EncryptionRecipes
Demonstrates how to use different encryption and signing algorithms in Apex
Group: Encryption Recipes

public static Blob encryptAES256WithManagedIVRecipe(Blob dataToEncrypt)
@AuraEnabled
Encrypts data using the AES-256 algorithm, which needs a symmetric key to be shared with the receiver. In this case the initialization vector is generated and managed by Salesforce, which prepends it to the returned ciphertext.

Param | Description
---|---
dataToEncrypt | Blob that contains the data to encrypt

Type | Description
---|---
Blob | Blob that contains the initialization vector followed by the encrypted data

```apex
Blob dataToEncrypt = Blob.valueOf('Test data');
Blob encryptedData = EncryptionRecipes.encryptAES256WithManagedIVRecipe(dataToEncrypt);
System.debug(EncodingUtil.base64Encode(encryptedData));
```

public static Blob decryptAES256WithManagedIVRecipe(Blob dataToDecrypt)
@AuraEnabled
Decrypts data that was encrypted with the AES-256 algorithm and a Salesforce-managed initialization vector. In this case the initialization vector is taken from the first 128 bits (16 bytes) of the received data, so the caller passes the ciphertext exactly as returned by encryptAES256WithManagedIVRecipe.

Param | Description
---|---
dataToDecrypt | Blob that contains the initialization vector followed by the data to be decrypted

Type | Description
---|---
Blob | Blob that contains the decrypted data

```apex
// encryptedData as returned by encryptAES256WithManagedIVRecipe above
Blob decryptedData = EncryptionRecipes.decryptAES256WithManagedIVRecipe(encryptedData);
System.debug(decryptedData.toString());
```

public static Blob encryptAES256Recipe(Blob dataToEncrypt, Blob initializationVector)
@AuraEnabled
Encrypts data using the AES-256 algorithm, which needs a symmetric key to be shared with the receiver. In this case the initialization vector is specified by the sender. It needs to be random and 16 bytes (128 bits) long, and it must be generated afresh for every message: reusing an initialization vector with the same key lets an observer tell which messages start with the same bytes.

Param | Description
---|---
dataToEncrypt | Blob that contains the data to encrypt
initializationVector | Blob that contains a random 16-byte initialization vector (see generateInitializationVector)

Type | Description
---|---
Blob | Blob that contains the encrypted data

```apex
Blob initializationVector = EncryptionRecipes.generateInitializationVector();
Blob dataToEncrypt = Blob.valueOf('Test data');
Blob encryptedData = EncryptionRecipes.encryptAES256Recipe(dataToEncrypt, initializationVector);
System.debug(EncodingUtil.base64Encode(encryptedData));
```

public static Blob decryptAES256Recipe(Blob dataToDecrypt)
@AuraEnabled
Decrypts data that was encrypted with the AES-256 algorithm and a sender-specified initialization vector. In this case the sender needs to share the initialization vector with the receiver; since this method accepts only the received data, the vector has to arrive together with it. The initialization vector is not secret, so it can travel in the clear, but it must be the exact 16 bytes the sender used.

Param | Description
---|---
dataToDecrypt | Blob that contains the data to be decrypted

Type | Description
---|---
Blob | Blob that contains the decrypted data

```apex
// encryptedData as returned by encryptAES256Recipe above
Blob decryptedData = EncryptionRecipes.decryptAES256Recipe(encryptedData);
System.debug(decryptedData.toString());
```

public static Blob generateInitializationVector()
Aux method to generate a random 16-byte (128-bit) initialization vector for encryptAES256Recipe.

Type | Description
---|---
Blob | Blob that contains 16 random bytes

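The two AES-256 variants above, together with generateInitializationVector, describe one procedure: pick a fresh 16-byte IV, encrypt, ship the IV with the ciphertext, and split it off again on the receiving side. The class below is an added example written for this page (it is not code from the apex-recipes project) that walks through that procedure with the Apex Crypto class directly and confirms that the managed-IV output is the IV followed by the ciphertext. The class name, the helper names and the in-line demo key are assumptions made here; in a real org the key must be persisted and shared out of band rather than generated per transaction.

```apex
// Added example for this page, not code from the apex-recipes project.
// Assumed names: AesIvTransportDemo, slice, concat, encryptWithExplicitIv,
// decryptWithExplicitIv. AES_KEY is a demo placeholder.
public class AesIvTransportDemo {
    public class DemoException extends Exception {}

    // Demo-only key, regenerated every transaction, so nothing encrypted in an
    // earlier transaction could ever be decrypted. A real org persists the key
    // (for example in a protected custom setting) and shares it out of band.
    private static final Blob AES_KEY = Crypto.generateAesKey(256);
    private static final Integer IV_BYTES = 16;    // AES block size
    private static final Integer BLOCK_BYTES = 16;

    // Apex has no byte-level Blob access, so slicing and joining go through
    // hex encoding: two hex characters per byte.
    private static Blob slice(Blob data, Integer startByte, Integer endByte) {
        String hex = EncodingUtil.convertToHex(data);
        return EncodingUtil.convertFromHex(hex.substring(startByte * 2, endByte * 2));
    }

    private static Blob concat(Blob a, Blob b) {
        return EncodingUtil.convertFromHex(
            EncodingUtil.convertToHex(a) + EncodingUtil.convertToHex(b));
    }

    // Sender-chosen IV: 16 fresh random bytes per message. Reusing an IV with
    // the same key lets an observer tell which messages start with the same
    // bytes, so never cache or hardcode it.
    public static Blob encryptWithExplicitIv(Blob clearText) {
        Blob iv = Crypto.generateAesKey(128);   // 128 random bits, used as the IV
        Blob cipherText = Crypto.encrypt('AES256', AES_KEY, iv, clearText);
        // Ship "IV || ciphertext" as a single Blob; the IV is not secret.
        return concat(iv, cipherText);
    }

    public static Blob decryptWithExplicitIv(Blob ivAndCipherText) {
        Integer total = ivAndCipherText.size();
        // Shortest valid input: the IV plus one padded AES block.
        if (total < IV_BYTES + BLOCK_BYTES) {
            throw new DemoException('Received data is too short to hold an IV and a block');
        }
        Blob iv = slice(ivAndCipherText, 0, IV_BYTES);
        Blob cipherText = slice(ivAndCipherText, IV_BYTES, total);
        return Crypto.decrypt('AES256', AES_KEY, iv, cipherText);
    }

    public static void run() {
        Blob message = Blob.valueOf('Test data');

        // Managed IV: Salesforce picks the IV and prepends it to the output,
        // so the same bytes decrypt through the explicit-IV path once split.
        Blob managed = Crypto.encryptWithManagedIV('AES256', AES_KEY, message);
        System.assertEquals('Test data', decryptWithExplicitIv(managed).toString());
        System.assertEquals('Test data',
            Crypto.decryptWithManagedIV('AES256', AES_KEY, managed).toString());

        // Explicit IV: generated by the sender and shipped with the data.
        Blob shipped = encryptWithExplicitIv(message);
        System.assertEquals('Test data', decryptWithExplicitIv(shipped).toString());

        // Same plaintext encrypted twice with fresh IVs gives different bytes.
        System.assertNotEquals(EncodingUtil.base64Encode(shipped),
            EncodingUtil.base64Encode(encryptWithExplicitIv(message)));

        // Truncated input is rejected before it reaches Crypto.decrypt.
        try {
            decryptWithExplicitIv(slice(shipped, 0, IV_BYTES));
            System.assert(false, 'truncated input should have been rejected');
        } catch (DemoException e) {
            System.debug('Rejected: ' + e.getMessage());
        }
    }
}
```

Run it with `AesIvTransportDemo.run();` from Anonymous Apex. The length check matters in practice: Crypto.decrypt raises a generic exception on malformed input, and checking the size first gives the caller a precise error instead of a stack trace that can leak into a user-facing message.
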
public static Blob generateSHA512HashRecipe(Blob dataToHash)
@AuraEnabled
Generates a one-way SHA-512 hash digest that can be checked at the destination to detect accidental corruption. A bare digest needs no key, so it does not prove who produced the data: anyone who can alter the data in transit can recompute a matching digest. Use the HMAC or digital signature recipes below when authenticity matters.

Param | Description
---|---
dataToHash | Blob that contains the data for which to generate a hash

Type | Description
---|---
Blob | Blob that contains the 64-byte SHA-512 digest

```apex
Blob dataToHash = Blob.valueOf('Test data');
Blob hash = EncryptionRecipes.generateSHA512HashRecipe(dataToHash);
System.debug(EncodingUtil.base64Encode(hash));
```

public static void checkSHA512HashRecipe(Blob hash, Blob dataToCheck)
@AuraEnabled
Recomputes the SHA-512 hash digest of the data and compares it with the received one, throwing an exception if they are not equal.

Param | Description
---|---
hash | Blob that contains the received hash
dataToCheck | Blob that contains the data to check the hash for

Type | Description
---|---
void | Nothing is returned; a mismatch raises an exception

```apex
// hash as returned by generateSHA512HashRecipe above; corruptedData stands in
// for data that was altered in transit
Blob corruptedData = Blob.valueOf('Test data (corrupted)');
try {
    EncryptionRecipes.checkSHA512HashRecipe(hash, corruptedData);
} catch (Exception e) {
    // Should log exception
    System.debug(e.getMessage());
}
```

public static Blob generateHMACSHA512Recipe(Blob dataToHmac)
@AuraEnabled
Generates a one-way HMAC-SHA512 (keyed with a symmetric key) that can be checked at the destination to ensure integrity and authenticity. Because the tag can only be produced by a holder of the key, an attacker who alters the data cannot also recompute a valid tag, which is what the plain hash recipe above cannot guarantee.

Param | Description
---|---
dataToHmac | Blob that contains the data for which to generate an HMAC

Type | Description
---|---
Blob | Blob that contains the 64-byte HMAC-SHA512 tag

```apex
Blob dataToHmac = Blob.valueOf('Test data');
Blob hmac = EncryptionRecipes.generateHMACSHA512Recipe(dataToHmac);
System.debug(EncodingUtil.base64Encode(hmac));
```

public static void checkHMACSHA512Recipe(Blob hmac, Blob dataToCheck)
@AuraEnabled
Recomputes the HMAC using the symmetric key and compares it with the received one, throwing an exception if they are not equal. The comparison must run in constant time (see the note at the end of this page) so that the response time does not reveal how many leading bytes of a forged tag were correct.

Param | Description
---|---
hmac | Blob that contains the received HMAC
dataToCheck | Blob that contains the data to check the HMAC for

Type | Description
---|---
void | Nothing is returned; a mismatch raises an exception

```apex
// hmac as returned by generateHMACSHA512Recipe above; corruptedData stands in
// for data that was altered in transit
Blob corruptedData = Blob.valueOf('Test data (corrupted)');
try {
    EncryptionRecipes.checkHMACSHA512Recipe(hmac, corruptedData);
} catch (Exception e) {
    // Should log exception
    System.debug(e.getMessage());
}
```

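The hash and HMAC recipes above differ in one property, authenticity, and the difference is easiest to see with a message that an attacker rewrites in transit. The class below is an added example for this page, not code from the apex-recipes project; the class and method names are assumptions, the sample messages are constructed, and the HMAC key is generated in-line as a demo placeholder for a secret that, in a real org, both parties would hold persistently. It uses String.equals for the comparisons to keep the focus on the forgery; production code should compare tags in constant time as described at the end of this page.

```apex
// Added example for this page, not code from the apex-recipes project.
// Assumed names: HashVersusHmacDemo and its methods; HMAC_KEY is a demo value.
public class HashVersusHmacDemo {
    // Demo-only secret: 32 random bytes per transaction. In practice this is a
    // persistent secret that only the sender and receiver hold.
    private static final Blob HMAC_KEY = Crypto.generateAesKey(256);

    public static Blob sha512(Blob data) {
        return Crypto.generateDigest('SHA-512', data);
    }

    public static Blob hmacSha512(Blob data, Blob key) {
        return Crypto.generateMac('hmacSHA512', data, key);
    }

    // Receiver-side checks. String.equals is case-sensitive (unlike ==, which
    // would treat two different base64 strings as equal if they differ only
    // in letter case) but it is not constant-time; real code should use the
    // constant-time comparison from the end of this page.
    public static Boolean hashMatches(Blob data, Blob receivedHash) {
        return EncodingUtil.base64Encode(sha512(data))
            .equals(EncodingUtil.base64Encode(receivedHash));
    }

    public static Boolean hmacMatches(Blob data, Blob receivedTag) {
        return EncodingUtil.base64Encode(hmacSha512(data, HMAC_KEY))
            .equals(EncodingUtil.base64Encode(receivedTag));
    }

    public static void run() {
        // Constructed sample messages: what was sent, and what the attacker
        // replaces it with on the wire.
        Blob original = Blob.valueOf('Pay 10 USD to Alice');
        Blob tampered = Blob.valueOf('Pay 10000 USD to Mallory');

        // Hash: integrity only. The attacker who rewrites the message can
        // rewrite the digest too, and the receiver's check still passes.
        System.assert(hashMatches(original, sha512(original)));
        System.assert(hashMatches(tampered, sha512(tampered)));   // forgery accepted

        // HMAC: integrity and authenticity. Without HMAC_KEY the attacker can
        // only replay the genuine tag or compute one under a wrong key.
        Blob genuineTag = hmacSha512(original, HMAC_KEY);
        Blob wrongKeyTag = hmacSha512(tampered, Crypto.generateAesKey(256));
        System.assert(hmacMatches(original, genuineTag));
        System.assert(!hmacMatches(tampered, genuineTag));   // replayed tag, new data
        System.assert(!hmacMatches(tampered, wrongKeyTag));  // new data, wrong key
    }
}
```

Run it with `HashVersusHmacDemo.run();`. The second assertion is the point: a receiver that only checks a digest accepts the attacker's version of the message, because nothing in a digest ties it to the sender.
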
public static Blob generateRSASHA512DigitalSignatureRecipe(Blob dataToSign)
@AuraEnabled
Generates a digital signature (a SHA-512 digest of the data signed with the sender's RSA private key) that can be checked at the destination to ensure integrity, authenticity and non-repudiation. Unlike an HMAC, verification needs only the public key, so the receiver can show a third party who signed the data without being able to forge a signature themselves.

Param | Description
---|---
dataToSign | Blob that contains the data to sign

Type | Description
---|---
Blob | Blob that contains the RSA-SHA512 signature

```apex
Blob dataToSign = Blob.valueOf('Test data');
Blob signature = EncryptionRecipes.generateRSASHA512DigitalSignatureRecipe(dataToSign);
System.debug(EncodingUtil.base64Encode(signature));
```

public static void checkRSASHA512DigitalSignatureRecipe(Blob signature, Blob dataToCheck)
@AuraEnabled
Verifies the received digital signature against the data using the signer's public key, throwing an exception if it is not valid.

Param | Description
---|---
signature | Blob that contains the received signature
dataToCheck | Blob that contains the data to check the signature for

Type | Description
---|---
void | Nothing is returned; an invalid signature raises an exception

```apex
// signature as returned by generateRSASHA512DigitalSignatureRecipe above;
// corruptedData stands in for data that was altered in transit
Blob corruptedData = Blob.valueOf('Test data (corrupted)');
try {
    EncryptionRecipes.checkRSASHA512DigitalSignatureRecipe(signature, corruptedData);
} catch (Exception e) {
    // Should log exception
    System.debug(e.getMessage());
}
```

public static EncryptedAndSignedData encryptAES256AndGenerateRSASHA512DigitalSignRecipe(Blob dataToEncryptAndSign)
@AuraEnabled
Encrypts the message with AES-256 and then generates a digital signature over the result with the sender's RSA private key, which can be checked at the destination. Signing after encrypting lets the receiver reject a forged or altered message before attempting to decrypt it. This ensures confidentiality, integrity, authenticity and non-repudiation.

Param | Description
---|---
dataToEncryptAndSign | Blob that contains the data to encrypt and sign

Type | Description
---|---
EncryptedAndSignedData | Wrapper holding two Blobs: encryptedData and signature

```apex
Blob dataToEncryptAndSign = Blob.valueOf('Test data');
EncryptedAndSignedData wrapper = EncryptionRecipes.encryptAES256AndGenerateRSASHA512DigitalSignRecipe(dataToEncryptAndSign);
System.debug(EncodingUtil.base64Encode(wrapper.encryptedData));
System.debug(EncodingUtil.base64Encode(wrapper.signature));
```

public static Blob decryptAES256AndCheckRSASHA512DigitalSignRecipe(Blob signature, Blob dataToDecryptAndCheck)
@AuraEnabled
Verifies the digital signature of the received encrypted data and decrypts it, throwing an exception if the signature is not valid. The signature check should come first, so that an altered or forged ciphertext is rejected without ever being decrypted.

Param | Description
---|---
signature | Blob that contains the received signature
dataToDecryptAndCheck | Blob that contains the encrypted data to check the signature for and then decrypt

Type | Description
---|---
Blob | Blob that contains the decrypted data

```apex
// wrapper as returned by encryptAES256AndGenerateRSASHA512DigitalSignRecipe above;
// corruptedData stands in for ciphertext that was altered in transit
Blob corruptedData = Blob.valueOf('Not the ciphertext that was signed');
try {
    Blob decryptedData = EncryptionRecipes.decryptAES256AndCheckRSASHA512DigitalSignRecipe(wrapper.signature, corruptedData);
    System.debug(decryptedData.toString());
} catch (Exception e) {
    // Should log exception
    System.debug(e.getMessage());
}
```

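The signature recipes and the combined encrypt-then-sign recipe above form one sender/receiver exchange. The class below is an added example for this page (not code from the apex-recipes project) that carries that exchange through with the Apex Crypto class, including a tampered ciphertext that must be rejected before decryption. It assumes the caller already holds the RSA key pair as DER-encoded Blobs, which is the form Crypto.sign (PKCS#8 private key) and Crypto.verify (X.509 public key) accept; obtaining them, for example by base64-decoding PEM bodies kept in a protected custom setting, is outside the example. The class, method and field names are assumptions, and the AES key is a demo placeholder.

```apex
// Added example for this page, not code from the apex-recipes project.
// Assumed names: EncryptThenSignDemo, SealedMessage, seal, open, run.
// Keys are passed in as DER-encoded Blobs; the AES key is a demo placeholder.
public class EncryptThenSignDemo {
    public class VerificationException extends Exception {}

    // What travels over the wire: ciphertext (IV prepended by Salesforce)
    // plus the RSA-SHA512 signature computed over that ciphertext.
    public class SealedMessage {
        public Blob encryptedData;
        public Blob signature;
    }

    private final Blob aesKey;             // shared symmetric key
    private final Blob privateKeyPkcs8Der; // held by the sender only
    private final Blob publicKeyX509Der;   // may be held by anyone

    public EncryptThenSignDemo(Blob aesKey, Blob privateKeyPkcs8Der, Blob publicKeyX509Der) {
        this.aesKey = aesKey;
        this.privateKeyPkcs8Der = privateKeyPkcs8Der;
        this.publicKeyX509Der = publicKeyX509Der;
    }

    // Sender: encrypt first, then sign the ciphertext. Signing the ciphertext
    // lets the receiver reject forgeries without decrypting anything.
    public SealedMessage seal(Blob clearText) {
        SealedMessage m = new SealedMessage();
        m.encryptedData = Crypto.encryptWithManagedIV('AES256', aesKey, clearText);
        m.signature = Crypto.sign('RSA-SHA512', m.encryptedData, privateKeyPkcs8Der);
        return m;
    }

    // Receiver: verify before decrypt. Crypto.verify reports a bad signature
    // by returning false, not by throwing, so the result must be checked.
    public Blob open(SealedMessage m) {
        Boolean valid = Crypto.verify('RSA-SHA512', m.encryptedData, m.signature, publicKeyX509Der);
        if (!valid) {
            throw new VerificationException('Signature does not match the received data');
        }
        return Crypto.decryptWithManagedIV('AES256', aesKey, m.encryptedData);
    }

    // Walks both sides once with an intact message and once with a ciphertext
    // whose last byte was flipped in transit.
    public static void run(Blob privateKeyPkcs8Der, Blob publicKeyX509Der) {
        Blob aesKey = Crypto.generateAesKey(256); // demo only; persist a real key
        EncryptThenSignDemo party = new EncryptThenSignDemo(aesKey, privateKeyPkcs8Der, publicKeyX509Der);

        SealedMessage m = party.seal(Blob.valueOf('Test data'));
        System.assertEquals('Test data', party.open(m).toString());

        // Tamper: flip the final ciphertext byte (via hex, Apex has no byte access).
        String hex = EncodingUtil.convertToHex(m.encryptedData);
        String flipped = hex.right(2).equals('00') ? 'ff' : '00';
        m.encryptedData = EncodingUtil.convertFromHex(hex.left(hex.length() - 2) + flipped);
        try {
            party.open(m);
            System.assert(false, 'tampered message should have been rejected');
        } catch (VerificationException e) {
            System.debug('Rejected as expected: ' + e.getMessage());
        }
    }
}
```

Call `EncryptThenSignDemo.run(privateKeyDer, publicKeyDer);` with your own key material. Keeping the private key out of the receiver's path is deliberate: a receiver that only verifies never needs it, and the non-repudiation claim above holds only while the sender alone can sign.
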
Comparisons which involve cryptography (received hashes, HMACs, signatures) need to be performed in constant time using specialized functions to avoid timing attacks: a comparison that returns at the first differing byte takes measurably longer the more leading bytes an attacker has guessed correctly, which lets a forged tag be built up one byte at a time. https://en.wikipedia.org/wiki/Timing_attack

Param | Description
---|---
first | first String to compare
second | second String to compare

Type | Description
---|---
Boolean | true if the strings are equal

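An implementation of such a comparison, added here as an example for this page (it is not the project's own helper, whose name the rendered page does not show): it takes the raw tag or digest Blobs, compares their hex encodings, and accumulates differences across every position instead of returning at the first one. The class and method names are assumptions, and the key and messages in run are constructed for the example.

```apex
// Added example for this page, not code from the apex-recipes project.
// Assumed names: ConstantTimeCompare, equalsConstantTime, run.
public class ConstantTimeCompare {
    public static Boolean equalsConstantTime(Blob first, Blob second) {
        String a = EncodingUtil.convertToHex(first);
        String b = EncodingUtil.convertToHex(second);
        // The length of a tag or digest is fixed by the algorithm and is not
        // secret, so returning early on a length mismatch leaks nothing useful.
        if (a.length() != b.length()) {
            return false;
        }
        // XOR each pair of characters and OR the results together; there is no
        // early exit, so a mismatch at byte 0 costs the same as one at byte 63.
        Integer diff = 0;
        for (Integer i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }

    // Why not String == or String.equals: == on Apex Strings is
    // case-insensitive, so two different base64 tags that differ only in
    // letter case would compare equal; equals is case-sensitive but may stop
    // at the first difference. Neither promises constant time.
    public static void run() {
        Blob key = Crypto.generateAesKey(256);            // demo key
        Blob data = Blob.valueOf('Test data');            // constructed message
        Blob tag = Crypto.generateMac('hmacSHA512', data, key);
        Blob recomputed = Crypto.generateMac('hmacSHA512', data, key);
        Blob otherTag = Crypto.generateMac('hmacSHA512', Blob.valueOf('Test datb'), key);

        System.assert(equalsConstantTime(tag, recomputed));
        System.assert(!equalsConstantTime(tag, otherTag));
        System.assert(!equalsConstantTime(tag, Blob.valueOf('short')));
    }
}
```

Apex gives no guarantees about how its runtime executes a loop, so this removes the data-dependent early exit, which is the part of the comparison an attacker can measure, rather than proving true constant time. The check recipes above can pass the received and recomputed Blobs straight into it.
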
CryptographicException
Internal custom exception class, thrown by the check recipes above when a received hash, HMAC or signature does not match the data.

Inheritance: extends Exception