public class AwsCrypto extends Object
encryptData(MasterKeyProvider, byte[], Map) and decryptData(MasterKeyProvider, byte[]) to encrypt/decrypt things.
The core concepts (and classes) in this SDK are:
AwsCrypto provides the primary way to encrypt/decrypt data. It can operate on byte-arrays, streams, or Strings. This data is encrypted using the specified CryptoAlgorithm and a DataKey which is unique to each encrypted message. This DataKey is then encrypted using one (or more) MasterKeys. The process is reversed on decryption with the code selecting a copy of the DataKey protected by a usable MasterKey, decrypting the DataKey, and then decrypting the message.
The main way to get a MasterKey is through the use of a MasterKeyProvider. This provides a common interface for the AwsEncryptionSdk to find and retrieve MasterKeys. (Some MasterKeys can also be constructed directly.)
AwsCrypto uses the MasterKeyProvider to determine which MasterKeys should be used to encrypt the DataKeys by calling MasterKeyProvider.getMasterKeysForEncryption(MasterKeyRequest). When more than one MasterKey is returned, the first MasterKey is used to create the DataKeys by calling MasterKey.generateDataKey(CryptoAlgorithm,java.util.Map). All of the other MasterKeys are then used to re-encrypt that DataKey with MasterKey.encryptDataKey(CryptoAlgorithm,java.util.Map,DataKey). This list of EncryptedDataKeys (the same DataKey possibly encrypted multiple times) is stored in the CiphertextHeaders.
AwsCrypto also uses the MasterKeyProvider to decrypt one of the EncryptedDataKeys from the header to retrieve the actual DataKey necessary to decrypt the message.
Any place a MasterKeyProvider is used, a MasterKey can be used instead. The MasterKey will behave as a MasterKeyProvider which is only capable of providing itself. This is often useful when only one MasterKey is being used.
Note regarding the use of generics: This library makes heavy use of generics to provide type safety to advanced developers. The great majority of users should be able to just use the provided type parameters or the ? wildcard.
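
The flow described above, as an added example that is not part of the SDK's own documentation: one DataKey is wrapped under two MasterKeys, and the message is then decrypted with only the second one, after which the returned encryption context is checked. JceMasterKey, MultipleProviderFactory and the CryptoResult getters belong to the same SDK but are not described on this page; the provider name, key ids and context values are constructed placeholders.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.MasterKeyProvider;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;
import com.amazonaws.encryptionsdk.multi.MultipleProviderFactory;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;

public class EnvelopeRoundTrip {
    public static void main(String[] args) throws Exception {
        // Constructed sample keys: two independent 256-bit AES wrapping keys.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        JceMasterKey primary = JceMasterKey.getInstance(
                gen.generateKey(), "Example", "primary", "AES/GCM/NoPadding");
        JceMasterKey escrow = JceMasterKey.getInstance(
                gen.generateKey(), "Example", "escrow", "AES/GCM/NoPadding");

        // The first key generates the DataKey; the second re-encrypts it.
        MasterKeyProvider<?> both = MultipleProviderFactory.buildMultiProvider(primary, escrow);

        // Keep the expected pairs separately: encryptData may add entries
        // to the map it is given, so pass a mutable copy.
        Map<String, String> expected = new HashMap<>();
        expected.put("purpose", "demo");   // authenticated, but stored in the clear

        AwsCrypto crypto = new AwsCrypto();
        byte[] ciphertext = crypto.encryptData(
                both, "hello".getBytes(StandardCharsets.UTF_8), new HashMap<>(expected)).getResult();

        // A MasterKey is itself a MasterKeyProvider, so the escrow key alone
        // can unwrap its copy of the DataKey from the header.
        CryptoResult<byte[], JceMasterKey> result = crypto.decryptData(escrow, ciphertext);

        // Check containment, not equality: the SDK may have added its own entries.
        Map<String, String> actual = result.getEncryptionContext();
        for (Map.Entry<String, String> e : expected.entrySet()) {
            if (!e.getValue().equals(actual.get(e.getKey()))) {
                throw new IllegalStateException("Unexpected encryption context for " + e.getKey());
            }
        }
        System.out.println(new String(result.getResult(), StandardCharsets.UTF_8));
        System.out.println("Unwrapped by: " + result.getMasterKeyIds());
    }
}
```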
Constructor and Description |
---|
AwsCrypto() |
Modifier and Type | Method and Description |
---|---|
<K extends MasterKey<K>> | createDecryptingStream(MasterKeyProvider<K> provider, InputStream is) Returns a CryptoInputStream which decrypts the data after reading it from the underlying InputStream. |
<K extends MasterKey<K>> | createDecryptingStream(MasterKeyProvider<K> provider, OutputStream os) Returns a CryptoOutputStream which decrypts the data prior to passing it onto the underlying OutputStream. |
<K extends MasterKey<K>> | createEncryptingStream(MasterKeyProvider<K> provider, InputStream is) Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, InputStream, Map) with an empty encryptionContext. |
<K extends MasterKey<K>> | createEncryptingStream(MasterKeyProvider<K> provider, InputStream is, Map<String,String> encryptionContext) Returns a CryptoInputStream which encrypts the data after reading it from the underlying InputStream. |
<K extends MasterKey<K>> | createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os) Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, OutputStream, Map) with an empty encryptionContext. |
<K extends MasterKey<K>> | createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os, Map<String,String> encryptionContext) Returns a CryptoOutputStream which encrypts the data prior to passing it onto the underlying OutputStream. |
<K extends MasterKey<K>> | decryptData(MasterKeyProvider<K> provider, byte[] ciphertext) Decrypts the provided ciphertext by requesting that the provider unwrap the first usable DataKey in the ciphertext and then decrypts the ciphertext using that DataKey. |
<K extends MasterKey<K>> | decryptData(MasterKeyProvider<K> provider, ParsedCiphertext ciphertext) |
<K extends MasterKey<K>> | decryptString(MasterKeyProvider<K> provider, String ciphertext) Base64 decodes the ciphertext prior to decryption and then treats the results as a UTF-8 encoded string. |
<K extends MasterKey<K>> | encryptData(MasterKeyProvider<K> provider, byte[] plaintext) Returns the equivalent to calling encryptData(MasterKeyProvider, byte[], Map) with an empty encryptionContext. |
<K extends MasterKey<K>> | encryptData(MasterKeyProvider<K> provider, byte[] plaintext, Map<String,String> encryptionContext) Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by MasterKeys provided by provider. |
<K extends MasterKey<K>> | encryptString(MasterKeyProvider<K> provider, String plaintext) Returns the equivalent to calling encryptString(MasterKeyProvider, String, Map) with an empty encryptionContext. |
<K extends MasterKey<K>> | encryptString(MasterKeyProvider<K> provider, String plaintext, Map<String,String> encryptionContext) Calls encryptData(MasterKeyProvider, byte[], Map) on the UTF-8 encoded bytes of plaintext and base64 encodes the result. |
<K extends MasterKey<K>> | estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize) Returns the equivalent to calling estimateCiphertextSize(MasterKeyProvider, int, Map) with an empty encryptionContext. |
<K extends MasterKey<K>> | estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize, Map<String,String> encryptionContext) Returns the best estimate for the output length of encrypting a plaintext with the provided plaintextSize and encryptionContext. |
static CryptoAlgorithm | getDefaultCryptoAlgorithm() Returns the CryptoAlgorithm to be used for encryption when none is explicitly selected. |
static int | getDefaultFrameSize() Returns the frame size to use for encryption when none is explicitly selected. |
CryptoAlgorithm | getEncryptionAlgorithm() |
int | getEncryptionFrameSize() |
void | setEncryptionAlgorithm(CryptoAlgorithm alg) Sets the CryptoAlgorithm to use when encrypting data. |
void | setEncryptionFrameSize(int frameSize) Sets the framing size to use when encrypting data. |

public static CryptoAlgorithm getDefaultCryptoAlgorithm()
Returns the CryptoAlgorithm to be used for encryption when none is explicitly selected. Currently it is CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384.

public static int getDefaultFrameSize()

public void setEncryptionAlgorithm(CryptoAlgorithm alg)
Sets the CryptoAlgorithm to use when encrypting data. This has no impact on decryption.

public CryptoAlgorithm getEncryptionAlgorithm()

public void setEncryptionFrameSize(int frameSize)
Sets the framing size to use when encrypting data. frameSize must be a non-negative multiple of the underlying algorithm's blocksize. If frameSize is 0, then framing is disabled and the entire plaintext will be encrypted in a single block.

public int getEncryptionFrameSize()

public <K extends MasterKey<K>> long estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize, Map<String,String> encryptionContext)
Returns the best estimate for the output length of encrypting a plaintext with the provided plaintextSize and encryptionContext. The actual ciphertext may be shorter.

public <K extends MasterKey<K>> long estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize)
Returns the equivalent to calling estimateCiphertextSize(MasterKeyProvider, int, Map) with an empty encryptionContext.

public <K extends MasterKey<K>> CryptoResult<byte[],K> encryptData(MasterKeyProvider<K> provider, byte[] plaintext, Map<String,String> encryptionContext)
Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by MasterKeys provided by provider. This method may add new values to the provided encryptionContext.

public <K extends MasterKey<K>> CryptoResult<byte[],K> encryptData(MasterKeyProvider<K> provider, byte[] plaintext)
Returns the equivalent to calling encryptData(MasterKeyProvider, byte[], Map) with an empty encryptionContext.

public <K extends MasterKey<K>> CryptoResult<String,K> encryptString(MasterKeyProvider<K> provider, String plaintext, Map<String,String> encryptionContext)
Calls encryptData(MasterKeyProvider, byte[], Map) on the UTF-8 encoded bytes of plaintext and base64 encodes the result.

public <K extends MasterKey<K>> CryptoResult<String,K> encryptString(MasterKeyProvider<K> provider, String plaintext)
Returns the equivalent to calling encryptString(MasterKeyProvider, String, Map) with an empty encryptionContext.

public <K extends MasterKey<K>> CryptoResult<byte[],K> decryptData(MasterKeyProvider<K> provider, byte[] ciphertext)
Decrypts the provided ciphertext by requesting that the provider unwrap the first usable DataKey in the ciphertext and then decrypts the ciphertext using that DataKey.

public <K extends MasterKey<K>> CryptoResult<byte[],K> decryptData(MasterKeyProvider<K> provider, ParsedCiphertext ciphertext)
See also: decryptData(MasterKeyProvider, byte[])

public <K extends MasterKey<K>> CryptoResult<String,K> decryptString(MasterKeyProvider<K> provider, String ciphertext)
Base64 decodes the ciphertext prior to decryption and then treats the results as a UTF-8 encoded string.
See also: decryptData(MasterKeyProvider, byte[])

public <K extends MasterKey<K>> CryptoOutputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os, Map<String,String> encryptionContext)
Returns a CryptoOutputStream which encrypts the data prior to passing it onto the underlying OutputStream.

public <K extends MasterKey<K>> CryptoOutputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os)
Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, OutputStream, Map) with an empty encryptionContext.

public <K extends MasterKey<K>> CryptoInputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, InputStream is, Map<String,String> encryptionContext)
Returns a CryptoInputStream which encrypts the data after reading it from the underlying InputStream.

public <K extends MasterKey<K>> CryptoInputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, InputStream is)
Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, InputStream, Map) with an empty encryptionContext.

public <K extends MasterKey<K>> CryptoOutputStream<K> createDecryptingStream(MasterKeyProvider<K> provider, OutputStream os)
Returns a CryptoOutputStream which decrypts the data prior to passing it onto the underlying OutputStream.

public <K extends MasterKey<K>> CryptoInputStream<K> createDecryptingStream(MasterKeyProvider<K> provider, InputStream is)
Returns a CryptoInputStream which decrypts the data after reading it from the underlying InputStream.

Copyright © 2016. All rights reserved.