Cryptography


Functions

  • Argon2CheckHash()

    Returns hash of input using Argon2.

  • Argon2Hash()

    Generates an Argon2 password hash with OWASP-recommended defaults (argon2id, 19 MB memory, 2 iterations). Use this instead of the deprecated GenerateArgon2Hash().

  • Argon2Verify()

    Verifies a password against an Argon2 hash. Use this instead of the deprecated Argon2CheckHash() / VerifyArgon2Hash().

  • BCryptHash()

    Generates a BCrypt password hash. Use this instead of the deprecated GenerateBCryptHash().

  • BCryptVerify()

    Verifies a password against a BCrypt hash. Use this instead of the deprecated VerifyBCryptHash().

  • CertificateInfo()

    Extracts information from an X.509 certificate.

  • CertificateToPem()

    Converts a Java X509Certificate to PEM format.

  • Cfusion_decrypt()

    Decrypts the given string. Alias for the function call decrypt(string,key,"cfmx_compat","hex").

  • Cfusion_encrypt()

    Encrypts the given string. Alias for the function call encrypt(string,key,"cfmx_compat","hex").

  • CSRFGenerateToken()

    Provides a random token and stores it in the session.

  • CSRFVerifyToken()

    Validates the given token against the one stored in the session for a specific key.

  • Decrypt()

    Decrypts a string that is encrypted with the Encrypt function.

  • DecryptBinary()

    Decrypts the given binary data using the optional parameters.

  • Encrypt()

    Encrypts a string. Uses a symmetric key-based algorithm, in which the same key is used to encrypt and decrypt a string.

  • EncryptBinary()

    Encrypts binary data using a specific algorithm and encoding method.

  • Generate3DESKey()

    Generates a secure key value for use in the encrypt function with the 3DES algorithm.

  • GenerateArgon2Hash()

    Returns hash of input using Argon2.

  • GenerateBCryptHash()

    Deprecated: renamed to BCryptHash() for consistency with the {Algorithm}Hash/{Algorithm}Verify naming pattern. Same defaults (cost=10), functionally identical.

  • GenerateBlake2bHash()

    Generates a Blake2b hash. Blake2b is optimized for 64-bit platforms, faster than SHA-256 while being at least as secure.

  • GenerateBlake2sHash()

    Generates a Blake2s hash. Blake2s is optimized for 32-bit platforms and embedded systems.

  • GenerateBlake3Hash()

    Generates a Blake3 hash. Blake3 is the latest in the Blake family - very fast, parallelizable, and supports arbitrary output lengths (XOF).

  • GenerateCSR()

    Generates a PKCS #10 Certificate Signing Request (CSR). Returns a PEM-encoded CSR for submission to a Certificate Authority.

  • GenerateHKDFKey()

    Generates derived key material using HKDF (HMAC-based Key Derivation Function). Used in TLS 1.3, Signal Protocol, etc.

  • GenerateKeyPair()

    Generates a cryptographic key pair (public/private) for the specified algorithm.

  • GenerateKeystore()

    Generates a Java keystore with a key pair and self-signed certificate.

  • GeneratePBKDFkey()

    Implementation of Password-Based Key-Derivation Function (PBKDF).

  • GenerateRSAkeys()

    Generates secure keys (private and public) for use in the encrypt function with the RSA algorithm.

  • GenerateSCryptHash()

    Deprecated: renamed to SCryptHash() for consistency with the {Algorithm}Hash/{Algorithm}Verify naming pattern. Same defaults (N=16384, r=8, p=1), functionally identical.

  • GenerateSecretKey()

    Gets a secure key value for use in the encrypt function.

  • GenerateSelfSignedCertificate()

    Generates a self-signed X.509 certificate.

  • GenerateSignature()

    Creates a digital signature using a private key.

  • GetKeyPairFromKeystore()

    Extracts a key pair and certificate from a Java keystore (ACF compatible).

  • Hash()

    Returns the one-way hash of a variable-length input string based on the algorithm, producing a fixed-length string.

  • Hash40()

    This function exists only for backward compatibility with Lucee 4.0.

  • HKDFExpand()

    Performs the Expand phase of HKDF to derive key material from a PRK. Use after HKDFExtract.

  • HKDFExtract()

    Performs the Extract phase of HKDF to create a Pseudo-Random Key (PRK). Use with HKDFExpand to derive multiple keys.

  • HMAC()

    Creates a hash-based message authentication code (HMAC).

  • HOTPGenerate()

    Generates an HOTP code for a given secret and counter (RFC 4226).

  • HOTPVerify()

    Verifies an HOTP code against a secret and counter (RFC 4226). Optional window for counter desync tolerance.

  • JwksLoad()

    Loads a JWKS (JSON Web Key Set) from a URL or JSON string. Returns an array of JWK structs, each suitable for passing to JwkToKey().

  • JwkToKey()

    Converts a JWK (JSON Web Key) struct or JSON string to a Java key object. Returns PublicKey, PrivateKey, or SecretKey depending on the JWK contents.

  • JwtDecode()

    Decodes a JWT without verifying the signature. Useful for debugging and inspection. WARNING: Do not trust decoded claims without verification!

  • JwtSign()

    Creates a signed JWT (JWS). Supports HMAC (HS256/384/512), RSA (RS256/384/512, PS256/384/512), and ECDSA (ES256/384/512) algorithms.

  • JwtVerify()

    Verifies a signed JWT and returns the claims. Validates signature, expiration, not-before, issuer, and audience.

  • KeystoreList()

    Lists all aliases in a Java keystore.

  • KeyToJwk()

    Converts a Java key object, PEM string, or key pair struct to a JWK (JSON Web Key) struct. Supports RSA, EC, Ed25519, and symmetric keys.

  • KeyToPem()

    Converts a Java key object or Base64-encoded key to PEM format.

  • KyberDecapsulate()

    Performs Kyber (ML-KEM) key decapsulation to recover a shared secret. Post-quantum secure key exchange.

  • KyberEncapsulate()

    Performs Kyber (ML-KEM) key encapsulation to create a shared secret. Post-quantum secure key exchange.

  • PemToCertificate()

    Parses a PEM-encoded certificate string into a Java X509Certificate object.

  • PemToKey()

    Parses a PEM-encoded key string into a Java key object.

  • Randomize()

    Seeds the pseudo-random number generator with an integer number, ensuring repeatable number patterns.

  • RandRange()

    Generates a random integer between two specified numbers.

  • SCryptHash()

    Generates an SCrypt password hash. Use this instead of the deprecated GenerateSCryptHash().

  • SCryptVerify()

    Verifies a password against an SCrypt hash. Use this instead of the deprecated VerifySCryptHash().

  • SSLCertificateList()

    Returns a list of SSL certificates. If a host is specified, it lists the certificates available for that specific host. If no host is specified, it lists all certificates stored in the KeyStore.

  • TOTPGenerateUri()

    Generates an otpauth:// URI for TOTP, suitable for QR code generation with authenticator apps.

  • TOTPSecret()

    Generates a random TOTP/HOTP secret, returned as a Base32-encoded string suitable for use with authenticator apps.

  • TOTPVerify()

    Verifies a TOTP code against a shared secret (RFC 6238). Supports configurable time window for clock skew tolerance.

  • ValidateKeyPair()

    Validates that a public and private key form a matching pair.

  • VerifyArgon2Hash()

    Deprecated: renamed to Argon2Verify() for consistency with the {Algorithm}Hash/{Algorithm}Verify naming pattern. Functionally identical. Originally from extension-argon2.

  • VerifyBCryptHash()

    Deprecated: renamed to BCryptVerify() for consistency with the {Algorithm}Hash/{Algorithm}Verify naming pattern. Functionally identical.

  • VerifySCryptHash()

    Deprecated: renamed to SCryptVerify() for consistency with the {Algorithm}Hash/{Algorithm}Verify naming pattern. Functionally identical.

  • VerifySignature()

    Verifies a digital signature using a public key.

Guides