Starting in v9.5.0.55 CFB and OFB modes are useable with all encryption algorithms, and GCM (Galois/Counter Mode) is available with any cipher having a 16-byte block size, such as AES and Twofish. CFB, OFB, CTR, and GCM modes convert block ciphers into stream ciphers. In these modes of operation, the PaddingScheme property is unused because no padding occurs.
Starting in v9.5.0.91 Chilkat supports AES-XTS mode. XTS mode additionally uses a tweak key and tweak value, which are set via the XtsSetEncodedTweakKey, XtsSetEncodedTweakValue, and XtsSetDataUnitNumber. (The latter two functions provide alternative means of setting the tweak value.) Note: Chilkat fully supports AES-XTS mode with ciphertext-stealing, which means it will correctly encrypt/decrypt data with size not divisible by the block size (i.e. divisible by 16 bytes).
CmsOptions
# $ckStr is a CkString
$crypt2->get_CmsOptions($ckStr);
$strVal = $crypt2->cmsOptions();
$crypt2->put_CmsOptions($strVal);
A JSON string for controlling extra CMS (PKCS7) signature and validation options.
CryptAlgorithm
# $ckStr is a CkString
$crypt2->get_CryptAlgorithm($ckStr);
$strVal = $crypt2->cryptAlgorithm();
$crypt2->put_CryptAlgorithm($strVal);
Selects the encryption algorithm for encrypting and decrypting. Possible values are: chacha20
, pki
, aes
, blowfish2
, des
, 3des
, rc2
, arc4
, twofish
, pbes1
and pbes2
. The pki
encryption algorithm isn't a specific algorithm, but instead tells the component to encrypt/decrypt using public-key encryption (PKCS7/CMS) with digital certificates. The other choices are symmetric encryption algorithms that do not involve digital certificates and public/private keys.
The default value is aes
The original Chilkat implementation of Blowfish (in 2004) has a 4321 byte-swapping issue (the results are 4321 byte-swapped). The newer implementation (in 2006 and named blowfish2
) does not byte swap. This should be used for compatibility with other Blowfish software. If an application needs to decrypt something encrypted with the old 4321 byte-swapped blowfish, set the property to blowfish_old
.
Password-based encryption (PBE) is selected by setting this property to pbes1
or pbes2
. Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at https://tools.ietf.org/html/rfc2898. If PBE is used, the underlying encryption algorithm is specified by the PbesAlgorithm property. The underlying encryption (PbesAlgorithm) for PBES1 is limited to 56-bit DES or 64-bit RC2.
Note:The chacha20 algorithm is introduced in Chilkat v9.5.0.55.
DebugLogFilePath
# $ckStr is a CkString
$crypt2->get_DebugLogFilePath($ckStr);
$strVal = $crypt2->debugLogFilePath();
$crypt2->put_DebugLogFilePath($strVal);
If set to a file path, this property logs the LastErrorText of each Chilkat method or property call to the specified file. This logging helps identify the context and history of Chilkat calls leading up to any crash or hang, aiding in debugging.
Enabling the VerboseLogging property provides more detailed information. This property is mainly used for debugging rare instances where a Chilkat method call causes a hang or crash, which should generally not happen.
Possible causes of hangs include:
- A timeout property set to 0, indicating an infinite timeout.
- A hang occurring within an event callback in the application code.
- An internal bug in the Chilkat code causing the hang.
EncodingMode
# $ckStr is a CkString
$crypt2->get_EncodingMode($ckStr);
$strVal = $crypt2->encodingMode();
$crypt2->put_EncodingMode($strVal);
Controls the encoding of binary data to a printable string for many methods. The valid modes are Base64
, modBase64
, base64url
, Base32
, Base58
, UU
, QP
(for quoted-printable), URL
(for url-encoding), Hex
, Q
, B
, url_oauth
, url_rfc1738
, url_rfc2396
, url_rfc3986
, fingerprint
, or decimal
.
The default value is base64
The fingerprint
anddecimal
encodings are introduced in Chilkat v9.5.0.55.
The fingerprint
encoding is a lowercase hex encoding where each hex digit is separated by a colon character. For example: 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23
The decimal
encoding is for converting large decimal integers to/from a big-endian binary representation. For example, the decimal string 72623859790382856
converts to the bytes 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08.
FirstChunk
$boolVal = $crypt2->get_FirstChunk();
$crypt2->put_FirstChunk($boolVal);
Chilkat Crypt2 provides the ability to feed the encryption/decryption methods with chunks of data. This allows a large amount of data, or a data stream, to be fed piecemeal for encrypting or decrypting. It applies to all symmetric algorithms currently supported (AES, Blowfish, Twofish, 3DES, RC2, DES, ARC4), and all algorithms supported in the future.
The default value for both FirstChunk and LastChunk is 1
. This means when an Encrypt* or Decrypt* method is called, it is both the first and last chunk (i.e. it's the entire amount of data to be encrypted or decrypted).
If you wish to feed the data piecemeal, do this:
- Set FirstChunk =
1
, LastChunk =0
for the first chunk of data. - For all
middle
chunks (i.e. all chunks except for the final chunk) set FirstChunk =0
and LastChunk =0
. - For the final chunk, set FirstChunk =
0
and LastChunk =1
There is no need to worry about feeding data according to the block size of the encryption algorithm. For example, AES has a block size of 16 bytes. Data may be fed in chunks of any size. The Chilkat Crypt2 component will buffer the data. When the final chunk is passed, the output is padded to the algorithm's block size according to the PaddingScheme.
HashAlgorithm
# $ckStr is a CkString
$crypt2->get_HashAlgorithm($ckStr);
$strVal = $crypt2->hashAlgorithm();
$crypt2->put_HashAlgorithm($strVal);
Selects the hash algorithm used by methods that create hashes. The valid choices are sha1
, sha256
, sha384
, sha512
, sha3-224
, sha3-256
, sha3-384
, sha3-512
, md2
, md5
, haval
, ripemd128
, ripemd160
,ripemd256
, or ripemd320
.
Note: SHA-2 designates a set of cryptographic hash functions that includes SHA-256, SHA-384, and SHA-512. Chilkat by definition supports SHA-2
because it supports these algorithms.
The default value is sha256
.
Note: The HAVAL hash algorithm is affected by two other properties: HavalRounds and KeyLength.
- The HavalRounds may have values of 3, 4, or 5.
- The KeyLength may have values of 128, 160, 192, 224, or 256.
Note: The sha3-224
, sha3-256
, sha3-384
, sha3-512
algorithms are added in Chilkat v9.5.0.83.
HavalRounds
$intVal = $crypt2->get_HavalRounds();
$crypt2->put_HavalRounds($intVal);
Applies to the HAVAL hash algorithm only and must be set to the integer value 3, 4, or 5. The default value is 3.
topIncludeCertChain
$boolVal = $crypt2->get_IncludeCertChain();
$crypt2->put_IncludeCertChain($boolVal);
Only applies when creating digital signatures. If 1
(the default), then additional certificates (if any) in the chain of authentication are included in the PKCS7 digital signature.
InitialCount
$intVal = $crypt2->get_InitialCount();
$crypt2->put_InitialCount($intVal);
The initial counter for the ChaCha20 encryption algorithm. The default value is 0.
topIterationCount
$intVal = $crypt2->get_IterationCount();
$crypt2->put_IterationCount($intVal);
Iteration count to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127
The purpose of the iteration count is to increase the computation required to encrypt and decrypt. A larger iteration count makes cracking via exhaustive search more difficult. The default value is 1024.
topKeyLength
$intVal = $crypt2->get_KeyLength();
$crypt2->put_KeyLength($intVal);
The key length in bits for symmetric encryption algorithms. The default value is 256.
topLastChunk
$boolVal = $crypt2->get_LastChunk();
$crypt2->put_LastChunk($boolVal);
LastErrorHtml
# $ckStr is a CkString
$crypt2->get_LastErrorHtml($ckStr);
$strVal = $crypt2->lastErrorHtml();
Provides HTML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.
topLastErrorText
# $ckStr is a CkString
$crypt2->get_LastErrorText($ckStr);
$strVal = $crypt2->lastErrorText();
Provides plain text information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.
LastErrorXml
# $ckStr is a CkString
$crypt2->get_LastErrorXml($ckStr);
$strVal = $crypt2->lastErrorXml();
Provides XML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.
topLastMethodSuccess
$boolVal = $crypt2->get_LastMethodSuccess();
$crypt2->put_LastMethodSuccess($boolVal);
Indicates the success or failure of the most recent method call: 1
means success, 0
means failure. This property remains unchanged by property setters or getters. This method is present to address challenges in checking for null or Nothing returns in certain programming languages.
MacAlgorithm
# $ckStr is a CkString
$crypt2->get_MacAlgorithm($ckStr);
$strVal = $crypt2->macAlgorithm();
$crypt2->put_MacAlgorithm($strVal);
Selects the MAC algorithm to be used for any of the Mac methods, such as MacStringENC, MacBytes, etc. The default value is hmac
. Possible values are hmac
and poly1305
.
NumSignerCerts
$intVal = $crypt2->get_NumSignerCerts();
This property is set when a digital signature is verified. It contains the number of signer certificates. Each signing certificate can be retrieved by calling the GetSignerCert method, passing an index from 0 to NumSignerCerts-1.
OaepHash
# $ckStr is a CkString
$crypt2->get_OaepHash($ckStr);
$strVal = $crypt2->oaepHash();
$crypt2->put_OaepHash($strVal);
Selects the hash algorithm for use within OAEP padding when encrypting using pki
with RSAES-OAEP. The valid choices are sha1
, sha256
, sha384
, sha512
,
The default value is sha256
OaepMgfHash
# $ckStr is a CkString
$crypt2->get_OaepMgfHash($ckStr);
$strVal = $crypt2->oaepMgfHash();
$crypt2->put_OaepMgfHash($strVal);
Selects the MGF hash algorithm for use within OAEP padding when encrypting using pki
with RSAES-OAEP. The valid choices are sha1
, sha256
, sha384
, sha512
, The default is sha256
.
OaepPadding
$boolVal = $crypt2->get_OaepPadding();
$crypt2->put_OaepPadding($boolVal);
Selects the RSA encryption scheme when encrypting using pki
(with a certificate and private key). The default value is 0
, which selects RSAES_PKCS1-V1_5. If set to 1
, then RSAES_OAEP is used.
PaddingScheme
$intVal = $crypt2->get_PaddingScheme();
$crypt2->put_PaddingScheme($intVal);
The padding scheme used by block encryption algorithms such as AES (Rijndael), Blowfish, Twofish, RC2, DES, 3DES, etc. Block encryption algorithms pad encrypted data to a multiple of algorithm's block size. The default value of this property is 0.
Possible values are:
0 = RFC 1423 padding scheme: Each padding byte is set to the number of padding bytes. If the data is already a multiple of algorithm's block size bytes, an extra block is appended each having a value equal to the block size. (for example, if the algorithm's block size is 16, then 16 bytes having the value 0x10 are added.). (This is also known as PKCS5 padding: PKCS #5 padding string consists of a sequence of bytes, each of which is equal to the total number of padding bytes added. )
1 = FIPS81 (Federal Information Processing Standards 81) where the last byte contains the number of padding bytes, including itself, and the other padding bytes are set to random values.
2 = Each padding byte is set to a random value. The decryptor must know how many bytes are in the original unencrypted data.
3 = Pad with NULLs. (If already a multiple of the algorithm's block size, no padding is added).
4 = Pad with SPACE chars(0x20). (If already a multiple of algorithm's block size, no padding is added).
PbesAlgorithm
# $ckStr is a CkString
$crypt2->get_PbesAlgorithm($ckStr);
$strVal = $crypt2->pbesAlgorithm();
$crypt2->put_PbesAlgorithm($strVal);
If the CryptAlgorithm property is set to pbes1
or pbes2
, this property specifies the underlying encryption algorithm to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127
PbesPassword
# $ckStr is a CkString
$crypt2->get_PbesPassword($ckStr);
$strVal = $crypt2->pbesPassword();
$crypt2->put_PbesPassword($strVal);
The password to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127
topPkcs7CryptAlg
# $ckStr is a CkString
$crypt2->get_Pkcs7CryptAlg($ckStr);
$strVal = $crypt2->pkcs7CryptAlg();
$crypt2->put_Pkcs7CryptAlg($strVal);
When the CryptAlgorithm property is PKI
to select PKCS7 public-key encryption, this selects the underlying symmetric encryption algorithm. Possible values are: aes
, des
, 3des
, and rc2
. The default value is aes
.
Rc2EffectiveKeyLength
$intVal = $crypt2->get_Rc2EffectiveKeyLength();
$crypt2->put_Rc2EffectiveKeyLength($intVal);
The effective key length (in bits) for the RC2 encryption algorithm. When RC2 is used, both the KeyLength and Rc2EffectiveKeyLength properties should be set. For RC2, both should be between 8 and 1024 (inclusive).
The default value is 128
topSigningAlg
# $ckStr is a CkString
$crypt2->get_SigningAlg($ckStr);
$strVal = $crypt2->signingAlg();
$crypt2->put_SigningAlg($strVal);
This property selects the signature algorithm for the OpaqueSign*, Sign*, and CreateDetachedSignature, CreateP7M, and CreateP7S methods. The default value is PKCS1-v1_5
. This can be set to RSASSA-PSS
(or simply pss
) to use the RSASSA-PSS signature scheme.
Note: This property only applies when the private key is an RSA private key. It does not apply for ECC or DSA private keys.
SigningAttributes
# $ckStr is a CkString
$crypt2->get_SigningAttributes($ckStr);
$strVal = $crypt2->signingAttributes();
$crypt2->put_SigningAttributes($strVal);
Contains JSON to specify the authenticated (signed) attributes or unauthenticated (unsigned) attributes that are to be included in CMS signatures. The default value is:
{ <code>contentType</code>: 1, <code>signingTime</code>: 1, <code>messageDigest</code>: 1 }
Other possible values that can be added are:
- signingCertificateV2
- signingCertificate
- sMIMECapabilities
- microsoftRecipientInfo
- encrypKeyPref
- cmsAlgorithmProtection
UncommonOptions
# $ckStr is a CkString
$crypt2->get_UncommonOptions($ckStr);
$strVal = $crypt2->uncommonOptions();
$crypt2->put_UncommonOptions($strVal);
This is a catch-all property to be used for uncommon needs. This property defaults to the empty string and should typically remain empty.
Can be set to a list of the following comma separated keywords:
UseConstructedOctets
- Introduced in v9.5.0.83. When creating opaque CMS signatures (signatures that embed the data being signed), will use theconstructed octets
form of the ASN.1 that holds the data. This is to satify some validators that are brittle/fragile/picky and require a particular format, such as for the ICP-Brazil Digital Signature Standard.
UuFilename
# $ckStr is a CkString
$crypt2->get_UuFilename($ckStr);
$strVal = $crypt2->uuFilename();
$crypt2->put_UuFilename($strVal);
When UU encoding, this is the filename to be embedded in UU encoded output. The default is file.dat
. When UU decoding, this is the filename found in the UU encoded input.
UuMode
# $ckStr is a CkString
$crypt2->get_UuMode($ckStr);
$strVal = $crypt2->uuMode();
$crypt2->put_UuMode($strVal);
When UU encoding, this is the file permissions mode to be embedded in UU encoded output. The default is 644
. When UU decoding, this property is set to the mode found in the UU encoded input.
VerboseLogging
$boolVal = $crypt2->get_VerboseLogging();
$crypt2->put_VerboseLogging($boolVal);
If set to 1
, then the contents of LastErrorText (or LastErrorXml, or LastErrorHtml) may contain more verbose information. The default value is 0
. Verbose logging should only be used for debugging. The potentially large quantity of logged information may adversely affect peformance.
Version
# $ckStr is a CkString
$crypt2->get_Version($ckStr);
$strVal = $crypt2->version();
Methods
AddEncryptCert
Adds a certificate for public-key encryption. To enable public-key encryption with digital certificates, set the CryptAlgorithm
property to pki
. Call AddEncryptCert
separately for each certificate you wish to use for encryption.
Any of the Encrypt*
methods will do RSA public-key encryption
when the CryptAlgorithm
is set to the keyword pki
. The output is a PKCS#7 enveloped-data
secure container.
AddPfxSourceBd
Adds a PFX
file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. bd should contain the bytes of a PFX file (also known as PKCS12
or .p12
).
Note: Information about the certificate(s) needed for public-key decryption
are included in the PKCS#7 enveloped-data
. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.
Returns 1 for success, 0 for failure.
AddPfxSourceFile
# $pfxPassword is a string
$status = $crypt2->AddPfxSourceFile($pfxFilePath, $pfxPassword);
Adds a PFX
file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times.
Note: Information about the certificate(s) needed for public-key decryption
are included in the PKCS#7 enveloped-data
. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.
Returns 1 for success, 0 for failure.
AddSigningCert
Call this method once per certificate to add multiple certificates for signing
. If signing with a single certificate, then the SetSigningCert
or SetSigningCert2
methods can be used instead.
Returns 1 for success, 0 for failure.
AesKeyUnwrap
# $wrappedKeyData is a string
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->AesKeyUnwrap($kek, $wrappedKeyData, $encoding, $outStr);
$retStr = $crypt2->aesKeyUnwrap($kek, $wrappedKeyData, $encoding);
Implements the AES Key Wrap Algorithm
(RFC 3394) for unwrapping. The kek is the Key Encryption Key
(the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64
, hex
, base64url
, etc.) The full list of supported encodings is available at the link below.
The kek should be an AES key
of 16 bytes
, 24 bytes
, or 32 bytes
(i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).
The wrappedKeyData contains the data to be unwrapped. The result, if decoded, is 8 bytes less than the wrapped key data. For example, if a 256-bit AES key (32 bytes) is wrapped, the size of the wrapped key data is 40 bytes. Unwrapping restores it to the original 32 bytes.
Returns 1 for success, 0 for failure.
AesKeyUnwrapWithPadding
# $wrappedKeyData is a string
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->AesKeyUnwrapWithPadding($kek, $wrappedKeyData, $encoding, $outStr);
$retStr = $crypt2->aesKeyUnwrapWithPadding($kek, $wrappedKeyData, $encoding);
Implements the AES Key Wrap with Padding Algorithm
(RFC 5649) for unwrapping. The kek is the Key Encryption Key
(the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64
, hex
, base64url
, etc.)
The kek should be an AES key
of 16 bytes
, 24 bytes
, or 32 bytes
(i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).
The wrappedKeyData contains the data to be unwrapped.
The unwrapped key is returned as an encoded string (using the encoding specified in encoding).
Returns 1 for success, 0 for failure.
topAesKeyWrap
# $keyData is a string
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->AesKeyWrap($kek, $keyData, $encoding, $outStr);
$retStr = $crypt2->aesKeyWrap($kek, $keyData, $encoding);
Implements the AES Key Wrap Algorithm
(RFC 3394). The kek is the Key Encryption Key
(the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64
, hex
, base64url
, etc.) The full list of supported encodings is available at the link below.
The kek should be an AES key
of 16 bytes
, 24 bytes
, or 32 bytes
(i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).
The keyData contains the data to be key wrapped. It must be a multiple of 64-bits in length. In other words, if the keyData is decoded to binary, it should be a number of bytes that is a multiple of 8.
The return string, if decoded to binary bytes, is equal to the size of the key data + 8 additional bytes.
Returns 1 for success, 0 for failure.
AesKeyWrapWithPadding
# $keyData is a string
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->AesKeyWrapWithPadding($kek, $keyData, $encoding, $outStr);
$retStr = $crypt2->aesKeyWrapWithPadding($kek, $keyData, $encoding);
Implements the AES Key Wrap with Padding Algorithm
(RFC 5649). The kek is the Key Encryption Key
(the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64
, hex
, base64url
, etc.)
The kek should be an AES key
of 16 bytes
, 24 bytes
, or 32 bytes
(i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).
The keyData contains the data to be key wrapped.
Returns the wrapped key using the encoding specified in encoding.
Returns 1 for success, 0 for failure.
topBCryptHash
# $outStr is a CkString (output)
$status = $crypt2->BCryptHash($password, $outStr);
$retStr = $crypt2->bCryptHash($password);
Computes and returns a bcrypt hash of the password. The number of rounds of hashing is determined by the BCryptWorkFactor property.
Starting in v9.5.0.76, if the password is prefixed with $2b$
then the output will use the $2b version of bcrypt. For example, to create a $2b$
bcrypt has for the password secret
, pass in the string $2b$secret
for password.
Returns 1 for success, 0 for failure.
BCryptVerify
# $bcryptHash is a string
$status = $crypt2->BCryptVerify($password, $bcryptHash);
Verifies the password against a previously computed BCrypt hash. Returns 1
if the password matches the bcryptHash. Returns 0
if the password does not match.
Returns 1 for success, 0 for failure.
CkDecryptFile
# $destFile is a string
$status = $crypt2->CkDecryptFile($srcFile, $destFile);
File-to-file decryption. There is no limit to the size of the file that can be decrypted because the component will operate in streaming mode internally.
Returns 1 for success, 0 for failure.
CkDecryptFileAsync (1)
# $srcFile is a string
# $destFile is a string
$ret_task = $crypt2->CkDecryptFileAsync($srcFile, $destFile);
Creates an asynchronous task to call the CkDecryptFile method with the arguments provided.
Returns null
on failure
CkEncryptFile
# $destFile is a string
$status = $crypt2->CkEncryptFile($srcFile, $destFile);
File-to-file encryption. There is no limit to the size of the file that can be encrypted because the component will operate in streaming mode internally.
Returns 1 for success, 0 for failure.
CkEncryptFileAsync (1)
# $srcFile is a string
# $destFile is a string
$ret_task = $crypt2->CkEncryptFileAsync($srcFile, $destFile);
Creates an asynchronous task to call the CkEncryptFile method with the arguments provided.
Returns null
on failure
ClearEncryptCerts
Clears the internal list of digital certificates to be used for public-key encryption.
topClearSigningCerts
CoSign
# $cert is a CkCert
# $bdOut is a CkBinData
$status = $crypt2->CoSign($bdIn, $cert, $bdOut);
Co-sign's an existing CMS signature. bdIn contains the existing CMS signature. If successful, cert is the output co-signed CMS signature.
Returns 1 for success, 0 for failure.
CrcBd
Computes a CRC for data contained in crcAlg, which can be either crc-32
used in the Zip file format, or crc8
for the CRC8 algorithm.
CrcFile
# $path is a string
$retInt = $crypt2->CrcFile($crcAlg, $path);
Calculates a CRC for the contents of a file. To compute the CRC used in the Zip file format, pass CRC-32
for the crcAlg. (The crcAlg argument provides the flexibility to add additional CRC algorithms on an as-needed basis in the future.) A value of 0 is returned if the file is unable to be read. Given that there is a 1 in 4 billion chance of having an actual CRC of 0, an application might choose to react to a 0 return value by testing to see if the file can be opened and read.
Starting in v9.5.0.88, crc8 can be computed by passing CRC8
in crcAlg.
CrcFileAsync (1)
# $crcAlg is a string
# $path is a string
$ret_task = $crypt2->CrcFileAsync($crcAlg, $path);
Creates an asynchronous task to call the CrcFile method with the arguments provided.
Returns null
on failure
CreateDetachedSignature
# $sigFilePath is a string
$status = $crypt2->CreateDetachedSignature($inFilePath, $sigFilePath);
Digitally signs a file and writes the digital signature to a separate output file (a PKCS#7 signature file). The input file (inFilePath) is unmodified. A certificate for signing must be specified by calling SetSigningCert or SetSigningCert2 prior to calling this method.
This method is equivalent to CreateP7S. The CreateP7S method was added to clarify the format of the signature file that is created.
Returns 1 for success, 0 for failure.
topCreateP7M
# $p7mPath is a string
$status = $crypt2->CreateP7M($inFilename, $p7mPath);
Digitally signs a file and creates a .p7m (PKCS #7 Message) file that contains both the signature and original file content. The input file (inFilename) is unmodified. A certificate for signing must be specified by calling SetSigningCert or SetSigningCert2 prior to calling this method.
To sign with a particular hash algorithm, set the HashAlgorithm property. Valid hash algorithms for signing are sha256
, sha1
, sha384
, sha512
, md5
, and md2
.
Note: The CreateP7M method creates an opaque signature. To do the same thing entirely in memory, your application would call any of the OpaqueSign* methods, such as OpaqueSignBd, OpaqueSignString, OpaqueSignStringENC, etc.
Returns 1 for success, 0 for failure.
CreateP7MAsync (1)
# $inFilename is a string
# $p7mPath is a string
$ret_task = $crypt2->CreateP7MAsync($inFilename, $p7mPath);
Creates an asynchronous task to call the CreateP7M method with the arguments provided.
Returns null
on failure
CreateP7S
# $p7sPath is a string
$status = $crypt2->CreateP7S($inFilename, $p7sPath);
Digitally signs a file and creates a .p7s (PKCS #7 Signature) signature file. The input file (inFilename) is unmodified. The output file (p7sPath) contains only the signature and not the original data. A certificate for signing must be specified by calling SetSigningCert or SetSigningCert2 prior to calling this method.
To sign with a particular hash algorithm, set the HashAlgorithm property. Valid hash algorithms for signing are sha256
, sha1
, sha384
, sha512
, md5
, and md2
.
Note: The CreateP7S method creates a detached signature. To do the same thing entirely in memory, your application would call any of the Sign* methods, such as SignBdENC, SignString, SignStringENC, SignSbENC, etc.
Returns 1 for success, 0 for failure.
CreateP7SAsync (1)
# $inFilename is a string
# $p7sPath is a string
$ret_task = $crypt2->CreateP7SAsync($inFilename, $p7sPath);
Creates an asynchronous task to call the CreateP7S method with the arguments provided.
Returns null
on failure
DecodeString
# $charset is a string
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->DecodeString($inStr, $charset, $encoding, $outStr);
$retStr = $crypt2->decodeString($inStr, $charset, $encoding);
Decodes from an encoding back to the original string. The encoding can be set to any of the following strings: base64
, hex
, quoted-printable
, url
, base32
, Q
, B
, url_rc1738
, url_rfc2396
, url_rfc3986
, url_oauth
, uu
, modBase64
, or html
(for HTML entity encoding).
Returns 1 for success, 0 for failure.
DecryptBd
In-place decrypts the contents of bd. The minimal set of properties that should be set before decrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV.
Returns 1 for success, 0 for failure.
DecryptEncoded
# $outStr is a CkString (output)
$status = $crypt2->DecryptEncoded($encodedEncryptedData, $outStr);
$retStr = $crypt2->decryptEncoded($encodedEncryptedData);
Encrypted data is passed to this method as an encoded string (base64, hex, etc.). This method first decodes the input data according to the EncodingMode property setting. It then decrypts and re-encodes using the EncodingMode setting, and returns the decrypted data in encoded string form.
Returns 1 for success, 0 for failure.
DecryptSb
Decrypts the contents of bdIn to sbOut. The decrypted string is appended to sbOut. The minimal set of properties that should be set before ecrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV.
Returns 1 for success, 0 for failure.
DecryptSecureENC
# $secureStr is a CkSecureString
$status = $crypt2->DecryptSecureENC($cipherText, $secureStr);
Identical to DecryptStringENC, except the decrypts the cipherText and appends the decrypted string to the secureStr.
Returns 1 for success, 0 for failure.
DecryptStream
Decrypts a stream. Internally, the strm's source is read, decrypted, and the decrypted data written to the strm's sink. It does this in streaming fashion. Extremely large or even infinite streams can be decrypted with stable ungrowing memory usage.
Returns 1 for success, 0 for failure.
DecryptStreamAsync (1)
Creates an asynchronous task to call the DecryptStream method with the arguments provided.
Returns null
on failure
DecryptStringENC
# $outStr is a CkString (output)
$status = $crypt2->DecryptStringENC($str, $outStr);
$retStr = $crypt2->decryptStringENC($str);
The reverse of EncryptStringENC.
Decrypts string-encoded encrypted data and returns the original string. The property settings used when encrypting the string must match the settings when decrypting. Specifically, the Charset, EncodingMode, CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.
Returns 1 for success, 0 for failure.
EncodeInt
# $numBytes is an integer
# $littleEndian is a boolean
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->EncodeInt($value, $numBytes, $littleEndian, $encoding, $outStr);
$retStr = $crypt2->encodeInt($value, $numBytes, $littleEndian, $encoding);
Encodes an integer to N bytes and returns in the specified encoding. If littleEndian is 1
, then little endian byte ordering is used. Otherwise big-endian byte order is used.
Returns 1 for success, 0 for failure.
EncodeString
# $charsetName is a string
# $toEncodingName is a string
# $outStr is a CkString (output)
$status = $crypt2->EncodeString($strToEncode, $charsetName, $toEncodingName, $outStr);
$retStr = $crypt2->encodeString($strToEncode, $charsetName, $toEncodingName);
Encodes a string. The toEncodingName can be set to any of the following strings: base64
, hex
, quoted-printable
, url
, base32
, Q
, B
, url_rc1738
, url_rfc2396
, url_rfc3986
, url_oauth
, uu
, modBase64
, or html
(for HTML entity encoding). The charsetName is important, and usually you'll want to specify ansi
. For example, if the string ABC
is to be encoded to hex
using ANSI, the result will be 414243
. However, if unicode
is used, the result is 410042004300
.
Returns 1 for success, 0 for failure.
EncryptBd
In-place encrypts the contents of bd. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise the result is garbled data.
Returns 1 for success, 0 for failure.
EncryptEncoded
# $outStr is a CkString (output)
$status = $crypt2->EncryptEncoded($str, $outStr);
$retStr = $crypt2->encryptEncoded($str);
The input string is first decoded according to the encoding algorithm specified by the EncodingMode property (such as base64, hex, etc.) It is then encrypted according to the encryption algorithm specified by CryptAlgorithm. The resulting encrypted data is encoded (using EncodingMode) and returned.
Returns 1 for success, 0 for failure.
EncryptSb
Encrypts the contents of sbIn to bdOut. The Charset
property determines the actual bytes that are encrypted.
Returns 1 for success, 0 for failure.
EncryptSecureENC
# $outStr is a CkString (output)
$status = $crypt2->EncryptSecureENC($secureStr, $outStr);
$retStr = $crypt2->encryptSecureENC($secureStr);
Identical to EncryptStringENC, except the clear-text contained within the secureStr is encrypted and returned.
Returns 1 for success, 0 for failure.
EncryptStream
Encrypts a stream. Internally, the strm's source is read, encrypted, and the encrypted data written to the strm's sink. It does this in streaming fashion. Extremely large or even infinite streams can be encrypted with stable ungrowing memory usage.
Returns 1 for success, 0 for failure.
EncryptStreamAsync (1)
Creates an asynchronous task to call the EncryptStream method with the arguments provided.
Returns null
on failure
EncryptStringENC
# $outStr is a CkString (output)
$status = $crypt2->EncryptStringENC($str, $outStr);
$retStr = $crypt2->encryptStringENC($str);
Encrypts a string and returns the encrypted bytes as a binary encoded string. The EncodingMode
property determines the binary encoding, such as base64
, hex
, hex_lower
, base64url
, base58
, etc. The Charset
property determines the actual bytes that are encrypted.
Returns 1 for success, 0 for failure.
GenEncodedSecretKey
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->GenEncodedSecretKey($password, $encoding, $outStr);
$retStr = $crypt2->genEncodedSecretKey($password, $encoding);
Important: In the v9.5.0.49 release, a bug involving this method was introduced: The encoding is ignored and instead the encoding used is the current value of the EncodingMode property. The workaround is to make sure the EncodingMode property is set to the value of the desired output encoding. This problem will be fixed in v9.5.0.50.
Identical to the GenerateSecretKey method, except it returns the binary secret key as a string encoded according to encoding, which may be base64
, hex
, url
, etc. Please see the documentation for GenerateSecretKey for more information.
Returns 1 for success, 0 for failure.
topGenerateUuid
$status = $crypt2->GenerateUuid($outStr);
$retStr = $crypt2->generateUuid();
Generates a random UUID string having standard UUID format, such as de305d54-75b4-431b-adb2-eb6b9e546014
.
Note: This generates a version 4 UUID
using random byte values. See RFC 4122.
Returns 1 for success, 0 for failure.
GenRandomBytesENC
# $outStr is a CkString (output)
$status = $crypt2->GenRandomBytesENC($numBytes, $outStr);
$retStr = $crypt2->genRandomBytesENC($numBytes);
Generates numBytes random bytes and returns them as an encoded string. The encoding, such as base64, hex, etc. is controlled by the EncodingMode property.
Returns 1 for success, 0 for failure.
GetEncodedAad
# $outStr is a CkString (output)
$status = $crypt2->GetEncodedAad($encoding, $outStr);
$retStr = $crypt2->getEncodedAad($encoding);
Returns the authenticated additional data as an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, or url
.
The Aad is used when the CipherMode is gcm
(Galois/Counter Mode), which is a mode valid for symmetric ciphers that have a block size of 16 bytes, such as AES or Twofish.
Returns 1 for success, 0 for failure.
GetEncodedAuthTag
# $outStr is a CkString (output)
$status = $crypt2->GetEncodedAuthTag($encoding, $outStr);
$retStr = $crypt2->getEncodedAuthTag($encoding);
Returns the authentication tag as an encoded string. The encoding argument may be set to any of the following strings: base64
, hex
, quoted-printable
, or url
. The authentication tag is an output of authenticated encryption modes such as GCM when encrypting. When GCM mode decrypting, the authenticate tag is set by the application and is the expected result.
The authenticated tag plays a role when the CipherMode is gcm
(Galois/Counter Mode), which is a mode valid for symmetric block ciphers that have a block size of 16 bytes, such as AES or Twofish.
Returns 1 for success, 0 for failure.
GetEncodedIV
# $outIV is a CkString (output)
$status = $crypt2->GetEncodedIV($encoding, $outStr);
$retStr = $crypt2->getEncodedIV($encoding);
Returns the initialization vector as an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, or url
.
Returns 1 for success, 0 for failure.
topGetEncodedKey
# $outKey is a CkString (output)
$status = $crypt2->GetEncodedKey($encoding, $outStr);
$retStr = $crypt2->getEncodedKey($encoding);
Returns the secret key as an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, or url
.
Returns 1 for success, 0 for failure.
topGetEncodedSalt
# $outStr is a CkString (output)
$status = $crypt2->GetEncodedSalt($encoding, $outStr);
$retStr = $crypt2->getEncodedSalt($encoding);
Returns the password-based encryption (PBE) salt bytes as an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, or url
.
Returns 1 for success, 0 for failure.
topGetLastJsonData
Provides information about what transpired in the last method called. For many methods, there is no information. For some methods, details about what transpired can be obtained via LastJsonData. For example, after calling a method to verify a signature, the LastJsonData will return JSON with details about the algorithms used for signature verification.
topGetSignatureSigningTimeStr
# $outStr is a CkString (output)
$status = $crypt2->GetSignatureSigningTimeStr($index, $outStr);
$retStr = $crypt2->getSignatureSigningTimeStr($index);
This method retrieves the signing time of the Nth certificate used in a digital signature, after verification. The first certificate's signing time is at index index 0. The NumSignerCerts property indicates the total number of signing certificates (typically, only one is used).
Note: Before retrieving the signing time for a certificate, use the HasSignatureSigningTime method to check its availability. Skip indices without a signing time.
The signing time is returned in RFC822 string format.
Returns 1 for success, 0 for failure.
GetSignedAttributes
# $pkcs7Der is a CkBinData
# $sbJson is a CkStringBuilder
$status = $crypt2->GetSignedAttributes($signerIndex, $pkcs7Der, $sbJson);
Extracts the signed (authenticated) attributes for the Nth signer. In most cases, a signature has only one signer, and the signerIndex should equal 0 to specify the 1st (and only) signer.
The binary PKCS7 is passed in pkcs7Der. On success, the sbJson will contain the signed attributes in JSON format.
Sample JSON output:
{ <code>signedAttributes</code>: [ { <code>oid</code>: <code>1.2.840.113549.1.9.3</code>, <code>name</code>: <code>Content Type</code> }, { <code>oid</code>: <code>1.2.840.113549.1.9.5</code>, <code>name</code>: <code>Signing Time</code> }, { <code>oid</code>: <code>1.2.840.113549.1.9.4</code>, <code>name</code>: <code>Message Digest</code> }, { <code>oid</code>: <code>1.2.840.113549.1.9.16.2.47</code>, <code>name</code>: <code>Signing Certificate V2</code> } ] }
Returns 1 for success, 0 for failure.
topHashBdENC
# $outStr is a CkString (output)
$status = $crypt2->HashBdENC($bd, $outStr);
$retStr = $crypt2->hashBdENC($bd);
Hashes the bytes in bd and returns the hash as a binary-encoded string. The hash algorithm is determined by the HashAlgorithm
property, while the encoding is specified by the EncodingMode
property. Encoding options include base64
, hex
, base64url
, or others listed at the link below.
Returns 1 for success, 0 for failure.
HashBeginString
$status = $crypt2->HashBeginString($strData);
To hash a large amount of text, start by processing the first chunk using this method. For subsequent chunks, use the HashMoreString
method as needed. Conclude by calling HashFinal
(or HashFinalENC
) to obtain the final result. The hash algorithm is determined by the HashAlgorithm
property setting.
Returns 1 for success, 0 for failure.
HashChunkBd
Start or continue hashing data in chunks. Set firstChunk to 1
for the first chunk, and 0
for subsequent chunks. Finish by calling HashFinalENC
to obtain the result. The hash algorithm used is determined by the HashAlgorithm
property.
Returns 1 for success, 0 for failure.
topHashFileENC
# $outStr is a CkString (output)
$status = $crypt2->HashFileENC($path, $outStr);
$retStr = $crypt2->hashFileENC($path);
Hashes a file and returns the hash as an encoded string.
The hash algorithm is specified by the HashAlgorithm
property, The encoding is controlled by the EncodingMode
property, which can be set to base64
, hex
, base64url
, or any of the encodings listed at the link below.
Any size file is supported because the file is hashed internally in streaming mode (keeping memory usage low and constant).
Returns 1 for success, 0 for failure.
HashFileENCAsync (1)
Creates an asynchronous task to call the HashFileENC method with the arguments provided.
Returns null
on failure
HashFinalENC
$status = $crypt2->HashFinalENC($outStr);
$retStr = $crypt2->hashFinalENC();
Finalizes a multi-step hash computation and returns the hash bytes encoded according to the EncodingMode
property setting.
Returns 1 for success, 0 for failure.
HashMoreString
$status = $crypt2->HashMoreString($strData);
Adds more text to the hash currently under computation. (See HashBeginString
)
Returns 1 for success, 0 for failure.
topHashStringENC
# $outStr is a CkString (output)
$status = $crypt2->HashStringENC($str, $outStr);
$retStr = $crypt2->hashStringENC($str);
Hashes a string and returns the hash bytes as an encoded string.
The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64
, hex
, base64url
, or any of the encodings listed at the link below.
The Charset property controls the character encoding of the string that is hashed. Languages such as VB.NET, C#, and Visual Basic work with Unicode strings. If it is desired to hash Unicode directly (2 bytes/char) then set the Charset property to Unicode
. To implicitly convert to another charset before hashing, set the Charset property to the desired charset. For example, if Charset is set to iso-8859-1
, the input string is first implicitly converted to iso-8859-1 (1 byte per character) before hashing. The full list of supported charsets is listed in the EncryptString method description.
Returns 1 for success, 0 for failure.
HasSignatureSigningTime
$retBool = $crypt2->HasSignatureSigningTime($index);
This method can be called after a digital signature has been verified by one of the Verify* methods. Returns 1
if a signing time for the Nth certificate is available and can be retrieved by either the GetSignatureSigningTime or GetSignatureSigningTimeStr methods.
Hotp
# $secretEnc is a string
# $counterHex is a string
# $numDigits is an integer
# $truncOffset is an integer
# $hashAlg is a string
# $outStr is a CkString (output)
$status = $crypt2->Hotp($secret, $secretEnc, $counterHex, $numDigits, $truncOffset, $hashAlg, $outStr);
$retStr = $crypt2->hotp($secret, $secretEnc, $counterHex, $numDigits, $truncOffset, $hashAlg);
Implements RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm. The arguments to this method are:
- secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
- secretEnc: The encoding of the shared secret, such as
base64
- counterHex: The 8-byte counter in hexidecimal format.
- numDigits: The number of decimal digits to return.
- truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
- hashAlg: Normally set to
sha1
. Can be set to other hash algorithms such assha256
,sha512
, etc.
Returns 1 for success, 0 for failure.
LastDecryptCert
Returns in cert the last certificate used for public-key decryption.
Returns 1 for success, 0 for failure.
topLastSignerCert
Returns the Nth certificate used for signing in cert. This method can be called after verifying a digital signature to get the signer certs. The 1st certificate is at index 0. The NumSignerCerts
property contains the total number of signing certificates. (Typically, a single certificate is used in creating a digital signature.)
Returns 1 for success, 0 for failure.
topLoadTaskCaller
MacBdENC
# $outStr is a CkString (output)
$status = $crypt2->MacBdENC($bd, $outStr);
$retStr = $crypt2->macBdENC($bd);
Computes a Message Authentication Code
(MAC) for the bytes in bd using the algorithm defined in the MacAlgorithm
property. The result is then encoded to a string using the format specified by the EncodingMode
property (e.g., base64, hex). The HashAlgorithm
property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)
Returns 1 for success, 0 for failure.
MacStringENC
# $outStr is a CkString (output)
$status = $crypt2->MacStringENC($inText, $outStr);
$retStr = $crypt2->macStringENC($inText);
Computes a Message Authentication Code using the MAC algorithm specified in the MacAlgorithm property. The result is encoded to a string using the encoding (base64, hex, etc.) specified by the EncodingMode property.
Returns 1 for success, 0 for failure.
MySqlAesDecrypt
# $strPassword is a string
# $outStr is a CkString (output)
$status = $crypt2->MySqlAesDecrypt($strEncryptedHex, $strPassword, $outStr);
$retStr = $crypt2->mySqlAesDecrypt($strEncryptedHex, $strPassword);
Matches MySQL's AES_DECRYPT function. strEncryptedHex is a hex-encoded string of the AES encrypted data. The return value is the original unencrypted string.
Returns 1 for success, 0 for failure.
topMySqlAesEncrypt
# $strPassword is a string
# $outStr is a CkString (output)
$status = $crypt2->MySqlAesEncrypt($strData, $strPassword, $outStr);
$retStr = $crypt2->mySqlAesEncrypt($strData, $strPassword);
Matches MySQL's AES_ENCRYPT function. The return value is a hex-encoded string of the encrypted data. The equivalent call in MySQL would look like this: HEX(AES_ENCRYPT('The quick brown fox jumps over the lazy dog','password'))
Returns 1 for success, 0 for failure.
OpaqueSignBd
Digitally signs the contents of bd. If successful, the contents of bd are replaced with the PKCS#7 signed-data
, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert
before invoking this method. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
OpaqueSignBdAsync (1)
Creates an asynchronous task to call the OpaqueSignBd method with the arguments provided.
Returns null
on failure
OpaqueSignStringENC
# $outStr is a CkString (output)
$status = $crypt2->OpaqueSignStringENC($str, $outStr);
$retStr = $crypt2->opaqueSignStringENC($str);
Digitally signs a string and returns PKCS#7 signed-data
as a binary encoded string
. The EncodingMode
property determines the binary encoding, such as base64
, hex
, hex_lower
, base64_mime
, etc. The Charset
property determines the actual bytes that are hashed and signed. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
OpaqueSignStringENCAsync (1)
Creates an asynchronous task to call the OpaqueSignStringENC method with the arguments provided.
Returns null
on failure
OpaqueVerifyBd
The method performs in-place verification of the PKCS#7 signed-data
content of bd. If the signature is successfully verified, the content of bd is replaced with the original data, and the method returns 1
. If verification fails, bd remains unchanged, and the method returns 0
. Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
OpaqueVerifyStringENC
# $outOriginal is a CkString (output)
$status = $crypt2->OpaqueVerifyStringENC($p7s, $outStr);
$retStr = $crypt2->opaqueVerifyStringENC($p7s);
This function verifies a PKCS#7 signed-data
binary-encoded signature and returns the original text data. The EncodingMode
property determines how p7s is decoded to bytes. If the signature does not verify successfully, it returns an empty string. The Charset
property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
Pbkdf1
# $charset is a string
# $hashAlg is a string
# $salt is a string
# $iterationCount is an integer
# $outputKeyBitLen is an integer
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->Pbkdf1($password, $charset, $hashAlg, $salt, $iterationCount, $outputKeyBitLen, $encoding, $outStr);
$retStr = $crypt2->pbkdf1($password, $charset, $hashAlg, $salt, $iterationCount, $outputKeyBitLen, $encoding);
Implements the PBKDF1 algorithm (Password Based Key Derivation Function #1). The password is converted to the character encoding represented by charset before being passed (internally) to the key derivation function. The hashAlg may be md5
, sha1
, md2
, etc. The salt should be random data at least 8 bytes (64 bits) in length. (The GenRandomBytesENC method is good for generating a random salt value.) The iterationCount should be no less than 1000. The length (in bits) of the derived key output by this method is controlled by outputKeyBitLen. The encoding argument may be base64
, hex
, etc. It controls the encoding of the output, and the expected encoding of the salt. The derived key is returned.
Note: Starting in version 9.5.0.47, if the charset is set to one of the keywords hex
or base64
, then the password will be considered binary data that is hex or base64 encoded. The bytes will be decoded and used directly as a binary password.
Returns 1 for success, 0 for failure.
Pbkdf2
# $charset is a string
# $hashAlg is a string
# $salt is a string
# $iterationCount is an integer
# $outputKeyBitLen is an integer
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->Pbkdf2($password, $charset, $hashAlg, $salt, $iterationCount, $outputKeyBitLen, $encoding, $outStr);
$retStr = $crypt2->pbkdf2($password, $charset, $hashAlg, $salt, $iterationCount, $outputKeyBitLen, $encoding);
Implements the PBKDF2 algorithm as follows:
- Convert password to the character encoding specified by charset before using it in the key derivation function.
- hashAlg specifies the hash algorithm. Options include
sha256
,sha384
,sha512
,md5
,sha1
,md2
, or any algorithm listed in the HashAlgorithm property. - Provide a random salt value that is at least 8 bytes (64 bits) long. Use methods like GenRandomBytesENC to generate this salt value.
- Ensure iterationCount is 1000 or greater.
- Control the length of the derived key output using outputKeyBitLen.
- Set encoding to specify the encoding format for the output and the expected encoding for salt. Options include
base64
andhex
.
The derived key is the output of this process. Internally, PBKDF2 uses a pseudorandom function (PRF), specifically a keyed HMAC. The hash algorithm chosen with hashAlg dictates this PRF; for example, SHA256
uses HMAC-SHA256, while SHA1
uses HMAC-SHA1.
Note: If charset is hex
or base64
, password is treated as binary data. It will be decoded and used directly as a binary password.
SHA256
uses HMAC-SHA256, while SHA1
uses HMAC-SHA1.
PBKDF1 and PBKDF2 are both key derivation functions used to strengthen passwords for cryptographic purposes, but PBKDF2 is the improved version.
- PBKDF1: Older and limited—it can only generate small keys (up to the hash function’s output size), making it less flexible and secure.
- PBKDF2: More advanced—it can generate longer keys, is more resistant to attacks, and is widely recommended for modern security needs.
In short, PBKDF2 is stronger and more versatile than PBKDF1.
Returns 1 for success, 0 for failure.
RandomizeIV
Sets the initialization vector to a random value.
topRandomizeKey
Sets the secret key to a random value.
topReEncode
# $fromEncoding is a string
# $toEncoding is a string
# $outStr is a CkString (output)
$status = $crypt2->ReEncode($encodedData, $fromEncoding, $toEncoding, $outStr);
$retStr = $crypt2->reEncode($encodedData, $fromEncoding, $toEncoding);
This tool allows for conversion between different encodings, such as from base64 to hex. It's particularly useful in programming environments where handling byte arrays is cumbersome. The encodings that can be specified for fromEncoding and toEncoding include: Base64
, base64Url
, modBase64
, Base32
, Base58
, UU
, QP
(quoted-printable), URL
(URL-encoding), Hex
, Q
, B
, url_oauth
, url_rfc1738
, url_rfc2396
, and url_rfc3986
. Note that these encodings are case-insensitive.
Returns 1 for success, 0 for failure.
SetDecryptCert
Sets the digital certificate to be used for decryption when the CryptAlgorithm property is set to PKI
. A private key is required for decryption. Because this method only specifies the certificate, a prerequisite is that the certificate w/ private key must have been pre-installed on the computer. Private keys are stored in the Windows Protected Store (either a user account specific store, or the system-wide store). The Chilkat component will automatically locate and find the certificate's corresponding private key from the protected store when decrypting.
Returns 1 for success, 0 for failure.
topSetDecryptCert2
Sets the digital certificate to be used for decryption when the CryptAlgorithm property is set to PKI
. The private key is supplied in the 2nd argument to this method, so there is no requirement that the certificate be pre-installed on a computer before decrypting (if this method is called).
Returns 1 for success, 0 for failure.
topSetEncodedAad
# $encoding is a string
$status = $crypt2->SetEncodedAad($aadStr, $encoding);
Sets the authenticated additional data from an encoded string. The authenticated additional data (AAD), if any, is used in authenticated encryption modes such as GCM. The aadStr argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
The Aad is used when the CipherMode is gcm
(Galois/Counter Mode), which is a mode valid for symmetric ciphers that have a block size of 16 bytes, such as AES or Twofish.
Returns 1 for success, 0 for failure.
SetEncodedAuthTag
# $encoding is a string
$status = $crypt2->SetEncodedAuthTag($authTagStr, $encoding);
Sets the expected authenticated tag from an encoded string. The authenticated tag is used in authenticated encryption modes such as GCM. An application would set the expected authenticated tag prior to decrypting. The authTagStr argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
The authenticated tag plays a role when the CipherMode is gcm
(Galois/Counter Mode), which is a mode valid for symmetric block ciphers that have a block size of 16 bytes, such as AES or Twofish.
Note: You can set the authenticated tag to the special value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
(16 0xFF bytes) to prevent Chilkat from checking the auth tag after decrypting.
Returns 1 for success, 0 for failure.
SetEncodedIV
# $encoding is a string
$crypt2->SetEncodedIV($ivStr, $encoding);
Sets the initialization vector from an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
SetEncodedKey
# $encoding is a string
$crypt2->SetEncodedKey($keyStr, $encoding);
Sets the secret key from an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
SetEncodedSalt
# $encoding is a string
$crypt2->SetEncodedSalt($saltStr, $encoding);
Sets the password-based encryption (PBE) salt bytes from an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
SetEncryptCert
Tells the encryption library to use a specific digital certificate for public-key encryption. To encrypt with multiple certificates, call AddEncryptCert once for each certificate. (Calling this method is the equivalent of calling ClearEncryptCerts followed by AddEncryptCert.)
Returns 1 for success, 0 for failure.
SetMacKeyEncoded
# $encoding is a string
$status = $crypt2->SetMacKeyEncoded($key, $encoding);
Sets the MAC key to be used for one of the Mac methods. The encoding can be set to any of the following strings: base64
, hex
, quoted-printable
, or url
.
Returns 1 for success, 0 for failure.
SetMacKeyString
$status = $crypt2->SetMacKeyString($key);
Sets the MAC key to be used for one of the Mac methods.
Returns 1 for success, 0 for failure.
SetSecretKeyViaPassword
$crypt2->SetSecretKeyViaPassword($password);
Accepts a password string and (internally) generates a binary secret key of the appropriate bit length and sets the SecretKey property. This method should only be used if you are using Chilkat for both encryption and decryption because the password-to-secret-key algorithm would need to be identical for the decryption to match the encryption.
There is no minimum or maximum password length. The password string is transformed to a binary secret key by computing the MD5 digest (of the utf-8 password) to obtain 16 bytes. If the KeyLength is greater than 16 bytes, then the MD5 digest of the Base64 encoding of the utf-8 password is added. A max of 32 bytes of key material is generated, and this is truncated to the actual KeyLength required. The example below shows how to manually duplicate the computation.
SetSigningCert
Specifies a certificate to be used when creating PKCS7 digital signatures. Signing requires both a certificate and private key. In this case, the private key is implicitly specified if the certificate originated from a PFX that contains the corresponding private key, or if on a Windows-based computer where the certificate and corresponding private key are pre-installed. (If a PFX file is used, it is provided via the AddPfxSourceFile or AddPfxSourceData methods.)
Returns 1 for success, 0 for failure.
SetSigningCert2
# $privateKey is a CkPrivateKey
$status = $crypt2->SetSigningCert2($cert, $privateKey);
Specifies a digital certificate and private key to be used for creating PKCS7 digital signatures.
Returns 1 for success, 0 for failure.
SetTsaHttpObj
Sets the timestamp authority (TSA) options for cases where a CAdES-T signature is to be created. The http is used to send the requests, and it allows for connection related settings and timeouts to be set. For example, if HTTP or SOCKS proxies are required, these features can be specified on the http.
topSetVerifyCert
Sets the digital certificate to be used in verifying a signature. In virtually all cases, a PKCS7 (CMS) signature already embeds the signing certificate information, and it is not necessary to explicitly call this method to specify the verification certificate. It is only needed in rare cases.
Returns 1 for success, 0 for failure.
SignBdENC
# $outStr is a CkString (output)
$status = $crypt2->SignBdENC($dataToSign, $outStr);
$retStr = $crypt2->signBdENC($dataToSign);
Digitally signs the content in dataToSign and returns a detached
signature (PKCS#7 signed-data
) as a binary-encoded string. The EncodingMode
property determines the binary-encoding. Possible encodings include base64
, base64_mime
, hex
, and hex_lower
. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
SignBdENCAsync (1)
Creates an asynchronous task to call the SignBdENC method with the arguments provided.
Returns null
on failure
SignHashENC
# $hashAlg is a string
# $hashEncoding is a string
# $outStr is a CkString (output)
$status = $crypt2->SignHashENC($encodedHash, $hashAlg, $hashEncoding, $outStr);
$retStr = $crypt2->signHashENC($encodedHash, $hashAlg, $hashEncoding);
Digitally signs a pre-computed hash and returns a detached
signature (PKCS#7 signed-data
) as a binary-encoded string. The EncodingMode
property determines the binary-encoding. Possible encodings include base64
, base64_mime
, hex
, and hex_lower
encodedHash is a binary-encoded hash to be signed, with its encoding format specified by hashEncoding (e.g., base64
, hex
). hashAlg specifies the hash algorithm (e.g., sha256
, sha1
, sha512
) used for encodedHash.
Returns 1 for success, 0 for failure.
SignHashENCAsync (1)
# $encodedHash is a string
# $hashAlg is a string
# $hashEncoding is a string
$ret_task = $crypt2->SignHashENCAsync($encodedHash, $hashAlg, $hashEncoding);
Creates an asynchronous task to call the SignHashENC method with the arguments provided.
Returns null
on failure
SignSbENC
# $outStr is a CkString (output)
$status = $crypt2->SignSbENC($sb, $outStr);
$retStr = $crypt2->signSbENC($sb);
Digitally signs the text contained in sb and returns a detached
signature (PKCS#7 signed-data
) as a binary-encoded string. The EncodingMode
property determines the binary-encoding. Possible encodings include base64
, base64_mime
, hex
, and hex_lower
. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing. The Charset
property determines the actual bytes that are hashed and signed.
Returns 1 for success, 0 for failure.
SignSbENCAsync (1)
Creates an asynchronous task to call the SignSbENC method with the arguments provided.
Returns null
on failure
SignStringENC
# $outStr is a CkString (output)
$status = $crypt2->SignStringENC($str, $outStr);
$retStr = $crypt2->signStringENC($str);
Digitally signs a string and returns a detached
signature (PKCS#7 signed-data
) as a binary-encoded string. The EncodingMode
property determines the binary-encoding. Possible encodings include base64
, base64_mime
, hex
, and hex_lower
. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing. The Charset
property determines the actual bytes that are hashed and signed.
Returns 1 for success, 0 for failure.
SignStringENCAsync (1)
Creates an asynchronous task to call the SignStringENC method with the arguments provided.
Returns null
on failure
Totp
# $secretEnc is a string
# $t0 is a string
# $tNow is a string
# $tStep is an integer
# $numDigits is an integer
# $truncOffset is an integer
# $hashAlg is a string
# $outStr is a CkString (output)
$status = $crypt2->Totp($secret, $secretEnc, $t0, $tNow, $tStep, $numDigits, $truncOffset, $hashAlg, $outStr);
$retStr = $crypt2->totp($secret, $secretEnc, $t0, $tNow, $tStep, $numDigits, $truncOffset, $hashAlg);
Implements RFC 6238: TOTP: Time-Based One-Time Password Algorithm. The arguments to this method are:
- secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
- secretEnc: The encoding of the shared secret, such as
base64
- t0: The Unix time to start counting time steps. It is a number in decimal string form. A Unix time is the number of seconds elapsed since midnight UTC of January 1, 1970.
0
is a typical value used for this argument. - tNow: The current Unix time in decimal string form. To use the current system date/time, pass an empty string for this argument.
- tStep: The time step in seconds. A typical value is 30. Note: Both client and server must pre-agree on the secret, the t0, and the tStep.
- numDigits: The number of decimal digits to return.
- truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
- hashAlg: Normally set to
sha1
. Can be set to other hash algorithms such assha256
,sha512
, etc.
Returns 1 for success, 0 for failure.
UseCertVault
Adds an XML certificate vault to the object's internal list of sources to be searched for certificates and private keys when encrypting/decrypting or signing/verifying. Unlike the AddPfxSourceData and AddPfxSourceFile methods, only a single XML certificate vault can be used. If UseCertVault is called multiple times, only the last certificate vault will be used, as each call to UseCertVault will replace the certificate vault provided in previous calls.
Returns 1 for success, 0 for failure.
topVerifyBdENC
# $encodedSig is a string
$status = $crypt2->VerifyBdENC($data, $encodedSig);
Verifies a detached digital signature
against the original data contained in data. Returns 1
if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data
detached signature. The type of binary encoding, such as base64,
hex,
or base64_mime,
is determined by the EncodingMode
property.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
VerifyP7M
# $destPath is a string
$status = $crypt2->VerifyP7M($p7mPath, $destPath);
Verifies an opaque digital signature
contained in a .p7m
file and extracts the original data to destPath. Returns 1
if the .p7m is validated and the original data was extracted. Otherwise returns 0
.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
VerifyP7S
# $p7sPath is a string
$status = $crypt2->VerifyP7S($originalDataPath, $p7sPath);
Verifies a detached digital signature
contained in a .p7s
file against the original data contained in originalDataPath. Returns 1
if the signature is verified.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
VerifySbENC
# $encodedSig is a string
$status = $crypt2->VerifySbENC($sb, $encodedSig);
Verifies a detached digital signature
against the original text contained in sb. Returns 1
if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data
detached signature. The type of binary encoding, such as base64,
hex,
or base64_mime,
is determined by the EncodingMode
property. The Charset
property determines how the text in sb is converted to bytes for signature validation.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
VerifyStringENC
# $encodedSig is a string
$status = $crypt2->VerifyStringENC($str, $encodedSig);
Verifies a detached digital signature
against the original text in str. Returns 1
if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data
detached signature. The type of binary encoding, such as base64,
hex,
or base64_mime,
is determined by the EncodingMode
property. The Charset
property determines how the text in str is converted to bytes for signature validation.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
XtsSetDataUnitNumber
# $hiUint32 is an integer
$crypt2->XtsSetDataUnitNumber($loUint32, $hiUint32);
Sets the XTS-AES mode data unit number. The data unit number is a 64-bit unsigned integer. It is passed in as two 32-bit unsigned integers representing the high and low 32-bits.
Setting the data unit number is one way of setting the tweak value. The tweak value is 16 bytes in length and can alternatively be set by calling XtsSetEncodedTweakValue.
This method sets the tweak value such that the first 8 bytes are composed of the little-endian 64-bit data unit number, followed by 8 zero bytes.
(Unfortunately, Chilkat cannot use 64-bit integers in method arguments because many older programming environments, such as ActiveX, do not support it. Chilkat must present an identical and uniform API across all programming languages.)
XtsSetEncodedTweakKey
# $encoding is a string
$crypt2->XtsSetEncodedTweakKey($key, $encoding);
Sets the XTS-AES mode tweak key from an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
. The tweak key should be equal in size to the encryption key. For example, to do 256-bit AES-XTS, the encryption key is 256-bits, and the tweak key is also 256-bits.
XtsSetEncodedTweakValue
# $encoding is a string
$crypt2->XtsSetEncodedTweakValue($tweak, $encoding);
Sets the XTS-AES mode tweak value from an encoded string. The encoding argument can be set to any of the following strings: base64
, hex
, quoted-printable
, ascii
, or url
.
The tweak value must be 16 bytes in length. An application can set the initial tweak value by calling this method, or by calling XtsSetDataUnitNumber (but not both).
Deprecated
AddPfxSourceData Deprecated
# $pfxPassword is a string
$status = $crypt2->AddPfxSourceData($pfxBytes, $pfxPassword);
Adds a PFX
file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. pfxBytes should contain the bytes of a PFX file (also known as PKCS12
or .p12
).
Returns 1 for success, 0 for failure.
CrcBytes Deprecated
Calculates a CRC for in-memory byte data. To compute the CRC used in the Zip file format, pass CRC-32
(or CRC32, case insensitive) for the crcAlg. (The crcAlg argument provides the flexibility to add additional CRC algorithms on an as-needed basis in the future.)
Starting in v9.5.0.88, crc8 can be computed by passing CRC8
in crcAlg.
Decode
# $encoding is a string
# $outData is a CkByteData (output)
$status = $crypt2->Decode($str, $encoding, $outData);
Applications should instead call BinData.AppendEncoded
to append binary encoded data (such as base64) to a BinData object. The decoded binary bytes can then be obtained from the BinData object.
Decode binary data from an encoded string. The encoding can be set to any of the following strings: base64
, hex
, quoted-printable
, url
, base32
, Q
, B
, url_rc1738
, url_rfc2396
, url_rfc3986
, url_oauth
, uu
, modBase64
, or html
(for HTML entity encoding).
Returns 1 for success, 0 for failure.
DecryptBytes Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->DecryptBytes($data, $outData);
Decrypts a byte array and returns the unencrypted byte array. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.
Returns 1 for success, 0 for failure.
DecryptBytesENC Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->DecryptBytesENC($str, $outData);
Decrypts string-encoded encrypted data and returns the unencrypted byte array. Data encrypted with EncryptBytesENC can be decrypted with this method. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the EncodingMode, CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.
Returns 1 for success, 0 for failure.
DecryptString Deprecated
# $outStr is a CkString (output)
$status = $crypt2->DecryptString($data, $outStr);
$retStr = $crypt2->decryptString($data);
Decrypts a previously encrypted string, using the Charset
property to interpret the decrypted bytes as characters.
Returns 1 for success, 0 for failure.
Encode Deprecated
# $encoding is a string
# $outStr is a CkString (output)
$status = $crypt2->Encode($byteData, $encoding, $outStr);
$retStr = $crypt2->encode($byteData, $encoding);
Encode binary data to base64, hex, quoted-printable, or URL-encoding. The encoding can be set to any of the following strings: base64
, hex
, quoted-printable
(or qp
), url
, base32
, Q
, B
, url_rc1738
, url_rfc2396
, url_rfc3986
, url_oauth
, uu
, modBase64
, or html
(for HTML entity encoding).
Returns 1 for success, 0 for failure.
EncryptBytes Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->EncryptBytes($data, $outData);
Encrypts a byte array. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned.
Returns 1 for success, 0 for failure.
EncryptBytesENC Deprecated
# $outStr is a CkString (output)
$status = $crypt2->EncryptBytesENC($data, $outStr);
$retStr = $crypt2->encryptBytesENC($data);
Encrypts a byte array and returns the encrypted data as an encoded (printable) string. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey, EncodingMode. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned. The encoding of the string that is returned is controlled by the EncodingMode property, which can be set to Base64
, QP
, or Hex
.
Returns 1 for success, 0 for failure.
EncryptString Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->EncryptString($str, $outData);
Encrypts a string and returns the result as bytes, with the Charset
property determining the specific byte encoding of what gets encrypted.
Returns 1 for success, 0 for failure.
GenerateSecretKey
# $outData is a CkByteData (output)
$status = $crypt2->GenerateSecretKey($password, $outData);
This method is deprecated
and should be avoided because it transforms the password into a binary secret key using a transformation that is undocumented and specific to this Chilkat method. PBKDF2
is a standard and more secure method of generating a binary secret key from a password. An example using PBKDF2 is shown below.
This method converts a string into a byte array matching the bit length of the KeyLength
property. For instance, if KeyLength is 128 bits, the resulting array will be 16 bytes. This byte array can be assigned to the SecretKey
property. For decryption to work, the SecretKey must match exactly. To use password-based encryption, pass the password to this method to generate an appropriate binary secret key for the SecretKey property.
IMPORTANT
: Do not use this method to decrypt data if another party has provided you with the secret key. It is intended to transform a password of any length into a correctly sized binary secret key.
Returns 1 for success, 0 for failure.
GetDecryptCert
This method is deprecated. Application should instead call LastDecryptCert
Returns the last certificate used for public-key decryption.
Returns null
on failure
GetSignerCert
This method is deprecated. Application should instead call LastSignerCert
Gets the Nth certificate used for signing. This method can be called after verifying a digital signature to get the signer certs. The 1st certificate is at index 0. The NumSignerCerts property contains the total number of signing certificates. (Typically, a single certificate is used in creating a digital signature.)
Returns null
on failure
GetSignerCertChain
# $index is an integer
$ret_certChain = $crypt2->GetSignerCertChain($index);
This method is deprecated. Applications can get the cert chain by calling LastSignerCert
to get the certificate object, and then get the certificate chain from the certificate object.
Returns the full certificate chain for the Nth certificate used to for signing. Indexing begins at 0.
Returns null
on failure
HashBeginBytes Deprecated
To hash binary data in chunks, start by hashing the first chunk using this method. For additional chunks, use the HashMoreBytes
method as needed. Complete the process with HashFinal
or HashFinalENC
to obtain the hash result. The hash algorithm used is determined by the HashAlgorithm
property setting.
Returns 1 for success, 0 for failure.
topHashBytes Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->HashBytes($data, $outData);
Hashes a byte array using the algorithm specified by the HashAlgorithm
property.
Returns 1 for success, 0 for failure.
HashBytesENC Deprecated
# $outStr is a CkString (output)
$status = $crypt2->HashBytesENC($data, $outStr);
$retStr = $crypt2->hashBytesENC($data);
Hashes a byte array and returns the hash as a binary encoded string.
The hash algorithm is specified by the HashAlgorithm
property, The encoding is controlled by the EncodingMode
property, which can be set to base64
, hex
, base64url
, or any of the encodings listed at the link below.
Returns 1 for success, 0 for failure.
HashFile Deprecated
# $outBytes is a CkByteData (output)
$status = $crypt2->HashFile($path, $outData);
Hashes a file using the specified HashAlgorithm
and returns the hash bytes. The file is processed in streaming mode, allowing any file size to be hashed efficiently while minimizing memory usage.
Returns 1 for success, 0 for failure.
HashFileAsync Deprecated (1)
Creates an asynchronous task to call the HashFile method with the arguments provided.
Returns null
on failure
HashFinal Deprecated
Finalizes a multi-step hash computation and returns the hash bytes.
Returns 1 for success, 0 for failure.
topHashMoreBytes Deprecated
Adds more bytes to the hash currently under computation. (See HashBeginBytes
)
Returns 1 for success, 0 for failure.
topHashString Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->HashString($str, $outData);
Hashes a string using the Charset
property to determine the bytes and returns the hash.
Returns 1 for success, 0 for failure.
LastJsonData
This method is deprecated. Please use GetLastJsonData
instead.
GetLastJsonData provides details about the most recently executed method. While many methods don't provide additional information, some do, such as after verifying a signature. In such cases, LastJsonData will return JSON with details like the algorithms used in the verification process.
Returns null
on failure
MacBytes Deprecated
# $outBytes is a CkByteData (output)
$status = $crypt2->MacBytes($inBytes, $outData);
Computes a Message Authentication Code
using the algorithm defined in the MacAlgorithm
property. The HashAlgorithm
property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)
Returns 1 for success, 0 for failure.
MacBytesENC Deprecated
# $outStr is a CkString (output)
$status = $crypt2->MacBytesENC($inBytes, $outStr);
$retStr = $crypt2->macBytesENC($inBytes);
Computes a Message Authentication Code
using the MAC algorithm specified in the MacAlgorithm
property. The result is encoded to a string using the encoding (base64
, hex
, etc.) specified by the EncodingMode
property.
Returns 1 for success, 0 for failure.
MacString Deprecated
# $outBytes is a CkByteData (output)
$status = $crypt2->MacString($inText, $outData);
Computes a Message Authentication Code
using the specified MacAlgorithm
property. The Charset
property determines the actual bytes presented to the MAC algorithm. The HashAlgorithm
property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)
Returns 1 for success, 0 for failure.
OpaqueSignBytes Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->OpaqueSignBytes($data, $outData);
Digitally signs a binary data and returns the signature in PKCS#7 signed-data
format, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert
before invoking this method. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
OpaqueSignBytesAsync Deprecated (1)
Creates an asynchronous task to call the OpaqueSignBytes method with the arguments provided.
Returns null
on failure
OpaqueSignBytesENC Deprecated
# $outStr is a CkString (output)
$status = $crypt2->OpaqueSignBytesENC($data, $outStr);
$retStr = $crypt2->opaqueSignBytesENC($data);
Digitally signs a binary data and returns a PKCS#7 signed-data
signature binary-encoded as a string. The returned signature embeds the original data. Ensure to set a certificate by calling SetSigningCert
beforehand. The EncodingMode
property determines the output encoding such as base64
, hex
, base64_mime
, etc. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
OpaqueSignBytesENCAsync Deprecated (1)
Creates an asynchronous task to call the OpaqueSignBytesENC method with the arguments provided.
Returns null
on failure
OpaqueSignString Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->OpaqueSignString($str, $outData);
Digitally signs a string and returns PKCS#7 signed-data
. The Charset
property determines the actual bytes that are hashed and signed. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
OpaqueSignStringAsync Deprecated (1)
Creates an asynchronous task to call the OpaqueSignString method with the arguments provided.
Returns null
on failure
OpaqueVerifyBytes Deprecated
# $outOriginal is a CkByteData (output)
$status = $crypt2->OpaqueVerifyBytes($p7s, $outData);
Verifies a PKCS#7 signed-data
signature and returns the original data. If the signature fails verification, the returned data will be empty. Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
OpaqueVerifyBytesENC Deprecated
# $outOriginal is a CkByteData (output)
$status = $crypt2->OpaqueVerifyBytesENC($p7s, $outData);
Verifies a PKCS#7 signed-data
signature and returns the original data. If the signature fails verification, the returned data will be empty. The p7s is a binary-encoded string, using the encoding set by the EncodingMode
property.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
OpaqueVerifyString Deprecated
# $outOriginal is a CkString (output)
$status = $crypt2->OpaqueVerifyString($p7s, $outStr);
$retStr = $crypt2->opaqueVerifyString($p7s);
This function verifies a PKCS#7 signed-data
signature and returns the original text data. If the signature does not verify successfully, it returns an empty string. The Charset
property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.
SetMacKeyBytes Deprecated
SignBytes Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->SignBytes($data, $outData);
Digitally signs binary data and returns the binary detached
signature (PKCS#7 signed-data
). The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
SignBytesAsync Deprecated (1)
Creates an asynchronous task to call the SignBytes method with the arguments provided.
Returns null
on failure
SignBytesENC Deprecated
# $outStr is a CkString (output)
$status = $crypt2->SignBytesENC($data, $outStr);
$retStr = $crypt2->signBytesENC($data);
Digitally signs binary data and returns a detached
signature (PKCS#7 signed-data
) as a binary-encoded string. The EncodingMode
property determines the binary-encoding. Possible encodings include base64
, base64_mime
, hex
, and hex_lower
. The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing.
Returns 1 for success, 0 for failure.
SignBytesENCAsync Deprecated (1)
Creates an asynchronous task to call the SignBytesENC method with the arguments provided.
Returns null
on failure
SignString Deprecated
# $outData is a CkByteData (output)
$status = $crypt2->SignString($str, $outData);
Digitally signs a string and returns a the binary detached
signature (PKCS#7 signed-data
). The HashAlgorithm
property specifies the hash algorithm for creating the data's hash during signing. The Charset
property determines the actual bytes that are hashed and signed.
Returns 1 for success, 0 for failure.
SignStringAsync Deprecated (1)
Creates an asynchronous task to call the SignString method with the arguments provided.
Returns null
on failure
VerifyBytes Deprecated
Verifies a detached digital signature
against the original binary data. Returns 1
if the signature is verified.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
VerifyBytesENC Deprecated
# $encodedSig is a string
$retBool = $crypt2->VerifyBytesENC($data, $encodedSig);
Verifies a detached digital signature
against the original binary data. Returns 1
if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data
detached signature. The type of binary encoding, such as base64,
hex,
or base64_mime,
is determined by the EncodingMode
property.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
VerifyDetachedSignature
# $p7sFilename is a string
$retBool = $crypt2->VerifyDetachedSignature($inFilename, $p7sFilename);
This method is the same as VerifyP7S
. Applications should instead call VerifyP7S
.
VerifyString Deprecated
Verifies a detached digital signature
against the original text in str. Returns 1
if the signature is verified. The sig holds a binary PKCS#7 signed-data
detached signature. The Charset
property determines how the text in str is converted to bytes for signature validation.
Afterwards, you can retrieve signer certificates by using the NumSignerCerts
property and the GetSignerCert
method.
Returns 1 for success, 0 for failure.