Example 6 with EncryptedValue

Use of org.cloudfoundry.credhub.entity.EncryptedValue in project credhub by cloudfoundry-incubator.

The class EncryptionService, method encrypt: encrypts a string under the given key with a freshly generated nonce and returns the ciphertext, the nonce and the UUID of the key's canary together as one EncryptedValue.

public EncryptedValue encrypt(UUID canaryUuid, Key key, String value) throws Exception {
    // A new nonce for every encryption; it is stored next to the ciphertext so the
    // same parameters can be supplied again at decryption time
    byte[] nonce = generateNonce();
    AlgorithmParameterSpec parameterSpec = generateParameterSpec(nonce);
    CipherWrapper encryptionCipher = getCipher();
    encryptionCipher.init(Cipher.ENCRYPT_MODE, key, parameterSpec);
    byte[] encrypted = encryptionCipher.doFinal(value.getBytes(CHARSET));
    // canaryUuid records which key produced this ciphertext; rotation uses it to find
    // values that still belong to an inactive key
    return new EncryptedValue(canaryUuid, encrypted, nonce);
}
Also used : EncryptedValue(org.cloudfoundry.credhub.entity.EncryptedValue) AlgorithmParameterSpec(java.security.spec.AlgorithmParameterSpec)

Example 7 with EncryptedValue

Use of org.cloudfoundry.credhub.entity.EncryptedValue in project credhub by cloudfoundry-incubator.

The class EncryptionKeyCanaryMapper, method createCanary: when key creation is enabled, encrypts the fixed CANARY_VALUE under the key and saves ciphertext, nonce and salt as a new canary; otherwise polls the stored canaries until one that this key decrypts appears.

private EncryptionKeyCanary createCanary(KeyProxy keyProxy, EncryptionService encryptionService) {
    if (encryptionKeysConfiguration.isKeyCreationEnabled()) {
        logger.info("Creating a new active key canary");
        EncryptionKeyCanary canary = new EncryptionKeyCanary();
        try {
            // Encrypt the fixed CANARY_VALUE under this key. canaryUuid is null because the
            // canary is the marker for the key itself, not a value encrypted under another key
            EncryptedValue encryptionData = encryptionService.encrypt(null, keyProxy.getKey(), CANARY_VALUE);
            canary.setEncryptedCanaryValue(encryptionData.getEncryptedValue());
            canary.setNonce(encryptionData.getNonce());
            // Salt from the KeyProxy is stored with the canary; List<Byte> is unboxed to byte[]
            final List<Byte> salt = keyProxy.getSalt();
            final Byte[] saltArray = new Byte[salt.size()];
            canary.setSalt(toPrimitive(salt.toArray(saltArray)));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        return encryptionKeyCanaryDataService.save(canary);
    } else {
        // Key creation is disabled on this instance: wait up to CANARY_POPULATION_WAIT_SEC
        // for another instance to create the canary, then pick out the one this key decrypts
        final EncryptionKeyCanary[] matchingCanary = new EncryptionKeyCanary[1];
        timedRetry.retryEverySecondUntil(CANARY_POPULATION_WAIT_SEC, () -> {
            for (EncryptionKeyCanary encryptionKeyCanary : encryptionKeyCanaryDataService.findAll()) {
                if (keyProxy.matchesCanary(encryptionKeyCanary)) {
                    matchingCanary[0] = encryptionKeyCanary;
                    return true;
                }
            }
            logger.info("Waiting for the active key's canary");
            return false;
        });
        if (matchingCanary[0] == null) {
            throw new RuntimeException("Timed out waiting for active key canary to be created");
        }
        return matchingCanary[0];
    }
}
Also used : EncryptionKeyCanary(org.cloudfoundry.credhub.entity.EncryptionKeyCanary) EncryptedValue(org.cloudfoundry.credhub.entity.EncryptedValue)

Example 8 with EncryptedValue

Use of org.cloudfoundry.credhub.entity.EncryptedValue in project credhub by cloudfoundry-incubator.

The class EncryptionKeyRotator, method rotate: re-encrypts every stored value whose canary UUID belongs to an inactive key under the active key, logs how many were rotated and how many could not be, then deletes the inactive canaries.

public void rotate() {
    final long start = System.currentTimeMillis();
    logger.info("Starting encryption key rotation.");
    int rotatedRecordCount = 0;
    // Baseline used at the end to work out how many records were left unrotated
    final long startingNotRotatedRecordCount = encryptedValueDataService.countAllByCanaryUuid(keySet.getActive().getUuid());
    // Canary UUIDs of keys that are still configured but no longer active
    List<UUID> inactiveCanaries = keySet.getInactiveUuids();
    Slice<EncryptedValue> valuesEncryptedByOldKey = encryptedValueDataService.findByCanaryUuids(inactiveCanaries);
    // Each rotated value is re-saved under the active canary UUID, so re-querying
    // shrinks the slice until nothing under an inactive canary remains
    while (valuesEncryptedByOldKey.hasContent()) {
        for (EncryptedValue value : valuesEncryptedByOldKey.getContent()) {
            try {
                encryptedValueDataService.rotate(value);
                rotatedRecordCount++;
            } catch (KeyNotFoundException e) {
                // The key this value was encrypted with is unavailable, so it cannot be
                // decrypted and is left as it is
                logger.error("key not found for value, unable to rotate");
            }
        }
        valuesEncryptedByOldKey = encryptedValueDataService.findByCanaryUuids(inactiveCanaries);
    }
    final long finish = System.currentTimeMillis();
    final long duration = finish - start;
    final long endingNotRotatedRecordCount = startingNotRotatedRecordCount - rotatedRecordCount;
    if (rotatedRecordCount == 0 && endingNotRotatedRecordCount == 0) {
        logger.info("Found no records in need of encryption key rotation.");
    } else {
        logger.info("Finished encryption key rotation in " + duration + " milliseconds. Details:");
        logger.info("  Successfully rotated " + rotatedRecordCount + " item(s)");
        logger.info("  Skipped " + endingNotRotatedRecordCount + " item(s) due to missing master encryption key(s).");
    }
    // Once nothing is left under the inactive keys, their canaries are removed
    encryptionKeyCanaryMapper.delete(inactiveCanaries);
}
Also used : UUID(java.util.UUID) EncryptedValue(org.cloudfoundry.credhub.entity.EncryptedValue) KeyNotFoundException(org.cloudfoundry.credhub.exceptions.KeyNotFoundException)
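The three methods above form one scheme: encrypt (Example 6) tags every ciphertext with the UUID of the canary that identifies its key, createCanary (Example 7) makes a key recognisable by encrypting a known constant under it, and rotate (Example 8) uses the stored UUIDs to find and re-encrypt values that belong to inactive keys. The stand-alone Java program below is an added example written for this page, not CredHub code. It assumes AES-GCM with a 12-byte random nonce and a 128-bit tag (the page does not show generateNonce or generateParameterSpec), uses a made-up CANARY_VALUE, replaces the data services with an in-memory list and map, and gives each canary a random UUID of its own in place of the database-assigned one.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

public class CanaryRotationDemo {
    // Hypothetical stand-ins: CredHub's CANARY_VALUE constant and its nonce/parameter
    // helpers are not on the page, so AES-GCM with a 12-byte nonce and 128-bit tag is assumed.
    static final String CANARY_VALUE = "EncryptionKeyCanary";
    static final int NONCE_BYTES = 12, TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // Same shape as the entity: which key (by canary UUID), the ciphertext and its nonce.
    record EncryptedValue(UUID canaryUuid, byte[] encryptedValue, byte[] nonce) {}

    static EncryptedValue encrypt(UUID canaryUuid, SecretKey key, String value) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce); // fresh nonce per message: GCM nonce reuse under one key is fatal
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return new EncryptedValue(canaryUuid, ciphertext, nonce);
    }

    static String decrypt(SecretKey key, EncryptedValue v) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, v.nonce()));
        // A wrong key or a modified ciphertext or nonce fails the tag check (AEADBadTagException)
        return new String(cipher.doFinal(v.encryptedValue()), StandardCharsets.UTF_8);
    }

    // createCanary: encrypt a fixed constant so the key can be recognised later without
    // storing the key. The UUID here is the canary's own id (a simplification of the
    // database-assigned id; the canary row itself carries no canary UUID).
    static EncryptedValue createCanary(SecretKey key) throws Exception {
        return encrypt(UUID.randomUUID(), key, CANARY_VALUE);
    }

    // matchesCanary: the key matches if it decrypts the canary back to the constant.
    static boolean matchesCanary(SecretKey key, EncryptedValue canary) {
        try {
            return CANARY_VALUE.equals(decrypt(key, canary));
        } catch (Exception e) {
            return false; // tag check failed: not this key
        }
    }

    // rotate: re-encrypt every value held under a non-active canary with the active key.
    // A value whose key is not in the key set cannot be decrypted and is left untouched,
    // which is the KeyNotFoundException path in the page's rotate().
    static int rotate(Map<UUID, SecretKey> keysByCanary, UUID activeCanary, List<EncryptedValue> store) throws Exception {
        int rotated = 0;
        for (int i = 0; i < store.size(); i++) {
            EncryptedValue v = store.get(i);
            if (v.canaryUuid().equals(activeCanary)) continue;
            SecretKey oldKey = keysByCanary.get(v.canaryUuid());
            if (oldKey == null) continue;
            store.set(i, encrypt(activeCanary, keysByCanary.get(activeCanary), decrypt(oldKey, v)));
            rotated++;
        }
        return rotated;
    }

    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        SecretKey oldKey = newAesKey(), activeKey = newAesKey(), lostKey = newAesKey();
        List<EncryptedValue> canaries = List.of(createCanary(oldKey), createCanary(activeKey), createCanary(lostKey));
        UUID oldCanary = canaries.get(0).canaryUuid(), activeCanary = canaries.get(1).canaryUuid();
        UUID lostCanary = canaries.get(2).canaryUuid();

        // Startup: map each configured key to the stored canary it decrypts (the matchesCanary loop).
        // lostKey is no longer configured, so its canary gets no entry.
        Map<UUID, SecretKey> keysByCanary = new HashMap<>();
        for (SecretKey k : List.of(oldKey, activeKey)) {
            for (EncryptedValue c : canaries) {
                if (matchesCanary(k, c)) keysByCanary.put(c.canaryUuid(), k);
            }
        }
        if (keysByCanary.size() != 2) throw new AssertionError("each configured key must match one canary");

        // Constructed sample store: two values under the old key, one under the key we no longer hold
        List<EncryptedValue> store = new ArrayList<>(List.of(
            encrypt(oldCanary, oldKey, "db-password-1"),
            encrypt(oldCanary, oldKey, "db-password-2"),
            encrypt(lostCanary, lostKey, "orphaned-secret")));

        int rotated = rotate(keysByCanary, activeCanary, store);
        System.out.println("rotated " + rotated + " item(s), skipped " + (store.size() - rotated));
        System.out.println("first value under active key: " + decrypt(activeKey, store.get(0)));
        try {
            decrypt(oldKey, store.get(0)); // the old key must no longer open a rotated value
        } catch (AEADBadTagException e) {
            System.out.println("old key rejected by tag check");
        }
    }
}
```

Run it with `java CanaryRotationDemo.java` on Java 16 or later (the record needs it). Two things the page's code relies on become explicit here: the canary UUID carried by every EncryptedValue is the only thing rotate has to find its work, and a value whose key has been dropped from the key set can neither be decrypted nor rotated, which is what the Skipped count in the page's rotate() reports.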

Example 9 with EncryptedValue

Use of org.cloudfoundry.credhub.entity.EncryptedValue in project credhub by cloudfoundry-incubator.

The class CredentialVersionDataServiceTest, method save_givenANewCredential_savesTheCredential: checks that a new password credential is persisted with its name, UUID and EncryptedValue intact.

@Test
public void save_givenANewCredential_savesTheCredential() {
    // Test fixture: the stored bytes are a plain string and the nonce is empty, since the
    // data service is exercised here, not the cipher
    PasswordCredentialVersionData passwordCredentialData = new PasswordCredentialVersionData("/my-credential");
    passwordCredentialData.setEncryptedValueData(new EncryptedValue(activeCanaryUuid, "credential-password", ""));
    PasswordCredentialVersion credential = new PasswordCredentialVersion(passwordCredentialData);
    credential.setEncryptor(encryptor);
    CredentialVersion savedCredentialVersion = subject.save(credential);
    assertNotNull(savedCredentialVersion);
    PasswordCredentialVersion savedPasswordCredential = (PasswordCredentialVersion) subject.findMostRecent("/my-credential");
    CredentialVersionData credentialVersionData = credentialVersionRepository.findOneByUuid(savedCredentialVersion.getUuid());
    assertThat(savedPasswordCredential.getName(), equalTo(credential.getName()));
    assertThat(savedPasswordCredential.getUuid(), equalTo(credential.getUuid()));
    assertThat(credentialVersionData.getCredential().getName(), equalTo("/my-credential"));
    // The EncryptedValue round-trips through the repository byte for byte
    assertThat(credentialVersionData.getEncryptedValueData().getEncryptedValue(), equalTo("credential-password".getBytes()));
}
Also used : PasswordCredentialVersionData(org.cloudfoundry.credhub.entity.PasswordCredentialVersionData) CertificateCredentialVersionData(org.cloudfoundry.credhub.entity.CertificateCredentialVersionData) SshCredentialVersionData(org.cloudfoundry.credhub.entity.SshCredentialVersionData) ValueCredentialVersionData(org.cloudfoundry.credhub.entity.ValueCredentialVersionData) CredentialVersionData(org.cloudfoundry.credhub.entity.CredentialVersionData) EncryptedValue(org.cloudfoundry.credhub.entity.EncryptedValue) PasswordCredentialVersion(org.cloudfoundry.credhub.domain.PasswordCredentialVersion) CertificateCredentialVersion(org.cloudfoundry.credhub.domain.CertificateCredentialVersion) CredentialVersion(org.cloudfoundry.credhub.domain.CredentialVersion) ValueCredentialVersion(org.cloudfoundry.credhub.domain.ValueCredentialVersion) SshCredentialVersion(org.cloudfoundry.credhub.domain.SshCredentialVersion) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) Test(org.junit.Test)

Example 10 with EncryptedValue

Use of org.cloudfoundry.credhub.entity.EncryptedValue in project credhub by cloudfoundry-incubator.

The class CredentialVersionDataServiceTest, method save_givenAnExistingCredential_throwsExceptionIfTypeMismatch: checks that saving a value credential under the name of an existing password credential is rejected with a ParameterizedValidationException.

@Test(expected = ParameterizedValidationException.class)
public void save_givenAnExistingCredential_throwsExceptionIfTypeMismatch() {
    // First version: a password credential with empty ciphertext and nonce as fixture data
    PasswordCredentialVersionData passwordCredentialData = new PasswordCredentialVersionData("/my-credential-3");
    passwordCredentialData.setEncryptedValueData(new EncryptedValue().setEncryptionKeyUuid(activeCanaryUuid).setEncryptedValue(new byte[] {}).setNonce(new byte[] {}));
    PasswordCredentialVersion credential = new PasswordCredentialVersion(passwordCredentialData);
    subject.save(credential);
    // Second version of the same credential, but of a different type: a credential's type
    // is fixed once created, so this save must fail rather than silently change it
    ValueCredentialVersionData newCredentialData = new ValueCredentialVersionData();
    newCredentialData.setEncryptedValueData(new EncryptedValue().setEncryptionKeyUuid(activeCanaryUuid).setEncryptedValue("some value".getBytes()));
    newCredentialData.setCredential(passwordCredentialData.getCredential());
    ValueCredentialVersion newCredential = new ValueCredentialVersion(newCredentialData);
    subject.save(newCredential);
}
Also used : ValueCredentialVersion(org.cloudfoundry.credhub.domain.ValueCredentialVersion) PasswordCredentialVersionData(org.cloudfoundry.credhub.entity.PasswordCredentialVersionData) EncryptedValue(org.cloudfoundry.credhub.entity.EncryptedValue) PasswordCredentialVersion(org.cloudfoundry.credhub.domain.PasswordCredentialVersion) ValueCredentialVersionData(org.cloudfoundry.credhub.entity.ValueCredentialVersionData) SpringBootTest(org.springframework.boot.test.context.SpringBootTest) Test(org.junit.Test)

Aggregations

Classes used together with EncryptedValue, with the number of usages of each:

EncryptedValue (org.cloudfoundry.credhub.entity.EncryptedValue): 56
Test (org.junit.Test): 31
PasswordCredentialVersionData (org.cloudfoundry.credhub.entity.PasswordCredentialVersionData): 12
Before (org.junit.Before): 11
SpringBootTest (org.springframework.boot.test.context.SpringBootTest): 8
CertificateCredentialVersionData (org.cloudfoundry.credhub.entity.CertificateCredentialVersionData): 7
Credential (org.cloudfoundry.credhub.entity.Credential): 7
UUID (java.util.UUID): 6
PasswordCredentialVersion (org.cloudfoundry.credhub.domain.PasswordCredentialVersion): 6
ValueCredentialVersionData (org.cloudfoundry.credhub.entity.ValueCredentialVersionData): 6
IllegalBlockSizeException (javax.crypto.IllegalBlockSizeException): 5
UserCredentialVersionData (org.cloudfoundry.credhub.entity.UserCredentialVersionData): 5
StringGenerationParameters (org.cloudfoundry.credhub.request.StringGenerationParameters): 5
ProviderException (java.security.ProviderException): 4
CertificateCredentialVersion (org.cloudfoundry.credhub.domain.CertificateCredentialVersion): 4
ValueCredentialVersion (org.cloudfoundry.credhub.domain.ValueCredentialVersion): 4
EncryptionKeyCanary (org.cloudfoundry.credhub.entity.EncryptionKeyCanary): 4
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper): 3
Key (java.security.Key): 3
KeyNotFoundException (org.cloudfoundry.credhub.exceptions.KeyNotFoundException): 3