DynamoDBEncryptor (aws-dynamodb-encryption-java

java.lang.Object
- com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor

```
public class DynamoDBEncryptor
extends Object
```
The low-level API used by AttributeEncryptor to perform crypto operations on the record attributes.
For guidance on performing a safe data model change procedure, please see DynamoDB Encryption Client Developer Guide: Changing your data model

Author:

Greg Rubin

Field Summary

Fields
Modifier and Type Field and Description

static String DEFAULT_SIGNING_ALGORITHM_HEADER

Fields
Modifier and Type	Field and Description
`static String`	`DEFAULT_SIGNING_ALGORITHM_HEADER`

Constructor Summary

Constructors
Modifier Constructor and Description

protected DynamoDBEncryptor(EncryptionMaterialsProvider provider, String descriptionBase)

Constructors
Modifier	Constructor and Description
`protected`	`DynamoDBEncryptor(EncryptionMaterialsProvider provider, String descriptionBase)`

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`Map<String,Set<EncryptionFlags>>`	`allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotDecrypt)` Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
`Map<String,Set<EncryptionFlags>>`	`allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotDecrypt)` Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.
`Map<String,Set<EncryptionFlags>>`	`allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Collection<String> doNotEncrypt)` Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
`Map<String,Set<EncryptionFlags>>`	`allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, String... doNotEncrypt)` Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotDecrypt)`
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotDecrypt)` Returns a decrypted version of the provided DynamoDb record.
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`decryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String,Set<EncryptionFlags>> attributeFlags, EncryptionContext context)`
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, Collection<String> doNotEncrypt)`
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, EncryptionContext context, String... doNotEncrypt)` Returns an encrypted version of the provided DynamoDb record.
`Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue>`	`encryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes, Map<String,Set<EncryptionFlags>> attributeFlags, EncryptionContext context)` Returns the encrypted (and signed) record, which is a map of item attributes.
`protected static int`	`getBlockSize(String encryptionMode)`
`Function<EncryptionContext,EncryptionContext>`	`getEncryptionContextOverrideOperator()`
`static DynamoDBEncryptor`	`getInstance(EncryptionMaterialsProvider provider)`
`static DynamoDBEncryptor`	`getInstance(EncryptionMaterialsProvider provider, String descriptionbase)`
`String`	`getMaterialDescriptionFieldName()` Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper.
`String`	`getSignatureFieldName()` Get the name of the DynamoDB field used to store the signature.
`String`	`getSigningAlgorithmHeader()`
`protected static com.amazonaws.services.dynamodbv2.model.AttributeValue`	`marshallDescription(Map<String,String> description)` Marshalls the `description` into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).
`void`	`setEncryptionContextOverrideOperator(Function<EncryptionContext,EncryptionContext> encryptionContextOverrideOperator)`
`void`	`setMaterialDescriptionFieldName(String materialDescriptionFieldName)` Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper
`void`	`setSignatureFieldName(String signatureFieldName)` Set the name of the DynamoDB field used to store the signature.
`protected static Map<String,String>`	`unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- DEFAULT_SIGNING_ALGORITHM_HEADER
```
public static final String DEFAULT_SIGNING_ALGORITHM_HEADER
```
  See Also:
  
  Constant Field Values

Constructor Detail

DynamoDBEncryptor

protected DynamoDBEncryptor(EncryptionMaterialsProvider provider,
                            String descriptionBase)

Method Detail

getInstance

public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider,
                                            String descriptionbase)

getInstance

public static DynamoDBEncryptor getInstance(EncryptionMaterialsProvider provider)

decryptAllFieldsExcept

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                 EncryptionContext context,
                                                                                                 String... doNotDecrypt)
                                                                                          throws GeneralSecurityException

Returns a decrypted version of the provided DynamoDb record. The signature is verified across all provided fields. All fields (except those listed in doNotEncrypt are decrypted.

Parameters:: itemAttributes - the DynamoDbRecord; context - additional information used to successfully select the encryption materials and decrypt the data. This should include (at least) the tableName and the materialDescription.; doNotDecrypt - those fields which should not be encrypted
Returns:: a plaintext version of the DynamoDb record
Throws:: SignatureException - if the signature is invalid or cannot be verified; GeneralSecurityException

decryptAllFieldsExcept

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                 EncryptionContext context,
                                                                                                 Collection<String> doNotDecrypt)
                                                                                          throws GeneralSecurityException

Throws:: GeneralSecurityException
See Also:: decryptAllFieldsExcept(Map, EncryptionContext, String...)

allDecryptionFlagsExcept

public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                 String... doNotDecrypt)

Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:: doNotDecrypt - fields to be excluded

allDecryptionFlagsExcept

public Map<String,Set<EncryptionFlags>> allDecryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                 Collection<String> doNotDecrypt)

Returns the decryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:: doNotDecrypt - fields to be excluded

encryptAllFieldsExcept

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                 EncryptionContext context,
                                                                                                 String... doNotEncrypt)
                                                                                          throws GeneralSecurityException

Returns an encrypted version of the provided DynamoDb record. All fields are signed. All fields (except those listed in doNotEncrypt) are encrypted.

Parameters:: itemAttributes - a DynamoDb Record; context - additional information used to successfully select the encryption materials and encrypt the data. This should include (at least) the tableName.; doNotEncrypt - those fields which should not be encrypted
Returns:: a ciphertext version of the DynamoDb record
Throws:: GeneralSecurityException

encryptAllFieldsExcept

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptAllFieldsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                                 EncryptionContext context,
                                                                                                 Collection<String> doNotEncrypt)
                                                                                          throws GeneralSecurityException

Throws:: GeneralSecurityException

allEncryptionFlagsExcept

public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                 String... doNotEncrypt)

Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:: doNotEncrypt - fields to be excluded

allEncryptionFlagsExcept

public Map<String,Set<EncryptionFlags>> allEncryptionFlagsExcept(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                 Collection<String> doNotEncrypt)

Returns the encryption flags for all item attributes except for those explicitly specified to be excluded.

Parameters:: doNotEncrypt - fields to be excluded

decryptRecord

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> decryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                        Map<String,Set<EncryptionFlags>> attributeFlags,
                                                                                        EncryptionContext context)
                                                                                 throws GeneralSecurityException

Throws:: GeneralSecurityException

encryptRecord

public Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> encryptRecord(Map<String,com.amazonaws.services.dynamodbv2.model.AttributeValue> itemAttributes,
                                                                                        Map<String,Set<EncryptionFlags>> attributeFlags,
                                                                                        EncryptionContext context)
                                                                                 throws GeneralSecurityException

Returns the encrypted (and signed) record, which is a map of item attributes. There is no side effect on the input parameters upon calling this method.

Parameters:: itemAttributes - the input record; attributeFlags - the corresponding encryption flags; context - encryption context
Returns:: a new instance of item attributes encrypted as necessary
Throws:: GeneralSecurityException - if failed to encrypt the record

getBlockSize

protected static int getBlockSize(String encryptionMode)

getSignatureFieldName
```
public String getSignatureFieldName()
```
Get the name of the DynamoDB field used to store the signature. Defaults to DEFAULT_SIGNATURE_FIELD.

Returns:

the name of the DynamoDB field used to store the signature

setSignatureFieldName
```
public void setSignatureFieldName(String signatureFieldName)
```
Set the name of the DynamoDB field used to store the signature.

Parameters:

signatureFieldName -

getMaterialDescriptionFieldName
```
public String getMaterialDescriptionFieldName()
```
Get the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper. Defaults to DEFAULT_METADATA_FIELD.

Returns:

the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper

setMaterialDescriptionFieldName
```
public void setMaterialDescriptionFieldName(String materialDescriptionFieldName)
```
Set the name of the DynamoDB field used to store metadata used by the DynamoDBEncryptedMapper

Parameters:

materialDescriptionFieldName -

marshallDescription
```
protected static com.amazonaws.services.dynamodbv2.model.AttributeValue marshallDescription(Map<String,String> description)
```
Marshalls the description into a ByteBuffer by outputting each key (modified UTF-8) followed by its value (also in modified UTF-8).

Parameters:

description -

Returns:

the description encoded as an AttributeValue with a ByteBuffer value

See Also:

DataOutput.writeUTF(String)

getSigningAlgorithmHeader

public String getSigningAlgorithmHeader()

unmarshallDescription

protected static Map<String,String> unmarshallDescription(com.amazonaws.services.dynamodbv2.model.AttributeValue attributeValue)

See Also:: marshallDescription(Map)

setEncryptionContextOverrideOperator
```
public final void setEncryptionContextOverrideOperator(Function<EncryptionContext,EncryptionContext> encryptionContextOverrideOperator)
```
Parameters:

encryptionContextOverrideOperator - the nullable operator which will be used to override the EncryptionContext.

See Also:

EncryptionContextOperators

getEncryptionContextOverrideOperator
```
public final Function<EncryptionContext,EncryptionContext> getEncryptionContextOverrideOperator()
```
Returns:

the operator used to override the EncryptionContext

See Also:

setEncryptionContextOverrideOperator(Function)

Class DynamoDBEncryptor

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

DEFAULT_SIGNING_ALGORITHM_HEADER

Constructor Detail

DynamoDBEncryptor

Method Detail

getInstance

getInstance

decryptAllFieldsExcept

decryptAllFieldsExcept

allDecryptionFlagsExcept

allDecryptionFlagsExcept

encryptAllFieldsExcept

encryptAllFieldsExcept

allEncryptionFlagsExcept

allEncryptionFlagsExcept

decryptRecord

encryptRecord

getBlockSize

getSignatureFieldName

setSignatureFieldName

getMaterialDescriptionFieldName

setMaterialDescriptionFieldName

marshallDescription

getSigningAlgorithmHeader

unmarshallDescription

setEncryptionContextOverrideOperator

getEncryptionContextOverrideOperator