Improved PR about encryption at rest

core/src/main/java/com/orientechnologies/orient/core/compression/OCompression.java

@@ -1,26 +1,29 @@
 /*
-  *
-  *  *  Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
-  *  *
-  *  *  Licensed under the Apache License, Version 2.0 (the "License");
-  *  *  you may not use this file except in compliance with the License.
-  *  *  You may obtain a copy of the License at
-  *  *
-  *  *       http://www.apache.org/licenses/LICENSE-2.0
-  *  *
-  *  *  Unless required by applicable law or agreed to in writing, software
-  *  *  distributed under the License is distributed on an "AS IS" BASIS,
-  *  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  *  *  See the License for the specific language governing permissions and
-  *  *  limitations under the License.
-  *  *
-  *  * For more information: http://www.orientechnologies.com
-  *
-  */
+ *
+ *  *  Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
+ *  *
+ *  *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  *  you may not use this file except in compliance with the License.
+ *  *  You may obtain a copy of the License at
+ *  *
+ *  *       http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  *  Unless required by applicable law or agreed to in writing, software
+ *  *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  *  See the License for the specific language governing permissions and
+ *  *  limitations under the License.
+ *  *
+ *  * For more information: http://www.orientechnologies.com
+ *
+ */
 
 package com.orientechnologies.orient.core.compression;
 
 /**
+ * Interface for compression. This interface is used to compress/uncompress at storage level. This can be used also to implement
+ * encryption at rest.
+ * 
  * @author Andrey Lomakin
  * @since 05.06.13
  */

core/src/main/java/com/orientechnologies/orient/core/compression/OCompressionFactory.java

@@ -1,29 +1,25 @@
 /*
-  *
-  *  *  Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
-  *  *
-  *  *  Licensed under the Apache License, Version 2.0 (the "License");
-  *  *  you may not use this file except in compliance with the License.
-  *  *  You may obtain a copy of the License at
-  *  *
-  *  *       http://www.apache.org/licenses/LICENSE-2.0
-  *  *
-  *  *  Unless required by applicable law or agreed to in writing, software
-  *  *  distributed under the License is distributed on an "AS IS" BASIS,
-  *  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-  *  *  See the License for the specific language governing permissions and
-  *  *  limitations under the License.
-  *  *
-  *  * For more information: http://www.orientechnologies.com
-  *
-  */
+ *
+ *  *  Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com)
+ *  *
+ *  *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  *  you may not use this file except in compliance with the License.
+ *  *  You may obtain a copy of the License at
+ *  *
+ *  *       http://www.apache.org/licenses/LICENSE-2.0
+ *  *
+ *  *  Unless required by applicable law or agreed to in writing, software
+ *  *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  *  See the License for the specific language governing permissions and
+ *  *  limitations under the License.
+ *  *
+ *  * For more information: http://www.orientechnologies.com
+ *
+ */
 
 package com.orientechnologies.orient.core.compression;
 
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-
 import com.orientechnologies.orient.core.compression.impl.OAESCompression;
 import com.orientechnologies.orient.core.compression.impl.ODESCompression;
 import com.orientechnologies.orient.core.compression.impl.OGZIPCompression;
@@ -32,6 +28,10 @@
 import com.orientechnologies.orient.core.compression.impl.ONothingCompression;
 import com.orientechnologies.orient.core.compression.impl.OSnappyCompression;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
 /**
  * @author Andrey Lomakin
  * @since 05.06.13
@@ -42,24 +42,33 @@ public class OCompressionFactory {
   private final Map<String, OCompression> compressions = new HashMap<String, OCompression>();
 
   public OCompressionFactory() {
-    register(OHighZIPCompression.INSTANCE);
-    register(OLowZIPCompression.INSTANCE);
-    register(OGZIPCompression.INSTANCE);
-    register(OSnappyCompression.INSTANCE);
-    register(ONothingCompression.INSTANCE);
-    register(ODESCompression.INSTANCE);
-    register(OAESCompression.INSTANCE);
+    init();
+  }
+
+  public void init() {
+    compressions.clear();
+    register(new OHighZIPCompression());
+    register(new OLowZIPCompression());
+    register(new OGZIPCompression());
+    register(new OSnappyCompression());
+    register(new ONothingCompression());
+    register(new ODESCompression());
+    register(new OAESCompression());
+  }
+
+  public void reinit() {
+    init();
   }
 
-  public OCompression getCompression(String name) {
-    OCompression compression = compressions.get(name);
+  public OCompression getCompression(final String name) {
+    final OCompression compression = compressions.get(name);
     if (compression == null)
-      throw new IllegalArgumentException("Compression with name  " + name + " is absent.");
+      throw new IllegalArgumentException("Compression with name '" + name + "' is absent.");
 
     return compression;
   }
 
-  public void register(OCompression compression) {
+  public void register(final OCompression compression) {
     if (compressions.containsKey(compression.name()))
       throw new IllegalArgumentException("Compression with name " + compression.name() + " was already registered.");
 

core/src/main/java/com/orientechnologies/orient/core/compression/impl/OAESCompression.java

@@ -1,81 +1,76 @@
 package com.orientechnologies.orient.core.compression.impl;
 
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-
-import javax.crypto.Cipher;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.spec.SecretKeySpec;
-
 import com.orientechnologies.orient.core.config.OGlobalConfiguration;
 import com.orientechnologies.orient.core.exception.OSecurityException;
+import com.orientechnologies.orient.core.exception.OStorageException;
 import com.orientechnologies.orient.core.serialization.OBase64Utils;
 
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+
 /***
- * @see https://github.com/orientechnologies/orientdb/issues/89
- * 
- * @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
+ * Compression implementation that encrypt the content using AES
+ * (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html). Issue
+ * https://github.com/orientechnologies/orientdb/issues/89.
  * 
  * @author giastfader
  *
  */
 public class OAESCompression extends OAbstractEncryptedCompression {
-	private byte[] key;
-
-	//@see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
-	private final String  transformation="AES/ECB/PKCS5Padding"; //we use ECB because we cannot store the Initialization Vector 
-	private final String  algorithmName="AES";
-
-
-	private boolean initialized;
-
-
-    public static final OAESCompression INSTANCE = new OAESCompression();
-	public static final String  NAME  = "aes-encrypted";
-
-	@Override
-	public String name() {
-		return NAME;
-	}
-
-	protected OAESCompression(){
-		super();
-	}
-
-	protected void init()  {
-		initialized=false;
-		key = OBase64Utils.decode(OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getValueAsString());
-		SecretKeySpec ks = new SecretKeySpec(key, algorithmName); //AES
-		try {
-			Cipher cipher = Cipher.getInstance(transformation);
-			cipher.init(Cipher.ENCRYPT_MODE, ks);
-		} catch (NoSuchAlgorithmException e) {
-			throw new OSecurityException("The AES alghorithm is not available on this platform",e);
-		} catch (NoSuchPaddingException e) {
-			throw new OSecurityException(e.getMessage(),e);
-		} catch (InvalidKeyException e) {
-			throw new OSecurityException("Invalid AES key.",e);
-		}
-		this.initialized=true;
-	}
-
-	public   byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable {
-		if (!initialized) throw new OSecurityException("aes-encrypted compression is not available");
-
-		SecretKeySpec ks = new SecretKeySpec(key, algorithmName); 
-		Cipher cipher = Cipher.getInstance(transformation); 
-		cipher.init(mode, ks);
-
-		byte[] content;
-        if (offset==0 && length==input.length){
-        	content=input;
-        }else{
-        	content = new byte[length];
-	        System.arraycopy(input,offset,content,0,length);
-        }
-		byte[] output=cipher.doFinal(content);
-		return output;
-	}
-
-
+  // @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider
+  private final String        TRANSFORMATION = "AES/ECB/PKCS5Padding"; // we use ECB because we cannot store the
+  private final String        ALGORITHM_NAME = "AES";
+
+  private final SecretKeySpec theKey;
+  private final Cipher        cipher;
+
+  private boolean             initialized    = false;
+
+  public static final String  NAME           = "aes-encrypted";
+
+  @Override
+  public String name() {
+    return NAME;
+  }
+
+  public OAESCompression() {
+    initialized = false;
+
+    final String configuredKey = OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getValueAsString();
+
+    if (configuredKey == null)
+      throw new OStorageException("AES compression has been selected, but no key was found. Please configure '"
+          + OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getKey() + "' setting or remove AES compression by setting '"
+          + OGlobalConfiguration.STORAGE_COMPRESSION_METHOD.getKey() + "=nothing'");
+
+    try {
+      final byte[] key = OBase64Utils.decode(configuredKey);
+
+      theKey = new SecretKeySpec(key, ALGORITHM_NAME); // AES
+      cipher = Cipher.getInstance(TRANSFORMATION);
+
+    } catch (Exception e) {
+      throw new OSecurityException(
+          "Cannot initialize AES encryption with current key. Assure the key is a BASE64 - 128 oe 256 bits long", e);
+
+    }
+
+    this.initialized = true;
+  }
+
+  public byte[] encryptOrDecrypt(final int mode, final byte[] input, final int offset, final int length) throws Throwable {
+    if (!initialized)
+      throw new OSecurityException("AES encryption algorithm is not available");
+
+    cipher.init(mode, theKey);
+
+    final byte[] content;
+    if (offset == 0 && length == input.length) {
+      content = input;
+    } else {
+      content = new byte[length];
+      System.arraycopy(input, offset, content, 0, length);
+    }
+    return cipher.doFinal(content);
+  }
 }

core/src/main/java/com/orientechnologies/orient/core/compression/impl/OAbstractEncryptedCompression.java

@@ -1,58 +1,50 @@
 package com.orientechnologies.orient.core.compression.impl;
 
-import javax.crypto.Cipher;
-
 import com.orientechnologies.orient.core.exception.OSecurityException;
 
+import javax.crypto.Cipher;
+
 /***
- * @see https://github.com/orientechnologies/orientdb/issues/89
- * 
- * @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
+ * Abstract compression implementation for encryption
+ * (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html). See
+ * https://github.com/orientechnologies/orientdb/issues/89
  * 
  * @author giastfader
  *
  */
 public abstract class OAbstractEncryptedCompression extends OAbstractCompression {
-
-	@Override
-	public abstract String name();
-
-	protected OAbstractEncryptedCompression(){
-		this.init();
-	}
-
-	protected abstract void init();
-
-
-	@Override
-	public  byte[] compress(byte[] content, int offset, int length){
-        try {
-	        byte[] encriptedContent = encryptOrDecrypt(Cipher.ENCRYPT_MODE,content, offset,  length);
-	        return encriptedContent;
-        } catch (Throwable e) {
-			throw new OSecurityException(e.getMessage(),e);
-		} 
-	};
-
-	@Override
-	public  byte[] uncompress(byte[] content, int offset, int length){
-        try {
-	        byte[] decriptedContent = encryptOrDecrypt(Cipher.DECRYPT_MODE,content, offset,  length);
-	        return decriptedContent;
-        } catch (Throwable e) {
-			throw new OSecurityException(e.getMessage(),e);
-		} 
-	};
-
-	/***
-	 * 
-	 * @param mode it can be Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
-	 * @param input
-	 * @param offset
-	 * @param length
-	 * @return
-	 * @throws Throwable
-	 */
-	public abstract byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable;
+
+  @Override
+  public abstract String name();
+
+  @Override
+  public byte[] compress(final byte[] content, final int offset, final int length) {
+    try {
+      return encryptOrDecrypt(Cipher.ENCRYPT_MODE, content, offset, length);
+    } catch (Throwable e) {
+      throw new OSecurityException("Cannot encrypt content", e);
+    }
+  };
+
+  @Override
+  public byte[] uncompress(final byte[] content, final int offset, final int length) {
+    try {
+      return encryptOrDecrypt(Cipher.DECRYPT_MODE, content, offset, length);
+    } catch (Throwable e) {
+      throw new OSecurityException("Cannot decrypt content", e);
+    }
+  };
+
+  /***
+   * 
+   * @param mode
+   *          it can be Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
+   * @param input
+   * @param offset
+   * @param length
+   * @return
+   * @throws Throwable
+   */
+  public abstract byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable;
 
 }