class CipherMap extends Object
Strong encrypted storage backend used for encrypting a Map at rest. The must consist only of standard java class types. Serialization and deseralization provided by YamlOperator.
In general, this class uses algorithms processes recommended by NIST FIPS in FIPS 180-4, FIPS 186-4, FIPS 197, and FIPS 198-1. FIPS 202 was considered but not currently used. The author of this class made a best-effort towards understanding these standards and implementing them in code. However, there's no warranty on correctness or 3rd party certification. As a reminder, please reference the license of this project before use.
Some other high level details include.
To run this example, clone Jervis and execute ./gradlew console to bring up a Groovy Console with the classpath set up.
import net.gleske.jervis.tools.CipherMap
import java.time.Instant
Map plainTextMap = [hello: 'world']
Long time(Closure c) {
Instant before = Instant.now()
c()
Instant after = Instant.now()
after.epochSecond - before.epochSecond
}
def cmap1 = new CipherMap(new File('src/test/resources/rsa_keys/good_id_rsa_4096'))
Long timing = time {
cmap1.plainMap = plainTextMap
}
println("Time encrypting: ${timing} second(s)")
def cmap2 = new CipherMap(new File('src/test/resources/rsa_keys/good_id_rsa_4096'))
timing = time {
cmap2 << cmap1.toString()
cmap2.plainMap
}
println("Time to load from String and decrypt: ${timing} second(s)")
// re-encrypt with stronger security
def cmap3 = new CipherMap(new File('src/test/resources/rsa_keys/good_id_rsa_4096').text)
cmap3.hash_iterations = 100100
timing = time {
cmap3.plainMap = cmap1.plainMap
}
println("Time migrating to stronger encryption with 100100 hash iterations: ${timing} second(s)")
println(['\n', '='*80, 'Encrypted contents with CipherMap toString()'.with { ' '*(40 - it.size()/2) + it }, '='*80, "\n${cmap3}"].join('\n'))
Type | Name and description |
---|---|
Integer |
hash_iterations Customize the number of SHA-256 hash iterations performed during AES encryption operations. |
Long |
rotate_time_limit The time limit in seconds before AES secret and IV need to be rotated. |
Constructor and description |
---|
CipherMap
(String privateKey) Instantiates a new CipherMap object with the given private key. |
CipherMap
(String privateKey, Integer hash_iterations) Instantiates a new CipherMap object with the given private key. |
CipherMap
(File privateKey) Instantiates a new CipherMap object with the given private key. |
CipherMap
(File privateKey, Integer hash_iterations) Instantiates a new CipherMap object with the given private key. |
Type Params | Return Type | Name and description |
---|---|---|
|
Map |
getPlainMap() Decrypts the encrypted map and returns the object. |
|
void |
leftShift(def input) Load or append to this object enciphered text. |
|
void |
setPlainMap(Map obj) Encrypts the object and stores it for later retrieval as enciphered text. |
|
String |
toString() Returns an encrypted object as text meant for storing at rest. |
Customize the number of SHA-256 hash iterations performed during AES encryption operations.
The time limit in seconds before AES secret and IV need to be rotated. Once it reaches this age then new secrets will be generated. Default: 2592000 seconds (number of seconds in 30 days).
Instantiates a new CipherMap object with the given private key. This is used for asymmetric encryption wrapping symmetric encryption.
privateKey
- A PKCS1 or PKCS8 private key PEM.Instantiates a new CipherMap object with the given private key. This is used for asymmetric encryption wrapping symmetric encryption.
privateKey
- A PKCS1 or PKCS8 private key PEM.hash_iterations
- Customize the hash iterations on instantiation.Instantiates a new CipherMap object with the given private key. This is used for asymmetric encryption wrapping symmetric encryption.
privateKey
- A PKCS1 or PKCS8 private key.Instantiates a new CipherMap object with the given private key. This is used for asymmetric encryption wrapping symmetric encryption.
privateKey
- A PKCS1 or PKCS8 private key.hash_iterations
- Customize the hash iterations on instantiation.Decrypts the encrypted map and returns the object.
Load or append to this object enciphered text. There are three behaviors depending on the object type passed.
input
- A String to load or a CipherMap to append.Encrypts the object and stores it for later retrieval as enciphered text. Before encryption occurs, the age of the AES-256 secret and IV is checked and rotated if beyond a certain age.
obj
- The plain java object to be encrypted. The object is
serialized by YamlOperator and must only consist of standard
java classes.Returns an encrypted object as text meant for storing at rest.
age: AES encrypted timestamp
cipher:
- asymmetrically encrypted AES secret
- asymmetrically encrypted AES IV
data: AES encrypted data
signature: RS256 Base64URL signature.
Jervis API documentation.