Class AESBinaryManager
All Implemented Interfaces: BinaryManager
The configuration holds the keystore information used to retrieve the AES key, or the password used to generate a per-file key with PBKDF2. This configuration comes from the <property name="key">...</property> element of the binary manager configuration.
The configuration has the form key1=value1,key2=value2,... where the possible keys are, for keystore use:
- keyStoreType: the keystore type, for instance JCEKS
- keyStoreFile: the path to the keystore, if applicable
- keyStorePassword: the keystore password
- keyAlias: the alias (name) of the key in the keystore
- keyPassword: the key password
And for PBKDF2 use:
- password: the password
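The option string above, parsed and validated in Python as an added example (not Nuxeo's Java implementation). The rule that a password selects PBKDF2 and excludes the keystore options, and that keyStoreFile is the only keystore option that may be omitted, is this example's assumption, not something the page states.

```python
# Option keys as listed in the class description above.
KEYSTORE_KEYS = ("keyStoreType", "keyStoreFile", "keyStorePassword",
                 "keyAlias", "keyPassword")
PASSWORD_KEY = "password"


def parse_options(options):
    """Parse 'key1=value1,key2=value2,...' into a dict.

    Only the first '=' splits a pair, so values may contain '='; a value
    containing ',' cannot be expressed in this format at all.
    """
    result = {}
    if options is None or not options.strip():
        return result
    for pair in options.split(","):
        if "=" not in pair:
            raise ValueError("malformed option (expected key=value): %r" % pair)
        key, value = pair.split("=", 1)
        key = key.strip()
        if not key:
            raise ValueError("empty option key in %r" % pair)
        if key in result:
            raise ValueError("duplicate option key: %s" % key)
        result[key] = value
    return result


def select_key_source(opts):
    """Return 'pbkdf2' or 'keystore', or raise ValueError when the option
    set is incomplete or ambiguous.

    Assumption of this example: a 'password' selects PBKDF2 and must not be
    combined with keystore keys; keyStoreFile is optional ("if applicable",
    e.g. hardware keystore types have no file), every other keystore key is
    required.
    """
    keystore_given = [k for k in KEYSTORE_KEYS if k in opts]
    if PASSWORD_KEY in opts:
        if keystore_given:
            raise ValueError("password and keystore options are mutually "
                             "exclusive, got %s" % keystore_given)
        if not opts[PASSWORD_KEY]:
            raise ValueError("password must not be empty")
        return "pbkdf2"
    missing = [k for k in KEYSTORE_KEYS if k != "keyStoreFile" and k not in opts]
    if missing:
        raise ValueError("missing keystore options: %s" % ", ".join(missing))
    return "keystore"
```

Failing loudly on an incomplete or mixed option set matters here because a silently ignored keystore option would leave a store running on whatever mode the remaining options imply.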
To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt, so the same password never derives the same key for two files). The file format is described in storeAndDigest(InputStream, OutputStream).
While the binary is being used by the application, a temporarily decrypted file is held in a temporary directory. It is removed as soon as possible.
- Since: 6.0
Nested Class Summary
- static class (Deprecated): a CipherOutputStream that also does a digest of the original stream at the same time.
Nested classes/interfaces inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager: LocalBinaryManager.DefaultBinaryGarbageCollector
Field Summary
All fields are deprecated.
- protected static final String AES
- protected static final String AES_CBC_PKCS5_PADDING
- protected static final String AES_GCM_NOPADDING
- protected String digestAlgorithm
- protected static final byte[] FILE_MAGIC
- protected static final int FILE_VERSION_1
- protected String keyAlias
- protected String keyPassword
- protected String keyStoreFile
- protected String keyStorePassword
- protected String keyStoreType
- protected static final String PARAM_KEY_ALIAS
- protected static final String PARAM_KEY_PASSWORD
- protected static final String PARAM_KEY_STORE_FILE
- protected static final String PARAM_KEY_STORE_PASSWORD
- protected static final String PARAM_KEY_STORE_TYPE
- protected static final String PARAM_KEY_USE_INSECURE_CIPHER: if true, use the insecure AES/CBC/PKCS5Padding for encryption.
- protected static final String PARAM_PASSWORD
- protected String password
- protected static final int PBKDF2_ITERATIONS
- protected static final int PBKDF2_KEY_LENGTH
- protected static final String PBKDF2_WITH_HMAC_SHA1
- protected static final Random RANDOM
- protected static final int USE_KEYSTORE
- protected static final int USE_PBKDF2
- protected boolean useInsecureCipher
- protected boolean usePBKDF2
Fields inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager: CONFIG_FILE, DATA, DEFAULT_PATH, storageDir, TMP, tmpDir, WINDOWS_ABSOLUTE_PATH
Fields inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager: blobProviderId, DEFAULT_DEPTH, DEFAULT_DIGEST, descriptor, digestPattern, DIGESTS_BY_LENGTH, garbageCollector, MAX_BUF_SIZE, MD5_DIGEST, MD5_DIGEST_LENGTH, MIN_BUF_SIZE, properties, SHA1_DIGEST, SHA1_DIGEST_LENGTH, SHA256_DIGEST, SHA256_DIGEST_LENGTH
Fields inherited from interface org.nuxeo.ecm.core.blob.binary.BinaryManager: PROP_KEY, PROP_PATH
Constructor Summary
- AESBinaryManager(): Deprecated.
Method Summary
All methods are deprecated.
- protected void clearPassword(char[] password): Clears a password from memory.
- protected void decrypt(InputStream in, OutputStream out): Decrypts the given input stream into the given output stream.
- protected Key generateSecretKey(byte[] salt): Generates an AES key from the password using PBKDF2.
- protected Binary getBinary(InputStream in): Creates a binary value from the given input stream.
- getBinary(digest): Returns a Binary corresponding to the given digest.
- protected Cipher getCipher(...)
- protected AlgorithmParameterSpec getParameterSpec(byte[] iv)
- protected char[] getPassword(): Gets the password for PBKDF2.
- protected Key getSecretKey(...): Gets the AES key from the keystore.
- void initialize(String blobProviderId, Map<String, String> properties): Initializes the binary manager.
- protected void initializeOptions(String options)
- protected String storeAndDigest(...)
- protected String storeAndDigest(InputStream in, OutputStream out): Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.
Methods inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager: atomicMove, close, createGarbageCollector, getFileForDigest, getStorageDir, touch
Methods inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager: computeDigestPattern, getBinary, getDefaultDigestAlgorithm, getDescriptor, getDigestAlgorithm, getGarbageCollector, isValidDigest, removeBinaries, setDescriptor, toHexString
Field Details
All fields below are deprecated.
- FILE_MAGIC: protected static final byte[] FILE_MAGIC
- FILE_VERSION_1: protected static final int FILE_VERSION_1
- USE_KEYSTORE: protected static final int USE_KEYSTORE
- USE_PBKDF2: protected static final int USE_PBKDF2
- AES
- AES_CBC_PKCS5_PADDING
- AES_GCM_NOPADDING
- PBKDF2_WITH_HMAC_SHA1
- PBKDF2_ITERATIONS: protected static final int PBKDF2_ITERATIONS
- PBKDF2_KEY_LENGTH: protected static final int PBKDF2_KEY_LENGTH
- PARAM_PASSWORD
- PARAM_KEY_STORE_TYPE
- PARAM_KEY_STORE_FILE
- PARAM_KEY_STORE_PASSWORD
- PARAM_KEY_ALIAS
- PARAM_KEY_PASSWORD
- PARAM_KEY_USE_INSECURE_CIPHER: if true, use the insecure AES/CBC/PKCS5Padding for encryption. The default is false, to use AES/GCM/NoPadding. Since: 10.3
- RANDOM
- digestAlgorithm
- usePBKDF2: protected boolean usePBKDF2
- password
- keyStoreType
- keyStoreFile
- keyStorePassword
- keyAlias
- keyPassword
- useInsecureCipher: protected boolean useInsecureCipher
Constructor Details
- AESBinaryManager: public AESBinaryManager(). Deprecated.
Method Details
All methods below are deprecated.

initialize
void initialize(String blobProviderId, Map<String, String> properties)
Description copied from interface BinaryManager: Initializes the binary manager.
- Specified by: initialize in interface BinaryManager
- Overrides: initialize in class LocalBinaryManager
- Parameters: blobProviderId - the blob provider id for this binary manager; properties - initialization properties
- Throws: IOException

initializeOptions
protected void initializeOptions(String options)

getPassword
protected char[] getPassword()
Gets the password for PBKDF2. The caller must clear it from memory when done with it by calling clearPassword(char[]).

clearPassword
protected void clearPassword(char[] password)
Clears a password from memory.

generateSecretKey
protected Key generateSecretKey(byte[] salt)
Generates an AES key from the password using PBKDF2.
- Parameters: salt - the salt
- Throws: GeneralSecurityException

getSecretKey
protected Key getSecretKey(...)
Gets the AES key from the keystore.
- Throws: GeneralSecurityException, IOException

getBinary
protected Binary getBinary(InputStream in)
Description copied from class AbstractBinaryManager: Creates a binary value from the given input stream.
- Overrides: getBinary in class LocalBinaryManager
- Throws: IOException

getBinary
getBinary(digest)
Description copied from interface BinaryManager: Returns a Binary corresponding to the given digest. A null is returned if the digest could not be found.
- Specified by: getBinary in interface BinaryManager
- Overrides: getBinary in class LocalBinaryManager
- Parameters: digest - the digest, or null
- Returns: the corresponding binary

storeAndDigest
protected String storeAndDigest(...)
- Overrides: storeAndDigest in class LocalBinaryManager
- Throws: IOException
storeAndDigest
protected String storeAndDigest(InputStream in, OutputStream out)
Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.
File format version 1 (values are in network order):
- 10 bytes: magic number "NUXEOCRYPT"
- 1 byte: file format version = 1
- 1 byte: use keystore = 1, use PBKDF2 = 2
- if use PBKDF2:
  - 4 bytes: salt length = n
  - n bytes: salt data
- 4 bytes: IV length = p
- p bytes: IV data
- x bytes: encrypted stream
- Overrides: storeAndDigest in class AbstractBinaryManager
- Parameters: in - the input stream containing the data; out - the output stream to write into
- Returns: the digest of the input stream
- Throws: IOException
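A writer and reader for the version-1 container header described above, as an added Python example rather than Nuxeo's own code. It validates the magic, version, key mode and both length prefixes and stops at the start of the encrypted stream; it does no key derivation or decryption, and the upper bounds on salt and IV length are this example's assumption, not part of the format.

```python
import struct

# Constants from the file format description above (version 1).
FILE_MAGIC = b"NUXEOCRYPT"
FILE_VERSION_1 = 1
USE_KEYSTORE = 1
USE_PBKDF2 = 2
# Length-prefix bounds are this example's assumption, not part of the format:
# a corrupt or tampered length must never drive a huge allocation.
MAX_SALT_LEN = 64
MAX_IV_LEN = 16

class FormatError(ValueError):
    """Input is not a well-formed version-1 NUXEOCRYPT container."""

def build_header(mode, iv, salt=None):
    """Serialize a version-1 header (big-endian, i.e. network order)."""
    if mode not in (USE_KEYSTORE, USE_PBKDF2):
        raise FormatError("unknown key mode %r" % mode)
    header = FILE_MAGIC + struct.pack(">BB", FILE_VERSION_1, mode)
    if mode == USE_PBKDF2:
        if not salt:
            raise FormatError("PBKDF2 mode requires a per-file salt")
        header += struct.pack(">I", len(salt)) + salt
    return header + struct.pack(">I", len(iv)) + iv

def _read_field(data, pos, max_len, what):
    """Read a 4-byte big-endian length prefix followed by that many bytes."""
    if pos + 4 > len(data):
        raise FormatError("truncated %s length" % what)
    (n,) = struct.unpack_from(">I", data, pos)
    pos += 4
    if n == 0 or n > max_len or pos + n > len(data):
        raise FormatError("implausible %s length %d" % (what, n))
    return data[pos:pos + n], pos + n

def parse_header(data):
    """Return (mode, salt, iv, ciphertext_offset); salt is None in keystore mode."""
    if len(data) < 12 or data[:10] != FILE_MAGIC:
        raise FormatError("missing NUXEOCRYPT magic")
    version, mode = struct.unpack_from(">BB", data, 10)
    if version != FILE_VERSION_1:
        raise FormatError("unsupported file format version %d" % version)
    pos, salt = 12, None
    if mode == USE_PBKDF2:
        salt, pos = _read_field(data, pos, MAX_SALT_LEN, "salt")
    elif mode != USE_KEYSTORE:
        raise FormatError("unknown key mode %d" % mode)
    iv, pos = _read_field(data, pos, MAX_IV_LEN, "IV")
    return mode, salt, iv, pos
```

A reader should reject the file on any FormatError before it derives a key or feeds bytes to a cipher, since the salt and IV read here decide what the key and cipher state will be.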
decrypt
protected void decrypt(InputStream in, OutputStream out)
Decrypts the given input stream into the given output stream.
- Throws: IOException

getCipher
protected Cipher getCipher(...)
- Throws: GeneralSecurityException

getParameterSpec
protected AlgorithmParameterSpec getParameterSpec(byte[] iv)
Deprecated. Use AESBlobProvider instead.