[ 
https://issues.apache.org/jira/browse/OAK-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15107957#comment-15107957
 ] 

Timothee Maret edited comment on OAK-3761 at 1/20/16 4:25 AM:
--------------------------------------------------------------

The patch adds two modules, {{oak-crypto-api}} and {{oak-crypto-impl}}.
{{oak-crypto-api}} defines a single {{SymmetricCipher}} interface which 
contains a single method for decrypting ciphertext.
As suggested by [~chetanm] on oak-dev mailing list, the API does *not* expose 
the encryption method as of this version.
The API could be extended in the future in order to collect all features of 
symmetric ciphers (stream cipher, PBE, etc.).

{{oak-crypto-impl}} provides a default implementation of the {{oak-crypto-api}} 
API module. 
The implementation depends exclusively on security features available on 
compliant Java SE 7 platforms [0] ({{AES/CBC/PKCS5Padding}}, {{HmacSHA256}}, 
{{SecureRandom}}).

The {{SecretKey}} keys required for encryption are stored encrypted (using AES 
key wrap algo) on the file system.

Storing the keys in a keystore may make more sense, however there seems to be 
no suitable portable keystore as of Java 7.
Indeed, the only required and portable keystore with Java SE 7 compatible 
platforms is {{PKCS12}} [0].
The {{PKCS12}} keystore implementation is limited though and, at least on 
Oracle JRE/JDK 1.7, does not allow storing {{SecretKey}} keys (only 
{{PrivateKey}} keys).

An alternative could be to use asymmetric key wrapping based on a {{KeyPair}} 
obtained from a {{PKCS12}} keystore. 
However, this is not feasible with Java SE 7 APIs only as there is no JRE/JDK 
API that allows signing certificates (setting up the keys using the JRE tooling 
external to the JRE would be feasible but more painful to set up).

Other alternatives would be to either require Oracle JRE/JDK 1.8 and OpenJDK 
1.8 or to use JCEKS keystores (proprietary) with Oracle 1.7.
Both approaches would allow storing {{SecretKey}} keys in a keystore.

Finally, the module exposes a simple servlet which allows encrypting data.
Access to this servlet is currently not restricted.
Details regarding its usage can be found in the module README.

[0] 
https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl


was (Author: marett):
The patch adds two modules, {{oak-crypto-api}} and {{oak-crypto-impl}}.
{{oak-crypto-api}} defines a single {{SymmetricCipher}} interface which 
contains a single method for decrypting ciphertext.
As suggested by [~chetanm] on oak-dev mailing list, the API does *not* expose 
the encryption method as of this version.
The API could be extended in the future in order to collect all features of 
symmetric ciphers (stream cipher, PBE, etc.).

{{oak-crypto-impl}} provides a default implementation of the {{oak-crypto-api}} 
API module. 
The implementation depends exclusively on security features available on 
compliant Java SE 7 platforms [0] ({{AES/CBC/PKCS5Padding}}, {{HmacSHA256}}, 
{{SecureRandom}}).

The (SecretKey) keys required for encryption are stored encrypted (using AES 
key wrap algorithm) on the file system.
Storing the keys in a keystore may make more sense, however there seems to be 
no suitable portable keystore as of Java 7.
Indeed, the only required and portable keystore with Java SE 7 compatible 
platforms is PKCS#12 [0].
The PKCS12 keystore implementation is limited though and, at least on Oracle 
JRE/JDK 1.7, does not allow storing SecretKey keys (only PrivateKey keys).
Using asymmetric key wrapping (based on a KeyPair from a PKCS12 keystore) is 
not feasible with Java SE 7 APIs only, indeed there is no API that allows 
signing certificates (we'd need to set up keys using the JRE tooling external to 
the JRE).
Oracle JRE/JDK 1.8 and OpenJDK 1.8 or JCEKS keystores (proprietary) with Oracle 
1.7 would allow storing SecretKey keys in PKCS12 keystore though.

Finally, the module exposes a simple servlet which allows encrypting data.
Access to this servlet is currently not restricted.
Details regarding its usage can be found in the module README.

[0] 
https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl

> Oak crypto API and implementation
> ---------------------------------
>
>                 Key: OAK-3761
>                 URL: https://issues.apache.org/jira/browse/OAK-3761
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 1.3.12
>            Reporter: Timothee Maret
>            Assignee: angela
>         Attachments: OAK-3761.patch
>
>
> As discussed in [0], this issue tracks adding a simple API and implementation 
> for encryption/decryption in Oak. 
> [0] 
> http://oak.markmail.org/search/?q=crypto#query:crypto+page:1+mid:iwsfd66lku2dzs2n+state:results
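
The key storage approach described in the comment above (a {{SecretKey}} wrapped with the AES key wrap algorithm before it is written to the file system), as an added example that is not part of the comment or of the attached patch. The class and method names, the 128-bit key sizes and the byte array standing in for the key file are assumptions; the example also shows that a modified wrapped key is rejected on unwrap.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Oak code: class and method names, the 128-bit key
// sizes and the byte[] standing in for the key file are assumptions.
public class WrappedKeyDemo {

    static SecretKey randomKey(String algorithm) {
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        return new SecretKeySpec(raw, algorithm);
    }

    // Wrap the key under the key-encryption key (KEK); the result is what would be written to disk.
    static byte[] wrap(SecretKey kek, SecretKey key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(key); // 24 bytes for a 16-byte key: 8 extra bytes carry the integrity value
    }

    // The wrapped blob holds no algorithm name, so the caller states what it expects to unwrap.
    static SecretKey unwrap(SecretKey kek, byte[] blob, String algorithm) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(blob, algorithm, Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        SecretKey kek = randomKey("AES");        // constructed for the demo
        SecretKey mac = randomKey("HmacSHA256"); // constructed for the demo
        byte[] blob = wrap(kek, mac);
        SecretKey back = unwrap(kek, blob, "HmacSHA256");
        System.out.println("round trip ok: " + Arrays.equals(mac.getEncoded(), back.getEncoded()));

        blob[3] ^= 1; // simulate a modified key file
        try {
            unwrap(kek, blob, "HmacSHA256");
            System.out.println("tampered blob accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The key-encryption key is generated in memory here only to keep the example self-contained; the comment does not say where it is kept.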


