CoherenceTM v3.3
Copyright© 2000-2007 by Oracle Corporation

com.tangosol.net.security
Class AsymmetricEncryptionFilter

java.lang.Object
  extended by com.tangosol.util.Base
      extended by com.tangosol.net.security.AbstractEncryptionFilter
          extended by com.tangosol.net.security.AsymmetricEncryptionFilter
All Implemented Interfaces:
WrapperStreamFactory, XmlConfigurable

public class AsymmetricEncryptionFilter
extends AbstractEncryptionFilter

Asymmetric encryption filter implementation.

This filter will encrypt the contents with the originator's private key so that it may be validated as trusted by the recipient(s).

The filter is configured with a Java KeyStore from which it will retrieve its local certificate and private key.

Each inbound message will have its sender's certificate validated via a call to the validate(Certificate) method. The default implementation simply validates that the certificate exists within the configured keystore and, in the case of X.509 certificates, that it has not expired. This class may be extended in order to provide custom validation logic.

As this is a fairly expensive filter, it is not intended for use on services with high traffic loads. Additionally, as it encrypts with the originator's private key, any party holding the originator's public certificate can decrypt the payload, so it is not intended for transporting sensitive data. It is generally used only to protect the ClusterService (hence cluster membership) via the ClusterEncryptionFilter.
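The preceding two points (origin is provable, confidentiality is not) follow from encrypting with a private key, and the following stand-alone program makes that concrete. It is an added example and not Coherence code: it uses only the JDK's JCA RSA cipher, generates a constructed key pair in place of the filter's keystore entry, and does not touch the filter or the ClusterService.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

/**
 * Added example (not part of Coherence): shows what "encrypt with the
 * originator's private key" does and does not give you.
 */
public class PrivateKeyEncryptionDemo
    {
    /** RSA with PKCS#1 v1.5 padding, available from the JDK's default providers. */
    private static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    public static void main(String[] args) throws Exception
        {
        // Constructed key pair standing in for the originator's keystore entry.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair originator = gen.generateKeyPair();

        byte[] message = "cluster membership announcement".getBytes("UTF-8");

        // Originator side: the payload is encrypted with the PRIVATE key.
        Cipher enc = Cipher.getInstance(TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, originator.getPrivate());
        byte[] ciphertext = enc.doFinal(message);

        // Recipient side: every holder of the originator's certificate (its public
        // key) can recover the plaintext. Success proves who produced the message;
        // it gives no confidentiality, which is why the filter is unsuitable for
        // sensitive data.
        Cipher dec = Cipher.getInstance(TRANSFORMATION);
        dec.init(Cipher.DECRYPT_MODE, originator.getPublic());
        byte[] recovered = dec.doFinal(ciphertext);
        System.out.println("recipient read: " + new String(recovered, "UTF-8"));

        // A message produced under some other, unrelated private key does not
        // decrypt cleanly under the originator's public key: the PKCS#1 padding
        // check fails, which is the "validated as trusted" property in practice.
        KeyPair unrelated = gen.generateKeyPair();
        Cipher encOther = Cipher.getInstance(TRANSFORMATION);
        encOther.init(Cipher.ENCRYPT_MODE, unrelated.getPrivate());
        byte[] otherCiphertext = encOther.doFinal(message);
        try
            {
            dec.init(Cipher.DECRYPT_MODE, originator.getPublic());
            dec.doFinal(otherCiphertext);
            System.out.println("unexpected: payload from another key was accepted");
            }
        catch (BadPaddingException e)
            {
            System.out.println("rejected payload from a different private key: " + e);
            }
        }
    }
```

Run it with any current JDK (no extra JCA provider is needed for RSA there); the first line shows the plaintext recovered with nothing but the public key, the second shows the padding failure for a payload from a different key pair.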

In order to use this filter you must have configured your JVM with a suitable JCA public key cryptography provider such as the one provided by Bouncy Castle. See the JCA documentation for details on installing and configuring JCA providers.
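The description above says validate(Certificate) may be overridden for custom validation logic. The subclass below is an added example, not part of Coherence, of how a deployment might tighten the default check: it keeps the documented default via super.validate(cert), then additionally rejects non-X.509 certificates, re-checks the validity window (which also catches not-yet-valid certificates), and pins the issuer. The class name PinnedIssuerEncryptionFilter and the issuer DN are constructed for illustration; the only Coherence symbols used are those documented on this page.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

import com.tangosol.net.security.AsymmetricEncryptionFilter;

/**
 * Added example (not Coherence code): an AsymmetricEncryptionFilter whose
 * peer-certificate validation is stricter than the documented default.
 */
public class PinnedIssuerEncryptionFilter extends AsymmetricEncryptionFilter
    {
    /**
     * Issuer every peer certificate must carry. A constructed value; a real
     * deployment would take this from configuration.
     */
    private static final X500Principal EXPECTED_ISSUER =
        new X500Principal("CN=Example Cluster CA, O=Example Corp");

    /**
     * Validate the specified Certificate as trusted.
     *
     * @param cert the certificate to validate
     *
     * @throws SecurityException if certificate is invalid or untrusted
     */
    protected void validate(Certificate cert)
        {
        // 1. Keep the documented default: the certificate must exist in the
        //    configured keystore and, if X.509, must not be expired.
        super.validate(cert);

        // 2. Only X.509 certificates carry an issuer and validity window, so
        //    refuse anything else rather than skipping the checks below.
        if (!(cert instanceof X509Certificate))
            {
            throw new SecurityException(
                "peer certificate is not X.509: " + cert.getType());
            }
        X509Certificate x509 = (X509Certificate) cert;

        // 3. Re-check the validity window explicitly; checkValidity() also
        //    rejects certificates whose notBefore date is still in the future.
        try
            {
            x509.checkValidity();
            }
        catch (CertificateException e)
            {
            throw new SecurityException(
                "peer certificate is outside its validity period", e);
            }

        // 4. Pin the issuer so that merely being present in the keystore under
        //    some alias is not enough for a peer to be accepted.
        //    X500Principal.equals() compares canonical DN forms.
        X500Principal issuer = x509.getIssuerX500Principal();
        if (!EXPECTED_ISSUER.equals(issuer))
            {
            throw new SecurityException(
                "peer certificate issuer is not the cluster CA: " + issuer);
            }
        }
    }
```

The subclass is wired in wherever the filter class name is given in the Coherence configuration, so the ClusterEncryptionFilter path described above picks up the stricter validate() without further changes. Calling super.validate(cert) first preserves the keystore-membership check this page documents, so the override only ever narrows what is accepted.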

Author:
mf 2006.08.01
See Also:
setConfig(com.tangosol.run.xml.XmlElement), ClusterEncryptionFilter

Nested Class Summary
 class AsymmetricEncryptionFilter.IdentityInputStream
          Stream which reads an unencrypted identity header followed by an encrypted payload.
 class AsymmetricEncryptionFilter.IdentityOutputStream
          Stream which writes an unencrypted identity header followed by an encrypted payload.
 
Field Summary
static String DEFAULT_TRANSFORMATION
          Default transformation
protected  Certificate m_certificateLocal
          The local Certificate
protected  Key m_keyPrivate
          The local PrivateKey
protected  KeyStore m_keystore
          The KeyStore
protected  Map m_mapMemberCertificate
          Map of Member to their certificates
 
Fields inherited from class com.tangosol.net.security.AbstractEncryptionFilter
DEFAULT_KEYSTORE_PATH, DEFAULT_KEYSTORE_TYPE, m_specCipherParams, m_sTransformation, m_tlsCipher
 
Constructor Summary
AsymmetricEncryptionFilter()
          Default constructor
 
Method Summary
 byte[] decryptPrivate(byte[] abEnc)
          Decrypt the supplied data with the local private key.
 byte[] encryptPrivate(byte[] abData, Member member)
          Encrypt the supplied data for privacy using the supplied Member's public key.
protected  Certificate getCertificate(Member member)
          Return the Certificate associated with the specified Member.
protected  Certificate getCertificateLocal()
          Return the filter's certificate.
 InputStream getInputStream(InputStream stream)
          Requests an InputStream that wraps the passed InputStream.
protected  KeyStore getKeyStore()
          Return the filter's KeyStore.
 OutputStream getOutputStream(OutputStream stream)
          Requests an OutputStream that wraps the passed OutputStream.
protected  Key getPrivateKey()
          Return the filter's private encryption key.
protected  void setCertificate(Member member, Certificate cert)
          Specify the Certificate associated with a Member.
protected  void setCertificateLocal(Certificate cert)
          Specify the filter's certificate.
 void setConfig(XmlElement xml)
          Configures the Encryption filter for asymmetric encryption using a private key and Certificate from a KeyStore.
protected  void setKeyStore(KeyStore keystore)
          Specify the filter's KeyStore.
protected  void setPrivateKey(Key key)
          Specify the filter's private encryption key.
protected  void validate(Certificate cert)
          Validate the specified Certificate as trusted.
 
Methods inherited from class com.tangosol.net.security.AbstractEncryptionFilter
ensureSecurityException, ensureSecurityException, getCipher, getCipherParams, getCipherTransformation, getConfig, getKeyStore, makeCipher, setCipherParams, setCipherTransformation
 

Field Detail

m_keyPrivate

protected Key m_keyPrivate
The local PrivateKey


m_certificateLocal

protected Certificate m_certificateLocal
The local Certificate


m_keystore

protected KeyStore m_keystore
The KeyStore


m_mapMemberCertificate

protected Map m_mapMemberCertificate
Map of Member to their certificates


DEFAULT_TRANSFORMATION

public static final String DEFAULT_TRANSFORMATION
Default transformation

See Also:
Constant Field Values
Constructor Detail

AsymmetricEncryptionFilter

public AsymmetricEncryptionFilter()
Default constructor

Method Detail

getInputStream

public InputStream getInputStream(InputStream stream)
Description copied from interface: WrapperStreamFactory
Requests an InputStream that wraps the passed InputStream.

Parameters:
stream - the java.io.InputStream to be wrapped
Returns:
an InputStream that delegates to ("wraps") the passed InputStream

getOutputStream

public OutputStream getOutputStream(OutputStream stream)
Description copied from interface: WrapperStreamFactory
Requests an OutputStream that wraps the passed OutputStream.

Parameters:
stream - the java.io.OutputStream to be wrapped
Returns:
an OutputStream that delegates to ("wraps") the passed OutputStream

setConfig

public void setConfig(XmlElement xml)
Configures the Encryption filter for asymmetric encryption using a private key and Certificate from a KeyStore. Supported configuration parameters include:

Parameters:
xml - the XML configuration for the object

getCertificate

protected Certificate getCertificate(Member member)
Return the Certificate associated with the specified Member.

Parameters:
member - the Member for which to return the certificate
Returns:
the Member's certificate or null if unknown

setCertificate

protected void setCertificate(Member member,
                              Certificate cert)
Specify the Certificate associated with a Member.

Parameters:
member - the Member with which to associate the certificate
cert - the certificate to associate with the Member

validate

protected void validate(Certificate cert)
Validate the specified Certificate as trusted.

Parameters:
cert - the certificate to validate
Throws:
SecurityException - if certificate is invalid or untrusted

encryptPrivate

public byte[] encryptPrivate(byte[] abData,
                             Member member)
Encrypt the supplied data for privacy using the supplied Member's public key.

Parameters:
abData - the data to be encrypted
member - the Member for which the public key will be used
Returns:
the encrypted data

decryptPrivate

public byte[] decryptPrivate(byte[] abEnc)
Decrypt the supplied data with the local private key.

Parameters:
abEnc - the encrypted data
Returns:
the decrypted data

setPrivateKey

protected void setPrivateKey(Key key)
Specify the filter's private encryption key.

Parameters:
key - the filter's private encryption key

getPrivateKey

protected Key getPrivateKey()
Return the filter's private encryption key.

Returns:
the filter's private encryption key

setCertificateLocal

protected void setCertificateLocal(Certificate cert)
Specify the filter's certificate.

Parameters:
cert - the filter's certificate

getCertificateLocal

protected Certificate getCertificateLocal()
Return the filter's certificate.

Returns:
the filter's certificate

setKeyStore

protected void setKeyStore(KeyStore keystore)
Specify the filter's KeyStore.

Parameters:
keystore - the filter's KeyStore

getKeyStore

protected KeyStore getKeyStore()
Return the filter's KeyStore.

Returns:
the filter's KeyStore
