|
| 1 | +/* |
| 2 | + * Copyright 2014-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"). |
| 5 | + * You may not use this file except in compliance with the License. |
| 6 | + * A copy of the License is located at |
| 7 | + * |
| 8 | + * http://aws.amazon.com/apache2.0 |
| 9 | + * |
| 10 | + * or in the "license" file accompanying this file. This file is distributed |
| 11 | + * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either |
| 12 | + * express or implied. See the License for the specific language governing |
| 13 | + * permissions and limitations under the License. |
| 14 | + */ |
| 15 | +package software.amazon.cryptools.dynamodbencryptionclientsdk2.encryption; |
| 16 | + |
| 17 | +import java.security.GeneralSecurityException; |
| 18 | +import java.security.InvalidAlgorithmParameterException; |
| 19 | +import java.security.InvalidKeyException; |
| 20 | +import java.security.Key; |
| 21 | +import java.security.NoSuchAlgorithmException; |
| 22 | + |
| 23 | +import javax.crypto.BadPaddingException; |
| 24 | +import javax.crypto.Cipher; |
| 25 | +import javax.crypto.IllegalBlockSizeException; |
| 26 | +import javax.crypto.NoSuchPaddingException; |
| 27 | +import javax.crypto.SecretKey; |
| 28 | + |
| 29 | +/** |
| 30 | + * Identifies keys which should not be used directly with {@link Cipher} but |
| 31 | + * instead contain their own cryptographic logic. This can be used to wrap more |
| 32 | + * complex logic, HSM integration, or service-calls. |
| 33 | + * |
| 34 | + * <p> |
| 35 | + * Most delegated keys will only support a subset of these operations. (For |
| 36 | + * example, AES keys will generally not support {@link #sign(byte[], String)} or |
| 37 | + * {@link #verify(byte[], byte[], String)} and HMAC keys will generally not |
| 38 | + * support anything except <code>sign</code> and <code>verify</code>.) |
| 39 | + * {@link UnsupportedOperationException} should be thrown in these cases. |
| 40 | + * |
| 41 | + * @author Greg Rubin |
| 42 | + */ |
| 43 | +public interface DelegatedKey extends SecretKey { |
| 44 | + /** |
| 45 | + * Encrypts the provided plaintext and returns a byte-array containing the ciphertext. |
| 46 | + * |
| 47 | + * @param plainText |
| 48 | + * @param additionalAssociatedData |
| 49 | + * Optional additional data which must then also be provided for successful |
| 50 | + * decryption. Both <code>null</code> and arrays of length 0 are treated identically. |
| 51 | + * Not all keys will support this parameter. |
| 52 | + * @param algorithm |
| 53 | + * the transformation to be used when encrypting the data |
| 54 | + * @return ciphertext the ciphertext produced by this encryption operation |
| 55 | + * @throws UnsupportedOperationException |
| 56 | + * if encryption is not supported or if <code>additionalAssociatedData</code> is |
| 57 | + * provided, but not supported. |
| 58 | + */ |
| 59 | + byte[] encrypt(byte[] plainText, byte[] additionalAssociatedData, String algorithm) |
| 60 | + throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, |
| 61 | + NoSuchPaddingException; |
| 62 | + |
| 63 | + /** |
| 64 | + * Decrypts the provided ciphertext and returns a byte-array containing the |
| 65 | + * plaintext. |
| 66 | + * |
| 67 | + * @param cipherText |
| 68 | + * @param additionalAssociatedData |
| 69 | + * Optional additional data which was provided during encryption. |
| 70 | + * Both <code>null</code> and arrays of length 0 are treated |
| 71 | + * identically. Not all keys will support this parameter. |
| 72 | + * @param algorithm |
| 73 | + * the transformation to be used when decrypting the data |
| 74 | + * @return plaintext the result of decrypting the input ciphertext |
| 75 | + * @throws UnsupportedOperationException |
| 76 | + * if decryption is not supported or if |
| 77 | + * <code>additionalAssociatedData</code> is provided, but not |
| 78 | + * supported. |
| 79 | + */ |
| 80 | + byte[] decrypt(byte[] cipherText, byte[] additionalAssociatedData, String algorithm) |
| 81 | + throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, |
| 82 | + NoSuchPaddingException, InvalidAlgorithmParameterException; |
| 83 | + |
| 84 | + /** |
| 85 | + * Wraps (encrypts) the provided <code>key</code> to make it safe for |
| 86 | + * storage or transmission. |
| 87 | + * |
| 88 | + * @param key |
| 89 | + * @param additionalAssociatedData |
| 90 | + * Optional additional data which must then also be provided for |
| 91 | + * successful unwrapping. Both <code>null</code> and arrays of |
| 92 | + * length 0 are treated identically. Not all keys will support |
| 93 | + * this parameter. |
| 94 | + * @param algorithm |
| 95 | + * the transformation to be used when wrapping the key |
| 96 | + * @return the wrapped key |
| 97 | + * @throws UnsupportedOperationException |
| 98 | + * if wrapping is not supported or if |
| 99 | + * <code>additionalAssociatedData</code> is provided, but not |
| 100 | + * supported. |
| 101 | + */ |
| 102 | + byte[] wrap(Key key, byte[] additionalAssociatedData, String algorithm) throws InvalidKeyException, |
| 103 | + NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException; |
| 104 | + |
| 105 | + /** |
| 106 | + * Unwraps (decrypts) the provided <code>wrappedKey</code> to recover the |
| 107 | + * original key. |
| 108 | + * |
| 109 | + * @param wrappedKey |
| 110 | + * @param additionalAssociatedData |
| 111 | + * Optional additional data which was provided during wrapping. |
| 112 | + * Both <code>null</code> and arrays of length 0 are treated |
| 113 | + * identically. Not all keys will support this parameter. |
| 114 | + * @param algorithm |
| 115 | + * the transformation to be used when unwrapping the key |
| 116 | + * @return the unwrapped key |
| 117 | + * @throws UnsupportedOperationException |
| 118 | + * if wrapping is not supported or if |
| 119 | + * <code>additionalAssociatedData</code> is provided, but not |
| 120 | + * supported. |
| 121 | + */ |
| 122 | + Key unwrap(byte[] wrappedKey, String wrappedKeyAlgorithm, int wrappedKeyType, |
| 123 | + byte[] additionalAssociatedData, String algorithm) throws NoSuchAlgorithmException, NoSuchPaddingException, |
| 124 | + InvalidKeyException; |
| 125 | + |
| 126 | + /** |
| 127 | + * Calculates and returns a signature for <code>dataToSign</code>. |
| 128 | + * |
| 129 | + * @param dataToSign |
| 130 | + * @param algorithm |
| 131 | + * @return the signature |
| 132 | + * @throws UnsupportedOperationException if signing is not supported |
| 133 | + */ |
| 134 | + byte[] sign(byte[] dataToSign, String algorithm) throws GeneralSecurityException; |
| 135 | + |
| 136 | + /** |
| 137 | + * Checks the provided signature for correctness. |
| 138 | + * |
| 139 | + * @param dataToSign |
| 140 | + * @param signature |
| 141 | + * @param algorithm |
| 142 | + * @return true if and only if the <code>signature</code> matches the <code>dataToSign</code>. |
| 143 | + * @throws UnsupportedOperationException if signature validation is not supported |
| 144 | + */ |
| 145 | + boolean verify(byte[] dataToSign, byte[] signature, String algorithm); |
| 146 | +} |
0 commit comments