Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improved PR about encryption at rest
- Loading branch information
Showing
14 changed files
with
370 additions
and
320 deletions.
There are no files selected for viewing
39 changes: 21 additions & 18 deletions
39
core/src/main/java/com/orientechnologies/orient/core/compression/OCompression.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
131 changes: 63 additions & 68 deletions
131
core/src/main/java/com/orientechnologies/orient/core/compression/impl/OAESCompression.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -1,81 +1,76 @@ | |||
package com.orientechnologies.orient.core.compression.impl; | package com.orientechnologies.orient.core.compression.impl; | ||
|
|
||
import java.security.InvalidKeyException; | |||
import java.security.NoSuchAlgorithmException; | |||
|
|||
import javax.crypto.Cipher; | |||
import javax.crypto.NoSuchPaddingException; | |||
import javax.crypto.spec.SecretKeySpec; | |||
|
|||
import com.orientechnologies.orient.core.config.OGlobalConfiguration; | import com.orientechnologies.orient.core.config.OGlobalConfiguration; | ||
import com.orientechnologies.orient.core.exception.OSecurityException; | import com.orientechnologies.orient.core.exception.OSecurityException; | ||
import com.orientechnologies.orient.core.exception.OStorageException; | |||
import com.orientechnologies.orient.core.serialization.OBase64Utils; | import com.orientechnologies.orient.core.serialization.OBase64Utils; | ||
|
|
||
import javax.crypto.Cipher; | |||
import javax.crypto.spec.SecretKeySpec; | |||
|
|||
/*** | /*** | ||
* @see https://github.com/orientechnologies/orientdb/issues/89 | * Compression implementation that encrypt the content using AES | ||
* | * (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html). Issue | ||
* @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html | * https://github.com/orientechnologies/orientdb/issues/89. | ||
* | * | ||
* @author giastfader | * @author giastfader | ||
* | * | ||
*/ | */ | ||
public class OAESCompression extends OAbstractEncryptedCompression { | public class OAESCompression extends OAbstractEncryptedCompression { | ||
private byte[] key; | // @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider | ||
|
private final String TRANSFORMATION = "AES/ECB/PKCS5Padding"; // we use ECB because we cannot store the | ||
//@see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJCEProvider | private final String ALGORITHM_NAME = "AES"; | ||
private final String transformation="AES/ECB/PKCS5Padding"; //we use ECB because we cannot store the Initialization Vector |
|
||
private final String algorithmName="AES"; | private final SecretKeySpec theKey; | ||
|
private final Cipher cipher; | ||
|
|
||
private boolean initialized; | private boolean initialized = false; | ||
|
|
||
|
public static final String NAME = "aes-encrypted"; | ||
public static final OAESCompression INSTANCE = new OAESCompression(); |
|
||
public static final String NAME = "aes-encrypted"; | @Override | ||
|
public String name() { | ||
@Override | return NAME; | ||
public String name() { | } | ||
return NAME; |
|
||
} | public OAESCompression() { | ||
|
initialized = false; | ||
protected OAESCompression(){ |
|
||
super(); | final String configuredKey = OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getValueAsString(); | ||
} |
|
||
|
if (configuredKey == null) | ||
protected void init() { | throw new OStorageException("AES compression has been selected, but no key was found. Please configure '" | ||
initialized=false; | + OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getKey() + "' setting or remove AES compression by setting '" | ||
key = OBase64Utils.decode(OGlobalConfiguration.STORAGE_ENCRYPTION_AES_KEY.getValueAsString()); | + OGlobalConfiguration.STORAGE_COMPRESSION_METHOD.getKey() + "=nothing'"); | ||
SecretKeySpec ks = new SecretKeySpec(key, algorithmName); //AES |
|
||
try { | try { | ||
Cipher cipher = Cipher.getInstance(transformation); | final byte[] key = OBase64Utils.decode(configuredKey); | ||
cipher.init(Cipher.ENCRYPT_MODE, ks); |
|
||
} catch (NoSuchAlgorithmException e) { | theKey = new SecretKeySpec(key, ALGORITHM_NAME); // AES | ||
throw new OSecurityException("The AES alghorithm is not available on this platform",e); | cipher = Cipher.getInstance(TRANSFORMATION); | ||
} catch (NoSuchPaddingException e) { |
|
||
throw new OSecurityException(e.getMessage(),e); | } catch (Exception e) { | ||
} catch (InvalidKeyException e) { | throw new OSecurityException( | ||
throw new OSecurityException("Invalid AES key.",e); | "Cannot initialize AES encryption with current key. Assure the key is a BASE64 - 128 oe 256 bits long", e); | ||
} |
|
||
this.initialized=true; | } | ||
} |
|
||
|
this.initialized = true; | ||
public byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable { | } | ||
if (!initialized) throw new OSecurityException("aes-encrypted compression is not available"); |
|
||
|
public byte[] encryptOrDecrypt(final int mode, final byte[] input, final int offset, final int length) throws Throwable { | ||
SecretKeySpec ks = new SecretKeySpec(key, algorithmName); | if (!initialized) | ||
Cipher cipher = Cipher.getInstance(transformation); | throw new OSecurityException("AES encryption algorithm is not available"); | ||
cipher.init(mode, ks); |
|
||
|
cipher.init(mode, theKey); | ||
byte[] content; |
|
||
if (offset==0 && length==input.length){ | final byte[] content; | ||
content=input; | if (offset == 0 && length == input.length) { | ||
}else{ | content = input; | ||
content = new byte[length]; | } else { | ||
System.arraycopy(input,offset,content,0,length); | content = new byte[length]; | ||
} | System.arraycopy(input, offset, content, 0, length); | ||
byte[] output=cipher.doFinal(content); | } | ||
return output; | return cipher.doFinal(content); | ||
} | } | ||
|
|||
|
|||
} | } |
84 changes: 38 additions & 46 deletions
84
...ava/com/orientechnologies/orient/core/compression/impl/OAbstractEncryptedCompression.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -1,58 +1,50 @@ | |||
package com.orientechnologies.orient.core.compression.impl; | package com.orientechnologies.orient.core.compression.impl; | ||
|
|
||
import javax.crypto.Cipher; | |||
|
|||
import com.orientechnologies.orient.core.exception.OSecurityException; | import com.orientechnologies.orient.core.exception.OSecurityException; | ||
|
|
||
import javax.crypto.Cipher; | |||
|
|||
/*** | /*** | ||
* @see https://github.com/orientechnologies/orientdb/issues/89 | * Abstract compression implementation for encryption | ||
* | * (https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html). See | ||
* @see https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html | * https://github.com/orientechnologies/orientdb/issues/89 | ||
* | * | ||
* @author giastfader | * @author giastfader | ||
* | * | ||
*/ | */ | ||
public abstract class OAbstractEncryptedCompression extends OAbstractCompression { | public abstract class OAbstractEncryptedCompression extends OAbstractCompression { | ||
|
|
||
@Override | @Override | ||
public abstract String name(); | public abstract String name(); | ||
|
|
||
protected OAbstractEncryptedCompression(){ | @Override | ||
this.init(); | public byte[] compress(final byte[] content, final int offset, final int length) { | ||
} | try { | ||
|
return encryptOrDecrypt(Cipher.ENCRYPT_MODE, content, offset, length); | ||
protected abstract void init(); | } catch (Throwable e) { | ||
|
throw new OSecurityException("Cannot encrypt content", e); | ||
|
} | ||
@Override | }; | ||
public byte[] compress(byte[] content, int offset, int length){ |
|
||
try { | @Override | ||
byte[] encriptedContent = encryptOrDecrypt(Cipher.ENCRYPT_MODE,content, offset, length); | public byte[] uncompress(final byte[] content, final int offset, final int length) { | ||
return encriptedContent; | try { | ||
} catch (Throwable e) { | return encryptOrDecrypt(Cipher.DECRYPT_MODE, content, offset, length); | ||
throw new OSecurityException(e.getMessage(),e); | } catch (Throwable e) { | ||
} | throw new OSecurityException("Cannot decrypt content", e); | ||
}; | } | ||
|
}; | ||
@Override |
|
||
public byte[] uncompress(byte[] content, int offset, int length){ | /*** | ||
try { | * | ||
byte[] decriptedContent = encryptOrDecrypt(Cipher.DECRYPT_MODE,content, offset, length); | * @param mode | ||
return decriptedContent; | * it can be Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE | ||
} catch (Throwable e) { | * @param input | ||
throw new OSecurityException(e.getMessage(),e); | * @param offset | ||
} | * @param length | ||
}; | * @return | ||
|
* @throws Throwable | ||
/*** | */ | ||
* | public abstract byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable; | ||
* @param mode it can be Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE | |||
* @param input | |||
* @param offset | |||
* @param length | |||
* @return | |||
* @throws Throwable | |||
*/ | |||
public abstract byte[] encryptOrDecrypt(int mode, byte[] input, int offset, int length) throws Throwable; | |||
|
|
||
} | } |
Oops, something went wrong.