com.amazonaws.encryptionsdk.jce

Class JceMasterKey

java.lang.Object

com.amazonaws.encryptionsdk.MasterKeyProvider<K>

com.amazonaws.encryptionsdk.MasterKey<JceMasterKey>

com.amazonaws.encryptionsdk.jce.JceMasterKey

public abstract class JceMasterKey
extends MasterKey<JceMasterKey>

Represents a MasterKey backed by one (or more) JCE Keys. Instances of this should only be acquired using getInstance(SecretKey, String, String, String) or getInstance(PublicKey, PrivateKey, String, String, String).

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	JceMasterKey(Key wrappingKey, Key unwrappingKey, String providerName, String keyId)

Method Summary

Modifier and Type	Method and Description
protected DataKey<JceMasterKey>	actualDecrypt(CryptoAlgorithm algorithm, EncryptedDataKey edk, Map<String,String> encryptionContext)
protected static boolean	arrayPrefixEquals(byte[] a, byte[] b, int len)
protected abstract Cipher	buildUnwrappingCipher(Key key, byte[] extraInfo, int offset, Map<String,String> encryptionContext)
protected abstract com.amazonaws.encryptionsdk.jce.JceMasterKey.WrappingData	buildWrappingCipher(Key key, Map<String,String> encryptionContext)
DataKey<JceMasterKey>	decryptDataKey(CryptoAlgorithm algorithm, Collection<? extends EncryptedDataKey> encryptedDataKeys, Map<String,String> encryptionContext) Iterates through encryptedDataKeys and returns the first one which can be successfully decrypted.
DataKey<JceMasterKey>	encryptDataKey(CryptoAlgorithm algorithm, Map<String,String> encryptionContext, DataKey<?> dataKey) Returns a new copy of the provided dataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.
protected DataKey<JceMasterKey>	encryptRawKey(SecretKey key, byte[] rawKey, Map<String,String> encryptionContext)
DataKey<JceMasterKey>	generateDataKey(CryptoAlgorithm algorithm, Map<String,String> encryptionContext) Generates a new DataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.
static JceMasterKey	getInstance(PublicKey wrappingKey, PrivateKey unwrappingKey, String provider, String keyId, String wrappingAlgorithm) Returns a JceMasterKey backed by unwrappingKey and wrappingKey using wrappingAlgorithm.
static JceMasterKey	getInstance(SecretKey key, String provider, String keyId, String wrappingAlgorithm) Returns a JceMasterKey backed by key using wrappingAlgorithm.
String	getKeyId()
String	getProviderId()

Methods inherited from class com.amazonaws.encryptionsdk.MasterKey

canProvide, equals, getDefaultProviderId, getMasterKey, getMasterKeysForEncryption, hashCode, toString

Methods inherited from class com.amazonaws.encryptionsdk.MasterKeyProvider

buildCannotDecryptDksException, buildCannotDecryptDksException, buildCannotDecryptDksException, getMasterKey

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

JceMasterKey

protected JceMasterKey(Key wrappingKey,
                       Key unwrappingKey,
                       String providerName,
                       String keyId)

Method Detail

getInstance

public static JceMasterKey getInstance(SecretKey key,
                                       String provider,
                                       String keyId,
                                       String wrappingAlgorithm)

Returns a JceMasterKey backed by key using wrappingAlgorithm. Currently "AES/GCM/NoPadding" is the only supported value for wrappingAlgorithm.

Parameters:

key - key used to wrap/unwrap (encrypt/decrypt) DataKeys

provider -

keyId -

wrappingAlgorithm -

Returns:

getInstance

public static JceMasterKey getInstance(PublicKey wrappingKey,
                                       PrivateKey unwrappingKey,
                                       String provider,
                                       String keyId,
                                       String wrappingAlgorithm)

Returns a JceMasterKey backed by unwrappingKey and wrappingKey using wrappingAlgorithm. Currently only RSA algorithms are supported for wrappingAlgorithm. wrappingAlgorithm. If unwrappingKey is null then the returned JceMasterKey can only be used for encryption.

Parameters:

wrappingKey - key used to wrap (encrypt) DataKeys

unwrappingKey - (Optional) key used to unwrap (decrypt) DataKeys.

getProviderId

public String getProviderId()

Specified by:

getProviderId in class MasterKey<JceMasterKey>

getKeyId

public String getKeyId()

Specified by:

getKeyId in class MasterKey<JceMasterKey>

generateDataKey

public DataKey<JceMasterKey> generateDataKey(CryptoAlgorithm algorithm,
                                             Map<String,String> encryptionContext)

Description copied from class: MasterKey

Generates a new DataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.

Specified by:

generateDataKey in class MasterKey<JceMasterKey>

encryptDataKey

public DataKey<JceMasterKey> encryptDataKey(CryptoAlgorithm algorithm,
                                            Map<String,String> encryptionContext,
                                            DataKey<?> dataKey)

Description copied from class: MasterKey

Returns a new copy of the provided dataKey which is protected by this MasterKey for use with algorithm and associated with the provided encryptionContext.

Specified by:

encryptDataKey in class MasterKey<JceMasterKey>

encryptRawKey

protected DataKey<JceMasterKey> encryptRawKey(SecretKey key,
                                              byte[] rawKey,
                                              Map<String,String> encryptionContext)

decryptDataKey

public DataKey<JceMasterKey> decryptDataKey(CryptoAlgorithm algorithm,
                                            Collection<? extends EncryptedDataKey> encryptedDataKeys,
                                            Map<String,String> encryptionContext)
                                     throws UnsupportedProviderException,
                                            AwsCryptoException

Description copied from class: MasterKeyProvider

Iterates through encryptedDataKeys and returns the first one which can be successfully decrypted.

Specified by:

decryptDataKey in class MasterKeyProvider<JceMasterKey>

Returns:

a DataKey if one can be decrypted, otherwise returns null

Throws:

UnsupportedProviderException - if the encryptedDataKey is associated with an unsupported provider

CannotUnwrapDataKeyException - if the encryptedDataKey cannot be decrypted

AwsCryptoException

actualDecrypt

protected DataKey<JceMasterKey> actualDecrypt(CryptoAlgorithm algorithm,
                                              EncryptedDataKey edk,
                                              Map<String,String> encryptionContext)
                                       throws GeneralSecurityException

Throws:

GeneralSecurityException

arrayPrefixEquals

protected static boolean arrayPrefixEquals(byte[] a,
                                           byte[] b,
                                           int len)

buildWrappingCipher

protected abstract com.amazonaws.encryptionsdk.jce.JceMasterKey.WrappingData buildWrappingCipher(Key key,
                                                                                                 Map<String,String> encryptionContext)
                                                                                          throws GeneralSecurityException

Throws:

GeneralSecurityException

buildUnwrappingCipher

protected abstract Cipher buildUnwrappingCipher(Key key,
                                                byte[] extraInfo,
                                                int offset,
                                                Map<String,String> encryptionContext)
                                         throws GeneralSecurityException

Throws:

GeneralSecurityException