mixin

Crypto

const mixin Crypto

Crypto defines a pluggable mixin for cryptography capabilities in Fantom. Use cur to access the current Crypto instance.

 fields cur

Get the installed crypto implementation for this runtime

 methods genKeyPair

Generate an asymmetric key pair with the given algorithm and key size (in bits)

 loadCertsForUri

Attempt to load the full certificate chain for the given uri

 loadJwksForUri

Import JSON Web Key Set from a Uri

jwks := Crypto.cur.loadJwksForUri(`https://example.com/jwks.json`)

 loadKeyStore

Load a KeyStore from the given file

 loadPem

Load the next PEM-encoded object from the input stream

 certSigner

Obtain a builder that can be used to configure signing options for generating a signed certificate from a CSR

 genCsr

Generate a Certificate Signing Request (CSR)

 digest

Get a Digest for the given algorithm

 loadJwk

Load a JSON Web Key (Jwk) from a Map

 loadX509

Load all X.509 certificates from the given input stream

 certSigner abstract CertSigner certSigner(Csr csr)

Obtain a builder that can be used to configure signing options for generating a signed certificate from a CSR.

cert := Crypto.cur.certSigner(csr)
  .ca(caKeys, "cn=example,ou=example.org,o=Example Inc,c=US")
  .notAfter(Date.today + 365day)
  .sign

 cur const static Crypto : cur

Get the installed crypto implementation for this runtime.

 digest abstract Digest digest(Str algorithm)

Get a Digest for the given algorithm.

buf := Crypto.cur.digest("SHA-256").update("foo".toBuf).digest

 genCsr abstract Csr genCsr(KeyPair keys, Str subjectDn, Str:Obj opts)

Generate a Certificate Signing Request (CSR). The subjectDn must be a valid X.500 distinguised name as defined in RFC4514.

By default, the implementation should choose a "strong" signing algorithm for signing the CSR. All implementations must support the algorithm option with one of the following values:

  • sha256WithRSAEncryption
  • sha512WithRSAEncryption
// Generate a csr signed with the default algorithm
csr := Crypto.cur.genCsr(pair, "cn=test")

// Generate a csr signed with SHA-512
csr := Crypto.cru.genCsr(pair, "cn=test", ["algorithm": "sha512WithRSAEncryption"])

 genKeyPair abstract KeyPair genKeyPair(Str algorithm, Int bits)

Generate an asymmetric key pair with the given algorithm and key size (in bits). Throws Err if the algorithm or key size is not supported.

pair := Crypto.cur.genKeyPair("RSA", 2048)

 loadCertsForUri virtual Cert[] loadCertsForUri(Uri uri)

Attempt to load the full certificate chain for the given uri. If the certificate chain cannot be obtained, throw an Err.

This is an optional operation and implementations may throw UnsupportedErr.

certs := Crypto.cur.loadCertForUri(`https://my.server.com/`)

 loadJwk abstract Jwk? loadJwk(Str:Obj map)

Load a JSON Web Key (Jwk) from a Map.

Throws an error if unable to determine the JWK type.

jwkRsa  := Crypto.cur.loadJwk(["kty":"RSA", "alg":"RS256", ...])
jwkEc   := Crypto.cur.loadJwk(["kty":"EC", "alg":"ES256", ...])
jwkHmac := Crypto.cur.loadJwk(["kty":"oct", "alg":"HS256", ...])

 loadJwksForUri abstract Jwk[] loadJwksForUri(Uri uri, Int maxKeys)

Import JSON Web Key Set from a Uri

jwks := Crypto.cur.loadJwksForUri(`https://example.com/jwks.json`)

 loadKeyStore abstract KeyStore loadKeyStore(File? file, Str:Obj opts)

Load a KeyStore from the given file. If file is null, then a new, empty keystore in the PKCS12 format will be returned. The keystore format is determined by the file extension:

  • .p12, .pfx: PKCS12 format
  • .jks: Java KeyStore (JAVA only)

If the file does not have an extension, then PKCS12 format will be assumed. Other formats may be supported depending on the runtime implementation. Throws an Err if the format is not supported or there is a problem loading the keystore.

The following options may be supported by the implementation:

  • password: (Str) - the password used to unlock the keystore or perform integrity checks.
ks := Crypto.cur.loadKeyStore(`keystore.p12`, ["password":"changeit"])

 loadPem abstract Obj? loadPem(InStream in, Str algorithm)

Load the next PEM-encoded object from the input stream. Returns one of the following depending on the PEM encoding:

For PKCS#8, the algorithm argument will be used for decoding. This argument is ignored for PKCS#1 where the alogithm is inferred.

Returns null if there are no more PEM objects to decode. The input stream will be closed in this case.

key  := Crypto.cur.loadPem(`server.key`) as PrivKey
cert := Crypto.cur.loadPem(`server.pem`) as Cert

 loadX509 abstract Cert[] loadX509(InStream in)

Load all X.509 certificates from the given input stream.

The stream will be closed after reading the certificates.

cert := Crypto.cur.loadX509(`server.cert`).first

 Haxall 4.0.5 ∙ 24-Feb-2026 14:33 EST