This package provides a java.security.KeyStore implementation backed by a database, with support for multiple storage engines through implementations of DatabaseKeyStoreRepository.
A DB-backed keystore is useful in a clustered environment that relies on a keystore: instead of a file-based keystore on each node that has to be kept in sync, a central database-backed keystore is shared by all nodes.
The core package can be installed through Maven with:
```xml
<dependency>
  <groupId>io.github.pilougit.security</groupId>
  <artifactId>databasekeystore-core</artifactId>
  <version>${lastestversion}</version>
</dependency>
```
To add the provider at runtime use:
```java
import java.security.Security;
// import DatabaseKeyStoreProvider from the core artifact using its fully qualified class name
import DatabaseKeyStoreProvider;

Security.addProvider(new DatabaseKeyStoreProvider());
```
The provider can also be registered statically as part of your environment by adding an entry to the java.security properties file (found in $JAVA_HOME/jre/lib/security/java.security on JDK 8, or $JAVA_HOME/conf/security/java.security on JDK 9 and later, where $JAVA_HOME is the location of your JDK/JRE distribution). The file contains detailed instructions, but it comes down to adding a line such as:
```
security.provider.<n>=DatabaseKeyStoreProvider
```
Available storage engines:
- JPA Storage Engine
- Memory Storage Engine
- Cache Storage Engine
The JPA storage engine can be installed through:
```xml
<dependency>
  <groupId>io.github.pilougit.security</groupId>
  <artifactId>databasekeystore-jpa</artifactId>
  <version>1.0.0</version>
</dependency>
```
The JPA storage engine is set up by initialising a DatabaseKeyStoreJpaRepository with an entity manager and passing it to the keystore's load parameter:
```java
EntityManager em = ...;
KeyStore keystore = KeyStore.getInstance(DatabaseKeyStoreProvider.KEYSTORE, DatabaseKeyStoreProvider.PROVIDER_NAME);
keystore.load(new DatabaseKeyStoreLoadStoreParameter(new DatabaseKeyStoreJpaRepository(em), new AESGcmCipheringKeyService()));
```
A schema prepared for an HSQLDB database can be created by executing:
```sql
create table keyentry(id bigint not null GENERATED BY DEFAULT AS IDENTITY, alias varchar(255) not null, entry LONGVARCHAR not null, primary key (id));
```
The equivalent schema in MySQL syntax (AUTO_INCREMENT, LONGTEXT), with a unique index on the alias so that each alias maps to exactly one entry:
```sql
create table keyentry(
  id bigint AUTO_INCREMENT PRIMARY KEY,
  alias varchar(255) not null,
  entry LONGTEXT not null
);
CREATE UNIQUE INDEX idx_alias ON keyentry(alias);
```
The equivalent schema in PostgreSQL syntax (bigserial, TEXT):
```sql
create table keyentry(
  id bigserial PRIMARY KEY,
  alias varchar(255) not null,
  entry TEXT not null
);
CREATE UNIQUE INDEX idx_alias ON keyentry(alias);
```
The memory storage engine can be installed through:
```xml
<dependency>
  <groupId>io.github.pilougit.security</groupId>
  <artifactId>databasekeystore-simple</artifactId>
  <version>1.0.0</version>
</dependency>
```
It is backed by a simple Map, which makes it easy to use as a mock in tests.
The cache storage engine can be installed through:
```xml
<dependency>
  <groupId>io.github.pilougit.security</groupId>
  <artifactId>databasekeystore-caffeine</artifactId>
  <version>1.0.0</version>
</dependency>
```
To achieve good performance, a cache can be placed in front of the key storage engine. The current implementation uses Caffeine for this. Note that with the settings below an entry can remain cached for up to five minutes after it was written, so a node may serve a stale entry for that long after another node changes it in the shared database.
```java
import java.security.KeyStore;
import java.time.Duration;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;

protected DatabaseKeyStoreRepository getDatabaseKeyStore()
{
    // Bounded cache: at most 10,000 entries, each evicted 5 minutes after it was written.
    Cache<String, DatabaseKeyStoreEntry> cache = Caffeine.newBuilder()
        .maximumSize(10_000)
        .expireAfterWrite(Duration.ofMinutes(5))
        .build();
    // The cache wraps the real storage engine (the memory engine here; use the JPA engine against a shared database).
    return new DatabaseKeyStoreCacheRepository(cache, new DatabaseKeyStoreMemoryRepository());
}
...
KeyStore keystore = KeyStore.getInstance(DatabaseKeyStoreProvider.KEYSTORE, DatabaseKeyStoreProvider.PROVIDER_NAME);
keystore.load(new DatabaseKeyStoreLoadStoreParameter(getDatabaseKeyStore(), new AESGcmCipheringKeyService()));
```
Private keys are stored according to the configured implementation of CipheringKeyService, which is currently one of:
- the no-op ciphering engine NoOpCipheringKeyService, which passes key material to the storage engine as-is
- the AES/GCM engine AESGcmCipheringKeyService, which encrypts key material before it is stored
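As an added end-to-end example (not code from the project itself) tying the cache section and the ciphering choice together: it registers the provider, loads the keystore with the memory engine behind a Caffeine cache and the AES/GCM ciphering service, stores a generated AES key and reads it back through the standard JCA API. It assumes the provider accepts KeyStore.SecretKeyEntry (the README only mentions private keys), and the provider classes' package, which the README does not show, must be imported for your version.

```java
import java.security.KeyStore;
import java.security.Security;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
// The provider classes (DatabaseKeyStoreProvider, DatabaseKeyStoreLoadStoreParameter,
// DatabaseKeyStoreRepository, DatabaseKeyStoreCacheRepository, DatabaseKeyStoreMemoryRepository,
// DatabaseKeyStoreEntry, AESGcmCipheringKeyService) come from the databasekeystore artifacts;
// this README does not show their package, so add the imports matching your version.
public class DatabaseKeyStoreRoundTrip {

    // Memory engine behind a bounded, expiring Caffeine cache, as in the cache section above.
    static DatabaseKeyStoreRepository cachedRepository() {
        Cache<String, DatabaseKeyStoreEntry> cache = Caffeine.newBuilder()
                .maximumSize(1_000)
                .expireAfterWrite(Duration.ofMinutes(5))
                .build();
        return new DatabaseKeyStoreCacheRepository(cache, new DatabaseKeyStoreMemoryRepository());
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new DatabaseKeyStoreProvider());
        KeyStore keystore = KeyStore.getInstance(DatabaseKeyStoreProvider.KEYSTORE,
                DatabaseKeyStoreProvider.PROVIDER_NAME);
        // AES/GCM ciphering: key material is encrypted before it reaches the repository.
        keystore.load(new DatabaseKeyStoreLoadStoreParameter(cachedRepository(),
                new AESGcmCipheringKeyService()));

        // Constructed sample entry: a fresh AES-256 key stored under a test alias.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        char[] password = "changeit".toCharArray(); // constructed test password
        // Assumption: the provider accepts KeyStore.SecretKeyEntry (the README only mentions private keys).
        keystore.setEntry("demo-aes", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(password));

        // Read back through the standard JCA API; the cache is consulted before the memory engine.
        SecretKey back = (SecretKey) keystore.getKey("demo-aes", password);
        if (!Arrays.equals(key.getEncoded(), back.getEncoded())) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("aliases: " + Collections.list(keystore.aliases()));
    }
}
```

Swapping cachedRepository() for a DatabaseKeyStoreJpaRepository backed by an EntityManager gives the shared, clustered variant without changing the rest of the code.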