org.apache.nifi.security.repository.stream.aes

Class RepositoryObjectAESCTREncryptor

java.lang.Object

org.apache.nifi.security.repository.AbstractAESEncryptor

org.apache.nifi.security.repository.stream.aes.RepositoryObjectAESCTREncryptor

All Implemented Interfaces:

RepositoryObjectEncryptor, RepositoryObjectStreamEncryptor

public class RepositoryObjectAESCTREncryptor
extends AbstractAESEncryptor
implements RepositoryObjectStreamEncryptor

This implementation of the RepositoryObjectStreamEncryptor handles streaming data by accepting OutputStream and InputStream parameters and returning custom implementations which wrap the normal behavior with encryption/decryption logic transparently. This class should be used when a repository needs to persist and retrieve streaming data (i.e. content claims). For repositories handling limited blocks of data with the length known a priori (i.e. provenance records or flowfile attribute maps), use the RepositoryObjectAESGCMEncryptor which will provide authenticated encryption.

Field Summary

Fields

Modifier and Type	Field and Description
private static String	ALGORITHM
private static byte[]	EM_START_SENTINEL
private static org.slf4j.Logger	logger
private static List<String>	SUPPORTED_VERSIONS
private static String	VERSION

Fields inherited from class org.apache.nifi.security.repository.AbstractAESEncryptor

aesKeyedCipherProvider, EMPTY_IV, IV_LENGTH, keyProvider

Constructor Summary

Constructors

Constructor and Description
RepositoryObjectAESCTREncryptor()

Method Summary

Modifier and Type	Method and Description
InputStream	decrypt(InputStream encryptedInputStream, String streamId) Returns an InputStream which decrypts the content of the provided InputStream.
OutputStream	encrypt(OutputStream plainStream, String streamId, String keyId) Returns an OutputStream which encrypts the content of the provided OutputStream.
String	getNextKeyId() Returns a valid key identifier for this encryptor (valid for encryption and decryption) or throws an exception if none are available.

Methods inherited from class org.apache.nifi.security.repository.AbstractAESEncryptor

initialize, prepareObjectForDecryption

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.nifi.security.repository.stream.RepositoryObjectStreamEncryptor

initialize

Field Detail

logger

private static final org.slf4j.Logger logger

EM_START_SENTINEL

private static final byte[] EM_START_SENTINEL

ALGORITHM

private static String ALGORITHM

VERSION

private static final String VERSION

See Also:

Constant Field Values

SUPPORTED_VERSIONS

private static final List<String> SUPPORTED_VERSIONS

Constructor Detail

RepositoryObjectAESCTREncryptor

public RepositoryObjectAESCTREncryptor()

Method Detail

encrypt

public OutputStream encrypt(OutputStream plainStream,
                            String streamId,
                            String keyId)
                     throws EncryptionException

Returns an OutputStream which encrypts the content of the provided OutputStream. This method works on streams to allow for streaming data rather than blocks of bytes of a known length. It is recommended to use this for data like flowfile content claims, rather than provenance records or flowfile attribute maps.

Specified by:

encrypt in interface RepositoryObjectStreamEncryptor

Parameters:

plainStream - the plain OutputStream which is being written to

streamId - an identifier for this stream (eventId, generated, etc.)

keyId - the ID of the key to use

Returns:

a stream which will encrypt the data and include the RepositoryObjectEncryptionMetadata

Throws:

EncryptionException - if there is an issue encrypting this streaming repository object

decrypt

public InputStream decrypt(InputStream encryptedInputStream,
                           String streamId)
                    throws EncryptionException

Returns an InputStream which decrypts the content of the provided InputStream. The provided InputStream must contain a valid RepositoryObjectEncryptionMetadata object at the start of the stream. This method works on streams to allow for streaming data rather than blocks of bytes of a known length. It is recommended to use this for data like flowfile content claims, rather than provenance records or flowfile attribute maps.

Specified by:

decrypt in interface RepositoryObjectStreamEncryptor

Parameters:

encryptedInputStream - the encrypted InputStream (starting with the plaintext ROEM) which is being read from

streamId - an identifier for this stream (eventId, generated, etc.)

Returns:

a stream which will decrypt the data based on the data in the RepositoryObjectEncryptionMetadata

Throws:

EncryptionException - if there is an issue decrypting this streaming repository object

getNextKeyId

public String getNextKeyId()
                    throws KeyManagementException

Returns a valid key identifier for this encryptor (valid for encryption and decryption) or throws an exception if none are available.

Specified by:

getNextKeyId in interface RepositoryObjectStreamEncryptor

Returns:

the key ID

Throws:

KeyManagementException - if no available key IDs are valid for both operations