org.opends.server.crypto
Class CryptoManagerImpl

java.lang.Object
  org.opends.server.crypto.CryptoManagerImpl

All Implemented Interfaces:

ConfigurationChangeListener<CryptoManagerCfg>, CryptoManager

public class CryptoManagerImpl
extends java.lang.Object
implements ConfigurationChangeListener<CryptoManagerCfg>, CryptoManager

This class implements the Directory Server cryptographic framework, which is described in the CrytpoManager design document. CryptoManager implements inter-OpenDS-instance authentication and authorization using the ADS-based truststore, and secret key distribution. The interface also provides methods for hashing, encryption, and other kinds of cryptographic operations.

Note that it also contains methods for compressing and uncompressing data: while these are not strictly cryptographic operations, there are a lot of similarities and it is conceivable at some point that accelerated compression may be available just as it is for cryptographic operations.

Other components of CryptoManager:

See Also:

"src/admin/defn/org/opends/server/admin/std\ /CryptoManagerConfiguration.xml", CryptoManagerSync, GetSymmetricKeyExtendedOperation

Constructor Summary

CryptoManagerImpl(CryptoManagerCfg cfg)
Creates a new instance of this crypto manager object from a given configuration, plus some static member initialization.

Method Summary

ConfigChangeResult	applyConfigurationChange(CryptoManagerCfg cfg) Applies the configuration changes to this change listener.
int	compress(byte[] src, byte[] dst) Attempts to compress the data in the provided source array into the given destination array.
byte[]	decrypt(byte[] data) Decrypts the data in the provided byte array using cipher specified by the key identifier prologue to the data.
byte[]	digest(byte[] data) Retrieves a byte array containing a message digest based on the provided data, using the preferred digest algorithm.
byte[]	digest(java.io.InputStream inputStream) Retrieves a byte array containing a message digest based on the data read from the provided input stream, using the preferred digest algorithm.
byte[]	digest(java.lang.String digestAlgorithm, byte[] data) Retrieves a byte array containing a message digest based on the provided data, using the requested digest algorithm.
byte[]	digest(java.lang.String digestAlgorithm, java.io.InputStream inputStream) Retrieves a byte array containing a message digest based on the data read from the provided input stream, using the requested digest algorithm.
byte[]	encrypt(byte[] data) Encrypts the data in the provided byte array using the preferred cipher transformation.
byte[]	encrypt(java.lang.String cipherTransformation, int keyLengthBits, byte[] data) Encrypts the data in the provided byte array using the requested cipher algorithm.
javax.crypto.CipherInputStream	getCipherInputStream(java.io.InputStream inputStream) Returns a CipherInputStream instantiated with a cipher corresponding to the key identifier prologue to the data.
javax.crypto.CipherOutputStream	getCipherOutputStream(java.io.OutputStream outputStream) Writes encrypted data to the provided output stream using the preferred cipher transformation.
javax.crypto.CipherOutputStream	getCipherOutputStream(java.lang.String cipherTransformation, int keyLengthBits, java.io.OutputStream outputStream) Writes encrypted data to the provided output stream using the requested cipher transformation.
static java.lang.String	getInstanceKeyID(byte[] instanceKeyCertificate) Return the identifier of an instance's instance key.
javax.crypto.Mac	getMacEngine(java.lang.String keyEntryID) For the specified key entry identifier, instantiate a MAC engine.
java.lang.String	getMacEngineKeyEntryID() For the current preferred MAC algorithm and key length, return the identifier of the corresponding key entry.
java.lang.String	getMacEngineKeyEntryID(java.lang.String macAlgorithm, int keyLengthBits) For the specified MAC algorithm and key length, return the identifier of the corresponding key entry.
java.security.MessageDigest	getMessageDigest(java.lang.String digestAlgorithm) Retrieves a MessageDigest object that may be used to generate digests using the specified algorithm.
java.security.MessageDigest	getPreferredMessageDigest() Retrieves a MessageDigest object that may be used to generate digests using the preferred digest algorithm.
java.lang.String	getPreferredMessageDigestAlgorithm() Retrieves the name of the preferred message digest algorithm.
java.lang.String	getSslCertNickname() Get the name of the local certificate to use for SSL.
java.util.SortedSet<java.lang.String>	getSslCipherSuites() Get the set of enabled SSL cipher suites.
javax.net.ssl.SSLContext	getSslContext(java.lang.String sslCertNickname) Create an SSL context that may be used for communication to another ADS component.
java.util.SortedSet<java.lang.String>	getSslProtocols() Get the set of enabled SSL protocols.
boolean	isConfigurationChangeAcceptable(CryptoManagerCfg cfg, java.util.List<Message> unacceptableReasons) Indicates whether the proposed change to the configuration is acceptable to this change listener.
boolean	isSslEncryption() Determine whether SSL encryption is enabled.
int	uncompress(byte[] src, byte[] dst) Attempts to uncompress the data in the provided source array into the given destination array.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CryptoManagerImpl

public CryptoManagerImpl(CryptoManagerCfg cfg)
                  throws ConfigException,
                         InitializationException

Creates a new instance of this crypto manager object from a given configuration, plus some static member initialization.

Parameters:

cfg - The configuration of this crypto manager.

Throws:

ConfigException - If a problem occurs while creating this CryptoManager that is a result of a problem in the configuration.

InitializationException - If a problem occurs while creating this CryptoManager that is not the result of a problem in the configuration.

Method Detail

isConfigurationChangeAcceptable

public boolean isConfigurationChangeAcceptable(CryptoManagerCfg cfg,
                                               java.util.List<Message> unacceptableReasons)

Indicates whether the proposed change to the configuration is acceptable to this change listener.

Specified by:

isConfigurationChangeAcceptable in interface ConfigurationChangeListener<CryptoManagerCfg>

Parameters:

cfg - The new configuration containing the changes.

unacceptableReasons - A list that can be used to hold messages about why the provided configuration is not acceptable.

Returns:

Returns true if the proposed change is acceptable, or false if it is not.

applyConfigurationChange

public ConfigChangeResult applyConfigurationChange(CryptoManagerCfg cfg)

Applies the configuration changes to this change listener.

Specified by:

applyConfigurationChange in interface ConfigurationChangeListener<CryptoManagerCfg>

Parameters:

cfg - The new configuration containing the changes.

Returns:

Returns information about the result of changing the configuration.

getInstanceKeyID

public static java.lang.String getInstanceKeyID(byte[] instanceKeyCertificate)
                                         throws CryptoManagerException

Return the identifier of an instance's instance key. An instance-key identifier is a hex string of the MD5 hash of an instance's instance-key public-key certificate.

Parameters:

instanceKeyCertificate - The instance key for which to return an identifier.

Returns:

The identifier of the supplied instance key.

Throws:

CryptoManagerException - If there is a problem computing the identifier from the instance key. TODO: Make package-private if ADSContextHelper can get keyID from ADS TODO: suffix: Issue https://opends.dev.java.net/issues/show_bug.cgi?id=2442

See Also:

getInstanceKeyID()

getPreferredMessageDigestAlgorithm

public java.lang.String getPreferredMessageDigestAlgorithm()

Retrieves the name of the preferred message digest algorithm.

Specified by:

getPreferredMessageDigestAlgorithm in interface CryptoManager

Returns:

The name of the preferred message digest algorithm

getPreferredMessageDigest

public java.security.MessageDigest getPreferredMessageDigest()
                                                      throws java.security.NoSuchAlgorithmException

Retrieves a MessageDigest object that may be used to generate digests using the preferred digest algorithm.

Specified by:

getPreferredMessageDigest in interface CryptoManager

Returns:

A MessageDigest object that may be used to generate digests using the preferred digest algorithm.

Throws:

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

getMessageDigest

public java.security.MessageDigest getMessageDigest(java.lang.String digestAlgorithm)
                                             throws java.security.NoSuchAlgorithmException

Retrieves a MessageDigest object that may be used to generate digests using the specified algorithm.

Specified by:

getMessageDigest in interface CryptoManager

Parameters:

digestAlgorithm - The algorithm to use to generate the message digest.

Returns:

A MessageDigest object that may be used to generate digests using the specified algorithm.

Throws:

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

digest

public byte[] digest(byte[] data)
              throws java.security.NoSuchAlgorithmException

Retrieves a byte array containing a message digest based on the provided data, using the preferred digest algorithm.

Specified by:

digest in interface CryptoManager

Parameters:

data - The data to be digested.

Returns:

A byte array containing the generated message digest.

Throws:

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

digest

public byte[] digest(java.lang.String digestAlgorithm,
                     byte[] data)
              throws java.security.NoSuchAlgorithmException

Retrieves a byte array containing a message digest based on the provided data, using the requested digest algorithm.

Specified by:

digest in interface CryptoManager

Parameters:

digestAlgorithm - The algorithm to use to generate the message digest.

data - The data to be digested.

Returns:

A byte array containing the generated message digest.

Throws:

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

digest

public byte[] digest(java.io.InputStream inputStream)
              throws java.io.IOException,
                     java.security.NoSuchAlgorithmException

Retrieves a byte array containing a message digest based on the data read from the provided input stream, using the preferred digest algorithm. Data will be read until the end of the stream is reached.

Specified by:

digest in interface CryptoManager

Parameters:

inputStream - The input stream from which the data is to be read.

Returns:

A byte array containing the generated message digest.

Throws:

java.io.IOException - If a problem occurs while reading data from the provided stream.

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

digest

public byte[] digest(java.lang.String digestAlgorithm,
                     java.io.InputStream inputStream)
              throws java.io.IOException,
                     java.security.NoSuchAlgorithmException

Retrieves a byte array containing a message digest based on the data read from the provided input stream, using the requested digest algorithm. Data will be read until the end of the stream is reached.

Specified by:

digest in interface CryptoManager

Parameters:

digestAlgorithm - The algorithm to use to generate the message digest.

inputStream - The input stream from which the data is to be read.

Returns:

A byte array containing the generated message digest.

Throws:

java.io.IOException - If a problem occurs while reading data from the provided stream.

java.security.NoSuchAlgorithmException - If the requested algorithm is not supported or is unavailable.

getMacEngineKeyEntryID

public java.lang.String getMacEngineKeyEntryID()
                                        throws CryptoManagerException

For the current preferred MAC algorithm and key length, return the identifier of the corresponding key entry. Note: the result (key identifier) might change across invocations, due to either of the perferred parameters changing, or because the original key was marked compromised and a replacement key generated.

Specified by:

getMacEngineKeyEntryID in interface CryptoManager

Returns:

A String representation of the identifier of a key entry corresponding to the preferred MAC algorithm and key length.

Throws:

CryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key entry in case it does not already exist.

getMacEngineKeyEntryID

public java.lang.String getMacEngineKeyEntryID(java.lang.String macAlgorithm,
                                               int keyLengthBits)
                                        throws CryptoManagerException

For the specified MAC algorithm and key length, return the identifier of the corresponding key entry. Note: the result (key identifier) might change across invocations, due to either of the perferred parameters changing, or because the original key was marked compromised and a replacement key generated.

Specified by:

getMacEngineKeyEntryID in interface CryptoManager

Parameters:

macAlgorithm - The algorithm to use for the MAC engine.

keyLengthBits - The key length in bits to use with the specified algorithm.

Returns:

A String representation of the identifier of a key entry corresponding to the specified MAC algorithm and key length.

Throws:

CryptoManagerException - In case one or more of the key parameters is invalid, or there is a problem instantiating the key entry in case it does not already exist.

getMacEngine

public javax.crypto.Mac getMacEngine(java.lang.String keyEntryID)
                              throws CryptoManagerException

For the specified key entry identifier, instantiate a MAC engine.

Specified by:

getMacEngine in interface CryptoManager

Parameters:

keyEntryID - The identifier of the key entry containing the desired MAC algorithm name and key length.

Returns:

The MAC engine instantiated with the parameters from the referenced key entry, or null if no such entry exists.

Throws:

CryptoManagerException - In case the key entry identifier is invalid or there is a problem instantiating the MAC engine from the parameters in the referenced key entry.

encrypt

public byte[] encrypt(byte[] data)
               throws java.security.GeneralSecurityException,
                      CryptoManagerException

Encrypts the data in the provided byte array using the preferred cipher transformation.

Specified by:

encrypt in interface CryptoManager

Parameters:

data - The plain-text data to be encrypted.

Returns:

A byte array containing the encrypted representation of the provided data.

Throws:

java.security.GeneralSecurityException - If a problem occurs while encrypting the data.

CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.

encrypt

public byte[] encrypt(java.lang.String cipherTransformation,
                      int keyLengthBits,
                      byte[] data)
               throws java.security.GeneralSecurityException,
                      CryptoManagerException

Encrypts the data in the provided byte array using the requested cipher algorithm.

Specified by:

encrypt in interface CryptoManager

Parameters:

cipherTransformation - The algorithm/mode/padding to use for the cipher.

keyLengthBits - The length in bits of the encryption key this method is to use. Note the specified key length and transformation must be compatible.

data - The plain-text data to be encrypted.

Returns:

A byte array containing the encrypted representation of the provided data.

Throws:

java.security.GeneralSecurityException - If a problem occurs while encrypting the data.

CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.

getCipherOutputStream

public javax.crypto.CipherOutputStream getCipherOutputStream(java.io.OutputStream outputStream)
                                                      throws CryptoManagerException

Writes encrypted data to the provided output stream using the preferred cipher transformation.

Specified by:

getCipherOutputStream in interface CryptoManager

Parameters:

outputStream - The output stream to be wrapped by the returned cipher output stream.

Returns:

The output stream wrapped with a CipherOutputStream.

Throws:

CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.

getCipherOutputStream

public javax.crypto.CipherOutputStream getCipherOutputStream(java.lang.String cipherTransformation,
                                                             int keyLengthBits,
                                                             java.io.OutputStream outputStream)
                                                      throws CryptoManagerException

Writes encrypted data to the provided output stream using the requested cipher transformation.

Specified by:

getCipherOutputStream in interface CryptoManager

Parameters:

cipherTransformation - The algorithm/mode/padding to use for the cipher.

keyLengthBits - The length in bits of the encryption key this method will generate. Note the specified key length must be compatible with the transformation.

outputStream - The output stream to be wrapped by the returned cipher output stream.

Returns:

The output stream wrapped with a CipherOutputStream.

Throws:

CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.

decrypt

public byte[] decrypt(byte[] data)
               throws java.security.GeneralSecurityException,
                      CryptoManagerException

Decrypts the data in the provided byte array using cipher specified by the key identifier prologue to the data. cipher.

Specified by:

decrypt in interface CryptoManager

Parameters:

data - The cipher-text data to be decrypted.

Returns:

A byte array containing the clear-text representation of the provided data.

Throws:

java.security.GeneralSecurityException - If a problem occurs while encrypting the data.

CryptoManagerException - If a problem occurs reading the key identifier or initialization vector from the data prologue, or using these values to initialize a Cipher.

getCipherInputStream

public javax.crypto.CipherInputStream getCipherInputStream(java.io.InputStream inputStream)
                                                    throws CryptoManagerException

Returns a CipherInputStream instantiated with a cipher corresponding to the key identifier prologue to the data.

Specified by:

getCipherInputStream in interface CryptoManager

Parameters:

inputStream - The input stream be wrapped with the CipherInputStream.

Returns:

The CiperInputStream instantiated as specified.

Throws:

CryptoManagerException - If there is a problem reading the key ID or initialization vector from the input stream, or using these values to inititalize a Cipher.

compress

public int compress(byte[] src,
                    byte[] dst)

Attempts to compress the data in the provided source array into the given destination array. If the compressed data will fit into the destination array, then this method will return the number of bytes of compressed data in the array. Otherwise, it will return -1 to indicate that the compression was not successful. Note that if -1 is returned, then the data in the destination array should be considered invalid.

Specified by:

compress in interface CryptoManager

Parameters:

src - The array containing the raw data to compress.

dst - The array into which the compressed data should be written.

Returns:

The number of bytes of compressed data, or -1 if it was not possible to actually compress the data.

uncompress

public int uncompress(byte[] src,
                      byte[] dst)
               throws java.util.zip.DataFormatException

Attempts to uncompress the data in the provided source array into the given destination array. If the uncompressed data will fit into the given destination array, then this method will return the number of bytes of uncompressed data written into the destination buffer. Otherwise, it will return a negative value to indicate that the destination buffer was not large enough. The absolute value of that negative return value will indicate the buffer size required to fully decompress the data. Note that if a negative value is returned, then the data in the destination array should be considered invalid.

Specified by:

uncompress in interface CryptoManager

Parameters:

src - The array containing the compressed data.

dst - The array into which the uncompressed data should be written.

Returns:

A positive value containing the number of bytes of uncompressed data written into the destination buffer, or a negative value whose absolute value is the size of the destination buffer required to fully decompress the provided data.

Throws:

java.util.zip.DataFormatException - If a problem occurs while attempting to uncompress the data.

getSslContext

public javax.net.ssl.SSLContext getSslContext(java.lang.String sslCertNickname)
                                       throws ConfigException

Create an SSL context that may be used for communication to another ADS component.

Specified by:

getSslContext in interface CryptoManager

Parameters:

sslCertNickname - The name of the local certificate to use, or null if none is specified.

Returns:

A new SSL Context.

Throws:

ConfigException - If the context could not be created.

getSslCertNickname

public java.lang.String getSslCertNickname()

Get the name of the local certificate to use for SSL.

Specified by:

getSslCertNickname in interface CryptoManager

Returns:

The name of the local certificate to use for SSL.

isSslEncryption

public boolean isSslEncryption()

Determine whether SSL encryption is enabled.

Specified by:

isSslEncryption in interface CryptoManager

Returns:

true if SSL encryption is enabled.

getSslProtocols

public java.util.SortedSet<java.lang.String> getSslProtocols()

Get the set of enabled SSL protocols.

Specified by:

getSslProtocols in interface CryptoManager

Returns:

The set of enabled SSL protocols.

getSslCipherSuites

public java.util.SortedSet<java.lang.String> getSslCipherSuites()

Get the set of enabled SSL cipher suites.

Specified by:

getSslCipherSuites in interface CryptoManager

Returns:

The set of enabled SSL cipher suites.