com.cosmian.rest.abe

Class Abe

java.lang.Object

com.cosmian.rest.abe.Abe

public class Abe
extends Object

Attribute Based Encryption endpoints

Constructor Summary

Constructors

Constructor and Description
Abe(RestClient rest_client)

Method Summary

Modifier and Type	Method and Description
String[]	createMasterKeyPair(Policy policy) Generate inside the KMS, a master private and public key pair for the Policy
String	createUserDecryptionKey(AccessPolicy accessPolicy, String privateMasterKeyUniqueIdentifier) Create a User Decryption Key for the given AccessPolicy in the KMS
String	destroy(String uniqueIdentifier) Destroy a key in the KMS which makes it unavailable to use in the KMS to perform kmsEncrypt(String, byte[], Attr[]) or kmsDecrypt(String, byte[]) operations.
String	importPrivateMasterKey(String uniqueIdentifier, PrivateKey privateMasterKey, boolean replaceExisting) Import a Private Master Key in the KMS
String	importPublicMasterKey(String uniqueIdentifier, PublicKey publicMasterKey, boolean replaceExisting) Import a Public Master Key in the KMS
String	importUserDecryptionKey(String uniqueIdentifier, PrivateKey userDecryptionKey, boolean replaceExisting) Import a User Decryption Key in the KMS
byte[]	kmsDecrypt(String userDecryptionKeyUniqueIdentifier, byte[] encryptedData) Decrypt the data in the KMS using the given User Decryption Key The encryptedData should be made of 3 parts: - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content
byte[]	kmsDecrypt(String userDecryptionKeyUniqueIdentifier, byte[] encryptedData, Optional<byte[]> authenticationData) Decrypt the data in the KMS using the given User Decryption Key The encryptedData should be made of 3 parts: - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content
byte[]	kmsEncrypt(String publicMasterKeyUniqueIdentifier, byte[] data, Attr[] attributes) Encrypt data in the KMS using the given Policy Attributes (@see Attr) and Public Master Key.
byte[]	kmsEncrypt(String publicMasterKeyUniqueIdentifier, byte[] data, Attr[] attributes, Optional<byte[]> authenticationData) Encrypt data in the KMS using the given Policy Attributes (@see Attr) and Public Master Key.
PrivateKey	retrievePrivateMasterKey(String privateMasterKeyUniqueIdentifier) Retrieve the Master Private Key from the KMS
PublicKey	retrievePublicMasterKey(String publicMasterKeyUniqueIdentifier) Retrieve the Master Public Key from the KMS
PrivateKey	retrieveUserDecryptionKey(String userDecryptionKeyUniqueIdentifier) Retrieve a User Decryption Key from the KMS
String	revokeKey(String keyUniqueIdentifier) Revoke a key in the KMS which makes it unavailable to use in the KMS to perform kmsEncrypt(String, byte[], Attr[]) or kmsDecrypt(String, byte[]) operations.
String	rotateAttributes(String privateMasterKeyUniqueIdentifier, Attr[] policyAttributes) Rotate the given policy attributes.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

Abe

public Abe(RestClient rest_client)

Method Detail

createMasterKeyPair

public String[] createMasterKeyPair(Policy policy)
                             throws CosmianException

Generate inside the KMS, a master private and public key pair for the Policy

Parameters:

policy - the Key Policy

Returns:

a tuple containing the master private key UID and the master public key UID

Throws:

CosmianException - if the creation fails

retrievePrivateMasterKey

public PrivateKey retrievePrivateMasterKey(String privateMasterKeyUniqueIdentifier)
                                    throws CosmianException

Retrieve the Master Private Key from the KMS

Parameters:

privateMasterKeyUniqueIdentifier - the key UID

Returns:

the Private Key

Throws:

CosmianException - if the retrieval fails

importPrivateMasterKey

public String importPrivateMasterKey(String uniqueIdentifier,
                                     PrivateKey privateMasterKey,
                                     boolean replaceExisting)
                              throws CosmianException

Import a Private Master Key in the KMS

Parameters:

uniqueIdentifier - the UID of the key

privateMasterKey - the key

replaceExisting - if a key exists under this UID, replace it

Returns:

the UID of the imported key

Throws:

CosmianException - if the import fails

retrievePublicMasterKey

public PublicKey retrievePublicMasterKey(String publicMasterKeyUniqueIdentifier)
                                  throws CosmianException

Retrieve the Master Public Key from the KMS

Parameters:

publicMasterKeyUniqueIdentifier - the key UID

Returns:

the Public Key

Throws:

CosmianException - if the retrieval fails

importPublicMasterKey

public String importPublicMasterKey(String uniqueIdentifier,
                                    PublicKey publicMasterKey,
                                    boolean replaceExisting)
                             throws CosmianException

Import a Public Master Key in the KMS

Parameters:

uniqueIdentifier - the UID of the key

publicMasterKey - the key

replaceExisting - if a key exists under this UID, replace it

Returns:

the UID of the imported key

Throws:

CosmianException - if the import fails

createUserDecryptionKey

public String createUserDecryptionKey(AccessPolicy accessPolicy,
                                      String privateMasterKeyUniqueIdentifier)
                               throws CosmianException

Create a User Decryption Key for the given AccessPolicy in the KMS

Parameters:

accessPolicy - the AccessPolicy

privateMasterKeyUniqueIdentifier - the UID of the Master Private Key

Returns:

the UID of the newly created key

Throws:

CosmianException - if the creation fails

retrieveUserDecryptionKey

public PrivateKey retrieveUserDecryptionKey(String userDecryptionKeyUniqueIdentifier)
                                     throws CosmianException

Retrieve a User Decryption Key from the KMS

Parameters:

userDecryptionKeyUniqueIdentifier - the key UID

Returns:

the User Decryption Key

Throws:

CosmianException - if the retrieval fails

importUserDecryptionKey

public String importUserDecryptionKey(String uniqueIdentifier,
                                      PrivateKey userDecryptionKey,
                                      boolean replaceExisting)
                               throws CosmianException

Import a User Decryption Key in the KMS

Parameters:

uniqueIdentifier - the UID of the key

userDecryptionKey - the key

replaceExisting - if a key exists under this UID, replace it

Returns:

the UID of the imported key

Throws:

CosmianException - if the import fails

kmsEncrypt

public byte[] kmsEncrypt(String publicMasterKeyUniqueIdentifier,
                         byte[] data,
                         Attr[] attributes)
                  throws CosmianException

Encrypt data in the KMS using the given Policy Attributes (@see Attr) and Public Master Key. The data is encrypted using an hybrid encryption scheme + AÉS 256 GCM. No Metadata is added to the header and no resource uid is used in the AES AEAD scheme. The generated cipher text is made of 3 parts - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content

Parameters:

publicMasterKeyUniqueIdentifier - the UID of the Public Key

data - the data to encrypt

attributes - the Policy Attributes

Returns:

the encrypted data

Throws:

CosmianException - if the encryption fails

kmsEncrypt

public byte[] kmsEncrypt(String publicMasterKeyUniqueIdentifier,
                         byte[] data,
                         Attr[] attributes,
                         Optional<byte[]> authenticationData)
                  throws CosmianException

Encrypt data in the KMS using the given Policy Attributes (@see Attr) and Public Master Key. The data is encrypted using an hybrid encryption scheme + AÉS 256 GCM. The uid is used in the authentication of the AES GCM scheme. The generated cipher text is made of 3 parts - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content

Parameters:

publicMasterKeyUniqueIdentifier - the UID of the Public Key

data - the data to encrypt

attributes - the Policy Attributes

authenticationData - the UID uses in the AEAD of the symmetric scheme

Returns:

the encrypted data

Throws:

CosmianException - if the encryption fails

kmsDecrypt

public byte[] kmsDecrypt(String userDecryptionKeyUniqueIdentifier,
                         byte[] encryptedData)
                  throws CosmianException

Decrypt the data in the KMS using the given User Decryption Key The encryptedData should be made of 3 parts: - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content

Parameters:

userDecryptionKeyUniqueIdentifier - the key UID

encryptedData - the cipher text

Returns:

the clear text data

Throws:

CosmianException - if the decryption fails

kmsDecrypt

public byte[] kmsDecrypt(String userDecryptionKeyUniqueIdentifier,
                         byte[] encryptedData,
                         Optional<byte[]> authenticationData)
                  throws CosmianException

Decrypt the data in the KMS using the given User Decryption Key The encryptedData should be made of 3 parts: - the length of the encrypted header as a u32 in big endian format (4 bytes) - the header - the AES GCM encrypted content

Parameters:

userDecryptionKeyUniqueIdentifier - the key UID

encryptedData - the cipher text

authenticationData - the data to use in the authentication of the symmetric scheme

Returns:

the clear text data

Throws:

CosmianException - if the decryption fails

rotateAttributes

public String rotateAttributes(String privateMasterKeyUniqueIdentifier,
                               Attr[] policyAttributes)
                        throws CosmianException

Rotate the given policy attributes. This will rekey in the KMS:

• the Master Keys
• all User Decryption Keys that contain one of these attributes in their policy and are not rotated.

Non Rekeyed User Decryption Keys cannot decrypt ata encrypted with the rekeyed Master Public Key and the given attributes.
Rekeyed User Decryption Keys however will be able to decrypt data encrypted by the previous Master Public Key and the rekeyed one.
Note: there is a limit on the number of revocations that can be performed which is set in the Policy when Master Keys are created

Parameters:

privateMasterKeyUniqueIdentifier - the UID of the private master key

policyAttributes - the array of Attr

Returns:

the Master Public Key UID

Throws:

CosmianException - if the revocation fails

revokeKey

public String revokeKey(String keyUniqueIdentifier)
                 throws CosmianException

Revoke a key in the KMS which makes it unavailable to use in the KMS to perform kmsEncrypt(String, byte[], Attr[]) or kmsDecrypt(String, byte[]) operations.

If this key is a User Decryption Key, it will not be rekeyed in case of attribute revocation.

Note: this revokes the key **inside** the KMS: it does not prevent an user who has a local copy of a User Decryption Key to perform decryption operations.

Parameters:

keyUniqueIdentifier - the UID of the key to revoke

Returns:

the UID of the revoked key

Throws:

CosmianException - if the revocation fails

destroy

public String destroy(String uniqueIdentifier)
               throws CosmianException

Destroy a key in the KMS which makes it unavailable to use in the KMS to perform kmsEncrypt(String, byte[], Attr[]) or kmsDecrypt(String, byte[]) operations.

Note: this destroy the key **inside** the KMS: it does not prevent an user who has a local copy of a User Decryption Key to perform decryption operations.

Parameters:

uniqueIdentifier - the UID of the key to revoke

Returns:

the UID of the destroyed key

Throws:

CosmianException - if the destruction fails