be.fgov.ehealth.etee.crypto.encrypt
Interface DataSealer

public interface DataSealer

A DataSealer is a thread safe object that can protect data that must be exchanged between two parties. It provides protection regarding the following aspects of the data:

• Confidentiality : only the addressee intended by the author (also called 'the recipient') can read the sealed data after decryption in the 'data unseal' process.
• Integrity : the data can not be changed unnoticed , i.e. verifications during the data unseal process will reveal any changes made to the data of the author.
• Authenticity : the sealed data contains the information regarding the author of the sealed data.

The protection it provides is intended for a short period, i.e. the time necessary to exchange the data between author and addressee. It is not intented to protect data stored for long periods.

A DataSealer has a strong association with an author, because it signs data with the private authentication key of the author Consequently a DataSealer must be created for each author. Use the DataSealerBuilder to create DataSealers. Once the DataSealer is created, it can be used for several messages, to different addressees. It can be used simultaniously by multiple threads.

To seal the data, i.e. protect the data, you need to pass to the seal operation :

• the dataToSeal.
• One or more encryption credentials. Each credential can be of following type
  • A Certificate (Asymmetric) known to belong to the recipient intented by the author.
  • A PublicKey (Asymmetric) and its (registration)KeyId (Base64 encoded), known to belong to the recipient intented by the author.
  • A SecretKey (Symmetric) and its (registration)KeyId (Base64 encoded), known or accessible by the recipient(s)

You need to pass at least one asymmetric or symmetric key.

The KEK ID will be readible included in the sealed message. In other words, the KEK ID is not encrypted. As such it can be used by the recipient to know which KEK to use in order to decrypt the sealed message. In some circumstances, you don't want to have the real identifier of the KEK of the message in the message. In that case you can pass a dummy value as KEK ID to the seal operation, and use another way of letting your recipient know which KEK to use to decrypt the message.

The dataToSeal can be a byte[] or an InputStream. Use the byte[] for small messages that can be loaded in memory in one take. Use the InputStream for bigger messages.
The result of a seal operation of the DataSealer is a CMS message according to the security policy of the eHealth Platform Belgium regarding End-To-End protection of data to exchange.
Note that one CMS message can have the data sealed for multiple addressees or multiple keys for the same addressee. In that case a Set of EncryptionCredentials must be passed to the seal operation.

See Also:

DataSealerBuilder

Method Summary

byte[]	seal(byte[] dataToSeal, EncryptionCredential... encryptionKeys) Seals the given message so that it can be exchanged safely with the owner(s) of the given encryption credential(s).
byte[]	seal(byte[] dataToSeal, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(byte[], EncryptionCredential...)
byte[]	seal(EncryptionToken etk, byte[] dataToSeal) Deprecated. Use seal(byte[], EncryptionCredential...)
byte[]	seal(EncryptionToken asymKek, byte[] dataToSeal, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(byte[], EncryptionCredential...)
void	seal(EncryptionToken asymKek, java.io.InputStream dataToSeal, java.io.OutputStream sealedData) Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)
void	seal(EncryptionToken asymKek, java.io.InputStream dataToSeal, java.io.OutputStream sealedData, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)
void	seal(java.io.InputStream dataToSeal, java.io.OutputStream sealedData, EncryptionCredential... encryptionKeys) Seals the given message so that it can be exchanged safely with the owner(s) of the given encryption credential(s).
void	seal(java.io.InputStream dataToSeal, java.io.OutputStream sealedData, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)
byte[]	seal(java.util.Set<EncryptionToken> asymKeks, byte[] dataToSeal) Deprecated. Use seal(byte[], EncryptionCredential...)
byte[]	seal(java.util.Set<EncryptionToken> asymKeks, byte[] dataToSeal, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(byte[], EncryptionCredential...)
void	seal(java.util.Set<EncryptionToken> asymKeks, java.io.InputStream dataToSeal, java.io.OutputStream sealedData) Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)
void	seal(java.util.Set<EncryptionToken> asymKeks, java.io.InputStream dataToSeal, java.io.OutputStream sealedData, javax.crypto.SecretKey symKek, java.lang.String base64encodedSymKekId) Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Method Detail

seal

byte[] seal(byte[] dataToSeal,
            EncryptionCredential... encryptionKeys)
            throws DataSealerException

Seals the given message so that it can be exchanged safely with the owner(s) of the given encryption credential(s).

Parameters:

dataToSeal - - the data to seal

encryptionKeys - - keys owned or known by the receiver(s) of the message, used to encrypt the data

Returns:

the sealed data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

void seal(java.io.InputStream dataToSeal,
          java.io.OutputStream sealedData,
          EncryptionCredential... encryptionKeys)
          throws DataSealerException

Seals the given message so that it can be exchanged safely with the owner(s) of the given encryption credential(s). Seals the data ready in the given InputStream and writes the sealed result into the given OutputStream.

Parameters:

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

encryptionKeys - - keys owned or known by the receiver(s) of the message, used to encrypt the data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
byte[] seal(EncryptionToken etk,
                       byte[] dataToSeal)
            throws DataSealerException

Deprecated. Use seal(byte[], EncryptionCredential...)

Seals the given data so that it can be exchanged safely to the owner of the given EncryptionToken.

Parameters:

dataToSeal - - the data to seal

etk - - the EncryptionToken of the addresee

Returns:

the sealed data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
byte[] seal(EncryptionToken asymKek,
                       byte[] dataToSeal,
                       javax.crypto.SecretKey symKek,
                       java.lang.String base64encodedSymKekId)
            throws DataSealerException

Deprecated. Use seal(byte[], EncryptionCredential...)

Seals the given data so that it can be exchanged safely to the owner of the given EncryptionToken and to the unknown addressee who has access to the SecretKey.

Parameters:

asymKek - - the EncryptionToken of a recipient.

dataToSeal - - the data to seal

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Returns:

the sealed data.

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
byte[] seal(java.util.Set<EncryptionToken> asymKeks,
                       byte[] dataToSeal)
            throws DataSealerException

Deprecated. Use seal(byte[], EncryptionCredential...)

Seals the given data so that it can be exchanged safely to the owners of the given EncryptionTokens.

Parameters:

dataToSeal - - the data to seal

asymKeks - - the EncryptionTokens of the addressees

Returns:

the sealed data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
byte[] seal(java.util.Set<EncryptionToken> asymKeks,
                       byte[] dataToSeal,
                       javax.crypto.SecretKey symKek,
                       java.lang.String base64encodedSymKekId)
            throws DataSealerException

Deprecated. Use seal(byte[], EncryptionCredential...)

Seals the given data so that it can be exchanged safely to the owners of the given EncryptionTokens and to the unknown addressee(s) who has access to the SecretKey.

Parameters:

asymKeks - - the EncryptionTokens of the addressees

dataToSeal - - the data to seal

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Returns:

the sealed data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
byte[] seal(byte[] dataToSeal,
                       javax.crypto.SecretKey symKek,
                       java.lang.String base64encodedSymKekId)
            throws DataSealerException

Deprecated. Use seal(byte[], EncryptionCredential...)

Seals the given data so that it can be exchanged safely to the unknown addressee(s) who has access to the SecretKey.

Parameters:

dataToSeal - - the data to seal

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Returns:

the sealed data

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
void seal(EncryptionToken asymKek,
                     java.io.InputStream dataToSeal,
                     java.io.OutputStream sealedData)
          throws DataSealerException

Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Seals a given message for a known addressee. Seals the data ready in the given InputStream and writes the sealed result into the given OutputStream.

Parameters:

asymKek - - the EncryptionToken of a recipient.

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
void seal(java.util.Set<EncryptionToken> asymKeks,
                     java.io.InputStream dataToSeal,
                     java.io.OutputStream sealedData)
          throws DataSealerException

Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Seals a given message for a set of known addressees.

Parameters:

asymKeks - - the EncryptionTokens of the known addressees

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
void seal(EncryptionToken asymKek,
                     java.io.InputStream dataToSeal,
                     java.io.OutputStream sealedData,
                     javax.crypto.SecretKey symKek,
                     java.lang.String base64encodedSymKekId)
          throws DataSealerException

Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Seals a given message for a known addressee and for unknown addressee(s) who have access to the secret key.

Parameters:

asymKek - - the EncryptionToken of a recipient.

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
void seal(java.util.Set<EncryptionToken> asymKeks,
                     java.io.InputStream dataToSeal,
                     java.io.OutputStream sealedData,
                     javax.crypto.SecretKey symKek,
                     java.lang.String base64encodedSymKekId)
          throws DataSealerException

Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Seals a given message for a set of known addressees and for unknown addressee(s) who have access to the secret key.

Parameters:

asymKeks - - the EncryptionTokens of the known addressees

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Throws:

DataSealerException - When the CMS message could not be generated.

seal

@Deprecated
void seal(java.io.InputStream dataToSeal,
                     java.io.OutputStream sealedData,
                     javax.crypto.SecretKey symKek,
                     java.lang.String base64encodedSymKekId)
          throws DataSealerException

Deprecated. Use seal(InputStream, OutputStream, EncryptionCredential...)

Seals a given message for unknown addressee(s) who have access to the secret key.

Parameters:

dataToSeal - the InputStream where the dataToSeal content is read from by the DataSealer. The given InputStream must implement the available() method.

sealedData - the OutputStream to which the sealed result is written by the DataSealer. When the sealing is finished, the OutputStream is not closed in here.

symKek - - the symmetric Key Encryption Key

base64encodedSymKekId - - the ID (base64 encoded) of the given SecretKey symKek

Throws:

DataSealerException - When the CMS message could not be generated.