com.amazonaws.services.dynamodbv2.datamodeling.encryption

Class DynamoDBEncryptor

java.lang.Object

com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor

All Implemented Interfaces:

ILegacyDynamoDbEncryptor

public class DynamoDBEncryptor
extends java.lang.Object
implements ILegacyDynamoDbEncryptor

The low-level API used by AttributeEncryptor to perform crypto operations on the record attributes.

For guidance on performing a safe data model change procedure, please see DynamoDB Encryption Client Developer Guide: Changing your data model

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	DEFAULT_SIGNING_ALGORITHM_HEADER

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	DynamoDBEncryptor(EncryptionMaterialsProvider provider, java.lang.String descriptionBase)

Method Summary

Modifier and Type	Method and Description
java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>>	allDecryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.util.Collection<java.lang.String> doNotDecrypt) Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>>	allDecryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.lang.String... doNotDecrypt) Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>>	allEncryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.util.Collection<java.lang.String> doNotEncrypt) Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>>	allEncryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.lang.String... doNotEncrypt) Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	decryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, java.util.Collection<java.lang.String> doNotDecrypt)
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	decryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, java.lang.String... doNotDecrypt) Returns a decrypted version of the provided DynamoDb record.
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	decryptRecord(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> attributeActionsOnEncrypt, EncryptionContext context)
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	encryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, java.util.Collection<java.lang.String> doNotEncrypt)
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	encryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, java.lang.String... doNotEncrypt) Returns an encrypted version of the provided DynamoDb record.
java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue>	encryptRecord(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> attributeActionsOnEncrypt, EncryptionContext context) Returns the encrypted (and signed) record, which is a map of item attributes.
protected static int	getBlockSize(java.lang.String encryptionMode)
java.util.function.Function<EncryptionContext,EncryptionContext>	getEncryptionContextOverrideOperator()
static DynamoDBEncryptor	getInstance(EncryptionMaterialsProvider provider)
static DynamoDBEncryptor	getInstance(EncryptionMaterialsProvider provider, java.lang.String descriptionbase)
java.lang.String	getMaterialDescriptionFieldName() Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
java.lang.String	getSignatureFieldName() Get the name of the DynamoDB field used to store the signature.
java.lang.String	getSigningAlgorithmHeader()
protected static com.amazonaws.services.dynamodbv2.model.AttributeValue	marshallDescription(java.util.Map<java.lang.String,java.lang.String> description) Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
void	setEncryptionContextOverrideOperator(java.util.function.Function<EncryptionContext,EncryptionContext> encryptionContextOverrideOperator)
void	setMaterialDescriptionFieldName(java.lang.String materialDescriptionFieldName) Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper
void	setSignatureFieldName(java.lang.String signatureFieldName) Set the name of the DynamoDB field used to store the signature.
protected static java.util.Map<java.lang.String,java.lang.String>	unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_SIGNING_ALGORITHM_HEADER

public static final java.lang.String DEFAULT_SIGNING_ALGORITHM_HEADER

See Also:

Constant Field Values

Constructor Detail

DynamoDBEncryptor

protected DynamoDBEncryptor(EncryptionMaterialsProvider provider,
                            java.lang.String descriptionBase)

Method Detail

getInstance

public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider,
                                            java.lang.String descriptionbase)

getInstance

public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider)

decryptAllFieldsExcept

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                                     EncryptionContext context,
                                                                                                                     java.lang.String... doNotDecrypt)
                                                                                                              throws java.security.GeneralSecurityException

Returns a decrypted version of the provided DynamoDb record. The signature is verified across all provided fields. All fields (except those listed in doNotEncrypt are decrypted.

Parameters:

itemAttributes - the DynamoDbRecord

context - additional information used to successfully select the encryption materials and decrypt the data. This should include (at least) the tableName and the materialDescription.

doNotDecrypt - those fields which should not be encrypted

Returns:

a plaintext version of the DynamoDb record

Throws:

java.security.SignatureException - if the signature is invalid or cannot be verified

java.security.GeneralSecurityException

decryptAllFieldsExcept

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                                     EncryptionContext context,
                                                                                                                     java.util.Collection<java.lang.String> doNotDecrypt)
                                                                                                              throws java.security.GeneralSecurityException

Throws:

java.security.GeneralSecurityException

See Also:

decryptAllFieldsExcept(Map, EncryptionContext, String...)

allDecryptionFlagsExcept

public java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> allDecryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                               java.lang.String... doNotDecrypt)

Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:

doNotDecrypt - fields to be excluded

allDecryptionFlagsExcept

public java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> allDecryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                               java.util.Collection<java.lang.String> doNotDecrypt)

Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:

doNotDecrypt - fields to be excluded

encryptAllFieldsExcept

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                                     EncryptionContext context,
                                                                                                                     java.lang.String... doNotEncrypt)
                                                                                                              throws java.security.GeneralSecurityException

Returns an encrypted version of the provided DynamoDb record. All fields are signed. All fields (except those listed in doNotEncrypt) are encrypted.

Parameters:

itemAttributes - a DynamoDb Record

context - additional information used to successfully select the encryption materials and encrypt the data. This should include (at least) the tableName.

doNotEncrypt - those fields which should not be encrypted

Returns:

a ciphertext version of the DynamoDb record

Throws:

java.security.GeneralSecurityException

encryptAllFieldsExcept

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                                     EncryptionContext context,
                                                                                                                     java.util.Collection<java.lang.String> doNotEncrypt)
                                                                                                              throws java.security.GeneralSecurityException

Throws:

java.security.GeneralSecurityException

allEncryptionFlagsExcept

public java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> allEncryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                               java.lang.String... doNotEncrypt)

Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:

doNotEncrypt - fields to be excluded

allEncryptionFlagsExcept

public java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> allEncryptionFlagsExcept(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                               java.util.Collection<java.lang.String> doNotEncrypt)

Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:

doNotEncrypt - fields to be excluded

decryptRecord

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptRecord(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                            java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> attributeActionsOnEncrypt,
                                                                                                            EncryptionContext context)
                                                                                                     throws java.security.GeneralSecurityException

Throws:

java.security.GeneralSecurityException

encryptRecord

public java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptRecord(java.util.Map<java.lang.String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                            java.util.Map<java.lang.String,java.util.Set<EncryptionFlags>> attributeActionsOnEncrypt,
                                                                                                            EncryptionContext context)
                                                                                                     throws java.security.GeneralSecurityException

Returns the encrypted (and signed) record, which is a map of item attributes. There is no side effect on the input parameters upon calling this method.

Parameters:

itemAttributes - the input record

attributeActionsOnEncrypt - the corresponding encryption flags

context - encryption context

Returns:

a new instance of item attributes encrypted as necessary

Throws:

java.security.GeneralSecurityException - if failed to encrypt the record

getBlockSize

protected static int getBlockSize(java.lang.String encryptionMode)

getSignatureFieldName

public java.lang.String getSignatureFieldName()

Get the name of the DynamoDB field used to store the signature. Defaults to DEFAULT_SIGNATURE_FIELD.

Returns:

the name of the DynamoDB field used to store the signature

setSignatureFieldName

public void setSignatureFieldName(java.lang.String signatureFieldName)

Set the name of the DynamoDB field used to store the signature.

Parameters:

signatureFieldName -

getMaterialDescriptionFieldName

public java.lang.String getMaterialDescriptionFieldName()

Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper. Defaults to DEFAULT_METADATA_FIELD.

Returns:

the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper

setMaterialDescriptionFieldName

public void setMaterialDescriptionFieldName(java.lang.String materialDescriptionFieldName)

Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper

Parameters:

materialDescriptionFieldName -

marshallDescription

protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(java.util.Map<java.lang.String,java.lang.String> description)

Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).

Parameters:

description -

Returns:

the description encoded as an AttributeValue with a ByteBuffer value

See Also:

DataOutput.writeUTF(String)

getSigningAlgorithmHeader

public java.lang.String getSigningAlgorithmHeader()

unmarshallDescription

protected static java.util.Map<java.lang.String,java.lang.String> unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)

See Also:

marshallDescription(Map)

setEncryptionContextOverrideOperator

public final void setEncryptionContextOverrideOperator(java.util.function.Function<EncryptionContext,EncryptionContext> encryptionContextOverrideOperator)

Parameters:

encryptionContextOverrideOperator - the nullable operator which will be used to override the EncryptionContext.

See Also:

EncryptionContextOperators

getEncryptionContextOverrideOperator

public final java.util.function.Function<EncryptionContext,EncryptionContext> getEncryptionContextOverrideOperator()

Returns:

the operator used to override the EncryptionContext

See Also:

setEncryptionContextOverrideOperator(Function)