public final class CryptoManagerImpl extends Object implements ConfigurationChangeListener<CryptoManagerCfg>, CryptoManager
CryptoManager implements inter-OpenDJ-instance authentication and authorization using the ADS-based
truststore, and secret key distribution. The interface also provides methods for hashing, encryption, and other kinds
of cryptographic operations.
Note that it also contains methods for compressing and uncompressing data: while these are not strictly cryptographic operations, there are a lot of similarities and it is conceivable at some point that accelerated compression may be available just as it is for cryptographic operations.
Other components of CryptoManager:
| Constructor and Description |
|---|
CryptoManagerImpl(ServerContext serverContext,
CryptoManagerCfg config)
Creates a new instance of this crypto manager object from a given configuration, plus some static member
initialization.
|
| Modifier and Type | Method and Description |
|---|---|
ConfigChangeResult |
applyConfigurationChange(CryptoManagerCfg cfg)
Applies the configuration changes to this change listener.
|
int |
compress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
Attempts to compress the data in the provided source array into the given destination array.
|
byte[] |
decrypt(byte[] data)
Decrypts the data in the provided byte array using cipher specified by the key identifier prologue to the data.
|
byte[] |
digest(byte[] data)
Retrieves a byte array containing a message digest based on the provided data, using the preferred digest
algorithm.
|
byte[] |
digest(InputStream inputStream)
Retrieves a byte array containing a message digest based on the data read from the provided input stream, using
the preferred digest algorithm.
|
byte[] |
digest(String digestAlgorithm,
byte[] data)
Retrieves a byte array containing a message digest based on the provided data, using the requested digest
algorithm.
|
byte[] |
digest(String digestAlgorithm,
InputStream inputStream)
Retrieves a byte array containing a message digest based on the data read from the provided input stream, using
the requested digest algorithm.
|
byte[] |
encrypt(byte[] data)
Encrypts the data in the provided byte array using the preferred cipher transformation.
|
byte[] |
encrypt(String cipherTransformation,
int keyLengthBits,
byte[] data)
Encrypts the data in the provided byte array using the requested cipher algorithm.
|
void |
ensureCipherKeyIsAvailable(String cipherTransformation,
int cipherKeyLength)
Ensures that a key exists for the provided cipher transformation and key length.
|
CipherInputStream |
getCipherInputStream(InputStream inputStream)
Returns a CipherInputStream instantiated with a cipher corresponding to the key identifier prologue to the data.
|
CipherOutputStream |
getCipherOutputStream(OutputStream outputStream)
Writes encrypted data to the provided output stream using the preferred cipher transformation.
|
CipherOutputStream |
getCipherOutputStream(String cipherTransformation,
int keyLengthBits,
OutputStream outputStream)
Writes encrypted data to the provided output stream using the requested cipher transformation.
|
static String |
getInstanceKeyID(byte[] instanceKeyCertificate)
Return the identifier of an instance's instance key.
|
Mac |
getMacEngine(String keyEntryID)
For the specified key entry identifier, instantiate a MAC engine.
|
String |
getMacEngineKeyEntryID()
For the current preferred MAC algorithm and key length, return the identifier of the corresponding key entry.
|
String |
getMacEngineKeyEntryID(String macAlgorithm,
int keyLengthBits)
For the specified MAC algorithm and key length, return the identifier of the corresponding key entry.
|
MessageDigest |
getMessageDigest(String digestAlgorithm)
Retrieves a
MessageDigest object that may be used to generate digests using the specified algorithm. |
MessageDigest |
getPreferredMessageDigest()
Retrieves a
MessageDigest object that may be used to generate digests using the preferred digest
algorithm. |
String |
getPreferredMessageDigestAlgorithm()
Retrieves the name of the preferred message digest algorithm.
|
SortedSet<String> |
getSslCertNicknames()
Get the names of the local certificates to use for SSL.
|
SortedSet<String> |
getSslCipherSuites()
Get the set of enabled SSL cipher suites.
|
SSLContext |
getSslContext(String componentName,
SortedSet<String> sslCertNicknames)
Create an SSL context that may be used for communication to another ADS component.
|
SortedSet<String> |
getSslProtocols()
Get the set of enabled SSL protocols.
|
boolean |
isConfigurationChangeAcceptable(CryptoManagerCfg cfg,
List<LocalizableMessage> unacceptableReasons)
Indicates whether the proposed change to the configuration is acceptable
to this change listener.
|
boolean |
isSslEncryption()
Determine whether SSL encryption is enabled.
|
CryptoSuite |
newCryptoSuite(String cipherTransformation,
int cipherKeyLength,
boolean encrypt)
Return a new
CryptoSuite for the cipher and key. |
int |
uncompress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
Attempts to uncompress the data in the provided source array into the given destination array.
|
public CryptoManagerImpl(ServerContext serverContext, CryptoManagerCfg config) throws InitializationException
serverContext - The server context.config - The configuration of this crypto manager.InitializationException - If a problem occurs while creating this CryptoManager that is not the result of a problem in
the configuration.public boolean isConfigurationChangeAcceptable(CryptoManagerCfg cfg, List<LocalizableMessage> unacceptableReasons)
ConfigurationChangeListenerisConfigurationChangeAcceptable in interface ConfigurationChangeListener<CryptoManagerCfg>cfg - The new configuration containing the changes.unacceptableReasons - A list that can be used to hold messages about why the
provided configuration is not acceptable.true if the proposed change is acceptable,
or false if it is not.public ConfigChangeResult applyConfigurationChange(CryptoManagerCfg cfg)
ConfigurationChangeListenerapplyConfigurationChange in interface ConfigurationChangeListener<CryptoManagerCfg>cfg - The new configuration containing the changes.public static String getInstanceKeyID(byte[] instanceKeyCertificate) throws CryptoManagerException
instanceKeyCertificate - The instance key for which to return an identifier.CryptoManagerException - If there is a problem computing the identifier from the instance key. TODO: Make package-private if
ADSContextHelper can get keyID from ADS TODO: suffix: Issue
https://opends.dev.java.net/issues/show_bug.cgi?id=2442getInstanceKeyID()public String getPreferredMessageDigestAlgorithm()
CryptoManagergetPreferredMessageDigestAlgorithm in interface CryptoManagerpublic MessageDigest getPreferredMessageDigest() throws NoSuchAlgorithmException
CryptoManagerMessageDigest object that may be used to generate digests using the preferred digest
algorithm.getPreferredMessageDigest in interface CryptoManagerMessageDigest object that may be used to generate digests using the preferred digest
algorithm.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public MessageDigest getMessageDigest(String digestAlgorithm) throws NoSuchAlgorithmException
CryptoManagerMessageDigest object that may be used to generate digests using the specified algorithm.getMessageDigest in interface CryptoManagerdigestAlgorithm - The algorithm to use to generate the message digest.MessageDigest object that may be used to generate digests using the specified algorithm.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public byte[] digest(byte[] data)
throws NoSuchAlgorithmException
CryptoManagerdigest in interface CryptoManagerdata - The data to be digested.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public byte[] digest(String digestAlgorithm, byte[] data) throws NoSuchAlgorithmException
CryptoManagerdigest in interface CryptoManagerdigestAlgorithm - The algorithm to use to generate the message digest.data - The data to be digested.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public byte[] digest(InputStream inputStream) throws IOException, NoSuchAlgorithmException
CryptoManagerdigest in interface CryptoManagerinputStream - The input stream from which the data is to be read.IOException - If a problem occurs while reading data from the provided stream.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public byte[] digest(String digestAlgorithm, InputStream inputStream) throws IOException, NoSuchAlgorithmException
CryptoManagerdigest in interface CryptoManagerdigestAlgorithm - The algorithm to use to generate the message digest.inputStream - The input stream from which the data is to be read.IOException - If a problem occurs while reading data from the provided stream.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.public String getMacEngineKeyEntryID() throws CryptoManagerException
CryptoManagergetMacEngineKeyEntryID in interface CryptoManagerCryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key
entry in case it does not already exist.public String getMacEngineKeyEntryID(String macAlgorithm, int keyLengthBits) throws CryptoManagerException
CryptoManagergetMacEngineKeyEntryID in interface CryptoManagermacAlgorithm - The algorithm to use for the MAC engine.keyLengthBits - The key length in bits to use with the specified algorithm.CryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key
entry in case it does not already exist.public Mac getMacEngine(String keyEntryID) throws CryptoManagerException
CryptoManagergetMacEngine in interface CryptoManagerkeyEntryID - The identifier of the key entry containing the desired MAC algorithm name and key length.CryptoManagerException - In case the key entry identifier is invalid or there is a problem instantiating the MAC engine from
the parameters in the referenced key entry.public byte[] encrypt(byte[] data)
throws GeneralSecurityException,
CryptoManagerException
CryptoManagerencrypt in interface CryptoManagerdata - The plain-text data to be encrypted.GeneralSecurityException - If a problem occurs while encrypting the data.CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.public byte[] encrypt(String cipherTransformation, int keyLengthBits, byte[] data) throws GeneralSecurityException, CryptoManagerException
CryptoManagerencrypt in interface CryptoManagercipherTransformation - The algorithm/mode/padding to use for the cipher.keyLengthBits - The length in bits of the encryption key this method is to use. Note the specified key length and
transformation must be compatible.data - The plain-text data to be encrypted.GeneralSecurityException - If a problem occurs while encrypting the data.CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.public CipherOutputStream getCipherOutputStream(OutputStream outputStream) throws CryptoManagerException
CryptoManagergetCipherOutputStream in interface CryptoManageroutputStream - The output stream to be wrapped by the returned cipher output stream.CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.public CipherOutputStream getCipherOutputStream(String cipherTransformation, int keyLengthBits, OutputStream outputStream) throws CryptoManagerException
CryptoManagergetCipherOutputStream in interface CryptoManagercipherTransformation - The algorithm/mode/padding to use for the cipher.keyLengthBits - The length in bits of the encryption key this method will generate. Note the specified key length must
be compatible with the transformation.outputStream - The output stream to be wrapped by the returned cipher output stream.CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.public void ensureCipherKeyIsAvailable(String cipherTransformation, int cipherKeyLength) throws CryptoManagerException
CryptoManagerNewly created keys will be published and propagated to the replication topology.
ensureCipherKeyIsAvailable in interface CryptoManagercipherTransformation - cipher transformation string specificationcipherKeyLength - length of key in bitsCryptoManagerException - If a problem occurs managing the encryption keypublic byte[] decrypt(byte[] data)
throws GeneralSecurityException,
CryptoManagerException
CryptoManagerdecrypt in interface CryptoManagerdata - The cipher-text data to be decrypted.GeneralSecurityException - If a problem occurs while encrypting the data.CryptoManagerException - If a problem occurs reading the key identifier or initialization vector from the data prologue, or
using these values to initialize a Cipher.public CipherInputStream getCipherInputStream(InputStream inputStream) throws CryptoManagerException
CryptoManagergetCipherInputStream in interface CryptoManagerinputStream - The input stream be wrapped with the CipherInputStream.CryptoManagerException - If there is a problem reading the key ID or initialization vector from the input stream, or using
these values to inititalize a Cipher.public int compress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
CryptoManagercompress in interface CryptoManagersrc - The array containing the raw data to compress.srcOff - The start offset of the source data.srcLen - The maximum number of source data bytes to compress.dst - The array into which the compressed data should be written.dstOff - The start offset of the compressed data.dstLen - The maximum number of bytes of compressed data.public int uncompress(byte[] src,
int srcOff,
int srcLen,
byte[] dst,
int dstOff,
int dstLen)
throws DataFormatException
CryptoManageruncompress in interface CryptoManagersrc - The array containing the raw data to compress.srcOff - The start offset of the source data.srcLen - The maximum number of source data bytes to compress.dst - The array into which the compressed data should be written.dstOff - The start offset of the compressed data.dstLen - The maximum number of bytes of compressed data.DataFormatException - If a problem occurs while attempting to uncompress the data.public SSLContext getSslContext(String componentName, SortedSet<String> sslCertNicknames) throws ConfigException
CryptoManagergetSslContext in interface CryptoManagercomponentName - Name of the component to which is associated this SSL Context.sslCertNicknames - The names of the local certificates to use, or null if none is specified.ConfigException - If the context could not be created.public SortedSet<String> getSslCertNicknames()
CryptoManagergetSslCertNicknames in interface CryptoManagerpublic boolean isSslEncryption()
CryptoManagerisSslEncryption in interface CryptoManagerpublic SortedSet<String> getSslProtocols()
CryptoManagergetSslProtocols in interface CryptoManagerpublic SortedSet<String> getSslCipherSuites()
CryptoManagergetSslCipherSuites in interface CryptoManagerpublic CryptoSuite newCryptoSuite(String cipherTransformation, int cipherKeyLength, boolean encrypt)
CryptoManagerCryptoSuite for the cipher and key.newCryptoSuite in interface CryptoManagercipherTransformation - cipher transformation string specificationcipherKeyLength - length of key in bitsencrypt - true if the user of the crypto suite needs encryptionCryptoSuite for the cipher and keyCopyright 2010-2022 ForgeRock AS.