Cumulus4j API
(1.1.0)

org.cumulus4j.keymanager.back.shared
Class KeyEncryptionUtil

java.lang.Object
  extended by org.cumulus4j.keymanager.back.shared.KeyEncryptionUtil

public final class KeyEncryptionUtil
extends Object

Utility class to en- & decrypt symmetric secret keys using asymmetric encryption.

TODO the MAC algorithm should be communicated between key-manager and app-server (maybe the app-server specifies it, but with the possibility that the key-manager can override, i.e. use another one?! thus requiring the GetKeyResponse to tell the app-server, which one was actually used - or maybe encode this into the binary result here? Or maybe only specify it here on the key-manager-side (and encode in the binary)? less work and probably sufficient).

Author:
Marco หงุ่ยตระกูล-Schulze - marco at nightlabs dot de

Method Summary
static byte[] decryptKey(Cipher decrypter, byte[] keyEncodedEncrypted)
          Decrypt a previously encrypted secret key and verify its integrity via a MAC.
static byte[] encryptKey(byte[] key, Cipher encrypter)
          Encrypt the given symmetric secret key with the given Cipher.
static byte[] encryptKey(byte[] key, String keyEncryptionTransformation, byte[] keyEncryptionPublicKey)
          Encrypt the given symmetric secret key.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Method Detail

encryptKey

public static byte[] encryptKey(byte[] key,
                                Cipher encrypter)
                         throws CryptoException,
                                NoSuchAlgorithmException
Encrypt the given symmetric secret key with the given Cipher. The key will be protected against manipulation/corruption by a MAC.

Parameters:
key - the symmetric secret key to be encrypted.
encrypter - the cipher used for encryption.
Returns:
the key together with the MAC's key + IV - all encrypted.
Throws:
CryptoException - in case the encryption fails.
NoSuchAlgorithmException - in case a crypto algorithm's name (e.g. for the MAC) does not exist in the CryptoRegistry.
See Also:
encryptKey(byte[], String, byte[])

encryptKey

public static byte[] encryptKey(byte[] key,
                                String keyEncryptionTransformation,
                                byte[] keyEncryptionPublicKey)
                         throws GeneralSecurityException,
                                IOException,
                                CryptoException
Encrypt the given symmetric secret key. The key will be protected against manipulation/corruption by a MAC (the algorithm is currently hard-coded, but this might be changed, soon).

Parameters:
key - the symmetric secret key to be encrypted.
keyEncryptionTransformation - the transformation to be used to encrypt (see CryptoRegistry.createCipher(String)).
keyEncryptionPublicKey - the public key to be used to encrypt the given key.
Returns:
the key together with the MAC's key + IV - all encrypted.
Throws:
GeneralSecurityException - if there's a problem obtaining the cipher from the CryptoRegistry.
IOException - if decoding the public key from its binary representation fails.
CryptoException - in case the encryption fails.
See Also:
encryptKey(byte[], Cipher), decryptKey(Cipher, byte[])

decryptKey

public static byte[] decryptKey(Cipher decrypter,
                                byte[] keyEncodedEncrypted)
                         throws CryptoException,
                                IOException,
                                NoSuchAlgorithmException
Decrypt a previously encrypted secret key and verify its integrity via a MAC.

Parameters:
decrypter - the cipher to be used for decryption (already initialised with key + IV).
keyEncodedEncrypted - the encrypted key as produced by encryptKey(byte[], Cipher)
Returns:
the decrypted secret key (as originally passed to encryptKey(byte[], Cipher).
Throws:
CryptoException - if decryption failed.
IOException - if data cannot be read or is corrupted - e.g. if MAC verification failed.
NoSuchAlgorithmException - if the CryptoRegistry does not know the (MAC) algorithm.
See Also:
encryptKey(byte[], Cipher), encryptKey(byte[], String, byte[])

Cumulus4j API
(1.1.0)

Copyright © 2013 NightLabs Consulting GmbH. All Rights Reserved.