Skip to content

Latest commit

 

History

History
105 lines (80 loc) · 3.28 KB

cryptography-jce.adoc

File metadata and controls

105 lines (80 loc) · 3.28 KB
Raw

JCE Cryptography

The JCE strategy allows you to use cryptography capabilities in two ways:

  • PBE (Password-based encryption): Encrypt/sign content by providing only an encryption password.

  • Key-based Encryption: Similar to how PGP and XML encryption works, this lets you configure a symmetric or asymmetric key to perform encryption/signing operations.

PBE

This method applies a hash function over the provided password to generate a symmetric key that is compatible with standard encryption algorithms. Because PBE only requires a password, a global configuration element is not needed for the PBE operations.

Example: PBE Encryption
<crypto:jce-encrypt-pbe password="a-Sup3r_Secure-Passw0rd"/>

If no algorithm is specified, PBEWithHmacSHA256AndAES_128 is used.

Example: PBE Decryption
<crypto:jce-decrypt-pbe algorithm="PBEWithHmacSHA256AndAES_128" password="a-Sup3r_Secure-Passw0rd"/>
Example: PBE Signature
<crypto:jce-sign-pbe password="a-Sup3r_Secure-Passw0rd"/>

If no algorithm is specified, PBEWithHmacSHA256 is used.

Example: PBE Signature Validation
<crypto:jce-validate-pbe password="a-Sup3r_Secure-Passw0rd" algorithm="PBEWithHmacSHA256" expected="#[vars.expectedSignature]"/>

The expected parameter defines the signature to compare against when validating a message.

Key-Based Encryption

This section provides key-based encryption examples.

Configuration

In this example, a keystore with different type of keys is defined in a JCE configuration:

Example: JCE Configuration
<crypto:jce-config name="jceConfig" keystore="jce/keys.jceks" password="123456" type="JCEKS">
    <crypto:jce-key-infos>
        <crypto:jce-symmetric-key-info keyId="aes128" alias="aes128" password="123456"/>
        <crypto:jce-symmetric-key-info keyId="blowfish" alias="blowfish" password="123456"/>
        <crypto:jce-symmetric-key-info keyId="hmacsha256" alias="hmacsha256" password="123456"/>
        <crypto:jce-asymmetric-key-info keyId="rsa" alias="myrsakey" password="123456"/>
        <crypto:jce-asymmetric-key-info keyId="dsa" alias="mydsakey" password="123456"/>
    </crypto:jce-key-infos>
</crypto:jce-config>

Asymmetric

Example: Asymmetric Encryption
<crypto:jce-encrypt config-ref="jceConfig" keyId="rsa" algorithm="RSA"/>
Example: Asymmetric Decryption
<crypto:jce-decrypt config-ref="jceConfig" keyId="rsa" algorithm="RSA"/>

Symmetric

Example: Symmetric Encryption
<crypto:jce-encrypt config-ref="jceConfig" keyId="aes128" algorithm="AES"/>
Example: Symmetric Decryption
<crypto:jce-decrypt config-ref="jceConfig" keyId="aes128" algorithm="AES"/>

Signature

Example: Signing a Message
<crypto:jce-sign config-ref="jceConfig" keyId="dsa" algorithm="SHA256withDSA"/>
Example: Validating a Signature
<crypto:jce-validate config-ref="jceConfig" keyId="dsa" algorithm="SHA256withDSA" expected="#[vars.expectedSignature]"/>

The expected parameter defines the signature to compare against when validating a message.