Posted to commits@ofbiz.apache.org by do...@apache.org on 2012/05/07 23:27:32 UTC

svn commit: r1335268 - /ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java

Author: doogie
Date: Mon May  7 21:27:32 2012
New Revision: 1335268

URL: http://svn.apache.org/viewvc?rev=1335268&view=rev
Log:
FEATURE: Key-encrypting-key(kek) support is now enabled.  To enable
support for this, run:

java org.ofbiz.base.crypto.Main -kek

and paste that value as a new attribute in entityengine.xml, <delegator
key-encrypting-key="$kekText"/>.  Make certain to add that attribute to
*all* delegators that share the same datasources.

ps: That java command should really be added to build.xml.

Modified:
    ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java

Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1335268&r1=1335267&r2=1335268&view=diff
==============================================================================
--- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java (original)
+++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java Mon May  7 21:27:32 2012
@@ -63,7 +63,7 @@ public final class EntityCrypto {
             throw new EntityCryptoException(e);
         }
         handlers = new StorageHandler[] {
-            // new SaltedBase64StorageHandler(kek),
+            new SaltedBase64StorageHandler(kek),
             NormalHashStorageHandler,
             OldFunnyHashStorageHandler,
         };
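Review bot: the handler array now constructs `new SaltedBase64StorageHandler(kek)` unconditionally, but this hunk does not show how `kek` is obtained or what happens when a delegator has no key-encrypting-key attribute configured; confirm that a null or empty kek fails fast with an EntityCryptoException (or skips the handler) rather than writing new values under an undefined key. The ordering is also load-bearing: the salted handler is tried first for new writes and reads, while `NormalHashStorageHandler` and `OldFunnyHashStorageHandler` remain only to read pre-existing values, so a one-line comment above the array stating that the order must not change would save a future maintainer from silently breaking migration.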



Re: svn commit: r1335268 - /ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java

Posted by Jacques Le Roux <ja...@les7arts.com>.
I'd be interested by some comments here also :)

Jacques

Hans Bakker wrote:
> Hi Adam,
> 
> Thanks for adding this feature. I would really love to use it; however, is
> it possible to provide more info than the information below? As far as I
> can see:
> 
> 1. generate a kek text with the "./ant gen-kek" command
> 2. add this text to entity-engine.xml:
> <delegator key-encrypting-key="$kekText"/>
> (is that at the root level? not yet added to the xsd?)
> 3. add this text to the TenantKeyEncryptingKey entity for the related tenant
> Does this affect the postgres datasource password?
> 
> Is this all? How about existing tenants? How can we use this feature for
> that?
> 
> Thanks in advance for your help,
> 
> regards,
> Hans
> 
> On 05/08/2012 04:27 AM, doogie@apache.org wrote:
>> Author: doogie
>> Date: Mon May  7 21:27:32 2012
>> New Revision: 1335268
>> 
>> URL: http://svn.apache.org/viewvc?rev=1335268&view=rev
>> Log:
>> FEATURE: Key-encrypting-key(kek) support is now enabled.  To enable
>> support for this, run:
>> 
>> java org.ofbiz.base.crypto.Main -kek
>> 
>> and paste that value as a new attribute in entityengine.xml,<delegator
>> key-encrypting-key="$kekText"/>.  Make certain to add that attribute to
>> *all* delegators that share the same datasources.
>> 
>> ps: That java command should really be added to build.xml.
>> 
>> Modified:
>>      ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
>> 
>> Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
>> URL:
>> http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1335268&r1=1335267&r2=1335268&view=diff
>> ============================================================================== ---
>> ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java (original) +++
>> ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java Mon May  7 21:27:32 2012 @@ -63,7 +63,7 @@ public final
>>               class EntityCrypto { throw new EntityCryptoException(e);
>>           }
>>           handlers = new StorageHandler[] {
>> -            // new SaltedBase64StorageHandler(kek),
>> +            new SaltedBase64StorageHandler(kek),
>>               NormalHashStorageHandler,
>>               OldFunnyHashStorageHandler,
>>           };

Re: svn commit: r1335268 - /ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java

Posted by Hans Bakker <ma...@antwebsystems.com>.
Hi Adam,

Thanks for adding this feature. I would really love to use it; however, is
it possible to provide more info than the information below? As far as I
can see:

1. generate a kek text with the "./ant gen-kek" command
2. add this text to entity-engine.xml:
<delegator key-encrypting-key="$kekText"/>
(is that at the root level? not yet added to the xsd?)
3. add this text to the TenantKeyEncryptingKey entity for the related tenant
Does this affect the postgres datasource password?

Is this all? How about existing tenants? How can we use this feature for
that?

Thanks in advance for your help,

regards,
Hans

On 05/08/2012 04:27 AM, doogie@apache.org wrote:
> Author: doogie
> Date: Mon May  7 21:27:32 2012
> New Revision: 1335268
>
> URL: http://svn.apache.org/viewvc?rev=1335268&view=rev
> Log:
> FEATURE: Key-encrypting-key(kek) support is now enabled.  To enable
> support for this, run:
>
> java org.ofbiz.base.crypto.Main -kek
>
> and paste that value as a new attribute in entityengine.xml,<delegator
> key-encrypting-key="$kekText"/>.  Make certain to add that attribute to
> *all* delegators that share the same datasources.
>
> ps: That java command should really be added to build.xml.
>
> Modified:
>      ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
>
> Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1335268&r1=1335267&r2=1335268&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java (original)
> +++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java Mon May  7 21:27:32 2012
> @@ -63,7 +63,7 @@ public final class EntityCrypto {
>               throw new EntityCryptoException(e);
>           }
>           handlers = new StorageHandler[] {
> -            // new SaltedBase64StorageHandler(kek),
> +            new SaltedBase64StorageHandler(kek),
>               NormalHashStorageHandler,
>               OldFunnyHashStorageHandler,
>           };
>
>


Re: svn commit: r1335268 - /ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java

Posted by Adam Heath <do...@brainfood.com>.
On 05/07/2012 04:27 PM, doogie@apache.org wrote:
> Author: doogie
> Date: Mon May  7 21:27:32 2012
> New Revision: 1335268
> 
> URL: http://svn.apache.org/viewvc?rev=1335268&view=rev
> Log:
> FEATURE: Key-encrypting-key(kek) support is now enabled.  To enable
> support for this, run:
> 
> java org.ofbiz.base.crypto.Main -kek
> 
> and paste that value as a new attribute in entityengine.xml, <delegator
> key-encrypting-key="$kekText"/>.  Make certain to add that attribute to
> *all* delegators that share the same datasources.
> 
> ps: That java command should really be added to build.xml.

I could use some help here.

* We need to get the documentation updated for this.
* Add mention of this to the monthly features.
* Backport to 12.04 (other old branches?).  It also requires the
HashCrypt changes.
* Testing.
* top-level build.xml calling crypto.Main -kek.

The steps to enable kek for new installs:

* Before creation of the database (basically, before load-demo or any other
load command):
  * run crypto.Main -kek
  * modify entityengine.xml:
  * <delegator ... key-encrypting-key="$kekText"/>
* create database, load data.
* For each tenant, before running the first time, create a
TenantKeyEncryptingKey, with kekText set to the output of crypto.Main -kek (a new
value for each tenant).

During an upgrade, it's almost the same.  However, you might want to
create the TenantKeyEncryptingKey table by hand beforehand.  If the
kek value is created before any new data is written to the database,
then everything will just happen for free.

I made a database copy of a 595296-era ofbiz install, posted
localpostnew at it, generated key-encrypting-key="$kekText", started
ofbiz, went to webtools, edited a CreditCard without changing
anything, then verified in the database that CreditCard.cardNumber was
different (base64), and that a new entry in EntityKeyStore (base64) was
added.  I verified that the existing value (using hex encoding) was
readable before enabling the kek handler in EntityCrypto, and that it
was still readable after enabling the handler.

> Modified:
>     ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
> 
> Modified: ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java
> URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java?rev=1335268&r1=1335267&r2=1335268&view=diff
> ==============================================================================
> --- ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java (original)
> +++ ofbiz/trunk/framework/entity/src/org/ofbiz/entity/util/EntityCrypto.java Mon May  7 21:27:32 2012
> @@ -63,7 +63,7 @@ public final class EntityCrypto {
>              throw new EntityCryptoException(e);
>          }
>          handlers = new StorageHandler[] {
> -            // new SaltedBase64StorageHandler(kek),
> +            new SaltedBase64StorageHandler(kek),
>              NormalHashStorageHandler,
>              OldFunnyHashStorageHandler,
>          };
> 
>
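As an added illustration of the migration property Adam tested above (new values written base64 under a kek-wrapped key, old hex values still readable through the fallback handlers), the following is a self-contained model and not OFBiz's EntityCrypto code. It assumes the kek is an AES key, that the key store holds a data key wrapped under it, and that legacy values are hex-encoded under a bare data key; it needs Java 17 for HexFormat.

```java
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Model (not OFBiz code) of a KEK-wrapped key store and an ordered storage-handler chain. */
public class KekHandlerChain {
    interface StorageHandler { String decrypt(String stored) throws Exception; }
    static final SecureRandom RNG = new SecureRandom();
    static SecretKey newKey() { byte[] b = new byte[32]; RNG.nextBytes(b); return new SecretKeySpec(b, "AES"); }
    // AES-GCM; a random 12-byte IV is prepended to the ciphertext so each stored value is "salted".
    static byte[] seal(SecretKey k, byte[] pt) throws Exception {
        byte[] iv = new byte[12]; RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(pt), out = Arrays.copyOf(iv, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    static byte[] open(SecretKey k, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, Arrays.copyOf(blob, 12)));
        return c.doFinal(blob, 12, blob.length - 12);   // throws AEADBadTagException on a wrong key/format
    }
    // Handlers are tried in the order of the diff: kek-aware salted-base64 first, legacy hex as fallback.
    static String read(String stored, StorageHandler... handlers) throws Exception {
        Exception last = null;
        for (StorageHandler h : handlers) {
            try { return h.decrypt(stored); } catch (Exception e) { last = e; }
        }
        throw new IllegalStateException("no handler could decrypt value", last);
    }
    public static void main(String[] args) throws Exception {
        SecretKey kek = newKey();   // stands in for the crypto.Main -kek output (assumed to be an AES key)
        SecretKey dek = newKey();   // data-encrypting key for one delegator/tenant
        byte[] card = "4111111111111111".getBytes("UTF-8");   // constructed sample CreditCard.cardNumber
        // New EntityKeyStore-style row: the data key wrapped under the kek, base64-encoded.
        String wrappedDek = Base64.getEncoder().encodeToString(seal(kek, dek.getEncoded()));
        StorageHandler saltedBase64 = s -> {
            SecretKey k = new SecretKeySpec(open(kek, Base64.getDecoder().decode(wrappedDek)), "AES");
            return new String(open(k, Base64.getDecoder().decode(s)), "UTF-8");
        };
        // Legacy row: hex-encoded ciphertext under the bare data key (assumed pre-kek layout, for contrast).
        StorageHandler legacyHex = s -> new String(open(dek, HexFormat.of().parseHex(s)), "UTF-8");
        String newValue = Base64.getEncoder().encodeToString(seal(dek, card));
        String oldValue = HexFormat.of().formatHex(seal(dek, card));
        // Both storage formats are readable through the same ordered chain; the old one only via the fallback.
        System.out.println(read(newValue, saltedBase64, legacyHex));
        System.out.println(read(oldValue, saltedBase64, legacyHex));
    }
}
```

Because the first handler authenticates with GCM, a legacy hex value fails there cleanly and drops through to the fallback instead of yielding garbage, which is the behaviour that lets the kek handler be enabled on an existing database.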