Class CryptoManager

java.lang.Object
org.opends.server.crypto.CryptoManager
All Implemented Interfaces:
ConfigurationChangeListener<CryptoManagerCfg>

public final class CryptoManager extends Object implements ConfigurationChangeListener<CryptoManagerCfg>
This class implements part of the Directory Server cryptographic framework. CryptoManager manages the server Master Key, which is used for wrapping cipher keys, and distributes cipher keys through modifications in cn=admin data. It should only be used when cipher keys need to be exchanged using replication, as with reversible password storage schemes; all other uses of encryption should use CryptoManager.CipherService instead.

  • Constructor Details

    • CryptoManager

      public CryptoManager(ServerContext serverContext, CryptoManagerCfg config) throws InitializationException
      Creates a new instance of this crypto manager object from a given configuration, plus some static member initialization.
      Parameters:
      serverContext - The server context.
      config - The configuration of this crypto manager.
      Throws:
      InitializationException - If a problem occurs while creating this CryptoManager that is not the result of a problem in the configuration.
  • Method Details

    • isConfigurationChangeAcceptable

      public boolean isConfigurationChangeAcceptable(CryptoManagerCfg cfg, List<LocalizableMessage> unacceptableReasons)
      Description copied from interface: ConfigurationChangeListener
      Indicates whether the proposed change to the configuration is acceptable to this change listener.
      Specified by:
      isConfigurationChangeAcceptable in interface ConfigurationChangeListener<CryptoManagerCfg>
      Parameters:
      cfg - The new configuration containing the changes.
      unacceptableReasons - A list that can be used to hold messages about why the provided configuration is not acceptable.
      Returns:
      Returns true if the proposed change is acceptable, or false if it is not.
    • applyConfigurationChange

      public ConfigChangeResult applyConfigurationChange(CryptoManagerCfg cfg)
      Description copied from interface: ConfigurationChangeListener
      Applies the configuration changes to this change listener.
      Specified by:
      applyConfigurationChange in interface ConfigurationChangeListener<CryptoManagerCfg>
      Parameters:
      cfg - The new configuration containing the changes.
      Returns:
      Returns information about the result of changing the configuration.
    • encryptUsingReplicatedKey

      public byte[] encryptUsingReplicatedKey(String cipherTransformation, int keyLengthBits, byte[] data) throws GeneralSecurityException, CryptoManagerException
      Encrypts the data in the provided byte array using the requested cipher algorithm.

      It should only be used when cipher keys are exchanged by replication of cn=admin data, such as reversible password storage schemes. All other uses of encryption should use CryptoManager.CipherService instead.

      Parameters:
      cipherTransformation - The algorithm/mode/padding to use for the cipher.
      keyLengthBits - The length in bits of the encryption key this method is to use. Note the specified key length and transformation must be compatible.
      data - The plain-text data to be encrypted.
      Returns:
      A byte array containing the encrypted representation of the provided data.
      Throws:
      GeneralSecurityException - If a problem occurs while encrypting the data.
      CryptoManagerException - If a problem occurs managing the encryption key or producing the cipher.
    • decryptUsingReplicatedKey

      public byte[] decryptUsingReplicatedKey(byte[] data) throws GeneralSecurityException, CryptoManagerException
      Decrypts the data in the provided byte array using the cipher specified by the key identifier in the prologue of the data.

      It should only be used when cipher keys are exchanged by replication of cn=admin data, such as reversible password storage schemes. All other uses of encryption should use CryptoManager.CipherService instead.

      Parameters:
      data - The cipher-text data to be decrypted.
      Returns:
      A byte array containing the clear-text representation of the provided data.
      Throws:
      GeneralSecurityException - If a problem occurs while decrypting the data.
      CryptoManagerException - If a problem occurs reading the key identifier or initialization vector from the data prologue, or using these values to initialize a Cipher.
    • newCipherService

      public CryptoManager.CipherService newCipherService()
      Return a new CryptoManager.CipherService to provide cryptographic primitives and keys.
      Returns:
      a new CryptoManager.CipherService to provide cryptographic primitives and keys
    • getDeploymentPepper

      public byte[] getDeploymentPepper()
      Returns the secret deployment-wide pepper which can be used as additional salt when hashing passwords and other secrets.
      Returns:
      The secret deployment-wide pepper.
    • newMacService

      public CryptoManager.MacService newMacService() throws CryptoManagerException
      Generates a new MAC service with the default algorithm and key length.
      Returns:
      a new MAC service with the default algorithm and key length
      Throws:
      CryptoManagerException - if an error occurs
    • newMacService

      public CryptoManager.MacService newMacService(Entry entry) throws CryptoManagerException
      Generates a new MAC service from the provided information in the LDAP Entry.
      Parameters:
      entry - the LDAP entry
      Returns:
      a new MAC service built from the information in the provided entry
      Throws:
      CryptoManagerException - if an error occurs
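The following class is an added example, not code from the OpenDJ project, showing how a server component would use the two method groups documented above: encryptUsingReplicatedKey/decryptUsingReplicatedKey for material that must survive replication (the reversible password storage case), and getDeploymentPepper as additional salt for password hashing. The CryptoManager instance is taken as a parameter (inside the server it is obtained from the ServerContext the constructor mentions); the transformation name, key length, PBKDF2 algorithm and iteration count are constructed sample values, and the package of CryptoManagerException is an assumption.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.util.Arrays;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.opends.server.crypto.CryptoManager;
import org.opends.server.types.CryptoManagerException; // assumption: package of this exception type

/** Added example (not part of OpenDJ): helpers around the replicated key and the deployment pepper. */
public final class CryptoManagerUsage {

  // Constructed sample parameters; the transformation and key length must be compatible.
  static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";
  static final int KEY_LENGTH_BITS = 128;

  // Constructed PBKDF2 parameters for the pepper example, not a server default.
  static final String PBKDF2 = "PBKDF2WithHmacSHA256";
  static final int ITERATIONS = 100_000;
  static final int HASH_BITS = 256;

  private CryptoManagerUsage() {}

  /**
   * Encrypts a secret under the replicated key and confirms it round-trips before
   * returning the cipher text. The key identifier and IV travel in the prologue of
   * the returned bytes, so decryptUsingReplicatedKey needs no extra parameters.
   */
  public static byte[] protect(CryptoManager cryptoManager, byte[] secret)
      throws GeneralSecurityException, CryptoManagerException {
    byte[] cipherText =
        cryptoManager.encryptUsingReplicatedKey(TRANSFORMATION, KEY_LENGTH_BITS, secret);
    byte[] recovered = cryptoManager.decryptUsingReplicatedKey(cipherText);
    if (!Arrays.equals(secret, recovered)) {
      throw new GeneralSecurityException("replicated-key round trip did not reproduce the plaintext");
    }
    return cipherText;
  }

  /**
   * Reports whether cipher text decrypts cleanly. A damaged prologue (unknown key
   * identifier, unreadable IV) surfaces as CryptoManagerException; a damaged body
   * typically surfaces from the JCE cipher as a GeneralSecurityException such as
   * bad padding. Either way the bytes must not be trusted.
   */
  public static boolean decryptsCleanly(CryptoManager cryptoManager, byte[] cipherText) {
    try {
      cryptoManager.decryptUsingReplicatedKey(cipherText);
      return true;
    } catch (CryptoManagerException e) {
      return false;
    } catch (GeneralSecurityException e) {
      return false;
    }
  }

  /**
   * Hashes a password with PBKDF2 over a per-entry salt concatenated with the
   * deployment pepper (cryptoManager.getDeploymentPepper()), so a copied hash
   * database cannot be attacked offline without the pepper held in cn=admin data.
   */
  public static byte[] hashWithPepper(byte[] pepper, byte[] salt, char[] password)
      throws GeneralSecurityException {
    byte[] effectiveSalt = new byte[salt.length + pepper.length];
    System.arraycopy(salt, 0, effectiveSalt, 0, salt.length);
    System.arraycopy(pepper, 0, effectiveSalt, salt.length, pepper.length);
    KeySpec spec = new PBEKeySpec(password, effectiveSalt, ITERATIONS, HASH_BITS);
    try {
      return SecretKeyFactory.getInstance(PBKDF2).generateSecret(spec).getEncoded();
    } finally {
      Arrays.fill(effectiveSalt, (byte) 0); // the pepper is a secret; do not leave extra copies around
    }
  }

  /** Constant-time comparison so verification timing does not reveal how many bytes matched. */
  public static boolean verifyWithPepper(byte[] pepper, byte[] salt, char[] password, byte[] stored)
      throws GeneralSecurityException {
    return MessageDigest.isEqual(hashWithPepper(pepper, salt, password), stored);
  }
}
```

Two points follow from the page's own description. Because the replicated key is distributed through cn=admin data, cipher text produced by protect() on one replica is decryptable on every other replica that has received that data, which is exactly why the page restricts these methods to replicated use and directs everything else to CryptoManager.CipherService. And because the pepper is deployment-wide and secret, a hash produced by hashWithPepper() can only be verified inside that deployment; if the pepper ever changes, every stored hash that used it stops verifying.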