This is an automated email from the ASF dual-hosted git repository.
vavrtom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/main by this push:
new 05459dcb32 QPID-8690: [Broker-J] Remove deprecated AESKeyFileEncrypter
(#265)
05459dcb32 is described below
commit 05459dcb3222dc7b4c8276b67abaac7b8a8e6cfa
Author: Daniil Kirilyuk <[email protected]>
AuthorDate: Wed Apr 9 15:16:29 2025 +0200
QPID-8690: [Broker-J] Remove deprecated AESKeyFileEncrypter (#265)
---
.../security/encryption/AESKeyFileEncrypter.java | 115 --------------
.../encryption/AESKeyFileEncrypterFactory.java | 46 ------
.../AESGCMKeyFileEncrypterFactoryTest.java | 10 +-
.../encryption/AESGCMKeyFileEncrypterTest.java | 8 +-
.../encryption/AESKeyFileEncrypterFactoryTest.java | 71 ---------
.../encryption/AESKeyFileEncrypterTest.java | 166 ---------------------
.../AbstractAESKeyFileEncrypterFactoryTest.java | 22 +--
...va-Broker-Security-Configuration-Encryption.xml | 12 +-
8 files changed, 28 insertions(+), 422 deletions(-)
diff --git
a/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java
b/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java
deleted file mode 100644
index 9e02cf5774..0000000000
---
a/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.qpid.server.security.encryption;
-
-
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.util.Base64;
-
-import javax.crypto.Cipher;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
-
-import org.apache.qpid.server.util.Strings;
-
-/**
- * Class is deprecated in favor of AESGCMKeyFileEncrypter, it will be deleted
in one of the next releases
- */
-@Deprecated(since = "9.2.0", forRemoval = true)
-class AESKeyFileEncrypter implements ConfigurationSecretEncrypter
-{
- private static final String CIPHER_NAME = "AES/CBC/PKCS5Padding";
- private static final int AES_INITIALIZATION_VECTOR_LENGTH = 16;
- private static final String AES_ALGORITHM = "AES";
- private final SecretKey _secretKey;
- private final SecureRandom _random = new SecureRandom();
-
- AESKeyFileEncrypter(SecretKey secretKey)
- {
- if(secretKey == null)
- {
- throw new NullPointerException("A non null secret key must be
supplied");
- }
- if(!AES_ALGORITHM.equals(secretKey.getAlgorithm()))
- {
- throw new IllegalArgumentException("Provided secret key was for
the algorithm: " + secretKey.getAlgorithm()
- + "when" + AES_ALGORITHM +
"was needed.");
- }
- _secretKey = secretKey;
- }
-
- @Override
- public String encrypt(final String unencrypted)
- {
- byte[] unencryptedBytes = unencrypted.getBytes(StandardCharsets.UTF_8);
- try
- {
- byte[] ivbytes = new byte[AES_INITIALIZATION_VECTOR_LENGTH];
- _random.nextBytes(ivbytes);
- Cipher cipher = Cipher.getInstance(CIPHER_NAME);
- cipher.init(Cipher.ENCRYPT_MODE, _secretKey, new
IvParameterSpec(ivbytes));
- byte[] encryptedBytes =
EncryptionHelper.readFromCipherStream(unencryptedBytes, cipher);
- byte[] output = new byte[AES_INITIALIZATION_VECTOR_LENGTH +
encryptedBytes.length];
- System.arraycopy(ivbytes, 0, output, 0,
AES_INITIALIZATION_VECTOR_LENGTH);
- System.arraycopy(encryptedBytes, 0, output,
AES_INITIALIZATION_VECTOR_LENGTH, encryptedBytes.length);
- return Base64.getEncoder().encodeToString(output);
- }
- catch (IOException | InvalidAlgorithmParameterException |
InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e)
- {
- throw new IllegalArgumentException("Unable to encrypt secret", e);
- }
- }
-
- @Override
- public String decrypt(final String encrypted)
- {
- if(!EncryptionHelper.isValidBase64(encrypted))
- {
- throw new IllegalArgumentException("Encrypted value is not valid
Base 64 data: '" + encrypted + "'");
- }
- byte[] encryptedBytes = Strings.decodeBase64(encrypted);
- try
- {
- Cipher cipher = Cipher.getInstance(CIPHER_NAME);
-
- IvParameterSpec ivParameterSpec = new
IvParameterSpec(encryptedBytes, 0, AES_INITIALIZATION_VECTOR_LENGTH);
-
- cipher.init(Cipher.DECRYPT_MODE, _secretKey, ivParameterSpec);
-
- return new
String(EncryptionHelper.readFromCipherStream(encryptedBytes,
-
AES_INITIALIZATION_VECTOR_LENGTH,
- encryptedBytes.length -
AES_INITIALIZATION_VECTOR_LENGTH,
- cipher),
StandardCharsets.UTF_8);
- }
- catch (IOException | InvalidAlgorithmParameterException |
InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e)
- {
- throw new IllegalArgumentException("Unable to decrypt secret", e);
- }
- }
-
-
-}
diff --git
a/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java
b/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java
deleted file mode 100644
index cf48249504..0000000000
---
a/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.qpid.server.security.encryption;
-
-import javax.crypto.spec.SecretKeySpec;
-
-import org.apache.qpid.server.plugin.PluggableService;
-
-/**
- * Class is deprecated in favor of AESGCMKeyFileEncrypterFactory, it will be
deleted in one of the next releases
- */
-@PluggableService
-@Deprecated(since = "9.2.0", forRemoval = true)
-public class AESKeyFileEncrypterFactory extends
AbstractAESKeyFileEncrypterFactory
-{
- public static final String TYPE = "AESKeyFile";
-
- @Override
- public String getType()
- {
- return TYPE;
- }
-
- protected AESKeyFileEncrypter createEncrypter(final SecretKeySpec keySpec)
- {
- return new AESKeyFileEncrypter(keySpec);
- }
-}
diff --git
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterFactoryTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterFactoryTest.java
index ffacd9224b..7c99ccdccf 100644
---
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterFactoryTest.java
+++
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterFactoryTest.java
@@ -20,12 +20,13 @@
*/
package org.apache.qpid.server.security.encryption;
-import static
org.apache.qpid.server.security.encryption.AESKeyFileEncrypterFactoryTest.createSecretKey;
import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
+import java.security.SecureRandom;
+
import javax.crypto.spec.SecretKeySpec;
import org.junit.jupiter.api.BeforeEach;
@@ -56,4 +57,11 @@ public class AESGCMKeyFileEncrypterFactoryTest extends
UnitTestBase
final ConfigurationSecretEncrypter encrypter =
_factory.createEncrypter(secretKey);
assertThat(encrypter, is(instanceOf(AESGCMKeyFileEncrypter.class)));
}
+
+ private SecretKeySpec createSecretKey()
+ {
+ final byte[] keyData = new byte[32];
+ new SecureRandom().nextBytes(keyData);
+ return new SecretKeySpec(keyData, "AES");
+ }
}
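Review bot: The new `createSecretKey()` at the end of the hunk reads no instance state, so it can be `private static SecretKeySpec createSecretKey()`, matching the static helper it replaces from the deleted AESKeyFileEncrypterFactoryTest. The bare `32` would read better as a named constant, e.g. `private static final int AES_256_KEY_LENGTH_BYTES = 32;`, since a 256-bit key is the contract this test relies on. The deleted AESKeyFileEncrypterTest guarded its 32-byte key with `assumeTrue(isStrongEncryptionEnabled())`; if that guard is still meaningful on the JVMs this project supports, the same line here would keep the factory test from failing spuriously on a restricted JCE.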
diff --git
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterTest.java
index 06242baa17..518fc43d50 100644
---
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterTest.java
+++
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterTest.java
@@ -188,10 +188,10 @@ public class AESGCMKeyFileEncrypterTest extends
UnitTestBase
@Test
public void testChangeOfEncryptionToGCM() throws Exception
{
-
createBrokerAndAuthenticationProviderWithEncrypterPassword(AESKeyFileEncrypterFactory.TYPE);
+
createBrokerAndAuthenticationProviderWithEncrypterPassword(AESGCMKeyFileEncrypterFactory.TYPE);
final String aesEncryptedPassword = getEncryptedPasswordFromConfig();
final SecretKeySpec aesSecretKey = new
SecretKeySpec(getBrokerSecretKey(), "AES");
- final AESKeyFileEncrypter cbcEncrypter = new
AESKeyFileEncrypter(aesSecretKey);
+ final AESGCMKeyFileEncrypter cbcEncrypter = new
AESGCMKeyFileEncrypter(aesSecretKey);
final String aesDecryptedPassword =
cbcEncrypter.decrypt(aesEncryptedPassword);
assertEquals(SECRET, aesDecryptedPassword, "Decrypted text doesnt
match original");
_broker.setAttributes(Map.of(
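Review bot: After this change `testChangeOfEncryptionToGCM` creates the broker with `AESGCMKeyFileEncrypterFactory.TYPE` and decrypts with an `AESGCMKeyFileEncrypter`, so it no longer exercises a change of encryption at all — both sides are GCM — while the method name and the locals `aesEncryptedPassword`/`cbcEncrypter` still describe the removed CBC-to-GCM migration; the same applies to the second hunk in this file, where the provider is switched from `"AESGCMKeyFile"` to `"AESGCMKeyFile"` (possibly a no-op `setAttributes`) and `cbcEncryptedPassword`/`cbcEncrypter` are again GCM values. Either rename the test to what it now checks (re-enabling the GCM provider leaves existing secrets decryptable, e.g. `testReenablingGcmProviderKeepsSecretsDecryptable`) and rename the locals to match, or drop it if that behaviour is already covered. Since this commit removes the `AESKeyFile` provider type outright, it also seems worth confirming elsewhere that a configuration still holding `AESKeyFile`-encrypted secrets fails with a clear error rather than silently, as no code path can decrypt them any more. The enclosing method continues past the end of this hunk.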
@@ -231,9 +231,9 @@ public class AESGCMKeyFileEncrypterTest extends UnitTestBase
final String gcmDecryptedPassword =
gcmEncrypter.decrypt(gcmEncryptedPassword);
assertEquals(SECRET, gcmDecryptedPassword, "Decrypted text doesnt
match original");
_broker.setAttributes(Map.of(
- Broker.CONFIDENTIAL_CONFIGURATION_ENCRYPTION_PROVIDER,
"AESKeyFile"));
+ Broker.CONFIDENTIAL_CONFIGURATION_ENCRYPTION_PROVIDER,
"AESGCMKeyFile"));
final String cbcEncryptedPassword = getEncryptedPasswordFromConfig();
- final AESKeyFileEncrypter cbcEncrypter = new
AESKeyFileEncrypter(aesSecretKey);
+ final AESGCMKeyFileEncrypter cbcEncrypter = new
AESGCMKeyFileEncrypter(aesSecretKey);
final String cbcDecryptedPassword =
cbcEncrypter.decrypt(cbcEncryptedPassword);
assertEquals(SECRET, cbcDecryptedPassword, "Decrypted text doesnt
match original");
}
diff --git
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactoryTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactoryTest.java
deleted file mode 100644
index 4e8f5aedf1..0000000000
---
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactoryTest.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.qpid.server.security.encryption;
-
-import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.instanceOf;
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.MatcherAssert.assertThat;
-
-import java.security.SecureRandom;
-
-import javax.crypto.spec.SecretKeySpec;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import org.apache.qpid.test.utils.UnitTestBase;
-
-/**
- * Unit test is deprecated due to deprecation of AESKeyFileEncrypterFactory,
it will be deleted in one of the next releases
- */
-@Deprecated(since = "9.2.0", forRemoval = true)
-public class AESKeyFileEncrypterFactoryTest extends UnitTestBase
-{
- private AESKeyFileEncrypterFactory _factory;
-
- @BeforeEach
- public void setUp() throws Exception
- {
- _factory = new AESKeyFileEncrypterFactory();
- }
-
- @Test
- public void testGetType()
- {
- assertThat(_factory.getType(),
is(equalTo(AESKeyFileEncrypterFactory.TYPE)));
- }
-
- @Test
- public void testCreateEncrypter()
- {
- final SecretKeySpec secretKey = createSecretKey();
- final ConfigurationSecretEncrypter encrypter =
_factory.createEncrypter(secretKey);
- assertThat(encrypter, is(instanceOf(AESKeyFileEncrypter.class)));
- }
-
- static SecretKeySpec createSecretKey()
- {
- final byte[] keyData = new byte[32];
- new SecureRandom().nextBytes(keyData);
- return new SecretKeySpec(keyData, "AES");
- }
-}
diff --git
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterTest.java
deleted file mode 100644
index 6e732c0954..0000000000
---
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterTest.java
+++ /dev/null
@@ -1,166 +0,0 @@
-/*
- *
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *
- */
-package org.apache.qpid.server.security.encryption;
-
-import static
org.apache.qpid.server.security.encryption.AbstractAESKeyFileEncrypterFactoryTest.isStrongEncryptionEnabled;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assumptions.assumeTrue;
-
-import java.nio.charset.StandardCharsets;
-import java.security.SecureRandom;
-import java.util.HashSet;
-import java.util.Random;
-import java.util.Set;
-
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
-
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-
-import org.apache.qpid.test.utils.UnitTestBase;
-
-/**
- * Unit test is deprecated due to deprecation of AESKeyFileEncrypter, it will
be deleted in one of the next releases
- */
-@Deprecated(since = "9.2.0", forRemoval = true)
-public class AESKeyFileEncrypterTest extends UnitTestBase
-{
- private final SecureRandom _random = new SecureRandom();
- public static final String PLAINTEXT = "secret";
- private static SecretKeySpec secretKey;
-
- @BeforeEach
- public void setUp() throws Exception
- {
- assumeTrue(isStrongEncryptionEnabled());
- final byte[] keyData = new byte[32];
- _random.nextBytes(keyData);
- secretKey = new SecretKeySpec(keyData, "AES");
- }
-
- @Test
- public void testSimpleEncryptDecrypt()
- {
- doTestSimpleEncryptDecrypt(PLAINTEXT);
- }
-
-
- @Test
- public void testRepeatedEncryptionsReturnDifferentValues()
- {
- final AESKeyFileEncrypter encrypter = new
AESKeyFileEncrypter(secretKey);
-
- final Set<String> encryptions = new HashSet<>();
-
- int iterations = 10;
-
- for (int i = 0; i < iterations; i++)
- {
- encryptions.add(encrypter.encrypt(PLAINTEXT));
- }
-
- assertEquals(iterations, (long) encryptions.size(), "Not all
encryptions were distinct");
-
- for (final String encrypted : encryptions)
- {
- assertEquals(PLAINTEXT, encrypter.decrypt(encrypted), "Not all
encryptions decrypt correctly");
- }
- }
-
- @Test
- public void testCreationFailsOnInvalidSecret() throws Exception
- {
- assertThrows(NullPointerException.class,
- () -> new AESKeyFileEncrypter(null),
- "An encrypter should not be creatable from a null key");
-
- final PBEKeySpec keySpec = new PBEKeySpec("password".toCharArray());
- final SecretKeyFactory factory =
SecretKeyFactory.getInstance("PBEWithMD5AndDES");
-
- assertThrows(IllegalArgumentException.class,
- () -> new AESKeyFileEncrypter(factory.generateSecret(keySpec)),
- "An encrypter should not be creatable from the wrong type of
secret key");
- }
-
- @Test
- public void testEncryptionOfEmptyString()
- {
- doTestSimpleEncryptDecrypt("");
- }
-
- private void doTestSimpleEncryptDecrypt(final String text)
- {
- final AESKeyFileEncrypter encrypter = new
AESKeyFileEncrypter(secretKey);
-
- final String encrypted = encrypter.encrypt(text);
- assertNotNull(encrypted, "Encrypter did not return a result from
encryption");
- assertNotEquals(text, encrypted, "Plain text and encrypted version are
equal");
- final String decrypted = encrypter.decrypt(encrypted);
- assertNotNull(decrypted, "Encrypter did not return a result from
decryption");
- assertEquals(text, decrypted, "Encryption was not reversible");
- }
-
- @Test
- public void testEncryptingNullFails()
- {
- final AESKeyFileEncrypter encrypter = new
AESKeyFileEncrypter(secretKey);
-
- assertThrows(NullPointerException.class,
- () -> encrypter.encrypt(null),
- "Attempting to encrypt null should fail");
- }
-
- @Test
- public void testEncryptingVeryLargeSecret()
- {
- final Random random = new Random();
- final byte[] data = new byte[4096];
- random.nextBytes(data);
- for (int i = 0; i < data.length; i++)
- {
- data[i] = (byte) (data[i] & 0xEF);
- }
- doTestSimpleEncryptDecrypt(new String(data,
StandardCharsets.US_ASCII));
- }
-
- @Test
- public void testDecryptNonsense()
- {
- final AESKeyFileEncrypter encrypter = new
AESKeyFileEncrypter(secretKey);
- assertThrows(NullPointerException.class,
- () -> encrypter.decrypt(null),
- "Should not decrypt a null value");
- assertThrows(IllegalArgumentException.class,
- () -> encrypter.decrypt(""),
- "Should not decrypt the empty String");
- assertThrows(IllegalArgumentException.class,
- () -> encrypter.decrypt("thisisnonsense"),
- "Should not decrypt a small amount of nonsense");
- assertThrows(IllegalArgumentException.class,
- () ->
encrypter.decrypt("thisisn'tvalidBase64!soitshouldfailwithanIllegalArgumentException"),
- "Should not decrypt a larger amount of nonsense");
- }
-}
diff --git
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AbstractAESKeyFileEncrypterFactoryTest.java
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AbstractAESKeyFileEncrypterFactoryTest.java
index c380ee9d26..b03585ed8a 100644
---
a/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AbstractAESKeyFileEncrypterFactoryTest.java
+++
b/broker-core/src/test/java/org/apache/qpid/server/security/encryption/AbstractAESKeyFileEncrypterFactoryTest.java
@@ -106,7 +106,7 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
@Override
protected ConfigurationSecretEncrypter createEncrypter(final
SecretKeySpec keySpec)
{
- return new AESKeyFileEncrypter(keySpec);
+ return new AESGCMKeyFileEncrypter(keySpec);
}
};
}
@@ -121,7 +121,7 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
doChecks(encrypter, keyFilePathChecker);
- final String pathName = (String)
_broker.getContext().get(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE);
+ final String pathName = (String)
_broker.getContext().get(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE);
// check the context variable was set
assertEquals(keyFilePathChecker.getKeyFile().toString(), pathName);
@@ -150,9 +150,9 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
final String subdirName = getTestName() + File.separator + "test";
final String fileLocation = _tmpDir.toString() + File.separator +
subdirName + File.separator + filename;
-
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
+
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
when(_broker.getContextValue(eq(String.class),
-
eq(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
+
eq(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
final ConfigurationSecretEncrypter encrypter =
_factory.createEncrypter(_broker);
@@ -169,9 +169,9 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
final String subdirName = getTestName() + File.separator + "test";
final String fileLocation = _tmpDir.toString() + File.separator +
subdirName + File.separator + filename;
-
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
+
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
when(_broker.getContextValue(eq(String.class),
-
eq(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
+
eq(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
Files.createDirectories(Paths.get(fileLocation));
@@ -189,9 +189,9 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
final String subdirName = getTestName() + File.separator + "test";
final String fileLocation = _tmpDir.toString() + File.separator +
subdirName + File.separator + filename;
-
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
+
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
when(_broker.getContextValue(eq(String.class),
-
eq(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
+
eq(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
Files.createDirectories(Paths.get(_tmpDir.toString(), subdirName));
@@ -213,9 +213,9 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
final String subdirName = getTestName() + File.separator + "test";
final String fileLocation = _tmpDir.toString() + File.separator +
subdirName + File.separator + filename;
-
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
+
when(_broker.getContextKeys(eq(false))).thenReturn(Set.of(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE));
when(_broker.getContextValue(eq(String.class),
-
eq(AESKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
+
eq(AESGCMKeyFileEncrypterFactory.ENCRYPTER_KEY_FILE))).thenReturn(fileLocation);
Files.createDirectories(Paths.get(_tmpDir.toString(), subdirName));
@@ -260,7 +260,7 @@ public class AbstractAESKeyFileEncrypterFactoryTest extends
UnitTestBase
public KeyFilePathChecker()
{
- this(AESKeyFileEncrypterFactory.DEFAULT_KEYS_SUBDIR_NAME,
"Broker_" + getTestName() + ".key");
+ this(AESGCMKeyFileEncrypterFactory.DEFAULT_KEYS_SUBDIR_NAME,
"Broker_" + getTestName() + ".key");
}
public KeyFilePathChecker(final String subdirName, final String
fileName)
diff --git
a/doc/java-broker/src/docbkx/security/Java-Broker-Security-Configuration-Encryption.xml
b/doc/java-broker/src/docbkx/security/Java-Broker-Security-Configuration-Encryption.xml
index 2f5cfe9810..2f9cf51484 100644
---
a/doc/java-broker/src/docbkx/security/Java-Broker-Security-Configuration-Encryption.xml
+++
b/doc/java-broker/src/docbkx/security/Java-Broker-Security-Configuration-Encryption.xml
@@ -26,25 +26,21 @@
Broker's configuration. This is means that items such as
keystore/truststore passwords, JDBC
passwords, and LDAP passwords can be stored in the configuration in a form
that is difficult to
read.</para>
- <para>The Broker ships with an encryptor implementations called
<literal>AESGCMKeyFile</literal> and
- <literal>AESKeyFile</literal>. This uses a securely generated random key
of 256bit
+ <para>The Broker ships with an encryptor implementation called
<literal>AESGCMKeyFile</literal> .
+ This uses a securely generated random key of 256bit
<footnote><para>Java Cryptography Extension (JCE) Unlimited Strength
required</para></footnote>
to encrypt the secrets stored within a key file. Of course, the key itself
must be guarded carefully,
otherwise the passwords encrypted with it may be compromised. For this
reason, the Broker ensures
that the file's permissions allow the file to be read exclusively by the
user account used for running
the Broker.</para>
- <important>
- <para>AESKeyFile encryptor is considered as not safe, it is deprecated and
will be removed in one of the
- next releases. AESGCMKeyFile encryptor should be used instead.</para>
- </important>
<important>
<para>If the keyfile is lost or corrupted, the secrets will be
irrecoverable.</para>
</important>
<section
xml:id="Java-Broker-Security-Configuration-Encryption-Configuration">
<title>Configuration</title>
- <para>The <literal>AESGCMKeyFile</literal> or
<literal>AESKeyFile</literal> encryptor providers are
+ <para>The <literal>AESGCMKeyFile</literal> encryptor provider is
enabled/disabled via the <link
linkend="Java-Broker-Management-Managing-Broker">Broker attributes</link>
- within the Web Management Console. On enabling the provider, any
existing passwords within the
+ within the Web Management Console. On enabling the provider, any
existing passwords within the
configuration will be automatically rewritten in the encrypted
form.</para>
<para>Note that passwords stored by the Authentication Providers <link
linkend="Java-Broker-Security-PlainPasswordFile-Provider">PlainPasswordFile</link>
and.
<link
linkend="Java-Broker-Security-Base64MD5PasswordFile-Provider">PlainPasswordFile</link>