cayenne-dev mailing list archives

From John Huss <johnth...@gmail.com>
Subject Re: cayenne-crypto
Date Thu, 17 Jul 2014 18:42:55 GMT
In cases where CayenneFilter is being used, the ServerRuntime is created
internally by Cayenne. How do I add in the crypto module?

Module crypto = new CryptoModuleBuilder().keyStore(keyFile,
    keyPassword.toCharArray(), alias).build();

Perhaps CayenneFilter needs to expose a method that can be overridden to
add modules to the set of modules declared in the web.xml?

John




On Tue, Apr 22, 2014 at 5:07 PM, John Huss <johnthuss@gmail.com> wrote:

> I'm giving this a try.  Looks like you have to specify the AES algorithm
> when creating the store, so the command is like this:
>
> keytool -genseckey -keystore /tmp/ks1.jceks -storetype JCEKS -keyalg AES -keysize 256 -alias mykey
>
>
> On Fri, Apr 4, 2014 at 7:21 AM, Andrus Adamchik <andrus@objectstyle.org>
> wrote:
>
>> So the crypto module is done and available on trunk. Here is a minimal
>> configuration that will do AES/CBC encryption:
>>
>> 1. Create a keystore and generate a secret key in it:
>>
>>   keytool -genseckey -keystore /tmp/ks1.jceks -storetype JCEKS -alias mykey
>>
>> 2. Start Cayenne with crypto:
>>
>>   // this can also be a URL or a String representing URL
>>   File keyStore = new File("/tmp/ks1.jceks");
>>
>>   // obtain this somehow
>>   char[] keyPassword = ..
>>
>>   // "mykey" is the key alias in #1
>>   Module crypto = new CryptoModuleBuilder().keyStore(keyStore, keyPassword, "mykey").build();
>>
>>   // this will enable encryption/decryption for all columns matching ^CRYPTO_ regex
>>   // those must be either character or binary columns
>>   ServerRuntime runtime = new ServerRuntime("cayenne-myproject.xml", crypto);
>>
>>
>> So just 3 lines of code give you the encryption. Of course it is fully
>> customizable. See ‘CryptoModuleBuilder’ for what can be extended. Also the
>> code is pretty raw, so it may break or may be refactored as we find bugs. I
>> still need to study the performance and tweak as needed. Also there are
>> certain strategies that are not yet available. E.g. we only support block
>> ciphers in CBC mode (as this is what I am planning to use in my apps). We
>> will add support for ECB and also streaming ciphers eventually.
>>
>> But … everyone is free to give it a try ;)
>>
>> Andrus
>>
>>
>
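
A way to check, before handing the keystore to CryptoModuleBuilder, that the alias really holds an AES key usable for AES/CBC. This is an added example, not part of the original messages or of Cayenne: it uses only JDK APIs, and the class name, the in-memory sample store, the sample password, the `deskey` alias and the `AES/CBC/PKCS5Padding` transformation are assumptions.

```java
import java.io.*;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class KeyStoreCheck {
    // Builds a throwaway JCEKS store in memory (constructed sample data standing in for /tmp/ks1.jceks).
    static byte[] sampleStore(char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pw);
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        ks.setKeyEntry("mykey", aes.generateKey(), pw, null);
        ks.setKeyEntry("deskey", KeyGenerator.getInstance("DES").generateKey(), pw, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    // Loads the key under the alias and refuses anything that is not an AES key of 128/192/256 bits.
    static SecretKey requireAesKey(InputStream in, char[] pw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(in, pw);
        Key key = ks.getKey(alias, pw);
        if (!(key instanceof SecretKey)) throw new KeyStoreException("no secret key under alias " + alias);
        int bits = key.getEncoded().length * 8;
        if (!"AES".equals(key.getAlgorithm()) || (bits != 128 && bits != 192 && bits != 256))
            throw new InvalidKeyException(alias + " is " + key.getAlgorithm() + "/" + bits + ", expected AES");
        return (SecretKey) key;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit-sample".toCharArray(); // constructed password for the sample store
        byte[] store = sampleStore(pw);
        SecretKey key = requireAesKey(new ByteArrayInputStream(store), pw, "mykey");
        // Round trip with AES/CBC and a fresh random IV to confirm the key is usable.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal("secret".getBytes("UTF-8"));
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println("mykey: AES round trip ok = " + "secret".equals(new String(c.doFinal(ct), "UTF-8")));
        try { // the non-AES entry must be rejected before it reaches the crypto module
            requireAesKey(new ByteArrayInputStream(store), pw, "deskey");
        } catch (InvalidKeyException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

To run the same check against a keystore created with keytool, pass a `FileInputStream` for that file to `requireAesKey` in place of the in-memory sample.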
