Package org.silverpeas.core.security.encryption

Class DefaultContentEncryptionService

  • All Implemented Interfaces:
    ContentEncryptionService
    @Service
@Named("contentEncryptionService")
public class DefaultContentEncryptionService
extends Object
implements ContentEncryptionService
    It is the default implementation of the ContentEncryptionService interface in Silverpeas.

    This implementation manages the encryption of the content with the AES-256 cipher and it stores the cipher key into a file after encrypting it with another cryptographic algorithm, CAST-128 (a CAST5 cipher), in order to protect it. The two keys are set together in the key file which is located in an hidden directory. The key file is hidden and readonly.

    It manages the cipher key by maintaining both the actual cipher key used to encrypt and decrypt the content and the previous one so that the cipher of some old contents can be renewed with the new key after decrypting them with the old key.

    This implementation used two additional classes to perform its task: the ConcurrentEncryptionTaskExecutor class to ensure the execution of the different methods are done by following the concurrency policy expected by the ContentEncryptionService interface, and the CryptographicTask class to represent a encryption or a decryption of contents provided by some content iterators (they implement the EncryptionContentIterator interface).

    • Constructor Detail

      • DefaultContentEncryptionService

        protected DefaultContentEncryptionService()

    • Method Detail

      • registerForRenewingContentCipher

        public void registerForRenewingContentCipher​(EncryptionContentIterator iterator)
        Registers the specified iterator on some encrypted contents for which the cipher has to be renewed when the encryption key is updated.

        This method is dedicated to the content management service for providing to the content encryption services a way to access the encrypted contents they manage in order to renew their cipher when the encryption key is updated.

        Specified by:
        registerForRenewingContentCipher in interface ContentEncryptionService
        Parameters:
        iterator - a provider of encrypted content in the form of a EncryptionContentIterator iterator.

      • updateCipherKey

        public void updateCipherKey​(String key)
                     throws CryptoException
        Updates the key to use to encrypt and to decrypt the enciphered content. The key must be in hexadecimal and sized in 256 bits otherwise an AssertionError will be thrown. If no previous key existed, then the cipher key will be created with the specified one and it will be used to encrypt and to decrypt at the demand the content in Silverpeas.

        The update of the key triggers automatically the renew of the cipher of the encrypted contents in Silverpeas with the new cipher key. If one of the cipher renew of one of the encrypted content failed, the key update is rolled-back (the key isn't updated).

        The execution of this method will block any other call of the DefaultContentEncryptionService methods for all of its instances in order to prevent incoherent state of encrypted contents. Any attempts to execute one of the DefaultContentEncryptionService method, whereas this method is running, will raise an IllegalStateException exception.

        Specified by:
        updateCipherKey in interface ContentEncryptionService
        Parameters:
        key - the new symmetric key in hexadecimal.
        Throws:
        CryptoException - if an error while renewing the cipher of the encrypted contents with the new cipher key.

      • encryptContent

        public String[] encryptContent​(String... contentParts)
                        throws CryptoException
        Encrypts the specified content by using the encryption key that was set with the updateCipherKey(String) method.
        Specified by:
        encryptContent in interface ContentEncryptionService
        Parameters:
        contentParts - either the different part of a content to encrypt or several single textual contents to encrypt.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Returns:
        an array with the different parts of the content, encrypted and in base64, in the same order they were passed as argument of this method.
        Throws:
        CryptoException - the encryption of one of the content (or content part) failed.

      • encryptContent

        public Map<String,​String> encryptContent​(Map<String,​String> content)
                                        throws CryptoException
        Encrypts the specified content by using the encryption key that was set with the updateCipherKey(String) method.

        The content is here in the form of a Map instance in which each entry represents a field or a property of the content. The method returns also a Map with, for each entry, the field or the property encrypted and in base64.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Specified by:
        encryptContent in interface ContentEncryptionService
        Parameters:
        content - the content to encrypt in the form of a Map instance. Each entry in the Map represents a field/property of the content to encrypt.
        Returns:
        a Map with the different field/property of the content encrypted.
        Throws:
        CryptoException - the encryption of the content failed.

      • encryptContents

        public void encryptContents​(EncryptionContentIterator... iterators)
                     throws CryptoException
        Encrypts the contents provided by the specified iterators.

        This method is for encrypting in batch several and possibly different contents. If there is more than one iterator on contents, each of them will be taken in charge concurrently by a pool of several threads.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Specified by:
        encryptContents in interface ContentEncryptionService
        Parameters:
        iterators - the iterators on the contents to encrypt.
        Throws:
        CryptoException

      • decryptContent

        public String[] decryptContent​(String... encryptedContentParts)
                        throws CryptoException
        Decrypts the specified encrypted content by using the encryption key that was set with the updateCipherKey(String) method.
        Specified by:
        decryptContent in interface ContentEncryptionService
        Parameters:
        encryptedContentParts - either the different part of an encrypted content to decrypt or several single encrypted textual contents to decrypt.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Returns:
        an array with the different parts of the decrypted content in the same order they were passed as argument of this method.
        Throws:
        CryptoException - the decryption of one of the encrypted content (or content part) failed.

      • decryptContent

        public Map<String,​String> decryptContent​(Map<String,​String> encryptedContent)
                                        throws CryptoException
        Decrypts the specified encrypted content by using the encryption key that was set with the updateCipherKey(String) method.

        The encrypted content is here in the form of a Map instance in which each entry represents a field or a property of the encrypted content. The method returns also a Map with, for each entry, the field or the property decrypted.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Specified by:
        decryptContent in interface ContentEncryptionService
        Parameters:
        encryptedContent - the content to decrypt in the form of a Map instance. Each entry in the Map represents a field/property of the content to decrypt.
        Returns:
        a Map with the different field/property of the content decrypted.
        Throws:
        CryptoException - the decryption of the content failed.

      • decryptContents

        public void decryptContents​(EncryptionContentIterator... iterators)
                     throws CryptoException
        Decrypts the encrypted contents provided by the specified iterators.

        This method is for decrypting in batch several and possibly different encrypted contents. If there is more than one iterator on contents, each of them will be taken in charge concurrently by a pool of several threads.

        If the encryption key is is being updated, an IllegalStateException is thrown.

        Specified by:
        decryptContents in interface ContentEncryptionService
        Parameters:
        iterators - the iterators on the contents to decrypt.
        Throws:
        CryptoException

      • renewCipherOfContents

        public void renewCipherOfContents​(EncryptionContentIterator... iterators)
                           throws CryptoException
        Renews explicitly the cipher of the contents provided by the specified iterators.

        This method is mainly for encrypted contents for which the renew of their cipher has failed when the encryption key has been updated.

        The execution of this method will block any other call of the DefaultContentEncryptionService methods for all of its instances in order to prevent incoherent state of encrypted contents. Any attempts to execute one of the DefaultContentEncryptionService method, whereas this method is running, will raise an IllegalStateException exception.

        If it doesn't exist a previous encryption key required to decrypt the contents before encrypting them with the actual encryption key, then nothing is performed by this method and it will return silently.

        Specified by:
        renewCipherOfContents in interface ContentEncryptionService
        Parameters:
        iterators - the iterators on the encrypted contents for which their cipher has to be renewed.
        Throws:
        CryptoException - if an error occurs while renewing the cipher of the contents with the actual encryption key.

      • encryptContent

        protected static Map<String,​String> encryptContent​(Map<String,​String> content,
                                                         Cipher cipher,
                                                         CipherKey key)
                                                  throws CryptoException
        Encrypts the specified content by using the specified cipher with the specified cipher key.
        Parameters:
        content - the content to encrypt in the form of a Map in which each entry is a property or a field of the content.
        cipher - the cipher to encrypt the content.
        key - the cipher key.
        Returns:
        the encrypted content.
        Throws:
        CryptoException - if an error occurs while encrypting the content.

      • decryptContent

        protected static Map<String,​String> decryptContent​(Map<String,​String> encryptedContent,
                                                         Cipher cipher,
                                                         CipherKey key)
                                                  throws CryptoException
        Decrypts the specified content by using the specified cipher with the specified cipher key.
        Parameters:
        encryptedContent - the encrypted content to decrypt in the form of a Map in which each entry is a property or a field of the content.
        cipher - the cipher to decrypt the content.
        key - the cipher key.
        Returns:
        the decrypted content.
        Throws:
        CryptoException - if an error occurs while decrypting the content.

      • getActualCipherKey

        protected static CipherKey getActualCipherKey()
                                       throws CryptoException
        Gets the actual cipher key to use in the content encryption/decryption.
        Returns:
        the asked cipher key.
        Throws:
        CryptoException - if the cipher key cannot be get.

      • getPreviousCipherKey

        protected static CipherKey getPreviousCipherKey()
                                         throws CryptoException
        Gets the previous cipher key that was used in the content encryption/decryption.
        Returns:
        the asked cipher key.
        Throws:
        CryptoException - if the cipher key cannot be get.

      • getCipherForContentEncryption

        protected static Cipher getCipherForContentEncryption()
        Gets the cipher to use to encrypt/decrypt a content.
        Returns:
        the cipher used in the content encryption.