Class SecretBytes
java.lang.Object
com.cloudbees.plugins.credentials.SecretBytes
- All Implemented Interfaces:
Serializable
An analogue of Secret to be used for efficient storage of byte[]. The serialized form will embed the salt and padding so no two invocations of getEncryptedData() will return the same result, but all will decrypt to the same getPlainData(). XStream serialization and Stapler form-binding will assume that the toString() representation is used (i.e. the Base64 encoded secret bytes wrapped with { and }). If the string representation fails to decrypt (and is not wrapped
- Since:
- 2.1.5

Nested Class Summary
| Modifier and Type | Class | Description |
|---|---|---|
| static final class | | Our XStream converter. |
| static class | | |

Field Summary
| Modifier and Type | Field | Description |
|---|---|---|
| static final Pattern | ENCRYPTED_VALUE_PATTERN | Pattern matching a possible output of toString(). |

Method Summary
| Modifier and Type | Method | Description |
|---|---|---|
| static SecretBytes | decrypt(byte[] data) | Reverse operation of getEncryptedData(). |
| boolean | equals(Object o) | |
| static SecretBytes | fromBytes(byte[] data) | Deprecated. |
| static SecretBytes | fromRawBytes(byte[] data) | Unlike fromBytes(byte[]) this won't attempt to decrypt this as a secret. |
| static SecretBytes | fromString(String data) | Attempts to treat the given bytes first as a cipher text, and if it doesn't work, treat the given string as the unencrypted BASE-64 encoded byte array. |
| byte[] | getEncryptedData() | Returns the encrypted data. |
| byte[] | getPlainData() | Returns the raw unencrypted data. |
| static byte[] | getPlainData(SecretBytes s) | Works just like getPlainData() but avoids NPE when the secret is null. |
| int | hashCode() | |
| static boolean | isSecretBytes(String data) | Check if the given String is a SecretBytes text by attempting to decrypt it. |
| String | toString() | |
| static String | toString(SecretBytes s) | Works just like toString() but avoids NPE when the secret is null. |

Field Details

ENCRYPTED_VALUE_PATTERN
@Restricted(org.kohsuke.accmod.restrictions.NoExternalUse.class) public static final Pattern ENCRYPTED_VALUE_PATTERN
Pattern matching a possible output of toString(). Basically, any Base64-encoded value. You must then call decrypt(byte[]) to eliminate false positives.

Method Details

getPlainData
@NonNull public byte[] getPlainData()
Returns the raw unencrypted data. The caller is responsible for zeroing out the returned byte[] after use.
- Returns:
- the raw unencrypted data.

equals

hashCode
public int hashCode()

getEncryptedData
@NonNull public byte[] getEncryptedData()
Returns the encrypted data.
- Returns:
- the encrypted data.

decrypt
Reverse operation of getEncryptedData(). Returns null if the given cipher text was invalid.
- Parameters:
- data - the bytes to decrypt.
- Returns:
- the secret bytes or null if the data was not originally encrypted.

getPlainData
Works just like getPlainData() but avoids NPE when the secret is null. To be consistent with fromBytes(byte[]), this method doesn't distinguish empty password and null password.
- Parameters:
- s - the secret bytes.
- Returns:
- the decrypted bytes.

fromBytes
Deprecated. Prefer fromRawBytes(byte[]).
Attempts to treat the given bytes first as cipher-encrypted bytes, and if it doesn't work, treat the given bytes as the unencrypted secret value. Useful for recovering a value from a form field. If the supplied bytes are known to be unencrypted then the caller is responsible for zeroing out the supplied byte[] afterwards.
- Parameters:
- data - the data to wrap or decrypt.
- Returns:
- never null

fromRawBytes
Unlike fromBytes(byte[]) this won't attempt to decrypt this as a secret. Always treat this as unencrypted bytes.
- Parameters:
- data - the data to wrap
- Returns:
- secret bytes

fromString
Attempts to treat the given bytes first as a cipher text, and if it doesn't work, treat the given string as the unencrypted BASE-64 encoded byte array. Useful for recovering a value from a form field. Note: the caller is responsible for evicting the data from memory in the event that the data is the unencrypted BASE-64 encoded plain data.
- Parameters:
- data - the string representation to decrypt.
- Returns:
- never null

isSecretBytes
Check if the given String is a SecretBytes text by attempting to decrypt it.
- Parameters:
- data - the string to check
- Returns:
- true if the decryption was successful, false otherwise

toString

toString
Works just like toString() but avoids NPE when the secret is null. To be consistent with fromString(String), this method doesn't distinguish empty password and null password.
- Parameters:
- s - the secret bytes.
- Returns:
- the string representation.
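
The zeroing duty and the salted round trip described above, as an added example (not code from the credentials plugin). The class SecretBytesUsage and its method names are hypothetical, and the code assumes it runs inside a Jenkins controller or plugin test with the credentials plugin on the classpath, since SecretBytes needs Jenkins's key store to encrypt and decrypt.

```java
import com.cloudbees.plugins.credentials.SecretBytes;
import java.util.Arrays;
import java.util.function.Function;

// Hypothetical helper, not part of the credentials plugin.
public final class SecretBytesUsage {
    private SecretBytesUsage() {}

    /** Wraps bytes known to be plaintext, then wipes the caller's copy. */
    public static SecretBytes wrap(byte[] plain) {
        try {
            // fromRawBytes never tries to decrypt its input (unlike the deprecated fromBytes).
            return SecretBytes.fromRawBytes(plain);
        } finally {
            // Assumption: the wipe duty documented for fromBytes applies here as well.
            Arrays.fill(plain, (byte) 0);
        }
    }

    /** Runs an action on the decrypted bytes and zeroes that array afterwards. */
    public static <T> T withPlainData(SecretBytes secret, Function<byte[], T> action) {
        byte[] plain = secret.getPlainData();
        try {
            return action.apply(plain);
        } finally {
            Arrays.fill(plain, (byte) 0); // the caller is responsible for zeroing
        }
    }

    /** Checks the documented properties of the encrypted and string forms. */
    public static boolean roundTrips(SecretBytes secret) {
        String stored = secret.toString(); // form assumed by XStream and Stapler
        if (!SecretBytes.isSecretBytes(stored)) {
            return false; // the string form must decrypt
        }
        SecretBytes restored = SecretBytes.fromString(stored);
        // Salted: two encryptions differ, yet both decrypt to the same plain data.
        byte[] first = secret.getEncryptedData();
        byte[] second = secret.getEncryptedData();
        SecretBytes fromSecond = SecretBytes.decrypt(second);
        return !Arrays.equals(first, second)
                && fromSecond != null
                && withPlainData(secret, a -> withPlainData(restored, b -> Arrays.equals(a, b)))
                && withPlainData(secret, a -> withPlainData(fromSecond, b -> Arrays.equals(a, b)));
    }
}
```

Any value the action returns should not itself hold a copy of the plaintext, otherwise the wipe in withPlainData covers only one of the copies.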