Package com.axelor.common.crypto

Class BytesEncryptorPbkdf2Sha256

java.lang.Object
com.axelor.common.crypto.BytesEncryptorPbkdf2Sha256
All Implemented Interfaces:
Encryptor<byte[],byte[]>
public class BytesEncryptorPbkdf2Sha256 extends Object
AES encryptor operating on raw byte arrays using PBKDF2WithHmacSHA256 key derivation, supporting CBC and GCM operation modes.

A fresh 16-byte salt and IV are generated for every Encryptor.encrypt(byte[]) call, ensuring unique ciphertext even for identical plaintext with the same password.

Both CBC and GCM modes share the same binary payload layout. The IV is always randomly generated and stored in the payload regardless of the mode. The IV size differs per mode: 12 bytes for GCM (NIST SP 800-38D recommendation) and 16 bytes for CBC (AES block size): 

 | $AESv1$ (7 bytes) | iterations (4 bytes) | salt_size (1 byte) | iv_size (1 byte) | salt (n bytes) | iv (n bytes) | encrypted_data |

Use the factory methods to select the AES operation mode:

  • gcm(String) — AES/GCM/NoPadding (recommended: provides authenticated encryption)
  • cbc(String) — AES/CBC/PKCS5Padding

The default constructor uses GCM.

  • Field Details

  • Constructor Details

    • BytesEncryptorPbkdf2Sha256

      public BytesEncryptorPbkdf2Sha256(String password)
      Creates a GCM encryptor with the given password.

    • BytesEncryptorPbkdf2Sha256

      public BytesEncryptorPbkdf2Sha256(OperationMode mode, String password)
      Creates an encryptor for the given mode and password

    • BytesEncryptorPbkdf2Sha256

      public BytesEncryptorPbkdf2Sha256(OperationMode mode, String password, int iterations)
      Creates an encryptor for the given mode, password, and iteration count.
      Parameters:
      mode - the AES operation mode (GCM or CBC)
      password - the password used for PBKDF2 key derivation
      iterations - the PBKDF2 iteration count

    • BytesEncryptorPbkdf2Sha256

      public BytesEncryptorPbkdf2Sha256(OperationMode mode, String password, int iterations, int saltSize)
      Creates an encryptor with a custom salt size.
      Parameters:
      mode - the AES operation mode (GCM or CBC)
      password - the password used for PBKDF2 key derivation
      iterations - the PBKDF2 iteration count
      saltSize - the salt length in bytes

  • Method Details

    • gcm

      public static BytesEncryptorPbkdf2Sha256 gcm(String password)
      Creates a GCM encryptor with the given password.

    • cbc

      public static BytesEncryptorPbkdf2Sha256 cbc(String password)
      Creates a CBC encryptor with the given password .

    • getTransformation

      public String getTransformation()
      Returns the JCE transformation string (e.g. AES/GCM/NoPadding) used by this encryptor.

    • isEncrypted

      public boolean isEncrypted(byte[] bytes)
      Description copied from interface: Encryptor
      Check whether the given message is already encrypted or not.
      Specified by:
      isEncrypted in interface Encryptor<byte[],byte[]>
      Parameters:
      bytes - the message to check
      Returns:
      true if encrypted

    • encrypt

      public byte[] encrypt(byte[] bytes)
      Description copied from interface: Encryptor
      Encrypt the given message.
      Specified by:
      encrypt in interface Encryptor<byte[],byte[]>
      Parameters:
      bytes - the message to encrypt
      Returns:
      encrypted message

    • decrypt

      public byte[] decrypt(byte[] bytes)
      Description copied from interface: Encryptor
      Decrypt the given encrypted message.
      Specified by:
      decrypt in interface Encryptor<byte[],byte[]>
      Parameters:
      bytes - the encrypted message to decrypt
      Returns:
      decrypted message