Class KeyStoreBasedProtectorImpl
- java.lang.Object
-
- com.evolveum.midpoint.prism.impl.crypto.BaseProtector
-
- com.evolveum.midpoint.prism.impl.crypto.KeyStoreBasedProtectorImpl
-
- All Implemented Interfaces:
KeyStoreBasedProtector
,Protector
public class KeyStoreBasedProtectorImpl extends BaseProtector implements KeyStoreBasedProtector
Class that manages encrypted and hashed values. Java Cryptography Extension is needed because this class is using AES-256 for encrypting/decrypting xml data.- Author:
- Radovan Semancik, lazyman
-
-
Field Summary
-
Fields inherited from interface com.evolveum.midpoint.prism.crypto.Protector
XMLSEC_ENCRYPTION_ALGORITHM_AES128_CBC, XMLSEC_ENCRYPTION_ALGORITHM_AES256_CBC, XMLSEC_ENCRYPTION_NS
-
-
Constructor Summary
Constructors Constructor Description KeyStoreBasedProtectorImpl()
KeyStoreBasedProtectorImpl(KeyStoreBasedProtectorBuilder builder)
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description boolean
areEquivalent(ProtectedStringType a, ProtectedStringType b)
Decides equivalence of two protected data objects (for data management purposes).boolean
compareCleartext(ProtectedStringType a, ProtectedStringType b)
Compare cleartext values protected inside the protected strings.protected <T> byte[]
decryptBytes(ProtectedData<T> protectedData)
<T> void
encrypt(ProtectedData<T> protectedData)
String
getEncryptionAlgorithm()
KeyStore
getKeyStore()
String
getKeyStorePath()
String
getRequestedJceProviderName()
String
getSecretKeyDigest(SecretKey key)
Deprecated.List<TrustManager>
getTrustManagers()
Returns a list of trust managers that will be used to validate communicating party credentials.<T> void
hash(ProtectedData<T> protectedData)
void
init()
boolean
isEncryptedByCurrentKey(@NotNull EncryptedDataType data)
void
setEncryptionAlgorithm(String encryptionAlgorithm)
void
setEncryptionKeyAlias(String encryptionKeyAlias)
void
setKeyStorePassword(String keyStorePassword)
void
setKeyStorePath(String keyStorePath)
void
setRequestedJceProviderName(String requestedJceProviderName)
-
Methods inherited from class com.evolveum.midpoint.prism.impl.crypto.BaseProtector
decrypt, decryptString, encryptString
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface com.evolveum.midpoint.prism.crypto.Protector
decrypt, decryptString, encryptString
-
-
-
-
Constructor Detail
-
KeyStoreBasedProtectorImpl
public KeyStoreBasedProtectorImpl()
-
KeyStoreBasedProtectorImpl
public KeyStoreBasedProtectorImpl(KeyStoreBasedProtectorBuilder builder)
-
-
Method Detail
-
init
public void init()
- Throws:
SystemException
- if jceks keystore is not available ongetKeyStorePath()
-
getRequestedJceProviderName
public String getRequestedJceProviderName()
-
setRequestedJceProviderName
public void setRequestedJceProviderName(String requestedJceProviderName)
-
getEncryptionAlgorithm
public String getEncryptionAlgorithm()
-
setEncryptionAlgorithm
public void setEncryptionAlgorithm(String encryptionAlgorithm)
-
decryptBytes
protected <T> byte[] decryptBytes(ProtectedData<T> protectedData) throws SchemaException, EncryptionException
- Specified by:
decryptBytes
in classBaseProtector
- Throws:
SchemaException
EncryptionException
-
encrypt
public <T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException
- Specified by:
encrypt
in interfaceProtector
- Throws:
EncryptionException
-
getSecretKeyDigest
@Deprecated public String getSecretKeyDigest(SecretKey key) throws EncryptionException
Deprecated.TODO remove, used only in midpoint ninja cmd tool, not part of API- Specified by:
getSecretKeyDigest
in interfaceKeyStoreBasedProtector
- Throws:
EncryptionException
-
getTrustManagers
public List<TrustManager> getTrustManagers()
Description copied from interface:Protector
Returns a list of trust managers that will be used to validate communicating party credentials. (e.g. used to validate remote connector connections).- Specified by:
getTrustManagers
in interfaceProtector
-
getKeyStore
public KeyStore getKeyStore()
- Specified by:
getKeyStore
in interfaceProtector
-
setEncryptionKeyAlias
public void setEncryptionKeyAlias(String encryptionKeyAlias)
- Parameters:
encryptionKeyAlias
- Alias of the encryption keySecretKey
which is used for encryption- Throws:
IllegalArgumentException
- if encryption key digest is null or empty string
-
setKeyStorePassword
public void setKeyStorePassword(String keyStorePassword)
-
setKeyStorePath
public void setKeyStorePath(String keyStorePath)
-
getKeyStorePath
public String getKeyStorePath()
- Specified by:
getKeyStorePath
in interfaceKeyStoreBasedProtector
-
hash
public <T> void hash(ProtectedData<T> protectedData) throws EncryptionException, SchemaException
- Specified by:
hash
in interfaceProtector
- Throws:
EncryptionException
SchemaException
-
compareCleartext
public boolean compareCleartext(ProtectedStringType a, ProtectedStringType b) throws EncryptionException, SchemaException
Description copied from interface:Protector
Compare cleartext values protected inside the protected strings.This method only deals with the equality of the original values (cleartext). If the two protected strings are representation of the same value then true value is returned. In all other cases false value is returned.
Please note that some cases are not decidable. For example it may not be possible to compare two hashed values, e.g. in case that they are using different salt values. SchemaException is thrown in that case.
This method does not deal with any details about the protection. It just deals with equality of the values. E.g. if encrypted and hashed version of the same value is compared, this method returns true. This is ideal for use cases such as checking equality of a password during authentication. But it is not the right algorithm for data management purposes. E.g. it will provide bad results if it is used to decide whether a particular value should be replaced with a new value in a data store. Please see areEquivalent() method.
- Specified by:
compareCleartext
in interfaceProtector
- Throws:
EncryptionException
SchemaException
- See Also:
Protector.areEquivalent(ProtectedStringType, ProtectedStringType)
-
areEquivalent
public boolean areEquivalent(ProtectedStringType a, ProtectedStringType b)
Description copied from interface:Protector
Decides equivalence of two protected data objects (for data management purposes).The concept of equivalence is a very tricky one when it comes to protected (encrypted and hashed) data. We want to compare the original values (cleartext) and not the bytes that are a product of encryption (ciphertext). As many ciphers have randomized initialization vectors, encrypting the same cleartext will produce different ciphertext. Therefore we cannot rely on equality of ciphertexts. On the other hand, we want to allow re-keying. Therefore protected data types that are produced from the same cleartext may still be non-equivalent if a different key was used to create them. Otherwise we want be able to change the key, as the value with old key will be considered equivalent and it may never get replaced.
And all of that is further complicated with hashing. Hash algorithms are often salted, therefore we cannot rely on comparing just the hashes. The situation is a bit easier here as we do not need to deal with the key, but on the other hand we do not have access to a cleartext at all. Therefore all we can do is to look at hashed values and suffer re-salting all the time. But it is better than the alternative, which means never be able to change hashed value. If any more intelligent behavior is expected, it has to be implemented in higher layers of the system where we still have at least one unhashed clear value available.
This method is designed for data management purposes. E.g. it can be used to decide whether to replace certain value in a data store. This method is not suitable for all purposes. E.g. it should NOT be used for password management. This method may return false even if the cleartext in two protected strings is the same, e.g. in case that one is encrypted and the other is hashed. For that purpose see the compareCleartext method.
- Specified by:
areEquivalent
in interfaceProtector
- See Also:
Protector.compareCleartext(ProtectedStringType, ProtectedStringType)
-
isEncryptedByCurrentKey
public boolean isEncryptedByCurrentKey(@NotNull @NotNull EncryptedDataType data) throws EncryptionException
- Specified by:
isEncryptedByCurrentKey
in interfaceProtector
- Throws:
EncryptionException
-
-