EdgeScript provides built-in cipher functions for encryption, decryption, and digest computation at the CDN edge. Use these functions in your edge scripts to sign requests, verify integrity, or protect sensitive data.
Function overview
| Function | Category | Description |
|---|---|---|
aes_new(config) | AES | Creates an AES object for encryption and decryption |
aes_enc(o, s) | AES | Encrypts plaintext using AES |
aes_dec(o, s) | AES | Decrypts ciphertext using AES |
sha1(s) | Digest | Computes an SHA-1 digest (binary) |
sha2(s, l) | Digest | Computes an SHA-2 digest (binary) |
hmac(k, s, v) | Digest | Computes an HMAC digest (binary) |
hmac_sha1(k, s) | Digest | Computes an HMAC-SHA-1 digest (binary) |
md5(s) | Digest | Computes an MD5 digest (hexadecimal) |
md5_bin(s) | Digest | Computes an MD5 digest (binary) |
aes_new
Creates an Advanced Encryption Standard (AES) object for subsequent encryption and decryption. Pass the returned object to aes_enc() to encrypt or aes_dec() to decrypt.
Syntax
aes_new(config)Parameters
config is a dictionary with the following fields:
| Field | Type | Required | Description |
|---|---|---|---|
key | string | Yes | The encryption key |
cipher_len | integer | Yes | Key length. Valid values: 128, 192, 256 |
cipher_mode | string | Yes | Cipher mode. Valid values: ecb, cbc, ctr, cfb, ofb |
salt | string | No | A salt value |
iv | string | No | The initialization vector |
Return value
Returns an AES object (dictionary type) on success, or false on failure.
Example
The following example creates AES objects in three cipher modes — ECB-128, CBC-256, and OFB-256 — then encrypts and decrypts a plaintext string to verify round-trip correctness.
aes_conf = []
plaintext = ''
if and($http_mode, eq($http_mode, 'ecb-128')) {
set(aes_conf, 'key', 'ab8bfd9f-a1af-4ba2-bbb0-1ee520e3d8bc')
set(aes_conf, 'salt', '1234567890')
set(aes_conf, 'cipher_len', 128)
set(aes_conf, 'cipher_mode', 'ecb')
plaintext = 'hello aes ecb-128'
}
if and($http_mode, eq($http_mode, 'cbc-256')) {
set(aes_conf, 'key', '146ebcc8-392b-4b3a-a720-e7356f62')
set(aes_conf, 'cipher_len', 256)
set(aes_conf, 'cipher_mode', 'cbc')
set(aes_conf, 'iv', '0123456789abcdef')
plaintext = 'hello aes cbc-256'
}
if and($http_mode, eq($http_mode, 'ofb-256')) {
set(aes_conf, 'key', '146ebcc8-392b-4b3a-a720-e7356f62')
set(aes_conf, 'cipher_len', 256)
set(aes_conf, 'cipher_mode', 'ofb')
set(aes_conf, 'iv', tochar(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0))
plaintext = 'hello aes ofb-256'
}
aes_obj = aes_new(aes_conf)
if not(aes_obj) {
say(concat('aes obj failed'))
exit(400)
}
ciphertext = aes_enc(aes_obj, plaintext)
plaintext_reverse = aes_dec(aes_obj, ciphertext)
say(concat('plain: ', plaintext))
say(concat('cipher: ', tohex(ciphertext)))
say(concat('plain_reverse: ', plaintext_reverse))
if ne(plaintext, plaintext_reverse) {
say('plaintext ~= plaintext_reverse')
exit(400)
}aes_enc
Encrypts a plaintext string using AES.
Syntax
aes_enc(o, s)Parameters
| Parameter | Description |
|---|---|
o | The AES object returned by aes_new() |
s | The plaintext to encrypt |
Return value
Returns the ciphertext after the text specified by the s parameter is encrypted.
Example
See the aes_new example for a complete encryption and decryption workflow.
aes_dec
Decrypts a ciphertext string using AES.
Syntax
aes_dec(o, s)Parameters
| Parameter | Description |
|---|---|
o | The AES object returned by aes_new() |
s | The ciphertext to decrypt |
Return value
Returns the plaintext after the text specified by the s parameter is decrypted.
Example
See the aes_new example for a complete encryption and decryption workflow.
sha1
Computes an SHA-1 digest.
Syntax
sha1(s)Parameters
| Parameter | Description |
|---|---|
s | The input string |
Return value
Returns the SHA-1 digest in binary format. Use tohex() to convert it to a hex string.
Example
digest = sha1('hello sha')
say(concat('sha1:', tohex(digest)))Output:
sha1:853789bc783a6b573858b6cc9f913afe82962956sha2
Computes an SHA-2 digest.
Syntax
sha2(s, l)Parameters
| Parameter | Description |
|---|---|
s | The input string |
l | The digest length in bits. Valid values: 224, 256, 384, 512 |
Return value
Returns the SHA-2 digest in binary format. Use tohex() to convert it to a hex string.
Example
digest = sha2('hello sha2', 224)
say(concat('sha2-224:', tohex(digest)))
digest = sha2('hello sha2', 256)
say(concat('sha2-256:', tohex(digest)))
digest = sha2('hello sha2', 384)
say(concat('sha2-384:', tohex(digest)))
digest = sha2('hello sha2', 512)
say(concat('sha2-512:', tohex(digest)))Output:
sha2-224:b24b7effcf53ce815ee7eb73c7382613aba1c334e2a1622655362927
sha2-256:af0425cee23c236b326ed1f008c9c7c143a611859a11e87d66d0a4c3217c7792
sha2-384:bebbdde9efabd4b9cf90856cf30e0b024dd13177d9367d2dcf8d7a04e059f92260f16b21e261358c2271be32086ef35b
sha2-512:a1d1aef051c198c0d26bc03500c177a315fa248cea815e04fbb9a75e5be5061617daab311c5e3d0b215dbfd4e83e73f23081242b0143dcdfce5cd92ec51394f7hmac
Computes an HMAC digest using the specified algorithm.
Syntax
hmac(k, s, v)Parameters
| Parameter | Description |
|---|---|
k | The HMAC key |
s | The input string |
v | The hash algorithm. Valid values: md5, sha1, sha256, sha512 |
Return value
Returns the HMAC digest in binary format. Use tohex() to convert it to a hex string.
Example
k = '146ebcc8-392b-4b3a-a720-e7356f62f87b'
v = 'hello mac'
say(concat('hmac(md5): ', tohex(hmac(k, v, 'md5'))))
say(concat('hmac(sha1): ', tohex(hmac(k, v, 'sha1'))))
say(concat('hmac(sha256): ', tohex(hmac(k, v, 'sha256'))))
say(concat('hmac(sha512): ', tohex(hmac(k, v, 'sha512'))))
say(concat('hmac_sha1(): ', tohex(hmac_sha1(k, v))))Output:
hmac(md5): 358cbfca8ad663b547c83748de2ea778
hmac(sha1): 5555633cef48c3413b68f9330e99357df1cc3d93
hmac(sha256): 7a494543cad3b92ce1e7c4bbc86a8f5212b53e4d661f7830f455847540a85771
hmac(sha512): 59d7c07996ff675b45bd5fd40a6122bb5f40f597357a9b4a9e29da6f5c7cb806798c016fe09cb46457b6df9717d26d0af19896f72eaf4296be03e3681fea59ad
hmac_sha1(): 5555633cef48c3413b68f9330e99357df1cc3d93hmac_sha1
Computes an HMAC-SHA-1 digest.
Syntax
hmac_sha1(k, s)Parameters
| Parameter | Description |
|---|---|
k | The HMAC-SHA-1 key |
s | The input string |
Return value
Returns the HMAC-SHA-1 digest in binary format. Use tohex() to convert it to a hex string.
Example
See the hmac example for sample output that includes hmac_sha1().
md5
Computes an MD5 digest and returns it as a hexadecimal string.
Syntax
md5(s)Parameters
| Parameter | Description |
|---|---|
s | The input string |
Return value
Returns the MD5 digest in hexadecimal format.
Example
say(concat('md5: ', md5('hello md5')))Output:
md5: 741fc6b1878e208346359af502dd11c5md5_bin
Computes an MD5 digest and returns it in binary format. Use this function when you need the raw bytes — for example, as input to another cryptographic operation.
Syntax
md5_bin(s)Parameters
| Parameter | Description |
|---|---|
s | The input string |
Return value
Returns the MD5 digest in binary format. Use tohex() to convert it to a hex string.
Example
say(concat('md5_bin: ', tohex(md5_bin('hello md5'))))Output:
md5_bin: 741fc6b1878e208346359af502dd11c5