001/*
002 * (C) Copyright 2006-2019 Nuxeo (http://nuxeo.com/) and others.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 *     http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 *
016 * Contributors:
017 *     Florent Guillaume
018 */
019package org.nuxeo.ecm.core.blob;
020
021import java.io.IOException;
022import java.util.Map;
023
024import org.nuxeo.ecm.core.blob.AESBlobStore.EncryptingOutputStream;
025
/**
 * A blob provider that encrypts binaries on the filesystem using AES.
 * <p>
 * To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or derived from a password
 * using PBKDF2 (in which case each stored file contains its own salt, so that the derived key differs per file). The
 * on-disk file format is described in {@link EncryptingOutputStream}.
 * <p>
 * The blob provider configuration holds either the keystore information used to retrieve the AES key, or the password
 * that is used to derive a per-file key using PBKDF2.
 * <p>
 * For keystore use, the following properties are available:
 * <ul>
 * <li>keyStoreType: the keystore type, for instance JCEKS
 * <li>keyStoreFile: the path to the keystore, if applicable
 * <li>keyStorePassword: the keystore password
 * <li>keyAlias: the alias (name) of the key in the keystore
 * <li>keyPassword: the key password
 * </ul>
 * <p>
 * For PBKDF2 use:
 * <ul>
 * <li>password: the password
 * </ul>
 * <p>
 * For backward compatibility, the properties can also be included in the
 * {@code <property name="key">prop1=value1,prop2=value2,...</property>} of the blob provider configuration.
 *
 * @since 11.1
 */
public class AESBlobProvider extends LocalBlobProvider {

    /**
     * AES settings (keystore lookup or PBKDF2 password) parsed from the blob provider properties.
     * <p>
     * Assigned in {@link #getBlobStore} before the superclass is asked for the store, and read by
     * {@link #newBlobStore}.
     */
    protected AESBlobStoreConfiguration aesConfig;

    /**
     * Parses the AES configuration from {@code properties}, then delegates store creation to the superclass.
     * <p>
     * The configuration must be captured before the {@code super} call: {@link #newBlobStore} reads {@link #aesConfig},
     * and that hook is presumably invoked by the superclass from within its own {@code getBlobStore}.
     *
     * @param blobProviderId the blob provider id
     * @param properties the blob provider properties (see the class documentation for the recognized keys)
     * @return the blob store created by the superclass
     * @throws IOException propagated from {@code super.getBlobStore}
     */
    @Override
    protected BlobStore getBlobStore(String blobProviderId, Map<String, String> properties) throws IOException {
        AESBlobStoreConfiguration parsedConfig = new AESBlobStoreConfiguration(properties);
        aesConfig = parsedConfig;
        return super.getBlobStore(blobProviderId, properties);
    }

    /**
     * Creates an {@link AESBlobStore} for the given strategies, using the previously parsed {@link #aesConfig}.
     *
     * @param name the blob store name
     * @param keyStrategy the key strategy
     * @param pathStrategy the path strategy
     * @return a new encrypting blob store
     */
    @Override
    protected BlobStore newBlobStore(String name, KeyStrategy keyStrategy, PathStrategy pathStrategy) {
        BlobStore encryptingStore = new AESBlobStore(name, keyStrategy, pathStrategy, aesConfig);
        return encryptingStore;
    }

}