Package org.springframework.vault.core
Interface ReactiveVaultTransitOperations
- All Known Implementing Classes:
ReactiveVaultTransitTemplate
public interface ReactiveVaultTransitOperations
* Interface that specifies operations using the
transit
backend.- Since:
- 3.1
- Author:
- James Luke
- See Also:
-
Method Summary
Modifier and TypeMethodDescriptionconfigureKey
(String keyName, VaultTransitKeyConfiguration keyConfiguration) Create a new named encryption key given aname
.Create a new named encryption key given aname
.createKey
(String keyName, VaultTransitKeyCreationRequest createKeyRequest) Create a new named encryption key given aname
andVaultTransitKeyCreationRequest
.Decrypts the provided plain text using the named key.Mono<byte[]>
decrypt
(String keyName, String ciphertext, VaultTransitContext transitContext) Decrypts the providedciphertext
using the named key.decrypt
(String keyName, List<Ciphertext> batchRequest) Decrypts the provided batch of cipher text using the named key and context.decrypt
(String keyName, Ciphertext ciphertext) Decrypts the provided cipher text using the named key.Deletes a named encryption key.encrypt
(String keyName, byte[] plaintext, VaultTransitContext transitRequest) Encrypts the providedplaintext
using the named key.Encrypts the provided plain text using the named key.Encrypts the provided batch ofplaintext
using the named key and context.Encrypts the providedplaintext
using the named key.exportKey
(String keyName, TransitKeyType type) Returns the value of the named encryption key.Create a HMAC usingkeyName
of givenPlaintext
using the default hash algorithm.getHmac
(String keyName, VaultHmacRequest request) Create a HMAC usingkeyName
of givenVaultHmacRequest
using the default hash algorithm.Return information about a named encryption key.getKeys()
Get aFlux
of transit key names.Rewrap the provided cipher text using the latest version of the named key.rewrap
(String keyName, String ciphertext, VaultTransitContext transitContext) Rewrap the provided cipher text using the latest version of the named key.Rotates the version of the named key.Create a cryptographic signature usingkeyName
of the givenPlaintext
and the default hash algorithm.sign
(String keyName, VaultSignRequest request) Create a cryptographic signature usingkeyName
of the givenVaultSignRequest
and the specified hash algorithm.verify
(String keyName, VaultSignatureVerificationRequest request) Verify the cryptographic signature usingkeyName
of the givenVaultSignRequest
.
-
Method Details
-
createKey
Create a new named encryption key given aname
.- Parameters:
keyName
- must not be empty or null.
-
createKey
Create a new named encryption key given aname
andVaultTransitKeyCreationRequest
. The key options set here cannot be changed after key creation.- Parameters:
keyName
- must not be empty or null.createKeyRequest
- must not be null.
-
getKeys
Get aFlux
of transit key names.- Returns:
Flux
of transit key names.
-
configureKey
Create a new named encryption key given aname
.- Parameters:
keyName
- must not be empty or null.keyConfiguration
- must not be null.
-
exportKey
Returns the value of the named encryption key. Depending on the type of key, different information may be returned. The key must be exportable to support this operation.- Parameters:
keyName
- must not be empty or null.type
- must not be null.- Returns:
- the
RawTransitKey
. Empty if key does not exist
-
getKey
Return information about a named encryption key.- Parameters:
keyName
- must not be empty or null.- Returns:
- the
VaultTransitKey
. Empty if key does not exist.
-
deleteKey
Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key.- Parameters:
keyName
- must not be empty or null.
-
rotate
Rotates the version of the named key. After rotation, new plain text requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, userewrap(String, String)
.- Parameters:
keyName
- must not be empty or null.- See Also:
-
encrypt
Encrypts the provided plain text using the named key. The givenplaintext
is encoded into bytes using thedefault charset
. Useencrypt(String, org.springframework.vault.support.Plaintext)
to construct aPlaintext
object from bytes to avoidCharset
mismatches.- Parameters:
keyName
- must not be empty or null.plaintext
- must not be empty or null.- Returns:
- cipher text.
-
encrypt
Encrypts the providedplaintext
using the named key.- Parameters:
keyName
- must not be empty or null.plaintext
- must not be null.- Returns:
- cipher text.
-
encrypt
Encrypts the providedplaintext
using the named key.- Parameters:
keyName
- must not be empty or null.plaintext
- must not be empty or null.transitRequest
- must not be null. UseVaultTransitContext.empty()
if no request options provided.- Returns:
- cipher text.
-
encrypt
Encrypts the provided batch ofplaintext
using the named key and context. The encryption is done using transit backend's batch operation.- Parameters:
keyName
- must not be empty or null.batchRequest
- a list ofPlaintext
which includes plain text and an optional context.- Returns:
- the encrypted result in the order of
batchRequest
plaintexts.
-
decrypt
Decrypts the provided plain text using the named key. The decodedplaintext
is decoded intoString
thedefault charset
. Usedecrypt(String, org.springframework.vault.support.Ciphertext)
to obtain aCiphertext
object that allows to control theCharset
for later consumption.- Parameters:
keyName
- must not be empty or null.ciphertext
- must not be empty or null.- Returns:
- plain text.
-
decrypt
Decrypts the provided cipher text using the named key.- Parameters:
keyName
- must not be empty or null.ciphertext
- must not be null.- Returns:
- plain text.
-
decrypt
Decrypts the providedciphertext
using the named key.- Parameters:
keyName
- must not be empty or null.ciphertext
- must not be empty or null.transitContext
- must not be null. UseVaultTransitContext.empty()
if no request options provided.- Returns:
- cipher text.
-
decrypt
Decrypts the provided batch of cipher text using the named key and context. The* decryption is done using transit backend's batch operation.- Parameters:
keyName
- must not be empty or null.batchRequest
- a list ofCiphertext
which includes plain text and an optional context.- Returns:
- the decrypted result in the order of
batchRequest
ciphertexts.
-
rewrap
Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.- Parameters:
keyName
- must not be empty or null.ciphertext
- must not be empty or null.- Returns:
- cipher text.
- See Also:
-
rewrap
Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.- Parameters:
keyName
- must not be empty or null.ciphertext
- must not be empty or null.transitContext
- must not be null. UseVaultTransitContext.empty()
if no request options provided.- Returns:
- cipher text.
- See Also:
-
getHmac
Create a HMAC usingkeyName
of givenPlaintext
using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.- Parameters:
keyName
- must not be empty or null.plaintext
- must not be null.- Returns:
- the digest of given data the default hash algorithm and the named key.
-
getHmac
Create a HMAC usingkeyName
of givenVaultHmacRequest
using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, configuredVaultHmacRequest.getKeyVersion()
will be used.- Parameters:
keyName
- must not be empty or null.request
- theVaultHmacRequest
, must not be null.- Returns:
- the digest of given data the default hash algorithm and the named key.
-
sign
Create a cryptographic signature usingkeyName
of the givenPlaintext
and the default hash algorithm. The key must be of a type that supports signing.- Parameters:
keyName
- must not be empty or null.plaintext
- must not be empty or null.- Returns:
- Signature for
Plaintext
.
-
sign
Create a cryptographic signature usingkeyName
of the givenVaultSignRequest
and the specified hash algorithm. The key must be of a type that supports signing.- Parameters:
keyName
- must not be empty or null.request
-VaultSignRequest
must not be empty or null.- Returns:
- Signature for
VaultSignRequest
.
-
verify
- Parameters:
keyName
- must not be empty or null.plaintext
- must not be null.signature
- Signature to be verified, must not be null.- Returns:
- true if the signature is valid, false otherwise.
-
verify
Verify the cryptographic signature usingkeyName
of the givenVaultSignRequest
.- Parameters:
keyName
- must not be empty or null.request
-VaultSignatureVerificationRequest
must not be null.- Returns:
- the resulting
SignatureValidation
.
-