java.lang.Object
- org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager
- - org.nuxeo.ecm.core.blob.binary.LocalBinaryManager
  - - org.nuxeo.ecm.core.blob.binary.AESBinaryManager

All Implemented Interfaces:

BinaryManager
```
public class AESBinaryManager
extends LocalBinaryManager
```
A binary manager that encrypts binaries on the filesystem using AES.
The configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2. This configuration comes from the <property name="key">...</property> of the binary manager configuration.
The configuration has the form key1=value1,key2=value2,... where the possible keys are, for keystore use:
- keyStoreType: the keystore type, for instance JCEKS
- keyStoreFile: the path to the keystore, if applicable
- keyStorePassword: the keystore password
- keyAlias: the alias (name) of the key in the keystore
- keyPassword: the key password
And for PBKDF2 use:
- password: the password
To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons). The file format is described in storeAndDigest(InputStream, OutputStream).
While the binary is being used by the application, a temporarily-decrypted file is held in a temporary directory. It is removed as soon as possible.
Since:

6.0

Nested Class Summary

Nested Classes
Modifier and Type	Class	Description
`static class`	`AESBinaryManager.CipherAndDigestOutputStream`	A `CipherOutputStream` that also does a digest of the original stream at the same time.

Nested classes/interfaces inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager
LocalBinaryManager.DefaultBinaryGarbageCollector

Field Summary

Fields
Modifier and Type	Field	Description
`protected static String`	`AES`
`protected static String`	`AES_CBC_PKCS5_PADDING`
`protected static String`	`AES_GCM_NOPADDING`
`protected String`	`digestAlgorithm`
`protected static byte[]`	`FILE_MAGIC`
`protected static int`	`FILE_VERSION_1`
`protected String`	`keyAlias`
`protected String`	`keyPassword`
`protected String`	`keyStoreFile`
`protected String`	`keyStorePassword`
`protected String`	`keyStoreType`
`protected static String`	`PARAM_KEY_ALIAS`
`protected static String`	`PARAM_KEY_PASSWORD`
`protected static String`	`PARAM_KEY_STORE_FILE`
`protected static String`	`PARAM_KEY_STORE_PASSWORD`
`protected static String`	`PARAM_KEY_STORE_TYPE`
`protected static String`	`PARAM_KEY_USE_INSECURE_CIPHER`	If `true`, use the insecure AES/CBC/PKCS5Padding for encryption.
`protected static String`	`PARAM_PASSWORD`
`protected String`	`password`
`protected static int`	`PBKDF2_ITERATIONS`
`protected static int`	`PBKDF2_KEY_LENGTH`
`protected static String`	`PBKDF2_WITH_HMAC_SHA1`
`protected static Random`	`RANDOM`
`protected static int`	`USE_KEYSTORE`
`protected static int`	`USE_PBKDF2`
`protected boolean`	`useInsecureCipher`
`protected boolean`	`usePBKDF2`

Fields inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager
CONFIG_FILE, DATA, DEFAULT_PATH, storageDir, TMP, tmpDir, WINDOWS_ABSOLUTE_PATH

Fields inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager
blobProviderId, DEFAULT_DEPTH, DEFAULT_DIGEST, descriptor, digestPattern, DIGESTS_BY_LENGTH, garbageCollector, MAX_BUF_SIZE, MD5_DIGEST, MD5_DIGEST_LENGTH, MIN_BUF_SIZE, properties, SHA1_DIGEST, SHA1_DIGEST_LENGTH, SHA256_DIGEST, SHA256_DIGEST_LENGTH

Fields inherited from interface org.nuxeo.ecm.core.blob.binary.BinaryManager
PROP_KEY, PROP_PATH

Constructor Summary

Constructors
Constructor Description

AESBinaryManager()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected void`	`clearPassword(char[] password)`	Clears a password from memory.
`protected void`	`decrypt(InputStream in, OutputStream out)`	Decrypts the given input stream into the given output stream.
`protected Key`	`generateSecretKey(byte[] salt)`	Generates an AES key from the password using PBKDF2.
`protected Binary`	`getBinary(InputStream in)`	Creates a binary value from the given input stream.
`Binary`	`getBinary(String digest)`	Returns a `Binary` corresponding to the given digest.
`protected Cipher`	`getCipher()`
`protected AlgorithmParameterSpec`	`getParameterSpec(byte[] iv)`
`protected char[]`	`getPassword()`	Gets the password for PBKDF2.
`protected Key`	`getSecretKey()`	Gets the AES key from the keystore.
`void`	`initialize(String blobProviderId, Map<String,String> properties)`	Initializes the binary manager.
`protected void`	`initializeOptions(String options)`
`protected String`	`storeAndDigest(InputStream in)`
`String`	`storeAndDigest(InputStream in, OutputStream out)`	Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.

Methods inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager
atomicMove, close, createGarbageCollector, getFileForDigest, getStorageDir, touch

Methods inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager
computeDigestPattern, getBinary, getDefaultDigestAlgorithm, getDescriptor, getDigestAlgorithm, getGarbageCollector, isValidDigest, removeBinaries, setDescriptor, toHexString

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Field Detail
  - FILE_MAGIC
```
protected static final byte[] FILE_MAGIC
```
  - FILE_VERSION_1
```
protected static final int FILE_VERSION_1
```
    See Also:
    
    Constant Field Values
  - USE_KEYSTORE
```
protected static final int USE_KEYSTORE
```
    See Also:
    
    Constant Field Values
  - USE_PBKDF2
```
protected static final int USE_PBKDF2
```
    See Also:
    
    Constant Field Values
  - AES
```
protected static final String AES
```
    See Also:
    
    Constant Field Values
  - AES_CBC_PKCS5_PADDING
```
protected static final String AES_CBC_PKCS5_PADDING
```
    See Also:
    
    Constant Field Values
  - AES_GCM_NOPADDING
```
protected static final String AES_GCM_NOPADDING
```
    See Also:
    
    Constant Field Values
  - PBKDF2_WITH_HMAC_SHA1
```
protected static final String PBKDF2_WITH_HMAC_SHA1
```
    See Also:
    
    Constant Field Values
  - PBKDF2_ITERATIONS
```
protected static final int PBKDF2_ITERATIONS
```
    See Also:
    
    Constant Field Values
  - PBKDF2_KEY_LENGTH
```
protected static final int PBKDF2_KEY_LENGTH
```
    See Also:
    
    Constant Field Values
  - PARAM_PASSWORD
```
protected static final String PARAM_PASSWORD
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_STORE_TYPE
```
protected static final String PARAM_KEY_STORE_TYPE
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_STORE_FILE
```
protected static final String PARAM_KEY_STORE_FILE
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_STORE_PASSWORD
```
protected static final String PARAM_KEY_STORE_PASSWORD
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_ALIAS
```
protected static final String PARAM_KEY_ALIAS
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_PASSWORD
```
protected static final String PARAM_KEY_PASSWORD
```
    See Also:
    
    Constant Field Values
  - PARAM_KEY_USE_INSECURE_CIPHER
```
protected static final String PARAM_KEY_USE_INSECURE_CIPHER
```
    If true, use the insecure AES/CBC/PKCS5Padding for encryption. The default is false, to use AES/GCM/NoPadding.
    
    Since:
    
    10.3
    
    See Also:
    
    Constant Field Values
  - RANDOM
```
protected static final Random RANDOM
```
  - digestAlgorithm
```
protected String digestAlgorithm
```
  - usePBKDF2
```
protected boolean usePBKDF2
```
  - password
```
protected String password
```
  - keyStoreType
```
protected String keyStoreType
```
  - keyStoreFile
```
protected String keyStoreFile
```
  - keyStorePassword
```
protected String keyStorePassword
```
  - keyAlias
```
protected String keyAlias
```
  - keyPassword
```
protected String keyPassword
```
  - useInsecureCipher
```
protected boolean useInsecureCipher
```
- Constructor Detail
  - AESBinaryManager
```
public AESBinaryManager()
```
- Method Detail
  - initialize
```
public void initialize(String blobProviderId,
                       Map<String,String> properties)
                throws IOException
```
    Description copied from interface: BinaryManager
    
    Initializes the binary manager.
    
    Specified by:
    
    initialize in interface BinaryManager
    
    Overrides:
    
    initialize in class LocalBinaryManager
    
    Parameters:
    
    blobProviderId - the blob provider id for this binary manager
    
    properties - initialization properties
    
    Throws:
    
    IOException
  - initializeOptions
```
protected void initializeOptions(String options)
```
  - getPassword
```
protected char[] getPassword()
```
    Gets the password for PBKDF2.
    The caller must clear it from memory when done with it by calling clearPassword(char[]).
  - clearPassword
```
protected void clearPassword(char[] password)
```
    Clears a password from memory.
  - generateSecretKey
```
protected Key generateSecretKey(byte[] salt)
                         throws GeneralSecurityException
```
    Generates an AES key from the password using PBKDF2.
    
    Parameters:
    
    salt - the salt
    
    Throws:
    
    GeneralSecurityException
  - getSecretKey
```
protected Key getSecretKey()
                    throws GeneralSecurityException,
                           IOException
```
    Gets the AES key from the keystore.
    
    Throws:
    
    GeneralSecurityException
    
    IOException
  - getBinary
```
protected Binary getBinary(InputStream in)
                    throws IOException
```
    Description copied from class: AbstractBinaryManager
    
    Creates a binary value from the given input stream.
    
    Overrides:
    
    getBinary in class LocalBinaryManager
    
    Throws:
    
    IOException
  - getBinary
```
public Binary getBinary(String digest)
```
    Description copied from interface: BinaryManager
    
    Returns a Binary corresponding to the given digest.
    A null is returned if the digest could not be found.
    
    Specified by:
    
    getBinary in interface BinaryManager
    
    Overrides:
    
    getBinary in class LocalBinaryManager
    
    Parameters:
    
    digest - the digest, or null
    
    Returns:
    
    the corresponding binary
  - storeAndDigest
```
protected String storeAndDigest(InputStream in)
                         throws IOException
```
    Overrides:
    
    storeAndDigest in class LocalBinaryManager
    
    Throws:
    
    IOException
  - storeAndDigest
```
public String storeAndDigest(InputStream in,
                             OutputStream out)
                      throws IOException
```
    Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.
    File format version 1 (values are in network order):
    
    10 bytes: magic number "NUXEOCRYPT"
    1 byte: file format version = 1
    1 byte: use keystore = 1, use PBKDF2 = 2
    if use PBKDF2:
    
    4 bytes: salt length = n
    n bytes: salt data
    
    4 bytes: IV length = p
    p bytes: IV data
    x bytes: encrypted stream
    Overrides:
    
    storeAndDigest in class AbstractBinaryManager
    
    Parameters:
    
    in - the input stream containing the data
    
    out - the output stream into write
    
    Returns:
    
    the digest of the input stream
    
    Throws:
    
    IOException
  - decrypt
```
protected void decrypt(InputStream in,
                       OutputStream out)
                throws IOException
```
    Decrypts the given input stream into the given output stream.
    
    Throws:
    
    IOException
  - getCipher
```
protected Cipher getCipher()
                    throws GeneralSecurityException
```
    Throws:
    
    GeneralSecurityException
  - getParameterSpec
```
protected AlgorithmParameterSpec getParameterSpec(byte[] iv)
```

Class AESBinaryManager

Nested Class Summary

Nested classes/interfaces inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

Field Summary

Fields inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

Fields inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager

Fields inherited from interface org.nuxeo.ecm.core.blob.binary.BinaryManager

Constructor Summary

Method Summary

Methods inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

Methods inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager

Methods inherited from class java.lang.Object

Field Detail

FILE_MAGIC

FILE_VERSION_1

USE_KEYSTORE

USE_PBKDF2

AES

AES_CBC_PKCS5_PADDING

AES_GCM_NOPADDING

PBKDF2_WITH_HMAC_SHA1

PBKDF2_ITERATIONS

PBKDF2_KEY_LENGTH

PARAM_PASSWORD

PARAM_KEY_STORE_TYPE

PARAM_KEY_STORE_FILE

PARAM_KEY_STORE_PASSWORD

PARAM_KEY_ALIAS

PARAM_KEY_PASSWORD

PARAM_KEY_USE_INSECURE_CIPHER

RANDOM

digestAlgorithm

usePBKDF2

password

keyStoreType

keyStoreFile

keyStorePassword

keyAlias

keyPassword

useInsecureCipher

Constructor Detail

AESBinaryManager

Method Detail

initialize

initializeOptions

getPassword

clearPassword

generateSecretKey

getSecretKey

getBinary

getBinary

storeAndDigest

storeAndDigest

decrypt

getCipher

getParameterSpec