Package org.forgerock.secrets.vault

Class VaultCipher

java.lang.Object

javax.crypto.CipherSpi

org.forgerock.secrets.vault.VaultCipher

public class VaultCipher
extends CipherSpi

Cipher implementation for the Hashicorp Vault transit backend. Supports AES-GCM and ChaCha20-Poly1305 authenticated encryption ciphers and RSA encryption with OAEP padding. While the RSA encryption is compatible with JOSE RSA-OAEP-256 encryption, the symmetric encryption algorithms are not compatible with JOSE as they lack support for additional authenticated data. Instead the primary use-case for symmetric encryption with Vault would be to decrypt other secrets that are then used locally, such as keystore passwords read from the filesystem.

Field Summary

Fields

Modifier and Type	Field	Description
static final OAEPParameterSpec	RSA_OAEP_PARAMETERS	Vault only supports RSA encryption using OAEP and these specific parameters.

Constructor Summary

Constructors

Constructor	Description
VaultCipher()

Method Summary

Modifier and Type	Method	Description
protected byte[]	engineDoFinal(byte[] input, int inputOffset, int inputLen)
protected int	engineDoFinal(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
protected int	engineGetBlockSize()
protected byte[]	engineGetIV()
protected int	engineGetKeySize(Key key)
protected int	engineGetOutputSize(int inputLen)
protected AlgorithmParameters	engineGetParameters()
protected void	engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random)
protected void	engineInit(int opmode, Key key, SecureRandom random)
protected void	engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random)
protected void	engineSetMode(String mode)
protected void	engineSetPadding(String padding)
protected Key	engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType)
protected byte[]	engineUpdate(byte[] input, int inputOffset, int inputLen)
protected int	engineUpdate(byte[] input, int inputOffset, int inputLen, byte[] output, int outputOffset)
protected byte[]	engineWrap(Key key)

Methods inherited from class javax.crypto.CipherSpi

engineDoFinal, engineUpdate, engineUpdateAAD, engineUpdateAAD

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

RSA_OAEP_PARAMETERS

public static final OAEPParameterSpec RSA_OAEP_PARAMETERS

Vault only supports RSA encryption using OAEP and these specific parameters. These are the same parameters used for JOSE RSA-OAEP-256 encryption. When encrypting data using Java's built-in encryption capabilities, you should pass these parameters explicitly to ensure compatibility with Vault.

Constructor Details

VaultCipher

public VaultCipher()

Method Details

engineSetMode

protected void engineSetMode(String mode)

Specified by:

engineSetMode in class CipherSpi

engineSetPadding

protected void engineSetPadding(String padding)

Specified by:

engineSetPadding in class CipherSpi

engineGetBlockSize

protected int engineGetBlockSize()

Specified by:

engineGetBlockSize in class CipherSpi

engineGetOutputSize

protected int engineGetOutputSize(int inputLen)

Specified by:

engineGetOutputSize in class CipherSpi

engineGetIV

protected byte[] engineGetIV()

Specified by:

engineGetIV in class CipherSpi

engineGetParameters

protected AlgorithmParameters engineGetParameters()

Specified by:

engineGetParameters in class CipherSpi

engineInit

protected void engineInit(int opmode,
 Key key,
 SecureRandom random)
                   throws InvalidKeyException

Specified by:

engineInit in class CipherSpi

Throws:

InvalidKeyException

engineInit

protected void engineInit(int opmode,
 Key key,
 AlgorithmParameterSpec params,
 SecureRandom random)
                   throws InvalidKeyException,
InvalidAlgorithmParameterException

Specified by:

engineInit in class CipherSpi

Throws:

InvalidKeyException

InvalidAlgorithmParameterException

engineInit

protected void engineInit(int opmode,
 Key key,
 AlgorithmParameters params,
 SecureRandom random)
                   throws InvalidKeyException,
InvalidAlgorithmParameterException

Specified by:

engineInit in class CipherSpi

Throws:

InvalidKeyException

InvalidAlgorithmParameterException

engineUpdate

protected byte[] engineUpdate(byte[] input,
 int inputOffset,
 int inputLen)

Specified by:

engineUpdate in class CipherSpi

engineUpdate

protected int engineUpdate(byte[] input,
 int inputOffset,
 int inputLen,
 byte[] output,
 int outputOffset)

Specified by:

engineUpdate in class CipherSpi

engineDoFinal

protected byte[] engineDoFinal(byte[] input,
 int inputOffset,
 int inputLen)
                        throws BadPaddingException

Specified by:

engineDoFinal in class CipherSpi

Throws:

BadPaddingException

engineDoFinal

protected int engineDoFinal(byte[] input,
 int inputOffset,
 int inputLen,
 byte[] output,
 int outputOffset)
                     throws ShortBufferException,
BadPaddingException

Specified by:

engineDoFinal in class CipherSpi

Throws:

ShortBufferException

BadPaddingException

engineWrap

protected byte[] engineWrap(Key key)
                     throws IllegalBlockSizeException

Overrides:

engineWrap in class CipherSpi

Throws:

IllegalBlockSizeException

engineUnwrap

protected Key engineUnwrap(byte[] wrappedKey,
 String wrappedKeyAlgorithm,
 int wrappedKeyType)
                    throws InvalidKeyException

Overrides:

engineUnwrap in class CipherSpi

Throws:

InvalidKeyException

engineGetKeySize

protected int engineGetKeySize(Key key)
                        throws InvalidKeyException

Overrides:

engineGetKeySize in class CipherSpi

Throws:

InvalidKeyException