7 Miscellaneous Utilities
7.1 Main Utilities
The utilities in this section are provided by the main crypto module.
7.1.1 Input to Cryptographic Operations
bytes? — no conversion needed
string? — converted to bytes via string->bytes/utf-8
input-port? — read until eof is returned (but the port is not closed)
bytes-slice? — represents a subsequence of a bytestring
struct
(struct bytes-range (bs start end))
  bs : bytes?
  start : exact-nonnegative-integer?
  end : exact-nonnegative-integer?
Changed in version 1.9 of package crypto-lib: Converted to alias for slice. Previously, bytes-range was a distinct struct type.
7.1.2 Random Bytes
procedure
(crypto-random-bytes n) → bytes?
  n : exact-nonnegative-integer?
Added in version 1.2 of package crypto-lib.
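The following is an added example (not part of the crypto-lib documentation) showing the four input forms of 7.1.1 fed to the same digest operation, the "port is not closed" caveat, and crypto-random-bytes used for an HMAC key. It assumes the libcrypto backend is available; the message, padding and key size are constructed for the example.

```racket
#lang racket/base
(require crypto crypto/libcrypto)
;; Assumption: the OpenSSL (libcrypto) backend is installed; any factory that
;; provides SHA-256 would serve equally well.
(crypto-factories (list libcrypto-factory))

;; Constructed sample message, presented in each of the accepted input forms.
(define msg #"constructed sample message")
(define padded (bytes-append #"<<" msg #">>"))
;; A bytes-range is a view into `padded`; the surrounding bytes are not copied.
(define as-slice (bytes-range padded 2 (- (bytes-length padded) 2)))

;; Every form denotes the same byte sequence, so every form hashes to the same value.
(define (all-forms-agree?)
  (define ref (digest 'sha256 msg))                                   ; bytes
  (and (equal? ref (digest 'sha256 "constructed sample message"))    ; string -> UTF-8 bytes
       (equal? ref (digest 'sha256 (open-input-bytes msg)))          ; port, read until eof
       (equal? ref (digest 'sha256 as-slice))))                      ; slice of a larger buffer

;; A port is consumed but not closed: the operation reads to eof, a second operation
;; on the same port sees only what remains (nothing), and closing is the caller's job.
(define (port-caveat)
  (define p (open-input-bytes msg))
  (define first-pass  (digest 'sha256 p))
  (define second-pass (digest 'sha256 p))
  (define still-open? (not (port-closed? p)))
  (close-input-port p)
  (list (equal? first-pass  (digest 'sha256 msg))
        (equal? second-pass (digest 'sha256 #""))
        still-open?))

;; Keys and nonces come from the CSPRNG, never from `random` or a timestamp.
;; crypto-random-bytes returns exactly n bytes; 32 bytes matches HMAC-SHA256's block-derived key size.
(define (fresh-mac-key) (crypto-random-bytes 32))
(define (tag-message key) (hmac 'sha256 key msg))

(all-forms-agree?)
(port-caveat)
(bytes-length (tag-message (fresh-mac-key)))
```

The slice form is the one to reach for when a message sits inside a larger buffer (a framed packet, a file header): it avoids copying the payload out before hashing or encrypting it.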
7.1.3 Security Strength Levels
Note: The security strength of a cryptographic primitive is generally not the same as its key size or its output size. Furthermore, reasoning in terms of security bits requires considering all parts of a system: for example, if a message has only 20 bits of entropy, then taking the SHA-512 of it still only has 20 bits of entropy.
Added in version 1.8 of package crypto-lib.
value
security-level/c : contract? = (integer-in 0 5)
Level  Bits              Includes*
0      < 80              SHA-1
1      ≥ 80 but < 112    RSA≥1024, ECC≥160
2      ≥ 112 but < 128   RSA≥2048, ECC≥224, SHA-224
3      ≥ 128 but < 192   RSA≥3072, ECC≥256, SHA-256
4      ≥ 192 but < 256   RSA≥7680, ECC≥384, SHA-384
5      ≥ 256             RSA≥15360, ECC≥512, SHA-512
Added in version 1.8 of package crypto-lib.
procedure
(security-level->strength level) → security-strength/c
  level : security-level/c
Added in version 1.8 of package crypto-lib.
procedure
(security-strength->level strength) → security-level/c
  strength : security-strength/c
Added in version 1.8 of package crypto-lib.
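The note above makes the point that a system's strength is set by its weakest part. The following added example (not from the crypto-lib documentation) applies security-strength->level to a constructed inventory of primitives, each credited with the strength in bits the level table above assigns it, to find the weakest link and to check a minimum-level policy. The inventory and the policy are this example's assumptions.

```racket
#lang racket/base
(require crypto)

;; Constructed inventory of a hypothetical system's primitives, paired with the
;; security strength in bits each is credited with in the level table above.
(define components
  '(("RSA-2048 signature" . 112)
    ("SHA-256 digest"     . 128)
    ("AES-128 cipher"     . 128)))

;; Classify one component by its level (0..5).
(define (component-level c)
  (security-strength->level (cdr c)))

;; The weakest link: the component with the lowest level, returned as (name . level).
(define (weakest-link components)
  (for/fold ([worst #f]) ([c (in-list components)])
    (define lvl (component-level c))
    (if (or (not worst) (< lvl (cdr worst)))
        (cons (car c) lvl)
        worst)))

;; Policy check: every component must reach the required level, and the
;; result names the offenders so the report is actionable.
(define (below-level components required-level)
  (for/list ([c (in-list components)]
             #:when (< (component-level c) required-level))
    (car c)))

(weakest-link components)       ; the RSA-2048 signature, at level 2
(below-level components 2)      ; nothing is below level 2
(below-level components 3)      ; the RSA-2048 signature holds the system below level 3
```

Raising the level of the SHA-256 digest or the AES-128 cipher would change nothing here; only replacing the RSA-2048 key moves the system to level 3, which is exactly the "all parts of a system" reasoning the note asks for.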
7.2 PEM Reading
(require crypto/pem)    package: crypto-lib
Added in version 1.7 of package crypto-lib.
procedure
(read-pem in [decode #:only only-kinds]) → (or/c (cons/c bytes? any/c) eof)
  in : input-port?
  decode : (-> bytes? any/c) = base64-decode
  only-kinds : (or/c #f (listof bytes?)) = #f
For example, the encapsulation boundaries for an X.509 certificate are lines consisting of #"-----BEGIN CERTIFICATE-----" and #"-----END CERTIFICATE-----", and the label returned is #"CERTIFICATE".
Note: This format is the PEM-based “textual encoding” [RFC7468] used for encoding cryptographic keys, certificates, etc. It is commonly called “PEM” although it is not completely compatible with the original PEM format.
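An added example of reading textual-encoding blocks with read-pem (this is not code from the crypto-lib documentation). The input is constructed: two blocks whose bodies are merely the base64 of short ASCII strings, not a real key or certificate. The loop, the `read-all-pem` helper and its name are this example's own; `#:only` is used to restrict which labels are accepted, so a block of another kind in the same file is not mistaken for the one expected.

```racket
#lang racket/base
(require crypto/pem)

;; Constructed sample input: two blocks in RFC 7468 textual encoding.
;; The bodies decode to "not a real key" and "not a real cert".
(define sample
  (string-append
   "-----BEGIN PUBLIC KEY-----\n"
   "bm90IGEgcmVhbCBrZXk=\n"
   "-----END PUBLIC KEY-----\n"
   "-----BEGIN CERTIFICATE-----\n"
   "bm90IGEgcmVhbCBjZXJ0\n"
   "-----END CERTIFICATE-----\n"))

;; Read every block until read-pem returns eof; each result is (cons label decoded-bytes).
;; The `#:only` list, when given, is passed straight through to read-pem.
(define (read-all-pem in #:only [only-kinds #f])
  (let loop ([acc '()])
    (define r (read-pem in #:only only-kinds))
    (if (eof-object? r)
        (reverse acc)
        (loop (cons r acc)))))

;; All blocks: a PUBLIC KEY entry followed by a CERTIFICATE entry.
(read-all-pem (open-input-string sample))

;; Only certificates: the label filter is a bytestring, as read-pem's contract says.
(read-all-pem (open-input-string sample) #:only '(#"CERTIFICATE"))

;; The label is what the encapsulation boundary says; it is the caller's job to check it
;; against what the surrounding protocol expects before handing the bytes to a parser.
(define (expect-label! entry label)
  (unless (equal? (car entry) label)
    (error 'expect-label! "expected ~s block, got ~s" label (car entry)))
  (cdr entry))
(expect-label! (read-pem (open-input-string sample) #:only '(#"CERTIFICATE")) #"CERTIFICATE")
```

Pass a different `decode` procedure when the body is not plain base64 or when the decoded bytes should be parsed immediately (for example into a DER structure) rather than returned raw.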
7.3 Bech32 Encoding and Decoding
(require crypto/util/bech32)    package: crypto-lib
Added in version 1.9 of package crypto-lib.
This module implements an encoder and decoder for the Bech32 format, which is used by the age encryption tool to encode X25519 public and private keys.
procedure
(bech32-encode hrp data) → string?
hrp : string? data : bytes?
> (bech32-encode "age" #"1234567890abcdef1234567890UVWXYZ")
"age1xyerxdp4xcmnswfsv93xxer9vccnyve5x5mrwwpexp24v46ct9dq3wvnf4"
procedure
(bech32-decode s) → (list/c string? bytes?)
s : string?
If s is not a well-formed Bech32 string, an exception is raised. In particular, s must be between 8 and 90 characters long, it must not contain a mixture of lowercase and uppercase letters, and it must end with a valid checksum.
> (bech32-decode "age1xyerxdp4xcmnswfsv93xxer9vccnyve5x5mrwwpexp24v46ct9dq3wvnf4")
'("age" #"1234567890abcdef1234567890UVWXYZ")
> (bech32-decode "age1xyerxdp4xcmnswfsv93xxer9vccnyve5x5mrwwpexp24v46ct9dq3wvnf")
bech32-decode: invalid checksum
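Since bech32-decode signals malformed input by raising an exception, code that accepts recipient strings from users or configuration files should catch it and validate what comes back. The following added example (not from the crypto-lib documentation) wraps the decoder in a validator that accepts only the "age" human-readable part with a 32-byte payload, the size of an X25519 public key; that size check is this example's own policy, and the function name is an assumption. It reuses the strings from the examples above.

```racket
#lang racket/base
(require racket/match crypto/util/bech32)

;; Return the 32-byte payload of a well-formed "age" recipient string, or #f for
;; anything else: bad checksum, wrong length, mixed case, or a different hrp.
;; Rejecting with #f instead of propagating the exception keeps input validation
;; in one place and stops a malformed string from reaching key-handling code.
(define (age-recipient-key s)
  (with-handlers ([exn:fail? (lambda (e) #f)])
    (match (bech32-decode s)
      [(list "age" (? bytes? key)) #:when (= (bytes-length key) 32) key]
      [_ #f])))

;; Encoding followed by decoding must give back the original hrp and bytes.
(define (round-trips? hrp data)
  (equal? (bech32-decode (bech32-encode hrp data)) (list hrp data)))

;; Strings from the examples above: the full one carries a 32-byte payload,
;; the truncated one fails its checksum.
(age-recipient-key "age1xyerxdp4xcmnswfsv93xxer9vccnyve5x5mrwwpexp24v46ct9dq3wvnf4")
(age-recipient-key "age1xyerxdp4xcmnswfsv93xxer9vccnyve5x5mrwwpexp24v46ct9dq3wvnf")
;; A different human-readable part is rejected even though it decodes cleanly.
(age-recipient-key (bech32-encode "tb" (make-bytes 32 1)))
;; Constructed payload for the round-trip check.
(round-trips? "age" (make-bytes 32 7))
```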
7.4 age Encryption
(require crypto/util/age)    package: crypto-lib
Added in version 1.9 of package crypto-lib.
Implementation of age-encryption.org/v1, compatible with the age encryption tool.
X25519 keys can be imported and exported in age-compatible format using pk-key->datum and datum->pk-key with the 'age/v1-public and 'age/v1-private format symbols.
procedure
(age-encrypt recips data) → bytes?
  recips : (listof (or/c pk-key? (list/c 'scrypt bytes?)))
  data : (or/c input-port? bytes?)
procedure
(age-decrypt idents enc-data) → bytes?
  idents : (listof (or/c private-key? bytes?))
  enc-data : (or/c input-port? bytes?)
If decryption fails, an exception is raised.
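The following added example (not from the crypto-lib documentation) generates an X25519 identity, exports and re-imports it with the 'age/v1-public and 'age/v1-private formats named above, and runs age-encrypt/age-decrypt round trips for an X25519 recipient and, separately, for a passphrase recipient. It assumes the libcrypto backend and that crypto-lib names X25519 as pk-spec 'ecx with parameter `(curve x25519)`; the plaintext and passphrase are constructed. The two recipient kinds are encrypted separately on purpose: the age format does not let a passphrase (scrypt) recipient share a file with other recipients.

```racket
#lang racket/base
(require crypto crypto/libcrypto crypto/util/age)
;; Assumption: OpenSSL backend with X25519, ChaCha20-Poly1305 and scrypt support.
(crypto-factories (list libcrypto-factory))

;; Generate an identity; 'ecx with curve x25519 is assumed to be crypto-lib's X25519 spec.
(define identity  (generate-private-key 'ecx '((curve x25519))))
(define recipient (pk-key->public-only-key identity))

;; Export in age's textual formats and import again, as a key-management layer would
;; when recipients come from a config file and the identity from a keys file.
(define recipient* (datum->pk-key (pk-key->datum recipient 'age/v1-public)  'age/v1-public))
(define identity*  (datum->pk-key (pk-key->datum identity  'age/v1-private) 'age/v1-private))

(define plaintext  #"constructed sample plaintext")
(define passphrase #"constructed-passphrase-for-this-example")

;; age-decrypt raises on failure; report #f instead so callers can branch on it.
(define (try-decrypt idents enc)
  (with-handlers ([exn:fail? (lambda (e) #f)])
    (age-decrypt idents enc)))

;; Round trip to an X25519 recipient: the matching identity decrypts, an unrelated one does not.
(define (x25519-round-trip)
  (define enc (age-encrypt (list recipient*) plaintext))
  (list (equal? (try-decrypt (list identity*) enc) plaintext)
        (try-decrypt (list (generate-private-key 'ecx '((curve x25519)))) enc)))

;; Round trip to a passphrase recipient: the passphrase is given as bytes on both sides.
(define (passphrase-round-trip)
  (define enc (age-encrypt (list (list 'scrypt passphrase)) plaintext))
  (list (equal? (try-decrypt (list passphrase) enc) plaintext)
        (try-decrypt (list #"wrong passphrase") enc)))

;; Tampering with the ciphertext is detected rather than yielding altered plaintext.
(define (tamper-detected?)
  (define enc (age-encrypt (list recipient*) plaintext))
  (define last (sub1 (bytes-length enc)))
  (define tampered (bytes-copy enc))
  (bytes-set! tampered last (bitwise-xor (bytes-ref tampered last) 1))
  (not (try-decrypt (list identity*) tampered)))

(x25519-round-trip)
(passphrase-round-trip)
(tamper-detected?)
```

Because age-decrypt signals every failure (wrong identity, wrong passphrase, modified ciphertext) the same way, the handler in `try-decrypt` deliberately reports only success or failure; logging the exception message is fine, but the distinction between "wrong key" and "corrupted data" should not be exposed to an untrusted caller.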