com.amazonaws.services.dynamodbv2.datamodeling.encryption

Interface DelegatedKey

All Superinterfaces:

javax.security.auth.Destroyable, java.security.Key, javax.crypto.SecretKey, java.io.Serializable

public interface DelegatedKey
extends javax.crypto.SecretKey

Identifies keys which should not be used directly with Cipher but instead contain their own cryptographic logic. This can be used to wrap more complex logic, HSM integration, or service-calls.

Most delegated keys will only support a subset of these operations. (For example, AES keys will generally not support sign(byte[], String) or verify(byte[], byte[], String) and HMAC keys will generally not support anything except sign and verify.) UnsupportedOperationException should be thrown in these cases.

Field Summary

Fields inherited from interface javax.crypto.SecretKey

serialVersionUID

Method Summary

Modifier and Type	Method and Description
byte[]	decrypt(byte[] cipherText, byte[] additionalAssociatedData, java.lang.String algorithm) Decrypts the provided ciphertext and returns a byte-array containing the plaintext.
byte[]	encrypt(byte[] plainText, byte[] additionalAssociatedData, java.lang.String algorithm) Encrypts the provided plaintext and returns a byte-array containing the ciphertext.
byte[]	sign(byte[] dataToSign, java.lang.String algorithm) Calculates and returns a signature for dataToSign.
java.security.Key	unwrap(byte[] wrappedKey, java.lang.String wrappedKeyAlgorithm, int wrappedKeyType, byte[] additionalAssociatedData, java.lang.String algorithm) Unwraps (decrypts) the provided wrappedKey to recover the original key.
boolean	verify(byte[] dataToSign, byte[] signature, java.lang.String algorithm) Checks the provided signature for correctness.
byte[]	wrap(java.security.Key key, byte[] additionalAssociatedData, java.lang.String algorithm) Wraps (encrypts) the provided key to make it safe for storage or transmission.

Methods inherited from interface java.security.Key

getAlgorithm, getEncoded, getFormat

Methods inherited from interface javax.security.auth.Destroyable

destroy, isDestroyed

Method Detail

encrypt

byte[] encrypt(byte[] plainText,
               byte[] additionalAssociatedData,
               java.lang.String algorithm)
        throws java.security.InvalidKeyException,
               javax.crypto.IllegalBlockSizeException,
               javax.crypto.BadPaddingException,
               java.security.NoSuchAlgorithmException,
               javax.crypto.NoSuchPaddingException

Encrypts the provided plaintext and returns a byte-array containing the ciphertext.

Parameters:

plainText -

additionalAssociatedData - Optional additional data which must then also be provided for successful decryption. Both null and arrays of length 0 are treated identically. Not all keys will support this parameter.

algorithm - the transformation to be used when encrypting the data

Returns:

ciphertext the ciphertext produced by this encryption operation

Throws:

java.lang.UnsupportedOperationException - if encryption is not supported or if additionalAssociatedData is provided, but not supported.

java.security.InvalidKeyException

javax.crypto.IllegalBlockSizeException

javax.crypto.BadPaddingException

java.security.NoSuchAlgorithmException

javax.crypto.NoSuchPaddingException

decrypt

byte[] decrypt(byte[] cipherText,
               byte[] additionalAssociatedData,
               java.lang.String algorithm)
        throws java.security.InvalidKeyException,
               javax.crypto.IllegalBlockSizeException,
               javax.crypto.BadPaddingException,
               java.security.NoSuchAlgorithmException,
               javax.crypto.NoSuchPaddingException,
               java.security.InvalidAlgorithmParameterException

Decrypts the provided ciphertext and returns a byte-array containing the plaintext.

Parameters:

cipherText -

additionalAssociatedData - Optional additional data which was provided during encryption. Both null and arrays of length 0 are treated identically. Not all keys will support this parameter.

algorithm - the transformation to be used when decrypting the data

Returns:

plaintext the result of decrypting the input ciphertext

Throws:

java.lang.UnsupportedOperationException - if decryption is not supported or if additionalAssociatedData is provided, but not supported.

java.security.InvalidKeyException

javax.crypto.IllegalBlockSizeException

javax.crypto.BadPaddingException

java.security.NoSuchAlgorithmException

javax.crypto.NoSuchPaddingException

java.security.InvalidAlgorithmParameterException

wrap

byte[] wrap(java.security.Key key,
            byte[] additionalAssociatedData,
            java.lang.String algorithm)
     throws java.security.InvalidKeyException,
            java.security.NoSuchAlgorithmException,
            javax.crypto.NoSuchPaddingException,
            javax.crypto.IllegalBlockSizeException

Wraps (encrypts) the provided key to make it safe for storage or transmission.

Parameters:

key -

additionalAssociatedData - Optional additional data which must then also be provided for successful unwrapping. Both null and arrays of length 0 are treated identically. Not all keys will support this parameter.

algorithm - the transformation to be used when wrapping the key

Returns:

the wrapped key

Throws:

java.lang.UnsupportedOperationException - if wrapping is not supported or if additionalAssociatedData is provided, but not supported.

java.security.InvalidKeyException

java.security.NoSuchAlgorithmException

javax.crypto.NoSuchPaddingException

javax.crypto.IllegalBlockSizeException

unwrap

java.security.Key unwrap(byte[] wrappedKey,
                         java.lang.String wrappedKeyAlgorithm,
                         int wrappedKeyType,
                         byte[] additionalAssociatedData,
                         java.lang.String algorithm)
                  throws java.security.NoSuchAlgorithmException,
                         javax.crypto.NoSuchPaddingException,
                         java.security.InvalidKeyException

Unwraps (decrypts) the provided wrappedKey to recover the original key.

Parameters:

wrappedKey -

additionalAssociatedData - Optional additional data which was provided during wrapping. Both null and arrays of length 0 are treated identically. Not all keys will support this parameter.

algorithm - the transformation to be used when unwrapping the key

Returns:

the unwrapped key

Throws:

java.lang.UnsupportedOperationException - if wrapping is not supported or if additionalAssociatedData is provided, but not supported.

java.security.NoSuchAlgorithmException

javax.crypto.NoSuchPaddingException

java.security.InvalidKeyException

sign

byte[] sign(byte[] dataToSign,
            java.lang.String algorithm)
     throws java.security.GeneralSecurityException

Calculates and returns a signature for dataToSign.

Parameters:

dataToSign -

algorithm -

Returns:

the signature

Throws:

java.lang.UnsupportedOperationException - if signing is not supported

java.security.GeneralSecurityException

verify

boolean verify(byte[] dataToSign,
               byte[] signature,
               java.lang.String algorithm)

Checks the provided signature for correctness.

Parameters:

dataToSign -

signature -

algorithm -

Returns:

true if and only if the signature matches the dataToSign.

Throws:

java.lang.UnsupportedOperationException - if signature validation is not supported