Package org.nuxeo.ecm.core.blob.binary

Class AESBinaryManager

java.lang.Object

org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager

org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

org.nuxeo.ecm.core.blob.binary.AESBinaryManager

All Implemented Interfaces:

BinaryManager

@Deprecated(since="2023.9")
public class AESBinaryManager
extends LocalBinaryManager

Deprecated.

since 2023.9, use AESBlobProvider instead

A binary manager that encrypts binaries on the filesystem using AES.

The configuration holds the keystore information to retrieve the AES key, or the password that is used to generate a per-file key using PBKDF2. This configuration comes from the <property name="key">...</property> of the binary manager configuration.

The configuration has the form key1=value1,key2=value2,... where the possible keys are, for keystore use:

• keyStoreType: the keystore type, for instance JCEKS
• keyStoreFile: the path to the keystore, if applicable
• keyStorePassword: the keystore password
• keyAlias: the alias (name) of the key in the keystore
• keyPassword: the key password

And for PBKDF2 use:

• password: the password

To encrypt a binary, an AES key is needed. This key can be retrieved from a keystore, or generated from a password using PBKDF2 (in which case each stored file contains a different salt for security reasons). The file format is described in storeAndDigest(InputStream, OutputStream).

While the binary is being used by the application, a temporarily-decrypted file is held in a temporary directory. It is removed as soon as possible.

Since:

6.0

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	AESBinaryManager.CipherAndDigestOutputStream	Deprecated. A CipherOutputStream that also does a digest of the original stream at the same time.

Nested classes/interfaces inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

LocalBinaryManager.DefaultBinaryGarbageCollector

Field Summary

Fields

Modifier and Type	Field	Description
protected static final String	AES	Deprecated.
protected static final String	AES_CBC_PKCS5_PADDING	Deprecated.
protected static final String	AES_GCM_NOPADDING	Deprecated.
protected String	digestAlgorithm	Deprecated.
protected static final byte[]	FILE_MAGIC	Deprecated.
protected static final int	FILE_VERSION_1	Deprecated.
protected String	keyAlias	Deprecated.
protected String	keyPassword	Deprecated.
protected String	keyStoreFile	Deprecated.
protected String	keyStorePassword	Deprecated.
protected String	keyStoreType	Deprecated.
protected static final String	PARAM_KEY_ALIAS	Deprecated.
protected static final String	PARAM_KEY_PASSWORD	Deprecated.
protected static final String	PARAM_KEY_STORE_FILE	Deprecated.
protected static final String	PARAM_KEY_STORE_PASSWORD	Deprecated.
protected static final String	PARAM_KEY_STORE_TYPE	Deprecated.
protected static final String	PARAM_KEY_USE_INSECURE_CIPHER	Deprecated. If true, use the insecure AES/CBC/PKCS5Padding for encryption.
protected static final String	PARAM_PASSWORD	Deprecated.
protected String	password	Deprecated.
protected static final int	PBKDF2_ITERATIONS	Deprecated.
protected static final int	PBKDF2_KEY_LENGTH	Deprecated.
protected static final String	PBKDF2_WITH_HMAC_SHA1	Deprecated.
protected static final Random	RANDOM	Deprecated.
protected static final int	USE_KEYSTORE	Deprecated.
protected static final int	USE_PBKDF2	Deprecated.
protected boolean	useInsecureCipher	Deprecated.
protected boolean	usePBKDF2	Deprecated.

Fields inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

CONFIG_FILE, DATA, DEFAULT_PATH, storageDir, TMP, tmpDir, WINDOWS_ABSOLUTE_PATH

Fields inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager

blobProviderId, DEFAULT_DEPTH, DEFAULT_DIGEST, descriptor, digestPattern, DIGESTS_BY_LENGTH, garbageCollector, MAX_BUF_SIZE, MD5_DIGEST, MD5_DIGEST_LENGTH, MIN_BUF_SIZE, properties, SHA1_DIGEST, SHA1_DIGEST_LENGTH, SHA256_DIGEST, SHA256_DIGEST_LENGTH

Fields inherited from interface org.nuxeo.ecm.core.blob.binary.BinaryManager

PROP_KEY, PROP_PATH

Constructor Summary

Constructors

Constructor	Description
AESBinaryManager()	Deprecated.

Method Summary

Modifier and Type	Method	Description
protected void	clearPassword(char[] password)	Deprecated. Clears a password from memory.
protected void	decrypt(InputStream in, OutputStream out)	Deprecated. Decrypts the given input stream into the given output stream.
protected Key	generateSecretKey(byte[] salt)	Deprecated. Generates an AES key from the password using PBKDF2.
protected Binary	getBinary(InputStream in)	Deprecated. Creates a binary value from the given input stream.
Binary	getBinary(String digest)	Deprecated. Returns a Binary corresponding to the given digest.
protected Cipher	getCipher()	Deprecated.
protected AlgorithmParameterSpec	getParameterSpec(byte[] iv)	Deprecated.
protected char[]	getPassword()	Deprecated. Gets the password for PBKDF2.
protected Key	getSecretKey()	Deprecated. Gets the AES key from the keystore.
void	initialize(String blobProviderId, Map<String,String> properties)	Deprecated. Initializes the binary manager.
protected void	initializeOptions(String options)	Deprecated.
protected String	storeAndDigest(InputStream in)	Deprecated.
String	storeAndDigest(InputStream in, OutputStream out)	Deprecated. Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.

Methods inherited from class org.nuxeo.ecm.core.blob.binary.LocalBinaryManager

atomicMove, close, createGarbageCollector, getFileForDigest, getStorageDir, touch

Methods inherited from class org.nuxeo.ecm.core.blob.binary.AbstractBinaryManager

computeDigestPattern, getBinary, getDefaultDigestAlgorithm, getDescriptor, getDigestAlgorithm, getGarbageCollector, isValidDigest, removeBinaries, setDescriptor, toHexString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

FILE_MAGIC

protected static final byte[] FILE_MAGIC

Deprecated.

FILE_VERSION_1

protected static final int FILE_VERSION_1

Deprecated.

See Also:

• Constant Field Values

USE_KEYSTORE

protected static final int USE_KEYSTORE

Deprecated.

See Also:

• Constant Field Values

USE_PBKDF2

protected static final int USE_PBKDF2

Deprecated.

See Also:

• Constant Field Values

AES

protected static final String AES

Deprecated.

See Also:

• Constant Field Values

AES_CBC_PKCS5_PADDING

protected static final String AES_CBC_PKCS5_PADDING

Deprecated.

See Also:

• Constant Field Values

AES_GCM_NOPADDING

protected static final String AES_GCM_NOPADDING

Deprecated.

See Also:

• Constant Field Values

PBKDF2_WITH_HMAC_SHA1

protected static final String PBKDF2_WITH_HMAC_SHA1

Deprecated.

See Also:

• Constant Field Values

PBKDF2_ITERATIONS

protected static final int PBKDF2_ITERATIONS

Deprecated.

See Also:

• Constant Field Values

PBKDF2_KEY_LENGTH

protected static final int PBKDF2_KEY_LENGTH

Deprecated.

See Also:

• Constant Field Values

PARAM_PASSWORD

protected static final String PARAM_PASSWORD

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_STORE_TYPE

protected static final String PARAM_KEY_STORE_TYPE

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_STORE_FILE

protected static final String PARAM_KEY_STORE_FILE

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_STORE_PASSWORD

protected static final String PARAM_KEY_STORE_PASSWORD

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_ALIAS

protected static final String PARAM_KEY_ALIAS

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_PASSWORD

protected static final String PARAM_KEY_PASSWORD

Deprecated.

See Also:

• Constant Field Values

PARAM_KEY_USE_INSECURE_CIPHER

protected static final String PARAM_KEY_USE_INSECURE_CIPHER

Deprecated.

If true, use the insecure AES/CBC/PKCS5Padding for encryption. The default is false, to use AES/GCM/NoPadding.

Since:

10.3

See Also:

• Constant Field Values

RANDOM

protected static final Random RANDOM

Deprecated.

digestAlgorithm

protected String digestAlgorithm

Deprecated.

usePBKDF2

protected boolean usePBKDF2

Deprecated.

password

protected String password

Deprecated.

keyStoreType

protected String keyStoreType

Deprecated.

keyStoreFile

protected String keyStoreFile

Deprecated.

keyStorePassword

protected String keyStorePassword

Deprecated.

keyAlias

protected String keyAlias

Deprecated.

keyPassword

protected String keyPassword

Deprecated.

useInsecureCipher

protected boolean useInsecureCipher

Deprecated.

Constructor Details

AESBinaryManager

public AESBinaryManager()

Deprecated.

Method Details

initialize

public void initialize(String blobProviderId,
 Map<String,String> properties)
                throws IOException

Deprecated.

Description copied from interface: BinaryManager

Initializes the binary manager.

Specified by:

initialize in interface BinaryManager

Overrides:

initialize in class LocalBinaryManager

Parameters:

blobProviderId - the blob provider id for this binary manager

properties - initialization properties

Throws:

IOException

initializeOptions

protected void initializeOptions(String options)

Deprecated.

getPassword

protected char[] getPassword()

Deprecated.

Gets the password for PBKDF2.

The caller must clear it from memory when done with it by calling clearPassword(char[]).

clearPassword

protected void clearPassword(char[] password)

Deprecated.

Clears a password from memory.

generateSecretKey

protected Key generateSecretKey(byte[] salt)
                         throws GeneralSecurityException

Deprecated.

Generates an AES key from the password using PBKDF2.

Parameters:

salt - the salt

Throws:

GeneralSecurityException

getSecretKey

protected Key getSecretKey()
                    throws GeneralSecurityException,
IOException

Deprecated.

Gets the AES key from the keystore.

Throws:

GeneralSecurityException

IOException

getBinary

protected Binary getBinary(InputStream in)
                    throws IOException

Deprecated.

Description copied from class: AbstractBinaryManager

Creates a binary value from the given input stream.

Overrides:

getBinary in class LocalBinaryManager

Throws:

IOException

getBinary

public Binary getBinary(String digest)

Deprecated.

Description copied from interface: BinaryManager

Returns a Binary corresponding to the given digest.

A null is returned if the digest could not be found.

Specified by:

getBinary in interface BinaryManager

Overrides:

getBinary in class LocalBinaryManager

Parameters:

digest - the digest, or null

Returns:

the corresponding binary

storeAndDigest

protected String storeAndDigest(InputStream in)
                         throws IOException

Deprecated.

Overrides:

storeAndDigest in class LocalBinaryManager

Throws:

IOException

storeAndDigest

public String storeAndDigest(InputStream in,
 OutputStream out)
                      throws IOException

Deprecated.

Encrypts the given input stream into the given output stream, while also computing the digest of the input stream.

File format version 1 (values are in network order):

• 10 bytes: magic number "NUXEOCRYPT"
• 1 byte: file format version = 1
• 1 byte: use keystore = 1, use PBKDF2 = 2
• if use PBKDF2:
  • 4 bytes: salt length = n
  • n bytes: salt data
• 4 bytes: IV length = p
• p bytes: IV data
• x bytes: encrypted stream

Overrides:

storeAndDigest in class AbstractBinaryManager

Parameters:

in - the input stream containing the data

out - the output stream into write

Returns:

the digest of the input stream

Throws:

IOException

decrypt

protected void decrypt(InputStream in,
 OutputStream out)
                throws IOException

Deprecated.

Decrypts the given input stream into the given output stream.

Throws:

IOException

getCipher

protected Cipher getCipher()
                    throws GeneralSecurityException

Deprecated.

Throws:

GeneralSecurityException

getParameterSpec

protected AlgorithmParameterSpec getParameterSpec(byte[] iv)

Deprecated.