Package org.forgerock.secrets.vault
Class VaultCipher
- java.lang.Object
  - javax.crypto.CipherSpi
    - org.forgerock.secrets.vault.VaultCipher

public class VaultCipher extends CipherSpi
Cipher implementation for the HashiCorp Vault transit backend. Supports AES-GCM and ChaCha20-Poly1305 authenticated encryption ciphers and RSA encryption with OAEP padding. While the RSA encryption is compatible with JOSE RSA-OAEP-256 encryption, the symmetric encryption algorithms are not compatible with JOSE as they lack support for additional authenticated data. Instead, the primary use case for symmetric encryption with Vault would be to decrypt other secrets that are then used locally, such as keystore passwords read from the filesystem.

Field Summary
Modifier and Type, Field, Description:
- static OAEPParameterSpec RSA_OAEP_PARAMETERS: Vault only supports RSA encryption using OAEP and these specific parameters.

Constructor Summary
Constructor:
- VaultCipher()

Method Summary
Modifier and Type, Method:
- protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen)
- protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
- protected int engineGetBlockSize()
- protected byte[] engineGetIV()
- protected int engineGetKeySize(Key key)
- protected int engineGetOutputSize(int inputLen)
- protected AlgorithmParameters engineGetParameters()
- protected void engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random)
- protected void engineInit(int opmode, Key key, SecureRandom random)
- protected void engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random)
- protected void engineSetMode(String mode)
- protected void engineSetPadding(String padding)
- protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType)
- protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen)
- protected int engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
- protected byte[] engineWrap(Key key)

Methods inherited from class javax.crypto.CipherSpi
engineDoFinal, engineUpdate, engineUpdateAAD, engineUpdateAAD

Field Detail

RSA_OAEP_PARAMETERS
public static final OAEPParameterSpec RSA_OAEP_PARAMETERS
Vault only supports RSA encryption using OAEP and these specific parameters. These are the same parameters used for JOSE RSA-OAEP-256 encryption. When encrypting data using Java's built-in encryption capabilities, you should pass these parameters explicitly to ensure compatibility with Vault.
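
The following added example (not from this Javadoc page or the ForgeRock code base) passes the OAEP parameters explicitly to the JDK's built-in RSA cipher and then prints the MGF1 digest the JDK picks when only the transformation name is given. Assumptions: the spec is built locally with the JOSE RSA-OAEP-256 values (SHA-256, MGF1 with SHA-256, empty label) rather than read from `VaultCipher.RSA_OAEP_PARAMETERS`, and a locally generated key pair stands in for a Vault transit key; the class name and plaintext are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class VaultOaepExample {
    // Assumption: JOSE RSA-OAEP-256 values (SHA-256 digest, MGF1 with SHA-256, empty label).
    // With the ForgeRock library on the classpath, use VaultCipher.RSA_OAEP_PARAMETERS instead.
    static final OAEPParameterSpec OAEP_256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key pair standing in for the RSA key held by Vault.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair pair = kpg.generateKeyPair();
        byte[] secret = "constructed-keystore-password".getBytes(StandardCharsets.UTF_8);

        // Encrypt with the parameters passed explicitly, as the field documentation advises.
        Cipher enc = Cipher.getInstance("RSA/ECB/OAEPPadding");
        enc.init(Cipher.ENCRYPT_MODE, pair.getPublic(), OAEP_256);
        byte[] ciphertext = enc.doFinal(secret);

        // Decrypt locally with the same explicit spec to confirm both sides agree.
        Cipher dec = Cipher.getInstance("RSA/ECB/OAEPPadding");
        dec.init(Cipher.DECRYPT_MODE, pair.getPrivate(), OAEP_256);
        boolean roundTrip = Arrays.equals(secret, dec.doFinal(ciphertext));
        System.out.println("explicit spec round trip: " + roundTrip);

        // Pitfall: naming the padding in the transformation string without a spec.
        // The JDK's default provider keeps MGF1 at SHA-1 for this name, so the
        // resulting ciphertext would not match the SHA-256/SHA-256 parameters.
        Cipher implicit = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        implicit.init(Cipher.ENCRYPT_MODE, pair.getPublic());
        OAEPParameterSpec actual =
                implicit.getParameters().getParameterSpec(OAEPParameterSpec.class);
        MGF1ParameterSpec mgf = (MGF1ParameterSpec) actual.getMGFParameters();
        System.out.println("implicit OAEP digest: " + actual.getDigestAlgorithm());
        System.out.println("implicit MGF1 digest: " + mgf.getDigestAlgorithm());
    }
}
```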

Method Detail

engineSetMode
protected void engineSetMode(String mode)
- Specified by: engineSetMode in class CipherSpi

engineSetPadding
protected void engineSetPadding(String padding)
- Specified by: engineSetPadding in class CipherSpi

engineGetBlockSize
protected int engineGetBlockSize()
- Specified by: engineGetBlockSize in class CipherSpi

engineGetOutputSize
protected int engineGetOutputSize(int inputLen)
- Specified by: engineGetOutputSize in class CipherSpi

engineGetIV
protected byte[] engineGetIV()
- Specified by: engineGetIV in class CipherSpi

engineGetParameters
protected AlgorithmParameters engineGetParameters()
- Specified by: engineGetParameters in class CipherSpi

engineInit
protected void engineInit(int opmode, Key key, SecureRandom random) throws InvalidKeyException
- Specified by: engineInit in class CipherSpi
- Throws: InvalidKeyException

engineInit
protected void engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException
- Specified by: engineInit in class CipherSpi
- Throws: InvalidKeyException, InvalidAlgorithmParameterException

engineInit
protected void engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException
- Specified by: engineInit in class CipherSpi
- Throws: InvalidKeyException, InvalidAlgorithmParameterException

engineUpdate
protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen)
- Specified by: engineUpdate in class CipherSpi

engineUpdate
protected int engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
- Specified by: engineUpdate in class CipherSpi

engineDoFinal
protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen) throws BadPaddingException
- Specified by: engineDoFinal in class CipherSpi
- Throws: BadPaddingException

engineDoFinal
protected int engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset) throws ShortBufferException, BadPaddingException
- Specified by: engineDoFinal in class CipherSpi
- Throws: ShortBufferException, BadPaddingException

engineWrap
protected byte[] engineWrap(Key key) throws IllegalBlockSizeException
- Overrides: engineWrap in class CipherSpi
- Throws: IllegalBlockSizeException

engineUnwrap
protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType) throws InvalidKeyException
- Overrides: engineUnwrap in class CipherSpi
- Throws: InvalidKeyException

engineGetKeySize
protected int engineGetKeySize(Key key) throws InvalidKeyException
- Overrides: engineGetKeySize in class CipherSpi
- Throws: InvalidKeyException