package com.mastercard.developer.encryption;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
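/**
 * Base configuration shared by the encryption schemes: which keys/certificate to use, the JSON
 * paths to encrypt and decrypt, and a few scheme parameters (IV size, CBC HMAC verification).
 * <p>
 * Fields are package-private and populated by the scheme-specific builders in this package; this
 * class only exposes read access.
 */
public abstract class EncryptionConfig {

    protected EncryptionConfig() {
    }

    /**
     * The different methods of encryption.
     */
    public enum Scheme {
        LEGACY,
        JWE
    }

    /**
     * The encryption scheme to be used.
     */
    Scheme scheme = Scheme.LEGACY;

    /**
     * The SHA-256 hex-encoded digest of the key used for encryption (optional, the digest will be
     * automatically computed if this field is null or empty).
     * Example: "c3f8ef7053c4fb306f7476e7d1956f0aa992ff9dfdd5244b912a1d377ff3a84f"
     */
    String encryptionKeyFingerprint;

    /**
     * A certificate object whose public key will be used for encryption.
     * Only consulted by {@link #getEncryptionKey()} when {@link #encryptionKey} is null.
     */
    Certificate encryptionCertificate;

    /**
     * A public key to be used for request encryption.
     * When set, it takes precedence over {@link #encryptionCertificate}.
     */
    PublicKey encryptionKey;

    /**
     * A private key object to be used for decryption.
     */
    PrivateKey decryptionKey;

    /**
     * IV size in bytes.
     */
    Integer ivSize = 16;

    /**
     * Enable HMAC authentication tag verification for AES-CBC mode (A128CBC-HS256).
     * When true, authentication tags are verified during decryption.
     * Default is false for backward compatibility with systems that don't compute HMAC tags.
     * Set to true to enable proper HMAC verification according to JWE spec.
     * <p>
     * While this is false the integrity/authenticity of an A128CBC-HS256 ciphertext is not checked
     * before it is decrypted; the flag should only stay false for peers that are known not to
     * compute the tag, and be enabled wherever the peer follows the JWE spec.
     */
    Boolean enableCbcHmacVerification = false;

    /**
     * A list of JSON paths to encrypt in request payloads.
     * Example:
     * <pre>
     * new HashMap<>() {
     *     {
     *         put("$.path.to.element.to.be.encrypted", "$.path.to.object.where.to.store.encryption.fields");
     *     }
     * }
     * </pre>
     */
    Map<String, String> encryptionPaths = Collections.emptyMap();

    /**
     * A list of JSON paths to decrypt in response payloads.
     * Example:
     * <pre>
     * new HashMap<>() {
     *     {
     *         put("$.path.to.object.with.encryption.fields", "$.path.where.to.write.decrypted.element");
     *     }
     * }
     * </pre>
     */
    Map<String, String> decryptionPaths = Collections.emptyMap();

    /**
     * The name of the payload field where to write/read the encrypted data value.
     */
    String encryptedValueFieldName = null;

    /**
     * @return the configured SHA-256 hex fingerprint of the encryption key, or null when it is to
     *         be computed automatically
     */
    public String getEncryptionKeyFingerprint() {
        return encryptionKeyFingerprint;
    }

    /**
     * @return the configured encryption certificate, or null if none was set
     */
    public Certificate getEncryptionCertificate() {
        return encryptionCertificate;
    }

    /**
     * Returns the public key used for encryption: the explicitly configured key if present,
     * otherwise the public key of the configured certificate.
     *
     * @return the encryption public key
     * @throws NullPointerException if neither an encryption key nor an encryption certificate was
     *                              configured
     */
    public PublicKey getEncryptionKey() {
        if (encryptionKey != null) {
            return encryptionKey;
        }
        // Keeps the exception type the bare dereference would have thrown, but with an actionable
        // message pointing at the missing configuration instead of an anonymous NPE.
        Objects.requireNonNull(encryptionCertificate,
                "No encryption key configured: set either an encryption key or an encryption certificate");
        return encryptionCertificate.getPublicKey();
    }

    /**
     * @return the configured decryption private key, or null if none was set
     */
    public PrivateKey getDecryptionKey() {
        return decryptionKey;
    }

    /**
     * @return the encryption scheme in use (defaults to {@link Scheme#LEGACY})
     */
    public Scheme getScheme() {
        return scheme;
    }

    /**
     * @return the live map of request JSON paths to encrypt (empty by default); not a copy
     */
    Map<String, String> getEncryptionPaths() {
        return encryptionPaths;
    }

    /**
     * @return the live map of response JSON paths to decrypt (empty by default); not a copy
     */
    Map<String, String> getDecryptionPaths() {
        return decryptionPaths;
    }

    /**
     * @return the payload field name holding the encrypted value, or null if not configured
     */
    String getEncryptedValueFieldName() {
        return encryptedValueFieldName;
    }

    /**
     * @return the IV size in bytes (defaults to 16)
     */
    public Integer getIVSize() {
        return ivSize;
    }

    /**
     * @return whether the A128CBC-HS256 authentication tag is verified on decryption (defaults to
     *         false)
     */
    public Boolean getEnableCbcHmacVerification() {
        return enableCbcHmacVerification;
    }
}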