public class AwsCrypto extends Object

The simplest entry points are encryptData(MasterKeyProvider, byte[], Map) and
decryptData(MasterKeyProvider, byte[]) to encrypt/decrypt things.
The core concepts (and classes) in this SDK are:
AwsCrypto provides the primary way to encrypt/decrypt data. It can operate on
byte-arrays, streams, or Strings. This data is encrypted using the
specified CryptoAlgorithm and a DataKey which is unique to each encrypted message.
This DataKey is then encrypted using one (or more) MasterKeys. The
process is reversed on decryption, with the code selecting a copy of the DataKey protected
by a usable MasterKey, decrypting the DataKey, and then decrypting the message.
The main way to get a MasterKey is through the use of a MasterKeyProvider. This
provides a common interface for the AwsEncryptionSdk to find and retrieve MasterKeys.
(Some MasterKeys can also be constructed directly.)
AwsCrypto uses the MasterKeyProvider to determine which MasterKeys should
be used to encrypt the DataKeys by calling
MasterKeyProvider.getMasterKeysForEncryption(MasterKeyRequest). When more than one
MasterKey is returned, the first MasterKey is used to create the
DataKey by calling MasterKey.generateDataKey(CryptoAlgorithm,java.util.Map).
All of the other MasterKeys are then used to re-encrypt that DataKey with
MasterKey.encryptDataKey(CryptoAlgorithm,java.util.Map,DataKey). This list of
EncryptedDataKeys (the same DataKey possibly encrypted multiple
times) is stored in the CiphertextHeaders.
AwsCrypto also uses the MasterKeyProvider to decrypt one of the
EncryptedDataKeys from the header to retrieve the actual DataKey
necessary to decrypt the message.
Any place a MasterKeyProvider is used, a MasterKey can be used instead. The
MasterKey will behave as a MasterKeyProvider which is only capable of providing
itself. This is often useful when only one MasterKey is being used.
Note regarding the use of generics: This library makes heavy use of generics to provide type
safety to advanced developers. The great majority of users should be able to just use the
provided type parameters or the ? wildcard.
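The encrypt/decrypt round trip described above, written out as an added example (this is not code from the SDK's own documentation). It wraps a locally generated AES-256 key in a JceMasterKey, passes that MasterKey directly where a MasterKeyProvider is expected, and on decryption checks the returned encryption context and master key id before the plaintext is used. The provider name, key id and context values are constructed placeholders; a production service would get its MasterKey from a KMS- or HSM-backed provider instead of an in-memory key.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoResult;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class RoundTripExample {
    // Constructed placeholders for this example; not values from the SDK.
    private static final String PROVIDER_ID = "example-provider";
    private static final String KEY_ID = "example-key-1";

    // Constructed for the example: an in-memory AES-256 key exposed as a JceMasterKey.
    // JceMasterKey implements MasterKey, and every MasterKey is also a MasterKeyProvider
    // that can only provide itself.
    static JceMasterKey newMasterKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        return JceMasterKey.getInstance(key, PROVIDER_ID, KEY_ID, "AES/GCM/NoPadding");
    }

    public static void main(String[] args) throws Exception {
        AwsCrypto crypto = new AwsCrypto();
        JceMasterKey masterKey = newMasterKey();

        // Encryption context: non-secret metadata that is authenticated with the message
        // and stored in the header in the clear. Never put secrets in it.
        Map<String, String> context = new HashMap<>();
        context.put("purpose", "round-trip-example");
        context.put("tenant", "acme");

        byte[] plaintext = "hello, encryption sdk".getBytes(StandardCharsets.UTF_8);

        // A fresh DataKey is generated for this message, wrapped by masterKey and stored
        // in the ciphertext header together with the context.
        CryptoResult<byte[], JceMasterKey> encrypted =
                crypto.encryptData(masterKey, plaintext, context);
        byte[] ciphertext = encrypted.getResult();

        // Decryption unwraps the DataKey with the same MasterKey and verifies the header.
        CryptoResult<byte[], JceMasterKey> decrypted = crypto.decryptData(masterKey, ciphertext);

        // The SDK authenticates the context, but only the application knows which values it
        // expects: compare every key we set before trusting the plaintext. (Signed algorithms
        // add their own entries to the stored context, so check our keys, not the whole map.)
        Map<String, String> seen = decrypted.getEncryptionContext();
        for (Map.Entry<String, String> e : context.entrySet()) {
            if (!e.getValue().equals(seen.get(e.getKey()))) {
                throw new IllegalStateException("Encryption context mismatch for " + e.getKey());
            }
        }
        // Also confirm the DataKey was unwrapped by the key we expected, not some other
        // key the provider happened to know.
        if (!decrypted.getMasterKeyIds().contains(KEY_ID)) {
            throw new IllegalStateException("Unexpected master key " + decrypted.getMasterKeyIds());
        }

        System.out.println(new String(decrypted.getResult(), StandardCharsets.UTF_8));
    }
}
```

The two checks after decryptData are the part worth copying: decryption succeeding only proves that some key the provider could use wrapped the DataKey, so the caller still has to assert that the message carries the context and key it expects.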
| Constructor and Description |
|---|
| AwsCrypto() |
| Modifier and Type | Method and Description |
|---|---|
| CryptoInputStream<?> | createDecryptingStream(CryptoMaterialsManager materialsManager, InputStream is): Returns a CryptoInputStream which decrypts the data after reading it from the underlying InputStream. |
| CryptoOutputStream<?> | createDecryptingStream(CryptoMaterialsManager materialsManager, OutputStream os): Returns a CryptoOutputStream which decrypts the data prior to passing it onto the underlying OutputStream. |
| <K extends MasterKey<K>> CryptoInputStream<K> | createDecryptingStream(MasterKeyProvider<K> provider, InputStream is): Returns a CryptoInputStream which decrypts the data after reading it from the underlying InputStream. |
| <K extends MasterKey<K>> CryptoOutputStream<K> | createDecryptingStream(MasterKeyProvider<K> provider, OutputStream os): Returns a CryptoOutputStream which decrypts the data prior to passing it onto the underlying OutputStream. |
| CryptoInputStream<?> | createEncryptingStream(CryptoMaterialsManager materialsManager, InputStream is): Returns the equivalent to calling createEncryptingStream(CryptoMaterialsManager, InputStream, Map) with an empty encryptionContext. |
| CryptoInputStream<?> | createEncryptingStream(CryptoMaterialsManager materialsManager, InputStream is, Map<String,String> encryptionContext): Returns a CryptoInputStream which encrypts the data after reading it from the underlying InputStream. |
| CryptoOutputStream<?> | createEncryptingStream(CryptoMaterialsManager materialsManager, OutputStream os): Returns the equivalent to calling createEncryptingStream(CryptoMaterialsManager, OutputStream, Map) with an empty encryptionContext. |
| CryptoOutputStream<?> | createEncryptingStream(CryptoMaterialsManager materialsManager, OutputStream os, Map<String,String> encryptionContext): Returns a CryptoOutputStream which encrypts the data prior to passing it onto the underlying OutputStream. |
| <K extends MasterKey<K>> CryptoInputStream<K> | createEncryptingStream(MasterKeyProvider<K> provider, InputStream is): Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, InputStream, Map) with an empty encryptionContext. |
| <K extends MasterKey<K>> CryptoInputStream<K> | createEncryptingStream(MasterKeyProvider<K> provider, InputStream is, Map<String,String> encryptionContext): Returns a CryptoInputStream which encrypts the data after reading it from the underlying InputStream. |
| <K extends MasterKey<K>> CryptoOutputStream<K> | createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os): Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, OutputStream, Map) with an empty encryptionContext. |
| <K extends MasterKey<K>> CryptoOutputStream<K> | createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os, Map<String,String> encryptionContext): Returns a CryptoOutputStream which encrypts the data prior to passing it onto the underlying OutputStream. |
| CryptoResult<byte[],?> | decryptData(CryptoMaterialsManager materialsManager, byte[] ciphertext): Decrypts the provided ciphertext by delegating to the provided materialsManager to obtain the decrypted DataKey. |
| CryptoResult<byte[],?> | decryptData(CryptoMaterialsManager materialsManager, ParsedCiphertext ciphertext) |
| <K extends MasterKey<K>> CryptoResult<byte[],K> | decryptData(MasterKeyProvider<K> provider, byte[] ciphertext): Decrypts the provided ciphertext by requesting that the provider unwrap any usable DataKey in the ciphertext and then decrypts the ciphertext using that DataKey. |
| <K extends MasterKey<K>> CryptoResult<byte[],K> | decryptData(MasterKeyProvider<K> provider, ParsedCiphertext ciphertext) |
| CryptoResult<String,?> | decryptString(CryptoMaterialsManager provider, String ciphertext): Base64 decodes the ciphertext prior to decryption and then treats the result as a UTF-8 encoded string. |
| <K extends MasterKey<K>> CryptoResult<String,K> | decryptString(MasterKeyProvider<K> provider, String ciphertext): Base64 decodes the ciphertext prior to decryption and then treats the result as a UTF-8 encoded string. |
| CryptoResult<byte[],?> | encryptData(CryptoMaterialsManager materialsManager, byte[] plaintext): Returns the equivalent to calling encryptData(CryptoMaterialsManager, byte[], Map) with an empty encryptionContext. |
| CryptoResult<byte[],?> | encryptData(CryptoMaterialsManager materialsManager, byte[] plaintext, Map<String,String> encryptionContext): Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by the given CryptoMaterialsManager. |
| <K extends MasterKey<K>> CryptoResult<byte[],K> | encryptData(MasterKeyProvider<K> provider, byte[] plaintext): Returns the equivalent to calling encryptData(MasterKeyProvider, byte[], Map) with an empty encryptionContext. |
| <K extends MasterKey<K>> CryptoResult<byte[],K> | encryptData(MasterKeyProvider<K> provider, byte[] plaintext, Map<String,String> encryptionContext): Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by MasterKeys provided by provider. |
| CryptoResult<String,?> | encryptString(CryptoMaterialsManager materialsManager, String plaintext): Returns the equivalent to calling encryptString(CryptoMaterialsManager, String, Map) with an empty encryptionContext. |
| CryptoResult<String,?> | encryptString(CryptoMaterialsManager materialsManager, String plaintext, Map<String,String> encryptionContext): Calls encryptData(CryptoMaterialsManager, byte[], Map) on the UTF-8 encoded bytes of plaintext and base64 encodes the result. |
| <K extends MasterKey<K>> CryptoResult<String,K> | encryptString(MasterKeyProvider<K> provider, String plaintext): Returns the equivalent to calling encryptString(MasterKeyProvider, String, Map) with an empty encryptionContext. |
| <K extends MasterKey<K>> CryptoResult<String,K> | encryptString(MasterKeyProvider<K> provider, String plaintext, Map<String,String> encryptionContext): Calls encryptData(MasterKeyProvider, byte[], Map) on the UTF-8 encoded bytes of plaintext and base64 encodes the result. |
| long | estimateCiphertextSize(CryptoMaterialsManager materialsManager, int plaintextSize): Returns the equivalent to calling estimateCiphertextSize(CryptoMaterialsManager, int, Map) with an empty encryptionContext. |
| long | estimateCiphertextSize(CryptoMaterialsManager materialsManager, int plaintextSize, Map<String,String> encryptionContext): Returns the best estimate for the output length of encrypting a plaintext with the provided plaintextSize and encryptionContext. |
| <K extends MasterKey<K>> long | estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize): Returns the equivalent to calling estimateCiphertextSize(MasterKeyProvider, int, Map) with an empty encryptionContext. |
| <K extends MasterKey<K>> long | estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize, Map<String,String> encryptionContext): Returns the best estimate for the output length of encrypting a plaintext with the provided plaintextSize and encryptionContext. |
| static CryptoAlgorithm | getDefaultCryptoAlgorithm(): Returns the CryptoAlgorithm to be used for encryption when none is explicitly selected. |
| static int | getDefaultFrameSize(): Returns the frame size to use for encryption when none is explicitly selected. |
| CryptoAlgorithm | getEncryptionAlgorithm() |
| int | getEncryptionFrameSize() |
| void | setEncryptionAlgorithm(CryptoAlgorithm alg): Sets the CryptoAlgorithm to use when encrypting data. |
| void | setEncryptionFrameSize(int frameSize): Sets the framing size to use when encrypting data. |
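The streaming variants in the table above, as an added example (not code from the SDK or its documentation): a file is encrypted through a CryptoOutputStream and decrypted back through a CryptoInputStream, with the encryption context checked from the decrypting stream's CryptoResult before any plaintext is copied out. The key id, context value and temp-file names are constructed for the example. One caveat the table does not state: a decrypting stream hands back plaintext frame by frame as it reads, so a corrupted or truncated tail (including a bad trailing signature under the signing default algorithm) surfaces as an exception late in the read, and the consumer must not act on the output until the stream has been read to the end and closed without error.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.CryptoInputStream;
import com.amazonaws.encryptionsdk.CryptoOutputStream;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;

public class FileStreamExample {
    // Constructed placeholders for this example.
    private static final String PROVIDER_ID = "example-provider";
    private static final String KEY_ID = "example-key-1";

    // Constructed: in-memory AES-256 key as a JceMasterKey (a MasterKey is also a MasterKeyProvider).
    static JceMasterKey newMasterKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        return JceMasterKey.getInstance(key, PROVIDER_ID, KEY_ID, "AES/GCM/NoPadding");
    }

    static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
    }

    public static void main(String[] args) throws Exception {
        AwsCrypto crypto = new AwsCrypto();
        JceMasterKey masterKey = newMasterKey();
        Map<String, String> context = Collections.singletonMap("Example", "FileStreaming");

        // Constructed sample input: a small temp file standing in for a large one.
        Path plain = Files.createTempFile("plain", ".txt");
        Path encrypted = Files.createTempFile("plain", ".encrypted");
        Path restored = Files.createTempFile("plain", ".decrypted");
        Files.write(plain, "stream me, frame by frame".getBytes(StandardCharsets.UTF_8));

        // Encrypt: wrap the destination. Each write is framed and encrypted before it reaches
        // the file; close() flushes the final frame (and signature, for signing algorithms).
        try (InputStream in = Files.newInputStream(plain);
             CryptoOutputStream<JceMasterKey> out =
                     crypto.createEncryptingStream(masterKey, Files.newOutputStream(encrypted), context)) {
            copy(in, out);
        }

        // Decrypt: wrap the source. getCryptoResult() reads and authenticates the header
        // (unwrapping the DataKey) before any body frame is returned, so the context can be
        // checked up front. Plaintext frames are then released as they are read, which is
        // why the copy below must complete without exception before the output is trusted.
        try (CryptoInputStream<JceMasterKey> in =
                     crypto.createDecryptingStream(masterKey, Files.newInputStream(encrypted));
             OutputStream out = Files.newOutputStream(restored)) {
            Map<String, String> seen = in.getCryptoResult().getEncryptionContext();
            if (!"FileStreaming".equals(seen.get("Example"))) {
                throw new IllegalStateException("Bad encryption context: " + seen);
            }
            copy(in, out);
        }

        boolean same = Arrays.equals(Files.readAllBytes(plain), Files.readAllBytes(restored));
        System.out.println("round trip ok: " + same);
    }
}
```

Writing the decrypted output to a temporary location and only renaming or handing it on after the copy returns is the usual way to honour the "read to the end first" rule when the plaintext is a file.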
public static CryptoAlgorithm getDefaultCryptoAlgorithm()
Returns the CryptoAlgorithm to be used for encryption when none is explicitly
selected. Currently it is CryptoAlgorithm.ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384.

public static int getDefaultFrameSize()
Returns the frame size to use for encryption when none is explicitly selected.

public void setEncryptionAlgorithm(CryptoAlgorithm alg)
Sets the CryptoAlgorithm to use when encrypting data. This has no impact on
decryption.

public CryptoAlgorithm getEncryptionAlgorithm()

public void setEncryptionFrameSize(int frameSize)
Sets the framing size to use when encrypting data. If frameSize is 0, then framing is
disabled and the entire plaintext will be encrypted in a single block.
Note that during encryption arrays of this size will be allocated. Using extremely large frame sizes may pose
compatibility issues when the decryptor is running on 32-bit systems. Additionally, Java VM limits may set a
platform-specific upper bound to frame sizes.

public int getEncryptionFrameSize()
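An added example (not from the SDK's documentation) that exercises the frame-size and algorithm setters above together with estimateCiphertextSize: it encrypts the same constructed plaintext under the default frame size, a small frame size and with framing disabled (0), and checks the documented contract that the estimate is an upper bound, i.e. the actual ciphertext is never longer than the estimate. The key id and context value are placeholders; the byte count chosen for the plaintext is arbitrary.

```java
import com.amazonaws.encryptionsdk.AwsCrypto;
import com.amazonaws.encryptionsdk.jce.JceMasterKey;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.Collections;
import java.util.Map;

public class SizeEstimateExample {
    // Constructed placeholders for this example.
    private static final String PROVIDER_ID = "example-provider";
    private static final String KEY_ID = "example-key-1";

    // Constructed: in-memory AES-256 key as a JceMasterKey (a MasterKey is also a MasterKeyProvider).
    static JceMasterKey newMasterKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        return JceMasterKey.getInstance(key, PROVIDER_ID, KEY_ID, "AES/GCM/NoPadding");
    }

    // Encrypts plaintext at the given frame size and returns the (estimate, actual) pair,
    // throwing if the SDK's estimate ever under-reports the real ciphertext length.
    static long[] measure(AwsCrypto crypto, JceMasterKey masterKey, byte[] plaintext,
                          Map<String, String> context, int frameSize) {
        crypto.setEncryptionFrameSize(frameSize);           // 0 disables framing
        long estimate = crypto.estimateCiphertextSize(masterKey, plaintext.length, context);
        byte[] ciphertext = crypto.encryptData(masterKey, plaintext, context).getResult();
        if (ciphertext.length > estimate) {
            throw new IllegalStateException("estimate " + estimate
                    + " is smaller than actual ciphertext " + ciphertext.length);
        }
        return new long[] {estimate, ciphertext.length};
    }

    public static void main(String[] args) throws Exception {
        AwsCrypto crypto = new AwsCrypto();
        JceMasterKey masterKey = newMasterKey();
        Map<String, String> context = Collections.singletonMap("purpose", "size-estimate");

        // Constructed sample plaintext: 10,000 zero bytes (content does not affect length).
        byte[] plaintext = new byte[10_000];

        // Setting the algorithm explicitly affects encryption only; decryption always follows
        // the algorithm recorded in the message header.
        crypto.setEncryptionAlgorithm(AwsCrypto.getDefaultCryptoAlgorithm());
        System.out.println("algorithm:  " + crypto.getEncryptionAlgorithm());
        System.out.println("frame size: " + AwsCrypto.getDefaultFrameSize() + " (default)");

        int[] frameSizes = {AwsCrypto.getDefaultFrameSize(), 1024, 0};
        for (int frameSize : frameSizes) {
            long[] r = measure(crypto, masterKey, plaintext, context, frameSize);
            System.out.printf("frame=%-5d estimate=%d actual=%d%n", frameSize, r[0], r[1]);
        }
    }
}
```

Smaller frames add per-frame overhead (IV and tag for every frame) but bound the memory the encryptor allocates per frame, which is the trade-off the note about 32-bit decryptors and JVM array limits is pointing at; the unframed case (frame size 0) encrypts the whole plaintext as one block and is the one to avoid for large inputs.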
public <K extends MasterKey<K>> long estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize, Map<String,String> encryptionContext)
Returns the best estimate for the output length of encrypting a plaintext with the provided
plaintextSize and encryptionContext. The actual ciphertext may be shorter.
This method is equivalent to calling estimateCiphertextSize(CryptoMaterialsManager, int, Map) with a
DefaultCryptoMaterialsManager based on the given provider.

public long estimateCiphertextSize(CryptoMaterialsManager materialsManager, int plaintextSize, Map<String,String> encryptionContext)
Returns the best estimate for the output length of encrypting a plaintext with the provided
plaintextSize and encryptionContext. The actual ciphertext may be shorter.

public <K extends MasterKey<K>> long estimateCiphertextSize(MasterKeyProvider<K> provider, int plaintextSize)
Returns the equivalent to calling estimateCiphertextSize(MasterKeyProvider, int, Map) with an empty
encryptionContext.

public long estimateCiphertextSize(CryptoMaterialsManager materialsManager, int plaintextSize)
Returns the equivalent to calling estimateCiphertextSize(CryptoMaterialsManager, int, Map) with an empty
encryptionContext.

public <K extends MasterKey<K>> CryptoResult<byte[],K> encryptData(MasterKeyProvider<K> provider, byte[] plaintext, Map<String,String> encryptionContext)
Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by
MasterKeys provided by provider.
This method is equivalent to calling encryptData(CryptoMaterialsManager, byte[], Map) using a
DefaultCryptoMaterialsManager based on the given provider.

public CryptoResult<byte[],?> encryptData(CryptoMaterialsManager materialsManager, byte[] plaintext, Map<String,String> encryptionContext)
Returns an encrypted form of plaintext that has been protected with DataKeys that are in turn protected by
the given CryptoMaterialsManager.

public <K extends MasterKey<K>> CryptoResult<byte[],K> encryptData(MasterKeyProvider<K> provider, byte[] plaintext)
Returns the equivalent to calling encryptData(MasterKeyProvider, byte[], Map) with
an empty encryptionContext.

public CryptoResult<byte[],?> encryptData(CryptoMaterialsManager materialsManager, byte[] plaintext)
Returns the equivalent to calling encryptData(CryptoMaterialsManager, byte[], Map) with
an empty encryptionContext.

public <K extends MasterKey<K>> CryptoResult<String,K> encryptString(MasterKeyProvider<K> provider, String plaintext, Map<String,String> encryptionContext)
Calls encryptData(MasterKeyProvider, byte[], Map) on the UTF-8 encoded bytes of
plaintext and base64 encodes the result.

public CryptoResult<String,?> encryptString(CryptoMaterialsManager materialsManager, String plaintext, Map<String,String> encryptionContext)
Calls encryptData(CryptoMaterialsManager, byte[], Map) on the UTF-8 encoded bytes of
plaintext and base64 encodes the result.

public <K extends MasterKey<K>> CryptoResult<String,K> encryptString(MasterKeyProvider<K> provider, String plaintext)
Returns the equivalent to calling encryptString(MasterKeyProvider, String, Map) with
an empty encryptionContext.

public CryptoResult<String,?> encryptString(CryptoMaterialsManager materialsManager, String plaintext)
Returns the equivalent to calling encryptString(CryptoMaterialsManager, String, Map) with
an empty encryptionContext.

public <K extends MasterKey<K>> CryptoResult<byte[],K> decryptData(MasterKeyProvider<K> provider, byte[] ciphertext)
Decrypts the provided ciphertext by requesting that the provider unwrap any
usable DataKey in the ciphertext and then decrypts the ciphertext using that
DataKey.

public CryptoResult<byte[],?> decryptData(CryptoMaterialsManager materialsManager, byte[] ciphertext)
Decrypts the provided ciphertext by delegating to the provided materialsManager to obtain the decrypted
DataKey.

public <K extends MasterKey<K>> CryptoResult<byte[],K> decryptData(MasterKeyProvider<K> provider, ParsedCiphertext ciphertext)
See also: decryptData(MasterKeyProvider, byte[])

public CryptoResult<byte[],?> decryptData(CryptoMaterialsManager materialsManager, ParsedCiphertext ciphertext)

public <K extends MasterKey<K>> CryptoResult<String,K> decryptString(MasterKeyProvider<K> provider, String ciphertext)
Base64 decodes the ciphertext prior to decryption and then treats the result as a
UTF-8 encoded string.
See also: decryptData(MasterKeyProvider, byte[])

public CryptoResult<String,?> decryptString(CryptoMaterialsManager provider, String ciphertext)
Base64 decodes the ciphertext prior to decryption and then treats the result as a
UTF-8 encoded string.

public <K extends MasterKey<K>> CryptoOutputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os, Map<String,String> encryptionContext)
Returns a CryptoOutputStream which encrypts the data prior to passing it onto the
underlying OutputStream.

public CryptoOutputStream<?> createEncryptingStream(CryptoMaterialsManager materialsManager, OutputStream os, Map<String,String> encryptionContext)
Returns a CryptoOutputStream which encrypts the data prior to passing it onto the
underlying OutputStream.

public <K extends MasterKey<K>> CryptoOutputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, OutputStream os)
Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, OutputStream, Map) with an empty
encryptionContext.

public CryptoOutputStream<?> createEncryptingStream(CryptoMaterialsManager materialsManager, OutputStream os)
Returns the equivalent to calling createEncryptingStream(CryptoMaterialsManager, OutputStream, Map) with an empty
encryptionContext.

public <K extends MasterKey<K>> CryptoInputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, InputStream is, Map<String,String> encryptionContext)
Returns a CryptoInputStream which encrypts the data after reading it from the
underlying InputStream.

public CryptoInputStream<?> createEncryptingStream(CryptoMaterialsManager materialsManager, InputStream is, Map<String,String> encryptionContext)
Returns a CryptoInputStream which encrypts the data after reading it from the
underlying InputStream.

public <K extends MasterKey<K>> CryptoInputStream<K> createEncryptingStream(MasterKeyProvider<K> provider, InputStream is)
Returns the equivalent to calling createEncryptingStream(MasterKeyProvider, InputStream, Map) with an empty
encryptionContext.

public CryptoInputStream<?> createEncryptingStream(CryptoMaterialsManager materialsManager, InputStream is)
Returns the equivalent to calling createEncryptingStream(CryptoMaterialsManager, InputStream, Map) with an empty
encryptionContext.

public <K extends MasterKey<K>> CryptoOutputStream<K> createDecryptingStream(MasterKeyProvider<K> provider, OutputStream os)
Returns a CryptoOutputStream which decrypts the data prior to passing it onto the
underlying OutputStream.

public <K extends MasterKey<K>> CryptoInputStream<K> createDecryptingStream(MasterKeyProvider<K> provider, InputStream is)
Returns a CryptoInputStream which decrypts the data after reading it from the
underlying InputStream.

public CryptoOutputStream<?> createDecryptingStream(CryptoMaterialsManager materialsManager, OutputStream os)
Returns a CryptoOutputStream which decrypts the data prior to passing it onto the
underlying OutputStream.

public CryptoInputStream<?> createDecryptingStream(CryptoMaterialsManager materialsManager, InputStream is)
Returns a CryptoInputStream which decrypts the data after reading it from the
underlying InputStream.

Copyright © 2018. All rights reserved.