public class CryptoManagerImpl extends Object implements org.forgerock.opendj.config.server.ConfigurationChangeListener<org.forgerock.opendj.server.config.server.CryptoManagerCfg>, CryptoManager
CryptoManager implements inter-OpenDJ-instance authentication and authorization using the ADS-based truststore, and secret key distribution. The interface also provides methods for hashing, encryption, and other kinds of cryptographic operations.
Note that it also contains methods for compressing and uncompressing data: while these are not strictly cryptographic operations, there are a lot of similarities and it is conceivable at some point that accelerated compression may be available just as it is for cryptographic operations.
Constructor and Description |
---|
CryptoManagerImpl(ServerContext serverContext,
org.forgerock.opendj.server.config.server.CryptoManagerCfg config)
Creates a new instance of this crypto manager object from a given
configuration, plus some static member initialization.
|
Modifier and Type | Method and Description |
---|---|
org.forgerock.opendj.config.server.ConfigChangeResult |
applyConfigurationChange(org.forgerock.opendj.server.config.server.CryptoManagerCfg cfg) |
int |
compress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
Attempts to compress the data in the provided source array into
the given destination array.
|
byte[] |
decrypt(byte[] data)
Decrypts the data in the provided byte array using cipher
specified by the key identifier prologue to the data.
|
byte[] |
digest(byte[] data)
Retrieves a byte array containing a message digest based on the
provided data, using the preferred digest algorithm.
|
byte[] |
digest(InputStream inputStream)
Retrieves a byte array containing a message digest based on the
data read from the provided input stream, using the preferred
digest algorithm.
|
byte[] |
digest(String digestAlgorithm,
byte[] data)
Retrieves a byte array containing a message digest based on the
provided data, using the requested digest algorithm.
|
byte[] |
digest(String digestAlgorithm,
InputStream inputStream)
Retrieves a byte array containing a message digest based on the
data read from the provided input stream, using the requested
digest algorithm.
|
byte[] |
encrypt(byte[] data)
Encrypts the data in the provided byte array using the preferred
cipher transformation.
|
byte[] |
encrypt(String cipherTransformation,
int keyLengthBits,
byte[] data)
Encrypts the data in the provided byte array using the requested
cipher algorithm.
|
void |
ensureCipherKeyIsAvailable(String cipherTransformation,
int cipherKeyLength)
Ensures that a key exists for the provided cipher transformation and key length.
|
CipherInputStream |
getCipherInputStream(InputStream inputStream)
Returns a CipherInputStream instantiated with a cipher
corresponding to the key identifier prologue to the data.
|
CipherOutputStream |
getCipherOutputStream(OutputStream outputStream)
Writes encrypted data to the provided output stream using the
preferred cipher transformation.
|
CipherOutputStream |
getCipherOutputStream(String cipherTransformation,
int keyLengthBits,
OutputStream outputStream)
Writes encrypted data to the provided output stream using the
requested cipher transformation.
|
static String |
getInstanceKeyID(byte[] instanceKeyCertificate)
Return the identifier of an instance's instance key.
|
Mac |
getMacEngine(String keyEntryID)
For the specified key entry identifier, instantiate a MAC engine.
|
String |
getMacEngineKeyEntryID()
For the current preferred MAC algorithm and key length, return
the identifier of the corresponding key entry.
|
String |
getMacEngineKeyEntryID(String macAlgorithm,
int keyLengthBits)
For the specified MAC algorithm and key length, return
the identifier of the corresponding key entry.
|
MessageDigest |
getMessageDigest(String digestAlgorithm)
Retrieves a
MessageDigest object that may be used to
generate digests using the specified algorithm. |
MessageDigest |
getPreferredMessageDigest()
Retrieves a
MessageDigest object that may be used to
generate digests using the preferred digest algorithm. |
String |
getPreferredMessageDigestAlgorithm()
Retrieves the name of the preferred message digest algorithm.
|
SortedSet<String> |
getSslCertNicknames()
Get the names of the local certificates to use for SSL.
|
SortedSet<String> |
getSslCipherSuites()
Get the set of enabled SSL cipher suites.
|
SSLContext |
getSslContext(String componentName,
SortedSet<String> sslCertNicknames)
Create an SSL context that may be used for communication to
another ADS component.
|
SortedSet<String> |
getSslProtocols()
Get the set of enabled SSL protocols.
|
boolean |
isConfigurationChangeAcceptable(org.forgerock.opendj.server.config.server.CryptoManagerCfg cfg,
List<LocalizableMessage> unacceptableReasons) |
boolean |
isSslEncryption()
Determine whether SSL encryption is enabled.
|
CryptoSuite |
newCryptoSuite(String cipherTransformation,
int cipherKeyLength,
boolean encrypt)
Return a new
CryptoSuite for the cipher and key. |
int |
uncompress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
Attempts to uncompress the data in the provided source array into
the given destination array.
|
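The encryption methods summarized above are designed so that the receiving side needs no out-of-band parameters: encrypt() writes a key-identifier prologue (and IV) in front of the ciphertext, and decrypt(byte[]) reads that prologue to select the cipher and key. The following is an added example, not code from the OpenDJ page or code base, showing how encrypt(), ensureCipherKeyIsAvailable(), getMacEngineKeyEntryID(), getMacEngine() and decrypt() compose into an encrypt-then-MAC wrapper, so that the prologue bytes are authenticated before they are allowed to drive cipher initialization. The CryptoManager instance is assumed to come from a running server; the import packages, the blob layout, the cipher transformation, and the MAC algorithm and key lengths are this example's own assumptions, not OpenDJ formats or defaults.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import org.opends.server.types.CryptoManager;          // package assumed for this example
import org.opends.server.types.CryptoManagerException; // package assumed for this example

/**
 * Encrypt-then-MAC built only from the CryptoManager methods on this page.
 * Blob layout (this example's own convention, not an OpenDJ format):
 *   [1 byte: MAC key-entry ID length][MAC key-entry ID, UTF-8]
 *   [4 bytes: ciphertext length][ciphertext exactly as returned by encrypt()][MAC tag]
 * The ciphertext already carries its key-identifier prologue and IV, so
 * decrypt(byte[]) needs nothing beyond the bytes themselves.
 */
public final class SealedBlob {
    // Example parameters (assumptions); transformation and key length must be compatible.
    static final String CIPHER = "AES/CBC/PKCS5Padding";
    static final int CIPHER_KEY_BITS = 128;
    static final String MAC_ALG = "HmacSHA256";
    static final int MAC_KEY_BITS = 256;

    public static byte[] seal(CryptoManager cm, byte[] plaintext)
            throws GeneralSecurityException, CryptoManagerException {
        // Make sure a key for this transformation exists; a newly created key is
        // published to the replication topology so peers can decrypt what we produce.
        cm.ensureCipherKeyIsAvailable(CIPHER, CIPHER_KEY_BITS);
        byte[] ciphertext = cm.encrypt(CIPHER, CIPHER_KEY_BITS, plaintext);

        // Resolve (creating if needed) the key entry for this MAC algorithm and length,
        // then MAC the whole ciphertext, prologue included, never the plaintext.
        String macKeyId = cm.getMacEngineKeyEntryID(MAC_ALG, MAC_KEY_BITS);
        byte[] idBytes = macKeyId.getBytes(UTF_8);
        if (idBytes.length > 255) {
            throw new IllegalStateException("MAC key entry ID too long for 1-byte length prefix");
        }
        byte[] tag = cm.getMacEngine(macKeyId).doFinal(ciphertext);

        ByteBuffer out = ByteBuffer.allocate(1 + idBytes.length + 4 + ciphertext.length + tag.length);
        out.put((byte) idBytes.length).put(idBytes).putInt(ciphertext.length).put(ciphertext).put(tag);
        return out.array();
    }

    public static byte[] open(CryptoManager cm, byte[] blob)
            throws GeneralSecurityException, CryptoManagerException {
        ByteBuffer in = ByteBuffer.wrap(blob);
        // Every length read from the untrusted blob is bounds-checked before use.
        if (in.remaining() < 1) throw new GeneralSecurityException("truncated blob");
        int idLen = in.get() & 0xFF;
        if (in.remaining() < idLen + 4) throw new GeneralSecurityException("truncated blob");
        byte[] idBytes = new byte[idLen];
        in.get(idBytes);
        int ctLen = in.getInt();
        if (ctLen < 0 || in.remaining() < ctLen) throw new GeneralSecurityException("truncated blob");
        byte[] ciphertext = new byte[ctLen];
        in.get(ciphertext);
        byte[] tag = new byte[in.remaining()];
        in.get(tag);

        // Verify before decrypting, with a constant-time comparison. An unknown key
        // entry ID surfaces as CryptoManagerException from getMacEngine().
        Mac mac = cm.getMacEngine(new String(idBytes, UTF_8));
        if (tag.length != mac.getMacLength() || !MessageDigest.isEqual(mac.doFinal(ciphertext), tag)) {
            throw new GeneralSecurityException("MAC verification failed; blob rejected");
        }
        // decrypt() selects cipher and key from the key-identifier prologue inside the ciphertext.
        return cm.decrypt(ciphertext);
    }

    /** Round trip on constructed sample data, plus a tamper check; cm is the server's CryptoManager. */
    public static boolean roundTrip(CryptoManager cm) throws GeneralSecurityException, CryptoManagerException {
        byte[] secret = "constructed sample: replication server password".getBytes(UTF_8);
        byte[] blob = seal(cm, secret);
        byte[] back = open(cm, blob);
        // Flip the first ciphertext byte (inside the key-ID prologue): open() must
        // reject the blob at the MAC check, before any cipher is initialized.
        byte[] tampered = blob.clone();
        tampered[1 + (blob[0] & 0xFF) + 4] ^= 0x01;
        boolean rejected;
        try {
            open(cm, tampered);
            rejected = false;
        } catch (GeneralSecurityException e) {
            rejected = true;
        }
        return Arrays.equals(secret, back) && rejected;
    }
}
```

The MAC is computed over the ciphertext including the prologue, which is why the tamper check in roundTrip() fails at MessageDigest.isEqual rather than inside decrypt(). With an unauthenticated transformation such as CBC this composition is what prevents the prologue and IV from being attacker-controlled inputs to Cipher initialization; with an AEAD transformation the separate MAC would be redundant.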
public CryptoManagerImpl(ServerContext serverContext, org.forgerock.opendj.server.config.server.CryptoManagerCfg config) throws org.forgerock.opendj.config.server.ConfigException, InitializationException
Parameters:
serverContext - The server context.
config - The configuration of this crypto manager.
Throws:
org.forgerock.opendj.config.server.ConfigException - If a problem occurs while creating this CryptoManager that is a result of a problem in the configuration.
InitializationException - If a problem occurs while creating this CryptoManager that is not the result of a problem in the configuration.
public boolean isConfigurationChangeAcceptable(org.forgerock.opendj.server.config.server.CryptoManagerCfg cfg, List<LocalizableMessage> unacceptableReasons)
Specified by:
isConfigurationChangeAcceptable in interface org.forgerock.opendj.config.server.ConfigurationChangeListener<org.forgerock.opendj.server.config.server.CryptoManagerCfg>
public org.forgerock.opendj.config.server.ConfigChangeResult applyConfigurationChange(org.forgerock.opendj.server.config.server.CryptoManagerCfg cfg)
Specified by:
applyConfigurationChange in interface org.forgerock.opendj.config.server.ConfigurationChangeListener<org.forgerock.opendj.server.config.server.CryptoManagerCfg>
public static String getInstanceKeyID(byte[] instanceKeyCertificate) throws CryptoManagerException
Parameters:
instanceKeyCertificate - The instance key for which to return an identifier.
Throws:
CryptoManagerException - If there is a problem computing the identifier from the instance key.
TODO: Make package-private if ADSContextHelper can get keyID from ADS suffix: Issue https://opends.dev.java.net/issues/show_bug.cgi?id=2442
public String getPreferredMessageDigestAlgorithm()
Specified by:
getPreferredMessageDigestAlgorithm in interface CryptoManager
public MessageDigest getPreferredMessageDigest() throws NoSuchAlgorithmException
Retrieves a MessageDigest object that may be used to generate digests using the preferred digest algorithm.
Specified by:
getPreferredMessageDigest in interface CryptoManager
Returns:
MessageDigest object that may be used to generate digests using the preferred digest algorithm.
Throws:
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public MessageDigest getMessageDigest(String digestAlgorithm) throws NoSuchAlgorithmException
Retrieves a MessageDigest object that may be used to generate digests using the specified algorithm.
Specified by:
getMessageDigest in interface CryptoManager
Parameters:
digestAlgorithm - The algorithm to use to generate the message digest.
Returns:
MessageDigest object that may be used to generate digests using the specified algorithm.
Throws:
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public byte[] digest(byte[] data) throws NoSuchAlgorithmException
Specified by:
digest in interface CryptoManager
Parameters:
data - The data to be digested.
Throws:
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public byte[] digest(String digestAlgorithm, byte[] data) throws NoSuchAlgorithmException
Specified by:
digest in interface CryptoManager
Parameters:
digestAlgorithm - The algorithm to use to generate the message digest.
data - The data to be digested.
Throws:
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public byte[] digest(InputStream inputStream) throws IOException, NoSuchAlgorithmException
Specified by:
digest in interface CryptoManager
Parameters:
inputStream - The input stream from which the data is to be read.
Throws:
IOException - If a problem occurs while reading data from the provided stream.
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public byte[] digest(String digestAlgorithm, InputStream inputStream) throws IOException, NoSuchAlgorithmException
Specified by:
digest in interface CryptoManager
Parameters:
digestAlgorithm - The algorithm to use to generate the message digest.
inputStream - The input stream from which the data is to be read.
Throws:
IOException - If a problem occurs while reading data from the provided stream.
NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.
public String getMacEngineKeyEntryID() throws CryptoManagerException
Specified by:
getMacEngineKeyEntryID in interface CryptoManager
Throws:
CryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key entry in case it does not already exist.
public String getMacEngineKeyEntryID(String macAlgorithm, int keyLengthBits) throws CryptoManagerException
Specified by:
getMacEngineKeyEntryID in interface CryptoManager
Parameters:
macAlgorithm - The algorithm to use for the MAC engine.
keyLengthBits - The key length in bits to use with the specified algorithm.
Throws:
CryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key entry in case it does not already exist.
public Mac getMacEngine(String keyEntryID) throws CryptoManagerException
Specified by:
getMacEngine in interface CryptoManager
Parameters:
keyEntryID - The identifier of the key entry containing the desired MAC algorithm name and key length.
Throws:
CryptoManagerException - In case the key entry identifier is invalid or there is a problem instantiating the MAC engine from the parameters in the referenced key entry.
public byte[] encrypt(byte[] data) throws GeneralSecurityException, CryptoManagerException
Specified by:
encrypt in interface CryptoManager
Parameters:
data - The plain-text data to be encrypted.
Throws:
GeneralSecurityException - If a problem occurs while encrypting the data.
CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.
public byte[] encrypt(String cipherTransformation, int keyLengthBits, byte[] data) throws GeneralSecurityException, CryptoManagerException
Specified by:
encrypt in interface CryptoManager
Parameters:
cipherTransformation - The algorithm/mode/padding to use for the cipher.
keyLengthBits - The length in bits of the encryption key this method is to use. Note the specified key length and transformation must be compatible.
data - The plain-text data to be encrypted.
Throws:
GeneralSecurityException - If a problem occurs while encrypting the data.
CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.
public CipherOutputStream getCipherOutputStream(OutputStream outputStream) throws CryptoManagerException
Specified by:
getCipherOutputStream in interface CryptoManager
Parameters:
outputStream - The output stream to be wrapped by the returned cipher output stream.
Throws:
CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.
public CipherOutputStream getCipherOutputStream(String cipherTransformation, int keyLengthBits, OutputStream outputStream) throws CryptoManagerException
Specified by:
getCipherOutputStream in interface CryptoManager
Parameters:
cipherTransformation - The algorithm/mode/padding to use for the cipher.
keyLengthBits - The length in bits of the encryption key this method will generate. Note the specified key length must be compatible with the transformation.
outputStream - The output stream to be wrapped by the returned cipher output stream.
Throws:
CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.
public void ensureCipherKeyIsAvailable(String cipherTransformation, int cipherKeyLength) throws CryptoManagerException
Newly created keys will be published and propagated to the replication topology.
Specified by:
ensureCipherKeyIsAvailable in interface CryptoManager
Parameters:
cipherTransformation - Cipher transformation string specification.
cipherKeyLength - Length of key in bits.
Throws:
CryptoManagerException - If a problem occurs managing the encryption key.
public byte[] decrypt(byte[] data) throws GeneralSecurityException, CryptoManagerException
Specified by:
decrypt in interface CryptoManager
Parameters:
data - The cipher-text data to be decrypted.
Throws:
GeneralSecurityException - If a problem occurs while decrypting the data.
CryptoManagerException - If a problem occurs reading the key identifier or initialization vector from the data prologue, or using these values to initialize a Cipher.
public CipherInputStream getCipherInputStream(InputStream inputStream) throws CryptoManagerException
Specified by:
getCipherInputStream in interface CryptoManager
Parameters:
inputStream - The input stream to be wrapped with the CipherInputStream.
Throws:
CryptoManagerException - If there is a problem reading the key ID or initialization vector from the input stream, or using these values to initialize a Cipher.
public int compress(byte[] src, int srcOff, int srcLen, byte[] dst, int dstOff, int dstLen)
Specified by:
compress in interface CryptoManager
Parameters:
src - The array containing the raw data to compress.
srcOff - The start offset of the source data.
srcLen - The maximum number of source data bytes to compress.
dst - The array into which the compressed data should be written.
dstOff - The start offset of the compressed data.
dstLen - The maximum number of bytes of compressed data.
public int uncompress(byte[] src, int srcOff, int srcLen, byte[] dst, int dstOff, int dstLen) throws DataFormatException
Specified by:
uncompress in interface CryptoManager
Parameters:
src - The array containing the compressed data to uncompress.
srcOff - The start offset of the source data.
srcLen - The maximum number of source data bytes to uncompress.
dst - The array into which the uncompressed data should be written.
dstOff - The start offset of the uncompressed data.
dstLen - The maximum number of bytes of uncompressed data.
Throws:
DataFormatException - If a problem occurs while attempting to uncompress the data.
public SSLContext getSslContext(String componentName, SortedSet<String> sslCertNicknames) throws org.forgerock.opendj.config.server.ConfigException
Specified by:
getSslContext in interface CryptoManager
Parameters:
componentName - Name of the component with which this SSL context is associated.
sslCertNicknames - The names of the local certificates to use, or null if none is specified.
Throws:
org.forgerock.opendj.config.server.ConfigException - If the context could not be created.
public SortedSet<String> getSslCertNicknames()
Specified by:
getSslCertNicknames in interface CryptoManager
public boolean isSslEncryption()
Specified by:
isSslEncryption in interface CryptoManager
public SortedSet<String> getSslProtocols()
Specified by:
getSslProtocols in interface CryptoManager
public SortedSet<String> getSslCipherSuites()
Specified by:
getSslCipherSuites in interface CryptoManager
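getSslContext() returns a context backed by the ADS truststore and the configured local certificates, but the context alone does not apply getSslProtocols() or getSslCipherSuites(): an engine created from it starts with the JVM defaults. The following is an added example, not code from the OpenDJ page or code base, of building a client-side SSLEngine for another ADS component that fails closed when SSL is disabled and pins the engine to the configured protocol and cipher-suite sets. The CryptoManager import package and the treatment of an empty configured set as "use JVM defaults" are assumptions of this example.

```java
import java.util.Arrays;
import java.util.SortedSet;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.forgerock.opendj.config.server.ConfigException;
import org.opends.server.types.CryptoManager; // package assumed for this example

/**
 * Builds a client-side SSLEngine for talking to another ADS component, using the
 * CryptoManager's SSL context and restricting the engine to the configured
 * protocols and cipher suites rather than the JVM defaults.
 */
public final class AdsTlsClient {

    public static SSLEngine newClientEngine(CryptoManager cm, String componentName,
                                            String peerHost, int peerPort) throws ConfigException {
        // Fail closed: never fall back to cleartext because SSL happens to be disabled.
        if (!cm.isSslEncryption()) {
            throw new IllegalStateException("SSL encryption is disabled; refusing to connect for " + componentName);
        }
        // Context built from the ADS truststore and the configured local certificate(s);
        // getSslContext() also accepts null for the nicknames.
        SSLContext ctx = cm.getSslContext(componentName, cm.getSslCertNicknames());
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        String[] protocols = supportedSubset(cm.getSslProtocols(), engine.getSupportedProtocols(), "protocol");
        if (protocols != null) {
            params.setProtocols(protocols);
        }
        String[] suites = supportedSubset(cm.getSslCipherSuites(), engine.getSupportedCipherSuites(), "cipher suite");
        if (suites != null) {
            params.setCipherSuites(suites);
        }
        engine.setSSLParameters(params);
        return engine;
    }

    /**
     * Intersects the configured names with what this JVM supports. setProtocols() and
     * setCipherSuites() throw IllegalArgumentException on any unknown name, so a single
     * stale entry would otherwise break every connection. An empty configured set is
     * treated as "use JVM defaults" (an assumption about the configuration semantics)
     * and signalled by returning null; a non-empty set with no supported member is a
     * misconfiguration and is rejected rather than silently widened.
     */
    static String[] supportedSubset(SortedSet<String> configured, String[] supported, String what) {
        if (configured == null || configured.isEmpty()) {
            return null;
        }
        SortedSet<String> usable = new TreeSet<>(configured);
        usable.retainAll(Arrays.asList(supported));
        if (usable.isEmpty()) {
            throw new IllegalStateException("none of the configured " + what + "s is supported by this JVM: " + configured);
        }
        return usable.toArray(new String[0]);
    }
}
```

The intersection step is deliberate: narrowing to the configured set is the security goal, but narrowing to an empty set would not surface as a clear configuration error, it would surface as an IllegalArgumentException on every handshake.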
public CryptoSuite newCryptoSuite(String cipherTransformation, int cipherKeyLength, boolean encrypt)
Return a new CryptoSuite for the cipher and key.
Specified by:
newCryptoSuite in interface CryptoManager
Parameters:
cipherTransformation - Cipher transformation string specification.
cipherKeyLength - Length of key in bits.
encrypt - true if the user of the crypto suite needs encryption.
Returns:
CryptoSuite for the cipher and key.
Copyright © 2010-2017 ForgeRock AS. All Rights Reserved.