/*
* (c) Copyright 2017 Palantir Technologies Inc. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.palantir.crypto2.io;
import com.google.common.annotations.VisibleForTesting;
import com.palantir.crypto2.cipher.ApacheCiphers;
import com.palantir.crypto2.cipher.SeekableCipher;
import com.palantir.crypto2.cipher.SeekableCipherFactory;
import com.palantir.crypto2.keys.KeyMaterial;
import com.palantir.seekio.SeekableInput;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Objects;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import org.apache.commons.crypto.stream.CtrCryptoOutputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
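/**
 * Factory for encrypting and decrypting streams. For {@value #AES_ALGORITHM} an Apache commons-crypto
 * implementation (backed by OpenSSL when that initializes) is preferred; every other algorithm, any
 * initialization failure, and any caller passing {@code forceJce} goes through the JCE-backed
 * {@link SeekableCipherFactory} path instead.
 */
public final class CryptoStreamFactory {
    private static final Logger log = LoggerFactory.getLogger(CryptoStreamFactory.class);

    // Properties handed to commons-crypto streams. ApacheCiphers.forceOpenSsl presumably selects the
    // OpenSSL-backed cipher implementation; see that class for exactly which keys it sets.
    private static final Properties PROPS = ApacheCiphers.forceOpenSsl(new Properties());

    // The only algorithm with an Apache/OpenSSL-backed implementation in this factory.
    private static final String AES_ALGORITHM = "AES/CTR/NoPadding";

    private CryptoStreamFactory() {}

    /**
     * Returns a {@link SeekableInput} that decrypts the given SeekableInput using the given {@link KeyMaterial} and
     * cipher {@code algorithm}. When OpenSSL is available an implementation that uses AES-NI will be returned.
     *
     * @param encryptedInput the ciphertext source
     * @param keyMaterial key and IV used for decryption
     * @param algorithm cipher transformation name, e.g. {@value #AES_ALGORITHM}
     * @throws NullPointerException if any argument is null
     */
    public static SeekableInput decrypt(SeekableInput encryptedInput, KeyMaterial keyMaterial, String algorithm) {
        return decrypt(encryptedInput, keyMaterial, algorithm, false);
    }

    /**
     * As {@link #decrypt(SeekableInput, KeyMaterial, String)}, with {@code forceJce} bypassing the Apache/OpenSSL
     * path entirely. Exposed for tests that need to exercise the JCE implementation deterministically.
     *
     * @throws NullPointerException if {@code encryptedInput}, {@code keyMaterial} or {@code algorithm} is null
     */
    @SuppressWarnings("CatchBlockLogException")
    @VisibleForTesting
    static SeekableInput decrypt(
            SeekableInput encryptedInput, KeyMaterial keyMaterial, String algorithm, boolean forceJce) {
        Objects.requireNonNull(encryptedInput, "encryptedInput");
        Objects.requireNonNull(keyMaterial, "keyMaterial");
        Objects.requireNonNull(algorithm, "algorithm");
        if (forceJce || !AES_ALGORITHM.equals(algorithm)) {
            return createDefaultDecryptingInput(encryptedInput, keyMaterial, algorithm);
        }
        try {
            return new ApacheCtrDecryptingSeekableInput(encryptedInput, keyMaterial);
        } catch (IOException e) {
            // The WARN line deliberately carries no stack trace (hence the suppression above); the cause is
            // kept at DEBUG so operators can still find out why the OpenSSL path is unavailable.
            // NOTE(review): the fallback assumes the failed constructor did not consume from encryptedInput —
            // confirm against ApacheCtrDecryptingSeekableInput.
            log.warn("Unable to initialize cipher with OpenSSL, falling back to JCE implementation");
            log.debug("OpenSSL cipher initialization failed", e);
            return createDefaultDecryptingInput(encryptedInput, keyMaterial, algorithm);
        }
    }

    /**
     * Returns an {@link InputStream} that decrypts the given InputStream using the given {@link KeyMaterial} and
     * cipher {@code algorithm}. When OpenSSL is available an implementation that uses AES-NI will be returned.
     *
     * <p>The input is wrapped in an adapter that rejects {@code seek} and {@code getPos} with
     * {@link UnsupportedOperationException}, so the returned stream is only usable for forward reads.
     *
     * @throws NullPointerException if any argument is null
     */
    public static InputStream decrypt(InputStream input, KeyMaterial keyMaterial, String algorithm) {
        return new DefaultSeekableInputStream(decrypt(new StreamSeekableInput(input), keyMaterial, algorithm));
    }

    /**
     * Returns an {@link OutputStream} that encrypts the given OutputStream using the given {@link KeyMaterial} and
     * cipher {@code algorithm}. When OpenSSL is available an implementation that uses AES-NI will be returned.
     *
     * @param output the plaintext sink's destination; ciphertext is written here
     * @param keyMaterial key and IV used for encryption
     * @param algorithm cipher transformation name, e.g. {@value #AES_ALGORITHM}
     * @throws NullPointerException if any argument is null
     */
    public static OutputStream encrypt(OutputStream output, KeyMaterial keyMaterial, String algorithm) {
        return encrypt(output, keyMaterial, algorithm, false);
    }

    /**
     * As {@link #encrypt(OutputStream, KeyMaterial, String)}, with {@code forceJce} bypassing the Apache/OpenSSL
     * path entirely. Exposed for tests that need to exercise the JCE implementation deterministically.
     *
     * @throws NullPointerException if {@code output}, {@code keyMaterial} or {@code algorithm} is null
     */
    @SuppressWarnings("CatchBlockLogException")
    @VisibleForTesting
    static OutputStream encrypt(OutputStream output, KeyMaterial keyMaterial, String algorithm, boolean forceJce) {
        Objects.requireNonNull(output, "output");
        Objects.requireNonNull(keyMaterial, "keyMaterial");
        Objects.requireNonNull(algorithm, "algorithm");
        if (forceJce || !AES_ALGORITHM.equals(algorithm)) {
            return createDefaultEncryptedStream(output, keyMaterial, algorithm);
        }
        try {
            return createApacheEncryptedStream(output, keyMaterial);
        } catch (IOException e) {
            // Same logging policy as decrypt: terse WARN, full cause at DEBUG.
            log.warn("Unable to initialize cipher with OpenSSL, falling back to JCE implementation");
            log.debug("OpenSSL cipher initialization failed", e);
            return createDefaultEncryptedStream(output, keyMaterial, algorithm);
        }
    }

    /** Builds the commons-crypto CTR output stream; throws if that implementation cannot be initialized. */
    private static OutputStream createApacheEncryptedStream(OutputStream output, KeyMaterial keyMaterial)
            throws IOException {
        SecretKey secretKey = keyMaterial.getSecretKey();
        byte[] iv = keyMaterial.getIv();
        // getEncoded() hands the raw key bytes to the stream. Whether CtrCryptoOutputStream copies or retains
        // that array is not visible here, so it is intentionally not zeroed after construction — TODO confirm.
        return new CtrCryptoOutputStream(PROPS, output, secretKey.getEncoded(), iv);
    }

    /** Builds the JCE-backed encrypting stream via {@link SeekableCipherFactory}. */
    private static OutputStream createDefaultEncryptedStream(OutputStream output, KeyMaterial keyMaterial,
            String algorithm) {
        SeekableCipher cipher = SeekableCipherFactory.getCipher(algorithm, keyMaterial);
        return new CipherOutputStream(output, cipher.initCipher(Cipher.ENCRYPT_MODE));
    }

    /** Builds the JCE-backed decrypting input via {@link SeekableCipherFactory}; mirrors the encrypt helper. */
    private static SeekableInput createDefaultDecryptingInput(
            SeekableInput encryptedInput, KeyMaterial keyMaterial, String algorithm) {
        return new DecryptingSeekableInput(encryptedInput, SeekableCipherFactory.getCipher(algorithm, keyMaterial));
    }

    /**
     * Adapts a plain {@link InputStream} to {@link SeekableInput} for forward-only use: {@code read} and
     * {@code close} delegate to the stream, while {@code seek} and {@code getPos} are unsupported.
     */
    private static final class StreamSeekableInput implements SeekableInput {
        private final InputStream input;

        StreamSeekableInput(InputStream input) {
            this.input = input;
        }

        /** @throws UnsupportedOperationException always; the wrapped stream cannot be repositioned */
        @Override
        public void seek(long offset) {
            throw new UnsupportedOperationException();
        }

        /** @throws UnsupportedOperationException always; no position is tracked for the wrapped stream */
        @Override
        public long getPos() {
            throw new UnsupportedOperationException();
        }

        @Override
        public int read(byte[] bytes, int offset, int length) throws IOException {
            return input.read(bytes, offset, length);
        }

        @Override
        public void close() throws IOException {
            input.close();
        }
    }
}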