Crypt2 CkPython Reference Documentation

CkCrypt2

Current Version: 11.0.0
Requires Chilkat Bundle License

Chilkat encryption component.

Object Creation

obj = chilkat.CkCrypt2()

Properties

AbortCurrent
# boolVal is a boolean
boolVal = crypt2.get_AbortCurrent();
crypt2.put_AbortCurrent(boolVal);
Introduced in version 9.5.0.58

Setting this property to True will abort the current method, but only for those methods having an Async alternative. The property automatically resets to False at the start of each method and after an abort. Both synchronous and asynchronous methods can be aborted; synchronous methods require setting this property from another thread.

top
BCryptWorkFactor
# intVal is an integer
intVal = crypt2.get_BCryptWorkFactor();
crypt2.put_BCryptWorkFactor(intVal);
Introduced in version 9.5.0.65

The BCrypt work factor determines the computational cost of BCryptHash and BCryptVerify . It represents the base-2 logarithm of the number of hashing rounds. For instance, a work factor of 12 corresponds to 2^12 hashing rounds. This cost factor is designed to make computations challenging enough to deter brute-force attacks. The work factor must be set between 4 and 31, inclusive, with a default value of 10.

top
BlockSize
# intVal is an integer
intVal = crypt2.get_BlockSize();

This property indicates the block size in bytes for the chosen encryption algorithm. For instance, if the CryptAlgorithm is set to AES, the BlockSize is automatically set to 16 bytes. In contrast, the block size for the ChaCha20 streaming algorithm is 1 byte.

top
CadesEnabled
# boolVal is a boolean
boolVal = crypt2.get_CadesEnabled();
crypt2.put_CadesEnabled(boolVal);

This property applies to all PKCS7 signature creation methods. When set to True, it ensures the inclusion of required attributes (such as content-type, message-digest, and signing-certificate-v2) to qualify the signature as at least a CAdES-BES signature. By default, this property is set to False.

More Information and Examples
Explaining CAdES-BES SignaturesCAdES BES Detached SignatureCAdES BES Attached (Opaque) Signature
top
CadesSigPolicyHash
# strVal is a string
# ckStr is a CkString
crypt2.get_CadesSigPolicyHash(ckStr);
strVal = crypt2.cadesSigPolicyHash();
crypt2.put_CadesSigPolicyHash(strVal);

This property is for PKCS7 CMS signatures that wish to include CAdES signature policy attributes. Set it to the base64-encoded hash of the policy document at the CadesSigPolicyUri using either SHA256 or SHA1.

More Information and Examples
Online Tool to Hash a Document at a URLCAdES Signature Policy - Meaning and Purpose
top
CadesSigPolicyId
# strVal is a string
# ckStr is a CkString
crypt2.get_CadesSigPolicyId(ckStr);
strVal = crypt2.cadesSigPolicyId();
crypt2.put_CadesSigPolicyId(strVal);

This property is for PKCS7 CMS signatures that wish to include CAdES signature policy attributes. The CAdES Signature Policy ID is an object identifier (OID) included in a CAdES signature that specifies the exact signature policy the signer followed. It is the OID associated with the policy URL. An example OID would look like this: 2.16.840.1.101.3.2.1.48.1

An application that wishes to include signature policy attributes should set all three properties: CadesSigPolicyHash , CadesSigPolicyUri , and CadesSigPolicyId .

More Information and Examples
CAdES Signature Policy - Meaning and Purpose
top
CadesSigPolicyUri
# strVal is a string
# ckStr is a CkString
crypt2.get_CadesSigPolicyUri(ckStr);
strVal = crypt2.cadesSigPolicyUri();
crypt2.put_CadesSigPolicyUri(strVal);

This property is for PKCS7 CMS signatures that wish to include CAdES signature policy attributes. The signature policy URI in a CAdES digital signature is a link that points to a document describing the rules and conditions under which the signature was created. Typically the Signature Policy URI in a CAdES signature points to a .der file, not a PDF or human-readable document. For example: http://example.com/policies/my-policy.der

More Information and Examples
CAdES Signature Policy - Meaning and Purpose
top
Charset
# strVal is a string
# ckStr is a CkString
crypt2.get_Charset(ckStr);
strVal = crypt2.charset();
crypt2.put_Charset(strVal);

This property specifies the character encoding used to represent text as bytes for encryption and hashing. By default, it uses the computer's ANSI charset, such as Windows-1252 for locales like the United States, United Kingdom, Western Europe, Australia, and New Zealand.

Most applications are advised to set this property to UTF-8. Chilkat plans to change its default to UTF-8 in a future major version to align with current standards. The current default of ANSI stems from a time when UTF-8 was not widely adopted.

More Information and Examples
Charset Matters when Encrypting TextCharset Matters when Hashing TextCharacter Encodings (Charsets) Supported by ChilkatANSI Charset ExplainedUsing "hex" or "base64" for encoded binary data input.
top
CipherMode
# strVal is a string
# ckStr is a CkString
crypt2.get_CipherMode(ckStr);
strVal = crypt2.cipherMode();
crypt2.put_CipherMode(strVal);

Sets the cipher mode for block encryption algorithms (AES, Blowfish,TwoFish, DES, 3DES, RC2). Possible values are CBC (the default) , ECB, CTR, OFB, GCM, and CFB. These acronyms have the following meanings:

  • CBC: Cipher Block Chaining,
  • ECB: Electronic CookBook
  • CTR: Counter Mode
  • CFB: Cipher Feedback
  • OFB: Output Feedback
  • GCM: Galois/Counter Mode
  • XTS: AES-XTS (starting in Chilkat v9.5.0.91, only works with AES encryption)

The GCM (Galois/Counter Mode) is available with any cipher having a 16-byte block size, such as AES. The CFB, OFB, CTR, and GCM modes convert block ciphers into stream ciphers. In these modes of operation, the PaddingScheme property is unused because no padding occurs.

Starting in v9.5.0.91 Chilkat supports AES-XTS mode. XTS mode additionally uses a tweak key and tweak value, which are set via the XtsSetEncodedTweakKey, XtsSetEncodedTweakValue, and XtsSetDataUnitNumber. (The latter two functions provide alternative means of setting the tweak value.) Chilkat fully supports AES-XTS mode with ciphertext-stealing, which means it will correctly encrypt/decrypt data with size not divisible by the block size (i.e. divisible by 16 bytes).

More Information and Examples
More About Block Encryption Cipher ModesAES XTS Mode
top
CmsOptions
# strVal is a string
# ckStr is a CkString
crypt2.get_CmsOptions(ckStr);
strVal = crypt2.cmsOptions();
crypt2.put_CmsOptions(strVal);
Introduced in version 9.5.0.78

A JSON string to manage additional CMS (PKCS7) signature and validation options. Possible options are:

  • boolean OmitAlgorithmIdNull: Set this JSON member to true to omit the explicit NULL within an AlgorithmIdentifier ASN.1 within the PKCS7. This should almost never be used, but helps for rare cases where a validator dislikes the explicit NULL being present.
  • boolean ValidateTimestampTokens: Tells Chilkat to also validate the timestamp tokens when validating a signature that includes a timestamp.
  • boolean ConstructedOctets: When set to true, tells Chilkat to use the ASN.1 constructed octets format for the data contained in the CMS (PKCS7) signed-data.
  • boolean CanonicalizeITIDA: This applies to Egypt ITIDA, which requires signed documents in a CAdES-BES CMS format, using ITIDA’s JSON canonicalization (for JSON payloads), with only the Base64‑encoded signature attached—not the original data itself. When set to true, Chilkat will automatically do the special ITIDA JSON canonicalization.

More Information and Examples
Verify the Timestamp Server Token (if any) while Validating a CMS SignatureAlgorithm Identifier ASN.1 StructureCMS (PKCS7) signed-data Constructed OctetsEgypt ITIDA CMS Signatures with JSON CanonicalizationCreate Egypt ITIDA CAdES-BES .p7s Signature
top
CryptAlgorithm
# strVal is a string
# ckStr is a CkString
crypt2.get_CryptAlgorithm(ckStr);
strVal = crypt2.cryptAlgorithm();
crypt2.put_CryptAlgorithm(strVal);

Selects the encryption algorithm for encrypting and decrypting. Possible values are:

Algorithm Type Symmetric? Key Size(s) Block/Stream Mode of Operation Notes
aes Block cipher ✔ Yes 128, 192, 256 bits Block (128-bit) CBC, CTR, GCM, etc. Widely used, FIPS-approved
pki (Public-Key Encryption) Asymmetric ✗ No 1024–4096+ bits N/A N/A Used for key exchange, not bulk data
chacha20 Stream cipher ✔ Yes 256 bits Stream N/A High speed, secure, designed for simplicity
des Block cipher ✔ Yes 56 bits Block (64-bit) ECB, CBC, etc. Deprecated, insecure
3des Block cipher ✔ Yes 112 or 168 bits Block (64-bit) ECB, CBC, etc. Legacy use, weak by modern standards
rc2 Block cipher ✔ Yes 40–128 bits (variable) Block (64-bit) ECB, CBC, etc. Obsolete, variable strength
blowfish2 (Blowfish) Block cipher ✔ Yes 32–448 bits (variable) Block (64-bit) ECB, CBC, etc. Fast, but 64-bit block size is a limitation
twofish Block cipher ✔ Yes Up to 256 bits Block (128-bit) ECB, CBC, etc. AES finalist, secure and flexible
pbes1 Key derivation ✔ Yes Based on underlying cipher Block (varies) PKCS#5 v1.5 Obsolete, uses DES/RC2
pbes2 Key derivation ✔ Yes Based on underlying cipher Block (varies) PKCS#5 v2.0 Modern, supports AES, SHA, etc.
arc4 (RC4) Stream cipher ✔ Yes 40–2048 bits (variable) Stream N/A Deprecated, insecure due to biases

More Information and Examples
ChaCha20 EncryptionExplaining PCKS7/CMS Encryption vs RSA EncryptionExplaining PBES2 Encryption
top
DebugLogFilePath
# strVal is a string
# ckStr is a CkString
crypt2.get_DebugLogFilePath(ckStr);
strVal = crypt2.debugLogFilePath();
crypt2.put_DebugLogFilePath(strVal);

If set to a file path, this property logs the LastErrorText of each Chilkat method or property call to the specified file. This logging helps identify the context and history of Chilkat calls leading up to any crash or hang, aiding in debugging.

Enabling the VerboseLogging property provides more detailed information. This property is mainly used for debugging rare instances where a Chilkat method call causes a hang or crash, which should generally not happen.

Possible causes of hangs include:

  • A timeout property set to 0, indicating an infinite timeout.
  • A hang occurring within an event callback in the application code.
  • An internal bug in the Chilkat code causing the hang.

More Information and Examples
Example showing how to use DebugLogFilePath.
top
EncodingMode
# strVal is a string
# ckStr is a CkString
crypt2.get_EncodingMode(ckStr);
strVal = crypt2.encodingMode();
crypt2.put_EncodingMode(strVal);

The EncodingMode property specifies the binary encoding format (e.g., base64, hex, base58, base64url) used by functions ending in "ENC", like EncryptStringENC and DecryptStringENC. For encryption functions, EncodingMode determines the encoding of the output. For decryption functions, it specifies the encoding of the input data.

A list of supported binary encodings is available at the link below.

The default value is base64

More Information and Examples
Binary Encodings Supported by Chilkat
top
FirstChunk
# boolVal is a boolean
boolVal = crypt2.get_FirstChunk();
crypt2.put_FirstChunk(boolVal);

Using the FirstChunk and LastChunk properties is the way to do streaming encryption or decryption with Chilkat.

By default, both FirstChunk and LastChunk are set to True, indicating that the data passed to the encryption or decryption method is the full amount. To process data in multiple chunks, adjust these settings as follows:

1. For the first chunk, set FirstChunk = True and LastChunk = False.
2. For intermediate chunks, set both FirstChunk = False and LastChunk = False.
3. For the final chunk, set FirstChunk = False and LastChunk = True.

You can feed data chunks of any size, regardless of the encryption algorithm's block size (e.g., 16 bytes for AES). Chilkat will handle buffering and, upon receiving the final chunk, pad the output to the appropriate block size according to the selected PaddingScheme.

More Information and Examples
Encrypting Data in ChunksEncrypt File in Chunks using AES CBC
top
HashAlgorithm
# strVal is a string
# ckStr is a CkString
crypt2.get_HashAlgorithm(ckStr);
strVal = crypt2.hashAlgorithm();
crypt2.put_HashAlgorithm(strVal);

Selects the hash algorithm used by methods that create hashes. The valid choices are sha256, sha384, sha512, sha3-224, sha3-256, sha3-384, sha3-512, sha1, md2, md5, haval, ripemd128, ripemd160,ripemd256, or ripemd320.

(Chilkat supports SHA-2 because it includes the SHA-256, SHA-384, and SHA-512 hash functions.)

The default value is sha256.

Note: The HAVAL hash algorithm is affected by two other properties: HavalRounds and KeyLength .

  • The HavalRounds may have values of 3, 4, or 5.
  • For HAVAL hashing, the KeyLength can be 128, 160, 192, 224, or 256.

More Information and Examples
SHA3 Hash to Match Test Vectors
top
HavalRounds
# intVal is an integer
intVal = crypt2.get_HavalRounds();
crypt2.put_HavalRounds(intVal);

Applies to the HAVAL hash algorithm only and must be set to the integer value 3, 4, or 5. The default value is 3.

top
IncludeCertChain
# boolVal is a boolean
boolVal = crypt2.get_IncludeCertChain();
crypt2.put_IncludeCertChain(boolVal);

Only applies when creating digital signatures. If True (the default), then additional certificates (if any) in the chain of authentication are included in the PKCS7 digital signature.

top
InitialCount
# intVal is an integer
intVal = crypt2.get_InitialCount();
crypt2.put_InitialCount(intVal);
Introduced in version 9.5.0.55

The initial counter for the ChaCha20 encryption algorithm. The default value is 0.

top
IterationCount
# intVal is an integer
intVal = crypt2.get_IterationCount();
crypt2.put_IterationCount(intVal);

Iteration count to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

The purpose of the iteration count is to increase the computation required to encrypt and decrypt. A larger iteration count makes cracking via exhaustive search more difficult. The default value is 1024.

top
KeyLength
# intVal is an integer
intVal = crypt2.get_KeyLength();
crypt2.put_KeyLength(intVal);

The key length in bits for symmetric encryption algorithms. The default value is 256.

top
LastChunk
# boolVal is a boolean
boolVal = crypt2.get_LastChunk();
crypt2.put_LastChunk(boolVal);

See the documentation for the FirstChunk property.

More Information and Examples
Encrypting/decrypting a data stream.Encrypt File in Chunks using AES CBC
top
LastErrorHtml
# strVal is a string
# ckStr is a CkString
crypt2.get_LastErrorHtml(ckStr);
strVal = crypt2.lastErrorHtml();

Provides HTML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

top
LastErrorText
# strVal is a string
# ckStr is a CkString
crypt2.get_LastErrorText(ckStr);
strVal = crypt2.lastErrorText();

Provides plain text information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

More Information and Examples
Concept of LastErrorTextLastErrorText Standard Information
top
LastErrorXml
# strVal is a string
# ckStr is a CkString
crypt2.get_LastErrorXml(ckStr);
strVal = crypt2.lastErrorXml();

Provides XML-formatted information about the last called method or property. If a method call fails or behaves unexpectedly, check this property for details. Note that information is available regardless of the method call's success.

top
LastMethodSuccess
# boolVal is a boolean
boolVal = crypt2.get_LastMethodSuccess();
crypt2.put_LastMethodSuccess(boolVal);

Indicates the success or failure of the most recent method call: True means success, False means failure. This property remains unchanged by property setters or getters. This method is present to address challenges in checking for null or Nothing returns in certain programming languages.

top
MacAlgorithm
# strVal is a string
# ckStr is a CkString
crypt2.get_MacAlgorithm(ckStr);
strVal = crypt2.macAlgorithm();
crypt2.put_MacAlgorithm(strVal);
Introduced in version 9.5.0.55

Selects the MAC algorithm to be used for any of the Mac methods, such as MacStringENC, MacBytes, etc. The default value is hmac. Possible values are hmac and poly1305.

More Information and Examples
Poly1305 MACDemonstrates HMAC SHA256
top
NumSignerCerts
# intVal is an integer
intVal = crypt2.get_NumSignerCerts();

This property is set when a digital signature is verified. It contains the number of signer certificates. Each signing certificate can be retrieved by calling the GetSignerCert method, passing an index from 0 to NumSignerCerts-1.

More Information and Examples
Verify Opaque Signature and Retrieve Signing Certificates
top
OaepHash
# strVal is a string
# ckStr is a CkString
crypt2.get_OaepHash(ckStr);
strVal = crypt2.oaepHash();
crypt2.put_OaepHash(strVal);
Introduced in version 9.5.0.67

Selects the hash algorithm for use within OAEP padding when encrypting using pki with RSAES-OAEP. The valid choices are sha1, sha256, sha384, sha512,

The default value is sha256

More Information and Examples
RSAES-OAEP Encrypt String with AES-128 Content Encryption and SHA256
top
OaepMgfHash
# strVal is a string
# ckStr is a CkString
crypt2.get_OaepMgfHash(ckStr);
strVal = crypt2.oaepMgfHash();
crypt2.put_OaepMgfHash(strVal);
Introduced in version 9.5.0.71

Selects the MGF hash algorithm for use within OAEP padding when encrypting using pki with RSAES-OAEP. The valid choices are sha1, sha256, sha384, sha512, The default is sha256.

top
OaepPadding
# boolVal is a boolean
boolVal = crypt2.get_OaepPadding();
crypt2.put_OaepPadding(boolVal);
Introduced in version 9.5.0.67

Selects the RSA encryption scheme when encrypting using pki (with a certificate and private key). The default value is False, which selects RSAES_PKCS1-V1_5. If set to True, then RSAES_OAEP is used.

More Information and Examples
RSAES-OAEP Encrypt String with AES-128 Content Encryption and SHA256
top
PaddingScheme
# intVal is an integer
intVal = crypt2.get_PaddingScheme();
crypt2.put_PaddingScheme(intVal);

The padding scheme used by block encryption algorithms such as AES (Rijndael), Blowfish, Twofish, RC2, DES, 3DES, etc. Block encryption algorithms pad encrypted data to a multiple of algorithm's block size. The default value of this property is 0.

Possible values are:

0 = RFC 1423 padding scheme: Each padding byte is set to the number of padding bytes. If the data is already a multiple of algorithm's block size bytes, an extra block is appended each having a value equal to the block size. (for example, if the algorithm's block size is 16, then 16 bytes having the value 0x10 are added.). (This is also known as PKCS5 padding: PKCS #5 padding string consists of a sequence of bytes, each of which is equal to the total number of padding bytes added. )

1 = FIPS81 (Federal Information Processing Standards 81) where the last byte contains the number of padding bytes, including itself, and the other padding bytes are set to random values.

2 = Each padding byte is set to a random value. The decryptor must know how many bytes are in the original unencrypted data.

3 = Pad with NULLs. (If already a multiple of the algorithm's block size, no padding is added).

4 = Pad with SPACE chars(0x20). (If already a multiple of algorithm's block size, no padding is added).

More Information and Examples
Debugging Symmetric Encryption such as AES
top
PbesAlgorithm
# strVal is a string
# ckStr is a CkString
crypt2.get_PbesAlgorithm(ckStr);
strVal = crypt2.pbesAlgorithm();
crypt2.put_PbesAlgorithm(strVal);

If the CryptAlgorithm property is set to pbes1 or pbes2, this property specifies the underlying encryption algorithm to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

top
PbesPassword
# strVal is a string
# ckStr is a CkString
crypt2.get_PbesPassword(ckStr);
strVal = crypt2.pbesPassword();
crypt2.put_PbesPassword(strVal);

The password to be used with password-based encryption (PBE). Password-based encryption is defined in the PKCS5 Password-Based Cryptography Standard at http://www.rsa.com/rsalabs/node.asp?id=2127

top
Pkcs7CryptAlg
# strVal is a string
# ckStr is a CkString
crypt2.get_Pkcs7CryptAlg(ckStr);
strVal = crypt2.pkcs7CryptAlg();
crypt2.put_Pkcs7CryptAlg(strVal);

When the CryptAlgorithm property is PKI to select PKCS7 public-key encryption, this selects the underlying symmetric encryption algorithm. Possible values are: aes, des, 3des, and rc2. The default value is aes.

More Information and Examples
RSAES-OAEP Encrypt String with AES-128 Content Encryption and SHA256
top
Rc2EffectiveKeyLength
# intVal is an integer
intVal = crypt2.get_Rc2EffectiveKeyLength();
crypt2.put_Rc2EffectiveKeyLength(intVal);

The effective key length (in bits) for the RC2 encryption algorithm. When RC2 is used, both the KeyLength and Rc2EffectiveKeyLength properties should be set. For RC2, both should be between 8 and 1024 (inclusive).

The default value is 128

top
SigningAlg
# strVal is a string
# ckStr is a CkString
crypt2.get_SigningAlg(ckStr);
strVal = crypt2.signingAlg();
crypt2.put_SigningAlg(strVal);
Introduced in version 9.5.0.67

This property selects the signature algorithm for the OpaqueSign*, Sign*, and CreateDetachedSignature, CreateP7M, and CreateP7S methods. The default value is PKCS1-v1_5. This can be set to RSASSA-PSS (or simply pss) to use the RSASSA-PSS signature scheme.

Note: This property only applies when the private key is an RSA private key. It does not apply for ECC or DSA private keys.

More Information and Examples
RSASSA-PSS Sign String to Create Base64 PCKS7 Signature
top
SigningAttributes
# strVal is a string
# ckStr is a CkString
crypt2.get_SigningAttributes(ckStr);
strVal = crypt2.signingAttributes();
crypt2.put_SigningAttributes(strVal);
Introduced in version 9.5.0.75

Contains JSON to specify the authenticated (signed) attributes or unauthenticated (unsigned) attributes that are to be included in CMS signatures. The default value is: 

{
    "contentType": 1,
    "signingTime": 1,
    "messageDigest": 1
}

Other possible values that can be added are:

  • signingCertificateV2
  • signingCertificate
  • sMIMECapabilities
  • microsoftRecipientInfo
  • encrypKeyPref
  • cmsAlgorithmProtection
Contact Chilkat (support@chilkatsoft.com) about other signed/unsigned attributes that may be needed for CAdES signatures.

More Information and Examples
Create a CAdES-T Signature
top
UncommonOptions
# strVal is a string
# ckStr is a CkString
crypt2.get_UncommonOptions(ckStr);
strVal = crypt2.uncommonOptions();
crypt2.put_UncommonOptions(strVal);
Introduced in version 9.5.0.83

This is a catch-all property to be used for uncommon needs. This property defaults to the empty string and should typically remain empty.

Can be set to a list of the following comma separated keywords:

  • UseConstructedOctets - Introduced in v9.5.0.83. When creating opaque CMS signatures (signatures that embed the data being signed), will use the constructed octets form of the ASN.1 that holds the data. This is to satify some validators that are brittle/fragile/picky and require a particular format, such as for the ICP-Brazil Digital Signature Standard.

top
UuFilename
# strVal is a string
# ckStr is a CkString
crypt2.get_UuFilename(ckStr);
strVal = crypt2.uuFilename();
crypt2.put_UuFilename(strVal);

When UU encoding, this is the filename to be embedded in UU encoded output. The default is file.dat. When UU decoding, this is the filename found in the UU encoded input.

More Information and Examples
UU Encoding and Decoding
top
UuMode
# strVal is a string
# ckStr is a CkString
crypt2.get_UuMode(ckStr);
strVal = crypt2.uuMode();
crypt2.put_UuMode(strVal);

When UU encoding, this is the file permissions mode to be embedded in UU encoded output. The default is 644. When UU decoding, this property is set to the mode found in the UU encoded input.

top
VerboseLogging
# boolVal is a boolean
boolVal = crypt2.get_VerboseLogging();
crypt2.put_VerboseLogging(boolVal);

If set to True, then the contents of LastErrorText (or LastErrorXml, or LastErrorHtml) may contain more verbose information. The default value is False. Verbose logging should only be used for debugging. The potentially large quantity of logged information may adversely affect peformance.

top
Version
# strVal is a string
# ckStr is a CkString
crypt2.get_Version(ckStr);
strVal = crypt2.version();

Version of the component/library, such as "10.1.0"

More Information and Examples
How to get the Chilkat version at runtime.
top

Methods

AddEncryptCert
# cert is a CkCert
crypt2.AddEncryptCert(cert);

Adds a certificate for public-key encryption. To enable public-key encryption with digital certificates, set the CryptAlgorithm property to pki. Call AddEncryptCert separately for each certificate you wish to use for encryption.

Any of the Encrypt* methods will do RSA public-key encryption when the CryptAlgorithm is set to the keyword pki. The output is a PKCS#7 enveloped-data secure container.

More Information and Examples
Public Key Encryption to Multiple RecipientsExplaining PKCS#7 Enveloped DataEncrypt a file to a PKCS7 encrypted message using multiple certificates from different users
top
AddPfxSourceBd
# bd is a CkBinData
# password is a string
status = crypt2.AddPfxSourceBd(bd, password);
Introduced in version 11.0.0

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. bd should contain the bytes of a PFX file (also known as PKCS12 or .p12).

Note: Information about the certificate(s) needed for public-key decryption are included in the PKCS#7 enveloped-data. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.AddPfxSourceBd method
top
AddPfxSourceFile
# pfxFilePath is a string
# pfxPassword is a string
status = crypt2.AddPfxSourceFile(pfxFilePath, pfxPassword);

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times.

Note: Information about the certificate(s) needed for public-key decryption are included in the PKCS#7 enveloped-data. Chilkat will automatically find a usable certificate and private key from sources like Windows certificate stores, the Apple keychain, or other sources provided by the application.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.AddPfxSourceFile method
top
AddSigningCert
# cert is a CkCert
status = crypt2.AddSigningCert(cert);
Introduced in version 9.5.0.83

Call this method once per certificate to add multiple certificates for signing. If signing with a single certificate, then the SetSigningCert or SetSigningCert2 methods can be used instead.

Returns True for success, False for failure.

More Information and Examples
PKCS#7 signed-data with Multiple SignersCreate CMS Signed File (PDF) with Multiple Signing Certificates
top
AesKeyUnwrap
# kek is a string
# wrappedKeyData is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.AesKeyUnwrap(kek, wrappedKeyData, encoding, outStr);
retStr = crypt2.aesKeyUnwrap(kek, wrappedKeyData, encoding);
Introduced in version 9.5.0.66

Implements the AES Key Wrap Algorithm (RFC 3394) for unwrapping. The kek is the Key Encryption Key (the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.) The full list of supported encodings is available at the link below.

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The wrappedKeyData contains the data to be unwrapped. The result, if decoded, is 8 bytes less than the wrapped key data. For example, if a 256-bit AES key (32 bytes) is wrapped, the size of the wrapped key data is 40 bytes. Unwrapping restores it to the original 32 bytes.

Returns True for success, False for failure.

More Information and Examples
AES Key Wrap / UnwrapExplaining AES Key Wrap With Padding vs Without Padding
top
AesKeyUnwrapWithPadding
# kek is a string
# wrappedKeyData is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.AesKeyUnwrapWithPadding(kek, wrappedKeyData, encoding, outStr);
retStr = crypt2.aesKeyUnwrapWithPadding(kek, wrappedKeyData, encoding);
Introduced in version 9.5.0.96

Implements the AES Key Wrap with Padding Algorithm (RFC 5649) for unwrapping. The kek is the Key Encryption Key (the AES key used to unwrap the wrappedKeyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.)

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The wrappedKeyData contains the data to be unwrapped.

The unwrapped key is returned as an encoded string (using the encoding specified in encoding).

Returns True for success, False for failure.

More Information and Examples
Explaining AES Key Wrap With Padding vs Without Padding
top
AesKeyWrap
# kek is a string
# keyData is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.AesKeyWrap(kek, keyData, encoding, outStr);
retStr = crypt2.aesKeyWrap(kek, keyData, encoding);
Introduced in version 9.5.0.66

Implements the AES Key Wrap Algorithm (RFC 3394). The kek is the Key Encryption Key (the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.) The full list of supported encodings is available at the link below.

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The keyData contains the data to be key wrapped. It must be a multiple of 64-bits in length. In other words, if the keyData is decoded to binary, it should be a number of bytes that is a multiple of 8.

The return string, if decoded to binary bytes, is equal to the size of the key data + 8 additional bytes.

Returns True for success, False for failure.

More Information and Examples
AES Key Wrap / UnwrapExplaining AES Key Wrap With Padding vs Without Padding
top
AesKeyWrapWithPadding
# kek is a string
# keyData is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.AesKeyWrapWithPadding(kek, keyData, encoding, outStr);
retStr = crypt2.aesKeyWrapWithPadding(kek, keyData, encoding);
Introduced in version 9.5.0.96

Implements the AES Key Wrap with Padding Algorithm (RFC 5649). The kek is the Key Encryption Key (the AES key used to encrypt the keyData). The arguments and return value are binary encoded strings using the encoding specified by encoding (which can be base64, hex, base64url, etc.)

The kek should be an AES key of 16 bytes, 24 bytes, or 32 bytes (i.e. 128-bits, 192- bits, or 256-bits). For example, if passed as a hex string, then the kek should be 32 chars in length, 48 chars, or 64 chars (because each byte is represented as 2 chars in hex).

The keyData contains the data to be key wrapped.

Returns the wrapped key using the encoding specified in encoding.

Returns True for success, False for failure.

More Information and Examples
Explaining AES Key Wrap With Padding vs Without Padding
top
BCryptHash
# password is a string
# outStr is a CkString (output)
status = crypt2.BCryptHash(password, outStr);
retStr = crypt2.bCryptHash(password);
Introduced in version 9.5.0.65

Computes and returns a bcrypt hash of the password. The number of rounds of hashing is determined by the BCryptWorkFactor property.

Starting in v9.5.0.76, if the password is prefixed with $2b$ then the output will use the $2b version of bcrypt. For example, to create a $2b$ bcrypt has for the password secret, pass in the string $2b$secret for password.

Returns True for success, False for failure.

More Information and Examples
BCrypt Hash a Password
top
BCryptVerify
# password is a string
# bcryptHash is a string
status = crypt2.BCryptVerify(password, bcryptHash);
Introduced in version 9.5.0.65

Verifies the password against a previously computed BCrypt hash. Returns True if the password matches the bcryptHash. Returns False if the password does not match.

Returns True for success, False for failure.

More Information and Examples
BCrypt Verify a Password (Check if Password is Correct)
top
CkDecryptFile
# srcFile is a string
# destFile is a string
status = crypt2.CkDecryptFile(srcFile, destFile);

File-to-file decryption that supports files of any size by using internal streaming mode.

Returns True for success, False for failure.

More Information and Examples
AES Encrypt and Decrypt a File
top
CkDecryptFileAsync (1)
# returns a CkTask
# srcFile is a string
# destFile is a string
ret_task = crypt2.CkDecryptFileAsync(srcFile, destFile);

Creates an asynchronous task to call the CkDecryptFile method with the arguments provided.

Returns None on failure

top
CkEncryptFile
# srcFile is a string
# destFile is a string
status = crypt2.CkEncryptFile(srcFile, destFile);

File-to-file encryption that operates in streaming mode, allowing it to encrypt files of any size.

Returns True for success, False for failure.

More Information and Examples
AES Encrypt and Decrypt a FileEncrypt File using X.509 Certificate using AES in CBC ModeAES GCM Encrypt and Decrypt a File
top
CkEncryptFileAsync (1)
# returns a CkTask
# srcFile is a string
# destFile is a string
ret_task = crypt2.CkEncryptFileAsync(srcFile, destFile);

Creates an asynchronous task to call the CkEncryptFile method with the arguments provided.

Returns None on failure

top
ClearEncryptCerts
crypt2.ClearEncryptCerts();

Clears the internal list of digital certificates to be used for public-key encryption.

More Information and Examples
Example: Crypt2.ClearEncryptCerts method
top
ClearSigningCerts
status = crypt2.ClearSigningCerts();
Introduced in version 9.5.0.83

Clears the set of certificates to be used in signing.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.ClearSigningCerts method
top
CoSign
# bdIn is a CkBinData
# cert is a CkCert
# bdOut is a CkBinData
status = crypt2.CoSign(bdIn, cert, bdOut);
Introduced in version 9.5.0.89

Co-sign's an existing CMS signature. bdIn contains the existing CMS signature. If successful, cert is the output co-signed CMS signature.

Returns True for success, False for failure.

More Information and Examples
CoSign PKCS7/CMS Signed Data
top
CrcBd
# crcAlg is a string
# bd is a CkBinData
retInt = crypt2.CrcBd(crcAlg, bd);
Introduced in version 11.0.0

Computes a CRC for data contained in crcAlg, which can be either crc-32 used in the Zip file format, or crc8 for the CRC8 algorithm.

More Information and Examples
Example: Crypt2.CrcBd method
top
CrcFile
# crcAlg is a string
# path is a string
retInt = crypt2.CrcFile(crcAlg, path);
Introduced in version 9.5.0.38

Calculates the CRC for a file's contents using the CRC algorithm specified by crcAlg. Possible algorithms are:

  • crc-32 - This is the CRC used in the Zip file format.
  • crc8

More Information and Examples
Example: Crypt2.CrcFile method
top
CrcFileAsync (1)
# returns a CkTask
# crcAlg is a string
# path is a string
ret_task = crypt2.CrcFileAsync(crcAlg, path);
Introduced in version 9.5.0.38

Creates an asynchronous task to call the CrcFile method with the arguments provided.

Returns None on failure

top
CreateP7M
# inFilename is a string
# p7mPath is a string
status = crypt2.CreateP7M(inFilename, p7mPath);

Signs the contents of inFilename and writes the enveloping (i.e. opaque) PKCS7 signature (.p7m) to p7mPath.

In a PKCS#7/CMS signature, the signer computes a cryptographic hash (e.g. SHA-256) of the data, then uses their private key to sign that hash.

The signature = Sign( Hash(data) )

This signed hash is what gets stored in the signature file. For enveloping/opaque signatures, the signed data is also stored in the signature file.

Set the HashAlgorithm property to specify the hash algorithmg. The valid options are sha256, sha1, sha384, and sha512.

Returns True for success, False for failure.

More Information and Examples
What is an Enveloping PKCS7 CMS Signature?.p7s vs .p7mOnline Tool to Examine a .p7m and Generate Code that Duplicates the .p7mCAdES BES Attached (Opaque) SignatureExamine the Contents of a .p7m by Converting to XMLCreate P7M Using Pre-Installed Windows CertificateCreate a CAdES-T SignatureConvert PDF to pdf.p7s (Digitally Signed)
top
CreateP7MAsync (1)
# returns a CkTask
# inFilename is a string
# p7mPath is a string
ret_task = crypt2.CreateP7MAsync(inFilename, p7mPath);

Creates an asynchronous task to call the CreateP7M method with the arguments provided.

Returns None on failure

top
CreateP7S
# inFilename is a string
# p7sPath is a string
status = crypt2.CreateP7S(inFilename, p7sPath);

Signs the contents of inFilename and writes the detached PKCS7 signature (.p7s) to p7sPath.

In a PKCS#7/CMS detached signature, the signer computes a cryptographic hash (e.g. SHA-256) of the data, then uses their private key to sign that hash.

The signature = Sign( Hash(data) )

This signed hash is what gets stored in the signature file.

Set the HashAlgorithm property to specify the hash algorithmg. The valid options are sha256, sha1, sha384, and sha512.

Returns True for success, False for failure.

More Information and Examples
What is a Detached PKCS7 CMS Signature?CAdES BES Detached Signature
top
CreateP7SAsync (1)
# returns a CkTask
# inFilename is a string
# p7sPath is a string
ret_task = crypt2.CreateP7SAsync(inFilename, p7sPath);

Creates an asynchronous task to call the CreateP7S method with the arguments provided.

Returns None on failure

top
DecodeString
# inStr is a string
# charset is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.DecodeString(inStr, charset, encoding, outStr);
retStr = crypt2.decodeString(inStr, charset, encoding);

Decodes from an encoding back to the original string. The encoding can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.DecodeString methodUU Encoding and Decoding
top
DecryptBd
# bd is a CkBinData
status = crypt2.DecryptBd(bd);
Introduced in version 9.5.0.67

Decrypts the contents of bd. This method can do either symmetric key decryption or CMS public key decryption (e.g., PKCS#7 EnvelopedData).

Before calling this method for symmetric key decryption (e.g., AES, ChaCha20, Blowfish, etc.), ensure the following setup:

  1. Define the encryption algorithm using the CryptAlgorithm property.
  2. Specify the encryption key length with the KeyLength property.
  3. Establish the cipher mode through the CipherMode property.
  4. Use the SetEncodedIV method to set the IV, if needed by the cipher mode.
  5. Set the encryption key with the SetEncodedKey method.
  6. Ensure the PaddingScheme property matches the encryptor's value.

When calling this method for public key decryption (i.e. decrypting a PKCS7 CMS message), the following setup is required:

  1. The CryptAlgorithm property should be set to the string "pki".
  2. Optionally specify the certificate to be used for decryption by calling SetDecryptCert. If SetDecryptCert is not called, then Chilkat will automatically search certificate sources (Windows certificate stores, Apple keychain, etc.) for the required certificate.

Returns True for success, False for failure.

More Information and Examples
Example for both AES-128 and ChaCha20 to Encrypt Binary DataRSAES-OAEP Encrypt/Decrypt Binary Data with AES-128 and SHA56openssl enc decryptDuplicate SQL Server ENCRYPTBYPASSPHRASE
top
DecryptEncoded
# encodedEncryptedData is a string
# outStr is a CkString (output)
status = crypt2.DecryptEncoded(encodedEncryptedData, outStr);
retStr = crypt2.decryptEncoded(encodedEncryptedData);

Decrypts encoded encrypted data, and returns the decrypted data as a binary encoded string. For example:

InputDecode EncodingModeDecryptEncode EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
AEAD AES 128-bit GCM
top
DecryptSb
# bdIn is a CkBinData
# sbOut is a CkStringBuilder
status = crypt2.DecryptSb(bdIn, sbOut);
Introduced in version 9.5.0.67

This function is intended for use when the expected decrypted output is text. It decrypts the contents of bdIn and appends the resulting string to sbOut. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

InputDecryptInterpret Bytes according to CharsetAppend to StringBuilder

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Importance of Charset when Encrypting or Decrypting TextAES and CHACHA20 Encrypt/Decrypt Text
top
DecryptSecureENC
# cipherText is a string
# secureStr is a CkSecureString
status = crypt2.DecryptSecureENC(cipherText, secureStr);
Introduced in version 9.5.0.71

This function is intended for use when the expected decrypted output is text. It decrypts binary encoded encrypted bytes passed in cipherText and appends the resulting string to secureStr. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

InputDecode using EncodingModeDecryptInterpret Bytes according to CharsetAppend to Secure String

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Encrypt / Decrypt Secure Strings
top
DecryptStringENC
# str is a string
# outStr is a CkString (output)
status = crypt2.DecryptStringENC(str, outStr);
retStr = crypt2.decryptStringENC(str);

This function is intended for use when the expected decrypted output is text. It decrypts binary encoded encrypted bytes passed in str and appends the resulting string to ARG2. Ensure that the Charset property, such as utf-8, matches the one used during encryption to interpret the decrypted bytes correctly as characters.

InputDecode using EncodingModeDecryptInterpret Bytes according to CharsetOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the DecryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.DecryptStringENC methodExplaining the Importance of the CharsetSupported Binary Encodings
top
EncodeInt
# value is an integer
# numBytes is an integer
# littleEndian is a boolean
# encoding is a string
# outStr is a CkString (output)
status = crypt2.EncodeInt(value, numBytes, littleEndian, encoding, outStr);
retStr = crypt2.encodeInt(value, numBytes, littleEndian, encoding);
Introduced in version 9.5.0.77

Encodes an integer to N bytes and returns in the specified encoding. If littleEndian is True, then little-endian byte ordering is used. Otherwise big-endian byte order is used.

Returns True for success, False for failure.

More Information and Examples
Encode Integer to Hex or Base64 using N BytesSupported Binary Encodings
top
EncodeString
# strToEncode is a string
# charsetName is a string
# toEncodingName is a string
# outStr is a CkString (output)
status = crypt2.EncodeString(strToEncode, charsetName, toEncodingName, outStr);
retStr = crypt2.encodeString(strToEncode, charsetName, toEncodingName);

Encodes a string. The toEncodingName can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding). The charsetName is important, and usually you'll want to specify ansi. For example, if the string ABC is to be encoded to hex using ANSI, the result will be 414243. However, if unicode is used, the result is 410042004300.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.EncodeString methodSupported Binary Encodings
top
EncryptBd
# bd is a CkBinData
status = crypt2.EncryptBd(bd);
Introduced in version 9.5.0.67

Encrypts the contents of bd. This method can do either symmetric key encryption or CMS public key encryption (e.g., PKCS#7 EnvelopedData).

Before calling this method for symmetric key encryption (e.g., AES, ChaCha20, Blowfish, etc.), ensure the following setup:

  1. Define the encryption algorithm using the CryptAlgorithm property.
  2. Specify the encryption key length with the KeyLength property.
  3. Establish the cipher mode through the CipherMode property.
  4. Use the SetEncodedIV method to set the IV, if needed by the cipher mode.
  5. Set the encryption key with the SetEncodedKey method.
  6. Set the PaddingScheme property if needing something different than the default.

When calling this method for public key encryption (i.e. creating a PKCS7 CMS message), the following setup is required:

  1. The CryptAlgorithm property should be set to the string "pki".
  2. To specify the encryption certificate, use SetEncryptCert. For multiple certificates, call AddEncryptCert for each one.

Returns True for success, False for failure.

More Information and Examples
Example for both AES-128 and ChaCha20 to Encrypt Binary DataRSAES-OAEP Encrypt/Decrypt Binary Data with AES-128 and SHA56
top
EncryptEncoded
# str is a string
# outStr is a CkString (output)
status = crypt2.EncryptEncoded(str, outStr);
retStr = crypt2.encryptEncoded(str);

Encrypts binary-encoded data and returns it as a binary-encoded string. For example:

InputDecode EncodingModeEncryptEncode EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key decryption. For more information on properties that affect decryption, such as CryptAlgorithm, CipherMode, etc., refer to the method documentation.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.EncryptEncoded methodAEAD AES 128-bit GCM
top
EncryptSb
# sbIn is a CkStringBuilder
# bdOut is a CkBinData
status = crypt2.EncryptSb(sbIn, bdOut);
Introduced in version 9.5.0.67

Encrypts text and appends the encrypted bytes in bdOut. The Charset property, such as utf-8, determines the actual bytes that are encrypted.

StringBuilderGet bytes according to CharsetEncryptAppend to BinData

This method supports symmetric key and public key encryption. For more information on properties that affect encryption, such as CryptAlgorithm, CipherMode, etc., refer to the EncryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.EncryptSb methodImportance of Charset when Encrypting or Decrypting TextAES and CHACHA20 Encrypt/Decrypt Text
top
EncryptSecureENC
# secureStr is a CkSecureString
# outStr is a CkString (output)
status = crypt2.EncryptSecureENC(secureStr, outStr);
retStr = crypt2.encryptSecureENC(secureStr);
Introduced in version 9.5.0.71

Encrypts the secure string and returns the encrypted bytes as a binary encoded string. The Charset property determines the actual bytes that are encrypted.

SecureStringGet bytes according to CharsetEncryptEncode using EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key encryption. For more information on properties that affect encryption, such as CryptAlgorithm, CipherMode, etc., refer to the EncryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Encrypt / Decrypt Secure StringsSupported Binary EncodingsImportance of Charset when Encrypting or Decrypting Text
top
EncryptStringENC
# str is a string
# outStr is a CkString (output)
status = crypt2.EncryptStringENC(str, outStr);
retStr = crypt2.encryptStringENC(str);

Encrypts the str and returns the encrypted bytes as a binary encoded string. The Charset property determines the actual bytes that are encrypted.

InputGet bytes according to CharsetEncryptEncode using EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

This method supports symmetric key and public key encryption. For more information on properties that affect encryption, such as CryptAlgorithm, CipherMode, etc., refer to the EncryptBd method documentation.

Returns True for success, False for failure.

More Information and Examples
Supported Binary EncodingsImportance of Charset when Encrypting or Decrypting TextAES Encryption ExampleBlowfish Encryption Example3DES Encryption ExampleARC4 Encryption ExamplePBES1 Password-Based EncryptionPBES2 Password-Based EncryptionRC2 Encryption ExampleTwofish Encryption Example
top
GenerateUuid
# outStr is a CkString (output)
status = crypt2.GenerateUuid(outStr);
retStr = crypt2.generateUuid();
Introduced in version 9.5.0.55

Generates a random UUID string having standard UUID format, such as de305d54-75b4-431b-adb2-eb6b9e546014.

Note: This generates a version 4 UUID using random byte values. See RFC 4122.

Returns True for success, False for failure.

More Information and Examples
Generate UUID
top
GenRandomBytesENC
# numBytes is an integer
# outStr is a CkString (output)
status = crypt2.GenRandomBytesENC(numBytes, outStr);
retStr = crypt2.genRandomBytesENC(numBytes);

Generates numBytes random bytes and returns them as an encoded string. The encoding format (e.g., base64, hex) is determined by the EncodingMode property. It utilizes the Fortuna cryptographically secure random number generator, auto-seeded by an OS-dependent secure entropy source.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.GenRandomBytesENC methodSupported Binary Encodings
top
GetEncodedAuthTag
# encoding is a string
# outStr is a CkString (output)
status = crypt2.GetEncodedAuthTag(encoding, outStr);
retStr = crypt2.getEncodedAuthTag(encoding);
Introduced in version 9.5.0.55

When encrypting in GCM mode, Chilkat generates the GCM authentication tag. The application can then use this method to retrieve the tag, which should be sent to the decrypting party along with the encrypted data. For further details on GCM authenticated encryption, please refer to the web pages linked below.

Returns True for success, False for failure.

More Information and Examples
Explaining the AES-GCM Authentication TagAES-GCM OverviewExplaining Authenticated Encryption, such as AES-GCMAEAD AES 128-bit GCM
top
GetEncodedIV
# encoding is a string
# outIV is a CkString (output)
status = crypt2.GetEncodedIV(encoding, outStr);
retStr = crypt2.getEncodedIV(encoding);

This method retrieves the IV set by the application during the last call to SetEncodedIV or RandomizeIV.

Returns True for success, False for failure.

top
GetLastJsonData
# json is a CkJsonObject
crypt2.GetLastJsonData(json);
Introduced in version 11.0.0

Offers details on the last method executed. While many methods provide no information, some do through GetLastJsonData. For instance, after invoking a signature verification method, GetLastJsonData will return JSON detailing the algorithms used.

More Information and Examples
Verify a .p7m and GetLastJsonData
top
GetSignatureSigningTimeStr
# index is an integer
# outStr is a CkString (output)
status = crypt2.GetSignatureSigningTimeStr(index, outStr);
retStr = crypt2.getSignatureSigningTimeStr(index);

This method retrieves the signing time of the Nth certificate in a digital signature after verification. The signing time for the first certificate is at index 0. The NumSignerCerts property indicates the total number of signing certificates, although typically only one is used. Note: Before accessing the signing time, use the HasSignatureSigningTime method to verify its availability, and skip indices lacking a signing time. The signing time is returned in RFC822 string format.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.GetSignatureSigningTimeStr methodExplaining the Signing Time Authenticated Attribute in PKCS7 Signatures
top
GetSignedAttributes
# signerIndex is an integer
# pkcs7Der is a CkBinData
# sbJson is a CkStringBuilder
status = crypt2.GetSignedAttributes(signerIndex, pkcs7Der, sbJson);
Introduced in version 9.5.0.75

Extracts the signed (authenticated) attributes for the Nth signer, where signerIndex is typically 0, as most signatures have only one signer. Provide the binary PKCS7 in pkcs7Der. If successful, sbJson will hold the signed attributes in JSON format.

Sample JSON output: 

{
  "signedAttributes": [
    {
      "oid": "1.2.840.113549.1.9.3",
      "name": "Content Type"
    },
    {
      "oid": "1.2.840.113549.1.9.5",
      "name": "Signing Time"
    },
    {
      "oid": "1.2.840.113549.1.9.4"
      "name": "Message Digest"
    },
    {
      "oid": "1.2.840.113549.1.9.16.2.47",
      "name": "Signing Certificate V2"
    }
  ]
}

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.GetSignedAttributes method
top
HashBdENC
# bd is a CkBinData
# outStr is a CkString (output)
status = crypt2.HashBdENC(bd, outStr);
retStr = crypt2.hashBdENC(bd);
Introduced in version 9.5.0.66

Hashes the bytes in bd and returns the hash as a binary-encoded string. The hash algorithm is determined by the HashAlgorithm property, while the encoding is specified by the EncodingMode property. Encoding options include base64, hex, base64url, or others listed at the link below.

Returns True for success, False for failure.

More Information and Examples
Binary Encodings Supported by ChilkatSOAP WS-Security UsernameTokenSHA256 Hash the Bytes Represented in a Hex String
top
HashBeginString
# strData is a string
status = crypt2.HashBeginString(strData);

To hash a large amount of text, start by processing the first chunk using this method. For subsequent chunks, use the HashMoreString method as needed. Conclude by calling HashFinalENC to obtain the final result. The hash algorithm is determined by the HashAlgorithm property setting.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.HashBeginString methodImportance of Charset when Hashing Text
top
HashChunkBd
# firstChunk is a boolean
# bd is a CkBinData
status = crypt2.HashChunkBd(firstChunk, bd);
Introduced in version 11.1.0

Start or continue hashing data in chunks. Set firstChunk to True for the first chunk, and False for subsequent chunks. Finish by calling HashFinalENC to obtain the result. The hash algorithm used is determined by the HashAlgorithm property.

Returns True for success, False for failure.

top
HashFileENC
# path is a string
# outStr is a CkString (output)
status = crypt2.HashFileENC(path, outStr);
retStr = crypt2.hashFileENC(path);

Hashes a file and returns the hash as an encoded string.

The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64, hex, base64url, or any of the encodings listed at the link below.

Any size file is supported because the file is hashed internally in streaming mode (keeping memory usage low and constant).

Returns True for success, False for failure.

More Information and Examples
Supported Binary EncodingsCompute Hash for a File (Example)
top
HashFileENCAsync (1)
# returns a CkTask
# path is a string
ret_task = crypt2.HashFileENCAsync(path);

Creates an asynchronous task to call the HashFileENC method with the arguments provided.

Returns None on failure

top
HashFinalENC
# outStr is a CkString (output)
status = crypt2.HashFinalENC(outStr);
retStr = crypt2.hashFinalENC();

Finalizes a multi-step hash computation and returns the hash bytes encoded according to the EncodingMode property setting.

Returns True for success, False for failure.

More Information and Examples
Supported Binary EncodingsExample: Hashing Text in Chunks
top
HashMoreString
# strData is a string
status = crypt2.HashMoreString(strData);

Adds more text to the hash currently under computation. (See HashBeginString)

Returns True for success, False for failure.

More Information and Examples
Example: Hashing Text in Chunks
top
HashStringENC
# str is a string
# outStr is a CkString (output)
status = crypt2.HashStringENC(str, outStr);
retStr = crypt2.hashStringENC(str);

Hashes the str and returns the hash as a binary encoded string. The Charset property determines the actual bytes that are hashed.

InputGet bytes according to CharsetHashEncode using EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

The hash algorithm is determined by the HashAlgorithm property.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.HashStringENC methodImportance of Charset when Hashing TextSupported Binary Encodings
top
HasSignatureSigningTime
# index is an integer
retBool = crypt2.HasSignatureSigningTime(index);

After verifying a digital signature with a signature verification method, you can call this method. It returns True if the signing time for the Nth certificate is available and can be accessed using the GetSignatureSigningTimeStr method.

More Information and Examples
Example: Crypt2.HasSignatureSigningTime method
top
Hotp
# secret is a string
# secretEnc is a string
# counterHex is a string
# numDigits is an integer
# truncOffset is an integer
# hashAlg is a string
# outStr is a CkString (output)
status = crypt2.Hotp(secret, secretEnc, counterHex, numDigits, truncOffset, hashAlg, outStr);
retStr = crypt2.hotp(secret, secretEnc, counterHex, numDigits, truncOffset, hashAlg);
Introduced in version 9.5.0.77

Implements RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm. The arguments to this method are:

  • secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
  • secretEnc: The encoding of the shared secret, such as base64
  • counterHex: The 8-byte counter in hexidecimal format.
  • numDigits: The number of decimal digits to return.
  • truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
  • hashAlg: Normally set to sha1. Can be set to other hash algorithms such as sha256, sha512, etc.

Returns True for success, False for failure.

More Information and Examples
HOTP Algorithm: HMAC-Based One-Time Password Algorithm
top
LastDecryptCert
# cert is a CkCert
status = crypt2.LastDecryptCert(cert);
Introduced in version 11.0.0

Returns in cert the last certificate used for public-key decryption.

Returns True for success, False for failure.

More Information and Examples
Decrypt PKCS7 (CMS) EnvelopedData
top
LastSignerCert
# index is an integer
# cert is a CkCert
status = crypt2.LastSignerCert(index, cert);
Introduced in version 11.0.0

Retrieves the Nth certificate used for signing in cert, where the first certificate is at index 0. Use this method after verifying a digital signature to access the signer certificates. The NumSignerCerts property indicates the total number of signing certificates. Usually, only one certificate is used when creating a digital signature.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.LastSignerCert method
top
LoadTaskCaller
# task is a CkTask
status = crypt2.LoadTaskCaller(task);
Introduced in version 9.5.0.80

Loads the caller of the task's async method.

Returns True for success, False for failure.

top
MacBdENC
# bd is a CkBinData
# outStr is a CkString (output)
status = crypt2.MacBdENC(bd, outStr);
retStr = crypt2.macBdENC(bd);
Introduced in version 9.5.0.66

Generates a Message Authentication Code (MAC) for the bytes in bd using the algorithm defined by the MacAlgorithm property. The resulting MAC is encoded into a string based on the EncodingMode property (e.g., base64 or hex). The HashAlgorithm property determines the internal hash function. Before generating the MAC, specify the secret key using SetMacKeyEncoded .

Returns True for success, False for failure.

More Information and Examples
Supported Binary EncodingsHMAC Hex StringAES-CMAC
top
MacStringENC
# inText is a string
# outStr is a CkString (output)
status = crypt2.MacStringENC(inText, outStr);
retStr = crypt2.macStringENC(inText);
Introduced in version 9.5.0.55

Computes a Message Authentication Code (MAC) and returns it as a binary encoded string. The MAC algorithm is defined by the MacAlgorithm property. The Charset property determines the actual bytes that are hashed.

InputGet bytes according to CharsetMACEncode using EncodingModeOutput

The encoding (e.g. base64, hex, etc.) is determined by the EncodingMode property.

The hash algorithm is determined by the HashAlgorithm property. The secret key must be set beforehand by calling SetMacKeyEncoded .

Returns True for success, False for failure.

More Information and Examples
Importance of Charset when Hashing TextSupported Binary EncodingsDemonstrates HMAC SHA256AES-CMAC
top
MySqlAesDecrypt
# strEncryptedHex is a string
# strPassword is a string
# outStr is a CkString (output)
status = crypt2.MySqlAesDecrypt(strEncryptedHex, strPassword, outStr);
retStr = crypt2.mySqlAesDecrypt(strEncryptedHex, strPassword);

Matches MySQL's AES_DECRYPT function. strEncryptedHex is a hex-encoded AES-encrypted string, and the return value is the original unencrypted string.

Returns True for success, False for failure.

More Information and Examples
Match MySQL AES_DECRYPT Function
top
MySqlAesEncrypt
# strData is a string
# strPassword is a string
# outStr is a CkString (output)
status = crypt2.MySqlAesEncrypt(strData, strPassword, outStr);
retStr = crypt2.mySqlAesEncrypt(strData, strPassword);

This function replicates MySQL's AES_ENCRYPT, returning the encrypted data as a hex-encoded string. In MySQL, this is done using: HEX(AES_ENCRYPT('The quick brown fox jumps over the lazy dog', 'password')).

Returns True for success, False for failure.

More Information and Examples
Match MySQL AES_ENCRYPT Function
top
OpaqueSignBd
# bd is a CkBinData
status = crypt2.OpaqueSignBd(bd);
Introduced in version 9.5.0.67

Digitally signs the contents of bd. If successful, the contents of bd are replaced with the PKCS#7 signed-data, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert before invoking this method. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatRSASSA-PSS Sign Binary DataSign String to create a CAdES-T SignatureCreate ICP-Brasil Compliant CMS Signature
top
OpaqueSignBdAsync (1)
# returns a CkTask
# bd is a CkBinData
ret_task = crypt2.OpaqueSignBdAsync(bd);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the OpaqueSignBd method with the arguments provided.

Returns None on failure

top
OpaqueSignStringENC
# str is a string
# outStr is a CkString (output)
status = crypt2.OpaqueSignStringENC(str, outStr);
retStr = crypt2.opaqueSignStringENC(str);

Digitally signs a string and returns PKCS#7 signed-data as a binary encoded string. The EncodingMode property determines the binary encoding, such as base64, hex, hex_lower, base64_mime, etc. The Charset property determines the actual bytes that are hashed and signed. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatWhy Charset Matters in Digital SignaturesSupported Binary EncodingsCreate and Verify an Opaque PKCS7/CMS SignaturePKCS7 Sign Text using RSA 2048, SHA256, Base64 Output
top
OpaqueSignStringENCAsync (1)
# returns a CkTask
# str is a string
ret_task = crypt2.OpaqueSignStringENCAsync(str);

Creates an asynchronous task to call the OpaqueSignStringENC method with the arguments provided.

Returns None on failure

top
OpaqueVerifyBd
# bd is a CkBinData
status = crypt2.OpaqueVerifyBd(bd);
Introduced in version 9.5.0.67

The method performs in-place verification of the PKCS#7 signed-data content of bd. If the signature is successfully verified, the content of bd is replaced with the original data, and the method returns True. If verification fails, bd remains unchanged, and the method returns False. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatRSASSA-PSS Sign Binary DataExtract XML from FatturaPA .p7m
top
OpaqueVerifyStringENC
# p7m is a string
# outOriginal is a CkString (output)
status = crypt2.OpaqueVerifyStringENC(p7m, outStr);
retStr = crypt2.opaqueVerifyStringENC(p7m);

This function verifies a PKCS#7 signed-data binary-encoded signature and returns the original text data. The EncodingMode property determines how p7m is decoded to bytes. If the signature does not verify successfully, it returns an empty string. The Charset property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatSupported Binary EncodingsWhy Charset Matters in Digital SignaturesCreate and Verify an Opaque PKCS7/CMS Signature
top
Pbkdf1
# password is a string
# charset is a string
# hashAlg is a string
# salt is a string
# iterationCount is an integer
# outputKeyBitLen is an integer
# encoding is a string
# outStr is a CkString (output)
status = crypt2.Pbkdf1(password, charset, hashAlg, salt, iterationCount, outputKeyBitLen, encoding, outStr);
retStr = crypt2.pbkdf1(password, charset, hashAlg, salt, iterationCount, outputKeyBitLen, encoding);

This function implements the PBKDF1 (Password-Based Key Derivation Function #1) algorithm. Follow these guidelines to use it:

  1. password (the password) is first converted using the character encoding specified by charset before being processed by the key derivation function.
  2. hashAlg specifies the hash function to use, such as md5, sha1, or md2.
  3. salt represents the salt, which should be random data of at least 8 bytes (64 bits). You can use the GenRandomBytesENC method to generate this.
  4. iterationCount sets the iteration count, which must be a minimum of 1000.
  5. outputKeyBitLen determines the length (in bits) of the derived key.
  6. encoding defines the output encoding format, such as base64 or hex, and also the expected encoding of salt (the salt).

The function returns the derived key.

Note: If charset is specified as hex or base64, the password (password) will be treated as binary data encoded in that format. It will be decoded into binary form and used directly as such.

Returns True for success, False for failure.

More Information and Examples
PBKDF1 - Derive Key from PasswordMore About PBKDF1
top
Pbkdf2
# password is a string
# charset is a string
# hashAlg is a string
# salt is a string
# iterationCount is an integer
# outputKeyBitLen is an integer
# encoding is a string
# outStr is a CkString (output)
status = crypt2.Pbkdf2(password, charset, hashAlg, salt, iterationCount, outputKeyBitLen, encoding, outStr);
retStr = crypt2.pbkdf2(password, charset, hashAlg, salt, iterationCount, outputKeyBitLen, encoding);

Implements the PBKDF2 algorithm as follows:

  1. Convert password to the character encoding specified by charset before using it in the key derivation function.
  2. hashAlg specifies the hash algorithm. Options include sha256, sha384, sha512, md5, sha1, md2, or any algorithm listed in the HashAlgorithm property.
  3. Provide a random salt value that is at least 8 bytes (64 bits) long. Use methods like GenRandomBytesENC to generate this salt value.
  4. Ensure iterationCount is 1000 or greater.
  5. Control the length of the derived key output using outputKeyBitLen.
  6. Set encoding to specify the encoding format for the output and the expected encoding for salt. Options include base64 and hex.

The derived key is the output of this process. Internally, PBKDF2 uses a pseudorandom function (PRF), specifically a keyed HMAC. The hash algorithm chosen with hashAlg dictates this PRF; for example, SHA256 uses HMAC-SHA256, while SHA1 uses HMAC-SHA1.

Note: If charset is hex or base64, password is treated as binary data. It will be decoded and used directly as a binary password. SHA256 uses HMAC-SHA256, while SHA1 uses HMAC-SHA1.

PBKDF1 and PBKDF2 are both key derivation functions used to strengthen passwords for cryptographic purposes, but PBKDF2 is the improved version.

  • PBKDF1: Older and limited—it can only generate small keys (up to the hash function’s output size), making it less flexible and secure.
  • PBKDF2: More advanced—it can generate longer keys, is more resistant to attacks, and is widely recommended for modern security needs.

In short, PBKDF2 is stronger and more versatile than PBKDF1.

Returns True for success, False for failure.

More Information and Examples
More about PBKDF2 Key DerivationPBKDF2 - Derive Key from PasswordWPA Key Calculation from PassPhrase to HexDuplicate .NET's Rfc2898DeriveBytes FunctionalityAES 256-bit CBC using PBKDF2 Generated Secret KeyBIP39 Compute Binary Seed from Mnemonic
top
RandomizeIV
crypt2.RandomizeIV();

Sets the initialization vector (IV) to a random value. The CryptAlgorithm property should be set prior to calling this method.

A random IV is used in symmetric encryption (like AES-CBC or AES-GCM) to ensure that encrypting the same plaintext with the same key produces different ciphertext each time. This prevents attackers from recognizing patterns in encrypted data and strengthens security.

Why use a random IV?

  • It ensures semantic security (i.e. same plaintext never results in same ciphertext).
  • Prevents replay and pattern attacks.
  • Especially important in modes like CBC and GCM.

How is the IV sent to the decrypting party?

The IV is not secret, but it must be available for decryption. Common methods:

  • Prepended to the ciphertext (e.g., IV || ciphertext)
  • Sent in a separate field (e.g., JSON field, HTTP header)
  • Concatenated and encoded (e.g., base64 of IV + ciphertext)

At the receiving side, the decryptor extracts the IV and uses it with the shared key to decrypt the ciphertext correctly.

More Information and Examples
Example: Using a random initialization vector for AES GCM encryption
top
ReEncode
# encodedData is a string
# fromEncoding is a string
# toEncoding is a string
# outStr is a CkString (output)
status = crypt2.ReEncode(encodedData, fromEncoding, toEncoding, outStr);
retStr = crypt2.reEncode(encodedData, fromEncoding, toEncoding);

This method converts between different encodings, such as from base64 to hex. Each argument can be any binary encoding supported by Chilkat.

Returns True for success, False for failure.

More Information and Examples
How to Convert from One Binary Encoding to AnotherSupported Binary Encodings
top
SetDecryptCert
# cert is a CkCert
status = crypt2.SetDecryptCert(cert);

Sets the digital certificate for decryption when the CryptAlgorithm property is set to "pki". This method requires that the certificate has a private key.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.SetDecryptCert methodCertificates and Private Keys (Files and Sources)
top
SetDecryptCert2
# cert is a CkCert
# key is a CkPrivateKey
status = crypt2.SetDecryptCert2(cert, key);

Sets the digital certificate and associated private key for decryption when the CryptAlgorithm property is set to "pki". The private key must be the one that matches the certificate's public key.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.SetDecryptCert2 method
top
SetEncodedAad
# aadStr is a string
# encoding is a string
status = crypt2.SetEncodedAad(aadStr, encoding);
Introduced in version 9.5.0.55

Sets the optional authenticated additional data (AAD) for AES encryption in GCM mode. The data is provided as a binary-encoded string using the specified encoding, and any binary encoding supported by Chilkat can be used.

In GCM (Galois/Counter Mode) encryption, AAD (Additional Authenticated Data) is optional input that is not encrypted but is authenticated along with the ciphertext. It's used to verify integrity of associated data like headers or metadata. If AAD is modified, decryption will fail due to authentication tag mismatch.

Returns True for success, False for failure.

More Information and Examples
AEAD AES 128-bit GCM
top
SetEncodedAuthTag
# authTagStr is a string
# encoding is a string
status = crypt2.SetEncodedAuthTag(authTagStr, encoding);
Introduced in version 9.5.0.55

In GCM mode, the authentication tag is a short value (e.g. 16 bytes) generated during encryption that ensures the integrity and authenticity of both the ciphertext and any AAD. It must be verified during decryption to confirm the data hasn't been altered.

When decrypting AES-GCM, applications must call this method to provide the expected authentication tag.

To prevent Chilkat from checking the authentication tag after decryption, you can set the authentication tag to the special hex value FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF (16 bytes of 0xFF).

Returns True for success, False for failure.

More Information and Examples
Explaining the AES-GCM Authentication TagAES-GCM OverviewExplaining Authenticated Encryption, such as AES-GCMAEAD AES 128-bit GCM
top
SetEncodedIV
# ivStr is a string
# encoding is a string
crypt2.SetEncodedIV(ivStr, encoding);

Sets the initialization vector used in symmetric encrpytion (AES, Blowish, etc.) from a binary-encoded string using any Chilkat-supported encoding method (e.g., base64, hex).

An Initialization Vector (IV) is a random or unique value used in symmetric encryption to ensure that encrypting the same plaintext multiple times produces different ciphertexts. It prevents pattern leakage.

Cipher Modes That Require an IV:

  • CBC (Cipher Block Chaining)
  • CFB (Cipher Feedback)
  • OFB (Output Feedback)
  • CTR (Counter Mode)
  • GCM (Galois/Counter Mode)

ECB (Electronic Codebook) does *not* use an IV, which makes it less secure.

More Information and Examples
IV Length and Algorithm Block SizeExample: Crypt2.SetEncodedIV methodSupported Binary Encodings
top
SetEncodedKey
# keyStr is a string
# encoding is a string
crypt2.SetEncodedKey(keyStr, encoding);

Sets the encryption key used in symmetric encrpytion (AES, Blowfish, etc.) from a binary-encoded string using any Chilkat-supported encoding method (e.g., base64, hex).

The key must have a byte size equal to the KeyLength property. For instance, a KeyLength of 128 bits requires a 16-byte key, and a KeyLength of 256 bits requires a 32-byte key.

More Information and Examples
Generate Encryption KeySupported Binary Encodings
top
SetEncodedSalt
# saltStr is a string
# encoding is a string
crypt2.SetEncodedSalt(saltStr, encoding);

Sets the pbes2 or pbes1 salt bytes from a binary-encoded string using any Chilkat-supported encoding method (e.g., base64, hex).

More Information and Examples
PBES2 Password-Based EncryptionSupported Binary EncodingsExplaining PBES2 Encryption
top
SetEncryptCert
# cert is a CkCert
status = crypt2.SetEncryptCert(cert);

Instructs the encryption library to use a specified digital certificate for public-key encryption. To encrypt using multiple certificates, call AddEncryptCert for each one. This action is equivalent to calling ClearEncryptCerts before AddEncryptCert .

Returns True for success, False for failure.

More Information and Examples
Encrypt File using Recipient's CertificateCreate PKCS7 (CMS) EnvelopedDataRSAES-OAEP Encrypt String with AES-128 Content Encryption and SHA256
top
SetMacKeyEncoded
# key is a string
# encoding is a string
status = crypt2.SetMacKeyEncoded(key, encoding);
Introduced in version 9.5.0.55

Sets the MAC key from a binary-encoded string using any Chilkat-supported encoding method (e.g., base64, hex).

Returns True for success, False for failure.

More Information and Examples
Poly1305 MACMAC Key AmbiguitySupported Binary Encodings
top
SetMacKeyString
# key is a string
status = crypt2.SetMacKeyString(key);
Introduced in version 9.5.0.55

Sets the MAC key from a string. The Charset property determines the actual bytes used for the MAC key.

Returns True for success, False for failure.

More Information and Examples
Mac Key AmbiguityHMAC Example using SetMacKeyString
top
SetSigningCert
# cert is a CkCert
status = crypt2.SetSigningCert(cert);

Sets the digital certificate to be used for signing. Signing requires that the certificate has a private key.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.SetSigningCert methodPKCS7 Sign Text using RSA 2048, SHA256, Base64 OutputA3/A4 Certificate to Create and Verify an Opaque PKCS7/CMS Signature
top
SetSigningCert2
# cert is a CkCert
# privateKey is a CkPrivateKey
status = crypt2.SetSigningCert2(cert, privateKey);

Sets the digital certificate and associated private key for signing. The private key must be the one that matches the certificate's public key.

Returns True for success, False for failure.

More Information and Examples
Example: Crypt2.SetSigningCert2 methodCreate and Verify an Opaque PKCS7/CMS SignatureDuplicate OpenSSL smime Command
top
SetTsaHttpObj
# http is a CkHttp
crypt2.SetTsaHttpObj(http);

If timestamp server communications are needed for signing and special Internet settings like a proxy server are necessary, this method can provide an Http object configured with these settings.

More Information and Examples
Configure HTTP Object to use Proxy for Communicating with Timestamp Server
top
SetVerifyCert
# cert is a CkCert
status = crypt2.SetVerifyCert(cert);

Assigns the digital certificate for signature verification. Typically, a PKCS7 (CMS) signature includes the signing certificate information, making it unnecessary to call this method explicitly. This is only required in rare instances.

Returns True for success, False for failure.

top
SignBdENC
# dataToSign is a CkBinData
# outStr is a CkString (output)
status = crypt2.SignBdENC(dataToSign, outStr);
retStr = crypt2.signBdENC(dataToSign);
Introduced in version 9.5.0.67

Digitally signs the content in dataToSign and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatSupported Binary EncodingsRSASSA-PSS Sign Binary Data
top
SignBdENCAsync (1)
# returns a CkTask
# dataToSign is a CkBinData
ret_task = crypt2.SignBdENCAsync(dataToSign);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the SignBdENC method with the arguments provided.

Returns None on failure

top
SignHashENC
# encodedHash is a string
# hashAlg is a string
# hashEncoding is a string
# outStr is a CkString (output)
status = crypt2.SignHashENC(encodedHash, hashAlg, hashEncoding, outStr);
retStr = crypt2.signHashENC(encodedHash, hashAlg, hashEncoding);
Introduced in version 9.5.0.90

Digitally signs a pre-computed hash and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower

encodedHash is a binary-encoded hash to be signed, with its encoding format specified by hashEncoding (e.g., base64, hex). hashAlg specifies the hash algorithm (e.g., sha256, sha1, sha512) used for encodedHash.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatSupported Binary EncodingsDigital Signatures Actually Sign the Hash of the DataCMS Sign Hash
top
SignHashENCAsync (1)
# returns a CkTask
# encodedHash is a string
# hashAlg is a string
# hashEncoding is a string
ret_task = crypt2.SignHashENCAsync(encodedHash, hashAlg, hashEncoding);
Introduced in version 9.5.0.90

Creates an asynchronous task to call the SignHashENC method with the arguments provided.

Returns None on failure

top
SignSbENC
# sb is a CkStringBuilder
# outStr is a CkString (output)
status = crypt2.SignSbENC(sb, outStr);
retStr = crypt2.signSbENC(sb);
Introduced in version 9.5.0.67

Digitally signs the text contained in sb and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatWhy Charset Matters in Digital SignaturesSupported Binary EncodingsRSASSA-PSS Sign Text
top
SignSbENCAsync (1)
# returns a CkTask
# sb is a CkStringBuilder
ret_task = crypt2.SignSbENCAsync(sb);
Introduced in version 9.5.0.67

Creates an asynchronous task to call the SignSbENC method with the arguments provided.

Returns None on failure

top
SignStringENC
# str is a string
# outStr is a CkString (output)
status = crypt2.SignStringENC(str, outStr);
retStr = crypt2.signStringENC(str);

Digitally signs a string and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatWhy Charset Matters in Digital SignaturesSupported Binary EncodingsRSASSA-PSS Sign String to Create Base64 PCKS7 Signature
top
SignStringENCAsync (1)
# returns a CkTask
# str is a string
ret_task = crypt2.SignStringENCAsync(str);

Creates an asynchronous task to call the SignStringENC method with the arguments provided.

Returns None on failure

top
Totp
# secret is a string
# secretEnc is a string
# t0 is a string
# tNow is a string
# tStep is an integer
# numDigits is an integer
# truncOffset is an integer
# hashAlg is a string
# outStr is a CkString (output)
status = crypt2.Totp(secret, secretEnc, t0, tNow, tStep, numDigits, truncOffset, hashAlg, outStr);
retStr = crypt2.totp(secret, secretEnc, t0, tNow, tStep, numDigits, truncOffset, hashAlg);
Introduced in version 9.5.0.77

Implements RFC 6238: TOTP: Time-Based One-Time Password Algorithm. The arguments to this method are:

  • secret: The shared secret in an enocded representation such as base64, hex, ascii, etc.
  • secretEnc: The encoding of the shared secret, such as base64
  • t0: The Unix time to start counting time steps. It is a number in decimal string form. A Unix time is the number of seconds elapsed since midnight UTC of January 1, 1970. 0 is a typical value used for this argument.
  • tNow: The current Unix time in decimal string form. To use the current system date/time, pass an empty string for this argument.
  • tStep: The time step in seconds. A typical value is 30. Note: Both client and server must pre-agree on the secret, the t0, and the tStep.
  • numDigits: The number of decimal digits to return.
  • truncOffset: Normally set this to -1 for dynamic truncation. Otherwise can be set in the range 0..15.
  • hashAlg: Normally set to sha1. Can be set to other hash algorithms such as sha256, sha512, etc.

Returns True for success, False for failure.

More Information and Examples
TOTP Algorithm: Time-Based One-Time Password AlgorithmGoogle Authenticator AlgorithmGenerate TOTP using Base32 Secret (6 Digits, Time-based, 30-second period)
top
UseCertVault
# vault is a CkXmlCertVault
status = crypt2.UseCertVault(vault);
Introduced in version 9.5.0.40

Adds an XML certificate vault to the object's internal list of sources to be searched for certificates and private keys when encrypting/decrypting or signing/verifying. Unlike the AddPfxSourceData and AddPfxSourceFile methods, only a single XML certificate vault can be used. If UseCertVault is called multiple times, only the last certificate vault will be used, as each call to UseCertVault will replace the certificate vault provided in previous calls.

Returns True for success, False for failure.

top
VerifyBdENC
# data is a CkBinData
# encodedSig is a string
status = crypt2.VerifyBdENC(data, encodedSig);
Introduced in version 9.5.0.67

Verifies a detached digital signature against the original data contained in data. Returns True if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatSupported Binary EncodingsRSASSA-PSS Sign Binary Data
top
VerifyP7M
# p7mPath is a string
# destPath is a string
status = crypt2.VerifyP7M(p7mPath, destPath);

Verifies an opaque digital signature contained in a .p7m file and extracts the original data to destPath. Returns True if the .p7m is validated and the original data was extracted. Otherwise returns False.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatExtract a File from a .p7m (PKCS7 Signed-Data)CAdES BES Attached (Opaque) SignatureCreate P7M Using Pre-Installed Windows Certificate
top
VerifyP7S
# originalDataPath is a string
# p7sPath is a string
status = crypt2.VerifyP7S(originalDataPath, p7sPath);

Verifies a detached digital signature contained in a .p7s file against the original data contained in originalDataPath. Returns True if the signature is verified.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatCAdES BES Detached Signature
top
VerifySbENC
# sb is a CkStringBuilder
# encodedSig is a string
status = crypt2.VerifySbENC(sb, encodedSig);
Introduced in version 9.5.0.67

Verifies a detached digital signature against the original text contained in sb. Returns True if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property. The Charset property determines how the text in sb is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatWhy Charset Matters in Digital SignaturesSupported Binary EncodingsRSASSA-PSS Sign Text
top
VerifyStringENC
# str is a string
# encodedSig is a string
status = crypt2.VerifyStringENC(str, encodedSig);

Verifies a detached digital signature against the original text in str. Returns True if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property. The Charset property determines how the text in str is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
About PKCS#7 signed-data FormatWhy Charset Matters in Digital SignaturesSupported Binary EncodingsRSASSA-PSS Sign String to Create Base64 PCKS7 Signature
top
XtsSetDataUnitNumber
# loUint32 is an integer
# hiUint32 is an integer
crypt2.XtsSetDataUnitNumber(loUint32, hiUint32);
Introduced in version 9.5.0.91

Sets the XTS-AES mode data unit number. The data unit number is a 64-bit unsigned integer. It is passed in as two 32-bit unsigned integers representing the high and low 32-bits.

Setting the data unit number is one way of setting the tweak value. The tweak value is 16 bytes in length and can alternatively be set by calling XtsSetEncodedTweakValue.

This method sets the tweak value such that the first 8 bytes are composed of the little-endian 64-bit data unit number, followed by 8 zero bytes.

(Unfortunately, Chilkat cannot use 64-bit integers in method arguments because many older programming environments, such as ActiveX, do not support it. Chilkat must present an identical and uniform API across all programming languages.)

More Information and Examples
AES XTS Mode where Tweak Value is Data Unit Number
top
XtsSetEncodedTweakKey
# key is a string
# encoding is a string
crypt2.XtsSetEncodedTweakKey(key, encoding);
Introduced in version 9.5.0.91

Sets the XTS-AES mode tweak key from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url. The tweak key should be equal in size to the encryption key. For example, to do 256-bit AES-XTS, the encryption key is 256-bits, and the tweak key is also 256-bits.

More Information and Examples
AES XTS Mode
top
XtsSetEncodedTweakValue
# tweak is a string
# encoding is a string
crypt2.XtsSetEncodedTweakValue(tweak, encoding);
Introduced in version 9.5.0.91

Sets the XTS-AES mode tweak value from an encoded string. The encoding argument can be set to any of the following strings: base64, hex, quoted-printable, ascii, or url.

The tweak value must be 16 bytes in length. An application can set the initial tweak value by calling this method, or by calling XtsSetDataUnitNumber (but not both).

More Information and Examples
AES XTS Mode
top

Deprecated

AddPfxSourceData Deprecated
# pfxBytes is a CkByteData
# pfxPassword is a string
status = crypt2.AddPfxSourceData(pfxBytes, pfxPassword);

Adds a PFX file to the object's list of sources for locating certificates and private keys during public-key decryption or signing. To add multiple PFX sources, call this method multiple times. pfxBytes should contain the bytes of a PFX file (also known as PKCS12 or .p12).

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.AddPfxSourceData method
top
CrcBytes Deprecated
# crcAlg is a string
# byteData is a CkByteData
retInt = crypt2.CrcBytes(crcAlg, byteData);
Introduced in version 9.5.0.38

Calculates a CRC for byte data in memory using the CRC algorithm specified by crcAlg. Possible algorithms are:

  • crc-32 - This is the CRC used in the Zip file format.
  • crc8

More Information and Examples
Workaround for the deprecated Crypt2.CrcBytes method
top
Decode
# str is a string
# encoding is a string
# outData is a CkByteData (output)
status = crypt2.Decode(str, encoding, outData);
This method is deprecated.

Applications should instead call BinData.AppendEncoded to append binary encoded data (such as base64) to a BinData object. The decoded binary bytes can then be obtained from the BinData object.

Decode binary data from an encoded string. The encoding can be set to any of the following strings: base64, hex, quoted-printable, url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.Decode method
top
DecryptBytes Deprecated
# data is a CkByteData
# outData is a CkByteData (output)
status = crypt2.DecryptBytes(data, outData);

Decrypts a byte array and returns the unencrypted byte array. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.DecryptBytes method
top
DecryptBytesENC Deprecated
# str is a string
# outData is a CkByteData (output)
status = crypt2.DecryptBytesENC(str, outData);

Decrypts string-encoded encrypted data and returns the unencrypted byte array. Data encrypted with EncryptBytesENC can be decrypted with this method. The property settings used when encrypting the data must match the settings when decrypting. Specifically, the EncodingMode, CryptAlgorithm, CipherMode, PaddingScheme, KeyLength, IV, and SecretKey properties must match.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.DecryptBytesENC methodSupported Binary Encodings
top
DecryptStream
# strm is a CkStream
status = crypt2.DecryptStream(strm);
Introduced in version 9.5.0.56
This method is deprecated.

This method is deprecated. Applications should implement streaming decryption by using the FirstChunk and LastChunk properties.

Returns True for success, False for failure.

More Information and Examples
Streaming Encryption
top
DecryptStreamAsync (1)
# returns a CkTask
# strm is a CkStream
ret_task = crypt2.DecryptStreamAsync(strm);
Introduced in version 9.5.0.56
This method is deprecated.

Creates an asynchronous task to call the DecryptStream method with the arguments provided.

Returns None on failure

top
DecryptString Deprecated
# data is a CkByteData
# outStr is a CkString (output)
status = crypt2.DecryptString(data, outStr);
retStr = crypt2.decryptString(data);

Decrypts a previously encrypted string, using the Charset property to interpret the decrypted bytes as characters.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated EncryptString and DecryptString methodsExplaining the Importance of the Charset
top
Encode Deprecated
# byteData is a CkByteData
# encoding is a string
# outStr is a CkString (output)
status = crypt2.Encode(byteData, encoding, outStr);
retStr = crypt2.encode(byteData, encoding);

Encode binary data to base64, hex, quoted-printable, or URL-encoding. The encoding can be set to any of the following strings: base64, hex, quoted-printable (or qp), url, base32, Q, B, url_rc1738, url_rfc2396, url_rfc3986, url_oauth, uu, modBase64, or html (for HTML entity encoding).

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.Encode method
top
EncryptBytes Deprecated
# data is a CkByteData
# outData is a CkByteData (output)
status = crypt2.EncryptBytes(data, outData);

Encrypts a byte array. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.EncryptBytes method
top
EncryptBytesENC Deprecated
# data is a CkByteData
# outStr is a CkString (output)
status = crypt2.EncryptBytesENC(data, outStr);
retStr = crypt2.encryptBytesENC(data);

Encrypts a byte array and returns the encrypted data as an encoded (printable) string. The minimal set of properties that should be set before encrypting are: CryptAlgorithm, SecretKey, EncodingMode. Other properties that control encryption are: CipherMode, PaddingScheme, KeyLength, IV. When decrypting, all property settings must match otherwise garbled data is returned. The encoding of the string that is returned is controlled by the EncodingMode property, which can be set to Base64, QP, or Hex.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.EncryptBytesENC methodSupported Binary Encodings
top
EncryptStream
# strm is a CkStream
status = crypt2.EncryptStream(strm);
Introduced in version 9.5.0.56
This method is deprecated.

This method is deprecated. Applications should implement streaming encryption or decryption by using the FirstChunk and LastChunk properties.

Returns True for success, False for failure.

More Information and Examples
Streaming Encryption
top
EncryptStreamAsync (1)
# returns a CkTask
# strm is a CkStream
ret_task = crypt2.EncryptStreamAsync(strm);
Introduced in version 9.5.0.56
This method is deprecated.

Creates an asynchronous task to call the EncryptStream method with the arguments provided.

Returns None on failure

top
EncryptString Deprecated
# str is a string
# outData is a CkByteData (output)
status = crypt2.EncryptString(str, outData);

Encrypts a string and returns the result as bytes, with the Charset property determining the specific byte encoding of what gets encrypted.

Returns True for success, False for failure.

More Information and Examples
Explaining the Importance of the CharsetWorkaround for the deprecated EncryptString and DecryptString methods
top
GenEncodedSecretKey
# password is a string
# encoding is a string
# outStr is a CkString (output)
status = crypt2.GenEncodedSecretKey(password, encoding, outStr);
retStr = crypt2.genEncodedSecretKey(password, encoding);
This method is deprecated.

This method is deprecated and should be avoided because it transforms the password into a binary secret key using a transformation that is undocumented and specific to this Chilkat method. PBKDF2 is a standard and more secure method of generating a binary secret key from a password.

Returns True for success, False for failure.

top
GenerateSecretKey
# password is a string
# outData is a CkByteData (output)
status = crypt2.GenerateSecretKey(password, outData);
This method is deprecated and replaced by Pbkdf2

This method is deprecated and should be avoided because it transforms the password into a binary secret key using a transformation that is undocumented and specific to this Chilkat method. PBKDF2 is a standard and more secure method of generating a binary secret key from a password. An example using PBKDF2 is shown below.

This method converts a string into a byte array matching the bit length of the KeyLength property. For instance, if KeyLength is 128 bits, the resulting array will be 16 bytes. This byte array can be assigned to the SecretKey property. For decryption to work, the SecretKey must match exactly. To use password-based encryption, pass the password to this method to generate an appropriate binary secret key for the SecretKey property.

IMPORTANT: Do not use this method to decrypt data if another party has provided you with the secret key. It is intended to transform a password of any length into a correctly sized binary secret key.

Returns True for success, False for failure.

More Information and Examples
Deriving a 256-bit AES Secret Key from a Password Using SHA256PBKDF2 - Derive Key from Password
top
GetDecryptCert
# returns a CkCert
ret_cert = crypt2.GetDecryptCert();
Introduced in version 9.5.0.46
This method is deprecated.

This method is deprecated. Application should instead call LastDecryptCert

Returns the last certificate used for public-key decryption.

Returns None on failure

More Information and Examples
Transition from Crypt2.GetDecryptCert to Crypt2.LastDecryptCert
top
GetEncodedAad
# encoding is a string
# outStr is a CkString (output)
status = crypt2.GetEncodedAad(encoding, outStr);
retStr = crypt2.getEncodedAad(encoding);
Introduced in version 9.5.0.55
This method is deprecated.

This method retrieves the authenticated additional data (AAD) set by the application during the last call to SetEncodedAad. However, using this method is redundant (and therefore deprecated), as the application can store and retrieve the AAD independently after calling SetEncodedAad.

Returns True for success, False for failure.

top
GetEncodedKey
# encoding is a string
# outKey is a CkString (output)
status = crypt2.GetEncodedKey(encoding, outStr);
retStr = crypt2.getEncodedKey(encoding);
This method is deprecated.

This method retrieves the symmetric encryption secret key set by the application during the last call to SetEncodedKey or RandomizeKey. However, using this method is redundant (and therefore deprecated), as the application can store and retrieve the key independently after calling SetEncodedKey.

Returns True for success, False for failure.

top
GetEncodedSalt
# encoding is a string
# outStr is a CkString (output)
status = crypt2.GetEncodedSalt(encoding, outStr);
retStr = crypt2.getEncodedSalt(encoding);
This method is deprecated.

This method retrieves the password-based encryption (PBE) salt set by the application during the last call to SetEncodedSalt. However, using this method is redundant (and therefore deprecated), as the application can store and retrieve the salt independently after calling SetEncodedSalt.

Returns True for success, False for failure.

top
GetSignerCert
# returns a CkCert
# index is an integer
ret_cert = crypt2.GetSignerCert(index);
This method is deprecated.

This method is deprecated. Application should instead call LastSignerCert

Gets the Nth certificate used for signing. This method can be called after verifying a digital signature to get the signer certs. The 1st certificate is at index 0. The NumSignerCerts property contains the total number of signing certificates. (Typically, a single certificate is used in creating a digital signature.)

Returns None on failure

More Information and Examples
Transition from Crypt2.GetSignerCert to Crypt2.LastSignerCertVerify Opaque Signature and Retrieve Signing Certificates
top
GetSignerCertChain
# returns a CkCertChain
# index is an integer
ret_certChain = crypt2.GetSignerCertChain(index);
Introduced in version 9.5.0.40
This method is deprecated.

This method is deprecated. Applications can get the cert chain by calling LastSignerCert to get the certificate object, and then get the certificate chain from the certificate object.

Returns the full certificate chain for the Nth certificate used to for signing. Indexing begins at 0.

Returns None on failure

More Information and Examples
Transition from Crypt2.GetSignerCertChain to Crypt2.LastSignerCertVerify Opaque Signature and Retrieve Signing Certificates
top
HashBeginBytes Deprecated
# data is a CkByteData
status = crypt2.HashBeginBytes(data);

To hash binary data in chunks, start by hashing the first chunk using this method. For additional chunks, use the HashMoreBytes method as needed. Complete the process with HashFinal or HashFinalENC to obtain the hash result. The hash algorithm used is determined by the HashAlgorithm property setting.

Returns True for success, False for failure.

top
HashBytes Deprecated
# data is a CkByteData
# outData is a CkByteData (output)
status = crypt2.HashBytes(data, outData);

Hashes a byte array using the algorithm specified by the HashAlgorithm property.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.HashBytes method
top
HashBytesENC Deprecated
# data is a CkByteData
# outStr is a CkString (output)
status = crypt2.HashBytesENC(data, outStr);
retStr = crypt2.hashBytesENC(data);

Hashes a byte array and returns the hash as a binary encoded string.

The hash algorithm is specified by the HashAlgorithm property, The encoding is controlled by the EncodingMode property, which can be set to base64, hex, base64url, or any of the encodings listed at the link below.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.HashBytesENC methodSupported Binary Encodings
top
HashFile Deprecated
# path is a string
# outBytes is a CkByteData (output)
status = crypt2.HashFile(path, outData);
This method is deprecated and replaced by HashFileENC

Hashes a file using the specified HashAlgorithm and returns the hash bytes. The file is processed in streaming mode, allowing any file size to be hashed efficiently while minimizing memory usage.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.HashFile method
top
HashFileAsync Deprecated (1)
# returns a CkTask
# path is a string
ret_task = crypt2.HashFileAsync(path);
This method is deprecated and replaced by HashFileENC

Creates an asynchronous task to call the HashFile method with the arguments provided.

Returns None on failure

top
HashFinal Deprecated
# outBytes is a CkByteData (output)
status = crypt2.HashFinal(outData);
This method is deprecated and replaced by HashFinalENC

Finalizes a multi-step hash computation and returns the hash bytes.

Returns True for success, False for failure.

top
HashMoreBytes Deprecated
# data is a CkByteData
status = crypt2.HashMoreBytes(data);
Introduced in version 9.5.0.82

Adds more bytes to the hash currently under computation. (See HashBeginBytes)

Returns True for success, False for failure.

top
HashString Deprecated
# str is a string
# outData is a CkByteData (output)
status = crypt2.HashString(str, outData);
This method is deprecated and replaced by HashStringENC

Hashes a string using the Charset property to determine the bytes and returns the hash.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.HashString methodImportance of Charset when Hashing Text
top
LastJsonData
# returns a CkJsonObject
ret_jsonObject = crypt2.LastJsonData();
Introduced in version 9.5.0.70
This method is deprecated and replaced by GetLastJsonData

This method is deprecated. Please use GetLastJsonData instead. GetLastJsonData provides details about the most recently executed method. While many methods don't provide additional information, some do, such as after verifying a signature. In such cases, LastJsonData will return JSON with details like the algorithms used in the verification process.

Returns None on failure

More Information and Examples
Transition from Crypt2.LastJsonData to Crypt2.GetLastJsonDataVerify a .p7m and get Algorithm Information
top
MacBytes Deprecated
# inBytes is a CkByteData
# outBytes is a CkByteData (output)
status = crypt2.MacBytes(inBytes, outData);
Introduced in version 9.5.0.55
This method is deprecated and replaced by MacBdENC

Computes a Message Authentication Code using the algorithm defined in the MacAlgorithm property. The HashAlgorithm property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.MacBytes method
top
MacBytesENC Deprecated
# inBytes is a CkByteData
# outStr is a CkString (output)
status = crypt2.MacBytesENC(inBytes, outStr);
retStr = crypt2.macBytesENC(inBytes);
This method is deprecated and replaced by MacBdENC

Computes a Message Authentication Code using the MAC algorithm specified in the MacAlgorithm property. The result is encoded to a string using the encoding (base64, hex, etc.) specified by the EncodingMode property.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.MacBytesENC methodSupported Binary Encodings
top
MacString Deprecated
# inText is a string
# outBytes is a CkByteData (output)
status = crypt2.MacString(inText, outData);
Introduced in version 9.5.0.55
This method is deprecated and replaced by MacStringENC

Computes a Message Authentication Code using the specified MacAlgorithm property. The Charset property determines the actual bytes presented to the MAC algorithm. The HashAlgorithm property setting determines the hash algorithm used internally. (A MAC algorithm like HMAC uses a hash function such as SHA-256 internally, along with a secret key, to create a secure and verifiable digest.)

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.MacString methodImportance of Charset when Hashing Text
top
OpaqueSignBytes Deprecated
# data is a CkByteData
# outData is a CkByteData (output)
status = crypt2.OpaqueSignBytes(data, outData);
This method is deprecated and replaced by OpaqueSignBd

Digitally signs a binary data and returns the signature in PKCS#7 signed-data format, which embeds the original data within the signature. Ensure a certificate is set using SetSigningCert before invoking this method. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueSignBytes methodAbout PKCS#7 signed-data Format
top
OpaqueSignBytesAsync Deprecated (1)
# returns a CkTask
# data is a CkByteData
ret_task = crypt2.OpaqueSignBytesAsync(data);
This method is deprecated and replaced by OpaqueSignBd

Creates an asynchronous task to call the OpaqueSignBytes method with the arguments provided.

Returns None on failure

top
OpaqueSignBytesENC Deprecated
# data is a CkByteData
# outStr is a CkString (output)
status = crypt2.OpaqueSignBytesENC(data, outStr);
retStr = crypt2.opaqueSignBytesENC(data);

Digitally signs a binary data and returns a PKCS#7 signed-data signature binary-encoded as a string. The returned signature embeds the original data. Ensure to set a certificate by calling SetSigningCert beforehand. The EncodingMode property determines the output encoding such as base64, hex, base64_mime, etc. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueSignBytesENC methodSupported Binary EncodingsAbout PKCS#7 signed-data Format
top
OpaqueSignBytesENCAsync Deprecated (1)
# returns a CkTask
# data is a CkByteData
ret_task = crypt2.OpaqueSignBytesENCAsync(data);

Creates an asynchronous task to call the OpaqueSignBytesENC method with the arguments provided.

Returns None on failure

top
OpaqueSignString Deprecated
# str is a string
# outData is a CkByteData (output)
status = crypt2.OpaqueSignString(str, outData);

Digitally signs a string and returns PKCS#7 signed-data. The Charset property determines the actual bytes that are hashed and signed. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueSignString methodWhy Charset Matters in Digital SignaturesAbout PKCS#7 signed-data Format
top
OpaqueSignStringAsync Deprecated (1)
# returns a CkTask
# str is a string
ret_task = crypt2.OpaqueSignStringAsync(str);

Creates an asynchronous task to call the OpaqueSignString method with the arguments provided.

Returns None on failure

top
OpaqueVerifyBytes Deprecated
# p7m is a CkByteData
# outOriginal is a CkByteData (output)
status = crypt2.OpaqueVerifyBytes(p7m, outData);

Verifies a PKCS#7 signed-data signature and returns the original data. If the signature fails verification, the returned data will be empty. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueVerifyBytes methodAbout PKCS#7 signed-data Format
top
OpaqueVerifyBytesENC Deprecated
# p7m is a string
# outOriginal is a CkByteData (output)
status = crypt2.OpaqueVerifyBytesENC(p7m, outData);

Verifies a PKCS#7 signed-data signature and returns the original data. If the signature fails verification, the returned data will be empty. The p7m is a binary-encoded string, using the encoding set by the EncodingMode property. Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueVerifyBytesENC methodAbout PKCS#7 signed-data FormatSupported Binary Encodings
top
OpaqueVerifyString Deprecated
# p7m is a CkByteData
# outOriginal is a CkString (output)
status = crypt2.OpaqueVerifyString(p7m, outStr);
retStr = crypt2.opaqueVerifyString(p7m);

This function verifies a PKCS#7 signed-data signature and returns the original text data. If the signature does not verify successfully, it returns an empty string. The Charset property specifies how the original data bytes are converted to characters. You can obtain signer certificates using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.OpaqueVerifyString methodAbout PKCS#7 signed-data FormatWhy Charset Matters in Digital Signatures
top
RandomizeKey
crypt2.RandomizeKey();
This method is deprecated and replaced by GenRandomBytesENC

Sets the secret key to a random value. This method should be replaced by calling GenRandomBytesENC followed by SetEncodedKey .

More Information and Examples
Transition from Crypt2.RandomizeKey to Crypt2.GenRandomBytesENC
top
SetMacKeyBytes Deprecated
# keyBytes is a CkByteData
status = crypt2.SetMacKeyBytes(keyBytes);
Introduced in version 9.5.0.55
This method is deprecated and replaced by SetMacKeyEncoded

Sets the MAC key to be used for one of the Mac methods.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.SetMacKeyBytes method
top
SetSecretKeyViaPassword
# password is a string
crypt2.SetSecretKeyViaPassword(password);
This method is deprecated and replaced by Pbkdf2

This method, created over 15 years ago, is cryptographically insecure. Applications should use PBKDF2 for generating secret keys, as demonstrated below.

This method accepts a password string to generate a binary secret key of the necessary bit length, setting the SecretKey property. It should only be used when using Chilkat for both encryption and decryption, as the password-to-secret-key algorithm must match to ensure compatibility.

There is no restriction on password length. The password is converted into a binary secret key by generating an MD5 digest of the UTF-8 encoded password, producing 16 bytes. If the required KeyLength exceeds 16 bytes, the MD5 digest of the Base64 encoded UTF-8 password is appended, generating up to 32 bytes of key material. This is then truncated to meet the necessary KeyLength. Below is an example of how to replicate this computation manually.

More Information and Examples
Example: Key Derivation using PBDKF2More about PBKDF2 Key DerivationManually Duplicate SetSecretKeyViaPasswordopenssl enc decrypt
top
SignBytes Deprecated
# data is a CkByteData
# outData is a CkByteData (output)
status = crypt2.SignBytes(data, outData);

Digitally signs binary data and returns the binary detached signature (PKCS#7 signed-data). The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.SignBytes methodAbout PKCS#7 signed-data Format
top
SignBytesAsync Deprecated (1)
# returns a CkTask
# data is a CkByteData
ret_task = crypt2.SignBytesAsync(data);

Creates an asynchronous task to call the SignBytes method with the arguments provided.

Returns None on failure

top
SignBytesENC Deprecated
# data is a CkByteData
# outStr is a CkString (output)
status = crypt2.SignBytesENC(data, outStr);
retStr = crypt2.signBytesENC(data);

Digitally signs binary data and returns a detached signature (PKCS#7 signed-data) as a binary-encoded string. The EncodingMode property determines the binary-encoding. Possible encodings include base64, base64_mime, hex, and hex_lower. The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.SignBytesENC methodAbout PKCS#7 signed-data FormatSupported Binary Encodings
top
SignBytesENCAsync Deprecated (1)
# returns a CkTask
# data is a CkByteData
ret_task = crypt2.SignBytesENCAsync(data);

Creates an asynchronous task to call the SignBytesENC method with the arguments provided.

Returns None on failure

top
SignString Deprecated
# str is a string
# outData is a CkByteData (output)
status = crypt2.SignString(str, outData);

Digitally signs a string and returns a the binary detached signature (PKCS#7 signed-data). The HashAlgorithm property specifies the hash algorithm for creating the data's hash during signing. The Charset property determines the actual bytes that are hashed and signed.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.SignString methodAbout PKCS#7 signed-data FormatWhy Charset Matters in Digital Signatures
top
SignStringAsync Deprecated (1)
# returns a CkTask
# str is a string
ret_task = crypt2.SignStringAsync(str);

Creates an asynchronous task to call the SignString method with the arguments provided.

Returns None on failure

top
VerifyBytes Deprecated
# data is a CkByteData
# sig is a CkByteData
retBool = crypt2.VerifyBytes(data, sig);

Verifies a detached digital signature against the original binary data. Returns True if the signature is verified.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

More Information and Examples
Workaround for the deprecated Crypt2.VerifyBytes methodAbout PKCS#7 signed-data Format
top
VerifyBytesENC Deprecated
# data is a CkByteData
# encodedSig is a string
retBool = crypt2.VerifyBytesENC(data, encodedSig);

Verifies a detached digital signature against the original binary data. Returns True if the signature is verified. The encodedSig holds a binary-encoded PKCS#7 signed-data detached signature. The type of binary encoding, such as base64, hex, or base64_mime, is determined by the EncodingMode property.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

More Information and Examples
Workaround for the deprecated Crypt2.VerifyBytesENC methodAbout PKCS#7 signed-data FormatSupported Binary Encodings
top
VerifyDetachedSignature
# inFilename is a string
# p7sFilename is a string
retBool = crypt2.VerifyDetachedSignature(inFilename, p7sFilename);
This method is deprecated and replaced by VerifyP7S

This method is the same as VerifyP7S. Applications should instead call VerifyP7S.

More Information and Examples
About PKCS#7 signed-data Format
top
VerifyString Deprecated
# str is a string
# sig is a CkByteData
status = crypt2.VerifyString(str, sig);

Verifies a detached digital signature against the original text in str. Returns True if the signature is verified. The sig holds a binary PKCS#7 signed-data detached signature. The Charset property determines how the text in str is converted to bytes for signature validation.

Afterwards, you can retrieve signer certificates by using the NumSignerCerts property and the LastSignerCert method.

Returns True for success, False for failure.

More Information and Examples
Workaround for the deprecated Crypt2.VerifyString methodAbout PKCS#7 signed-data FormatWhy Charset Matters in Digital Signatures
top