Azure · vcolin7 · Jul 19, 2022 · Jul 18, 2022
@@ -430,7 +430,9 @@ Mono<EncryptResult> encrypt(EncryptParameters encryptParameters, Context context
      * <!-- end com.azure.security.keyvault.keys.cryptography.CryptographyAsyncClient.decrypt#EncryptionAlgorithm-byte -->
      *
      * @param algorithm The algorithm to be used for decryption.
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example.
+     * See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      *
      * @return A {@link Mono} containing the decrypted blob.
      *
@@ -487,7 +489,9 @@ public Mono<DecryptResult> decrypt(EncryptionAlgorithm algorithm, byte[] ciphert
      * </pre>
      * <!-- end com.azure.security.keyvault.keys.cryptography.CryptographyAsyncClient.decrypt#DecryptParameters -->
      *
-     * @param decryptParameters The parameters to use in the decryption operation.
+     * @param decryptParameters The parameters to use in the decryption operation. Microsoft recommends you not use CBC
+     * without first ensuring the integrity of the ciphertext using an HMAC, for example.
+     * See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      *
      * @return A {@link Mono} containing the decrypted blob.
      *

@@ -314,7 +314,9 @@ public EncryptResult encrypt(EncryptParameters encryptParameters, Context contex
      * <!-- end com.azure.security.keyvault.keys.cryptography.CryptographyClient.decrypt#EncryptionAlgorithm-byte -->
      *
      * @param algorithm The algorithm to be used for decryption.
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example.
+     * See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      *
      * @return The {@link DecryptResult} whose {@link DecryptResult#getPlainText() plain text} contains the decrypted
      * content.
@@ -364,7 +366,9 @@ public DecryptResult decrypt(EncryptionAlgorithm algorithm, byte[] ciphertext) {
      * <!-- end com.azure.security.keyvault.keys.cryptography.CryptographyClient.decrypt#EncryptionAlgorithm-byte-Context -->
      *
      * @param algorithm The algorithm to be used for decryption.
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example.
+     * See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param context Additional context that is passed through the {@link HttpPipeline} during the service call.
      *
      * @return The {@link DecryptResult} whose {@link DecryptResult#getPlainText() plain text} contains the decrypted
@@ -418,7 +422,9 @@ public DecryptResult decrypt(EncryptionAlgorithm algorithm, byte[] ciphertext, C
      * </pre>
      * <!-- end com.azure.security.keyvault.keys.cryptography.CryptographyClient.decrypt#DecryptParameters-Context -->
      *
-     * @param decryptParameters The parameters to use in the decryption operation.
+     * @param decryptParameters The parameters to use in the decryption operation. Microsoft recommends you not use CBC
+     * without first ensuring the integrity of the ciphertext using an HMAC, for example.
+     * See https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param context Additional context that is passed through the {@link HttpPipeline} during the service call.
      *
      * @return The {@link DecryptResult} whose {@link DecryptResult#getPlainText() plain text} contains the decrypted

@@ -40,7 +40,9 @@ public final class DecryptParameters {
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A128CBC}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.
@@ -53,7 +55,9 @@ public static DecryptParameters createA128CbcParameters(byte[] ciphertext, byte[
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A128CBCPAD}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.
@@ -97,7 +101,9 @@ public static DecryptParameters createA128GcmParameters(byte[] ciphertext, byte[
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A192CBC}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.
@@ -110,7 +116,9 @@ public static DecryptParameters createA192CbcParameters(byte[] ciphertext, byte[
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A192CBCPAD}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.
@@ -154,7 +162,9 @@ public static DecryptParameters createA192GcmParameters(byte[] ciphertext, byte[
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A256CBC}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.
@@ -167,7 +177,9 @@ public static DecryptParameters createA256CbcParameters(byte[] ciphertext, byte[
      * Factory method to create an instance of {@link DecryptParameters} with the given parameters for
      * {@link EncryptionAlgorithm#A256CBCPAD}.
      *
-     * @param ciphertext The content to be decrypted.
+     * @param ciphertext The content to be decrypted. Microsoft recommends you not use CBC without first ensuring the
+     * integrity of the ciphertext using an HMAC, for example. See
+     * https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
      * @param iv Initialization vector for the decryption operation.
      *
      * @return The {@link DecryptParameters}.

@@ -48,7 +48,10 @@ public static EncryptParameters createA128CbcParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A128CBC}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -73,7 +76,10 @@ public static EncryptParameters createA128CbcPadParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A128CBCPAD}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -123,7 +129,10 @@ public static EncryptParameters createA192CbcParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A192CBC}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -148,7 +157,10 @@ public static EncryptParameters createA192CbcPadParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A192CBCPAD}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -198,7 +210,10 @@ public static EncryptParameters createA256CbcParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A256CBC}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -223,7 +238,10 @@ public static EncryptParameters createA256CbcPadParameters(byte[] plaintext) {
      * {@link EncryptionAlgorithm#A256CBCPAD}.
      *
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      *
      * @return The {@link EncryptParameters}.
      */
@@ -297,7 +315,10 @@ public static EncryptParameters createRsaOaep256Parameters(byte[] plaintext) {
      *
      * @param algorithm The algorithm to be used for encryption.
      * @param plaintext The content to be encrypted.
-     * @param iv Initialization vector for the encryption operation.
+     * @param iv Optional initialization vector for the encryption operation. If you pass your own IV, make sure you
+     * use a cryptographically random, non-repeating IV. If {@code null}, a cryptographically random IV will be
+     * generated by Key Vault for service-side operations. For client-side operations,
+     * {@link java.security.SecureRandom} will be used instead.
      * @param additionalAuthenticatedData Additional data to authenticate when using authenticated crypto algorithms.
      */
     EncryptParameters(EncryptionAlgorithm algorithm, byte[] plaintext, byte[] iv, byte[] additionalAuthenticatedData) {