You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2016/01/20 05:10:39 UTC

[jira] [Commented] (OAK-3761) Oak crypto API and implementation

    [ https://issues.apache.org/jira/browse/OAK-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15107957#comment-15107957 ] 

Timothee Maret commented on OAK-3761:
-------------------------------------

The patch adds two modules, {{oak-crypto-api}} and {{oak-crypto-impl}}.
{{oak-crypto-api}} defines a single {{SymmetricCipher}} interface which contains a single method for decrypting ciphertext.
As suggested by [~chetanm] on oak-dev mailing list, the API does *not* expose the encryption method as of this version.
The API could be extended in the future in order to collect all features of symmetric ciphers (stream cipher, PBE, etc.).

{{oak-crypto-impl}} provides a default implementation of the {{oak-crypto-api}} API module. 
The implementation depends exclusively on security features available on compliant Java SE 7 platforms [0] ({{AES/CBC/PKCS5Padding}}, {{HmacSHA256}}, {{SecureRandom}}).

The (SecretKey) keys required for encryption are stored encrypted (using AES key wrap algorithm) on the file system.
Storing the keys in a keystore may make more sense, however there seems to be no suitable portable keystore as of Java 7.
Indeed, the only required and portable keystore with Java SE 7 compatible platforms is PKCS#12 [0].
The PKCS12 keystore implementation is limited though and, at least on Oracle JRE/JDK 1.7, does not allow to store SecretKey keys (only PrivateKey keys).
Using asymmetric key wrapping (based on a KeyPair from a PKCS12 keystore) is not feasible with Java SE 7 APIs only, indeed there is no API that allow signing certificates (we'd need to setup keys using the JRE tooling external to the JRE).
Oracle JRE/JDK 1.8 and OpenJDK 1.8 or JCEKS keystores (proprietary) with Oracle 1.7 would allow to store SecretKey keys in PKCS12 keystore though.

Finally, the module exposes a simple servlet where which allows to encrypt data.
Access to this servlet is currently not restricted.
Details regarding its usage can be found in the module README.

[0] https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl

> Oak crypto API and implementation
> ---------------------------------
>
>                 Key: OAK-3761
>                 URL: https://issues.apache.org/jira/browse/OAK-3761
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 1.3.12
>            Reporter: Timothee Maret
>            Assignee: angela
>         Attachments: OAK-3761.patch
>
>
> As discussed in [0], this issue tracks adding a simple API and implementation for encryption/decryption in Oak. 
> [0] http://oak.markmail.org/search/?q=crypto#query:crypto+page:1+mid:iwsfd66lku2dzs2n+state:results



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)