Symmetric cipher: key, iv, data -> ciphertext (hazmat surface is raw/unpadded)
@eryx/crypto/hazmat/_crypto Module
Type facade for the optional native crypto backend.
This library keeps the typed hazmat crypto surface available to Luau
callers. In builds without cryptography support,
require("@eryx/crypto/hazmat/_crypto") fails immediately with a
clear capability error.
Summary
Functions
_crypto.aes.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
_crypto.aes.ccm_encrypt(key: buffer, nonce: buffer, data: buffer, aad: buffer?, tag_len: number?) → (buffer, buffer)
_crypto.camellia.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
_crypto.des.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
_crypto.chacha20.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", nonce: buffer) → AesContext
_crypto.kdf.pbkdf2_sha256(password: buffer, salt: buffer, iterations: number, length: number) → buffer
_crypto.kdf.pbkdf2_sha512(password: buffer, salt: buffer, iterations: number, length: number) → buffer
_crypto.rsa.verify_pkcs1(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
_crypto.rsa.verify_pss(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
API Reference
hash
_crypto.hash.new
hmac
_crypto.hmac.new
aes
_crypto.aes.new
_crypto.aes.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
_crypto.aes.ccm_encrypt
_crypto.aes.ccm_encrypt(key: buffer, nonce: buffer, data: buffer, aad: buffer?, tag_len: number?) → (buffer, buffer)
_crypto.aes.ccm_decrypt
_crypto.aes.ccm_decrypt(key: buffer, nonce: buffer, ct: buffer, tag: buffer, aad: buffer?) → buffer
camellia
_crypto.camellia.new
_crypto.camellia.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
des
_crypto.des.new
_crypto.des.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
chacha20
_crypto.chacha20.new
_crypto.chacha20.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", nonce: buffer) → AesContext
kdf
_crypto.kdf.hkdf_sha256
_crypto.kdf.hkdf_sha256(ikm: buffer, salt: buffer?, info: buffer?, length: number) → buffer
_crypto.kdf.hkdf_sha512
_crypto.kdf.hkdf_sha512(ikm: buffer, salt: buffer?, info: buffer?, length: number) → buffer
_crypto.kdf.pbkdf2_sha256
_crypto.kdf.pbkdf2_sha256(password: buffer, salt: buffer, iterations: number, length: number) → buffer
_crypto.kdf.pbkdf2_sha512
_crypto.kdf.pbkdf2_sha512(password: buffer, salt: buffer, iterations: number, length: number) → buffer
ecc
_crypto.ecc.generate_key
_crypto.ecc.generate_key(curve: string?) → string
_crypto.ecc.get_public_pem
_crypto.ecc.get_public_pem(private_pem: string) → string
_crypto.ecc.sign
_crypto.ecc.sign(private_pem: string, data: buffer, hash: string?) → buffer
_crypto.ecc.verify
_crypto.ecc.verify(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
_crypto.ecc.derive
_crypto.ecc.derive(private_pem: string, peer_public_pem: string) → buffer
_crypto.ecc.private_to_der
_crypto.ecc.private_to_der(private_pem: string) → buffer
_crypto.ecc.public_to_der
_crypto.ecc.public_to_der(public_pem: string) → buffer
_crypto.ecc.private_from_der
_crypto.ecc.private_from_der(der: buffer) → string
_crypto.ecc.public_from_der
_crypto.ecc.public_from_der(der: buffer) → string
_crypto.ecc.get_key_bits
_crypto.ecc.get_key_bits(pem: string) → number
_crypto.ecc.get_curve
_crypto.ecc.get_curve(pem: string) → string
rsa
_crypto.rsa.generate_key
_crypto.rsa.generate_key(bits: number?) → string
_crypto.rsa.get_public_pem
_crypto.rsa.get_public_pem(private_pem: string) → string
_crypto.rsa.encrypt_pkcs1
_crypto.rsa.encrypt_pkcs1(public_pem: string, data: buffer) → buffer
_crypto.rsa.decrypt_pkcs1
_crypto.rsa.decrypt_pkcs1(private_pem: string, data: buffer) → buffer
_crypto.rsa.encrypt_oaep
_crypto.rsa.encrypt_oaep(public_pem: string, data: buffer, hash: string?) → buffer
_crypto.rsa.decrypt_oaep
_crypto.rsa.decrypt_oaep(private_pem: string, data: buffer, hash: string?) → buffer
_crypto.rsa.sign_pkcs1
_crypto.rsa.sign_pkcs1(private_pem: string, data: buffer, hash: string?) → buffer
_crypto.rsa.verify_pkcs1
_crypto.rsa.verify_pkcs1(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
_crypto.rsa.sign_pss
_crypto.rsa.sign_pss(private_pem: string, data: buffer, hash: string?) → buffer
_crypto.rsa.verify_pss
_crypto.rsa.verify_pss(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
_crypto.rsa.private_to_der
_crypto.rsa.private_to_der(private_pem: string) → buffer
_crypto.rsa.public_to_der
_crypto.rsa.public_to_der(public_pem: string) → buffer
_crypto.rsa.private_from_der
_crypto.rsa.private_from_der(der: buffer) → string
_crypto.rsa.public_from_der
_crypto.rsa.public_from_der(der: buffer) → string
_crypto.rsa.get_key_bits
_crypto.rsa.get_key_bits(pem: string) → number
random
_crypto.random.randint
_crypto.random.randint(n: number) → number
_crypto.random.choice
_crypto.random.choice(tbl: { any }) → any
_crypto.random.bits
_crypto.random.bits(n: number) → number
_crypto.random.bytes
_crypto.random.bytes(n: number) → buffer
_crypto.random.hex
_crypto.random.hex(n: number) → string
Types
HashContext
type HashContext = {
update: ((self: HashContext, data: buffer) → ()),
final: ((self: HashContext) → buffer),
close: ((self: HashContext) → ())
}
HashContext:update(data: buffer) → ()
HashContext:final() → buffer
HashContext:close() → ()
HashLib
HmacContext
type HmacContext = {
update: ((self: HmacContext, data: buffer) → ()),
final: ((self: HmacContext) → buffer),
close: ((self: HmacContext) → ())
}
HmacContext:update(data: buffer) → ()
HmacContext:final() → buffer
HmacContext:close() → ()
HmacLib
AesContext
type AesContext = {
update: ((self: AesContext, data: buffer) → buffer),
updateAAD: ((self: AesContext, aad: buffer) → ()),
setTag: ((self: AesContext, tag: buffer) → ()),
getTag: ((self: AesContext) → buffer),
final: ((self: AesContext) → buffer),
close: ((self: AesContext) → ())
}
AesContext:update(data: buffer) → buffer
AesContext:updateAAD(aad: buffer) → ()
AesContext:setTag(tag: buffer) → ()
AesContext:getTag() → buffer
AesContext:final() → buffer
AesContext:close() → ()
AesLib
type AesLib = {
new: (
key: buffer,
mode: string,
operation: "encrypt" | "decrypt",
iv_or_nonce: buffer?
) → AesContext,
ccm_encrypt: (
key: buffer,
nonce: buffer,
data: buffer,
aad: buffer?,
tag_len: number?
) → (buffer, buffer),
ccm_decrypt: (
key: buffer,
nonce: buffer,
ct: buffer,
tag: buffer,
aad: buffer?
) → buffer
}
AesLib.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
AesLib.ccm_encrypt(key: buffer, nonce: buffer, data: buffer, aad: buffer?, tag_len: number?) → (buffer, buffer)
AesLib.ccm_decrypt(key: buffer, nonce: buffer, ct: buffer, tag: buffer, aad: buffer?) → buffer
CamelliaLib
type CamelliaLib = {
new: (
key: buffer,
mode: string,
operation: "encrypt" | "decrypt",
iv_or_nonce: buffer?
) → AesContext
}
CamelliaLib.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
DesLib
3DES only; key must be 24 bytes
type DesLib = {
new: (
key: buffer,
mode: string,
operation: "encrypt" | "decrypt",
iv_or_nonce: buffer?
) → AesContext
}
DesLib.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", iv_or_nonce: buffer?) → AesContext
ChaCha20Lib
type ChaCha20Lib = {
new: (
key: buffer,
mode: string,
operation: "encrypt" | "decrypt",
nonce: buffer
) → AesContext
}
ChaCha20Lib.new(key: buffer, mode: string, operation: "encrypt" | "decrypt", nonce: buffer) → AesContext
KdfLib
type KdfLib = {
hkdf_sha256: (
ikm: buffer,
salt: buffer?,
info: buffer?,
length: number
) → buffer,
hkdf_sha512: (
ikm: buffer,
salt: buffer?,
info: buffer?,
length: number
) → buffer,
pbkdf2_sha256: (
password: buffer,
salt: buffer,
iterations: number,
length: number
) → buffer,
pbkdf2_sha512: (
password: buffer,
salt: buffer,
iterations: number,
length: number
) → buffer
}
KdfLib.hkdf_sha256(ikm: buffer, salt: buffer?, info: buffer?, length: number) → buffer
KdfLib.hkdf_sha512(ikm: buffer, salt: buffer?, info: buffer?, length: number) → buffer
KdfLib.pbkdf2_sha256(password: buffer, salt: buffer, iterations: number, length: number) → buffer
KdfLib.pbkdf2_sha512(password: buffer, salt: buffer, iterations: number, length: number) → buffer
RsaLib
type RsaLib = {
generate_key: ((bits: number?) → string),
get_public_pem: ((private_pem: string) → string),
encrypt_pkcs1: ((public_pem: string, data: buffer) → buffer),
decrypt_pkcs1: ((private_pem: string, data: buffer) → buffer),
encrypt_oaep: ((public_pem: string, data: buffer, hash: string?) → buffer),
decrypt_oaep: ((private_pem: string, data: buffer, hash: string?) → buffer),
sign_pkcs1: ((private_pem: string, data: buffer, hash: string?) → buffer),
verify_pkcs1: (
public_pem: string,
data: buffer,
signature: buffer,
hash: string?
) → boolean,
sign_pss: ((private_pem: string, data: buffer, hash: string?) → buffer),
verify_pss: (
public_pem: string,
data: buffer,
signature: buffer,
hash: string?
) → boolean,
private_to_der: ((private_pem: string) → buffer),
public_to_der: ((public_pem: string) → buffer),
private_from_der: ((der: buffer) → string),
public_from_der: ((der: buffer) → string),
get_key_bits: ((pem: string) → number)
}
RsaLib.generate_key(bits: number?) → string
RsaLib.get_public_pem(private_pem: string) → string
RsaLib.encrypt_pkcs1(public_pem: string, data: buffer) → buffer
RsaLib.decrypt_pkcs1(private_pem: string, data: buffer) → buffer
RsaLib.encrypt_oaep(public_pem: string, data: buffer, hash: string?) → buffer
RsaLib.decrypt_oaep(private_pem: string, data: buffer, hash: string?) → buffer
RsaLib.sign_pkcs1(private_pem: string, data: buffer, hash: string?) → buffer
RsaLib.verify_pkcs1(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
RsaLib.sign_pss(private_pem: string, data: buffer, hash: string?) → buffer
RsaLib.verify_pss(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
RsaLib.private_to_der(private_pem: string) → buffer
RsaLib.public_to_der(public_pem: string) → buffer
RsaLib.private_from_der(der: buffer) → string
RsaLib.public_from_der(der: buffer) → string
RsaLib.get_key_bits(pem: string) → number
EccLib
type EccLib = {
generate_key: ((curve: string?) → string),
get_public_pem: ((private_pem: string) → string),
sign: ((private_pem: string, data: buffer, hash: string?) → buffer),
verify: (
public_pem: string,
data: buffer,
signature: buffer,
hash: string?
) → boolean,
derive: ((private_pem: string, peer_public_pem: string) → buffer),
private_to_der: ((private_pem: string) → buffer),
public_to_der: ((public_pem: string) → buffer),
private_from_der: ((der: buffer) → string),
public_from_der: ((der: buffer) → string),
get_key_bits: ((pem: string) → number),
get_curve: ((pem: string) → string)
}
EccLib.generate_key(curve: string?) → string
EccLib.get_public_pem(private_pem: string) → string
EccLib.sign(private_pem: string, data: buffer, hash: string?) → buffer
EccLib.verify(public_pem: string, data: buffer, signature: buffer, hash: string?) → boolean
EccLib.derive(private_pem: string, peer_public_pem: string) → buffer
EccLib.private_to_der(private_pem: string) → buffer
EccLib.public_to_der(public_pem: string) → buffer
EccLib.private_from_der(der: buffer) → string
EccLib.public_from_der(der: buffer) → string
EccLib.get_key_bits(pem: string) → number
EccLib.get_curve(pem: string) → string
RandomLib
type RandomLib = {
randint: ((n: number) → number),
choice: ((tbl: { any }) → any),
bits: ((n: number) → number),
bytes: ((n: number) → buffer),
hex: ((n: number) → string)
}
RandomLib.randint(n: number) → number
RandomLib.choice(tbl: { any }) → any
RandomLib.bits(n: number) → number
RandomLib.bytes(n: number) → buffer
RandomLib.hex(n: number) → string