-
Notifications
You must be signed in to change notification settings - Fork 460
EncryptionRecipes
Demonstrates how to use different encryption and signing algorithms in Apex
Group Encryption Recipes
public static final AES_KEYBlob
public static final HMAC_KEYBlob
public static final DIGITAL_SIGNATURE_PRIVATE_KEYBlob
public static final DIGITAL_SIGNATURE_PUBLIC_KEYBlob
AURAENABLED
Encrypts data using AES algorithm, which needs a symmetric key to be shared with the receiver. In this case the initialization vector is managed by Salesforce.
public static Blob encryptAES256WithManagedIVRecipe(Blob dataToEncrypt)| Name | Type | Description |
|---|---|---|
| dataToEncrypt | Blob | Blob that contains the data to encrypt |
Blob
Blob dataToEncrypt = Blob.valueOf('Test data');
Blob encryptedData = EncryptionRecipes.encryptAES256WithManagedIVRecipe(dataToEncrypt);
System.debug(EncodingUtil.base64Encode(encryptedData));AURAENABLED
Encrypts data using AES algorithm, which needs a symmetric key to be shared with the receiver. In this case the initialization vector will be the first 128 bits (16 bytes) of the received data.
public static Blob decryptAES256WithManagedIVRecipe(Blob dataToDecrypt)| Name | Type | Description |
|---|---|---|
| dataToDecrypt | Blob | Blob that contains the data to be decrypted |
Blob
Blob decryptedData = EncryptionRecipes.decryptAES256WithManagedIVRecipe(encryptedData);
System.debug(decryptedData.toString());AURAENABLED
Encrypts data using AES algorithm, which needs a symmetric key to be shared with the receiver. In this case the initialization vector is specified by the sender. It needs to be random and 16 bytes (128 bits).
public static Blob encryptAES256Recipe(Blob dataToEncrypt, Blob initializationVector)| Name | Type | Description |
|---|---|---|
| dataToEncrypt | Blob | Blob that contains the data to encrypt |
| initializationVector | Blob |
Blob
Blob initializationVector = EncryptionRecipes.generateInitializationVector();
Blob dataToEncrypt = Blob.valueOf('Test data');
Blob encryptedData = EncryptionRecipes.encryptAES256Recipe(dataToEncrypt, initializationVector);
System.debug(EncodingUtil.base64Encode(encryptedData));AURAENABLED
Encrypts data using AES algorithm, which needs a symmetric key to be shared with the receiver. In this case the sender needs to share the initialization vector with the receiver.
public static Blob decryptAES256Recipe(Blob dataToDecrypt)| Name | Type | Description |
|---|---|---|
| dataToDecrypt | Blob | Blob that contains the data to be decrypted |
Blob
Blob decryptedData = EncryptionRecipes.decryptAES256Recipe(encryptedData);
System.debug(decryptedData.toString());Aux method to generate a random initialization vector.
public static Blob generateInitializationVector()Blob
AURAENABLED
Generates one-way hash digest that can be checked in destination to ensure integrity.
public static Blob generateSHA512HashRecipe(Blob dataToHash)| Name | Type | Description |
|---|---|---|
| dataToHash | Blob |
Blob
Blob dataToHash = Blob.valueOf('Test data');
Blob hash = EncryptionRecipes.generateSHA512HashRecipe();
System.debug(EncodingUtil.base64Encode(hash));AURAENABLED
Recomputes hash digest for and compares it with the received one, throwing an exception if they're not equal.
public static void checkSHA512HashRecipe(Blob hash, Blob dataToCheck)| Name | Type | Description |
|---|---|---|
| hash | Blob | Blob that contains the received hash |
| dataToCheck | Blob | Blob that contains the data to check the hash for |
void
try {
EncryptionRecipes.checkSHA512HashRecipe(hash, corruptedData);
} catch(Exception e) {
// Should log exception
System.debug(e.getMessage());
}AURAENABLED
Generates one-way HMAC (using a symmetric key) that can be checked in destination to ensure integrity and authenticity.
public static Blob generateHMACSHA512Recipe(Blob dataToHmac)| Name | Type | Description |
|---|---|---|
| dataToHmac | Blob | Blob that contains some data for which to generate an HMAC |
Blob
Blob dataToHmac = Blob.valueOf('Test data');
Blob hmac = EncryptionRecipes.generateHMACSHA512Recipe();
System.debug(EncodingUtil.base64Encode(hmac));AURAENABLED
Recomputes HMAC using the symmetric key and compares it with the received one, throwing an exception if they're not equal.
public static void checkHMACSHA512Recipe(Blob hmac, Blob dataToCheck)| Name | Type | Description |
|---|---|---|
| hmac | Blob | Blob that contains the received hmac |
| dataToCheck | Blob | Blob that contains the data to check the hmac for |
void
try {
EncryptionRecipes.checkHMACSHA512Recipe(hmac, corruptedData);
} catch(Exception e) {
// Should log exception
System.debug(e.getMessage());
}AURAENABLED
Generates one-way Digital Signature (encrypted with an asymmetric key) that can be checked in destination to ensure integrity, authenticity and non-repudiation.
public static Blob generateRSASHA512DigitalSignatureRecipe(Blob dataToSign)| Name | Type | Description |
|---|---|---|
| dataToSign | Blob | Blob that contains some data to sign |
Blob
Blob dataToSign = Blob.valueOf('Test data');
Blob signature = EncryptionRecipes.generateRSASHA512DigitalSignatureRecipe();
System.debug(EncodingUtil.base64Encode(signature));AURAENABLED
Recomputes Digital Signature for and compares it with the received one, throwing an exception if they're not equal.
public static void checkRSASHA512DigitalSignatureRecipe(Blob signature, Blob dataToCheck)| Name | Type | Description |
|---|---|---|
| signature | Blob | Blob that contains the received signature |
| dataToCheck | Blob | Blob that contains the data to check the signature for |
void
try {
EncryptionRecipes.checkRSASHA512DigitalSignatureRecipe(signature, corruptedData);
} catch(Exception e) {
// Should log exception
System.debug(e.getMessage());
}AURAENABLED
Encrypts the message with AES and then generates Digital Signature (encrypted with an asymmetric key) that can be checked in destination. This ensure confidentiality, integrity, authenticity and non-repudiation.
public static EncryptedAndSignedData encryptAES256AndGenerateRSASHA512DigitalSignRecipe(Blob dataToEncryptAndSign)| Name | Type | Description |
|---|---|---|
| dataToEncryptAndSign | Blob | Blob that contains some data to encrypt and sign |
EncryptedAndSignedData
Blob dataToEncryptAndSign = Blob.valueOf('Test data');
EncryptedAndSignedData wrapper = EncryptionRecipes.encryptAES256AndGenerateRSASHA512DigitalSignRecipe();
System.debug(EncodingUtil.base64Encode(wrapper.encryptedData));
System.debug(EncodingUtil.base64Encode(wrapper.signature));AURAENABLED
Decrypts the message and verifies its Digital Signature.
public static Blob decryptAES256AndCheckRSASHA512DigitalSignRecipe(Blob signature, Blob dataToDecryptAndCheck)| Name | Type | Description |
|---|---|---|
| signature | Blob | Blob that contains the received signature |
| dataToDecryptAndCheck | Blob | Blob that contains the data to check the signature for |
Blob
Decrypted data
try {
EncryptionRecipes.decryptAES256AndCheckRSASHA512DigitalSignRecipe(signature, corruptedData);
} catch(Exception e) {
// Should log exception
System.debug(e.getMessage());
}Comparisons which involve cryptography need to be performed in constant time using specialized functions to avoid timing attack effects. https://en.wikipedia.org/wiki/Timing_attack
public static boolean areEqualConstantTime(String first, String second)| Name | Type | Description |
|---|---|---|
| first | String | first String to compare |
| second | String | second String to compare |
boolean
True if strings are equal
Internal custom exception class
public encryptedDataBlob
public signatureBlob
| Value | Description |
|---|---|
| AES128 | |
| AES192 | |
| AES256 |
| Value | Description |
|---|---|
| MD5 | |
| SHA1 | |
| SHA256 | |
| SHA512 |
| Value | Description |
|---|---|
| HMACMD5 | |
| HMACSHA1 | |
| HMACSHA256 | |
| HMACSHA512 |
| Value | Description |
|---|---|
| RSA | |
| RSA_SHA1 | |
| RSA_SHA256 | |
| RSA_SHA384 | |
| RSA_SHA512 | |
| ECDSA_SHA256 | |
| ECDSA_SHA384 | |
| ECDSA_SHA512 |