[
https://issues.apache.org/jira/browse/OAK-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15107957#comment-15107957
]
Timothee Maret commented on OAK-3761:
-------------------------------------
The patch adds two modules, {{oak-crypto-api}} and {{oak-crypto-impl}}.
{{oak-crypto-api}} defines a single {{SymmetricCipher}} interface which
contains a single method for decrypting ciphertext.
As suggested by [~chetanm] on oak-dev mailing list, the API does *not* expose
the encryption method as of this version.
The API could be extended in the future in order to collect all features of
symmetric ciphers (stream cipher, PBE, etc.).
{{oak-crypto-impl}} provides a default implementation of the {{oak-crypto-api}}
API module.
The implementation depends exclusively on security features available on
compliant Java SE 7 platforms [0] ({{AES/CBC/PKCS5Padding}}, {{HmacSHA256}},
{{SecureRandom}}).
The (SecretKey) keys required for encryption are stored encrypted (using AES
key wrap algorithm) on the file system.
Storing the keys in a keystore may make more sense, however there seems to be
no suitable portable keystore as of Java 7.
Indeed, the only required and portable keystore with Java SE 7 compatible
platforms is PKCS#12 [0].
The PKCS12 keystore implementation is limited though and, at least on Oracle
JRE/JDK 1.7, does not allow to store SecretKey keys (only PrivateKey keys).
Using asymmetric key wrapping (based on a KeyPair from a PKCS12 keystore) is
not feasible with Java SE 7 APIs only, indeed there is no API that allow
signing certificates (we'd need to setup keys using the JRE tooling external to
the JRE).
Oracle JRE/JDK 1.8 and OpenJDK 1.8 or JCEKS keystores (proprietary) with Oracle
1.7 would allow to store SecretKey keys in PKCS12 keystore though.
Finally, the module exposes a simple servlet where which allows to encrypt data.
Access to this servlet is currently not restricted.
Details regarding its usage can be found in the module README.
[0]
https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
> Oak crypto API and implementation
> ---------------------------------
>
> Key: OAK-3761
> URL: https://issues.apache.org/jira/browse/OAK-3761
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: security
> Affects Versions: 1.3.12
> Reporter: Timothee Maret
> Assignee: angela
> Attachments: OAK-3761.patch
>
>
> As discussed in [0], this issue tracks adding a simple API and implementation
> for encryption/decryption in Oak.
> [0]
> http://oak.markmail.org/search/?q=crypto#query:crypto+page:1+mid:iwsfd66lku2dzs2n+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
