net.shibboleth.utilities.java.support.security

Class DataSealer

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.security.DataSealer

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent

public class DataSealer
extends AbstractInitializableComponent

Applies a MAC to time-limited information and encrypts with a symmetric key.

Field Summary

Fields

Modifier and Type	Field and Description
private SecretKey	cipherKey Default key used for encryption.
private String	cipherKeyAlias Keystore alias for the default encryption key.
private String	cipherKeyPassword Password for encryption key(s).
private String	keystorePassword Password for keystore.
private Resource	keystoreResource Keystore resource.
private String	keystoreType Type of keystore to use for access to keys.
private Logger	log Class logger.
private SecureRandom	random Source of secure random data.

Constructor Summary

Constructors

Constructor and Description
DataSealer() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
void	doInitialize() Performs the initialization of the component.
private String	extractAndCheckDecryptedData(byte[] decryptedBytes) Extract the GZIP'd data and test for expiration before returning it.
SecretKey	getCipherKey() Returns the encryption key.
String	getCipherKeyAlias() Returns the encryption key alias.
String	getCipherKeyPassword() Returns the encryption key password.
String	getKeystorePassword() Returns the keystore password.
Resource	getKeystoreResource() Returns the keystore resource.
String	getKeystoreType() Returns the keystore type.
SecureRandom	getRandom() Returns the pseudorandom generator.
private SecretKey	loadKey(String alias) Load a particular key from the keystore designated by the bean's properties.
void	setCipherKeyAlias(String alias) Sets the default encryption key alias.
void	setCipherKeyPassword(String password) Sets the encryption key password.
void	setKeystorePassword(String password) Sets the keystore password.
void	setKeystoreResource(Resource resource) Sets the keystore resource.
void	setKeystoreType(String type) Sets the keystore type.
void	setRandom(SecureRandom r) Sets the pseudorandom generator.
private void	testEncryption() Run a test over the configured bean properties.
String	unwrap(String wrapped) Decrypts and verifies an encrypted bundle created with wrap(String, long).
String	wrap(String data, long exp) Encodes data into an AEAD-encrypted blob, gzip(exp|data) exp = expiration time of the data; 8 bytes; Big-endian data = the data; a UTF-8-encoded string

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

@Nonnull
private Logger log

Class logger.

cipherKey

@NonnullAfterInit
private SecretKey cipherKey

Default key used for encryption.

random

@NonnullAfterInit
private SecureRandom random

Source of secure random data.

keystoreType

@NonnullAfterInit
private String keystoreType

Type of keystore to use for access to keys.

keystoreResource

@NonnullAfterInit
private Resource keystoreResource

Keystore resource.

keystorePassword

@NonnullAfterInit
private String keystorePassword

Password for keystore.

cipherKeyAlias

@NonnullAfterInit
private String cipherKeyAlias

Keystore alias for the default encryption key.

cipherKeyPassword

@NonnullAfterInit
private String cipherKeyPassword

Password for encryption key(s).

Constructor Detail

DataSealer

public DataSealer()

Constructor.

Method Detail

doInitialize

public void doInitialize()
                  throws ComponentInitializationException

Performs the initialization of the component. This method is executed within the lock on the object being initialized. The default implementation of this method is a no-op.

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException - thrown if there is a problem initializing the component

getCipherKey

@NonnullAfterInit
public SecretKey getCipherKey()

Returns the encryption key.

Returns:

the encryption key

getRandom

@NonnullAfterInit
public SecureRandom getRandom()

Returns the pseudorandom generator.

Returns:

the pseudorandom generator

getKeystoreType

@NonnullAfterInit
public String getKeystoreType()

Returns the keystore type.

Returns:

the keystore type.

getKeystoreResource

@NonnullAfterInit
public Resource getKeystoreResource()

Returns the keystore resource.

Returns:

the keystore keystoreResource

getKeystorePassword

@NonnullAfterInit
public String getKeystorePassword()

Returns the keystore password.

Returns:

the keystore password

getCipherKeyAlias

@NonnullAfterInit
public String getCipherKeyAlias()

Returns the encryption key alias.

Returns:

the encryption key alias

getCipherKeyPassword

@NonnullAfterInit
public String getCipherKeyPassword()

Returns the encryption key password.

Returns:

the encryption key password

setRandom

public void setRandom(@Nonnull
             SecureRandom r)

Sets the pseudorandom generator.

Parameters:

r - the pseudorandom generator to set

setKeystoreType

public void setKeystoreType(@Nonnull@NotEmpty
                   String type)

Sets the keystore type.

Parameters:

type - the keystore type to set

setKeystoreResource

public void setKeystoreResource(@Nonnull@NotEmpty
                       Resource resource)

Sets the keystore resource.

Parameters:

resource - the keystore resource to set

setKeystorePassword

public void setKeystorePassword(@Nonnull@NotEmpty
                       String password)

Sets the keystore password.

Parameters:

password - the keystore password to set

setCipherKeyAlias

public void setCipherKeyAlias(@Nonnull@NotEmpty
                     String alias)

Sets the default encryption key alias.

Parameters:

alias - the encryption key alias to set

setCipherKeyPassword

public void setCipherKeyPassword(@Nonnull@NotEmpty
                        String password)

Sets the encryption key password.

Parameters:

password - the encryption key password to set

unwrap

@Nonnull
public String unwrap(@Nonnull@NotEmpty
                    String wrapped)
              throws DataSealerException

Decrypts and verifies an encrypted bundle created with wrap(String, long).

If the data indicates that a non-default key was used, an attempt to load this key from the keystore will be made.

Parameters:

wrapped - the encoded blob

Returns:

the decrypted data, if it's unexpired

Throws:

DataSealerException - if the data cannot be unwrapped and verified

extractAndCheckDecryptedData

@Nonnull
private String extractAndCheckDecryptedData(@Nonnull@NotEmpty
                                          byte[] decryptedBytes)
                                     throws DataSealerException

Extract the GZIP'd data and test for expiration before returning it.

Parameters:

decryptedBytes - the data we are looking at

Returns:

the decoded data if it is valid and unexpired

Throws:

DataSealerException - if the data cannot be unwrapped and verified

wrap

@Nonnull
public String wrap(@Nonnull@NotEmpty
                  String data,
                  long exp)
            throws DataSealerException

Encodes data into an AEAD-encrypted blob, gzip(exp|data)

• exp = expiration time of the data; 8 bytes; Big-endian
• data = the data; a UTF-8-encoded string

As part of encryption, the key alias is supplied as additional authenticated data to the cipher. Afterwards, the encrypted data is prepended by the IV and then again by the alias (in length-prefixed UTF-8 format), which identifies the key used. Finally the result is base64-encoded.

Parameters:

data - the data to wrap

exp - expiration time

Returns:

the encoded blob

Throws:

DataSealerException - if the wrapping operation fails

testEncryption

private void testEncryption()
                     throws DataSealerException

Run a test over the configured bean properties.

Throws:

DataSealerException - if the test fails

loadKey

@Nonnull
private SecretKey loadKey(@Nonnull@NotEmpty
                        String alias)
                   throws GeneralSecurityException,
                          IOException

Load a particular key from the keystore designated by the bean's properties.

Parameters:

alias - alias of the key to load

Returns:

the loaded key

Throws:

GeneralSecurityException - if the load fails due to a security-related issue

IOException - if the load process fails