Package org.opends.server.crypto

Class CryptoManager

java.lang.Object

org.opends.server.crypto.CryptoManager

All Implemented Interfaces:

ConfigurationChangeListener<CryptoManagerCfg>

public final class CryptoManager
extends Object
implements ConfigurationChangeListener<CryptoManagerCfg>

This class implements part of the Directory Server cryptographic framework. CryptoManager manages the server Master Key, used for wrapping cipher keys, and distribution of cipher keys through modifications in cn=admin data. It should only be used when cipher keys need to be exchanged using replication, such as reversible password storage schemes, all other uses of encryption should use CryptoManager.CipherService instead.

Other components of CryptoManager:

See Also:

CryptoManagerSync, CryptoManager.CipherService, GetSymmetricKeyExtendedOperation

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	CryptoManager.CipherService	Provides cryptographic related operations and key management.
class	CryptoManager.MacService	Generates a MAC to use for authenticating data and provides an encoding for storing and reuse.

Constructor Summary

Constructors

Constructor	Description
CryptoManager(ServerContext serverContext, CryptoManagerCfg config)	Creates a new instance of this crypto manager object from a given configuration, plus some static member initialization.

Method Summary

Modifier and Type	Method	Description
ConfigChangeResult	applyConfigurationChange(CryptoManagerCfg cfg)	Applies the configuration changes to this change listener.
byte[]	decryptUsingReplicatedKey(byte[] data)	Decrypts the data in the provided byte array using cipher specified by the key identifier prologue to the data.
byte[]	encryptUsingReplicatedKey(String cipherTransformation, int keyLengthBits, byte[] data)	Encrypts the data in the provided byte array using the requested cipher algorithm.
byte[]	getDeploymentPepper()	Returns the secret deployment-wide pepper which can be used as additional salt when hashing passwords and other secrets.
boolean	isConfigurationChangeAcceptable(CryptoManagerCfg cfg, List<LocalizableMessage> unacceptableReasons)	Indicates whether the proposed change to the configuration is acceptable to this change listener.
CryptoManager.CipherService	newCipherService()	Return a new CryptoManager.CipherService to provide cryptographic primitives and keys.
CryptoManager.MacService	newMacService()	Generates a new MAC service with the default algorithm and key length.
CryptoManager.MacService	newMacService(Entry entry)	Generates a new MAC service from the provided information in the LDAP Entry.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CryptoManager

public CryptoManager(ServerContext serverContext,
                     CryptoManagerCfg config)
              throws InitializationException

Creates a new instance of this crypto manager object from a given configuration, plus some static member initialization.

Parameters:

serverContext - The server context.

config - The configuration of this crypto manager.

Throws:

InitializationException - If a problem occurs while creating this CryptoManager that is not the result of a problem in the configuration.

Method Detail

isConfigurationChangeAcceptable

public boolean isConfigurationChangeAcceptable(CryptoManagerCfg cfg,
                                               List<LocalizableMessage> unacceptableReasons)

Description copied from interface: ConfigurationChangeListener

Indicates whether the proposed change to the configuration is acceptable to this change listener.

Specified by:

isConfigurationChangeAcceptable in interface ConfigurationChangeListener<CryptoManagerCfg>

Parameters:

cfg - The new configuration containing the changes.

unacceptableReasons - A list that can be used to hold messages about why the provided configuration is not acceptable.

Returns:

Returns true if the proposed change is acceptable, or false if it is not.

applyConfigurationChange

public ConfigChangeResult applyConfigurationChange(CryptoManagerCfg cfg)

Description copied from interface: ConfigurationChangeListener

Applies the configuration changes to this change listener.

Specified by:

applyConfigurationChange in interface ConfigurationChangeListener<CryptoManagerCfg>

Parameters:

cfg - The new configuration containing the changes.

Returns:

Returns information about the result of changing the configuration.

encryptUsingReplicatedKey

public byte[] encryptUsingReplicatedKey(String cipherTransformation,
                                        int keyLengthBits,
                                        byte[] data)
                                 throws GeneralSecurityException,
                                        CryptoManagerException

Encrypts the data in the provided byte array using the requested cipher algorithm.

It should only be used when cipher keys are exchanged by replication of cn=admin data, such as reversible password storage schemes. All other uses of encryption should use CryptoManager.CipherService instead.

Parameters:

cipherTransformation - The algorithm/mode/padding to use for the cipher.

keyLengthBits - The length in bits of the encryption key this method is to use. Note the specified key length and transformation must be compatible.

data - The plain-text data to be encrypted.

Returns:

A byte array containing the encrypted representation of the provided data.

Throws:

GeneralSecurityException - If a problem occurs while encrypting the data.

CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.

decryptUsingReplicatedKey

public byte[] decryptUsingReplicatedKey(byte[] data)
                                 throws GeneralSecurityException,
                                        CryptoManagerException

Decrypts the data in the provided byte array using cipher specified by the key identifier prologue to the data. cipher.

It should only be used when cipher keys are exchanged by replication of cn=admin data, such as reversible password storage schemes. All other uses of encryption should use CryptoManager.CipherService instead.

Parameters:

data - The cipher-text data to be decrypted.

Returns:

A byte array containing the clear-text representation of the provided data.

Throws:

GeneralSecurityException - If a problem occurs while encrypting the data.

CryptoManagerException - If a problem occurs reading the key identifier or initialization vector from the data prologue, or using these values to initialize a Cipher.

newCipherService

public CryptoManager.CipherService newCipherService()

Return a new CryptoManager.CipherService to provide cryptographic primitives and keys.

Returns:

a new CryptoManager.CipherService to provide cryptographic primitives and keys

getDeploymentPepper

public byte[] getDeploymentPepper()

Returns the secret deployment-wide pepper which can be used as additional salt when hashing passwords and other secrets.

Returns:

The secret deployment-wide pepper.

newMacService

public CryptoManager.MacService newMacService()
                                       throws CryptoManagerException

Generates a new MAC service with the default algorithm and key length.

Returns:

a new MAC service with the default algorithm and key length

Throws:

CryptoManagerException - if an error occurs

newMacService

public CryptoManager.MacService newMacService(Entry entry)
                                       throws CryptoManagerException

Generates a new MAC service from the provided information in the LDAP Entry.

Parameters:

entry - the LDAP entry

Returns:

a new MAC service with the default algorithm and key length

Throws:

CryptoManagerException - if an error occurs