ark::crypt

Enums

• HashAlgorithm
  Supported hashing methods.

• HmacGenerationFlags (int32_t)
  Flags you can provide that affect generation of the HMAC.

• SignatureFormat (int32_t)
  Potential signature formats.

• TlsContextMode (int32_t)
  An enumeration of supported TLS context modes (server or client).

Typedefs

Defined in “ark/crypt/jwt.hh”:

• using JwtClaim = std::variant< std::string, std::vector< std::string > >
  A variant a claim can either be a string or an array in our system.

• using JwtDecoderPtr = std::shared_ptr< JwtDecoder >

Defined in “ark/crypt/tls_stream.hh”:

• using TlsStreamPtr = std::shared_ptr< TlsStream >

Classes

• ark::crypt::HashContext
  This class allows you to compute a hash over incoming content that might not all arrive at the same time (for example, to update it with multiple independent data blocks).

• ark::crypt::JwtDecoder
  This class allows you to avoid reparsing the public key each time you want to validate a JWT. It will construct a verifier once, and re-use that each time.

• ark::crypt::JwtDecoderSet
  This class allows you to handle validating and decoding JWT tokens from a set of public keys (such as from JWKS).

• ark::crypt::OpenSslSingleton
  This is used to ensure OpenSSL is only initialized once.

• ark::crypt::SrpClient
  An SRP client a single instance of this can be used to authenticate with a remote SRP source (such as AWS) once.

• ark::crypt::TlsContext
  A TLS context can be used to generate new TLS streams that all have something in common (such as common certificates or key files).

• ark::crypt::TlsStream
  A TLS stream can be used with something (like for example a socket) to establish a secure connection between endpoints.

• ark::crypt::X509Certificate
  Forms a class suitable for constructing X509 certificates.

• ark::crypt::AesEncryptedPair
  AES-encrypted data, produced from one of the APIs in this header file.

• ark::crypt::GeneratedKeyPair
  This is returned when you generate a new key pair, and it contains DER-encoded public and private keys.

• ark::crypt::JwksKeySet
  A structure containing a mapping of JWKS keys for JWT verification.

• ark::crypt::JwtClaims
  Extracted JWT claims.

• ark::crypt::JwtPair
  A structure that is returned when constructing a JWT (for testing purposes).

• ark::crypt::RsaPublicKey
  This is an exponent/modulus pair, each encoded in base64.

Functions

Declared in “ark/crypt/aes.hh”:

• std::string generate_aes_key(size_t key_length)
  Helper function to generate a key for use with AES. Key length is in bytes, and should be either 16, 24, or 32.

• AesEncryptedPair aes_gcm_encrypt_message(const std::string & key, const std::string & data)
  Encrypts the given message with the AES-GCM algorithm, returning the encrypted bytes. Throws on error.

• std::string aes_gcm_decrypt_message(const std::string & key, const AesEncryptedPair & data)
  Decrypts the given message with the AES-GCM algorithm, returning the decrypted bytes. Throws on error.

Declared in “ark/crypt/base62.hh”:

• std::string base62_encode_string(const std::string_view & content)
  Encodes the given string into a base62 string (without line breaks).

• std::string decode_base62_string(const std::string_view & encoded)
  Decodes the given string from a base62 string.

• std::string base62_encode_guid(const core::Guid & guid)
  Encodes the given GUID as a base62 string.

• core::Guid decode_base62_guid(const std::string_view & encoded)
  Decodes the given GUID from a base62 string.

Declared in “ark/crypt/base64.hh”:

• std::string base64_encode_string(const std::string_view & content)
  Encodes the given string into a base64 string (without line breaks).

• std::string decode_base64_string(const std::string_view & encoded)
  Decodes the given string from a base64 string.

• std::string urlsafe_base64_encode_string(const std::string_view & content)
  Encodes the given string into a web-safe base64 string. Essentially base64, without character that make storing in a URL difficult.

• std::string decode_urlsafe_base64_string(const std::string_view & encoded)
  Decodes the given string from a web-safe base64 string.

• std::string urlsafe_base64_encode_guid(const core::Guid & guid)
  Encodes the given string into a web-safe base64 string. Essentially base64, without character that make storing in a URL difficult.

• core::Guid decode_urlsafe_base64_guid(const std::string_view & encoded)
  Decodes the given string from a web-safe base64 string.

Declared in “ark/crypt/crc16.hh”:

• uint16_t compute_crc16_ccitt(const std::string_view & content, uint16_t initial_vector)
  Computes a CCITT CRC16, initializing with the initial_vector provided.

• uint16_t compute_crc16_kermit(const std::string_view & content, uint16_t initial_vector)
  Computes a CCITT Kermit CRC16, initializing with the initial_vector provided.

Declared in “ark/crypt/crc32.hh”:

• uint32_t compute_crc32(const std::string_view & content)
  Computes the CRC32 of the given content.

Declared in “ark/crypt/hash.hh”:

• HashAlgorithm from_string(std::string_view hash)
  Returns the hash algorithm from the given string.

• std::string to_string(HashAlgorithm algorithm)
  Returns the string form of the given hash algorithm.

• std::string compute_hex_hash(HashAlgorithm algorithm, const std::filesystem::path & path)
  Computes a hash of the given file, returning it as a digest (hex-encoded) string suitable for display.

• std::string compute_hex_hash(HashAlgorithm algorithm, const std::string & content)
  Computes a hash of the given string, returning it as a digest (hex-encoded) string suitable for display.

  This is a convenience routine for compute_hex_hash with std::string_view, as otherwise there is ambiguity between this and the path-based API.

• std::string compute_hex_hash(HashAlgorithm algorithm, const std::string_view & content)
  Computes a hash of the given string, returning it as a digest (hex-encoded) string suitable for display.

• std::string compute_raw_hash(HashAlgorithm algorithm, const std::filesystem::path & path)
  Computes a hash of the path, returning a digest (raw bytes) suitable for being placed into a bignum. This is more efficient than reading the file into memory beforehand.

• std::string compute_raw_hash(HashAlgorithm algorithm, const std::string & content)
  Computes a hash of the given string, returning a digest (raw bytes) suitable for being placed into a bignum.

  This is a convenience routine for compute_raw_hash with std::string_view, as otherwise there is ambiguity between this and the path-based API.

• std::string compute_raw_hash(HashAlgorithm algorithm, const std::string_view & content)
  Computes a hash of the given string, returning a digest (raw bytes) suitable for being placed into a bignum.

Declared in “ark/crypt/hex.hh”:

• std::string hex_encode_string(const std::string & content)
  Encodes the given string into a hex string (without line breaks).

• std::string hex_encode_string(const void * content, size_t length)
  Encodes the given string into a hex string (without line breaks).

• std::string decode_hex_string(const std::string & encoded)
  Decodes the given string from a hex string.

Declared in “ark/crypt/hkdf.hh”:

• std::string derived_sha256_hkdf_key(const std::string & secret, const std::string & salt, const std::string & info)
  Returns an HKDF (SHA256) derived key, based on the given secret, salt, and information you are encoding.

Declared in “ark/crypt/hmac.hh”:

• std::string generate_sha256_hmac(const std::string_view & text, const std::string_view & key, HmacGenerationFlags flags)
  Generates a SHA256-based HMAC for the given key and plain text, returning the result as a base64 string.

Declared in “ark/crypt/jwk.hh”:

• std::string encode_jwk_as_pem(const std::string & e, const std::string & n)
  Takes the ’e’ and ’n’ components of a JWK and converts it into a PEM encoded key, suitable for use with our RSA verification routines.

  The assumption is that e and n are in “base64url” encoding (not base64 encoding). Finally, the algorithm used here is RS256.

Declared in “ark/crypt/jwt.hh”:

• JwtClaims decode_jwt(const std::string & token)
  This routine decodes a JWT token without validating it. This will extract all of the common claims for you.

• JwtClaims validate_jwt(const std::string & token, const std::string & public_key)
  This simple API accepts an encoded JWT token, validates it (throwing if the token is invalid either structurally or from a signature), and then returns a parsed structure containing metadata within that token.

• JwtPair generate_jwt(const JwtClaims & claims)
  Generates a JWT from the given data. Useful for testing.

• JwtPair generate_jwt(const JwtClaims & claims, const crypt::GeneratedKeyPair & key_pair)
  Generates a JWT from the given data, signing it with the specified keypair.

Declared in “ark/crypt/key_pair.hh”:

• GeneratedKeyPair generate_rsa_key_pair(size_t bitsize)
  Generates a new RSA keypair, with the specified bitsize.

• RsaPublicKey decode_rsa_public_key(const std::string & public_key)
  Decodes a DER-encoded (in base64) or PEM-encoded public RSA key into its component pieces.

• std::string rsa_sign_message(const std::string & private_key, const std::string & message, SignatureFormat signature_format)
  Signs the given content using the specified private key. It assumes the private key was provided from “generate_rsa_key_pair” (in other words, that is a DER-encoded private key, encoded in base64).

• std::string rsa_sign_message_with_digest(const std::string & private_key, HashAlgorithm digest_algorithm, const std::string & digest, SignatureFormat signature_format)
  Signs a message with a precomputed digest (of the given algorithm type). This can be used to sign things when you already have a digest (and no message content).

• std::string rsa_sign_message(const std::string & private_key, const std::filesystem::path & path, SignatureFormat signature_format)
  Generates a signature/hash for the given path using the speicifed private key. It assumes the private key was provided from “generate_rsa_key_pair” (in other words, that is a DER-encoded private key, encoded in base64).

• bool rsa_verify_message(const std::string & public_key, const std::string & message, const std::string & signature, SignatureFormat signature_format)
  Verifies the given content, returning true if the message and signature can be validated against the given public key. Assumes the public key is a DER-encoded public key (in base64), and that the signature is a base64 encoded signature coming from “rsa_sign_message”.

• bool rsa_verify_message(const std::string & public_key, const std::string_view & message, const std::string & signature, SignatureFormat signature_format)
  Verifies the given content, returning true if the message and signature can be validated against the given public key. Assumes the public key is a DER-encoded public key (in base64), and that the signature is a base64 encoded signature coming from “rsa_sign_message”.

• bool rsa_verify_message(const std::string & public_key, const std::filesystem::path & path, const std::string & signature, SignatureFormat signature_format)
  Verifies the content in the given path. If the signature was provided from rsa_hash_and_sign_path, then this will verify the hash. Otherwise, assumes it is base64-encoded signature coming from “rsa_sign_message”.

• std::string make_public_der_key_pem_key(const std::string & der_key)
  Converts a DER-encoded public key into a PEM-encoded key.

• std::string make_private_der_key_pem_key(const std::string & der_key)
  Converts a DER-encoded private key into a PEM-encoded key.

• std::string generate_fake_pkcs_style_signature(size_t bits)
  Generates a fake RSA-style signature in the PKCS 1.5 format. Useful for pretending that a signature is valid/exists.

Declared in “ark/crypt/token.hh”:

• std::string generate_secret_token()
  Generates a new secret suitable for use in signing tokens.

• std::string create_ark_token(const std::map< std::string, std::string > & values, const std::string & secret)
  Creates a new token from the given set of key/value pairs.

• std::map< std::string, std::string > decode_ark_token(const std::string & token, const std::string & secret)
  Decode the given token. If the signature doesn’t match the secret, or the token structure is invalid in some way, throws. Returns the list of values.