Package com.cloudbees.plugins.credentials

Class SecretBytes

java.lang.Object

com.cloudbees.plugins.credentials.SecretBytes

All Implemented Interfaces:

Serializable

public class SecretBytes
extends Object
implements Serializable

An analogue of Secret to be used for efficient storage of byte[]. The serialized form will embed the salt and padding so no two invocations of getEncryptedData() will return the same result, but all will decrypt to the same getPlainData(). XStream serialization and Stapler form-binding will assume that the toString() representation is used (i.e. the Base64 encoded secret bytes wrapped with { and }. If the string representation fails to decrypt (and is not wrapped

Since:

2.1.5

See Also:

• Serialized Form

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	SecretBytes.ConverterImpl	Our XStream converter.
static class	SecretBytes.StaplerConverterImpl

Field Summary

Fields

Modifier and Type	Field	Description
static final Pattern	ENCRYPTED_VALUE_PATTERN	Pattern matching a possible output of toString().

Method Summary

Modifier and Type	Method	Description
static SecretBytes	decrypt(byte[] data)	Reverse operation of getEncryptedData().
boolean	equals(Object o)
static SecretBytes	fromBytes(byte[] data)	Deprecated. prefer fromRawBytes(byte[])
static SecretBytes	fromRawBytes(byte[] data)	Unlike fromBytes(byte[]) this won't attempt to decrypt this as a secret.
static SecretBytes	fromString(String data)	Attempts to treat the given bytes first as a cipher text, and if it doesn't work, treat the given string as the unencrypted BASE-64 encoded byte array.
byte[]	getEncryptedData()	Returns the encrypted data.
byte[]	getPlainData()	Returns the raw unencrypted data.
static byte[]	getPlainData(SecretBytes s)	Works just like getPlainData() but avoids NPE when the secret is null.
int	hashCode()
static boolean	isSecretBytes(String data)	check if the given String is a SecretBytes text by attempting to decrypt it
String	toString()
static String	toString(SecretBytes s)	Works just like toString() but avoids NPE when the secret is null.

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Details

ENCRYPTED_VALUE_PATTERN

@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class)
public static final Pattern ENCRYPTED_VALUE_PATTERN

Pattern matching a possible output of toString(). Basically, any Base64-encoded value. You must then call decrypt(byte[]) to eliminate false positives.

Method Details

getPlainData

@NonNull
public byte[] getPlainData()

Returns the raw unencrypted data. The caller is responsible for zeroing out the returned byte[] after use.

Returns:

the raw unencrypted data.

equals

public boolean equals(Object o)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

getEncryptedData

@NonNull
public byte[] getEncryptedData()

Returns the encrypted data.

Returns:

the encrypted data.

decrypt

@CheckForNull
public static SecretBytes decrypt(byte[] data)

Reverse operation of getEncryptedData(). Returns null if the given cipher text was invalid.

Parameters:

data - the bytes to decrypt.

Returns:

the secret bytes or null if the data was not originally encrypted.

getPlainData

@NonNull
public static byte[] getPlainData(@CheckForNull
 SecretBytes s)

Works just like getPlainData() but avoids NPE when the secret is null. To be consistent with fromBytes(byte[]), this method doesn't distinguish empty password and null password.

Parameters:

s - the secret bytes.

Returns:

the decrypted bytes.

fromBytes

@Deprecated
public static SecretBytes fromBytes(byte[] data)

Deprecated.

prefer fromRawBytes(byte[])

Attempts to treat the given bytes first as a cipher encrypted bytes, and if it doesn't work, treat the given bytes as the unencrypted secret value.

Useful for recovering a value from a form field. If the supplied bytes are known to be unencrypted then the caller is responsible for zeroing out the supplied byte[] afterwards.

Parameters:

data - the data to wrap or decrypt.

Returns:

never null

fromRawBytes

public static SecretBytes fromRawBytes(byte[] data)

Unlike fromBytes(byte[]) this won't attempt to decrypt this as a secret. Always treat this as unencrypted bytes.

Parameters:

data - the data to wrap

Returns:

secret bytes

fromString

@NonNull
public static SecretBytes fromString(String data)

Attempts to treat the given bytes first as a cipher text, and if it doesn't work, treat the given string as the unencrypted BASE-64 encoded byte array.

Useful for recovering a value from a form field. Note: the caller is responsible for evicting the data from memory in the event that the data is the unencrypted BASE-64 encoded plain data.

Parameters:

data - the string representation to decrypt.

Returns:

never null

isSecretBytes

public static boolean isSecretBytes(String data)

check if the given String is a SecretBytes text by attempting to decrypt it

Parameters:

data - the string to check

Returns:

true if the decryption was successful, false otherwise

toString

public String toString()

Overrides:

toString in class Object

toString

public static String toString(SecretBytes s)

Works just like toString() but avoids NPE when the secret is null. To be consistent with fromString(String), this method doesn't distinguish empty password and null password.

Parameters:

s - the secret bytes.

Returns:

the string representation.