Posted to commits@ofbiz.apache.org by do...@apache.org on 2012/05/05 01:37:06 UTC
svn commit: r1334257 - in /ofbiz/trunk/framework:
base/src/org/ofbiz/base/crypto/ entity/dtd/ entity/entitydef/
entity/src/org/ofbiz/entity/ entity/src/org/ofbiz/entity/config/
entity/src/org/ofbiz/entity/util/
Author: doogie
Date: Fri May 4 23:37:06 2012
New Revision: 1334257
URL: http://svn.apache.org/viewvc?rev=1334257&view=rev
Log:
FEATURE: Add key-encrypting-key support; this is to bring ofbiz *much*
closer to PCI compliance. This key handler is *still* not active.
Modified:
ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java
ofbiz/trunk/framework/entity/dtd/entity-config.xsd
ofbiz/trunk/framework/entity/entitydef/entitymodel.xml
ofbiz/trunk/framework/entity/src/org/ofbiz/entity/GenericDelegator.java
ofbiz/trunk/framework/entity/src/org/ofbiz/entity/config/DelegatorInfo.java
ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
Modified: ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java (original)
+++ ofbiz/trunk/framework/base/src/org/ofbiz/base/crypto/Main.java Fri May 4 23:37:06 2012
@@ -18,6 +18,8 @@
*******************************************************************************/
package org.ofbiz.base.crypto;
+import org.apache.commons.codec.binary.Base64;
+
public class Main {
public static void main(String[] args) throws Exception {
if (args[0].equals("-crypt")) {
@@ -26,6 +28,8 @@ public class Main {
@SuppressWarnings("deprecation")
String digest = HashCrypt.getDigestHash(args[1]);
System.out.println(digest);
+ } else if (args[0].equals("-kek")) {
+ System.out.println(Base64.encodeBase64String(DesCrypt.generateKey().getEncoded()));
}
}
}
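Review bot: The `-kek` branch at L38-39 generates the key-encrypting key with `DesCrypt.generateKey()`, so the KEK's strength is bounded by whatever DesCrypt uses; if that is DES or 3DES as the class name suggests, an AES key from `KeyGenerator.getInstance("AES")` would be the appropriate choice for a PCI-motivated KEK, and the same applies to the `DesCrypt.encrypt`/`decrypt` wrapping in EntityCrypto. The branch writes the key to stdout, which is what an operator needs for the `key-encrypting-key` attribute, but a comment such as `// KEK is printed in clear; keep it out of shell history and logs` would make the handling expectation explicit. The branch also has no usage output when `args[0]` matches nothing, but that predates this change. The body of main starts before this hunk.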
Modified: ofbiz/trunk/framework/entity/dtd/entity-config.xsd
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/dtd/entity-config.xsd?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/dtd/entity-config.xsd (original)
+++ ofbiz/trunk/framework/entity/dtd/entity-config.xsd Fri May 4 23:37:06 2012
@@ -127,6 +127,7 @@ under the License.
<xs:attribute type="xs:string" name="distributed-cache-clear-user-login-id" default="system"/>
<xs:attribute type="xs:string" name="sequenced-id-prefix"/>
<xs:attribute type="xs:string" name="default-group-name" default="org.ofbiz"/>
+ <xs:attribute type="xs:string" name="key-encrypting-key"/>
</xs:attributeGroup>
<xs:element name="group-map">
<xs:complexType>
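Review bot: The new `key-encrypting-key` attribute at L52 carries no documentation of its expected value, while the consumer added in EntityCrypto's constructor presumably Base64-decodes it and fails delegator construction if it is not a valid key. An `<xs:annotation><xs:documentation>` child stating that the value is the Base64 string printed by `org.ofbiz.base.crypto.Main -kek`, that it wraps the stored entity encryption keys, and that it is a secret to be kept out of version control would give deployers the contract in the one place they look. The enclosing attributeGroup starts before this hunk.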
Modified: ofbiz/trunk/framework/entity/entitydef/entitymodel.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/entitydef/entitymodel.xml?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/entitydef/entitymodel.xml (original)
+++ ofbiz/trunk/framework/entity/entitydef/entitymodel.xml Fri May 4 23:37:06 2012
@@ -105,6 +105,20 @@ under the License.
<key-map field-name="tenantId"/>
</relation>
</entity>
+ <entity entity-name="TenantKeyEncryptingKey" package-name="org.ofbiz.entity.tenant">
+ <description>
+ There should be one record for each tenant and each group-map for the active delegator.
+ The jdbc fields will override the datasource -> inline-jdbc values for the per-tenant delegator.
+ </description>
+ <field name="tenantId" type="id-ne"/>
+ <field name="keyName" type="id-vlong-ne"></field>
+ <field name="keyText" type="long-varchar"></field>
+ <prim-key field="tenantId"/>
+ <prim-key field="keyName"/>
+ <relation type="one" fk-name="TNTDTSRC_TNT" rel-entity-name="Tenant">
+ <key-map field-name="tenantId"/>
+ </relation>
+ </entity>
<!-- may be no reason for this entity, user is authenticated inside the tenant and this would only be useful to
get a list of tenants per user
<entity entity-name="TenantUserLogin" package-name="org.ofbiz.entity.tenant">
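Review bot: The `<description>` at L66-69 appears copied from the data-source tenant entity: it talks about jdbc fields overriding inline-jdbc values, which `TenantKeyEncryptingKey` does not have; something like `One record per tenant holding the Base64 key-encrypting-key that wraps the tenant's stored entity encryption keys; overrides the delegator's key-encrypting-key attribute.` would describe what the fields and the GenericDelegator lookup actually do. The relation's `fk-name="TNTDTSRC_TNT"` at L75 also reads like the data-source entity's constraint name; if it is the same, databases that require unique constraint names will fail DDL creation, so a distinct name (e.g. `TNTKEK_TNT`, constructed) is needed. Note that `keyName` is part of the primary key here (L74) while the lookup added in GenericDelegator passes only `tenantId`.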
Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/GenericDelegator.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/GenericDelegator.java?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/GenericDelegator.java (original)
+++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/GenericDelegator.java Fri May 4 23:37:06 2012
@@ -211,6 +211,7 @@ public class GenericDelegator implements
this.setDelegatorNames(delegatorFullName);
this.delegatorInfo = EntityConfigUtil.getDelegatorInfo(delegatorBaseName);
+ String kekText;
// before continuing, if there is a tenantId use the base delegator to see if it is valid
if (UtilValidate.isNotEmpty(this.delegatorTenantId)) {
Delegator baseDelegator = DelegatorFactory.getDelegator(this.delegatorBaseName);
@@ -220,6 +221,14 @@ public class GenericDelegator implements
} else if ("Y".equals(tenant.getString("disabled"))) {
throw new GenericEntityException("No Tenant record found for delegator [" + this.delegatorFullName + "] with tenantId [" + this.delegatorTenantId + "]");
}
+ GenericValue kekValue = baseDelegator.findOne("TenantKeyEncryptingKey", true, "tenantId", getDelegatorTenantId());
+ if (kekValue != null) {
+ kekText = kekValue.getString("keyText");
+ } else {
+ kekText = this.delegatorInfo.kekText;
+ }
+ } else {
+ kekText = this.delegatorInfo.kekText;
}
this.modelReader = ModelReader.getModelReader(delegatorBaseName);
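Review bot: `baseDelegator.findOne("TenantKeyEncryptingKey", true, "tenantId", getDelegatorTenantId())` at L98 supplies only `tenantId`, but the entity introduced in this commit declares a two-field primary key (`tenantId`, `keyName`), so this is a findOne with a partial primary key and will most likely not return the record (whether it throws or silently returns null I cannot confirm from the hunk). Either pass the key name too, e.g. `"tenantId", getDelegatorTenantId(), "keyName", <key name>`, or drop `keyName` from the primary key if one KEK per tenant is intended. Because the lookup uses the cache (`true`), a rotated KEK is not seen until the cache is cleared; that is probably acceptable for a construction-time read but deserves a comment. The constructor continues outside the hunk.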
@@ -249,7 +258,7 @@ public class GenericDelegator implements
// NOTE: doing some things before the ECAs and such to make sure it is in place just in case it is used in a service engine startup thing or something
// setup the crypto class; this also after the delegator is in the cache otherwise we get infinite recursion
- this.crypto = new EntityCrypto(this);
+ this.crypto = new EntityCrypto(this, kekText);
}
private void initializeOneGenericHelper(String groupName) {
Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/config/DelegatorInfo.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/config/DelegatorInfo.java?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/config/DelegatorInfo.java (original)
+++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/config/DelegatorInfo.java Fri May 4 23:37:06 2012
@@ -42,6 +42,7 @@ public class DelegatorInfo extends Named
public String sequencedIdPrefix;
public String defaultGroupName;
public Map<String, String> groupMap = new HashMap<String, String>();
+ public String kekText;
public DelegatorInfo(Element element) {
super(element);
@@ -69,5 +70,6 @@ public class DelegatorInfo extends Named
for (Element groupMapElement: UtilXml.childElementList(element, "group-map")) {
groupMap.put(groupMapElement.getAttribute("group-name"), groupMapElement.getAttribute("datasource-name"));
}
+ this.kekText = element.getAttribute("key-encrypting-key");
}
}
Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1334257&r1=1334256&r2=1334257&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java (original)
+++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java Fri May 4 23:37:06 2012
@@ -38,6 +38,7 @@ import org.ofbiz.base.util.Debug;
import org.ofbiz.base.util.GeneralException;
import org.ofbiz.base.util.StringUtil;
import org.ofbiz.base.util.UtilObject;
+import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.entity.EntityCryptoException;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
@@ -53,10 +54,16 @@ public final class EntityCrypto {
protected final ConcurrentMap<String, SecretKey> keyMap = new ConcurrentHashMap<String, SecretKey>();
protected final StorageHandler[] handlers;
- public EntityCrypto(Delegator delegator) {
+ public EntityCrypto(Delegator delegator, String kekText) throws EntityCryptoException {
this.delegator = delegator;
+ SecretKey kek;
+ try {
+ kek = UtilValidate.isNotEmpty(kekText) ? DesCrypt.getDesKey(Base64.decodeBase64(kekText)) : null;
+ } catch (GeneralException e) {
+ throw new EntityCryptoException(e);
+ }
handlers = new StorageHandler[] {
- // new SaltedBase64StorageHandler(),
+ // new SaltedBase64StorageHandler(kek),
NormalHashStorageHandler,
OldFunnyHashStorageHandler,
};
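Review bot: `kek` computed at L155 is never used, because its only consumer, `new SaltedBase64StorageHandler(kek)` at L161, is still commented out; a deployment that sets `key-encrypting-key` therefore has the key parsed, and a malformed one fails delegator construction via the wrapped `EntityCryptoException`, without any wrapping of stored keys taking place. That matches the log's "still not active", but a comment on L153 such as `// parsed eagerly so a bad key-encrypting-key fails at startup; unused until SaltedBase64StorageHandler is enabled` would stop a reader from assuming stored keys are already protected. Also note that `Base64.decodeBase64` does not reject non-Base64 input, so the only validation of the configured value is whatever `DesCrypt.getDesKey` does with the decoded length (not visible here).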
@@ -252,6 +259,12 @@ public final class EntityCrypto {
};
protected static final class SaltedBase64StorageHandler extends StorageHandler {
+ private final SecretKey kek;
+
+ protected SaltedBase64StorageHandler(SecretKey kek) {
+ this.kek = kek;
+ }
+
protected String getHashedKeyName(String originalKeyName) {
return HashCrypt.digestHash64("SHA", originalKeyName.getBytes());
}
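Review bot: The new `kek` field at L168 is nullable (EntityCrypto's constructor passes `null` when no key-encrypting-key is configured) and the handler's encode/decode methods branch on that, yet nothing documents it; add `/** Key used to wrap stored data keys; null means keys are stored Base64-encoded without wrapping. */` above L168. The class body of SaltedBase64StorageHandler continues past the hunk.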
@@ -260,13 +273,19 @@ public final class EntityCrypto {
return "{salted-base64}";
}
- protected byte[] decodeKeyBytes(String keyText) {
+ protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
byte[] keyBytes = Base64.decodeBase64(keyText);
+ if (kek != null) {
+ keyBytes = DesCrypt.decrypt(kek, keyBytes);
+ }
return keyBytes;
}
- protected String encodeKey(SecretKey key) {
+ protected String encodeKey(SecretKey key) throws GeneralException {
byte[] keyBytes = key.getEncoded();
+ if (kek != null) {
+ keyBytes = DesCrypt.encrypt(kek, keyBytes);
+ }
return Base64.encodeBase64String(keyBytes);
}
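Review bot: `decodeKeyBytes` (L181-187) unwraps unconditionally whenever `kek` is set, but the storage marker at L178 stays `{salted-base64}` with or without a KEK, so enabling a KEK on an installation that already holds keys, or rotating it later, leaves previously stored keys undecryptable and gives no way to tell wrapped from unwrapped records. A distinct marker for wrapped keys (e.g. a second handler whose `getKeyMapPrefix` returns `{kek-salted-base64}`, constructed name) or a stored key-name reference would let decode choose the right path. The wrapping also inherits DesCrypt's cipher; if that is DES/3DES as the name suggests, an AES key wrap (`AESWrap`, RFC 3394) is the more appropriate primitive for a PCI-motivated KEK. The enclosing class starts before this hunk.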