Caesium / libsodium-backed implementation of hive-system.protocols/ICrypto.
Uses parameter-object map signatures (:crypto/* keys) like the rest of
the crypto layer. Loads caesium lazily via requiring-resolve so absence
of native libsodium only fails at construction (->caesium-crypto).
Algorithms supported: :xchacha20-poly1305 — caesium.crypto.aead/xchacha20poly1305-ietf-{encrypt,decrypt}
Caesium / libsodium-backed implementation of `hive-system.protocols/ICrypto`.
Uses parameter-object map signatures (`:crypto/*` keys) like the rest of
the crypto layer. Loads caesium lazily via `requiring-resolve` so absence
of native libsodium only fails at construction (`->caesium-crypto`).
Algorithms supported:
:xchacha20-poly1305 — caesium.crypto.aead/xchacha20poly1305-ietf-{encrypt,decrypt}Plain-fn DSL over hive-system.protocols/ICrypto. Parameter-object style:
every fn takes a single map keyed under :crypto/*.
Callers depend on this ns + ICrypto, never on a concrete adapter (Tink / caesium / ...). Java interop stays inside the adapters.
Surface (key prefix :crypto/*):
(aead-seal! {:crypto/adapter c :crypto/key k :crypto/plaintext pt :crypto/aad aad}) => Result<{:crypto/ciphertext ^bytes :crypto/iv ^bytes}>
(aead-open! {:crypto/adapter c :crypto/key k :crypto/ciphertext ct :crypto/iv nonce :crypto/aad aad}) => Result<{:crypto/plaintext ^bytes}>
(hpke-seal! {:crypto/adapter c :crypto/pubkey pub :crypto/plaintext pt :crypto/aad aad}) => Result<{:crypto/ciphertext ^bytes}>
(hpke-open! {:crypto/adapter c :crypto/keypair kp :crypto/ciphertext ct :crypto/aad aad}) => Result<{:crypto/plaintext ^bytes}>
(sha256 {:crypto/adapter c :crypto/data ^bytes}) => Result<{:crypto/hash ^bytes :crypto/algorithm :sha256}>
(random-key) -> 32-byte ^bytes (XChaCha20 key) (random-nonce) -> 24-byte ^bytes (XChaCha20 nonce) (random-x25519-keypair) -> {:public 32B :private 32B}
Default :crypto/algorithm keys are filled in by each fn (caller may
override via the same key in the input map).
Plain-fn DSL over `hive-system.protocols/ICrypto`. Parameter-object style:
every fn takes a single map keyed under `:crypto/*`.
Callers depend on this ns + ICrypto, never on a concrete adapter
(Tink / caesium / ...). Java interop stays inside the adapters.
Surface (key prefix `:crypto/*`):
(aead-seal! {:crypto/adapter c :crypto/key k :crypto/plaintext pt :crypto/aad aad})
=> Result<{:crypto/ciphertext ^bytes :crypto/iv ^bytes}>
(aead-open! {:crypto/adapter c :crypto/key k :crypto/ciphertext ct
:crypto/iv nonce :crypto/aad aad})
=> Result<{:crypto/plaintext ^bytes}>
(hpke-seal! {:crypto/adapter c :crypto/pubkey pub
:crypto/plaintext pt :crypto/aad aad})
=> Result<{:crypto/ciphertext ^bytes}>
(hpke-open! {:crypto/adapter c :crypto/keypair kp
:crypto/ciphertext ct :crypto/aad aad})
=> Result<{:crypto/plaintext ^bytes}>
(sha256 {:crypto/adapter c :crypto/data ^bytes})
=> Result<{:crypto/hash ^bytes :crypto/algorithm :sha256}>
(random-key) -> 32-byte ^bytes (XChaCha20 key)
(random-nonce) -> 24-byte ^bytes (XChaCha20 nonce)
(random-x25519-keypair) -> {:public 32B :private 32B}
Default `:crypto/algorithm` keys are filled in by each fn (caller may
override via the same key in the input map).Pure-Java HKDF-SHA256 (RFC 5869). Shared by ICrypto adapters so that
crypto-derive-key returns byte-identical bytes regardless of which
adapter resolves the call.
Composed from javax.crypto.Mac HMAC-SHA256 — no native dependency.
Pure-Java HKDF-SHA256 (RFC 5869). Shared by ICrypto adapters so that `crypto-derive-key` returns byte-identical bytes regardless of which adapter resolves the call. Composed from `javax.crypto.Mac` HMAC-SHA256 — no native dependency.
Macro sugar for AEAD ceremonies built on hive-system.crypto.core.
Provided as an opt-in convenience layer on top of the fn DSL — required only when call sites benefit from compact nested-let composition.
Use:
(let-aead [crypto (tink/->tink-crypto) key (core/random-key) {:keys [ciphertext iv]} (core/aead-seal! crypto key pt aad)] (core/aead-open! crypto key ciphertext iv aad))
let-aead short-circuits on the first :error Result — same semantics as
hive-dsl.result/let-ok — but accepts plain (non-Result) values for
adapter / key construction lines.
Macro sugar for AEAD ceremonies built on `hive-system.crypto.core`.
Provided as an opt-in convenience layer on top of the fn DSL — required
only when call sites benefit from compact nested-let composition.
Use:
(let-aead [crypto (tink/->tink-crypto)
key (core/random-key)
{:keys [ciphertext iv]} (core/aead-seal! crypto key pt aad)]
(core/aead-open! crypto key ciphertext iv aad))
`let-aead` short-circuits on the first :error Result — same semantics as
`hive-dsl.result/let-ok` — but accepts plain (non-Result) values for
adapter / key construction lines.Tink-backed implementation of hive-system.protocols/ICrypto.
See hive-system.protocols/ICrypto for the parameter-object contract —
every op receives a single map keyed under :crypto/*.
Algorithms supported: :xchacha20-poly1305 — symmetric AEAD (subtle.XChaCha20Poly1305) :hpke-x25519 — RFC 9180 single-shot HPKE (DHKEM-X25519 + HKDF-SHA256 + ChaCha20-Poly1305) :sha256 — message digest
Tink-backed implementation of `hive-system.protocols/ICrypto`.
See `hive-system.protocols/ICrypto` for the parameter-object contract —
every op receives a single map keyed under `:crypto/*`.
Algorithms supported:
:xchacha20-poly1305 — symmetric AEAD (subtle.XChaCha20Poly1305)
:hpke-x25519 — RFC 9180 single-shot HPKE
(DHKEM-X25519 + HKDF-SHA256 + ChaCha20-Poly1305)
:sha256 — message digestcljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |