@ProviderType public interface CryptoSupport
CryptoSupport
provides a simple API to encrypt and decrypt
binary and string data.
This interface is not intended to be implemented by consumers. To use the API get the service from the service registry under the name "com.adobe.granite.crypto.CryptoSupport".
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
NAME
Name of the Encryption/Decryption service which may be used securily
store sensitive data.
|
Modifier and Type | Method and Description |
---|---|
java.security.KeyPair |
createKeyPair(java.lang.String algorithm)
Generates a key pair.
|
byte[] |
decrypt(byte[] cipherText)
Decrypts the given
cipherText data into plain text. |
byte[] |
decrypt(byte[] key,
byte[] cipherText)
Decrypts the given
cipherText data into plain text. |
byte[] |
encrypt(byte[] plainText)
Encrypts the given
plainText data into a cipher text. |
byte[] |
encrypt(byte[] key,
byte[] plainText)
Encrypts the given
plainText data into a cipher text. |
byte[] |
hmac_sha256(byte[] text)
Generate HMAC bytes given some text.
|
byte[] |
hmac_sha256(byte[] key,
byte[] text)
Generate HMAC bytes given a key and some text.
|
boolean |
isProtected(java.lang.String text)
Returns
true if the given string is to be considered
protected by the protect(String) method and can be converted to
plain text by calling the unprotect(String) method. |
void |
nextRandomBytes(byte[] bytes)
Fill the byte buffer with securely-generated pseudo-random bytes.
|
java.lang.String |
protect(byte[] key,
java.lang.String plainText)
Encrypts the given
plainText data into a cipher text. |
java.lang.String |
protect(java.lang.String plainText)
Encrypts the given
plainText data into a cipher text. |
byte[] |
sign(byte[] text,
java.security.PrivateKey privateKey,
java.lang.String algorithm)
Sign some data using the given private key
|
java.security.cert.Certificate |
sign(java.security.cert.Certificate issuerCertificate,
java.security.KeyPair keyPair,
javax.security.auth.x500.X500Principal subject,
long before,
long after)
Sign a
Certificate either using a provided issuer certificate or using the Certificate subject
as issuer (self signed). |
java.lang.String |
unprotect(byte[] key,
java.lang.String cipherText)
Unprotects the given string such that the resulting plain text string if
given to the
protect(byte[], String) returns the protected string given
to this method. |
java.lang.String |
unprotect(java.lang.String cipherText)
Unprotects the given string such that the resulting plain text string if
given to the
protect(String) returns the protected string given
to this method. |
byte[] |
unwrapKey(byte[] wrappedKeyData)
Unwraps the given
wrappedKey using a symmetric key wrap algorithm. |
byte[] |
unwrapKey(byte[] kek,
byte[] wrappedKeyData)
Unwraps the given
wrappedKey using a symmetric key wrap algorithm. |
boolean |
verify(byte[] text,
byte[] signedText,
java.security.PublicKey publicKey,
java.lang.String algorithm)
Perform a signature verification with the given public key.
|
byte[] |
wrapKey(byte[] keyData)
Wraps the given
keyData using a symmetric key wrap algorithm. |
byte[] |
wrapKey(byte[] kek,
byte[] keyData)
Wraps the given
keyData using a symmetric key wrap algorithm. |
static final java.lang.String NAME
byte[] encrypt(byte[] plainText) throws CryptoException
plainText
data into a cipher text.
Note that this method and the decrypt(byte[])
method provide
full round trip support:
decrypt(encrypt(plainText)).equals(plainText) == true
Please note, that calling this method twice on the same
plainText
does not return the same cipher text:
encrypt(plainText).equals(encrypt(plainText)) == false
plainText
- The plain text data to encryptCryptoException
- If any problem occurrs encrypting the plain text
data. The Throwable.getCause()
method may
provide additional information on the encryption failure.byte[] decrypt(byte[] cipherText) throws CryptoException
cipherText
data into plain text.
Note that this method and the encrypt(byte[])
method provide
full round trip support:
decrypt(encrypt(plainText)).equals(plainText) == true
cipherText
- The encrypted data to decryptCryptoException
- If any problem occurrs decrypting the cipher
text. The Throwable.getCause()
method may
provide additional information on the decryption failure.byte[] encrypt(byte[] key, byte[] plainText) throws CryptoException
plainText
data into a cipher text.
Note that this method and the decrypt(byte [], byte[])
method provide
full round trip support:
decrypt(encrypt(key,plainText)).equals(key,plainText) == true
Please note that the implementation will not clear the byte[] key.
Please note, that calling this method twice on the same
plainText
does not return the same cipher text:
encrypt(key, plainText).equals(encrypt(key, plainText)) == false
key
- The bytes used to seed the algorithm. This must be a non-
null
, non empty array of bytes. If the array is
larger than 512 elements, only the first 512 entries are used.plainText
- The plain text data to encryptCryptoException
- If any problem occurrs encrypting the plain text
data. The Throwable.getCause()
method may
provide additional information on the encryption failure.byte[] decrypt(byte[] key, byte[] cipherText) throws CryptoException
cipherText
data into plain text.
Please note that the implementation will not clear the byte[] key.
Note that this method and the encrypt(byte [], byte[])
method provide
full round trip support:
decrypt(encrypt(key, plainText)).equals(key, plainText) == true
key
- The bytes used to seed the algorithm. This must be a non-
null
, non empty array of bytes. If the array is
larger than 512 elements, only the first 512 entries are used.cipherText
- The encrypted data to decryptCryptoException
- If any problem occurrs decrypting the cipher
text. The Throwable.getCause()
method may
provide additional information on the decryption failure.boolean isProtected(java.lang.String text)
true
if the given string is to be considered
protected by the protect(String)
method and can be converted to
plain text by calling the unprotect(String)
method.text
- the string to test for protectiontrue
if the given string is to be considered protected by
the protect(String)
method and can be converted to plain text by
calling the unprotect(String)
methodjava.lang.String protect(java.lang.String plainText) throws CryptoException
plainText
data into a cipher text.
This method is like encrypt(byte[])
but for character data.
Note that this method and the unprotect(String)
method provide
full round trip support:
unprotect(protect(plainText)).equals(plainText) == true
Please note, that calling this method twice on the same
plainText
does not return the same cipher text:
protect(plainText).equals(protect(plainText)) == false
plainText
- The plain text data to encryptCryptoException
- If any problem occurrs encrypting the plain text
data. The Throwable.getCause()
method may
provide additional information on the encryption failure.java.lang.String unprotect(java.lang.String cipherText) throws CryptoException
protect(String)
returns the protected string given
to this method.
Note that this method and the protect(String)
method provide
full round trip support:
unprotect(protect(plainText)).equals(plainText) == true
cipherText
- The encrypted data to decryptCryptoException
- If any problem occurrs decrypting the cipher
text. The Throwable.getCause()
method may
provide additional information on the decryption failure.
Particularly this exception may be thrown if the
cipherText
has obviously not been protected by
the protect(String)
method and
isProtected(String)
would return false
.java.lang.String protect(byte[] key, java.lang.String plainText) throws CryptoException
plainText
data into a cipher text.
This method is like encrypt(byte[], byte[])
but for character data.
Please note that the implementation will not clear the byte[] key.
Note that this method and the unprotect(byte[], String)
method provide
full round trip support:
unprotect(protect(key, plainText)).equals(key, plainText) == true
Please note, that calling this method twice on the same
plainText
does not return the same cipher text:
protect(key, plainText).equals(protect(key, plainText)) == false
key
- The bytes used to seed the algorithm. This must be a non-
null
, non empty array of bytes. If the array is
larger than 512 elements, only the first 512 entries are used.plainText
- The plain text data to encryptCryptoException
- If any problem occurrs encrypting the plain text
data. The Throwable.getCause()
method may
provide additional information on the encryption failure.java.lang.String unprotect(byte[] key, java.lang.String cipherText) throws CryptoException
protect(byte[], String)
returns the protected string given
to this method.
Please note that the implementation will not clear the byte[] key.
Note that this method and the protect(byte[], String)
method provide
full round trip support:
unprotect(protect(key, plainText)).equals(key, plainText) == true
key
- The bytes used to seed the algorithm. This must be a non-
null
, non empty array of bytes. If the array is
larger than 512 elements, only the first 512 entries are used.cipherText
- The encrypted data to decryptCryptoException
- If any problem occurrs decrypting the cipher
text. The Throwable.getCause()
method may
provide additional information on the decryption failure.
Particularly this exception may be thrown if the
cipherText
has obviously not been protected by
the protect(String)
method and
isProtected(String)
would return false
.byte[] wrapKey(byte[] kek, byte[] keyData) throws CryptoException
keyData
using a symmetric key wrap algorithm.
Note that this method and the unwrapKey(byte[], byte[])
method provide
full round trip support:
unwrapKey(wrapKey(kek,keyData)).equals(kek,keyData) == true
Please note that the implementation will not clear the byte[] key.
Please note, that unlike for encryption methods, calling this method
twice with the same keyData
may return the same cipher text.
kek
- the key-encryption key used to seed the key wrap algorithm.
This must be a non-null
, non empty array of bytes.
Refer to the implementation for supported algorithm and key lengths.keyData
- The key data to be wrapped.
This must ve a non-null
, non empty array of bytes.
Refer to the implementation for limitations regarding the size.CryptoException
- If any problem occurs wrapping the key data.
The Throwable.getCause()
method may
provide additional information on the wrapping failure.byte[] wrapKey(byte[] keyData) throws CryptoException
keyData
using a symmetric key wrap algorithm.
Note that the kek the key-encryption key used to seed the key wrap algorithm is selected by the implementation.
Note that this method and the unwrapKey(byte[])
method provide
full round trip support:
unwrapKey(wrapKey(keyData)).equals(keyData) == true
Please note that the implementation will not clear the byte[] key.
Please note, that unlike for encryption methods, calling this method
twice with the same keyData
may return the same cipher text.
keyData
- The key data to be wrapped.
This must ve a non-null
, non empty array of bytes.
Refer to the implementation for limitations regarding the size.CryptoException
- If any problem occurs wrapping the key data.
The Throwable.getCause()
method may
provide additional information on the wrapping failure.byte[] unwrapKey(byte[] kek, byte[] wrappedKeyData) throws CryptoException
wrappedKey
using a symmetric key wrap algorithm.
Note that this method and the wrapKey(byte[], byte[])
method provide
full round trip support:
unwrapKey(wrapKey(kek,keyData)).equals(kek,keyData) == true
Please note that the implementation will not clear the byte[] key.
kek
- the key-encryption key used to seed the key wrap algorithm.
This must be a non-null
, non empty array of bytes.
Refer to the implementation for supported algorithm and key lengths.wrappedKeyData
- The key data to be wrapped.
This must ve a non-null
, non empty array of bytes.
Refer to the implementation for limitations regarding the size.CryptoException
- If any problem occurs wrapping the key data.
The Throwable.getCause()
method may
provide additional information on the wrapping failure.byte[] unwrapKey(byte[] wrappedKeyData) throws CryptoException
wrappedKey
using a symmetric key wrap algorithm.
Note that the kek the key-encryption key used to seed the key wrap algorithm is selected by the implementation.
Note that this method and the wrapKey(byte[])
method provide
full round trip support:
unwrapKey(wrapKey(keyData)).equals(keyData) == true
Please note that the implementation will not clear the byte[] key.
wrappedKeyData
- The key data to be wrapped.
This must ve a non-null
, non empty array of bytes.
Refer to the implementation for limitations regarding the size.CryptoException
- If any problem occurs wrapping the key data.
The Throwable.getCause()
method may
provide additional information on the wrapping failure.void nextRandomBytes(byte[] bytes) throws CryptoException
bytes
- Buffer to fill with random bytes.CryptoException
- If any problem occurrs calculating the random
data. The Throwable.getCause()
method may
provide additional information on the failure.byte[] hmac_sha256(byte[] key, byte[] text) throws CryptoException
The implementation is expected to implement the keyed hashing function using SHA-256 as the hash algorithm. See RFC 2104 for the HMAC specification.
Please note that the implementation will not clear the byte[] key.
If a string of character is to be hashed, it is suggested but not required to convert the String to a byte array using UTF-8.
key
- The bytes used to seed the algorithm. This must be a non-
null
, non empty array of bytes. If the array is
larger than 512 elements, only the first 512 entries are used.text
- The clear text to apply the hash algorithm to.CryptoException
- If any problem occurrs calculating the hash code
of the text. The Throwable.getCause()
method
may provide additional information on the failure.java.lang.IllegalArgumentException
- if the key
or
text
is null
or an empty array.byte[] hmac_sha256(byte[] text) throws CryptoException
The implementation is expected to implement the keyed hashing function using SHA-256 as the hash algorithm. See RFC 2104 for the HMAC specification.
If a string of character is to be hashed, it is suggested but not required to convert the String to a byte array using UTF-8.
text
- The clear text to apply the hash algorithm to.CryptoException
- If any problem occurrs calculating the hash code
of the text. The Throwable.getCause()
method
may provide additional information on the failure.java.lang.IllegalArgumentException
- if the key
or
text
is null
or an empty array.java.security.KeyPair createKeyPair(java.lang.String algorithm) throws CryptoException
algorithm
- the standard string name of the algorithmCryptoException
- If any problem occurs creating the
key pair. The Throwable.getCause()
method may
provide additional information on the encryption failure.java.lang.IllegalArgumentException
- if the algorithm
is null
or incorrect.java.security.cert.Certificate sign(java.security.cert.Certificate issuerCertificate, java.security.KeyPair keyPair, javax.security.auth.x500.X500Principal subject, long before, long after) throws CryptoException
Certificate
either using a provided issuer certificate or using the Certificate
subject
as issuer (self signed).issuerCertificate
- the Certificate
of the issuer or null
to self-sign the certificate.keyPair
- the key pair containing the certificate subject PublicKey
and the
issuer PrivateKey
key.subject
- the subject of the certificate to be issuedbefore
- the notBefore
UTC timestamp for the certificate validity periodafter
- the notAfter
UTC timestamp for the certificate validity periodCertificate
CryptoException
- if any problem occurs when signingbyte[] sign(byte[] text, java.security.PrivateKey privateKey, java.lang.String algorithm) throws CryptoException
Please note that the implementation will not clear the private key.
text
- the clear text to signprivateKey
- the private key used to sign the clear textalgorithm
- the standard string name of the algorithmCryptoException
- If any problem occurs signing the
clear text. The Throwable.getCause()
method may
provide additional information on the encryption failure.java.lang.IllegalArgumentException
- if the algorithm
or
privateKey
is null
or incorrect.boolean verify(byte[] text, byte[] signedText, java.security.PublicKey publicKey, java.lang.String algorithm) throws CryptoException
Please note that the implementation will not clear the public key.
text
- The clear text which has been signedsignedText
- the signed text to be verifiedpublicKey
- the public key used to verify the signaturealgorithm
- the standard string name of the algorithmtrue
if the alleged signature (signedText) is the actual
signature of the specified data (text)CryptoException
- If any problem occurs verifying the
signed text. The Throwable.getCause()
method may
provide additional information on the encryption failure.java.lang.IllegalArgumentException
- if the algorithm
or
publicKey
is null
or incorrect.Copyright © 2010 - 2020 Adobe. All Rights Reserved