OPENDJ-3086 Acquire and distribute encryption keys when applying config changes to backends
When setting confidentiality for a backend, verify that a key exists for the cipher, generating it if none is available
and making it available across the topology, so that all tasks without the server running will find a key.
| | |
|---|
| | | @Override |
|---|
| | | public boolean isConfigurationChangeAcceptable(PluggableBackendCfg cfg, List<LocalizableMessage> unacceptableReasons) |
|---|
| | | { |
|---|
| | | if (cfg.isConfidentialityEnabled()) |
|---|
| | | { |
|---|
| | | final String cipherTransformation = cfg.getCipherTransformation(); |
|---|
| | | final int keyLength = cfg.getCipherKeyLength(); |
|---|
| | | |
|---|
| | | try |
|---|
| | | { |
|---|
| | | serverContext.getCryptoManager().ensureCipherKeyIsAvailable(cipherTransformation, keyLength); |
|---|
| | | } |
|---|
| | | catch (Exception e) |
|---|
| | | { |
|---|
| | | unacceptableReasons.add(ERR_BACKEND_FAULTY_CRYPTO_TRANSFORMATION.get(cipherTransformation, keyLength, e)); |
|---|
| | | return false; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | else |
|---|
| | | { |
|---|
| | | StringBuilder builder = new StringBuilder(); |
|---|
| | | for (AttributeIndex attributeIndex : attrIndexMap.values()) |
|---|
| | | { |
|---|
| | | if (attributeIndex.isConfidentialityEnabled() && !cfg.isConfidentialityEnabled()) |
|---|
| | | if (attributeIndex.isConfidentialityEnabled()) |
|---|
| | | { |
|---|
| | | if (builder.length() > 0) |
|---|
| | | { |
|---|
| | |
|---|
| | | unacceptableReasons.add(ERR_BACKEND_CANNOT_CHANGE_CONFIDENTIALITY.get(getBaseDN(), builder.toString())); |
|---|
| | | return false; |
|---|
| | | } |
|---|
| | | } |
|---|
| | | return true; |
|---|
| | | } |
|---|
| | | |
|---|
| | |
|---|
| | | return new CipherOutputStream(outputStream, cipher); |
|---|
| | | } |
|---|
| | | |
|---|
| | | @Override |
|---|
| | | public void ensureCipherKeyIsAvailable(String cipherTransformation, int cipherKeyLength) throws CryptoManagerException |
|---|
| | | { |
|---|
| | | getCipherKeyEntry(cipherTransformation, cipherKeyLength); |
|---|
| | | } |
|---|
| | | |
|---|
| | | private CipherKeyEntry getCipherKeyEntry(String cipherTransformation, int keyLengthBits) throws CryptoManagerException |
|---|
| | | { |
|---|
| | | CipherKeyEntry keyEntry = CipherKeyEntry.getCipherKeyEntryOrNull(this, cipherTransformation, keyLengthBits); |
|---|
| | |
|---|
| | | * @param encrypt true if the user of the crypto suite needs encryption |
|---|
| | | */ |
|---|
| | | CryptoSuite newCryptoSuite(String cipherTransformation, int cipherKeyLength, boolean encrypt); |
|---|
| | | |
|---|
| | | /** |
|---|
| | | * Ensures that a key exists for the provided cipher transformation and key length. |
|---|
| | | * If none exists, a new one will be created. |
|---|
| | | *<p> |
|---|
| | | * Newly created keys will be published and propagated to the replication topology. |
|---|
| | | * |
|---|
| | | * @param cipherTransformation cipher transformation string specification |
|---|
| | | * @param cipherKeyLength length of key in bits |
|---|
| | | * @throws CryptoManagerException If a problem occurs managing the encryption key |
|---|
| | | */ |
|---|
| | | void ensureCipherKeyIsAvailable(String cipherTransformation, int cipherKeyLength) throws CryptoManagerException; |
|---|
| | | |
|---|
| | | } |
|---|
| | |
|---|
| | | following indexes have confidentiality still enabled: %s |
|---|
| | | NOTE_CONFIG_INDEX_CONFIDENTIALITY_REQUIRES_REBUILD_607=Changing confidentiality for index '%s' requires the index \ |
|---|
| | | to be rebuilt before it can be used again |
|---|
| | | ERR_BACKEND_FAULTY_CRYPTO_TRANSFORMATION_608=Error while enabling confidentiality with cipher %s, %d bits: %s |
|---|
