Class DynamoDBEncryptor


  • public class DynamoDBEncryptor
    extends Object
    The low-level API used by AttributeEncryptor to perform crypto operations on the record attributes.
    Author:
    Greg Rubin
    • Method Detail

      • decryptAllFieldsExcept

        public Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                EncryptionContext context,
                String... doNotDecrypt)
            throws GeneralSecurityException
        Returns a decrypted version of the provided DynamoDb record. The signature is verified across all provided fields. All fields (except those listed in doNotDecrypt) are decrypted.
        Parameters:
        itemAttributes - the DynamoDbRecord
        context - additional information used to successfully select the encryption materials and decrypt the data. This should include (at least) the tableName and the materialDescription.
        doNotDecrypt - those fields which should not be decrypted
        Returns:
        a plaintext version of the DynamoDb record
        Throws:
        SignatureException - if the signature is invalid or cannot be verified
        GeneralSecurityException
      • allDecryptionFlagsExcept

        public Map<String, Set<EncryptionFlags>> allDecryptionFlagsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                String... doNotDecrypt)
        Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
        Parameters:
        doNotDecrypt - fields to be excluded
      • allDecryptionFlagsExcept

        public Map<String, Set<EncryptionFlags>> allDecryptionFlagsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                Collection<String> doNotDecrypt)
        Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
        Parameters:
        doNotDecrypt - fields to be excluded
      • encryptAllFieldsExcept

        public Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                EncryptionContext context,
                String... doNotEncrypt)
            throws GeneralSecurityException
        Returns an encrypted version of the provided DynamoDb record. All fields are signed. All fields (except those listed in doNotEncrypt) are encrypted.
        Parameters:
        itemAttributes - a DynamoDb Record
        context - additional information used to successfully select the encryption materials and encrypt the data. This should include (at least) the tableName.
        doNotEncrypt - those fields which should not be encrypted
        Returns:
        a ciphertext version of the DynamoDb record
        Throws:
        GeneralSecurityException
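        The encrypt/decrypt-except pair above in use, as an added example that is not part of the library's own documentation: the key attributes and one queryable attribute are excluded from encryption, yet the signature still covers them, so a change to a plaintext attribute in storage is caught on decrypt. It assumes the aws-dynamodb-encryption-java and aws-java-sdk-dynamodb artifacts on the classpath, with SymmetricStaticProvider(SecretKey, SecretKey) and EncryptionContext.Builder as found in that library; table and attribute names are constructed.

```java
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.EncryptionContext;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;
import java.security.GeneralSecurityException;
import java.security.SignatureException;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class ExceptFieldsDemo {
    // Constructed sample table and attribute names.
    static final String TABLE = "Orders", HASH_KEY = "customerId", RANGE_KEY = "orderId";

    public static void main(String[] args) throws GeneralSecurityException {
        // Fresh in-memory keys for the demo; a deployment would load them from KMS or a keystore.
        SecretKey aesKey = KeyGenerator.getInstance("AES").generateKey();
        SecretKey macKey = KeyGenerator.getInstance("HmacSHA256").generateKey();
        DynamoDBEncryptor encryptor =
                DynamoDBEncryptor.getInstance(new SymmetricStaticProvider(aesKey, macKey));
        Map<String, AttributeValue> record = new HashMap<>();
        record.put(HASH_KEY, new AttributeValue().withS("c-1001"));
        record.put(RANGE_KEY, new AttributeValue().withN("42"));
        record.put("status", new AttributeValue().withS("PAID"));    // stays plaintext so it can be queried
        record.put("cardLast4", new AttributeValue().withS("4242")); // encrypted

        // Key attributes must be excluded from encryption: DynamoDB needs their plaintext to
        // locate the item. They are still covered by the signature, as is "status".
        EncryptionContext ctx = new EncryptionContext.Builder()
                .withTableName(TABLE).withHashKeyName(HASH_KEY).withRangeKeyName(RANGE_KEY).build();
        Map<String, AttributeValue> stored =
                encryptor.encryptAllFieldsExcept(record, ctx, HASH_KEY, RANGE_KEY, "status");
        System.out.println("status readable in storage: " + stored.get("status").getS()
                + ", cardLast4 stored as bytes: " + (stored.get("cardLast4").getB() != null));

        // Decrypt with the same exclusions; the signature is verified over every field first.
        Map<String, AttributeValue> back =
                encryptor.decryptAllFieldsExcept(stored, ctx, HASH_KEY, RANGE_KEY, "status");
        System.out.println("cardLast4 after decrypt: " + back.get("cardLast4").getS());

        // Editing a field that was never encrypted still breaks the signature.
        Map<String, AttributeValue> tampered = new HashMap<>(stored);
        tampered.put("status", new AttributeValue().withS("REFUNDED"));
        try {
            encryptor.decryptAllFieldsExcept(tampered, ctx, HASH_KEY, RANGE_KEY, "status");
            System.out.println("unexpected: tampered record accepted");
        } catch (SignatureException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```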
      • allEncryptionFlagsExcept

        public Map<String, Set<EncryptionFlags>> allEncryptionFlagsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                String... doNotEncrypt)
        Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
        Parameters:
        doNotEncrypt - fields to be excluded
      • allEncryptionFlagsExcept

        public Map<String, Set<EncryptionFlags>> allEncryptionFlagsExcept(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                Collection<String> doNotEncrypt)
        Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
        Parameters:
        doNotEncrypt - fields to be excluded
      • encryptRecord

        public Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptRecord(
                Map<String, com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                Map<String, Set<EncryptionFlags>> attributeFlags,
                EncryptionContext context)
            throws GeneralSecurityException
        Returns the encrypted (and signed) record, which is a map of item attributes. There is no side effect on the input parameters upon calling this method.
        Parameters:
        itemAttributes - the input record
        attributeFlags - the corresponding encryption flags
        context - encryption context
        Returns:
        a new instance of item attributes encrypted as necessary
        Throws:
        GeneralSecurityException - if failed to encrypt the record
      • getBlockSize

        protected static int getBlockSize(String encryptionMode)
      • getSignatureFieldName

        public String getSignatureFieldName()
        Get the name of the DynamoDB field used to store the signature. Defaults to DEFAULT_SIGNATURE_FIELD.
        Returns:
        the name of the DynamoDB field used to store the signature
      • setSignatureFieldName

        public void setSignatureFieldName(String signatureFieldName)
        Set the name of the DynamoDB field used to store the signature.
        Parameters:
        signatureFieldName - the name of the DynamoDB field used to store the signature
      • getMaterialDescriptionFieldName

        public String getMaterialDescriptionFieldName()
        Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper. Defaults to DEFAULT_METADATA_FIELD.
        Returns:
        the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper
      • setMaterialDescriptionFieldName

        public void setMaterialDescriptionFieldName(String materialDescriptionFieldName)
        Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
        Parameters:
        materialDescriptionFieldName - the name of the DynamoDB field used to store the material description
      • marshallDescription

        protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(Map<String, String> description)
        Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
        Parameters:
        description - the material description to marshall
        Returns:
        the description encoded as an AttributeValue with a ByteBuffer value
        See Also:
        DataOutput.writeUTF(String)
      • getSigningAlgorithmHeader

        public String getSigningAlgorithmHeader()
      • unmarshallDescription

        protected static Map<String, String> unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)
        See Also:
        marshallDescription(Map)
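        The encoding that marshallDescription and unmarshallDescription document, as an added illustration using only the JDK (not the project's own code): a round-trip codec built on DataOutput.writeUTF and DataInput.readUTF, with a check that a clipped buffer is rejected rather than partially decoded. The description keys and values are constructed samples.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;
public class DescriptionCodec {
    // Each key, then its value, via writeUTF: 2-byte big-endian length plus modified UTF-8 bytes.
    static ByteBuffer marshall(Map<String, String> description) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (DataOutputStream out = new DataOutputStream(bos)) {
            for (Map.Entry<String, String> e : description.entrySet()) {
                out.writeUTF(e.getKey());
                out.writeUTF(e.getValue());
            }
        }
        return ByteBuffer.wrap(bos.toByteArray());
    }
    // Inverse: read pairs until the bytes run out. readUTF fails on a length prefix that points
    // past the end, and a key with no value is rejected here, so truncation is never silent.
    static Map<String, String> unmarshall(ByteBuffer buffer) throws IOException {
        byte[] bytes = new byte[buffer.remaining()];
        buffer.duplicate().get(bytes); // leave the caller's position untouched
        Map<String, String> result = new LinkedHashMap<>();
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(bytes))) {
            while (in.available() > 0) {
                String key = in.readUTF();
                if (in.available() == 0) {
                    throw new EOFException("description ends after key '" + key + "' with no value");
                }
                result.put(key, in.readUTF());
            }
        }
        return result;
    }
    public static void main(String[] args) throws IOException {
        Map<String, String> desc = new LinkedHashMap<>(); // constructed sample entries
        desc.put("env-alg", "AES/256");
        desc.put("sig-alg", "HmacSHA256/256");
        ByteBuffer encoded = marshall(desc);
        System.out.println(encoded.remaining() + " bytes, round-trips: " + desc.equals(unmarshall(encoded)));
        // Drop the last 3 bytes: the final value's length prefix no longer matches the data.
        ByteBuffer clipped = ByteBuffer.wrap(encoded.array(), 0, encoded.remaining() - 3);
        try { unmarshall(clipped); } catch (IOException e) { System.out.println("rejected: " + e); }
    }
}
```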
      • setEncryptionContextOverrideOperator

        public final void setEncryptionContextOverrideOperator(Function<EncryptionContext, EncryptionContext> encryptionContextOverrideOperator)
        Parameters:
        encryptionContextOverrideOperator - the nullable operator which will be used to override the EncryptionContext.
        See Also:
        EncryptionContextOperators