mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
Fix for ALF-10189:
o Alfresco key store manages keys and backup keys internally o moved key registration and checking into AlfrescoKeyStoreImpl o encryptor thread cache fix resulting from reload of key stores at runtime o more encryption and key store tests o tidy up + more comments o moved hard-coded values to properties file git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@30405 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Steven Glover
@@ -20,8 +20,10 @@ package org.alfresco.encryption;
|
||||
|
||||
import java.io.Serializable;
|
||||
import java.security.InvalidKeyException;
|
||||
import java.security.Key;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import org.alfresco.repo.transaction.RetryingTransactionHelper;
|
||||
import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
|
||||
@@ -34,6 +36,8 @@ import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
/**
|
||||
* Registered Encryption Keys are stored in the AttributeService directly under a top level key defined by
|
||||
* TOP_LEVEL_KEY (which means that all key aliases must be unique across however many keystores are being used).
|
||||
*
|
||||
* @since 4.0
|
||||
*
|
||||
@@ -46,16 +50,22 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
|
||||
private TransactionService transactionService;
|
||||
private AttributeService attributeService;
|
||||
private Encryptor encryptor;
|
||||
private String cipherAlgorithm;
|
||||
private String cipherProvider;
|
||||
|
||||
public void setAttributeService(AttributeService attributeService)
|
||||
{
|
||||
this.attributeService = attributeService;
|
||||
}
|
||||
|
||||
public void setEncryptor(Encryptor encryptor)
|
||||
public void setCipherAlgorithm(String cipherAlgorithm)
|
||||
{
|
||||
this.encryptor = encryptor;
|
||||
this.cipherAlgorithm = cipherAlgorithm;
|
||||
}
|
||||
|
||||
public void setCipherProvider(String cipherProvider)
|
||||
{
|
||||
this.cipherProvider = cipherProvider;
|
||||
}
|
||||
|
||||
public void setTransactionService(TransactionService transactionService)
|
||||
@@ -63,55 +73,87 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
this.transactionService = transactionService;
|
||||
}
|
||||
|
||||
public void registerKey(String keyAlias)
|
||||
protected Encryptor getEncryptor(final KeyMap keys)
|
||||
{
|
||||
DefaultEncryptor encryptor = new DefaultEncryptor();
|
||||
encryptor.setCipherAlgorithm(cipherAlgorithm);
|
||||
encryptor.setCipherProvider(cipherProvider);
|
||||
encryptor.setKeyProvider(new KeyProvider()
|
||||
{
|
||||
@Override
|
||||
public Key getKey(String keyAlias)
|
||||
{
|
||||
return keys.getCachedKey(keyAlias).getKey();
|
||||
}
|
||||
});
|
||||
return encryptor;
|
||||
}
|
||||
|
||||
public void init()
|
||||
{
|
||||
}
|
||||
|
||||
public void registerKey(String keyAlias, Key key)
|
||||
{
|
||||
if(isKeyRegistered(keyAlias))
|
||||
{
|
||||
throw new IllegalArgumentException("Key " + keyAlias + " is already registered");
|
||||
}
|
||||
|
||||
// register the key by creating an attribute that stores a guid and its encrypted value
|
||||
String guid = GUID.generate();
|
||||
|
||||
KeyMap keys = new KeyMap();
|
||||
keys.setKey(keyAlias, key);
|
||||
Encryptor encryptor = getEncryptor(keys);
|
||||
Serializable encrypted = encryptor.sealObject(keyAlias, null, guid);
|
||||
KeyCheck keyCheck = new KeyCheck(guid, encrypted);
|
||||
attributeService.createAttribute(keyCheck, TOP_LEVEL_KEY, keyAlias);
|
||||
logger.info("Registered key " + keyAlias);
|
||||
}
|
||||
|
||||
public KeysReport getKeysReport()
|
||||
public void unregisterKey(String keyAlias)
|
||||
{
|
||||
attributeService.removeAttribute(TOP_LEVEL_KEY, keyAlias);
|
||||
}
|
||||
|
||||
public boolean isKeyRegistered(String keyAlias)
|
||||
{
|
||||
return (attributeService.getAttribute(TOP_LEVEL_KEY, keyAlias) != null);
|
||||
}
|
||||
|
||||
public List<String> getRegisteredKeys(final Set<String> keyStoreKeys)
|
||||
{
|
||||
final List<String> registeredKeys = new ArrayList<String>();
|
||||
|
||||
if(attributeService.exists(TOP_LEVEL_KEY))
|
||||
attributeService.getAttributes(new AttributeQueryCallback()
|
||||
{
|
||||
attributeService.getAttributes(new AttributeQueryCallback()
|
||||
public boolean handleAttribute(Long id, Serializable value,
|
||||
Serializable[] keys)
|
||||
{
|
||||
public boolean handleAttribute(Long id, Serializable value,
|
||||
Serializable[] keys)
|
||||
if(value instanceof KeyCheck)
|
||||
{
|
||||
registeredKeys.add((String)value);
|
||||
return true;
|
||||
// Add as a registered key if the keystore contains the key
|
||||
String keyAlias = (String)keys[1];
|
||||
if(keyStoreKeys.contains(keyAlias))
|
||||
{
|
||||
registeredKeys.add(keyAlias);
|
||||
}
|
||||
}
|
||||
|
||||
},
|
||||
TOP_LEVEL_KEY);
|
||||
}
|
||||
|
||||
List<String> keyAliasesChanged = new ArrayList<String>();
|
||||
List<String> keyAliasesUnchanged = new ArrayList<String>();
|
||||
|
||||
for(String keyAlias : registeredKeys)
|
||||
{
|
||||
KEY_STATUS keyStatus = checkKey(keyAlias);
|
||||
if(keyStatus == KEY_STATUS.CHANGED)
|
||||
{
|
||||
keyAliasesChanged.add(keyAlias);
|
||||
else
|
||||
{
|
||||
logger.warn("Unexpected value class in keys registry: " + value.getClass());
|
||||
}
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
keyAliasesUnchanged.add(keyAlias);
|
||||
}
|
||||
}
|
||||
|
||||
return new KeysReport(keyAliasesChanged, keyAliasesUnchanged);
|
||||
},
|
||||
TOP_LEVEL_KEY);
|
||||
|
||||
return registeredKeys;
|
||||
}
|
||||
|
||||
public KEY_STATUS checkKey(String keyAlias)
|
||||
|
||||
public KEY_STATUS checkKey(String keyAlias, Key key)
|
||||
{
|
||||
if(attributeService.exists(TOP_LEVEL_KEY, keyAlias))
|
||||
{
|
||||
@@ -120,6 +162,10 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
// check that the key has not changed by decrypting the encrypted guid attribute
|
||||
// comparing against the guid
|
||||
KeyCheck keyCheck = (KeyCheck)attributeService.getAttribute(TOP_LEVEL_KEY, keyAlias);
|
||||
|
||||
KeyMap keys = new KeyMap();
|
||||
keys.setKey(keyAlias, key);
|
||||
Encryptor encryptor = getEncryptor(keys);
|
||||
Serializable storedGUID = encryptor.unsealObject(keyAlias, keyCheck.getEncrypted());
|
||||
return EqualsHelper.nullSafeEquals(storedGUID, keyCheck.getGuid()) ? KEY_STATUS.OK : KEY_STATUS.CHANGED;
|
||||
}
|
||||
@@ -137,14 +183,14 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
}
|
||||
|
||||
// note that this removes _all_ keys in the keystore. Use with care.
|
||||
public void removeRegisteredKeys(final AlfrescoKeyStore keyStore)
|
||||
public void removeRegisteredKeys(final Set<String> keys)
|
||||
{
|
||||
RetryingTransactionHelper retryingTransactionHelper = transactionService.getRetryingTransactionHelper();
|
||||
final RetryingTransactionCallback<Void> removeKeysCallback = new RetryingTransactionCallback<Void>()
|
||||
{
|
||||
public Void execute() throws Throwable
|
||||
{
|
||||
for(String keyAlias : keyStore.getKeyAliases())
|
||||
for(String keyAlias : keys)
|
||||
{
|
||||
attributeService.removeAttribute(TOP_LEVEL_KEY, keyAlias);
|
||||
}
|
||||
@@ -161,7 +207,7 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
* @since 4.0
|
||||
*
|
||||
*/
|
||||
private static class KeyCheck implements Serializable
|
||||
public static class KeyCheck implements Serializable
|
||||
{
|
||||
private static final long serialVersionUID = 4514315444977162903L;
|
||||
|
||||
@@ -201,4 +247,5 @@ public class EncryptionKeysRegistryImpl implements EncryptionKeysRegistry
|
||||
EqualsHelper.nullSafeEquals(keyCheck.getEncrypted(), getEncrypted());
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user