public final class StandardPBEByteEncryptor extends Object implements PBEByteCleanablePasswordEncryptor
Standard implementation of the PBEByteEncryptor
interface.
This class lets the user specify the algorithm (and provider) to be used for
encryption, the password to use,
the number of hashing iterations and the salt generator
that will be applied for obtaining
the encryption key.
This class is thread-safe.
Configuration
The algorithm, provider, password, key-obtention iterations and salt generator can take values in any of these ways:
PBEConfig
object which provides new
configuration values.PBEConfig
object has been set with
setConfig(...), the non-null values returned by its
getX() methods override the default values.
Initialization
Before it is ready to encrypt, an object of this class has to be initialized. Initialization happens:
Usage
An encryptor may be used for:
To learn more about the mechanisms involved in encryption, read PKCS #5: Password-Based Cryptography Standard.
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_ALGORITHM
The default algorithm to be used if none specified: PBEWithMD5AndDES.
|
static int |
DEFAULT_KEY_OBTENTION_ITERATIONS
The default number of hashing iterations applied for obtaining the
encryption key from the specified password, set to 1000.
|
static int |
DEFAULT_SALT_SIZE_BYTES
The default salt size, only used if the chosen encryption algorithm
is not a block algorithm and thus block size cannot be used as salt size.
|
Constructor and Description |
---|
StandardPBEByteEncryptor()
Creates a new instance of StandardPBEByteEncryptor.
|
Modifier and Type | Method and Description |
---|---|
byte[] |
decrypt(byte[] encryptedMessage)
Decrypts a message using the specified configuration.
|
byte[] |
encrypt(byte[] message)
Encrypts a message using the specified configuration.
|
void |
initialize()
Initialize the encryptor.
|
boolean |
isInitialized()
Returns true if the encryptor has already been initialized, false if
not.
Initialization happens: |
void |
setAlgorithm(String algorithm)
Sets the algorithm to be used for encryption, like
PBEWithMD5AndDES.
|
void |
setConfig(PBEConfig config)
Sets a
PBEConfig object
for the encryptor. |
void |
setKeyObtentionIterations(int keyObtentionIterations)
Set the number of hashing iterations applied to obtain the
encryption key.
|
void |
setPassword(String password)
Sets the password to be used.
|
void |
setPasswordCharArray(char[] password)
Sets the password to be used, as a char[].
|
void |
setProvider(Provider provider)
Sets the security provider to be asked for the encryption algorithm.
|
void |
setProviderName(String providerName)
Sets the name of the security provider to be asked for the
encryption algorithm.
|
void |
setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used.
|
public static final String DEFAULT_ALGORITHM
public static final int DEFAULT_KEY_OBTENTION_ITERATIONS
public static final int DEFAULT_SALT_SIZE_BYTES
public StandardPBEByteEncryptor()
public void setConfig(PBEConfig config)
Sets a PBEConfig
object
for the encryptor. If this config
object is set, it will be asked values for:
The non-null values it returns will override the default ones, and will be overriden by any values specified with a setX method.
config
- the PBEConfig object to be used as the
source for configuration parameters.public void setAlgorithm(String algorithm)
Sets the algorithm to be used for encryption, like PBEWithMD5AndDES.
This algorithm has to be supported by your JCE provider (if you specify one, or the default JVM provider if you don't) and, if it is supported, you can also specify mode and padding for it, like ALGORITHM/MODE/PADDING.
algorithm
- the name of the algorithm to be used.public void setPassword(String password)
Sets the password to be used.
There is no default value for password, so not setting
this parameter either from a
PBEConfig
object or from
a call to setPassword will result in an
EncryptionInitializationException being thrown during initialization.
setPassword
in interface PasswordBased
password
- the password to be used.public void setPasswordCharArray(char[] password)
Sets the password to be used, as a char[].
This allows the password to be specified as a cleanable char[] instead of a String, in extreme security conscious environments in which no copy of the password as an immutable String should be kept in memory.
Important: the array specified as a parameter WILL BE COPIED in order to be stored as encryptor configuration. The caller of this method will therefore be responsible for its cleaning (jasypt will only clean the internally stored copy).
There is no default value for password, so not setting
this parameter either from a
PBEConfig
object or from
a call to setPassword will result in an
EncryptionInitializationException being thrown during initialization.
setPasswordCharArray
in interface CleanablePasswordBased
password
- the password to be used.public void setKeyObtentionIterations(int keyObtentionIterations)
Set the number of hashing iterations applied to obtain the encryption key.
This mechanism is explained in PKCS #5: Password-Based Cryptography Standard.
keyObtentionIterations
- the number of iterationspublic void setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used. If no salt generator is specified,
an instance of RandomSaltGenerator
will be used.
saltGenerator
- the salt generator to be used.public void setProviderName(String providerName)
Sets the name of the security provider to be asked for the encryption algorithm. This security provider has to be registered beforehand at the JVM security framework.
The provider can also be set with the setProvider(Provider)
method, in which case it will not be necessary neither registering
the provider beforehand,
nor calling this setProviderName(String)
method to specify
a provider name.
Note that a call to setProvider(Provider)
overrides any value
set by this method.
If no provider name / provider is explicitly set, the default JVM provider will be used.
providerName
- the name of the security provider to be asked
for the encryption algorithm.public void setProvider(Provider provider)
Sets the security provider to be asked for the encryption algorithm. The provider does not have to be registered at the security infrastructure beforehand, and its being used here will not result in its being registered.
If this method is called, calling setProviderName(String)
becomes unnecessary.
If no provider name / provider is explicitly set, the default JVM provider will be used.
provider
- the provider to be asked for the chosen algorithmpublic boolean isInitialized()
Returns true if the encryptor has already been initialized, false if
not.
Initialization happens:
Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
public void initialize()
Initialize the encryptor.
This operation will consist in determining the actual configuration
values to be used, and then initializing the encryptor with them.
These values are decided by applying the following priorities:
PBEConfig
object has been set with
setConfig, the non-null values returned by its
getX methods override the default values.Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).public byte[] encrypt(byte[] message) throws EncryptionOperationNotPossibleException
Encrypts a message using the specified configuration.
The mechanisms applied to perform the encryption operation are described in PKCS #5: Password-Based Cryptography Standard.
This encryptor uses a salt for each encryption operation. The size of the salt depends on the algorithm being used. This salt is used for creating the encryption key and, if generated by a random generator, it is also appended unencrypted at the beginning of the results so that a decryption operation can be performed.
If a random salt generator is used, two encryption results for the same message will always be different (except in the case of random salt coincidence). This may enforce security by difficulting brute force attacks on sets of data at a time and forcing attackers to perform a brute force attack on each separate piece of encrypted data.
encrypt
in interface ByteEncryptor
message
- the byte array message to be encryptedEncryptionOperationNotPossibleException
- if the encryption
operation fails, ommitting any further information about the
cause for security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).public byte[] decrypt(byte[] encryptedMessage) throws EncryptionOperationNotPossibleException
Decrypts a message using the specified configuration.
The mechanisms applied to perform the decryption operation are described in PKCS #5: Password-Based Cryptography Standard.
If a random salt generator is used, this decryption operation will expect to find an unencrypted salt at the beginning of the encrypted input, so that the decryption operation can be correctly performed (there is no other way of knowing it).
decrypt
in interface ByteEncryptor
encryptedMessage
- the byte array message to be decryptedEncryptionOperationNotPossibleException
- if the decryption
operation fails, ommitting any further information about the
cause for security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).Copyright © 2017 JBoss by Red Hat. All rights reserved.