Crypt2 C Reference Documentation

Crypt2

Current Version: 11.0.0

Chilkat encryption component.

Create/Dispose

HCkCrypt2 instance = CkCrypt2_Create();
// ...
CkCrypt2_Dispose(instance);
HCkCrypt2 CkCrypt2_Create(void);

Creates an instance of the HCkCrypt2 object and returns a handle ("void *" pointer). The handle is passed in the 1st argument for the functions listed on this page.

void CkCrypt2_Dispose(HCkCrypt2 handle);

Objects created by calling CkCrypt2_Create must be freed by calling this method. A memory leak occurs if a handle is not disposed by calling this function. Also, any handle returned by a Chilkat "C" function must also be freed by the application by calling the appropriate Dispose method, such as CkCrypt2_Dispose.

Callback Functions

void CkCrypt2_setAbortCheck(HCkCrypt2 cHandle, BOOL (*fnAbortCheck)(void));

Provides the opportunity for a method call to be aborted. If TRUE is returned, the operation in progress is aborted. Return FALSE to allow the current method call to continue. This callback function is called periodically based on the value of the HeartbeatMs property. (If HeartbeatMs is 0, then no callbacks are made.) As an example, to make 5 AbortCheck callbacks per second, set the HeartbeatMs property equal to 200.

void CkCrypt2_setPercentDone(HCkCrypt2 cHandle, BOOL (*fnPercentDone)(int pctDone));

Provides the percentage completed for any method that involves network communications or time-consuming processing (assuming it is a method where a percentage completion can be measured). This callback is only called when it is possible to know a percentage completion, and when it makes sense to express the operation as a percentage completed. The pctDone argument will have a value from 1 to 100. For methods that complete very quickly, the number of PercentDone callbacks will vary, but the final callback should have a value of 100. For long running operations, no more than one callback per percentage point will occur (for example: 1, 2, 3, ... 98, 99, 100).

This callback counts as an AbortCheck callback, and takes the place of the AbortCheck event when it fires.

The return value indicates whether the method call should be aborted, or whether it should proceed. Return TRUE to abort, and FALSE to proceed.

void CkCrypt2_setProgressInfo(HCkCrypt2 cHandle, void (*fnProgressInfo)(const char *name, const char *value));

This is a general callback that provides name/value information about what is happening at certain points during a method call. To see the information provided in ProgressInfo callbacks, if any, write code to handle this event and log the name/value pairs. Most are self-explanatory.

void CkCrypt2_setTaskCompleted(HCkCrypt2 cHandle, void (*fnTaskCompleted)(HCkTask hTask));

Called in the background thread when an asynchronous task completes. (Note: When an async method is running, all callbacks are in the background thread.)

Properties

AbortCurrent
BOOL CkCrypt2_getAbortCurrent(HCkCrypt2 cHandle);
void CkCrypt2_putAbortCurrent(HCkCrypt2 cHandle, BOOL newVal);
Introduced in version 9.5.0.58

When set to TRUE, causes the currently running method to abort. Methods that always finish quickly (i.e.have no length file operations or network communications) are not affected. If no method is running, then this property is automatically reset to FALSE when the next method is called. When the abort occurs, this property is reset to FALSE. Both synchronous and asynchronous method calls can be aborted. (A synchronous method call could be aborted by setting this property from a separate thread.)

top
BCryptWorkFactor
int CkCrypt2_getBCryptWorkFactor(HCkCrypt2 cHandle);
void CkCrypt2_putBCryptWorkFactor(HCkCrypt2 cHandle, int newVal);
Introduced in version 9.5.0.65

The BCrypt work factor to be used for the BCryptHash and BCryptVerify. This is the log2 of the number of rounds of hashing to apply. For example, if the work (cost) factor is 12, then 2^12 rounds of hashing are applied. The purpose of this cost factor is to make the BCrypt computation expensive enought to prevent brute-force attacks. (Any complaints about BCrypt not being fast enough will be ignored.)

This property must have a value ranging from 4 to 31 inclusive.

The default value is 10.

top
BlockSize
int CkCrypt2_getBlockSize(HCkCrypt2 cHandle);

The block-size (in bytes) of the selected encryption algorithm. For example, if the CryptAlgorithm property is set to aes, the BlockSize property is automatically set to 16. The block-size for the ARC4 streaming encryption algorithm is 1.

top
CadesEnabled
BOOL CkCrypt2_getCadesEnabled(HCkCrypt2 cHandle);
void CkCrypt2_putCadesEnabled(HCkCrypt2 cHandle, BOOL newVal);

Applies to all methods that create PKCS7 signatures. To create a CAdES-BES signature, set this property equal to TRUE. The default value of this property is FALSE.

top
CadesSigPolicyHash
void CkCrypt2_getCadesSigPolicyHash(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCadesSigPolicyHash(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cadesSigPolicyHash(HCkCrypt2 cHandle);

This is the base64 hash of the policy document located at the CadesSigPolicyUri. You can use either the SHA256 or SHA1 hash. You may use this online tool to compute the base64 hash: http://tools.chilkat.io/hashFileAtUrl.cshtml>Compute Base64 Hash for CaDES Signature Policy URL

Note: This property applies to all methods that create PKCS7 signatures. To create a CAdES-EPES signature, set the CadesEnabled property = TRUE, and also provide values for each of the following properties: CadesSigPolicyHash, CadesSigPolicyId, and CadesSigPolicyUri. For example (in pseudo-code):

cryptObj.CadesSigPolicyId = <code>2.16.76.1.7.1.1.1</code>
cryptObj.CadesSigPolicyUri = <code>http://politicas.icpbrasil.gov.br/PA_AD_RB.der</code>
cryptObj.CadesSigPolicyHash = <code>rySugyKaMhiMR8Y/o5yuU2A2bF0=</code>
Note: Do NOT use the values above. They are only provided as an example to show valid values. For example, the Policy ID is an OID. The Policy URI is a typically a URL to a DER encoded policy file, and the Policy Hash is a base64 encoded hash.

top
CadesSigPolicyId
void CkCrypt2_getCadesSigPolicyId(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCadesSigPolicyId(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cadesSigPolicyId(HCkCrypt2 cHandle);

See the description for the CadesSigPolicyHash property above.

top
CadesSigPolicyUri
void CkCrypt2_getCadesSigPolicyUri(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCadesSigPolicyUri(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cadesSigPolicyUri(HCkCrypt2 cHandle);

See the description for the CadesSigPolicyHash property above.

top
Charset
void CkCrypt2_getCharset(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCharset(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_charset(HCkCrypt2 cHandle);

This property specifies the character encoding used to represent text as bytes for encryption and hashing. By default, it uses the computer's ANSI charset, such as Windows-1252 for locales like the United States, United Kingdom, Western Europe, Australia, and New Zealand.

Most applications are advised to set this property to UTF-8. Chilkat plans to change its default to UTF-8 in a future major version to align with current standards. The current default of ANSI stems from a time when UTF-8 was not widely adopted.

top
CipherMode
void CkCrypt2_getCipherMode(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCipherMode(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cipherMode(HCkCrypt2 cHandle);

Sets the cipher mode for block encryption algorithms (AES, Blowfish,TwoFish, DES, 3DES, RC2). Possible values are CBC (the default) , ECB, CTR, OFB, GCM, and CFB. These acronyms have the following meanings:

  • CBC: Cipher Block Chaining,
  • ECB: Electronic CookBook
  • CTR: Counter Mode
  • CFB: Cipher Feedback
  • OFB: Output Feedback
  • GCM: Galois/Counter Mode
  • XTS: AES-XTS (starting in Chilkat v9.5.0.91, only works with AES encryption)

Prior to Chilkat v9.5.0.55, the CFB mode is only implemented for AES, Blowfish, and DES/3DES, and the CTR mode is only implemented for AES.

Starting in v9.5.0.55 CFB and OFB modes are useable with all encryption algorithms, and GCM (Galois/Counter Mode) is available with any cipher having a 16-byte block size, such as AES and Twofish. CFB, OFB, CTR, and GCM modes convert block ciphers into stream ciphers. In these modes of operation, the PaddingScheme property is unused because no padding occurs.

Starting in v9.5.0.91 Chilkat supports AES-XTS mode. XTS mode additionally uses a tweak key and tweak value, which are set via the XtsSetEncodedTweakKey, XtsSetEncodedTweakValue, and XtsSetDataUnitNumber. (The latter two functions provide alternative means of setting the tweak value.) Note: Chilkat fully supports AES-XTS mode with ciphertext-stealing, which means it will correctly encrypt/decrypt data with size not divisible by the block size (i.e. divisible by 16 bytes).

More Information and Examples
top
CmsOptions
void CkCrypt2_getCmsOptions(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCmsOptions(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cmsOptions(HCkCrypt2 cHandle);
Introduced in version 9.5.0.78

A JSON string for controlling extra CMS (PKCS7) signature and validation options.

More Information and Examples
top
CryptAlgorithm
void CkCrypt2_getCryptAlgorithm(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putCryptAlgorithm(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_cryptAlgorithm(HCkCrypt2 cHandle);

Selects the encryption algorithm for encrypting and decrypting. Possible values are: chacha20, pki, aes, blowfish2, des, 3des, rc2, arc4, twofish, pbes1 and pbes2. The pki encryption algorithm isn't a specific algorithm, but instead tells the component to encrypt/decrypt using public-key encryption (PKCS7/CMS) with digital certificates. The other choices are symmetric encryption algorithms that do not involve digital certificates and public/private keys.

The default value is aes

The original Chilkat implementation of Blowfish (in 2004) has a 4321 byte-swapping issue (the results are 4321 byte-swapped). The newer implementation (in 2006 and named blowfish2) does not byte swap. This should be used for compatibility with other Blowfish software. If an application needs to decrypt something encrypted with the old 4321 byte-swapped blowfish, set the property to blowfish_old.

Password-based encryption (PBE) is selected by setting this property to pbes1 or pbes2. Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at https://tools.ietf.org/html/rfc2898. If PBE is used, the underlying encryption algorithm is specified by the PbesAlgorithm property. The underlying encryption (PbesAlgorithm) for PBES1 is limited to 56-bit DES or 64-bit RC2.

Note:The chacha20 algorithm is introduced in Chilkat v9.5.0.55.

top
DebugLogFilePath
void CkCrypt2_getDebugLogFilePath(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putDebugLogFilePath(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_debugLogFilePath(HCkCrypt2 cHandle);

If set to a file path, this property logs the LastErrorText of each Chilkat method or property call to the specified file. This logging helps identify the context and history of Chilkat calls leading up to any crash or hang, aiding in debugging.

Enabling the VerboseLogging property provides more detailed information. This property is mainly used for debugging rare instances where a Chilkat method call causes a hang or crash, which should generally not happen.

Possible causes of hangs include:

  • A timeout property set to 0, indicating an infinite timeout.
  • A hang occurring within an event callback in the application code.
  • An internal bug in the Chilkat code causing the hang.

More Information and Examples
top
EncodingMode
void CkCrypt2_getEncodingMode(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putEncodingMode(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_encodingMode(HCkCrypt2 cHandle);

Controls the encoding of binary data to a printable string for many methods. The valid modes are Base64, modBase64, base64url, Base32, Base58, UU, QP (for quoted-printable), URL (for url-encoding), Hex, Q, B, url_oauth, url_rfc1738, url_rfc2396, url_rfc3986, fingerprint, or decimal.

The default value is base64

The fingerprint anddecimal encodings are introduced in Chilkat v9.5.0.55.

The fingerprint encoding is a lowercase hex encoding where each hex digit is separated by a colon character. For example: 6a:de:e0:af:56:f8:0c:04:11:5b:ef:4d:49:ad:09:23

The decimal encoding is for converting large decimal integers to/from a big-endian binary representation. For example, the decimal string 72623859790382856 converts to the bytes 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08.

More Information and Examples
top
FirstChunk
BOOL CkCrypt2_getFirstChunk(HCkCrypt2 cHandle);
void CkCrypt2_putFirstChunk(HCkCrypt2 cHandle, BOOL newVal);

Using the FirstChunk and LastChunk properties is the way to do streaming encryption or decryption with Chilkat.

By default, both FirstChunk and LastChunk are set to TRUE, indicating that the data passed to the encryption or decryption method is the full amount. To process data in multiple chunks, adjust these settings as follows:

1. For the first chunk, set FirstChunk = TRUE and LastChunk = FALSE.
2. For intermediate chunks, set both FirstChunk = FALSE and LastChunk = FALSE.
3. For the final chunk, set FirstChunk = FALSE and LastChunk = TRUE.

You can feed data chunks of any size, regardless of the encryption algorithm's block size (e.g., 16 bytes for AES). Chilkat will handle buffering and, upon receiving the final chunk, pad the output to the appropriate block size according to the selected PaddingScheme.

top
HashAlgorithm
void CkCrypt2_getHashAlgorithm(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putHashAlgorithm(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_hashAlgorithm(HCkCrypt2 cHandle);

Selects the hash algorithm used by methods that create hashes. The valid choices are sha1, sha256, sha384, sha512, sha3-224, sha3-256, sha3-384, sha3-512, md2, md5, haval, ripemd128, ripemd160,ripemd256, or ripemd320.

Note: SHA-2 designates a set of cryptographic hash functions that includes SHA-256, SHA-384, and SHA-512. Chilkat by definition supports SHA-2 because it supports these algorithms.

The default value is sha256.

Note: The HAVAL hash algorithm is affected by two other properties: HavalRounds and KeyLength.

  • The HavalRounds may have values of 3, 4, or 5.
  • The KeyLength may have values of 128, 160, 192, 224, or 256.

Note: The sha3-224, sha3-256, sha3-384, sha3-512 algorithms are added in Chilkat v9.5.0.83.

More Information and Examples
top
HavalRounds
int CkCrypt2_getHavalRounds(HCkCrypt2 cHandle);
void CkCrypt2_putHavalRounds(HCkCrypt2 cHandle, int newVal);

Applies to the HAVAL hash algorithm only and must be set to the integer value 3, 4, or 5. The default value is 3.

top
HeartbeatMs
int CkCrypt2_getHeartbeatMs(HCkCrypt2 cHandle);
void CkCrypt2_putHeartbeatMs(HCkCrypt2 cHandle, int newVal);

The number of milliseconds between each AbortCheck event callback. The AbortCheck callback allows an application to abort some methods call prior to completion. If HeartbeatMs is 0 (the default), no AbortCheck event callbacks will fire.

The methods with event callbacks are: CkDecryptFile, CkEncryptFile, HashFile, and HashFileENC.

top
IncludeCertChain
BOOL CkCrypt2_getIncludeCertChain(HCkCrypt2 cHandle);
void CkCrypt2_putIncludeCertChain(HCkCrypt2 cHandle, BOOL newVal);

Only applies when creating digital signatures. If TRUE (the default), then additional certificates (if any) in the chain of authentication are included in the PKCS7 digital signature.

top
InitialCount
int CkCrypt2_getInitialCount(HCkCrypt2 cHandle);
void CkCrypt2_putInitialCount(HCkCrypt2 cHandle, int newVal);
Introduced in version 9.5.0.55

The initial counter for the ChaCha20 encryption algorithm. The default value is 0.

top
IterationCount
int CkCrypt2_getIterationCount(HCkCrypt2 cHandle);
void CkCrypt2_putIterationCount(HCkCrypt2 cHandle, int newVal);

Iteration count to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

The purpose of the iteration count is to increase the computation required to encrypt and decrypt. A larger iteration count makes cracking via exhaustive search more difficult. The default value is 1024.

top
KeyLength
int CkCrypt2_getKeyLength(HCkCrypt2 cHandle);
void CkCrypt2_putKeyLength(HCkCrypt2 cHandle, int newVal);

The key length in bits for symmetric encryption algorithms. The default value is 256.

top
LastChunk
BOOL CkCrypt2_getLastChunk(HCkCrypt2 cHandle);
void CkCrypt2_putLastChunk(HCkCrypt2 cHandle, BOOL newVal);

See the documentation for the FirstChunk property.

top
LastErrorHtml
void CkCrypt2_getLastErrorHtml(HCkCrypt2 cHandle, HCkString retval);
const char *CkCrypt2_lastErrorHtml(HCkCrypt2 cHandle);

Provides HTML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

top
LastErrorText
void CkCrypt2_getLastErrorText(HCkCrypt2 cHandle, HCkString retval);
const char *CkCrypt2_lastErrorText(HCkCrypt2 cHandle);

Provides plain text information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

top
LastErrorXml
void CkCrypt2_getLastErrorXml(HCkCrypt2 cHandle, HCkString retval);
const char *CkCrypt2_lastErrorXml(HCkCrypt2 cHandle);

Provides XML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

top
LastMethodSuccess
BOOL CkCrypt2_getLastMethodSuccess(HCkCrypt2 cHandle);
void CkCrypt2_putLastMethodSuccess(HCkCrypt2 cHandle, BOOL newVal);

Indicates the success or failure of the most recent method call: TRUE means success, FALSE means failure. This property remains unchanged by property setters or getters. This method is present to address challenges in checking for null or Nothing returns in certain programming languages.

top
MacAlgorithm
void CkCrypt2_getMacAlgorithm(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putMacAlgorithm(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_macAlgorithm(HCkCrypt2 cHandle);
Introduced in version 9.5.0.55

Selects the MAC algorithm to be used for any of the Mac methods, such as MacStringENC, MacBytes, etc. The default value is hmac. Possible values are hmac and poly1305.

More Information and Examples
top
NumSignerCerts
int CkCrypt2_getNumSignerCerts(HCkCrypt2 cHandle);

This property is set when a digital signature is verified. It contains the number of signer certificates. Each signing certificate can be retrieved by calling the GetSignerCert method, passing an index from 0 to NumSignerCerts-1.

top
OaepHash
void CkCrypt2_getOaepHash(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putOaepHash(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_oaepHash(HCkCrypt2 cHandle);
Introduced in version 9.5.0.67

Selects the hash algorithm for use within OAEP padding when encrypting using pki with RSAES-OAEP. The valid choices are sha1, sha256, sha384, sha512,

The default value is sha256

top
OaepMgfHash
void CkCrypt2_getOaepMgfHash(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putOaepMgfHash(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_oaepMgfHash(HCkCrypt2 cHandle);
Introduced in version 9.5.0.71

Selects the MGF hash algorithm for use within OAEP padding when encrypting using pki with RSAES-OAEP. The valid choices are sha1, sha256, sha384, sha512, The default is sha256.

top
OaepPadding
BOOL CkCrypt2_getOaepPadding(HCkCrypt2 cHandle);
void CkCrypt2_putOaepPadding(HCkCrypt2 cHandle, BOOL newVal);
Introduced in version 9.5.0.67

Selects the RSA encryption scheme when encrypting using pki (with a certificate and private key). The default value is FALSE, which selects RSAES_PKCS1-V1_5. If set to TRUE, then RSAES_OAEP is used.

top
PaddingScheme
int CkCrypt2_getPaddingScheme(HCkCrypt2 cHandle);
void CkCrypt2_putPaddingScheme(HCkCrypt2 cHandle, int newVal);

The padding scheme used by block encryption algorithms such as AES (Rijndael), Blowfish, Twofish, RC2, DES, 3DES, etc. Block encryption algorithms pad encrypted data to a multiple of algorithm's block size. The default value of this property is 0.

Possible values are:

0 = RFC 1423 padding scheme: Each padding byte is set to the number of padding bytes. If the data is already a multiple of algorithm's block size bytes, an extra block is appended each having a value equal to the block size. (for example, if the algorithm's block size is 16, then 16 bytes having the value 0x10 are added.). (This is also known as PKCS5 padding: PKCS #5 padding string consists of a sequence of bytes, each of which is equal to the total number of padding bytes added. )

1 = FIPS81 (Federal Information Processing Standards 81) where the last byte contains the number of padding bytes, including itself, and the other padding bytes are set to random values.

2 = Each padding byte is set to a random value. The decryptor must know how many bytes are in the original unencrypted data.

3 = Pad with NULLs. (If already a multiple of the algorithm's block size, no padding is added).

4 = Pad with SPACE chars(0x20). (If already a multiple of algorithm's block size, no padding is added).

More Information and Examples
top
PbesAlgorithm
void CkCrypt2_getPbesAlgorithm(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putPbesAlgorithm(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_pbesAlgorithm(HCkCrypt2 cHandle);

If the CryptAlgorithm property is set to pbes1 or pbes2, this property specifies the underlying encryption algorithm to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

top
PbesPassword
void CkCrypt2_getPbesPassword(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putPbesPassword(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_pbesPassword(HCkCrypt2 cHandle);

The password to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

top
Pkcs7CryptAlg
void CkCrypt2_getPkcs7CryptAlg(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putPkcs7CryptAlg(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_pkcs7CryptAlg(HCkCrypt2 cHandle);

When the CryptAlgorithm property is PKI to select PKCS7 public-key encryption, this selects the underlying symmetric encryption algorithm. Possible values are: aes, des, 3des, and rc2. The default value is aes.

top
Rc2EffectiveKeyLength
int CkCrypt2_getRc2EffectiveKeyLength(HCkCrypt2 cHandle);
void CkCrypt2_putRc2EffectiveKeyLength(HCkCrypt2 cHandle, int newVal);

The effective key length (in bits) for the RC2 encryption algorithm. When RC2 is used, both the KeyLength and Rc2EffectiveKeyLength properties should be set. For RC2, both should be between 8 and 1024 (inclusive).

The default value is 128

top
SigningAlg
void CkCrypt2_getSigningAlg(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putSigningAlg(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_signingAlg(HCkCrypt2 cHandle);
Introduced in version 9.5.0.67

This property selects the signature algorithm for the OpaqueSign*, Sign*, and CreateDetachedSignature, CreateP7M, and CreateP7S methods. The default value is PKCS1-v1_5. This can be set to RSASSA-PSS (or simply pss) to use the RSASSA-PSS signature scheme.

Note: This property only applies when the private key is an RSA private key. It does not apply for ECC or DSA private keys.

top
SigningAttributes
void CkCrypt2_getSigningAttributes(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putSigningAttributes(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_signingAttributes(HCkCrypt2 cHandle);
Introduced in version 9.5.0.75

Contains JSON to specify the authenticated (signed) attributes or unauthenticated (unsigned) attributes that are to be included in CMS signatures. The default value is:

{
    <code>contentType</code>: 1,
    <code>signingTime</code>: 1,
    <code>messageDigest</code>: 1
}

Other possible values that can be added are:

  • signingCertificateV2
  • signingCertificate
  • sMIMECapabilities
  • microsoftRecipientInfo
  • encrypKeyPref
  • cmsAlgorithmProtection
Contact Chilkat (support@chilkatsoft.com) about other signed/unsigned attributes that may be needed for CAdES signatures.

More Information and Examples
top
UncommonOptions
void CkCrypt2_getUncommonOptions(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putUncommonOptions(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_uncommonOptions(HCkCrypt2 cHandle);
Introduced in version 9.5.0.83

This is a catch-all property to be used for uncommon needs. This property defaults to the empty string and should typically remain empty.

Can be set to a list of the following comma separated keywords:

  • UseConstructedOctets - Introduced in v9.5.0.83. When creating opaque CMS signatures (signatures that embed the data being signed), will use the constructed octets form of the ASN.1 that holds the data. This is to satify some validators that are brittle/fragile/picky and require a particular format, such as for the ICP-Brazil Digital Signature Standard.

top
Utf8
BOOL CkCrypt2_getUtf8(HCkCrypt2 cHandle);
void CkCrypt2_putUtf8(HCkCrypt2 cHandle, BOOL newVal);

When set to TRUE, all const char * arguments and return values are interpreted as UTF-8 strings. When set to FALSE, they are interpreted as ANSI strings.

In Chilkat v11.0.0 and later, the default value is TRUE. Before v11.0.0, it was FALSE.

top
UuFilename
void CkCrypt2_getUuFilename(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putUuFilename(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_uuFilename(HCkCrypt2 cHandle);

When UU encoding, this is the filename to be embedded in UU encoded output. The default is file.dat. When UU decoding, this is the filename found in the UU encoded input.

More Information and Examples
top
UuMode
void CkCrypt2_getUuMode(HCkCrypt2 cHandle, HCkString retval);
void CkCrypt2_putUuMode(HCkCrypt2 cHandle, const char *newVal);
const char *CkCrypt2_uuMode(HCkCrypt2 cHandle);

When UU encoding, this is the file permissions mode to be embedded in UU encoded output. The default is 644. When UU decoding, this property is set to the mode found in the UU encoded input.

top
VerboseLogging
BOOL CkCrypt2_getVerboseLogging(HCkCrypt2 cHandle);
void CkCrypt2_putVerboseLogging(HCkCrypt2 cHandle, BOOL newVal);

If set to TRUE, then the contents of LastErrorText (or LastErrorXml, or LastErrorHtml) may contain more verbose information. The default value is FALSE. Verbose logging should only be used for debugging. The potentially large quantity of logged information may adversely affect peformance.

top
Version
void CkCrypt2_getVersion(HCkCrypt2 cHandle, HCkString retval);
const char *CkCrypt2_version(HCkCrypt2 cHandle);

Version of the component/library, such as "10.1.0"

More Information and Examples
top

Methods

AddEncryptCert
void CkCrypt2_AddEncryptCert(HCkCrypt2 cHandle, HCkCert cert);

Adds a certificate for public-key encryption. To enable public-key encryption with digital certificates, set the CryptAlgorithm property to pki. Call AddEncryptCert separately for each certificate you wish to use for encryption.

Any of the Encrypt* methods will do RSA public-key encryption when the CryptAlgorithm is set to the keyword pki. The output is a PKCS#7 enveloped-data secure container.

top
AddPfxSourceBd
BOOL CkCrypt2_AddPfxSourceBd(HCkCrypt2 cHandle, HCkBinData bd, const char *password);
Introduced in version 11.0.0

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. bd should contain the bytes of a PFX file (also known as PKCS12 or .p12).

Note: Information about the certificate(s) needed for public-key decryption are included in the PKCS#7 enveloped-data. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
AddPfxSourceFile
BOOL CkCrypt2_AddPfxSourceFile(HCkCrypt2 cHandle, const char *pfxFilePath, const char *pfxPassword);

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times.

Note: Information about the certificate(s) needed for public-key decryption are included in the PKCS#7 enveloped-data. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
AddSigningCert
BOOL CkCrypt2_AddSigningCert(HCkCrypt2 cHandle, HCkCert cert);
Introduced in version 9.5.0.83

Call this method once per certificate to add multiple certificates for signing. If signing with a single certificate, then the SetSigningCert or SetSigningCert2 methods can be used instead.

Returns TRUE for success, FALSE for failure.

top
AesKeyUnwrap
BOOL CkCrypt2_AesKeyUnwrap(HCkCrypt2 cHandle, const char *kek, const char *wrappedKeyData, const char *encoding, HCkString outStr);
const char *CkCrypt2_aesKeyUnwrap(HCkCrypt2 cHandle, const char *kek, const char *wrappedKeyData, const char *encoding);
Introduced in version 9.5.0.66

Implements the AES Key Wrap Algorithm (RFC 3394) for unwrapping. The kek is the Key Encryption Key (the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.) The full list of supported encodings is available at the link below.

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The wrappedKeyData contains the data to be unwrapped. The result, if decoded, is 8 bytes less than the wrapped key data. For example, if a 256-bit AES key (32 bytes) is wrapped, the size of the wrapped key data is 40 bytes. Unwrapping restores it to the original 32 bytes.

Returns TRUE for success, FALSE for failure.

top
AesKeyUnwrapWithPadding
BOOL CkCrypt2_AesKeyUnwrapWithPadding(HCkCrypt2 cHandle, const char *kek, const char *wrappedKeyData, const char *encoding, HCkString outStr);
const char *CkCrypt2_aesKeyUnwrapWithPadding(HCkCrypt2 cHandle, const char *kek, const char *wrappedKeyData, const char *encoding);
Introduced in version 9.5.0.96

Implements the AES Key Wrap with Padding Algorithm (RFC 5649) for unwrapping. The kek is the Key Encryption Key (the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.)

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The wrappedKeyData contains the data to be unwrapped.

The unwrapped key is returned as an encoded string (using the encoding specified in encoding).

Returns TRUE for success, FALSE for failure.

top
AesKeyWrap
BOOL CkCrypt2_AesKeyWrap(HCkCrypt2 cHandle, const char *kek, const char *keyData, const char *encoding, HCkString outStr);
const char *CkCrypt2_aesKeyWrap(HCkCrypt2 cHandle, const char *kek, const char *keyData, const char *encoding);
Introduced in version 9.5.0.66

Implements the AES Key Wrap Algorithm (RFC 3394). The kek is the Key Encryption Key (the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.) The full list of supported encodings is available at the link below.

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The keyData contains the data to be key wrapped. It must be a multiple of 64-bits in length. In other words, if the keyData is decoded to binary, it should be a number of bytes that is a multiple of 8.

The return string, if decoded to binary bytes, is equal to the size of the key data + 8 additional bytes.

Returns TRUE for success, FALSE for failure.

top
AesKeyWrapWithPadding
BOOL CkCrypt2_AesKeyWrapWithPadding(HCkCrypt2 cHandle, const char *kek, const char *keyData, const char *encoding, HCkString outStr);
const char *CkCrypt2_aesKeyWrapWithPadding(HCkCrypt2 cHandle, const char *kek, const char *keyData, const char *encoding);
Introduced in version 9.5.0.96

Implements the AES Key Wrap with Padding Algorithm (RFC 5649). The kek is the Key Encryption Key (the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.)

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The keyData contains the data to be key wrapped.

Returns the wrapped key using the encoding specified in encoding.

Returns TRUE for success, FALSE for failure.

top
BCryptHash
BOOL CkCrypt2_BCryptHash(HCkCrypt2 cHandle, const char *password, HCkString outStr);
const char *CkCrypt2_bCryptHash(HCkCrypt2 cHandle, const char *password);
Introduced in version 9.5.0.65

Computes and returns a bcrypt hash of the password. The number of rounds of hashing is determined by the BCryptWorkFactor property.

Starting in v9.5.0.76, if the password is prefixed with $2b$ then the output will use the $2b version of bcrypt. For example, to create a $2b$ bcrypt has for the password secret, pass in the string $2b$secret for password.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
BCryptVerify
BOOL CkCrypt2_BCryptVerify(HCkCrypt2 cHandle, const char *password, const char *bcryptHash);
Introduced in version 9.5.0.65

Verifies the password against a previously computed BCrypt hash. Returns TRUE if the password matches the bcryptHash. Returns FALSE if the password does not match.

Returns TRUE for success, FALSE for failure.

top
CkDecryptFile
BOOL CkCrypt2_CkDecryptFile(HCkCrypt2 cHandle, const char *srcFile, const char *destFile);

File-to-file decryption that supports files of any size by using internal streaming mode.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
CkDecryptFileAsync (1)
HCkTask CkCrypt2_CkDecryptFileAsync(HCkCrypt2 cHandle, const char *srcFile, const char *destFile);

Creates an asynchronous task to call the CkDecryptFile method with the arguments provided.

Returns NULL on failure

top
CkEncryptFile
BOOL CkCrypt2_CkEncryptFile(HCkCrypt2 cHandle, const char *srcFile, const char *destFile);

File-to-file encryption that operates in streaming mode, allowing it to encrypt files of any size.

Returns TRUE for success, FALSE for failure.

top
CkEncryptFileAsync (1)
HCkTask CkCrypt2_CkEncryptFileAsync(HCkCrypt2 cHandle, const char *srcFile, const char *destFile);

Creates an asynchronous task to call the CkEncryptFile method with the arguments provided.

Returns NULL on failure

top
ClearEncryptCerts
void CkCrypt2_ClearEncryptCerts(HCkCrypt2 cHandle);

Clears the internal list of digital certificates to be used for public-key encryption.

More Information and Examples
top
ClearSigningCerts
void CkCrypt2_ClearSigningCerts(HCkCrypt2 cHandle);
Introduced in version 9.5.0.83

Clears the set of certificates to be used in signing.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
CoSign
BOOL CkCrypt2_CoSign(HCkCrypt2 cHandle, HCkBinData bdIn, HCkCert cert, HCkBinData bdOut);
Introduced in version 9.5.0.89

Co-sign's an existing CMS signature. bdIn contains the existing CMS signature. If successful, cert is the output co-signed CMS signature.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
CrcBd
unsigned long CkCrypt2_CrcBd(HCkCrypt2 cHandle, const char *crcAlg, HCkBinData bd);
Introduced in version 11.0.0

Computes a CRC for data contained in crcAlg, which can be either crc-32 used in the Zip file format, or crc8 for the CRC8 algorithm.

More Information and Examples
top
CrcFile
unsigned long CkCrypt2_CrcFile(HCkCrypt2 cHandle, const char *crcAlg, const char *path);
Introduced in version 9.5.0.38

Calculates the CRC for a file's contents using the CRC algorithm specified by crcAlg. Possible algorithms are:

  • crc-32 - This is the CRC used in the Zip file format.
  • crc8

More Information and Examples
top
CrcFileAsync (1)
HCkTask CkCrypt2_CrcFileAsync(HCkCrypt2 cHandle, const char *crcAlg, const char *path);
Introduced in version 9.5.0.38

Creates an asynchronous task to call the CrcFile method with the arguments provided.

Returns NULL on failure

top
CreateP7M
BOOL CkCrypt2_CreateP7M(HCkCrypt2 cHandle, const char *inFilename, const char *p7mPath);

Signs the contents of inFilename and writes the enveloping (i.e. opaque) PKCS7 signature (.p7m) to p7mPath.

In a PKCS#7/CMS signature, the signer computes a cryptographic hash (e.g. SHA-256) of the data, then uses their private key to sign that hash.

The signature = Sign( Hash(data) )

This signed hash is what gets stored in the signature file. For enveloping/opaque signatures, the signed data is also stored in the signature file.

Set the HashAlgorithm property to specify the hash algorithmg. The valid options are sha256, sha1, sha384, and sha512.

Returns TRUE for success, FALSE for failure.

top
CreateP7MAsync (1)
HCkTask CkCrypt2_CreateP7MAsync(HCkCrypt2 cHandle, const char *inFilename, const char *p7mPath);

Creates an asynchronous task to call the CreateP7M method with the arguments provided.

Returns NULL on failure

top
CreateP7S
BOOL CkCrypt2_CreateP7S(HCkCrypt2 cHandle, const char *inFilename, const char *p7sPath);

Signs the contents of inFilename and writes the detached PKCS7 signature (.p7s) to p7sPath.

In a PKCS#7/CMS detached signature, the signer computes a cryptographic hash (e.g. SHA-256) of the data, then uses their private key to sign that hash.

The signature = Sign( Hash(data) )

This signed hash is what gets stored in the signature file.

Set the HashAlgorithm property to specify the hash algorithmg. The valid options are sha256, sha1, sha384, and sha512.

Returns TRUE for success, FALSE for failure.

top
CreateP7SAsync (1)
HCkTask CkCrypt2_CreateP7SAsync(HCkCrypt2 cHandle, const char *inFilename, const char *p7sPath);

Creates an asynchronous task to call the CreateP7S method with the arguments provided.

Returns NULL on failure

top
DecodeString
BOOL CkCrypt2_DecodeString(HCkCrypt2 cHandle, const char *inStr, const char *charset, const char *encoding, HCkString outStr);
const char *CkCrypt2_decodeString(HCkCrypt2 cHandle, const char *inStr, const char *charset, const char *encoding);

Decodes from an encoding back to the original string. The encoding can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns TRUE for success, FALSE for failure.

top
DecryptBd
BOOL CkCrypt2_DecryptBd(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.67

Decrypts the contents of bd. This method can do either symmetric key decryption or CMS public key decryption (e.g., PKCS#7 EnvelopedData).

Before calling this method for symmetric key decryption (e.g., AES, ChaCha20, Blowfish, etc.), ensure the following setup:

  1. Define the encryption algorithm using the CryptAlgorithm property.
  2. Specify the encryption key length with the KeyLength property.
  3. Establish the cipher mode through the CipherMode property.
  4. Use the SetEncodedIV method to set the IV, if needed by the cipher mode.
  5. Set the encryption key with the SetEncodedKey method.
  6. Ensure the PaddingScheme property matches the encryptor's value.

When calling this method for public key decryption (i.e. decrypting a PKCS7 CMS message), the following setup is required:

  1. The CryptAlgorithm property should be set to the string "pki".
  2. Optionally specify the certificate to be used for decryption by calling SetDecryptCert. If SetDecryptCert is not called, then Chilkat will automatically search certificate sources (Windows certificate stores, Apple keychain, etc.) for the required certificate.

Returns TRUE for success, FALSE for failure.

top
DecryptEncoded
BOOL CkCrypt2_DecryptEncoded(HCkCrypt2 cHandle, const char *encodedEncryptedData, HCkString outStr);
const char *CkCrypt2_decryptEncoded(HCkCrypt2 cHandle, const char *encodedEncryptedData);

Decrypts encoded encrypted data, and returns the decrypted data as a binary encoded string. For example:

Input → Decode EncodingMode → Decrypt → Encode EncodingMode → Output

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
DecryptSb
BOOL CkCrypt2_DecryptSb(HCkCrypt2 cHandle, HCkBinData bdIn, HCkStringBuilder sbOut);
Introduced in version 9.5.0.67

This function is intended for use when the expected decrypted output is text. It decrypts the contents of bdIn and appends the resulting string to sbOut. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

Input → Decrypt → Interpret Bytes according to Charset → Append to StringBuilder

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns TRUE for success, FALSE for failure.

top
DecryptSecureENC
BOOL CkCrypt2_DecryptSecureENC(HCkCrypt2 cHandle, const char *cipherText, HCkSecureString secureStr);
Introduced in version 9.5.0.71

This function is intended for use when the expected decrypted output is text. It decrypts binary encoded encrypted bytes passed in cipherText and appends the resulting string to secureStr. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

Input → Decode using EncodingMode → Decrypt → Interpret Bytes according to Charset → Append to Secure String

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
DecryptStringENC
BOOL CkCrypt2_DecryptStringENC(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_decryptStringENC(HCkCrypt2 cHandle, const char *str);

This function is intended for use when the expected decrypted output is text. It decrypts binary encoded encrypted bytes passed in str and appends the resulting string to ARG2. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

Input → Decode using EncodingMode → Decrypt → Interpret Bytes according to Charset → Output

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns TRUE for success, FALSE for failure.

top
EncodeBytes
BOOL CkCrypt2_EncodeBytes(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, const char *encoding, HCkString outStr);
const char *CkCrypt2_encodeBytes(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, const char *encoding);

Encode binary data to base64, hex, quoted-printable, or URL-encoding. The encoding can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

The pByteData points to the bytes to be encoded. The szByteData specifies the number of bytes to encode.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
EncodeInt
BOOL CkCrypt2_EncodeInt(HCkCrypt2 cHandle, int value, int numBytes, BOOL littleEndian, const char *encoding, HCkString outStr);
const char *CkCrypt2_encodeInt(HCkCrypt2 cHandle, int value, int numBytes, BOOL littleEndian, const char *encoding);
Introduced in version 9.5.0.77

Encodes an integer to N bytes and returns in the specified encoding. If littleEndian is TRUE, then little-endian byte ordering is used. Otherwise big-endian byte order is used.

Returns TRUE for success, FALSE for failure.

top
EncodeString
BOOL CkCrypt2_EncodeString(HCkCrypt2 cHandle, const char *strToEncode, const char *charsetName, const char *toEncodingName, HCkString outStr);
const char *CkCrypt2_encodeString(HCkCrypt2 cHandle, const char *strToEncode, const char *charsetName, const char *toEncodingName);

Encodes a string. The toEncodingName can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding). The charsetName is important, and usually you'll want to specify ansi. For example, if the string ABC is to be encoded to hex using ANSI, the result will be 414243. However, if unicode is used, the result is 410042004300.

Returns TRUE for success, FALSE for failure.

top
EncryptBd
BOOL CkCrypt2_EncryptBd(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.67

Encrypts the contents of bd. This method can do either symmetric key encryption or CMS public key encryption (e.g., PKCS#7 EnvelopedData).

Before calling this method for symmetric key encryption (e.g., AES, ChaCha20, Blowfish, etc.), ensure the following setup:

  1. Define the encryption algorithm using the CryptAlgorithm property.
  2. Specify the encryption key length with the KeyLength property.
  3. Establish the cipher mode through the CipherMode property.
  4. Use the SetEncodedIV method to set the IV, if needed by the cipher mode.
  5. Set the encryption key with the SetEncodedKey method.
  6. Set the PaddingScheme property if needing something different than the default.

When calling this method for public key encryption (i.e. creating a PKCS7 CMS message), the following setup is required:

  1. The CryptAlgorithm property should be set to the string "pki".
  2. To specify the encryption certificate, use SetEncryptCert. For multiple certificates, call AddEncryptCert for each one.

Returns TRUE for success, FALSE for failure.

top
EncryptEncoded
BOOL CkCrypt2_EncryptEncoded(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_encryptEncoded(HCkCrypt2 cHandle, const char *str);

Encrypts binary-encoded data and returns it as a binary-encoded string. For example:

Input → Decode EncodingMode → Encrypt → Encode EncodingMode → Output

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the method documentation.

Returns TRUE for success, FALSE for failure.

top
EncryptSb
BOOL CkCrypt2_EncryptSb(HCkCrypt2 cHandle, HCkStringBuilder sbIn, HCkBinData bdOut);
Introduced in version 9.5.0.67

Encrypts text and appends the encrypted bytes in bdOut. The Charset property, such as utf-8, determines the actual bytes that are encrypted.

StringBuilder → Get bytes according to Charset → Encrypt → Append to BinData

This method supports symmetric key and public key encryption. For more information on properties that affect encryption, such as CryptAlgorithm, CipherMode, etc., refer to the EncryptBd method documentation.

Returns TRUE for success, FALSE for failure.

top
EncryptSecureENC
BOOL CkCrypt2_EncryptSecureENC(HCkCrypt2 cHandle, HCkSecureString secureStr, HCkString outStr);
const char *CkCrypt2_encryptSecureENC(HCkCrypt2 cHandle, HCkSecureString secureStr);
Introduced in version 9.5.0.71

Identical to EncryptStringENC, except the clear-text contained within the secureStr is encrypted and returned.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
EncryptStringENC
BOOL CkCrypt2_EncryptStringENC(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_encryptStringENC(HCkCrypt2 cHandle, const char *str);

Encrypts a string and returns the encrypted bytes as a binary encoded string. The EncodingMode property determines the binary encoding, such as base64, hex, hex_lower, base64url, base58, etc. The Charset property determines the actual bytes that are encrypted.

Returns TRUE for success, FALSE for failure.

top
GenEncodedSecretKey
BOOL CkCrypt2_GenEncodedSecretKey(HCkCrypt2 cHandle, const char *password, const char *encoding, HCkString outStr);
const char *CkCrypt2_genEncodedSecretKey(HCkCrypt2 cHandle, const char *password, const char *encoding);

Important: In the v9.5.0.49 release, a bug involving this method was introduced: The encoding is ignored and instead the encoding used is the current value of the EncodingMode property. The workaround is to make sure the EncodingMode property is set to the value of the desired output encoding. This problem will be fixed in v9.5.0.50.

Identical to the GenerateSecretKey method, except it returns the binary secret key as a string encoded according to encoding, which may be base64, hex, url, etc. Please see the documentation for GenerateSecretKey for more information.

Returns TRUE for success, FALSE for failure.

top
GenerateUuid
BOOL CkCrypt2_GenerateUuid(HCkCrypt2 cHandle, HCkString outStr);
const char *CkCrypt2_generateUuid(HCkCrypt2 cHandle);
Introduced in version 9.5.0.55

Generates a random UUID string having standard UUID format, such as de305d54-75b4-431b-adb2-eb6b9e546014.

Note: This generates a version 4 UUID using random byte values. See RFC 4122.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
GenRandomBytesENC
BOOL CkCrypt2_GenRandomBytesENC(HCkCrypt2 cHandle, int numBytes, HCkString outStr);
const char *CkCrypt2_genRandomBytesENC(HCkCrypt2 cHandle, int numBytes);

Generates numBytes random bytes and returns them as an encoded string. The encoding, such as base64, hex, etc. is controlled by the EncodingMode property.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
GetEncodedAad
BOOL CkCrypt2_GetEncodedAad(HCkCrypt2 cHandle, const char *encoding, HCkString outStr);
const char *CkCrypt2_getEncodedAad(HCkCrypt2 cHandle, const char *encoding);
Introduced in version 9.5.0.55

Returns the authenticated additional data as an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, or url.

The Aad is used when the CipherMode is gcm (Galois/Counter Mode), which is a mode valid for symmetric ciphers that have a block size of 16 bytes, such as AES or Twofish.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
GetEncodedAuthTag
BOOL CkCrypt2_GetEncodedAuthTag(HCkCrypt2 cHandle, const char *encoding, HCkString outStr);
const char *CkCrypt2_getEncodedAuthTag(HCkCrypt2 cHandle, const char *encoding);
Introduced in version 9.5.0.55

Returns the authentication tag as an encoded string. The encoding argument may be set to any of the following strings: base64, hex, quoted-printable, or url. The authentication tag is an output of authenticated encryption modes such as GCM when encrypting. When GCM mode decrypting, the authenticate tag is set by the application and is the expected result.

The authenticated tag plays a role when the CipherMode is gcm (Galois/Counter Mode), which is a mode valid for symmetric block ciphers that have a block size of 16 bytes, such as AES or Twofish.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
GetEncodedIV
BOOL CkCrypt2_GetEncodedIV(HCkCrypt2 cHandle, const char *encoding, HCkString outIV);
const char *CkCrypt2_getEncodedIV(HCkCrypt2 cHandle, const char *encoding);

Returns the initialization vector as an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, or url.

Returns TRUE for success, FALSE for failure.

top
GetEncodedKey
BOOL CkCrypt2_GetEncodedKey(HCkCrypt2 cHandle, const char *encoding, HCkString outKey);
const char *CkCrypt2_getEncodedKey(HCkCrypt2 cHandle, const char *encoding);

Returns the secret key as an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, or url.

Returns TRUE for success, FALSE for failure.

top
GetEncodedSalt
BOOL CkCrypt2_GetEncodedSalt(HCkCrypt2 cHandle, const char *encoding, HCkString outStr);
const char *CkCrypt2_getEncodedSalt(HCkCrypt2 cHandle, const char *encoding);

Returns the password-based encryption (PBE) salt bytes as an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, or url.

Returns TRUE for success, FALSE for failure.

top
GetLastJsonData
void CkCrypt2_GetLastJsonData(HCkCrypt2 cHandle, HCkJsonObject json);
Introduced in version 11.0.0

Provides information about what transpired in the last method called. For many methods, there is no information. For some methods, details about what transpired can be obtained via LastJsonData. For example, after calling a method to verify a signature, the LastJsonData will return JSON with details about the algorithms used for signature verification.

top
GetSignatureSigningTimeStr
BOOL CkCrypt2_GetSignatureSigningTimeStr(HCkCrypt2 cHandle, int index, HCkString outStr);
const char *CkCrypt2_getSignatureSigningTimeStr(HCkCrypt2 cHandle, int index);

This method retrieves the signing time of the Nth certificate used in a digital signature, after verification. The first certificate's signing time is at index index 0. The NumSignerCerts property indicates the total number of signing certificates (typically, only one is used).

Note: Before retrieving the signing time for a certificate, use the HasSignatureSigningTime method to check its availability. Skip indices without a signing time.

The signing time is returned in RFC822 string format.

Returns TRUE for success, FALSE for failure.

top
GetSignedAttributes
BOOL CkCrypt2_GetSignedAttributes(HCkCrypt2 cHandle, int signerIndex, HCkBinData pkcs7Der, HCkStringBuilder sbJson);
Introduced in version 9.5.0.75

Extracts the signed (authenticated) attributes for the Nth signer. In most cases, a signature has only one signer, and the signerIndex should equal 0 to specify the 1st (and only) signer.

The binary PKCS7 is passed in pkcs7Der. On success, the sbJson will contain the signed attributes in JSON format.

Sample JSON output:

{
  <code>signedAttributes</code>: [
    {
      <code>oid</code>: <code>1.2.840.113549.1.9.3</code>,
      <code>name</code>: <code>Content Type</code>
    },
    {
      <code>oid</code>: <code>1.2.840.113549.1.9.5</code>,
      <code>name</code>: <code>Signing Time</code>
    },
    {
      <code>oid</code>: <code>1.2.840.113549.1.9.4</code>,
      <code>name</code>: <code>Message Digest</code>
    },
    {
      <code>oid</code>: <code>1.2.840.113549.1.9.16.2.47</code>,
      <code>name</code>: <code>Signing Certificate V2</code>
    }
  ]
}

Returns TRUE for success, FALSE for failure.

top
HashBdENC
BOOL CkCrypt2_HashBdENC(HCkCrypt2 cHandle, HCkBinData bd, HCkString outStr);
const char *CkCrypt2_hashBdENC(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.66

Hashes the bytes in bd and returns the hash as a binary-encoded string. The hash algorithm is determined by the HashAlgorithm property, while the encoding is specified by the EncodingMode property. Encoding options include base64, hex, base64url, or others listed at the link below.

Returns TRUE for success, FALSE for failure.

top
HashBeginBytes2
BOOL CkCrypt2_HashBeginBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData);
Introduced in version 9.5.0.82

The same as HashBeginBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
HashBeginString
BOOL CkCrypt2_HashBeginString(HCkCrypt2 cHandle, const char *strData);

To hash a large amount of text, start by processing the first chunk using this method. For subsequent chunks, use the HashMoreString method as needed. Conclude by calling HashFinal (or HashFinalENC) to obtain the final result. The hash algorithm is determined by the HashAlgorithm property setting.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
HashChunkBd
BOOL CkCrypt2_HashChunkBd(HCkCrypt2 cHandle, BOOL firstChunk, HCkBinData bd);
Introduced in version 11.1.0

Start or continue hashing data in chunks. Set firstChunk to TRUE for the first chunk, and FALSE for subsequent chunks. Finish by calling HashFinalENC to obtain the result. The hash algorithm used is determined by the HashAlgorithm property.

Returns TRUE for success, FALSE for failure.

top
HashFileENC
BOOL CkCrypt2_HashFileENC(HCkCrypt2 cHandle, const char *path, HCkString outStr);
const char *CkCrypt2_hashFileENC(HCkCrypt2 cHandle, const char *path);

Hashes a file and returns the hash as an encoded string.

The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64, hex, base64url, or any of the encodings listed at the link below.

Any size file is supported because the file is hashed internally in streaming mode (keeping memory usage low and constant).

Returns TRUE for success, FALSE for failure.

top
HashFileENCAsync (1)
HCkTask CkCrypt2_HashFileENCAsync(HCkCrypt2 cHandle, const char *path);

Creates an asynchronous task to call the HashFileENC method with the arguments provided.

Returns NULL on failure

top
HashFinalENC
BOOL CkCrypt2_HashFinalENC(HCkCrypt2 cHandle, HCkString outStr);
const char *CkCrypt2_hashFinalENC(HCkCrypt2 cHandle);

Finalizes a multi-step hash computation and returns the hash bytes encoded according to the EncodingMode property setting.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
HashMoreBytes2
BOOL CkCrypt2_HashMoreBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData);
Introduced in version 9.5.0.82

The same as HashMoreBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
HashMoreString
BOOL CkCrypt2_HashMoreString(HCkCrypt2 cHandle, const char *strData);

Adds more text to the hash currently under computation. (See HashBeginString)

Returns TRUE for success, FALSE for failure.

top
HashStringENC
BOOL CkCrypt2_HashStringENC(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_hashStringENC(HCkCrypt2 cHandle, const char *str);

Hashes a string and returns the hash bytes as an encoded string.

The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64, hex, base64url, or any of the encodings listed at the link below.

The Charset property controls the character encoding of the string that is hashed. Languages such as VB.NET, C#, and Visual Basic work with Unicode strings. If it is desired to hash Unicode directly (2 bytes/char) then set the Charset property to Unicode. To implicitly convert to another charset before hashing, set the Charset property to the desired charset. For example, if Charset is set to iso-8859-1, the input string is first implicitly converted to iso-8859-1 (1 byte per character) before hashing. The full list of supported charsets is listed in the EncryptString method description.

Returns TRUE for success, FALSE for failure.

top
HasSignatureSigningTime
BOOL CkCrypt2_HasSignatureSigningTime(HCkCrypt2 cHandle, int index);

This method can be called after a digital signature has been verified by one of the Verify* methods. Returns TRUE if a signing time for the Nth certificate is available and can be retrieved by either the GetSignatureSigningTime or GetSignatureSigningTimeStr methods.

top
Hotp
BOOL CkCrypt2_Hotp(HCkCrypt2 cHandle, const char *secret, const char *secretEnc, const char *counterHex, int numDigits, int truncOffset, const char *hashAlg, HCkString outStr);
const char *CkCrypt2_hotp(HCkCrypt2 cHandle, const char *secret, const char *secretEnc, const char *counterHex, int numDigits, int truncOffset, const char *hashAlg);
Introduced in version 9.5.0.77

Implements RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm. The arguments to this method are:

  • secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
  • secretEnc: The encoding of the shared secret, such as base64
  • counterHex: The 8-byte counter in hexidecimal format.
  • numDigits: The number of decimal digits to return.
  • truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
  • hashAlg: Normally set to sha1. Can be set to other hash algorithms such as sha256, sha512, etc.

Returns TRUE for success, FALSE for failure.

top
LastDecryptCert
BOOL CkCrypt2_LastDecryptCert(HCkCrypt2 cHandle, HCkCert cert);
Introduced in version 11.0.0

Returns in cert the last certificate used for public-key decryption.

Returns TRUE for success, FALSE for failure.

top
LastSignerCert
BOOL CkCrypt2_LastSignerCert(HCkCrypt2 cHandle, int index, HCkCert cert);
Introduced in version 11.0.0

Returns the Nth certificate used for signing in cert. This method can be called after verifying a digital signature to get the signer certs. The 1st certificate is at index 0. The NumSignerCerts property contains the total number of signing certificates. (Typically, a single certificate is used in creating a digital signature.)

Returns TRUE for success, FALSE for failure.

top
LoadTaskCaller
BOOL CkCrypt2_LoadTaskCaller(HCkCrypt2 cHandle, HCkTask task);
Introduced in version 9.5.0.80

Loads the caller of the task's async method.

Returns TRUE for success, FALSE for failure.

top
MacBdENC
BOOL CkCrypt2_MacBdENC(HCkCrypt2 cHandle, HCkBinData bd, HCkString outStr);
const char *CkCrypt2_macBdENC(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.66

Computes a Message Authentication Code (MAC) for the bytes in bd using the algorithm defined in the MacAlgorithm property. The result is then encoded to a string using the format specified by the EncodingMode property (e.g., base64, hex). The HashAlgorithm property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)

Returns TRUE for success, FALSE for failure.

top
MacStringENC
BOOL CkCrypt2_MacStringENC(HCkCrypt2 cHandle, const char *inText, HCkString outStr);
const char *CkCrypt2_macStringENC(HCkCrypt2 cHandle, const char *inText);
Introduced in version 9.5.0.55

Computes a Message Authentication Code using the MAC algorithm specified in the MacAlgorithm property. The result is encoded to a string using the encoding (base64, hex, etc.) specified by the EncodingMode property.

Returns TRUE for success, FALSE for failure.

top
MySqlAesDecrypt
BOOL CkCrypt2_MySqlAesDecrypt(HCkCrypt2 cHandle, const char *strEncryptedHex, const char *strPassword, HCkString outStr);
const char *CkCrypt2_mySqlAesDecrypt(HCkCrypt2 cHandle, const char *strEncryptedHex, const char *strPassword);

Matches MySQL's AES_DECRYPT function. strEncryptedHex is a hex-encoded string of the AES encrypted data. The return value is the original unencrypted string.

Returns TRUE for success, FALSE for failure.

top
MySqlAesEncrypt
BOOL CkCrypt2_MySqlAesEncrypt(HCkCrypt2 cHandle, const char *strData, const char *strPassword, HCkString outStr);
const char *CkCrypt2_mySqlAesEncrypt(HCkCrypt2 cHandle, const char *strData, const char *strPassword);

Matches MySQL's AES_ENCRYPT function. The return value is a hex-encoded string of the encrypted data. The equivalent call in MySQL would look like this: HEX(AES_ENCRYPT('The quick brown fox jumps over the lazy dog','password'))

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
OpaqueSignBd
BOOL CkCrypt2_OpaqueSignBd(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.67

Digitally signs the contents of bd. If successful, the contents of bd are replaced with the PKCS#7 signed-data, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert before invoking this method. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignBdAsync (1)
HCkTask CkCrypt2_OpaqueSignBdAsync(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the OpaqueSignBd method with the arguments provided.

Returns NULL on failure

top
OpaqueSignStringENC
BOOL CkCrypt2_OpaqueSignStringENC(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_opaqueSignStringENC(HCkCrypt2 cHandle, const char *str);

Digitally signs a string and returns PKCS#7 signed-data as a binary encoded string. The EncodingMode property determines the binary encoding, such as base64, hex, hex_lower, base64_mime, etc. The Charset property determines the actual bytes that are hashed and signed. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignStringENCAsync (1)
HCkTask CkCrypt2_OpaqueSignStringENCAsync(HCkCrypt2 cHandle, const char *str);

Creates an asynchronous task to call the OpaqueSignStringENC method with the arguments provided.

Returns NULL on failure

top
OpaqueVerifyBd
BOOL CkCrypt2_OpaqueVerifyBd(HCkCrypt2 cHandle, HCkBinData bd);
Introduced in version 9.5.0.67

The method performs in-place verification of the PKCS#7 signed-data content of bd. If the signature is successfully verified, the content of bd is replaced with the original data, and the method returns TRUE. If verification fails, bd remains unchanged, and the method returns FALSE. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
OpaqueVerifyStringENC
BOOL CkCrypt2_OpaqueVerifyStringENC(HCkCrypt2 cHandle, const char *p7m, HCkString outOriginal);
const char *CkCrypt2_opaqueVerifyStringENC(HCkCrypt2 cHandle, const char *p7m);

This function verifies a PKCS#7 signed-data binary-encoded signature and returns the original text data. The EncodingMode property determines how p7m is decoded to bytes. If the signature does not verify successfully, it returns an empty string. The Charset property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
Pbkdf1
BOOL CkCrypt2_Pbkdf1(HCkCrypt2 cHandle, const char *password, const char *charset, const char *hashAlg, const char *salt, int iterationCount, int outputKeyBitLen, const char *encoding, HCkString outStr);
const char *CkCrypt2_pbkdf1(HCkCrypt2 cHandle, const char *password, const char *charset, const char *hashAlg, const char *salt, int iterationCount, int outputKeyBitLen, const char *encoding);

Implements the PBKDF1 algorithm (Password Based Key Derivation Function #1). The password is converted to the character encoding represented by charset before being passed (internally) to the key derivation function. The hashAlg may be md5, sha1, md2, etc. The salt should be random data at least 8 bytes (64 bits) in length. (The GenRandomBytesENC method is good for generating a random salt value.) The iterationCount should be no less than 1000. The length (in bits) of the derived key output by this method is controlled by outputKeyBitLen. The encoding argument may be base64, hex, etc. It controls the encoding of the output, and the expected encoding of the salt. The derived key is returned.

Note: Starting in version 9.5.0.47, if the charset is set to one of the keywords hex or base64, then the password will be considered binary data that is hex or base64 encoded. The bytes will be decoded and used directly as a binary password.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
Pbkdf2
BOOL CkCrypt2_Pbkdf2(HCkCrypt2 cHandle, const char *password, const char *charset, const char *hashAlg, const char *salt, int iterationCount, int outputKeyBitLen, const char *encoding, HCkString outStr);
const char *CkCrypt2_pbkdf2(HCkCrypt2 cHandle, const char *password, const char *charset, const char *hashAlg, const char *salt, int iterationCount, int outputKeyBitLen, const char *encoding);

Implements the PBKDF2 algorithm as follows:

  1. Convert password to the character encoding specified by charset before using it in the key derivation function.
  2. hashAlg specifies the hash algorithm. Options include sha256, sha384, sha512, md5, sha1, md2, or any algorithm listed in the HashAlgorithm property.
  3. Provide a random salt value that is at least 8 bytes (64 bits) long. Use methods like GenRandomBytesENC to generate this salt value.
  4. Ensure iterationCount is 1000 or greater.
  5. Control the length of the derived key output using outputKeyBitLen.
  6. Set encoding to specify the encoding format for the output and the expected encoding for salt. Options include base64 and hex.

The derived key is the output of this process. Internally, PBKDF2 uses a pseudorandom function (PRF), specifically a keyed HMAC. The hash algorithm chosen with hashAlg dictates this PRF; for example, SHA256 uses HMAC-SHA256, while SHA1 uses HMAC-SHA1.

Note: If charset is hex or base64, password is treated as binary data. It will be decoded and used directly as a binary password. SHA256 uses HMAC-SHA256, while SHA1 uses HMAC-SHA1.

PBKDF1 and PBKDF2 are both key derivation functions used to strengthen passwords for cryptographic purposes, but PBKDF2 is the improved version.

  • PBKDF1: Older and limited—it can only generate small keys (up to the hash function’s output size), making it less flexible and secure.
  • PBKDF2: More advanced—it can generate longer keys, is more resistant to attacks, and is widely recommended for modern security needs.

In short, PBKDF2 is stronger and more versatile than PBKDF1.

Returns TRUE for success, FALSE for failure.

top
RandomizeIV
void CkCrypt2_RandomizeIV(HCkCrypt2 cHandle);

Sets the initialization vector to a random value.

top
RandomizeKey
void CkCrypt2_RandomizeKey(HCkCrypt2 cHandle);

Sets the secret key to a random value.

top
ReEncode
BOOL CkCrypt2_ReEncode(HCkCrypt2 cHandle, const char *encodedData, const char *fromEncoding, const char *toEncoding, HCkString outStr);
const char *CkCrypt2_reEncode(HCkCrypt2 cHandle, const char *encodedData, const char *fromEncoding, const char *toEncoding);

This tool allows for conversion between different encodings, such as from base64 to hex. It's particularly useful in programming environments where handling byte arrays is cumbersome. The encodings that can be specified for fromEncoding and toEncoding include: Base64, base64Url, modBase64, Base32, Base58, UU, QP (quoted-printable), URL (URL-encoding), Hex, Q, B, url_oauth, url_rfc1738, url_rfc2396, and url_rfc3986. Note that these encodings are case-insensitive.

Returns TRUE for success, FALSE for failure.

top
SetDecryptCert
BOOL CkCrypt2_SetDecryptCert(HCkCrypt2 cHandle, HCkCert cert);

Sets the digital certificate to be used for decryption when the CryptAlgorithm property is set to PKI. A private key is required for decryption. Because this method only specifies the certificate, a prerequisite is that the certificate w/ private key must have been pre-installed on the computer. Private keys are stored in the Windows Protected Store (either a user account specific store, or the system-wide store). The Chilkat component will automatically locate and find the certificate's corresponding private key from the protected store when decrypting.

Returns TRUE for success, FALSE for failure.

top
SetDecryptCert2
BOOL CkCrypt2_SetDecryptCert2(HCkCrypt2 cHandle, HCkCert cert, HCkPrivateKey key);

Sets the digital certificate to be used for decryption when the CryptAlgorithm property is set to PKI. The private key is supplied in the 2nd argument to this method, so there is no requirement that the certificate be pre-installed on a computer before decrypting (if this method is called).

Returns TRUE for success, FALSE for failure.

top
SetEncodedAad
BOOL CkCrypt2_SetEncodedAad(HCkCrypt2 cHandle, const char *aadStr, const char *encoding);
Introduced in version 9.5.0.55

Sets the authenticated additional data from an encoded string. The authenticated additional data (AAD), if any, is used in authenticated encryption modes such as GCM. The aadStr argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

The Aad is used when the CipherMode is gcm (Galois/Counter Mode), which is a mode valid for symmetric ciphers that have a block size of 16 bytes, such as AES or Twofish.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
SetEncodedAuthTag
BOOL CkCrypt2_SetEncodedAuthTag(HCkCrypt2 cHandle, const char *authTagStr, const char *encoding);
Introduced in version 9.5.0.55

Sets the expected authenticated tag from an encoded string. The authenticated tag is used in authenticated encryption modes such as GCM. An application would set the expected authenticated tag prior to decrypting. The authTagStr argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

The authenticated tag plays a role when the CipherMode is gcm (Galois/Counter Mode), which is a mode valid for symmetric block ciphers that have a block size of 16 bytes, such as AES or Twofish.

Note: You can set the authenticated tag to the special value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (16 0xFF bytes) to prevent Chilkat from checking the auth tag after decrypting.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
SetEncodedIV
void CkCrypt2_SetEncodedIV(HCkCrypt2 cHandle, const char *ivStr, const char *encoding);

Sets the initialization vector from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

top
SetEncodedKey
void CkCrypt2_SetEncodedKey(HCkCrypt2 cHandle, const char *keyStr, const char *encoding);

Sets the secret key from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

More Information and Examples
top
SetEncodedSalt
void CkCrypt2_SetEncodedSalt(HCkCrypt2 cHandle, const char *saltStr, const char *encoding);

Sets the password-based encryption (PBE) salt bytes from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

top
SetEncryptCert
BOOL CkCrypt2_SetEncryptCert(HCkCrypt2 cHandle, HCkCert cert);

Tells the encryption library to use a specific digital certificate for public-key encryption. To encrypt with multiple certificates, call AddEncryptCert once for each certificate. (Calling this method is the equivalent of calling ClearEncryptCerts followed by AddEncryptCert.)

Returns TRUE for success, FALSE for failure.

top
SetIV
void CkCrypt2_SetIV(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData);

Sets the initialization vector for a symmetric encryption algorithm (such as AES, BlowFish, TwoFish, DES, etc.). IV's are used in CBC mode (Cipher-Block-Chaining), but are not used in ECB mode (Electronic Cookbook). The length of the IV should equal the block size of the algorithm. (It is not equal to the key length). For AES and TwoFish, the block size (and thus IV size) is always 16 bytes. For Blowfish it's 8 bytes. For DES and 3DES it's 8 bytes.

top
SetMacKeyEncoded
BOOL CkCrypt2_SetMacKeyEncoded(HCkCrypt2 cHandle, const char *key, const char *encoding);
Introduced in version 9.5.0.55

Sets the MAC key to be used for one of the Mac methods. The encoding can be set to any of the following strings: base64, hex, quoted-printable, or url.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
SetMacKeyString
BOOL CkCrypt2_SetMacKeyString(HCkCrypt2 cHandle, const char *key);
Introduced in version 9.5.0.55

Sets the MAC key to be used for one of the Mac methods.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
SetSecretKey
void CkCrypt2_SetSecretKey(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData);

Sets the value of the SecretKey property.

top
SetSecretKeyViaPassword
void CkCrypt2_SetSecretKeyViaPassword(HCkCrypt2 cHandle, const char *password);

Accepts a password string and (internally) generates a binary secret key of the appropriate bit length and sets the SecretKey property. This method should only be used if you are using Chilkat for both encryption and decryption because the password-to-secret-key algorithm would need to be identical for the decryption to match the encryption.

There is no minimum or maximum password length. The password string is transformed to a binary secret key by computing the MD5 digest (of the utf-8 password) to obtain 16 bytes. If the KeyLength is greater than 16 bytes, then the MD5 digest of the Base64 encoding of the utf-8 password is added. A max of 32 bytes of key material is generated, and this is truncated to the actual KeyLength required. The example below shows how to manually duplicate the computation.

top
SetSigningCert
BOOL CkCrypt2_SetSigningCert(HCkCrypt2 cHandle, HCkCert cert);

Specifies a certificate to be used when creating PKCS7 digital signatures. Signing requires both a certificate and private key. In this case, the private key is implicitly specified if the certificate originated from a PFX that contains the corresponding private key, or if on a Windows-based computer where the certificate and corresponding private key are pre-installed. (If a PFX file is used, it is provided via the AddPfxSourceFile or AddPfxSourceData methods.)

Returns TRUE for success, FALSE for failure.

top
SetSigningCert2
BOOL CkCrypt2_SetSigningCert2(HCkCrypt2 cHandle, HCkCert cert, HCkPrivateKey privateKey);

Specifies a digital certificate and private key to be used for creating PKCS7 digital signatures.

Returns TRUE for success, FALSE for failure.

top
SetTsaHttpObj
void CkCrypt2_SetTsaHttpObj(HCkCrypt2 cHandle, HCkHttp http);

Sets the timestamp authority (TSA) options for cases where a CAdES-T signature is to be created. The http is used to send the requests, and it allows for connection related settings and timeouts to be set. For example, if HTTP or SOCKS proxies are required, these features can be specified on the http.

top
SetVerifyCert
BOOL CkCrypt2_SetVerifyCert(HCkCrypt2 cHandle, HCkCert cert);

Sets the digital certificate to be used in verifying a signature. In virtually all cases, a PKCS7 (CMS) signature already embeds the signing certificate information, and it is not necessary to explicitly call this method to specify the verification certificate. It is only needed in rare cases.

Returns TRUE for success, FALSE for failure.

top
SignBdENC
BOOL CkCrypt2_SignBdENC(HCkCrypt2 cHandle, HCkBinData dataToSign, HCkString outStr);
const char *CkCrypt2_signBdENC(HCkCrypt2 cHandle, HCkBinData dataToSign);
Introduced in version 9.5.0.67

Digitally signs the content in dataToSign and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
SignBdENCAsync (1)
HCkTask CkCrypt2_SignBdENCAsync(HCkCrypt2 cHandle, HCkBinData dataToSign);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the SignBdENC method with the arguments provided.

Returns NULL on failure

top
SignHashENC
BOOL CkCrypt2_SignHashENC(HCkCrypt2 cHandle, const char *encodedHash, const char *hashAlg, const char *hashEncoding, HCkString outStr);
const char *CkCrypt2_signHashENC(HCkCrypt2 cHandle, const char *encodedHash, const char *hashAlg, const char *hashEncoding);
Introduced in version 9.5.0.90

Digitally signs a pre-computed hash and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower

encodedHash is a binary-encoded hash to be signed, with its encoding format specified by hashEncoding (e.g., base64, hex). hashAlg specifies the hash algorithm (e.g., sha256, sha1, sha512) used for encodedHash.

Returns TRUE for success, FALSE for failure.

top
SignHashENCAsync (1)
HCkTask CkCrypt2_SignHashENCAsync(HCkCrypt2 cHandle, const char *encodedHash, const char *hashAlg, const char *hashEncoding);
Introduced in version 9.5.0.90

Creates an asynchronous task to call the SignHashENC method with the arguments provided.

Returns NULL on failure

top
SignSbENC
BOOL CkCrypt2_SignSbENC(HCkCrypt2 cHandle, HCkStringBuilder sb, HCkString outStr);
const char *CkCrypt2_signSbENC(HCkCrypt2 cHandle, HCkStringBuilder sb);
Introduced in version 9.5.0.67

Digitally signs the text contained in sb and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns TRUE for success, FALSE for failure.

top
SignSbENCAsync (1)
HCkTask CkCrypt2_SignSbENCAsync(HCkCrypt2 cHandle, HCkStringBuilder sb);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the SignSbENC method with the arguments provided.

Returns NULL on failure

top
SignStringENC
BOOL CkCrypt2_SignStringENC(HCkCrypt2 cHandle, const char *str, HCkString outStr);
const char *CkCrypt2_signStringENC(HCkCrypt2 cHandle, const char *str);

Digitally signs a string and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns TRUE for success, FALSE for failure.

top
SignStringENCAsync (1)
HCkTask CkCrypt2_SignStringENCAsync(HCkCrypt2 cHandle, const char *str);

Creates an asynchronous task to call the SignStringENC method with the arguments provided.

Returns NULL on failure

top
Totp
BOOL CkCrypt2_Totp(HCkCrypt2 cHandle, const char *secret, const char *secretEnc, const char *t0, const char *tNow, int tStep, int numDigits, int truncOffset, const char *hashAlg, HCkString outStr);
const char *CkCrypt2_totp(HCkCrypt2 cHandle, const char *secret, const char *secretEnc, const char *t0, const char *tNow, int tStep, int numDigits, int truncOffset, const char *hashAlg);
Introduced in version 9.5.0.77

Implements RFC 6238: TOTP: Time-Based One-Time Password Algorithm. The arguments to this method are:

  • secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
  • secretEnc: The encoding of the shared secret, such as base64
  • t0: The Unix time to start counting time steps. It is a number in decimal string form. A Unix time is the number of seconds elapsed since midnight UTC of January 1, 1970. 0 is a typical value used for this argument.
  • tNow: The current Unix time in decimal string form. To use the current system date/time, pass an empty string for this argument.
  • tStep: The time step in seconds. A typical value is 30. Note: Both client and server must pre-agree on the secret, the t0, and the tStep.
  • numDigits: The number of decimal digits to return.
  • truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
  • hashAlg: Normally set to sha1. Can be set to other hash algorithms such as sha256, sha512, etc.

Returns TRUE for success, FALSE for failure.

top
UseCertVault
BOOL CkCrypt2_UseCertVault(HCkCrypt2 cHandle, HCkXmlCertVault vault);
Introduced in version 9.5.0.40

Adds an XML certificate vault to the object's internal list of sources to be searched for certificates and private keys when encrypting/decrypting or signing/verifying. Unlike the AddPfxSourceData and AddPfxSourceFile methods, only a single XML certificate vault can be used. If UseCertVault is called multiple times, only the last certificate vault will be used, as each call to UseCertVault will replace the certificate vault provided in previous calls.

Returns TRUE for success, FALSE for failure.

top
VerifyBdENC
BOOL CkCrypt2_VerifyBdENC(HCkCrypt2 cHandle, HCkBinData data, const char *encodedSig);
Introduced in version 9.5.0.67

Verifies a detached digital signature against the original data contained in data. Returns TRUE if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
VerifyP7M
BOOL CkCrypt2_VerifyP7M(HCkCrypt2 cHandle, const char *p7mPath, const char *destPath);

Verifies an opaque digital signature contained in a .p7m file and extracts the original data to destPath. Returns TRUE if the .p7m is validated and the original data was extracted. Otherwise returns FALSE.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
VerifyP7S
BOOL CkCrypt2_VerifyP7S(HCkCrypt2 cHandle, const char *originalDataPath, const char *p7sPath);

Verifies a detached digital signature contained in a .p7s file against the original data contained in originalDataPath. Returns TRUE if the signature is verified.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
VerifySbENC
BOOL CkCrypt2_VerifySbENC(HCkCrypt2 cHandle, HCkStringBuilder sb, const char *encodedSig);
Introduced in version 9.5.0.67

Verifies a detached digital signature against the original text contained in sb. Returns TRUE if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property. The Charset property determines how the text in sb is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
VerifyStringENC
BOOL CkCrypt2_VerifyStringENC(HCkCrypt2 cHandle, const char *str, const char *encodedSig);

Verifies a detached digital signature against the original text in str. Returns TRUE if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property. The Charset property determines how the text in str is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
XtsSetDataUnitNumber
void CkCrypt2_XtsSetDataUnitNumber(HCkCrypt2 cHandle, unsigned long loUint32, unsigned long hiUint32);
Introduced in version 9.5.0.91

Sets the XTS-AES mode data unit number. The data unit number is a 64-bit unsigned integer. It is passed in as two 32-bit unsigned integers representing the high and low 32-bits.

Setting the data unit number is one way of setting the tweak value. The tweak value is 16 bytes in length and can alternatively be set by calling XtsSetEncodedTweakValue.

This method sets the tweak value such that the first 8 bytes are composed of the little-endian 64-bit data unit number, followed by 8 zero bytes.

(Unfortunately, Chilkat cannot use 64-bit integers in method arguments because many older programming environments, such as ActiveX, do not support it. Chilkat must present an identical and uniform API across all programming languages.)

top
XtsSetEncodedTweakKey
void CkCrypt2_XtsSetEncodedTweakKey(HCkCrypt2 cHandle, const char *key, const char *encoding);
Introduced in version 9.5.0.91

Sets the XTS-AES mode tweak key from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url. The tweak key should be equal in size to the encryption key. For example, to do 256-bit AES-XTS, the encryption key is 256-bits, and the tweak key is also 256-bits.

More Information and Examples
top
XtsSetEncodedTweakValue
void CkCrypt2_XtsSetEncodedTweakValue(HCkCrypt2 cHandle, const char *tweak, const char *encoding);
Introduced in version 9.5.0.91

Sets the XTS-AES mode tweak value from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

The tweak value must be 16 bytes in length. An application can set the initial tweak value by calling this method, or by calling XtsSetDataUnitNumber (but not both).

More Information and Examples
top

Deprecated

AddPfxSourceData Deprecated
BOOL CkCrypt2_AddPfxSourceData(HCkCrypt2 cHandle, HCkByteData pfxBytes, const char *pfxPassword);

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. pfxBytes should contain the bytes of a PFX file (also known as PKCS12 or .p12).

Returns TRUE for success, FALSE for failure.

top
CrcBytes Deprecated
unsigned long CkCrypt2_CrcBytes(HCkCrypt2 cHandle, const char *crcAlg, HCkByteData byteData);
Introduced in version 9.5.0.38

Calculates a CRC for byte data in memory using the CRC algorithm specified by crcAlg. Possible algorithms are:

  • crc-32 - This is the CRC used in the Zip file format.
  • crc8

top
Decode
BOOL CkCrypt2_Decode(HCkCrypt2 cHandle, const char *str, const char *encoding, HCkByteData outData);
This method is deprecated.

Applications should instead call BinData.AppendEncoded to append binary encoded data (such as base64) to a BinData object. The decoded binary bytes can then be obtained from the BinData object.

Decode binary data from an encoded string. The encoding can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns TRUE for success, FALSE for failure.

top
DecryptBytes Deprecated
BOOL CkCrypt2_DecryptBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData outData);

Decrypts a byte array and returns the unencrypted byte array. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.

Returns TRUE for success, FALSE for failure.

top
DecryptBytes2 Deprecated
BOOL CkCrypt2_DecryptBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as DecryptBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
DecryptBytesENC Deprecated
BOOL CkCrypt2_DecryptBytesENC(HCkCrypt2 cHandle, const char *str, HCkByteData outData);

Decrypts string-encoded encrypted data and returns the unencrypted byte array. Data encrypted with EncryptBytesENC can be decrypted with this method. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the EncodingMode, CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.

Returns TRUE for success, FALSE for failure.

top
DecryptStream
BOOL CkCrypt2_DecryptStream(HCkCrypt2 cHandle, HCkStream strm);
Introduced in version 9.5.0.56
This method is deprecated.

This method is deprecated. Applications should implement streaming decryption by using the FirstChunk and LastChunk properties.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
DecryptStreamAsync (1)
HCkTask CkCrypt2_DecryptStreamAsync(HCkCrypt2 cHandle, HCkStream strm);
Introduced in version 9.5.0.56
This method is deprecated.

Creates an asynchronous task to call the DecryptStream method with the arguments provided.

Returns NULL on failure

top
DecryptString Deprecated
BOOL CkCrypt2_DecryptString(HCkCrypt2 cHandle, HCkByteData data, HCkString outStr);
const char *CkCrypt2_decryptString(HCkCrypt2 cHandle, HCkByteData data);

Decrypts a previously encrypted string, using the Charset property to interpret the decrypted bytes as characters.

Returns TRUE for success, FALSE for failure.

top
Encode Deprecated
BOOL CkCrypt2_Encode(HCkCrypt2 cHandle, HCkByteData byteData, const char *encoding, HCkString outStr);
const char *CkCrypt2_encode(HCkCrypt2 cHandle, HCkByteData byteData, const char *encoding);

Encode binary data to base64, hex, quoted-printable, or URL-encoding. The encoding can be set to any of the following strings: base64, hex, quoted-printable (or qp), url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns TRUE for success, FALSE for failure.

top
EncryptBytes Deprecated
BOOL CkCrypt2_EncryptBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData outData);

Encrypts a byte array. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned.

Returns TRUE for success, FALSE for failure.

top
EncryptBytes2 Deprecated
BOOL CkCrypt2_EncryptBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as EncryptBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
EncryptBytesENC Deprecated
BOOL CkCrypt2_EncryptBytesENC(HCkCrypt2 cHandle, HCkByteData data, HCkString outStr);
const char *CkCrypt2_encryptBytesENC(HCkCrypt2 cHandle, HCkByteData data);

Encrypts a byte array and returns the encrypted data as an encoded (printable) string. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey, EncodingMode. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned. The encoding of the string that is returned is controlled by the EncodingMode property, which can be set to Base64, QP, or Hex.

Returns TRUE for success, FALSE for failure.

top
EncryptStream
BOOL CkCrypt2_EncryptStream(HCkCrypt2 cHandle, HCkStream strm);
Introduced in version 9.5.0.56
This method is deprecated.

This method is deprecated. Applications should implement streaming encryption or decryption by using the FirstChunk and LastChunk properties.

Returns TRUE for success, FALSE for failure.

More Information and Examples
top
EncryptStreamAsync (1)
HCkTask CkCrypt2_EncryptStreamAsync(HCkCrypt2 cHandle, HCkStream strm);
Introduced in version 9.5.0.56
This method is deprecated.

Creates an asynchronous task to call the EncryptStream method with the arguments provided.

Returns NULL on failure

top
EncryptString Deprecated
BOOL CkCrypt2_EncryptString(HCkCrypt2 cHandle, const char *str, HCkByteData outData);

Encrypts a string and returns the result as bytes, with the Charset property determining the specific byte encoding of what gets encrypted.

Returns TRUE for success, FALSE for failure.

top
GenerateSecretKey
BOOL CkCrypt2_GenerateSecretKey(HCkCrypt2 cHandle, const char *password, HCkByteData outData);
This method is deprecated and replaced by Pbkdf2

This method is deprecated and should be avoided because it transforms the password into a binary secret key using a transformation that is undocumented and specific to this Chilkat method. PBKDF2 is a standard and more secure method of generating a binary secret key from a password. An example using PBKDF2 is shown below.

This method converts a string into a byte array matching the bit length of the KeyLength property. For instance, if KeyLength is 128 bits, the resulting array will be 16 bytes. This byte array can be assigned to the SecretKey property. For decryption to work, the SecretKey must match exactly. To use password-based encryption, pass the password to this method to generate an appropriate binary secret key for the SecretKey property.

IMPORTANT: Do not use this method to decrypt data if another party has provided you with the secret key. It is intended to transform a password of any length into a correctly sized binary secret key.

Returns TRUE for success, FALSE for failure.

top
GetDecryptCert
HCkCert CkCrypt2_GetDecryptCert(HCkCrypt2 cHandle);
Introduced in version 9.5.0.46
This method is deprecated.

This method is deprecated. Application should instead call LastDecryptCert

Returns the last certificate used for public-key decryption.

Returns NULL on failure

top
GetSignerCert
HCkCert CkCrypt2_GetSignerCert(HCkCrypt2 cHandle, int index);
This method is deprecated.

This method is deprecated. Application should instead call LastSignerCert

Gets the Nth certificate used for signing. This method can be called after verifying a digital signature to get the signer certs. The 1st certificate is at index 0. The NumSignerCerts property contains the total number of signing certificates. (Typically, a single certificate is used in creating a digital signature.)

Returns NULL on failure

top
GetSignerCertChain
HCkCertChain CkCrypt2_GetSignerCertChain(HCkCrypt2 cHandle, int index);
Introduced in version 9.5.0.40
This method is deprecated.

This method is deprecated. Applications can get the cert chain by calling LastSignerCert to get the certificate object, and then get the certificate chain from the certificate object.

Returns the full certificate chain for the Nth certificate used to for signing. Indexing begins at 0.

Returns NULL on failure

top
HashBeginBytes Deprecated
BOOL CkCrypt2_HashBeginBytes(HCkCrypt2 cHandle, HCkByteData data);

To hash binary data in chunks, start by hashing the first chunk using this method. For additional chunks, use the HashMoreBytes method as needed. Complete the process with HashFinal or HashFinalENC to obtain the hash result. The hash algorithm used is determined by the HashAlgorithm property setting.

Returns TRUE for success, FALSE for failure.

top
HashBytes Deprecated
BOOL CkCrypt2_HashBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData outData);

Hashes a byte array using the algorithm specified by the HashAlgorithm property.

Returns TRUE for success, FALSE for failure.

top
HashBytes2 Deprecated
BOOL CkCrypt2_HashBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as HashBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
HashBytesENC Deprecated
BOOL CkCrypt2_HashBytesENC(HCkCrypt2 cHandle, HCkByteData data, HCkString outStr);
const char *CkCrypt2_hashBytesENC(HCkCrypt2 cHandle, HCkByteData data);

Hashes a byte array and returns the hash as a binary encoded string.

The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64, hex, base64url, or any of the encodings listed at the link below.

Returns TRUE for success, FALSE for failure.

top
HashFile Deprecated
BOOL CkCrypt2_HashFile(HCkCrypt2 cHandle, const char *path, HCkByteData outBytes);
This method is deprecated and replaced by HashFileENC

Hashes a file using the specified HashAlgorithm and returns the hash bytes. The file is processed in streaming mode, allowing any file size to be hashed efficiently while minimizing memory usage.

Returns TRUE for success, FALSE for failure.

top
HashFileAsync Deprecated (1)
HCkTask CkCrypt2_HashFileAsync(HCkCrypt2 cHandle, const char *path);
This method is deprecated and replaced by HashFileENC

Creates an asynchronous task to call the HashFile method with the arguments provided.

Returns NULL on failure

top
HashFinal Deprecated
BOOL CkCrypt2_HashFinal(HCkCrypt2 cHandle, HCkByteData outBytes);
This method is deprecated and replaced by HashFinalENC

Finalizes a multi-step hash computation and returns the hash bytes.

Returns TRUE for success, FALSE for failure.

top
HashMoreBytes Deprecated
BOOL CkCrypt2_HashMoreBytes(HCkCrypt2 cHandle, HCkByteData data);
Introduced in version 9.5.0.82

Adds more bytes to the hash currently under computation. (See HashBeginBytes)

Returns TRUE for success, FALSE for failure.

top
HashString Deprecated
BOOL CkCrypt2_HashString(HCkCrypt2 cHandle, const char *str, HCkByteData outData);
This method is deprecated and replaced by HashStringENC

Hashes a string using the Charset property to determine the bytes and returns the hash.

Returns TRUE for success, FALSE for failure.

top
LastJsonData
HCkJsonObject CkCrypt2_LastJsonData(HCkCrypt2 cHandle);
Introduced in version 9.5.0.70
This method is deprecated and replaced by GetLastJsonData

This method is deprecated. Please use GetLastJsonData instead. GetLastJsonData provides details about the most recently executed method. While many methods don't provide additional information, some do, such as after verifying a signature. In such cases, LastJsonData will return JSON with details like the algorithms used in the verification process.

Returns NULL on failure

top
MacBytes Deprecated
BOOL CkCrypt2_MacBytes(HCkCrypt2 cHandle, HCkByteData inBytes, HCkByteData outBytes);
Introduced in version 9.5.0.55
This method is deprecated and replaced by MacBdENC

Computes a Message Authentication Code using the algorithm defined in the MacAlgorithm property. The HashAlgorithm property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)

Returns TRUE for success, FALSE for failure.

top
MacBytes2 Deprecated
BOOL CkCrypt2_MacBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as MacBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
MacBytesENC Deprecated
BOOL CkCrypt2_MacBytesENC(HCkCrypt2 cHandle, HCkByteData inBytes, HCkString outStr);
const char *CkCrypt2_macBytesENC(HCkCrypt2 cHandle, HCkByteData inBytes);
This method is deprecated and replaced by MacBdENC

Computes a Message Authentication Code using the MAC algorithm specified in the MacAlgorithm property. The result is encoded to a string using the encoding (base64, hex, etc.) specified by the EncodingMode property.

Returns TRUE for success, FALSE for failure.

top
MacString Deprecated
BOOL CkCrypt2_MacString(HCkCrypt2 cHandle, const char *inText, HCkByteData outBytes);
Introduced in version 9.5.0.55
This method is deprecated and replaced by MacStringENC

Computes a Message Authentication Code using the specified MacAlgorithm property. The Charset property determines the actual bytes presented to the MAC algorithm. The HashAlgorithm property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)

Returns TRUE for success, FALSE for failure.

top
OpaqueSignBytes Deprecated
BOOL CkCrypt2_OpaqueSignBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData outData);
This method is deprecated and replaced by OpaqueSignBd

Digitally signs a binary data and returns the signature in PKCS#7 signed-data format, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert before invoking this method. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignBytesAsync Deprecated (1)
HCkTask CkCrypt2_OpaqueSignBytesAsync(HCkCrypt2 cHandle, HCkByteData data);
This method is deprecated and replaced by OpaqueSignBd

Creates an asynchronous task to call the OpaqueSignBytes method with the arguments provided.

Returns NULL on failure

top
OpaqueSignBytes2 Deprecated
BOOL CkCrypt2_OpaqueSignBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as OpaqueSignBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignBytesENC Deprecated
BOOL CkCrypt2_OpaqueSignBytesENC(HCkCrypt2 cHandle, HCkByteData data, HCkString outStr);
const char *CkCrypt2_opaqueSignBytesENC(HCkCrypt2 cHandle, HCkByteData data);

Digitally signs a binary data and returns a PKCS#7 signed-data signature binary-encoded as a string. The returned signature embeds the original data. Ensure to set a certificate by calling SetSigningCert beforehand. The EncodingMode property determines the output encoding such as base64, hex, base64_mime, etc. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignBytesENCAsync Deprecated (1)
HCkTask CkCrypt2_OpaqueSignBytesENCAsync(HCkCrypt2 cHandle, HCkByteData data);

Creates an asynchronous task to call the OpaqueSignBytesENC method with the arguments provided.

Returns NULL on failure

top
OpaqueSignString Deprecated
BOOL CkCrypt2_OpaqueSignString(HCkCrypt2 cHandle, const char *str, HCkByteData outData);

Digitally signs a string and returns PKCS#7 signed-data. The Charset property determines the actual bytes that are hashed and signed. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
OpaqueSignStringAsync Deprecated (1)
HCkTask CkCrypt2_OpaqueSignStringAsync(HCkCrypt2 cHandle, const char *str);

Creates an asynchronous task to call the OpaqueSignString method with the arguments provided.

Returns NULL on failure

top
OpaqueVerifyBytes Deprecated
BOOL CkCrypt2_OpaqueVerifyBytes(HCkCrypt2 cHandle, HCkByteData p7m, HCkByteData outOriginal);

Verifies a PKCS#7 signed-data signature and returns the original data. If the signature fails verification, the returned data will be empty. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
OpaqueVerifyBytes2 Deprecated
BOOL CkCrypt2_OpaqueVerifyBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as OpaqueVerifyBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
OpaqueVerifyBytesENC Deprecated
BOOL CkCrypt2_OpaqueVerifyBytesENC(HCkCrypt2 cHandle, const char *p7m, HCkByteData outOriginal);

Verifies a PKCS#7 signed-data signature and returns the original data. If the signature fails verification, the returned data will be empty. The p7m is a binary-encoded string, using the encoding set by the EncodingMode property. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
OpaqueVerifyString Deprecated
BOOL CkCrypt2_OpaqueVerifyString(HCkCrypt2 cHandle, HCkByteData p7m, HCkString outOriginal);
const char *CkCrypt2_opaqueVerifyString(HCkCrypt2 cHandle, HCkByteData p7m);

This function verifies a PKCS#7 signed-data signature and returns the original text data. If the signature does not verify successfully, it returns an empty string. The Charset property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top
SetMacKeyBytes Deprecated
BOOL CkCrypt2_SetMacKeyBytes(HCkCrypt2 cHandle, HCkByteData keyBytes);
Introduced in version 9.5.0.55
This method is deprecated and replaced by SetMacKeyEncoded

Sets the MAC key to be used for one of the Mac methods.

Returns TRUE for success, FALSE for failure.

top
SignBytes Deprecated
BOOL CkCrypt2_SignBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData outData);

Digitally signs binary data and returns the binary detached signature (PKCS#7 signed-data). The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
SignBytesAsync Deprecated (1)
HCkTask CkCrypt2_SignBytesAsync(HCkCrypt2 cHandle, HCkByteData data);

Creates an asynchronous task to call the SignBytes method with the arguments provided.

Returns NULL on failure

top
SignBytes2 Deprecated
BOOL CkCrypt2_SignBytes2(HCkCrypt2 cHandle, const unsigned char *pByteData, unsigned long szByteData, HCkByteData outBytes);
Introduced in version 9.5.0.82

The same as SignBytes except the binary data is passed via a pointer and length.

Returns TRUE for success, FALSE for failure.

top
SignBytesENC Deprecated
BOOL CkCrypt2_SignBytesENC(HCkCrypt2 cHandle, HCkByteData data, HCkString outStr);
const char *CkCrypt2_signBytesENC(HCkCrypt2 cHandle, HCkByteData data);

Digitally signs binary data and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns TRUE for success, FALSE for failure.

top
SignBytesENCAsync Deprecated (1)
HCkTask CkCrypt2_SignBytesENCAsync(HCkCrypt2 cHandle, HCkByteData data);

Creates an asynchronous task to call the SignBytesENC method with the arguments provided.

Returns NULL on failure

top
SignString Deprecated
BOOL CkCrypt2_SignString(HCkCrypt2 cHandle, const char *str, HCkByteData outData);

Digitally signs a string and returns a the binary detached signature (PKCS#7 signed-data). The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns TRUE for success, FALSE for failure.

top
SignStringAsync Deprecated (1)
HCkTask CkCrypt2_SignStringAsync(HCkCrypt2 cHandle, const char *str);

Creates an asynchronous task to call the SignString method with the arguments provided.

Returns NULL on failure

top
VerifyBytes Deprecated
BOOL CkCrypt2_VerifyBytes(HCkCrypt2 cHandle, HCkByteData data, HCkByteData sig);

Verifies a detached digital signature against the original binary data. Returns TRUE if the signature is verified.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

top
VerifyBytesENC Deprecated
BOOL CkCrypt2_VerifyBytesENC(HCkCrypt2 cHandle, HCkByteData data, const char *encodedSig);

Verifies a detached digital signature against the original binary data. Returns TRUE if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

top
VerifyDetachedSignature
BOOL CkCrypt2_VerifyDetachedSignature(HCkCrypt2 cHandle, const char *inFilename, const char *p7sFilename);
This method is deprecated and replaced by VerifyP7S

This method is the same as VerifyP7S. Applications should instead call VerifyP7S.

More Information and Examples
top
VerifyString Deprecated
BOOL CkCrypt2_VerifyString(HCkCrypt2 cHandle, const char *str, HCkByteData sig);

Verifies a detached digital signature against the original text in str. Returns TRUE if the signature is verified. The sig holds a binary PKCS#7 signed-data detached signature. The Charset property determines how the text in str is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the GetSignerCert method.

Returns TRUE for success, FALSE for failure.

top