Friday, March 23, 2012

How to Use Crypto support in Adobe CQ / AEM

Use Case: You want to protect sensitive information (such as passwords) stored in OSGi configuration.

Solution: CQ 5.5 and later (Granite platform) introduce a crypto support service (com.adobe.granite.crypto.CryptoSupport) to protect sensitive information.

To store a protected configuration value, use the Apache Felix Web Console: when a value is entered there in protected form, the configuration holds only the encrypted string.

To unprotect data in your code, use the CryptoSupport.unprotect(String) method. CryptoSupport.isProtected(String) tells you whether a value is in the protected form at all, so the same component works with both encrypted and plain values.

Example


    import java.util.Map;

    import org.apache.felix.scr.annotations.Activate;
    import org.apache.felix.scr.annotations.Component;
    import org.apache.felix.scr.annotations.Modified;
    import org.apache.felix.scr.annotations.Reference;

    import com.adobe.granite.crypto.CryptoException;
    import com.adobe.granite.crypto.CryptoSupport;

    @Component
    public class Test {

        @Reference
        private CryptoSupport cryptoSupport;

        // Decrypted value, kept for use by the component after activation
        private String plainTextConfig;

        @Activate
        @Modified
        protected void configure(Map<String, Object> config) throws CryptoException {
            // As saved from the Felix Web Console: either plain text or "{hex}"
            final String protectedConfig = (String) config.get("password");
            if (protectedConfig != null && this.cryptoSupport.isProtected(protectedConfig)) {
                // Decrypt with this instance's key material (/etc/key)
                plainTextConfig = this.cryptoSupport.unprotect(protectedConfig);
            } else {
                // Value was stored unencrypted; use it as-is
                plainTextConfig = protectedConfig;
            }
        }
    }


You can also use the crypto support JSON call to obtain protected data. For example, the following curl command returns a protected string you can paste into a configuration:

$ curl -uadmin:admin -F datum=password http://localhost:4502/system/console/crypto/.json
{"protected": "{4dd7095d321134b5e6737311fa82afaa335390762e43136ee8acb3897296865d}"}
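As an added example (not from the original post), the following shell script takes a reply in exactly the shape shown above and turns it into the line an OSGi .config file expects, so that only the protected form, never the plaintext, is what ends up in the code repository. The PID com.example.MyService and the property name "password" are placeholders, and the JSON reply is constructed inline from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: convert the crypto console's
# JSON reply into an OSGi .config line for the code repository.
# Assumptions: one-line JSON reply exactly as shown in the post;
# "com.example.MyService" and the "password" key are placeholders.

# Pull the "protected" value out of a one-line JSON object.
protected_from_json() {
    # $1: reply text such as {"protected": "{4dd7...}"}
    printf '%s\n' "$1" |
        sed -n 's/.*"protected"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# CryptoSupport's protected form is lowercase hex wrapped in braces;
# anything else (e.g. a plaintext password pasted by mistake) is rejected
# before it can be committed.
is_protected_form() {
    printf '%s\n' "$1" | grep -Eq '^\{[0-9a-f]+\}$'
}

# Apache Felix FileInstall .config syntax for a String property: key="value"
config_line() {
    printf '%s="%s"\n' "$1" "$2"
}

# Constructed sample: the reply the curl call above returns.
SAMPLE_REPLY='{"protected": "{4dd7095d321134b5e6737311fa82afaa335390762e43136ee8acb3897296865d}"}'

value=$(protected_from_json "$SAMPLE_REPLY")
if is_protected_form "$value"; then
    # Would normally be redirected into com.example.MyService.config
    config_line password "$value"
else
    echo "reply did not contain a protected value" >&2
fi
```

The check in is_protected_form is what makes the script worth having: a plaintext value that slipped through would be stored verbatim and then simply returned unchanged by the isProtected/unprotect branch in the component above, with nothing to flag it.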


Note: A value protected on one machine will not unprotect on another, because each instance has its own key. To make one key work across all instances, create a package of /etc/key, install it on every instance, and then restart the "com.adobe.granite.crypto" bundle from the system console.

If you want to deploy these keys as part of your code across all instances, first download the hmac and master binaries from /etc/key.

Then create a node for /etc/key in your file system (code repository):



<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
 jcr:mixinTypes="[rep:AccessControllable]"
 hmac="{Binary}"
 hidden="{Boolean}true"
 master="{Binary}"
 jcr:primaryType="sling:Folder"/>

Under /etc/key, add two files named "hmac.binary" and "master.binary", copied from the instance where the secret was generated.

Deploy your code. Make sure to restart the "com.adobe.granite.crypto" bundle the very first time you upload these keys. (You can also do this with a curl command.)
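As an added example (not from the original post), the following shell script stages the /etc/key content package described above from the two downloaded binaries and checks the result before it is deployed. It assumes the binaries were already downloaded from the instance that generated them; the package name "crypto-keys" and group "my_packages" are placeholders, and the zip step only runs when a zip tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: stage the /etc/key content
# package so every instance gets the same hmac/master key pair.
# Assumptions: hmac and master binaries already downloaded; package name
# and group in properties.xml are placeholders.

# build_key_package OUT_DIR HMAC_FILE MASTER_FILE
build_key_package() {
    out=$1; hmac=$2; master=$3
    # Refuse missing or empty key files: installing them would leave every
    # instance with unusable key material and no obvious error.
    for f in "$hmac" "$master"; do
        [ -s "$f" ] || { echo "missing or empty key file: $f" >&2; return 1; }
    done
    keydir="$out/jcr_root/etc/key"
    mkdir -p "$keydir" "$out/META-INF/vault"

    # Node definition for /etc/key, as given in the post.
    cat > "$keydir/.content.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
 jcr:mixinTypes="[rep:AccessControllable]"
 hmac="{Binary}"
 hidden="{Boolean}true"
 master="{Binary}"
 jcr:primaryType="sling:Folder"/>
EOF
    # The {Binary} properties are read from sibling files named <prop>.binary.
    cp "$hmac" "$keydir/hmac.binary"
    cp "$master" "$keydir/master.binary"
    # Key material should not be readable by other users on the build host.
    chmod 600 "$keydir/hmac.binary" "$keydir/master.binary"

    # Limit the package to /etc/key so installing it touches nothing else.
    cat > "$out/META-INF/vault/filter.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<workspaceFilter version="1.0">
    <filter root="/etc/key"/>
</workspaceFilter>
EOF
    cat > "$out/META-INF/vault/properties.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
  <entry key="name">crypto-keys</entry>
  <entry key="group">my_packages</entry>
  <entry key="version">1.0</entry>
</properties>
EOF
    # Zip into an installable package when a zip tool is available.
    if command -v zip >/dev/null 2>&1; then
        (cd "$out" && zip -qr crypto-keys-1.0.zip jcr_root META-INF)
    fi
}

# key_package_ok OUT_DIR: sanity check before deploying the package.
key_package_ok() {
    d=$1
    [ -s "$d/jcr_root/etc/key/hmac.binary" ] &&
    [ -s "$d/jcr_root/etc/key/master.binary" ] &&
    grep -q 'hmac="{Binary}"' "$d/jcr_root/etc/key/.content.xml" &&
    grep -q 'master="{Binary}"' "$d/jcr_root/etc/key/.content.xml" &&
    grep -q 'root="/etc/key"' "$d/META-INF/vault/filter.xml"
}

# Usage: build_key_package ./target/crypto-keys ./downloads/hmac.binary ./downloads/master.binary
if [ "$#" -eq 3 ]; then
    build_key_package "$@" && key_package_ok "$1"
fi
```

The filter root is deliberately /etc/key and nothing wider: a package with a broader filter would replace whatever else sits under /etc on the target instance when installed.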

Crypto Support API: http://dev.day.com/docs/en/cq/current/javadoc/com/adobe/granite/crypto/package-summary.html

7 comments:

  1. Hi,
    I was trying to get a reference to the cryptosupport service in one of the services that I created, and it is appearing as unsatisfied:

    Reference=cryptoSupport, Unsatisfied
    Service Name: com.adobe.granite.crypto.CryptoSupport
    Multiple: single
    Optional: mandatory
    Policy: static
    No Services bound

    Due to this my original service is also unsatisfied. I am using CQ 5.6. I tried using the crypto service reference in one of the other services that I had which is working fine, and it is causing problems there as well. Is there something specific that needs to be done for this particular service to get its reference? Any tips to resolve this will be really appreciated.

    Thanks

    Replies
    1. Hello Hitesh,

      Can you send me your code example to test ?

      Yogesh

  2. Yogesh,

    Thanks for sharing..!!

    I am able to encrypt plain text using Felix console @ http://localhost:4502/system/console/crypto and able to decrypt using this.cryptoSupport.unprotect(protectedConfig);

    I need to use the same cipher text to get the plain text on various environments, but I am not able to update the key which crypto support is using to encrypt/decrypt the password.

    Can you help in this aspect?

    Replies
    1. Hello Tosheer,

      You mean the same plain text is returning different cipher text in different environments?

      Yogesh
