Plain-fn DSL over hive-system.protocols/ICrypto. Parameter-object style:
every fn takes a single map keyed under :crypto/*.
Callers depend on this ns + ICrypto, never on a concrete adapter (Tink / caesium / ...). Java interop stays inside the adapters.
Surface (key prefix :crypto/*):
(aead-seal! {:crypto/adapter c :crypto/key k :crypto/plaintext pt :crypto/aad aad}) => Result<{:crypto/ciphertext ^bytes :crypto/iv ^bytes}>
(aead-open! {:crypto/adapter c :crypto/key k :crypto/ciphertext ct :crypto/iv nonce :crypto/aad aad}) => Result<{:crypto/plaintext ^bytes}>
(hpke-seal! {:crypto/adapter c :crypto/pubkey pub :crypto/plaintext pt :crypto/aad aad}) => Result<{:crypto/ciphertext ^bytes}>
(hpke-open! {:crypto/adapter c :crypto/keypair kp :crypto/ciphertext ct :crypto/aad aad}) => Result<{:crypto/plaintext ^bytes}>
(sha256 {:crypto/adapter c :crypto/data ^bytes}) => Result<{:crypto/hash ^bytes :crypto/algorithm :sha256}>
(random-key) -> 32-byte ^bytes (XChaCha20 key) (random-nonce) -> 24-byte ^bytes (XChaCha20 nonce) (random-x25519-keypair) -> {:public 32B :private 32B}
Default :crypto/algorithm keys are filled in by each fn (caller may
override via the same key in the input map).
Plain-fn DSL over `hive-system.protocols/ICrypto`. Parameter-object style:
every fn takes a single map keyed under `:crypto/*`.
Callers depend on this ns + ICrypto, never on a concrete adapter
(Tink / caesium / ...). Java interop stays inside the adapters.
Surface (key prefix `:crypto/*`):
(aead-seal! {:crypto/adapter c :crypto/key k :crypto/plaintext pt :crypto/aad aad})
=> Result<{:crypto/ciphertext ^bytes :crypto/iv ^bytes}>
(aead-open! {:crypto/adapter c :crypto/key k :crypto/ciphertext ct
:crypto/iv nonce :crypto/aad aad})
=> Result<{:crypto/plaintext ^bytes}>
(hpke-seal! {:crypto/adapter c :crypto/pubkey pub
:crypto/plaintext pt :crypto/aad aad})
=> Result<{:crypto/ciphertext ^bytes}>
(hpke-open! {:crypto/adapter c :crypto/keypair kp
:crypto/ciphertext ct :crypto/aad aad})
=> Result<{:crypto/plaintext ^bytes}>
(sha256 {:crypto/adapter c :crypto/data ^bytes})
=> Result<{:crypto/hash ^bytes :crypto/algorithm :sha256}>
(random-key) -> 32-byte ^bytes (XChaCha20 key)
(random-nonce) -> 24-byte ^bytes (XChaCha20 nonce)
(random-x25519-keypair) -> {:public 32B :private 32B}
Default `:crypto/algorithm` keys are filled in by each fn (caller may
override via the same key in the input map).(aead-open! {:crypto/keys [adapter] :as op})Symmetric AEAD open. See ns docstring for input shape.
Symmetric AEAD open. See ns docstring for input shape.
(aead-seal! {:crypto/keys [adapter] :as op})Symmetric AEAD seal. See ns docstring for input shape.
Symmetric AEAD seal. See ns docstring for input shape.
(hpke-open! {:crypto/keys [adapter] :as op})Hybrid public-key open. See ns docstring for input shape.
Hybrid public-key open. See ns docstring for input shape.
(hpke-seal! {:crypto/keys [adapter] :as op})Hybrid public-key seal. See ns docstring for input shape.
Hybrid public-key seal. See ns docstring for input shape.
(kdf-hkdf-sha256 {:crypto/keys [adapter] :as op})HKDF-SHA256 key derivation (RFC 5869). See ns docstring for op-map shape.
Required: :crypto/adapter :crypto/ikm :crypto/length. Optional: :crypto/salt :crypto/info (each ^bytes-or-nil).
Returns Result<{:crypto/key ^bytes :crypto/algorithm :hkdf-sha256}>.
HKDF-SHA256 key derivation (RFC 5869). See ns docstring for op-map shape.
Required: :crypto/adapter :crypto/ikm :crypto/length.
Optional: :crypto/salt :crypto/info (each ^bytes-or-nil).
Returns Result<{:crypto/key ^bytes :crypto/algorithm :hkdf-sha256}>.(pwhash-argon2id {:crypto/keys [adapter] :as op})Argon2id v1.3 password-hash. See ns docstring for op-map shape.
Required: :crypto/adapter :crypto/password :crypto/salt :crypto/ops-limit :crypto/mem-limit :crypto/length.
Returns Result<{:crypto/hash ^bytes :crypto/algorithm :argon2id}>. May return {:error :crypto/unsupported ...} on adapters without native Argon2id (e.g. Tink) — callers must handle that explicitly.
Argon2id v1.3 password-hash. See ns docstring for op-map shape.
Required: :crypto/adapter :crypto/password :crypto/salt
:crypto/ops-limit :crypto/mem-limit :crypto/length.
Returns Result<{:crypto/hash ^bytes :crypto/algorithm :argon2id}>.
May return {:error :crypto/unsupported ...} on adapters without
native Argon2id (e.g. Tink) — callers must handle that explicitly.(random-ed25519-keypair)Generate a fresh Ed25519 issuer keypair. Returns
{:public ^bytes :private ^bytes} (each 32 bytes).
Generate a fresh Ed25519 issuer keypair. Returns
`{:public ^bytes :private ^bytes}` (each 32 bytes).(random-key)Generate a 32-byte cryptographically-strong random AEAD key.
Generate a 32-byte cryptographically-strong random AEAD key.
(random-nonce)Generate a 24-byte cryptographically-strong random XChaCha20 nonce.
Generate a 24-byte cryptographically-strong random XChaCha20 nonce.
(random-x25519-keypair)Generate a fresh x25519 HPKE keypair. Returns
{:public ^bytes :private ^bytes} (each 32 bytes).
Generate a fresh x25519 HPKE keypair. Returns
`{:public ^bytes :private ^bytes}` (each 32 bytes).(sha256 {:crypto/keys [adapter] :as op})SHA-256 hash. See ns docstring.
SHA-256 hash. See ns docstring.
(sign! {:crypto/keys [adapter] :as op})Ed25519 sign :crypto/data with the issuer :crypto/keypair
{:public ^bytes :private ^bytes}. Returns Result<{:crypto/signature ^bytes}>.
Ed25519 sign `:crypto/data` with the issuer `:crypto/keypair`
`{:public ^bytes :private ^bytes}`. Returns Result<{:crypto/signature ^bytes}>.(verify {:crypto/keys [adapter] :as op})Ed25519 verify :crypto/signature against :crypto/data with the issuer
:crypto/pubkey (32-byte ^bytes). Returns Result<{:crypto/valid? boolean}>.
Ed25519 verify `:crypto/signature` against `:crypto/data` with the issuer
`:crypto/pubkey` (32-byte ^bytes). Returns Result<{:crypto/valid? boolean}>.cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |