• Home
• org.apache.cayenne
• cayenne-crypto
• 4.0.M3
• source code
• JceksKeySource.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.cayenne.crypto.key.JceksKeySource Maven / Gradle / Ivy

/*****************************************************************
 *   Licensed to the Apache Software Foundation (ASF) under one
 *  or more contributor license agreements.  See the NOTICE file
 *  distributed with this work for additional information
 *  regarding copyright ownership.  The ASF licenses this file
 *  to you under the Apache License, Version 2.0 (the
 *  "License"); you may not use this file except in compliance
 *  with the License.  You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing,
 *  software distributed under the License is distributed on an
 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 *  KIND, either express or implied.  See the License for the
 *  specific language governing permissions and limitations
 *  under the License.
 ****************************************************************/
package org.apache.cayenne.crypto.key;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.cayenne.crypto.CayenneCryptoException;
import org.apache.cayenne.crypto.CryptoConstants;
import org.apache.cayenne.di.Inject;

/**
 * A {@link KeySource} based on a Java "jceks" KeyStore. Uses
 * {@link CryptoConstants#KEYSTORE_URL} to locate the keystore and
 * {@link CryptoConstants#KEY_PASSWORD} to read the secret key.
 * 
 * @since 4.0
 */
public class JceksKeySource implements KeySource {

	// this is the only standard keystore type that supports storing secret keys
	private static final String JCEKS_KEYSTORE_TYPE = "jceks";
	private static final Key NULL_KEY = new Key() {

		private static final long serialVersionUID = 4755682444381893880L;

		@Override
		public String getFormat() {
			throw new UnsupportedOperationException();
		}

		@Override
		public byte[] getEncoded() {
			throw new UnsupportedOperationException();
		}

		@Override
		public String getAlgorithm() {
			throw new UnsupportedOperationException();
		}
	};

	private KeyStore keyStore;
	private char[] keyPassword;
	private String defaultKeyAlias;

	// caching the keys may not be a good idea for security reasons, but
	// re-reading the key from KeyStore for every select row creates a huge
	// bottleneck... And considering we are caching keystore password, it
	// probably doesn't make things that much worse
	private ConcurrentMap keyCache;

	public JceksKeySource(@Inject(CryptoConstants.PROPERTIES_MAP) Map properties,
			@Inject(CryptoConstants.CREDENTIALS_MAP) Map credentials) {

		String keyStoreUrl = properties.get(CryptoConstants.KEYSTORE_URL);
		if (keyStoreUrl == null) {
			throw new CayenneCryptoException("KeyStore URL is not set. Property name: " + CryptoConstants.KEYSTORE_URL);
		}

		this.keyPassword = credentials.get(CryptoConstants.KEY_PASSWORD);
		// NULL password is valid, though not secure .. so no NULL validation

		try {
			this.keyStore = createKeyStore(keyStoreUrl);
		} catch (Exception e) {
			throw new CayenneCryptoException("Error loading keystore at " + keyStoreUrl, e);
		}

		this.defaultKeyAlias = properties.get(CryptoConstants.ENCRYPTION_KEY_ALIAS);
		if (defaultKeyAlias == null) {
			throw new CayenneCryptoException("Default key alias is not set. Property name: "
					+ CryptoConstants.ENCRYPTION_KEY_ALIAS);
		}

		this.keyCache = new ConcurrentHashMap<>();
	}

	private KeyStore createKeyStore(String keyStoreUrl) throws KeyStoreException, IOException,
			NoSuchAlgorithmException, CertificateException {

		KeyStore keyStore = KeyStore.getInstance(JCEKS_KEYSTORE_TYPE);

		URL url = new URL(keyStoreUrl);

		try (InputStream in = url.openStream();) {
			keyStore.load(in, null);
		}

		return keyStore;
	}

	@Override
	public Key getKey(String alias) {

		Key key = keyCache.get(alias);
		if (key == null) {

			Key newKey = createKey(alias);
			Key oldKey = keyCache.putIfAbsent(alias, newKey);
			key = oldKey != null ? oldKey : newKey;
		}

		return key == NULL_KEY ? null : key;
	}

	protected Key createKey(String alias) {
		try {
			Key key = keyStore.getKey(alias, keyPassword);
			return key != null ? key : NULL_KEY;
		} catch (Exception e) {
			throw new CayenneCryptoException("Error accessing key for alias: " + alias, e);
		}
	}

	@Override
	public String getDefaultKeyAlias() {
		return defaultKeyAlias;
	}
}