public class AESBinaryManager extends LocalBinaryManager
The configuration holds the keystore information to retrieve the AES key, or the
password that is used to generate a per-file key using PBKDF2. This configuration comes from the
<property name="key">...</property>
of the binary manager configuration.
The configuration has the form key1=value1,key2=value2,...
where the possible keys are, for keystore use:
And for PBKDF2 use:
To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password
using PBKDF2 (in which case each stored file contains a different salt for security reasons). The file format is
described in storeAndDigest(InputStream, OutputStream)
.
While the binary is being used by the application, a temporarily-decrypted file is held in a temporary directory. It is removed as soon as possible.
Note: if the Java Cryptographic Extension (JCE) is not configured for 256-bit key length, you may get an exception "java.security.InvalidKeyException: Illegal key size or default parameters". If this is the case, go to Oracle Java SE Downloads and download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JDK.
Modifier and Type | Class and Description |
---|---|
static class |
AESBinaryManager.CipherAndDigestOutputStream
A
CipherOutputStream that also does a digest of the original stream at
the same time. |
LocalBinaryManager.DefaultBinaryGarbageCollector
Modifier and Type | Field and Description |
---|---|
protected static String |
AES |
protected static String |
AES_CBC_PKCS5_PADDING |
protected String |
digestAlgorithm |
protected static byte[] |
FILE_MAGIC |
protected static int |
FILE_VERSION_1 |
protected String |
keyAlias |
protected String |
keyPassword |
protected String |
keyStoreFile |
protected String |
keyStorePassword |
protected String |
keyStoreType |
protected static String |
PARAM_KEY_ALIAS |
protected static String |
PARAM_KEY_PASSWORD |
protected static String |
PARAM_KEY_STORE_FILE |
protected static String |
PARAM_KEY_STORE_PASSWORD |
protected static String |
PARAM_KEY_STORE_TYPE |
protected static String |
PARAM_PASSWORD |
protected String |
password |
protected static int |
PBKDF2_ITERATIONS |
protected static int |
PBKDF2_KEY_LENGTH |
protected static String |
PBKDF2_WITH_HMAC_SHA1 |
protected static Random |
RANDOM |
protected static int |
USE_KEYSTORE |
protected static int |
USE_PBKDF2 |
protected boolean |
usePBKDF2 |
CONFIG_FILE, DATA, DEFAULT_PATH, storageDir, TMP, tmpDir, WINDOWS_ABSOLUTE_PATH
blobProviderId, DEFAULT_DEPTH, DEFAULT_DIGEST, descriptor, DIGESTS_BY_LENGTH, garbageCollector, MAX_BUF_SIZE, MD5_DIGEST, MD5_DIGEST_LENGTH, MIN_BUF_SIZE, SHA1_DIGEST, SHA1_DIGEST_LENGTH, SHA256_DIGEST, SHA256_DIGEST_LENGTH
PROP_KEY, PROP_PATH
Constructor and Description |
---|
AESBinaryManager() |
Modifier and Type | Method and Description |
---|---|
protected void |
clearPassword(char[] password)
Clears a password from memory.
|
protected void |
decrypt(InputStream in,
OutputStream out)
Decrypts the given input stream into the given output stream.
|
protected Key |
generateSecretKey(byte[] salt)
Generates an AES key from the password using PBKDF2.
|
protected Binary |
getBinary(InputStream in)
Creates a binary value from the given input stream.
|
Binary |
getBinary(String digest)
Returns a
Binary corresponding to the given digest. |
protected char[] |
getPassword()
Gets the password for PBKDF2.
|
protected Key |
getSecretKey()
Gets the AES key from the keystore.
|
void |
initialize(String blobProviderId,
Map<String,String> properties)
Initializes the binary manager.
|
protected void |
initializeOptions(String options) |
protected static boolean |
setUnlimitedJCEPolicy()
By default the JRE may ship with restricted key length.
|
protected String |
storeAndDigest(InputStream in) |
String |
storeAndDigest(InputStream in,
OutputStream out)
Encrypts the given input stream into the given output stream, while also computing the digest of the input
stream.
|
atomicMove, close, createGarbageCollector, getFileForDigest, getStorageDir, touch
getBinary, getDefaultDigestAlgorithm, getDescriptor, getDigestAlgorithm, getGarbageCollector, removeBinaries, toHexString
protected static final byte[] FILE_MAGIC
protected static final int FILE_VERSION_1
protected static final int USE_KEYSTORE
protected static final int USE_PBKDF2
protected static final String AES
protected static final String AES_CBC_PKCS5_PADDING
protected static final String PBKDF2_WITH_HMAC_SHA1
protected static final int PBKDF2_ITERATIONS
protected static final int PBKDF2_KEY_LENGTH
protected static final String PARAM_PASSWORD
protected static final String PARAM_KEY_STORE_TYPE
protected static final String PARAM_KEY_STORE_FILE
protected static final String PARAM_KEY_STORE_PASSWORD
protected static final String PARAM_KEY_ALIAS
protected static final String PARAM_KEY_PASSWORD
protected String digestAlgorithm
protected boolean usePBKDF2
protected String keyStoreType
protected String keyStoreFile
protected String keyStorePassword
protected String keyPassword
public AESBinaryManager()
protected static boolean setUnlimitedJCEPolicy()
This is not possible anymore since 8u102 and https://bugs.openjdk.java.net/browse/JDK-8149417
public void initialize(String blobProviderId, Map<String,String> properties) throws IOException
BinaryManager
initialize
in interface BinaryManager
initialize
in class LocalBinaryManager
blobProviderId
- the blob provider id for this binary managerproperties
- initialization propertiesIOException
protected void initializeOptions(String options)
protected char[] getPassword()
The caller must clear it from memory when done with it by calling clearPassword(char[])
.
protected void clearPassword(char[] password)
protected Key generateSecretKey(byte[] salt) throws GeneralSecurityException
salt
- the saltGeneralSecurityException
protected Key getSecretKey() throws GeneralSecurityException, IOException
GeneralSecurityException
IOException
protected Binary getBinary(InputStream in) throws IOException
AbstractBinaryManager
getBinary
in class LocalBinaryManager
IOException
public Binary getBinary(String digest)
BinaryManager
Binary
corresponding to the given digest.
A null
is returned if the digest could not be found.
getBinary
in interface BinaryManager
getBinary
in class LocalBinaryManager
digest
- the digest, or null
protected String storeAndDigest(InputStream in) throws IOException
storeAndDigest
in class LocalBinaryManager
IOException
public String storeAndDigest(InputStream in, OutputStream out) throws IOException
File format version 1 (values are in network order):
storeAndDigest
in class AbstractBinaryManager
in
- the input stream containing the datafile
- the file containing the encrypted dataIOException
protected void decrypt(InputStream in, OutputStream out) throws IOException
IOException
Copyright © 2016 Nuxeo SA. All rights reserved.