public final class StandardPBEStringEncryptor extends Object implements PBEStringCleanablePasswordEncryptor
Standard implementation of the PBEStringEncryptor
interface.
This class lets the user specify the algorithm (and provider) to be used for
encryption, the password to use,
the number of hashing iterations and the salt generator
that will be applied for obtaining
the encryption key.
This class avoids byte-conversion problems related to the fact of different platforms having different default charsets, and returns encryption results in the form of BASE64-encoded or HEXADECIMAL ASCII Strings.
This class is thread-safe.
Configuration
The algorithm, provider, password, key-obtention iterations and salt generator can take values in any of these ways:
PBEConfig
object which provides new
configuration values.PBEConfig
object has been set with
setConfig(...), the non-null values returned by its
getX() methods override the default values.
Initialization
Before it is ready to encrypt, an object of this class has to be initialized. Initialization happens:
Usage
An encryptor may be used for:
To learn more about the mechanisms involved in encryption, read PKCS #5: Password-Based Cryptography Standard.
Modifier and Type | Field and Description |
---|---|
static String |
DEFAULT_STRING_OUTPUT_TYPE
Default type of String output.
|
Constructor and Description |
---|
StandardPBEStringEncryptor()
Creates a new instance of StandardPBEStringEncryptor.
|
Modifier and Type | Method and Description |
---|---|
String |
decrypt(String encryptedMessage)
Decrypts a message using the specified configuration.
|
String |
encrypt(String message)
Encrypts a message using the specified configuration.
|
void |
initialize()
Initialize the encryptor.
|
boolean |
isInitialized()
Returns true if the encryptor has already been initialized, false if
not.
Initialization happens: |
void |
setAlgorithm(String algorithm)
Sets the algorithm to be used for encryption, like
PBEWithMD5AndDES.
|
void |
setConfig(PBEConfig config)
Sets a
PBEConfig object
for the encryptor. |
void |
setKeyObtentionIterations(int keyObtentionIterations)
Set the number of hashing iterations applied to obtain the
encryption key.
|
void |
setPassword(String password)
Sets the password to be used.
|
void |
setPasswordCharArray(char[] password)
Sets the password to be used, as a char[].
|
void |
setProvider(Provider provider)
Sets the security provider to be asked for the encryption algorithm.
|
void |
setProviderName(String providerName)
Sets the name of the security provider to be asked for the
encryption algorithm.
|
void |
setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used.
|
void |
setStringOutputType(String stringOutputType)
Sets the the form in which String output
will be encoded.
|
public static final String DEFAULT_STRING_OUTPUT_TYPE
Default type of String output. Set to BASE64.
public StandardPBEStringEncryptor()
public void setConfig(PBEConfig config)
Sets a PBEConfig
object
for the encryptor. If this config
object is set, it will be asked values for:
The non-null values it returns will override the default ones, and will be overriden by any values specified with a setX method.
config
- the PBEConfig object to be used as the
source for configuration parameters.public void setAlgorithm(String algorithm)
Sets the algorithm to be used for encryption, like PBEWithMD5AndDES.
This algorithm has to be supported by your JCE provider (if you specify one, or the default JVM provider if you don't) and, if it is supported, you can also specify mode and padding for it, like ALGORITHM/MODE/PADDING.
algorithm
- the name of the algorithm to be used.public void setPassword(String password)
Sets the password to be used.
There is no default value for password, so not setting
this parameter either from a
PBEConfig
object or from
a call to setPassword will result in an
EncryptionInitializationException being thrown during initialization.
setPassword
in interface PasswordBased
password
- the password to be used.public void setPasswordCharArray(char[] password)
Sets the password to be used, as a char[].
This allows the password to be specified as a cleanable char[] instead of a String, in extreme security conscious environments in which no copy of the password as an immutable String should be kept in memory.
Important: the array specified as a parameter WILL BE COPIED in order to be stored as encryptor configuration. The caller of this method will therefore be responsible for its cleaning (jasypt will only clean the internally stored copy).
There is no default value for password, so not setting
this parameter either from a
PBEConfig
object or from
a call to setPassword will result in an
EncryptionInitializationException being thrown during initialization.
setPasswordCharArray
in interface CleanablePasswordBased
password
- the password to be used.public void setKeyObtentionIterations(int keyObtentionIterations)
Set the number of hashing iterations applied to obtain the encryption key.
This mechanism is explained in PKCS #5: Password-Based Cryptography Standard.
keyObtentionIterations
- the number of iterationspublic void setSaltGenerator(SaltGenerator saltGenerator)
Sets the salt generator to be used. If no salt generator is specified,
an instance of RandomSaltGenerator
will be used.
saltGenerator
- the salt generator to be used.public void setProviderName(String providerName)
Sets the name of the security provider to be asked for the encryption algorithm. This security provider has to be registered beforehand at the JVM security framework.
The provider can also be set with the setProvider(Provider)
method, in which case it will not be necessary neither registering
the provider beforehand,
nor calling this setProviderName(String)
method to specify
a provider name.
Note that a call to setProvider(Provider)
overrides any value
set by this method.
If no provider name / provider is explicitly set, the default JVM provider will be used.
providerName
- the name of the security provider to be asked
for the encryption algorithm.public void setProvider(Provider provider)
Sets the security provider to be asked for the encryption algorithm. The provider does not have to be registered at the security infrastructure beforehand, and its being used here will not result in its being registered.
If this method is called, calling setProviderName(String)
becomes unnecessary.
If no provider name / provider is explicitly set, the default JVM provider will be used.
provider
- the provider to be asked for the chosen algorithmpublic void setStringOutputType(String stringOutputType)
Sets the the form in which String output will be encoded. Available encoding types are:
If not set, null will be returned.
stringOutputType
- the string output type.public boolean isInitialized()
Returns true if the encryptor has already been initialized, false if
not.
Initialization happens:
Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
public void initialize()
Initialize the encryptor.
This operation will consist in determining the actual configuration
values to be used, and then initializing the encryptor with them.
These values are decided by applying the following priorities:
PBEConfig
object has been set with
setConfig, the non-null values returned by its
getX methods override the default values.Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).public String encrypt(String message)
Encrypts a message using the specified configuration.
The Strings returned by this method are BASE64-encoded (default) or HEXADECIMAL ASCII Strings.The mechanisms applied to perform the encryption operation are described in PKCS #5: Password-Based Cryptography Standard.
This encryptor uses a salt for each encryption operation. The size of the salt depends on the algorithm being used. This salt is used for creating the encryption key and, if generated by a random generator, it is also appended unencrypted at the beginning of the results so that a decryption operation can be performed.
If a random salt generator is used, two encryption results for the same message will always be different (except in the case of random salt coincidence). This may enforce security by difficulting brute force attacks on sets of data at a time and forcing attackers to perform a brute force attack on each separate piece of encrypted data.
encrypt
in interface StringEncryptor
message
- the String message to be encryptedEncryptionOperationNotPossibleException
- if the encryption
operation fails, ommitting any further information about the
cause for security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).public String decrypt(String encryptedMessage)
Decrypts a message using the specified configuration.
This method expects to receive a BASE64-encoded (default) or HEXADECIMAL ASCII String.
The mechanisms applied to perform the decryption operation are described in PKCS #5: Password-Based Cryptography Standard.
If a random salt generator is used, this decryption operation will expect to find an unencrypted salt at the beginning of the encrypted input, so that the decryption operation can be correctly performed (there is no other way of knowing it).
decrypt
in interface StringEncryptor
encryptedMessage
- the String message to be decryptedEncryptionOperationNotPossibleException
- if the decryption
operation fails, ommitting any further information about the
cause for security reasons.EncryptionInitializationException
- if initialization could not
be correctly done (for example, no password has been set).Copyright © 2017 JBoss by Red Hat. All rights reserved.