Coherence™ v3.4
Copyright © 2000-2008 by Oracle Corporation

com.tangosol.net.security
Class AsymmetricEncryptionFilter

java.lang.Object
  extended by com.tangosol.util.Base
      extended by com.tangosol.net.security.AbstractEncryptionFilter
          extended by com.tangosol.net.security.AsymmetricEncryptionFilter
All Implemented Interfaces:
WrapperStreamFactory, XmlConfigurable

public class AsymmetricEncryptionFilter
extends AbstractEncryptionFilter

Asymmetric encryption filter implementation.

This filter will sign messages (encrypt with the originator's private key) so that they may be validated as both trusted and authentic by the recipient(s).

The filter is configured with a Java KeyStore from which it will retrieve its local certificate and private key.

Each inbound message will have its sender's certificate validated via a call to the validate(Certificate) method. The default implementation simply validates that the certificate exists within the configured KeyStore, and in the case of X509 certificates that it has not expired.

As this is a fairly expensive filter, it is not intended for use on services with high traffic loads. Additionally, as it only signs the data, it is not intended for transporting secret data. It is generally used only to protect the ClusterService (hence cluster membership) via the ClusterEncryptionFilter.

In order to use this filter you must have configured your JVM with a suitable JCA public key cryptography provider such as the one provided by Bouncy Castle. See the JCA documentation for details on installing and configuring JCA providers.

This class may be extended in order to provide custom validation logic. A custom version only needs to provide alternate implementations of the setConfig() and validate() methods. See the documentation on these methods for customization details.

Author:
mf 2006.08.01
See Also:
setConfig(com.tangosol.run.xml.XmlElement), validate(java.security.cert.Certificate), ClusterEncryptionFilter

Nested Class Summary
 class AsymmetricEncryptionFilter.IdentityInputStream
          Stream which reads an unencrypted identity header followed by an encrypted payload.
 class AsymmetricEncryptionFilter.IdentityOutputStream
          Stream which writes an unencrypted identity header followed by an encrypted payload.
 
Field Summary
static java.lang.String DEFAULT_TRANSFORMATION
          Default transformation
protected  java.security.cert.Certificate m_certificateLocal
          The local Certificate
protected  java.security.Key m_keyPrivate
          The local PrivateKey
protected  java.security.KeyStore m_keystore
          The KeyStore
protected  java.util.Map m_mapMemberCertificate
          Map of Member to their certificates
 
Fields inherited from class com.tangosol.net.security.AbstractEncryptionFilter
DEFAULT_KEYSTORE_PATH, DEFAULT_KEYSTORE_TYPE, m_specCipherParams, m_sTransformation, m_tlsCipher
 
Constructor Summary
AsymmetricEncryptionFilter()
          Default constructor
 
Method Summary
 byte[] decryptPrivate(byte[] abEnc)
          Decrypt the supplied data with the local private key.
 byte[] encryptPrivate(byte[] abData, Member member)
          Encrypt the supplied data for privacy using the supplied Member's public key.
protected  java.security.cert.Certificate getCertificate(Member member)
          Return the Certificate associated with the specified Member.
protected  java.security.cert.Certificate getCertificateLocal()
          Return the filter's certificate.
 java.io.InputStream getInputStream(java.io.InputStream stream)
          Requests an InputStream that wraps the passed InputStream.
protected  java.security.KeyStore getKeyStore()
          Return the filter's KeyStore.
 java.io.OutputStream getOutputStream(java.io.OutputStream stream)
          Requests an OutputStream that wraps the passed OutputStream.
protected  java.security.Key getPrivateKey()
          Return the filter's private encryption key.
protected  void setCertificate(Member member, java.security.cert.Certificate cert)
          Specify the Certificate associated with a Member.
protected  void setCertificateLocal(java.security.cert.Certificate cert)
          Specify the filter's certificate.
 void setConfig(XmlElement xml)
          Configures the Encryption filter for asymmetric encryption using a private key and Certificate from a KeyStore.
protected  void setKeyStore(java.security.KeyStore keystore)
          Specify the filter's KeyStore.
protected  void setPrivateKey(java.security.Key key)
          Specify the filter's private encryption key.
protected  void validate(java.security.cert.Certificate cert)
          Validate the specified Certificate as trusted.
 
Methods inherited from class com.tangosol.net.security.AbstractEncryptionFilter
ensureSecurityException, ensureSecurityException, getCipher, getCipherParams, getCipherTransformation, getConfig, getKeyStore, makeCipher, setCipherParams, setCipherTransformation
 

Field Detail

m_keyPrivate

protected java.security.Key m_keyPrivate
The local PrivateKey


m_certificateLocal

protected java.security.cert.Certificate m_certificateLocal
The local Certificate


m_keystore

protected java.security.KeyStore m_keystore
The KeyStore


m_mapMemberCertificate

protected java.util.Map m_mapMemberCertificate
Map of Member to their certificates


DEFAULT_TRANSFORMATION

public static final java.lang.String DEFAULT_TRANSFORMATION
Default transformation

See Also:
Constant Field Values

Constructor Detail

AsymmetricEncryptionFilter

public AsymmetricEncryptionFilter()
Default constructor

Method Detail

getInputStream

public java.io.InputStream getInputStream(java.io.InputStream stream)
Description copied from interface: WrapperStreamFactory
Requests an InputStream that wraps the passed InputStream.

Parameters:
stream - the java.io.InputStream to be wrapped
Returns:
an InputStream that delegates to ("wraps") the passed InputStream

getOutputStream

public java.io.OutputStream getOutputStream(java.io.OutputStream stream)
Description copied from interface: WrapperStreamFactory
Requests an OutputStream that wraps the passed OutputStream.

Parameters:
stream - the java.io.OutputStream to be wrapped
Returns:
an OutputStream that delegates to ("wraps") the passed OutputStream

setConfig

public void setConfig(XmlElement xml)
Configures the Encryption filter for asymmetric encryption using a private key and Certificate from a KeyStore. Supported configuration parameters include:

If customizing this filter to provide alternate Certificate loading and validation logic, this method may be overridden to load any necessary custom configuration parameters. The custom implementation is not required to utilize the above configuration parameters, or to call the default implementation of setConfig. Any custom implementation which does not make a call to the default implementation must at least call the following methods:

Parameters:
xml - the XmlElement containing the filter's configuration parameters
See Also:
setPrivateKey(java.security.Key), setCertificateLocal(java.security.cert.Certificate), AbstractEncryptionFilter.setCipherTransformation(java.lang.String), DEFAULT_TRANSFORMATION

getCertificate

protected java.security.cert.Certificate getCertificate(Member member)
Return the Certificate associated with the specified Member.

Parameters:
member - the Member for which to return the certificate
Returns:
the Member's certificate or null if unknown

setCertificate

protected void setCertificate(Member member,
                              java.security.cert.Certificate cert)
Specify the Certificate associated with a Member.

Parameters:
member - the Member for which to specify the certificate

validate

protected void validate(java.security.cert.Certificate cert)
Validate the specified Certificate as trusted.

The default implementation validates that the supplied Certificate exists within the local KeyStore, and in the case of X509 Certs, that it has not expired. Custom implementations of this class may override this method to provide an alternate means of validating the Certificate.

Parameters:
cert - the certificate to validate
Throws:
java.lang.SecurityException - if certificate is invalid or untrusted
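
The trust check described above (certificate present in the KeyStore, X509 certificates within their validity period), written as an added standalone example; it is not Oracle's implementation and not code from this page. KeyStoreTrustCheck and requireTrusted are hypothetical names, and because it uses X509Certificate.checkValidity() it rejects not-yet-valid certificates as well as expired ones. Its main method reports which entries of a keystore file would be accepted.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: hypothetical helper class, not part of Coherence.
public class KeyStoreTrustCheck {
    // Throws SecurityException unless cert is held in keystore and, if X509, currently valid.
    public static void requireTrusted(KeyStore keystore, Certificate cert) {
        if (keystore == null || cert == null) {
            throw new SecurityException("missing KeyStore or Certificate");
        }
        try {
            if (keystore.getCertificateAlias(cert) == null) { // no entry holds this certificate
                throw new SecurityException("certificate not present in KeyStore");
            }
            if (cert instanceof X509Certificate) {
                ((X509Certificate) cert).checkValidity(); // expired or not yet valid
            }
        } catch (GeneralSecurityException e) { // unloaded KeyStore or validity failure
            throw new SecurityException("certificate rejected: " + e);
        }
    }

    // Usage: java KeyStoreTrustCheck <keystore-path> [store-type]; prompts for the password.
    public static void main(String[] args) throws Exception {
        if (args.length < 1 || System.console() == null) {
            throw new IllegalArgumentException("need a keystore path and an interactive console");
        }
        char[] password = System.console().readPassword("KeyStore password: ");
        KeyStore ks = KeyStore.getInstance(args.length > 1 ? args[1] : KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        if (password != null) java.util.Arrays.fill(password, '\0'); // do not keep it in memory
        for (String alias : Collections.list(ks.aliases())) {
            try {
                requireTrusted(ks, ks.getCertificate(alias));
                System.out.println(alias + ": accepted");
            } catch (SecurityException e) {
                System.out.println(alias + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

A validate(Certificate) override in a subclass could call requireTrusted(getKeyStore(), cert) and then apply any additional checks of its own.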

encryptPrivate

public byte[] encryptPrivate(byte[] abData,
                             Member member)
Encrypt the supplied data for privacy using the supplied Member's public key.

Parameters:
abData - the data to be encrypted
member - the Member for which the public key will be used
Returns:
the encrypted data

decryptPrivate

public byte[] decryptPrivate(byte[] abEnc)
Decrypt the supplied data with the local private key.

Parameters:
abEnc - the encrypted data
Returns:
the decrypted data

setPrivateKey

protected void setPrivateKey(java.security.Key key)
Specify the filter's private encryption key.

Parameters:
key - the filter's private encryption key

getPrivateKey

protected java.security.Key getPrivateKey()
Return the filter's private encryption key.

Returns:
the filter's private encryption key

setCertificateLocal

protected void setCertificateLocal(java.security.cert.Certificate cert)
Specify the filter's certificate.

Parameters:
cert - the filter's certificate

getCertificateLocal

protected java.security.cert.Certificate getCertificateLocal()
Return the filter's certificate.

Returns:
the filter's certificate

setKeyStore

protected void setKeyStore(java.security.KeyStore keystore)
Specify the filter's KeyStore.

Parameters:
keystore - the filter's KeyStore

getKeyStore

protected java.security.KeyStore getKeyStore()
Return the filter's KeyStore.

Returns:
the filter's KeyStore
