Package com.mku.salmon.streams
Class AesStream
java.lang.Object
com.mku.streams.RandomAccessStream
com.mku.salmon.streams.AesStream
Stream wrapper provides AES-256 encryption, decryption, and integrity verification of a data stream.
-
Nested Class Summary
Nested classes/interfaces inherited from class com.mku.streams.RandomAccessStream
RandomAccessStream.SeekOrigin -
Field Summary
Fields inherited from class com.mku.streams.RandomAccessStream
DEFAULT_BUFFER_SIZE -
Constructor Summary
ConstructorsConstructorDescriptionAesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream) Instantiate a new encrypted stream with a key, a nonce, and a base stream.AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format) Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally store the nonce information in the header, see EncryptionFormat.AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format, boolean integrity, byte[] hashKey) Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally enable integrity with a hash key and store the nonce and the integrity information in the header, see EncryptionFormat.AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format, boolean integrity, byte[] hashKey, int chunkSize) Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally enable integrity with a hash key and specified chunk size as well as store the nonce and the integrity information in the header, see EncryptionFormat. -
Method Summary
Modifier and TypeMethodDescriptionGet a native buffered stream to use with 3rd party libraries.booleancanRead()If the stream is readable (only if EncryptionMode is EncryptionMode.Decrypt)booleancanSeek()If the stream is seekable (supported only if base stream is seekable).booleancanWrite()If the stream is writable (only if EncryptionMode is EncryptionMode.Encrypt)voidclose()Closes the stream and all resources associated with it (including the base stream).voidflush()Flushes any buffered data to the base stream.static ProviderTypeGet the global AES provider type.intAlign size for performance calculating the integrity when available.longgetBlock()Returns the current block valueintReturns the chunk size used to apply hash signaturebyte[]Returns the current Counter value.Get the encryption mode seeEncryptionMode.byte[]Returns a copy of the hash key.byte[]getKey()Returns a copy of the encryption key.longProvides the length of the actual transformed data (minus the header and integrity data).byte[]getNonce()Returns a copy of the nonce.static longgetOutputSize(EncryptionMode mode, long length, EncryptionFormat format) Get the output size of the data to be transformed (encrypted or decrypted) including header and hashes.static longgetOutputSize(EncryptionMode mode, long length, EncryptionFormat format, int chunkSize) Get the output size of the data to be transformed (encrypted or decrypted) including header and hashes for the specified chunk size.longProvides the position of the stream relative to the data to be transformed.booleanIf the stream has integrity embedded.booleanGet the allowed range write option.booleanCheck if the stream has integrity enabled.intread(byte[] buffer, int offset, int count) Decrypts the data from the baseStream and stores them in the buffer provided.longseek(long offset, RandomAccessStream.SeekOrigin origin) Seek to a specific position on the stream.static voidsetAesProviderType(ProviderType aesProviderType) Set the global AES provider type.voidsetAllowRangeWrite(boolean value) Warning! Allow byte range encryption writes on a current stream.voidsetFailSilently(boolean value) Set to True if you want the stream to fail silently when integrity cannot be verified.voidsetLength(long value) Set the length of the base stream.voidsetPosition(long value) Sets the current position of the stream relative to the data to be transformed.voidwrite(byte[] buffer, int offset, int count) Encrypts the data from the buffer and writes the result to the baseStream.Methods inherited from class com.mku.streams.RandomAccessStream
copyTo, copyTo, copyTo, copyTo
-
Constructor Details
-
AesStream
public AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream) throws IOException Instantiate a new encrypted stream with a key, a nonce, and a base stream.If you read from the stream it will decrypt the data from the baseStream. If you write to the stream it will encrypt the data to the baseStream. The transformation is based on AES CTR Mode.
- Parameters:
key- The AES key that is used to encrypt decryptnonce- The nonce used for the initial counterencryptionMode- Encryption mode Encrypt or Decrypt this cannot change laterbaseStream- The base Stream that will be used to read the data- Throws:
IOException- Thrown if there is an IO error.SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.- See Also:
-
AesStream
public AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format) throws IOException Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally store the nonce information in the header, see EncryptionFormat.If you read from the stream it will decrypt the data from the baseStream. If you write to the stream it will encrypt the data to the baseStream. The transformation is based on AES CTR Mode.
- Parameters:
key- The AES key that is used to encrypt decryptnonce- The nonce used for the initial counterencryptionMode- Encryption mode Encrypt or Decrypt this cannot change laterbaseStream- The base Stream that will be used to read the dataformat- The format to use, seeEncryptionFormat- Throws:
IOException- Thrown if there is an IO error.SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.- See Also:
-
AesStream
public AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format, boolean integrity, byte[] hashKey) throws IOException Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally enable integrity with a hash key and store the nonce and the integrity information in the header, see EncryptionFormat.If you read from the stream it will decrypt the data from the baseStream. If you write to the stream it will encrypt the data to the baseStream. The transformation is based on AES CTR Mode.
- Parameters:
key- The AES key that is used to encrypt decryptnonce- The nonce used for the initial counter. If mode is Decrypt and format is Salmon then use null.encryptionMode- Encryption mode Encrypt or Decrypt this cannot change laterbaseStream- The base Stream that will be used to read the dataformat- The format to use, seeEncryptionFormatintegrity- True to enable integrity verificationhashKey- Hash key to be used with integrity- Throws:
IOException- Thrown if there is an IO error.SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.- See Also:
-
AesStream
public AesStream(byte[] key, byte[] nonce, EncryptionMode encryptionMode, RandomAccessStream baseStream, EncryptionFormat format, boolean integrity, byte[] hashKey, int chunkSize) throws IOException Instantiate a new encrypted stream with a key, a nonce, a base stream, and optionally enable integrity with a hash key and specified chunk size as well as store the nonce and the integrity information in the header, see EncryptionFormat.If you read from the stream it will decrypt the data from the baseStream. If you write to the stream it will encrypt the data to the baseStream. The transformation is based on AES CTR Mode.
Notes: The initial value of the counter is a result of the concatenation of an 12 byte nonce and an additional 4 bytes counter. The counter is then: incremented every block, encrypted by the key, and xored with the plain text.
- Parameters:
key- The AES key that is used to encrypt decryptnonce- The nonce used for the initial counterencryptionMode- Encryption mode Encrypt or Decrypt this cannot change laterbaseStream- The base Stream that will be used to read the dataformat- The format to use, seeEncryptionFormatintegrity- True to enable integrity verificationhashKey- Hash key to be used with integritychunkSize- the chunk size to be used with integrity- Throws:
IOException- Thrown if there is an IO error.SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.- See Also:
-
-
Method Details
-
getAlignSize
public int getAlignSize()Align size for performance calculating the integrity when available.- Overrides:
getAlignSizein classRandomAccessStream- Returns:
- The align size
-
getOutputSize
Get the output size of the data to be transformed (encrypted or decrypted) including header and hashes. This can be used for efficient memory pre-allocation.- Parameters:
mode- TheEncryptionModeEncrypt or Decrypt.length- The length of the data to transform.format- The format to use, seeEncryptionFormat- Returns:
- The size of the output data.
- Throws:
SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.
-
getOutputSize
public static long getOutputSize(EncryptionMode mode, long length, EncryptionFormat format, int chunkSize) Get the output size of the data to be transformed (encrypted or decrypted) including header and hashes for the specified chunk size. This can be used for efficient memory pre-allocation.- Parameters:
mode- TheEncryptionModeEncrypt or Decrypt.length- The length of the data to transform.format- The format to use, seeEncryptionFormatchunkSize- the chunk size to be used with integrity- Returns:
- The size of the output data.
- Throws:
SecurityException- Thrown if there is a security exceptionIntegrityException- Thrown if the data are corrupt or tampered with.
-
setAesProviderType
Set the global AES provider type. Supported types:ProviderType.- Parameters:
aesProviderType- The provider Type.
-
getAesProviderType
Get the global AES provider type. Supported types:ProviderType.- Returns:
- The provider Type.
-
getLength
public long getLength()Provides the length of the actual transformed data (minus the header and integrity data).- Specified by:
getLengthin classRandomAccessStream- Returns:
- The length of the stream.
-
getPosition
Provides the position of the stream relative to the data to be transformed.- Specified by:
getPositionin classRandomAccessStream- Returns:
- The current position of the stream.
- Throws:
IOException- Thrown if there is an IO error.
-
setPosition
Sets the current position of the stream relative to the data to be transformed.- Specified by:
setPositionin classRandomAccessStream- Parameters:
value- The new position- Throws:
IOException- Thrown if there is an IO error.
-
canRead
public boolean canRead()If the stream is readable (only if EncryptionMode is EncryptionMode.Decrypt)- Specified by:
canReadin classRandomAccessStream- Returns:
- True if mode is decryption.
-
canSeek
public boolean canSeek()If the stream is seekable (supported only if base stream is seekable).- Specified by:
canSeekin classRandomAccessStream- Returns:
- True if stream is seekable.
-
canWrite
public boolean canWrite()If the stream is writable (only if EncryptionMode is EncryptionMode.Encrypt)- Specified by:
canWritein classRandomAccessStream- Returns:
- True if mode is decryption.
-
hasIntegrity
public boolean hasIntegrity()If the stream has integrity embedded.- Returns:
- True if the stream has integrity embedded.
-
seek
Seek to a specific position on the stream. This does not include the header and any hash Signatures.- Specified by:
seekin classRandomAccessStream- Parameters:
offset- The offset that seek will useorigin- If it is Begin the offset will be the absolute position from the start of the stream If it is Current the offset will be added to the current position of the stream If it is End the offset will be the absolute position starting from the end of the stream.- Returns:
- The position after the seeking was complete.
- Throws:
IOException- Thrown if there is an IO error.
-
setLength
public void setLength(long value) Set the length of the base stream. Currently unsupported.- Specified by:
setLengthin classRandomAccessStream- Parameters:
value- The new length
-
flush
public void flush()Flushes any buffered data to the base stream.- Specified by:
flushin classRandomAccessStream
-
close
Closes the stream and all resources associated with it (including the base stream).- Specified by:
closein classRandomAccessStream- Throws:
IOException- Thrown if there is an IO error.
-
getCounter
public byte[] getCounter()Returns the current Counter value.- Returns:
- The current Counter value.
-
getBlock
public long getBlock()Returns the current block value- Returns:
- The current block
-
getKey
public byte[] getKey()Returns a copy of the encryption key.- Returns:
- The current key
-
getHashKey
public byte[] getHashKey()Returns a copy of the hash key.- Returns:
- The current hash key
-
getNonce
public byte[] getNonce()Returns a copy of the nonce.- Returns:
- The nonce.
-
getChunkSize
public int getChunkSize()Returns the chunk size used to apply hash signature- Returns:
- The chunk size
-
setAllowRangeWrite
public void setAllowRangeWrite(boolean value) Warning! Allow byte range encryption writes on a current stream. Overwriting is not a good idea because it will re-use the same IV. This is not recommended if you use the stream on storing files or generally data if prior version can be inspected by others. You should only use this setting for initial encryption with parallel streams and not for overwriting!- Parameters:
value- True to allow byte range encryption write operations
-
setFailSilently
public void setFailSilently(boolean value) Set to True if you want the stream to fail silently when integrity cannot be verified. In that case read() operations will return -1 instead of raising an exception. This prevents 3rd party code like media players from crashing.- Parameters:
value- True to fail silently.
-
read
Decrypts the data from the baseStream and stores them in the buffer provided.- Specified by:
readin classRandomAccessStream- Parameters:
buffer- The buffer that the data will be stored after decryptionoffset- The start position on the buffer that data will be written.count- The requested count of the data bytes that should be decrypted- Returns:
- The number of data bytes that were decrypted.
- Throws:
IOException- Thrown if there is an IO error.
-
write
Encrypts the data from the buffer and writes the result to the baseStream. If you are using integrity you will need to align all write operations to the chunk size otherwise align to the encryption block size.- Specified by:
writein classRandomAccessStream- Parameters:
buffer- The buffer that contains the data that will be encryptedoffset- The offset in the buffer that the bytes will be encrypted.count- The length of the bytes that will be encrypted.- Throws:
IOException- Thrown if there is an IO error.
-
asReadStream
Get a native buffered stream to use with 3rd party libraries.- Overrides:
asReadStreamin classRandomAccessStream- Returns:
- The native read stream
-
isIntegrityEnabled
public boolean isIntegrityEnabled()Check if the stream has integrity enabled.- Returns:
- True if integrity is enabled
-
getEncryptionMode
Get the encryption mode seeEncryptionMode.- Returns:
- The encryption mode
-
isAllowRangeWrite
public boolean isAllowRangeWrite()Get the allowed range write option. This can check if you can use random access write. This is generally not a good option since it prevents reusing the same nonce/counter.- Returns:
- True if the stream allowed to seek and write.
-