Class StandardPBEByteEncryptor
- All Implemented Interfaces:
ByteEncryptor
,CleanablePasswordBased
,PasswordBased
,PBEByteCleanablePasswordEncryptor
,PBEByteEncryptor
Standard implementation of the PBEByteEncryptor
interface.
This class lets the user specify the algorithm, provider and
the initialization vector (IV) generator to be used for
encryption, the password to use,
the number of hashing iterations and the salt generator
that will be applied for obtaining the encryption key.
This class is thread-safe.
Configuration
The algorithm, provider, IV generator, password, key-obtention iterations and salt generator can take values in any of these ways:
- Using its default values (except for password).
- Setting a
PBEConfig
object which provides new configuration values. - Calling the corresponding setAlgorithm(...), setProvider(...), setProviderName(...), setIvGenerator(...), setPassword(...), setKeyObtentionIterations(...) or setSaltGenerator(...) methods.
- First, the default values are considered (except for password).
- Then, if a
PBEConfig
object has been set with setConfig(...), the non-null values returned by its getX() methods override the default values. - Finally, if the corresponding setX(...) method has been called on the encryptor itself for any of the configuration parameters, the values set by these calls override all of the above.
Initialization
Before it is ready to encrypt, an object of this class has to be initialized. Initialization happens:
- When initialize() is called.
- When encrypt(...) or decrypt(...) are called for the first time, if initialize() has not been called before.
Usage
An encryptor may be used for:
- Encrypting messages, by calling the encrypt(...) method.
- Decrypting messages, by calling the decrypt(...) method.
To learn more about the mechanisms involved in encryption, read PKCS #5: Password-Based Cryptography Standard.
- Since:
- 1.0
-
Field Summary
FieldsModifier and TypeFieldDescriptionprivate String
private boolean
private PBEConfig
private Cipher
static final String
The default algorithm to be used if none specified: PBEWithMD5AndDES.static final int
The default IV size, only used if the chosen encryption algorithm is not a block algorithm and thus block size cannot be used as IV size.static final int
The default number of hashing iterations applied for obtaining the encryption key from the specified password, set to 1000.static final int
The default salt size, only used if the chosen encryption algorithm is not a block algorithm and thus block size cannot be used as salt size.private Cipher
private byte[]
private boolean
private boolean
private IvGenerator
private boolean
private int
private SecretKey
private int
private boolean
private char[]
private boolean
private Provider
private String
private boolean
private boolean
private SaltGenerator
private boolean
private int
-
Constructor Summary
ConstructorsConstructorDescriptionCreates a new instance of StandardPBEByteEncryptor. -
Method Summary
Modifier and TypeMethodDescriptionprivate PBEParameterSpec
buildPBEParameterSpec
(byte[] salt, byte[] iv) private static void
cleanPassword
(char[] password) (package private) StandardPBEByteEncryptor[]
cloneAndInitializeEncryptor
(int size) byte[]
decrypt
(byte[] encryptedMessage) Decrypts a message using the specified configuration.byte[]
encrypt
(byte[] message) Encrypts a message using the specified configuration.private void
void
Initialize the encryptor.boolean
Returns true if the encryptor has already been initialized, false if not.
Initialization happens:private void
void
setAlgorithm
(String algorithm) Sets the algorithm to be used for encryption, like PBEWithMD5AndDES.void
Sets aPBEConfig
object for the encryptor.void
setIvGenerator
(IvGenerator ivGenerator) Sets the IV generator to be used.void
setKeyObtentionIterations
(int keyObtentionIterations) Set the number of hashing iterations applied to obtain the encryption key.void
setPassword
(String password) Sets the password to be used.void
setPasswordCharArray
(char[] password) Sets the password to be used, as a char[].void
setProvider
(Provider provider) Sets the security provider to be asked for the encryption algorithm.void
setProviderName
(String providerName) Sets the name of the security provider to be asked for the encryption algorithm.void
setSaltGenerator
(SaltGenerator saltGenerator) Sets the salt generator to be used.
-
Field Details
-
DEFAULT_ALGORITHM
The default algorithm to be used if none specified: PBEWithMD5AndDES.- See Also:
-
DEFAULT_KEY_OBTENTION_ITERATIONS
public static final int DEFAULT_KEY_OBTENTION_ITERATIONSThe default number of hashing iterations applied for obtaining the encryption key from the specified password, set to 1000.- See Also:
-
DEFAULT_SALT_SIZE_BYTES
public static final int DEFAULT_SALT_SIZE_BYTESThe default salt size, only used if the chosen encryption algorithm is not a block algorithm and thus block size cannot be used as salt size.- See Also:
-
DEFAULT_IV_SIZE_BYTES
public static final int DEFAULT_IV_SIZE_BYTESThe default IV size, only used if the chosen encryption algorithm is not a block algorithm and thus block size cannot be used as IV size.- See Also:
-
algorithm
-
providerName
-
provider
-
password
private char[] password -
keyObtentionIterations
private int keyObtentionIterations -
saltGenerator
-
saltSizeBytes
private int saltSizeBytes -
ivGenerator
-
ivSizeBytes
private int ivSizeBytes -
config
-
algorithmSet
private boolean algorithmSet -
passwordSet
private boolean passwordSet -
iterationsSet
private boolean iterationsSet -
saltGeneratorSet
private boolean saltGeneratorSet -
ivGeneratorSet
private boolean ivGeneratorSet -
providerNameSet
private boolean providerNameSet -
providerSet
private boolean providerSet -
initialized
private boolean initialized -
key
-
encryptCipher
-
decryptCipher
-
optimizingDueFixedSalt
private boolean optimizingDueFixedSalt -
fixedSaltInUse
private byte[] fixedSaltInUse
-
-
Constructor Details
-
StandardPBEByteEncryptor
public StandardPBEByteEncryptor()Creates a new instance of StandardPBEByteEncryptor.
-
-
Method Details
-
setConfig
Sets a
PBEConfig
object for the encryptor. If this config object is set, it will be asked values for:- Algorithm
- Security Provider (or provider name)
- Password
- Hashing iterations for obtaining the encryption key
- Salt generator
- IV generator
The non-null values it returns will override the default ones, and will be overriden by any values specified with a setX method.
- Parameters:
config
- the PBEConfig object to be used as the source for configuration parameters.
-
setAlgorithm
Sets the algorithm to be used for encryption, like PBEWithMD5AndDES.
This algorithm has to be supported by your JCE provider (if you specify one, or the default JVM provider if you don't) and, if it is supported, you can also specify mode and padding for it, like ALGORITHM/MODE/PADDING.
- Parameters:
algorithm
- the name of the algorithm to be used.
-
setPassword
Sets the password to be used.
There is no default value for password, so not setting this parameter either from a
PBEConfig
object or from a call to setPassword will result in an EncryptionInitializationException being thrown during initialization.- Specified by:
setPassword
in interfacePasswordBased
- Parameters:
password
- the password to be used.
-
setPasswordCharArray
public void setPasswordCharArray(char[] password) Sets the password to be used, as a char[].
This allows the password to be specified as a cleanable char[] instead of a String, in extreme security conscious environments in which no copy of the password as an immutable String should be kept in memory.
Important: the array specified as a parameter WILL BE COPIED in order to be stored as encryptor configuration. The caller of this method will therefore be responsible for its cleaning (jasypt will only clean the internally stored copy).
There is no default value for password, so not setting this parameter either from a
PBEConfig
object or from a call to setPassword will result in an EncryptionInitializationException being thrown during initialization.- Specified by:
setPasswordCharArray
in interfaceCleanablePasswordBased
- Parameters:
password
- the password to be used.- Since:
- 1.8
-
setKeyObtentionIterations
public void setKeyObtentionIterations(int keyObtentionIterations) Set the number of hashing iterations applied to obtain the encryption key.
This mechanism is explained in PKCS #5: Password-Based Cryptography Standard.
- Parameters:
keyObtentionIterations
- the number of iterations
-
setSaltGenerator
Sets the salt generator to be used. If no salt generator is specified, an instance of
RandomSaltGenerator
will be used.- Parameters:
saltGenerator
- the salt generator to be used.
-
setIvGenerator
Sets the IV generator to be used. If no IV generator is specified, an instance of
NoIvGenerator
will be used.- Parameters:
ivGenerator
- the IV generator to be used.
-
setProviderName
Sets the name of the security provider to be asked for the encryption algorithm. This security provider has to be registered beforehand at the JVM security framework.
The provider can also be set with the
setProvider(Provider)
method, in which case it will not be necessary neither registering the provider beforehand, nor calling thissetProviderName(String)
method to specify a provider name.Note that a call to
setProvider(Provider)
overrides any value set by this method.If no provider name / provider is explicitly set, the default JVM provider will be used.
- Parameters:
providerName
- the name of the security provider to be asked for the encryption algorithm.- Since:
- 1.3
-
setProvider
Sets the security provider to be asked for the encryption algorithm. The provider does not have to be registered at the security infrastructure beforehand, and its being used here will not result in its being registered.
If this method is called, calling
setProviderName(String)
becomes unnecessary.If no provider name / provider is explicitly set, the default JVM provider will be used.
- Parameters:
provider
- the provider to be asked for the chosen algorithm- Since:
- 1.3
-
cloneAndInitializeEncryptor
-
isInitialized
public boolean isInitialized()Returns true if the encryptor has already been initialized, false if not.
Initialization happens:- When initialize is called.
- When encrypt or decrypt are called for the first time, if initialize has not been called before.
Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
- Returns:
- true if the encryptor has already been initialized, false if not.
-
initialize
public void initialize()Initialize the encryptor.
This operation will consist in determining the actual configuration values to be used, and then initializing the encryptor with them.
These values are decided by applying the following priorities:- First, the default values are considered (except for password).
- Then, if a
PBEConfig
object has been set with setConfig, the non-null values returned by its getX methods override the default values. - Finally, if the corresponding setX method has been called on the encryptor itself for any of the configuration parameters, the values set by these calls override all of the above.
Once an encryptor has been initialized, trying to change its configuration will result in an AlreadyInitializedException being thrown.
- Throws:
EncryptionInitializationException
- if initialization could not be correctly done (for example, no password has been set).
-
resolveConfigurationPassword
private void resolveConfigurationPassword() -
cleanPassword
private static void cleanPassword(char[] password) -
encrypt
Encrypts a message using the specified configuration.
The mechanisms applied to perform the encryption operation are described in PKCS #5: Password-Based Cryptography Standard.
This encryptor uses a salt and IV for each encryption operation. Sizes of the salt and IV depends on the algorithm being used. The salt and the IV, if generated by a random generator, they are also appended unencrypted at the beginning of the results so that a decryption operation can be performed.
If a random salt generator is used, two encryption results for the same message will always be different (except in the case of random salt coincidence). This may enforce security by difficulting brute force attacks on sets of data at a time and forcing attackers to perform a brute force attack on each separate piece of encrypted data. The same is applied if a random IV generator is used.
- Specified by:
encrypt
in interfaceByteEncryptor
- Parameters:
message
- the byte array message to be encrypted- Returns:
- the result of encryption
- Throws:
EncryptionOperationNotPossibleException
- if the encryption operation fails, ommitting any further information about the cause for security reasons.EncryptionInitializationException
- if initialization could not be correctly done (for example, no password has been set).
-
decrypt
Decrypts a message using the specified configuration.
The mechanisms applied to perform the decryption operation are described in PKCS #5: Password-Based Cryptography Standard.
If a random salt generator is used, this decryption operation will expect to find an unencrypted salt at the beginning of the encrypted input, so that the decryption operation can be correctly performed (there is no other way of knowing it).
If a random IV generator is used, this decryption operation will expect to find an unencrypted IV at the beginning of the encrypted input, so that the decryption operation can be correctly performed (there is no other way of knowing it).
- Specified by:
decrypt
in interfaceByteEncryptor
- Parameters:
encryptedMessage
- the byte array message to be decrypted- Returns:
- the result of decryption
- Throws:
EncryptionOperationNotPossibleException
- if the decryption operation fails, ommitting any further information about the cause for security reasons.EncryptionInitializationException
- if initialization could not be correctly done (for example, no password has been set).
-
buildPBEParameterSpec
-
handleInvalidKeyException
-