[
https://issues.apache.org/jira/browse/OAK-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15109237#comment-15109237
]
Timothee Maret commented on OAK-3761:
-------------------------------------
bq. could you also provide some use cases for these APIs in Oak?
The primary driver is to encrypt secrets stored in OSGi configurations (e.g.
OAK-3626).
Typically, an operator who needs to set a secret property in an OSGi
configuration would do the following:
1. Invoke a mechanism to encrypt the cleartext value (with the current patch,
this would be done by invoking the servlet)
2. Store the encrypted value in the OSGI configuration
The component reading the property would invoke the {{SymmetricCipher#decrypt}}
method with the encrypted value and get back the cleartext value.
bq. this seems a bit funky to me, does Oak need to provide such servlets ?
There must be a means to invoke the encryption method.
Currently this is done via the Servlet; however, there are alternative ways of
doing it, such as:
a. Develop a small companion tool (Java program)
b. Turn the Servlet into a more generic OSGi WebConsolePlugin and thus provide
a UI for it
In the current patch, the encryption method is not part of the
{{SymmetricCipher}} API.
If we want to allow other components to invoke the encryption method then we'd
need to expose the method.
bq. I can't tell how Oak itself is related to this crypto effort, other than
the package name
Good point. The two proposed modules currently do not depend on Oak APIs and
are self-contained. I think that's actually a good thing :-).
It can currently be achieved as the implementation does store its secrets in
the FS rather than in the Oak repository.
Doing so allows invoking the {{SymmetricCipher}} API *before* the repository is
up.
As noted by [~chetanm] in [0] (in the JIRA issue description section), this is
useful for encrypting things such as the Mongo connection credentials.
> Oak crypto API and implementation
> ---------------------------------
>
> Key: OAK-3761
> URL: https://issues.apache.org/jira/browse/OAK-3761
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: security
> Affects Versions: 1.3.12
> Reporter: Timothee Maret
> Assignee: angela
> Attachments: OAK-3761.patch
>
>
> As discussed in [0], this issue tracks adding a simple API and implementation
> for encryption/decryption in Oak.
> [0]
> http://oak.markmail.org/search/?q=crypto#query:crypto+page:1+mid:iwsfd66lku2dzs2n+state:results
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)