Package org.springframework.vault.core

Class VaultTransitTemplate

java.lang.Object

org.springframework.vault.core.VaultTransitTemplate

All Implemented Interfaces:

VaultTransitOperations

public class VaultTransitTemplate
extends Object
implements VaultTransitOperations

Default implementation of VaultTransitOperations.

Author:

Mark Paluch, Sven Schürmann, Praveendra Singh, Luander Ribeiro, Mikko Koli, My-Lan Aragon, Nanne Baars

Constructor Summary

Constructors

Constructor	Description
VaultTransitTemplate(VaultOperations vaultOperations, String path)	Create a new VaultTransitTemplate given VaultOperations and the mount path.

Method Summary

Modifier and Type	Method	Description
void	configureKey(String keyName, VaultTransitKeyConfiguration keyConfiguration)	Create a new named encryption key given a name.
void	createKey(String keyName)	Create a new named encryption key given a name.
void	createKey(String keyName, VaultTransitKeyCreationRequest createKeyRequest)	Create a new named encryption key given a name and VaultTransitKeyCreationRequest.
String	decrypt(String keyName, String ciphertext)	Decrypts the provided plain text using the named key.
byte[]	decrypt(String keyName, String ciphertext, VaultTransitContext transitContext)	Decrypts the provided ciphertext using the named key.
List<VaultDecryptionResult>	decrypt(String keyName, List<Ciphertext> batchRequest)	Decrypts the provided batch of cipher text using the named key and context.
Plaintext	decrypt(String keyName, Ciphertext ciphertext)	Decrypts the provided cipher text using the named key.
void	deleteKey(String keyName)	Deletes a named encryption key.
String	encrypt(String keyName, byte[] plaintext, VaultTransitContext transitContext)	Encrypts the provided plaintext using the named key.
String	encrypt(String keyName, String plaintext)	Encrypts the provided plain text using the named key.
List<VaultEncryptionResult>	encrypt(String keyName, List<Plaintext> batchRequest)	Encrypts the provided batch of plaintext using the named key and context.
Ciphertext	encrypt(String keyName, Plaintext plaintext)	Encrypts the provided plaintext using the named key.
RawTransitKey	exportKey(String keyName, TransitKeyType type)	Returns the value of the named encryption key.
Hmac	getHmac(String keyName, Plaintext plaintext)	Create a HMAC using keyName of given Plaintext using the default hash algorithm.
Hmac	getHmac(String keyName, VaultHmacRequest hmacRequest)	Create a HMAC using keyName of given VaultHmacRequest using the default hash algorithm.
VaultTransitKey	getKey(String keyName)	Return information about a named encryption key.
List<String>	getKeys()	Get a List of transit key names.
String	rewrap(String keyName, String ciphertext)	Rewrap the provided cipher text using the latest version of the named key.
String	rewrap(String keyName, String ciphertext, VaultTransitContext transitContext)	Rewrap the provided cipher text using the latest version of the named key.
List<VaultEncryptionResult>	rewrap(String keyName, List<Ciphertext> batchRequest)	Rewrap the provided batch of cipher text using the latest version of the named key.
void	rotate(String keyName)	Rotates the version of the named key.
Signature	sign(String keyName, Plaintext plaintext)	Create a cryptographic signature using keyName of the given Plaintext and the default hash algorithm.
Signature	sign(String keyName, VaultSignRequest signRequest)	Create a cryptographic signature using keyName of the given VaultSignRequest and the specified hash algorithm.
String	toString()
boolean	verify(String keyName, Plaintext plainText, Signature signature)	Verify the cryptographic signature using keyName of the given Plaintext and Signature.
SignatureValidation	verify(String keyName, VaultSignatureVerificationRequest verificationRequest)	Verify the cryptographic signature using keyName of the given VaultSignRequest.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Details

VaultTransitTemplate

public VaultTransitTemplate(VaultOperations vaultOperations,
 String path)

Create a new VaultTransitTemplate given VaultOperations and the mount path.

Parameters:

vaultOperations - must not be null.

path - must not be empty or null.

Method Details

createKey

public void createKey(String keyName)

Description copied from interface: VaultTransitOperations

Create a new named encryption key given a name.

Specified by:

createKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

createKey

public void createKey(String keyName,
 VaultTransitKeyCreationRequest createKeyRequest)

Description copied from interface: VaultTransitOperations

Create a new named encryption key given a name and VaultTransitKeyCreationRequest. The key options set here cannot be changed after key creation.

Specified by:

createKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

createKeyRequest - must not be null.

getKeys

public List<String> getKeys()

Description copied from interface: VaultTransitOperations

Get a List of transit key names.

Specified by:

getKeys in interface VaultTransitOperations

Returns:

List of transit key names.

configureKey

public void configureKey(String keyName,
 VaultTransitKeyConfiguration keyConfiguration)

Description copied from interface: VaultTransitOperations

Create a new named encryption key given a name.

Specified by:

configureKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

keyConfiguration - must not be null.

exportKey

@Nullable
public RawTransitKey exportKey(String keyName,
 TransitKeyType type)

Description copied from interface: VaultTransitOperations

Returns the value of the named encryption key. Depending on the type of key, different information may be returned. The key must be exportable to support this operation.

Specified by:

exportKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

type - must not be null.

Returns:

the RawTransitKey.

getKey

@Nullable
public VaultTransitKey getKey(String keyName)

Description copied from interface: VaultTransitOperations

Return information about a named encryption key.

Specified by:

getKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

Returns:

the VaultTransitKey.

deleteKey

public void deleteKey(String keyName)

Description copied from interface: VaultTransitOperations

Deletes a named encryption key. It will no longer be possible to decrypt any data encrypted with the named key.

Specified by:

deleteKey in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

rotate

public void rotate(String keyName)

Description copied from interface: VaultTransitOperations

Rotates the version of the named key. After rotation, new plain text requests will be encrypted with the new version of the key. To upgrade ciphertext to be encrypted with the latest version of the key, use VaultTransitOperations.rewrap(String, String).

Specified by:

rotate in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

See Also:

• VaultTransitOperations.rewrap(String, String)

encrypt

public String encrypt(String keyName,
 String plaintext)

Description copied from interface: VaultTransitOperations

Encrypts the provided plain text using the named key. The given plaintext is encoded into bytes using the default charset. Use VaultTransitOperations.encrypt(String, org.springframework.vault.support.Plaintext) to construct a Plaintext object from bytes to avoid Charset mismatches.

Specified by:

encrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

Returns:

cipher text.

encrypt

public Ciphertext encrypt(String keyName,
 Plaintext plaintext)

Description copied from interface: VaultTransitOperations

Encrypts the provided plaintext using the named key.

Specified by:

encrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plaintext - must not be null.

Returns:

cipher text.

encrypt

public String encrypt(String keyName,
 byte[] plaintext,
 VaultTransitContext transitContext)

Description copied from interface: VaultTransitOperations

Encrypts the provided plaintext using the named key.

Specified by:

encrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

encrypt

public List<VaultEncryptionResult> encrypt(String keyName,
 List<Plaintext> batchRequest)

Description copied from interface: VaultTransitOperations

Encrypts the provided batch of plaintext using the named key and context. The encryption is done using transit backend's batch operation.

Specified by:

encrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

batchRequest - a list of Plaintext which includes plain text and an optional context.

Returns:

the encrypted result in the order of batchRequest plaintexts.

decrypt

public String decrypt(String keyName,
 String ciphertext)

Description copied from interface: VaultTransitOperations

Decrypts the provided plain text using the named key. The decoded plaintext is decoded into String the default charset. Use VaultTransitOperations.decrypt(String, org.springframework.vault.support.Ciphertext) to obtain a Ciphertext object that allows to control the Charset for later consumption.

Specified by:

decrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

plain text.

decrypt

public Plaintext decrypt(String keyName,
 Ciphertext ciphertext)

Description copied from interface: VaultTransitOperations

Decrypts the provided cipher text using the named key.

Specified by:

decrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

ciphertext - must not be null.

Returns:

plain text.

decrypt

public byte[] decrypt(String keyName,
 String ciphertext,
 VaultTransitContext transitContext)

Description copied from interface: VaultTransitOperations

Decrypts the provided ciphertext using the named key.

Specified by:

decrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

decrypt

public List<VaultDecryptionResult> decrypt(String keyName,
 List<Ciphertext> batchRequest)

Description copied from interface: VaultTransitOperations

Decrypts the provided batch of cipher text using the named key and context. The* decryption is done using transit backend's batch operation.

Specified by:

decrypt in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

batchRequest - a list of Ciphertext which includes plain text and an optional context.

Returns:

the decrypted result in the order of batchRequest ciphertexts.

rewrap

public String rewrap(String keyName,
 String ciphertext)

Description copied from interface: VaultTransitOperations

Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.

Specified by:

rewrap in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

Returns:

cipher text.

See Also:

• VaultTransitOperations.rotate(String)

rewrap

public String rewrap(String keyName,
 String ciphertext,
 VaultTransitContext transitContext)

Description copied from interface: VaultTransitOperations

Rewrap the provided cipher text using the latest version of the named key. Because this never returns plain text, it is possible to delegate this functionality to untrusted users or scripts.

Specified by:

rewrap in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

ciphertext - must not be empty or null.

transitContext - must not be null. Use VaultTransitContext.empty() if no request options provided.

Returns:

cipher text.

See Also:

• VaultTransitOperations.rotate(String)

rewrap

public List<VaultEncryptionResult> rewrap(String keyName,
 List<Ciphertext> batchRequest)

Description copied from interface: VaultTransitOperations

Rewrap the provided batch of cipher text using the latest version of the named key.

Specified by:

rewrap in interface VaultTransitOperations

batchRequest - a list of Ciphertext which includes cipher text and a context

Returns:

the rewrapped result in the order of batchRequest ciphertexts.

See Also:

• VaultTransitOperations.rewrap(String, String)

getHmac

public Hmac getHmac(String keyName,
 Plaintext plaintext)

Description copied from interface: VaultTransitOperations

Create a HMAC using keyName of given Plaintext using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, the latest (current) version will be used.

Specified by:

getHmac in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plaintext - must not be null.

Returns:

the digest of given data the default hash algorithm and the named key.

getHmac

public Hmac getHmac(String keyName,
 VaultHmacRequest hmacRequest)

Description copied from interface: VaultTransitOperations

Create a HMAC using keyName of given VaultHmacRequest using the default hash algorithm. The key can be of any type supported by transit; the raw key will be marshaled into bytes to be used for the HMAC function. If the key is of a type that supports rotation, configured VaultHmacRequest.getKeyVersion() will be used.

Specified by:

getHmac in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

hmacRequest - the VaultHmacRequest, must not be null.

Returns:

the digest of given data the default hash algorithm and the named key.

sign

public Signature sign(String keyName,
 Plaintext plaintext)

Description copied from interface: VaultTransitOperations

Create a cryptographic signature using keyName of the given Plaintext and the default hash algorithm. The key must be of a type that supports signing.

Specified by:

sign in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plaintext - must not be empty or null.

Returns:

Signature for Plaintext.

sign

public Signature sign(String keyName,
 VaultSignRequest signRequest)

Description copied from interface: VaultTransitOperations

Create a cryptographic signature using keyName of the given VaultSignRequest and the specified hash algorithm. The key must be of a type that supports signing.

Specified by:

sign in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

signRequest - VaultSignRequest must not be empty or null.

Returns:

Signature for VaultSignRequest.

verify

public boolean verify(String keyName,
 Plaintext plainText,
 Signature signature)

Description copied from interface: VaultTransitOperations

Verify the cryptographic signature using keyName of the given Plaintext and Signature.

Specified by:

verify in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

plainText - must not be null.

signature - Signature to be verified, must not be null.

Returns:

true if the signature is valid, false otherwise.

verify

public SignatureValidation verify(String keyName,
 VaultSignatureVerificationRequest verificationRequest)

Description copied from interface: VaultTransitOperations

Verify the cryptographic signature using keyName of the given VaultSignRequest.

Specified by:

verify in interface VaultTransitOperations

Parameters:

keyName - must not be empty or null.

verificationRequest - VaultSignatureVerificationRequest must not be null.

Returns:

the resulting SignatureValidation.

toString

public String toString()

Overrides:

toString in class Object