release16.11/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java - ofbiz - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.ofbiz.entity.util;

 import java.io.IOException;
 import java.security.Key;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Random;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;

 import org.apache.commons.codec.binary.Base64;
 import org.apache.shiro.crypto.AesCipherService;
 import org.apache.shiro.crypto.OperationMode;
 import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.crypto.hash.HashRequest;
 import org.apache.shiro.crypto.hash.HashService;
 import org.apache.ofbiz.base.crypto.DesCrypt;
 import org.apache.ofbiz.base.crypto.HashCrypt;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.GeneralException;
 import org.apache.ofbiz.base.util.StringUtil;
 import org.apache.ofbiz.base.util.UtilObject;
 import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.entity.Delegator;
 import org.apache.ofbiz.entity.EntityCryptoException;
 import org.apache.ofbiz.entity.GenericEntityException;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.entity.model.ModelField.EncryptMethod;
 import org.apache.ofbiz.entity.transaction.TransactionUtil;

 public final class EntityCrypto {

     public static final String module = EntityCrypto.class.getName();

     protected final Delegator delegator;
     protected final ConcurrentMap<String, byte[]> keyMap = new ConcurrentHashMap<String, byte[]>();
     protected final StorageHandler[] handlers;

     public EntityCrypto(Delegator delegator, String kekText) throws EntityCryptoException {
         this.delegator = delegator;
         byte[] kek;
         kek = UtilValidate.isNotEmpty(kekText) ? Base64.decodeBase64(kekText) : null;
         handlers = new StorageHandler[] {
             new ShiroStorageHandler(kek),
             new SaltedBase64StorageHandler(kek),
             NormalHashStorageHandler,
             OldFunnyHashStorageHandler,
         };
     }

     public void clearKeyCache() {
         keyMap.clear();
     }

     /** Encrypts an Object into an encrypted hex encoded String */
     @Deprecated
     public String encrypt(String keyName, Object obj) throws EntityCryptoException {
         return encrypt(keyName, EncryptMethod.TRUE, obj);
     }

     /** Encrypts an Object into an encrypted hex encoded String */
     public String encrypt(String keyName, EncryptMethod encryptMethod, Object obj) throws EntityCryptoException {
         try {
             byte[] key = this.findKey(keyName, handlers[0]);
             if (key == null) {
                 EntityCryptoException caught = null;
                 try {
                     this.createKey(keyName, handlers[0], encryptMethod);
                 } catch (EntityCryptoException e) {
                     // either a database read error, or a duplicate key insert
                     // if the latter, try to fetch the value created by the
                     // other thread.
                     caught = e;
                 } finally {
                     try {
                         key = this.findKey(keyName, handlers[0]);
                     } catch (EntityCryptoException e) {
                         // this is bad, couldn't lookup the value, some bad juju
                         // is occurring; rethrow the original exception if available
                         throw caught != null ? caught : e;
                     }
                     if (key == null) {
                         // this is also bad, couldn't find any key
                         throw caught != null ? caught : new EntityCryptoException("could not lookup key (" + keyName + ") after creation");
                     }
                 }
             }
             return handlers[0].encryptValue(encryptMethod, key, UtilObject.getBytes(obj));
         } catch (GeneralException e) {
             throw new EntityCryptoException(e);
         }
     }

     // NOTE: this is definitely for debugging purposes only, do not uncomment in production server for security reasons:
     // if you uncomment this, then change the real decrypt method to _decrypt.
     /*
     public Object decrypt(String keyName, String encryptedString) throws EntityCryptoException {
         Object result = _decrypt(keyName, encryptedString);
         Debug.logInfo("Decrypted value [%s] to result: %s", module, encryptedString, decryptedObj);
         return result;
     }
     */

     /** Decrypts a hex encoded String into an Object */
     public Object decrypt(String keyName, EncryptMethod encryptMethod, String encryptedString) throws EntityCryptoException {
         try {
             return doDecrypt(keyName, encryptMethod, encryptedString, handlers[0]);
         } catch (GeneralException e) {
             Debug.logInfo("Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", module);
             for (int i = 1; i < handlers.length; i++) {
                 try {
                     // try using the old/bad hex encoding approach; this is another path the code may take, ie if there is an exception thrown in decrypt
                     return doDecrypt(keyName, encryptMethod, encryptedString, handlers[i]);
                 } catch (GeneralException e1) {
                     // NOTE: this throws the original exception back, not the new one if it fails using the other approach
                     //throw new EntityCryptoException(e);
                 }
             }
             throw new EntityCryptoException(e);
         }
     }

     protected Object doDecrypt(String keyName, EncryptMethod encryptMethod, String encryptedString, StorageHandler handler) throws GeneralException {
         byte[] key = this.findKey(keyName, handler);
         if (key == null) {
             throw new EntityCryptoException("key(" + keyName + ") not found in database");
         }
         byte[] decryptedBytes = handler.decryptValue(key, encryptMethod, encryptedString);
         try {
             return UtilObject.getObjectException(decryptedBytes);
         } catch (ClassNotFoundException e) {
             throw new GeneralException(e);
         } catch (IOException e) {
             throw new GeneralException(e);
         }
     }

     protected byte[] findKey(String originalKeyName, StorageHandler handler) throws EntityCryptoException {
         String hashedKeyName = handler.getHashedKeyName(originalKeyName);
         String keyMapName = handler.getKeyMapPrefix(hashedKeyName) + hashedKeyName;
         if (keyMap.containsKey(keyMapName)) {
             return keyMap.get(keyMapName);
         }
         // it's ok to run the bulk of this method unlocked or
         // unprotected; since the same result will occur even if
         // multiple threads request the same key, there is no
         // need to protected this block of code.

         GenericValue keyValue = null;
         try {
             keyValue = EntityQuery.use(delegator).from("EntityKeyStore").where("keyName", hashedKeyName).queryOne();
         } catch (GenericEntityException e) {
             throw new EntityCryptoException(e);
         }
         if (keyValue == null || keyValue.get("keyText") == null) {
             return null;
         }
         try {
             byte[] keyBytes = handler.decodeKeyBytes(keyValue.getString("keyText"));
             keyMap.putIfAbsent(keyMapName, keyBytes);
             // Do not remove the next line, it's there to handle the
             // case of multiple threads trying to find the same key
             // both threads will do the findOne call, only one will
             // succeed at the putIfAbsent, but both will then fetch
             // the same value with the following get().
             return keyMap.get(keyMapName);
         } catch (GeneralException e) {
             throw new EntityCryptoException(e);
         }
     }

     protected void createKey(String originalKeyName, StorageHandler handler, EncryptMethod encryptMethod) throws EntityCryptoException {
         String hashedKeyName = handler.getHashedKeyName(originalKeyName);
         Key key = handler.generateNewKey();
         final GenericValue newValue = delegator.makeValue("EntityKeyStore");
         try {
             newValue.set("keyText", handler.encodeKey(key.getEncoded()));
         } catch (GeneralException e) {
             throw new EntityCryptoException(e);
         }
         newValue.set("keyName", hashedKeyName);

         try {
             TransactionUtil.doNewTransaction(new Callable<Void>() {
                 public Void call() throws Exception {
                     delegator.create(newValue);
                     return null;
                 }
             }, "storing encrypted key", 0, true);
         } catch (GenericEntityException e) {
             throw new EntityCryptoException(e);
         }
     }

     protected abstract static class StorageHandler {
         protected abstract Key generateNewKey() throws EntityCryptoException;

         protected abstract String getHashedKeyName(String originalKeyName);
         protected abstract String getKeyMapPrefix(String hashedKeyName);

         protected abstract byte[] decodeKeyBytes(String keyText) throws GeneralException;
         protected abstract String encodeKey(byte[] key) throws GeneralException;

         protected abstract byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException;
         protected abstract String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException;
     }

     protected static final class ShiroStorageHandler extends StorageHandler {
         private final HashService hashService;
         private final AesCipherService cipherService;
         private final AesCipherService saltedCipherService;
         private final byte[] kek;

         protected ShiroStorageHandler(byte[] kek) {
             hashService = new DefaultHashService();
             cipherService = new AesCipherService();
             cipherService.setMode(OperationMode.ECB);
             saltedCipherService = new AesCipherService();
             this.kek = kek;
         }

         @Override
         protected Key generateNewKey() {
             return saltedCipherService.generateNewKey();
         }

         @Override
         protected String getHashedKeyName(String originalKeyName) {
             HashRequest hashRequest = new HashRequest.Builder().setSource(originalKeyName).build();
             return hashService.computeHash(hashRequest).toBase64();
         }

         @Override
         protected String getKeyMapPrefix(String hashedKeyName) {
             return "{shiro}";
         }

         @Override
         protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
             byte[] keyBytes = Base64.decodeBase64(keyText);
             if (kek != null) {
                 keyBytes = saltedCipherService.decrypt(keyBytes, kek).getBytes();
             }
             return keyBytes;
         }

         @Override
         protected String encodeKey(byte[] key) throws GeneralException {
             if (kek != null) {
                 return saltedCipherService.encrypt(key, kek).toBase64();
             } else {
                 return Base64.encodeBase64String(key);
             }
         }

         @Override
         protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
             switch (encryptMethod) {
                 case SALT:
                     return saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes();
                 default:
                     return cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes();
             }
         }

         @Override
         protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
             switch (encryptMethod) {
                 case SALT:
                     return saltedCipherService.encrypt(objBytes, key).toBase64();
                 default:
                     return cipherService.encrypt(objBytes, key).toBase64();
             }
         }
     }

     protected static abstract class LegacyStorageHandler extends StorageHandler {
         @Override
         protected Key generateNewKey() throws EntityCryptoException {
             try {
                 return DesCrypt.generateKey();
             } catch (NoSuchAlgorithmException e) {
                 throw new EntityCryptoException(e);
             }
         }

         @Override
         protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
             return StringUtil.fromHexString(keyText);
         }

         @Override
         protected String encodeKey(byte[] key) {
             return StringUtil.toHexString(key);
         }

         @Override
         protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
             return DesCrypt.decrypt(DesCrypt.getDesKey(key), StringUtil.fromHexString(encryptedString));
         }

         @Override
         protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
             return StringUtil.toHexString(DesCrypt.encrypt(DesCrypt.getDesKey(key), objBytes));
         }
     };

     protected static final StorageHandler OldFunnyHashStorageHandler = new LegacyStorageHandler() {
         @Override
         protected String getHashedKeyName(String originalKeyName) {
             return HashCrypt.digestHashOldFunnyHex(null, originalKeyName);
         }

         @Override
         protected String getKeyMapPrefix(String hashedKeyName) {
             return "{funny-hash}";
         }
     };

     protected static final StorageHandler NormalHashStorageHandler = new LegacyStorageHandler() {
         @Override
         protected String getHashedKeyName(String originalKeyName) {
             return HashCrypt.digestHash("SHA", originalKeyName.getBytes());
         }

         @Override
         protected String getKeyMapPrefix(String hashedKeyName) {
             return "{normal-hash}";
         }
     };

     protected static final class SaltedBase64StorageHandler extends StorageHandler {
         private final Key kek;

         protected SaltedBase64StorageHandler(byte[] kek) throws EntityCryptoException {
             Key key = null;
             if (kek != null) {
                 try {
                     key = DesCrypt.getDesKey(kek);
                 } catch (GeneralException e) {
                     Debug.logInfo("Invalid key-encryption-key specified for SaltedBase64StorageHandler; the key is probably valid for the newer ShiroStorageHandler", module);
                 }
             }
             this.kek = key;
         }

         @Override
         protected Key generateNewKey() throws EntityCryptoException {
             try {
                 return DesCrypt.generateKey();
             } catch (NoSuchAlgorithmException e) {
                 throw new EntityCryptoException(e);
             }
         }

         @Override
         protected String getHashedKeyName(String originalKeyName) {
             return HashCrypt.digestHash64("SHA", originalKeyName.getBytes());
         }

         @Override
         protected String getKeyMapPrefix(String hashedKeyName) {
             return "{salted-base64}";
         }

         @Override
         protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
             byte[] keyBytes = Base64.decodeBase64(keyText);
             if (kek != null) {
                 keyBytes = DesCrypt.decrypt(kek, keyBytes);
             }
             return keyBytes;
         }

         @Override
         protected String encodeKey(byte[] key) throws GeneralException {
             if (kek != null) {
                 key = DesCrypt.encrypt(kek, key);
             }
             return Base64.encodeBase64String(key);
         }

         @Override
         protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
             byte[] allBytes = DesCrypt.decrypt(DesCrypt.getDesKey(key), Base64.decodeBase64(encryptedString));
             int length = allBytes[0];
             byte[] objBytes = new byte[allBytes.length - 1 - length];
             System.arraycopy(allBytes, 1 + length, objBytes, 0, objBytes.length);
             return objBytes;
         }

         @Override
         protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
             byte[] saltBytes;
             switch (encryptMethod) {
                 case SALT:
                     Random random = new SecureRandom();
                     // random length 5-16
                     saltBytes = new byte[5 + random.nextInt(11)];
                     random.nextBytes(saltBytes);
                     break;
                 default:
                     saltBytes = new byte[0];
                     break;
             }
             byte[] allBytes = new byte[1 + saltBytes.length + objBytes.length];
             allBytes[0] = (byte) saltBytes.length;
             System.arraycopy(saltBytes, 0, allBytes, 1, saltBytes.length);
             System.arraycopy(objBytes, 0, allBytes, 1 + saltBytes.length, objBytes.length);
             String result = Base64.encodeBase64String(DesCrypt.encrypt(DesCrypt.getDesKey(key), allBytes));
             return result;
         }
     };
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.ofbiz.entity.util;

	import java.io.IOException;
	import java.security.Key;
	import java.security.NoSuchAlgorithmException;
	import java.security.SecureRandom;
	import java.util.Random;
	import java.util.concurrent.Callable;
	import java.util.concurrent.ConcurrentHashMap;
	import java.util.concurrent.ConcurrentMap;

	import org.apache.commons.codec.binary.Base64;
	import org.apache.shiro.crypto.AesCipherService;
	import org.apache.shiro.crypto.OperationMode;
	import org.apache.shiro.crypto.hash.DefaultHashService;
	import org.apache.shiro.crypto.hash.HashRequest;
	import org.apache.shiro.crypto.hash.HashService;
	import org.apache.ofbiz.base.crypto.DesCrypt;
	import org.apache.ofbiz.base.crypto.HashCrypt;
	import org.apache.ofbiz.base.util.Debug;
	import org.apache.ofbiz.base.util.GeneralException;
	import org.apache.ofbiz.base.util.StringUtil;
	import org.apache.ofbiz.base.util.UtilObject;
	import org.apache.ofbiz.base.util.UtilValidate;
	import org.apache.ofbiz.entity.Delegator;
	import org.apache.ofbiz.entity.EntityCryptoException;
	import org.apache.ofbiz.entity.GenericEntityException;
	import org.apache.ofbiz.entity.GenericValue;
	import org.apache.ofbiz.entity.model.ModelField.EncryptMethod;
	import org.apache.ofbiz.entity.transaction.TransactionUtil;

	public final class EntityCrypto {

	public static final String module = EntityCrypto.class.getName();

	protected final Delegator delegator;
	protected final ConcurrentMap<String, byte[]> keyMap = new ConcurrentHashMap<String, byte[]>();
	protected final StorageHandler[] handlers;

	public EntityCrypto(Delegator delegator, String kekText) throws EntityCryptoException {
	this.delegator = delegator;
	byte[] kek;
	kek = UtilValidate.isNotEmpty(kekText) ? Base64.decodeBase64(kekText) : null;
	handlers = new StorageHandler[] {
	new ShiroStorageHandler(kek),
	new SaltedBase64StorageHandler(kek),
	NormalHashStorageHandler,
	OldFunnyHashStorageHandler,
	};
	}

	public void clearKeyCache() {
	keyMap.clear();
	}

	/** Encrypts an Object into an encrypted hex encoded String */
	@Deprecated
	public String encrypt(String keyName, Object obj) throws EntityCryptoException {
	return encrypt(keyName, EncryptMethod.TRUE, obj);
	}

	/** Encrypts an Object into an encrypted hex encoded String */
	public String encrypt(String keyName, EncryptMethod encryptMethod, Object obj) throws EntityCryptoException {
	try {
	byte[] key = this.findKey(keyName, handlers[0]);
	if (key == null) {
	EntityCryptoException caught = null;
	try {
	this.createKey(keyName, handlers[0], encryptMethod);
	} catch (EntityCryptoException e) {
	// either a database read error, or a duplicate key insert
	// if the latter, try to fetch the value created by the
	// other thread.
	caught = e;
	} finally {
	try {
	key = this.findKey(keyName, handlers[0]);
	} catch (EntityCryptoException e) {
	// this is bad, couldn't lookup the value, some bad juju
	// is occurring; rethrow the original exception if available
	throw caught != null ? caught : e;
	}
	if (key == null) {
	// this is also bad, couldn't find any key
	throw caught != null ? caught : new EntityCryptoException("could not lookup key (" + keyName + ") after creation");
	}
	}
	}
	return handlers[0].encryptValue(encryptMethod, key, UtilObject.getBytes(obj));
	} catch (GeneralException e) {
	throw new EntityCryptoException(e);
	}
	}

	// NOTE: this is definitely for debugging purposes only, do not uncomment in production server for security reasons:
	// if you uncomment this, then change the real decrypt method to _decrypt.
	/*
	public Object decrypt(String keyName, String encryptedString) throws EntityCryptoException {
	Object result = _decrypt(keyName, encryptedString);
	Debug.logInfo("Decrypted value [%s] to result: %s", module, encryptedString, decryptedObj);
	return result;
	}
	*/

	/** Decrypts a hex encoded String into an Object */
	public Object decrypt(String keyName, EncryptMethod encryptMethod, String encryptedString) throws EntityCryptoException {
	try {
	return doDecrypt(keyName, encryptMethod, encryptedString, handlers[0]);
	} catch (GeneralException e) {
	Debug.logInfo("Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", module);
	for (int i = 1; i < handlers.length; i++) {
	try {
	// try using the old/bad hex encoding approach; this is another path the code may take, ie if there is an exception thrown in decrypt
	return doDecrypt(keyName, encryptMethod, encryptedString, handlers[i]);
	} catch (GeneralException e1) {
	// NOTE: this throws the original exception back, not the new one if it fails using the other approach
	//throw new EntityCryptoException(e);
	}
	}
	throw new EntityCryptoException(e);
	}
	}

	protected Object doDecrypt(String keyName, EncryptMethod encryptMethod, String encryptedString, StorageHandler handler) throws GeneralException {
	byte[] key = this.findKey(keyName, handler);
	if (key == null) {
	throw new EntityCryptoException("key(" + keyName + ") not found in database");
	}
	byte[] decryptedBytes = handler.decryptValue(key, encryptMethod, encryptedString);
	try {
	return UtilObject.getObjectException(decryptedBytes);
	} catch (ClassNotFoundException e) {
	throw new GeneralException(e);
	} catch (IOException e) {
	throw new GeneralException(e);
	}
	}

	protected byte[] findKey(String originalKeyName, StorageHandler handler) throws EntityCryptoException {
	String hashedKeyName = handler.getHashedKeyName(originalKeyName);
	String keyMapName = handler.getKeyMapPrefix(hashedKeyName) + hashedKeyName;
	if (keyMap.containsKey(keyMapName)) {
	return keyMap.get(keyMapName);
	}
	// it's ok to run the bulk of this method unlocked or
	// unprotected; since the same result will occur even if
	// multiple threads request the same key, there is no
	// need to protected this block of code.

	GenericValue keyValue = null;
	try {
	keyValue = EntityQuery.use(delegator).from("EntityKeyStore").where("keyName", hashedKeyName).queryOne();
	} catch (GenericEntityException e) {
	throw new EntityCryptoException(e);
	}
	if (keyValue == null \|\| keyValue.get("keyText") == null) {
	return null;
	}
	try {
	byte[] keyBytes = handler.decodeKeyBytes(keyValue.getString("keyText"));
	keyMap.putIfAbsent(keyMapName, keyBytes);
	// Do not remove the next line, it's there to handle the
	// case of multiple threads trying to find the same key
	// both threads will do the findOne call, only one will
	// succeed at the putIfAbsent, but both will then fetch
	// the same value with the following get().
	return keyMap.get(keyMapName);
	} catch (GeneralException e) {
	throw new EntityCryptoException(e);
	}
	}

	protected void createKey(String originalKeyName, StorageHandler handler, EncryptMethod encryptMethod) throws EntityCryptoException {
	String hashedKeyName = handler.getHashedKeyName(originalKeyName);
	Key key = handler.generateNewKey();
	final GenericValue newValue = delegator.makeValue("EntityKeyStore");
	try {
	newValue.set("keyText", handler.encodeKey(key.getEncoded()));
	} catch (GeneralException e) {
	throw new EntityCryptoException(e);
	}
	newValue.set("keyName", hashedKeyName);

	try {
	TransactionUtil.doNewTransaction(new Callable<Void>() {
	public Void call() throws Exception {
	delegator.create(newValue);
	return null;
	}
	}, "storing encrypted key", 0, true);
	} catch (GenericEntityException e) {
	throw new EntityCryptoException(e);
	}
	}

	protected abstract static class StorageHandler {
	protected abstract Key generateNewKey() throws EntityCryptoException;

	protected abstract String getHashedKeyName(String originalKeyName);
	protected abstract String getKeyMapPrefix(String hashedKeyName);

	protected abstract byte[] decodeKeyBytes(String keyText) throws GeneralException;
	protected abstract String encodeKey(byte[] key) throws GeneralException;

	protected abstract byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException;
	protected abstract String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException;
	}

	protected static final class ShiroStorageHandler extends StorageHandler {
	private final HashService hashService;
	private final AesCipherService cipherService;
	private final AesCipherService saltedCipherService;
	private final byte[] kek;

	protected ShiroStorageHandler(byte[] kek) {
	hashService = new DefaultHashService();
	cipherService = new AesCipherService();
	cipherService.setMode(OperationMode.ECB);
	saltedCipherService = new AesCipherService();
	this.kek = kek;
	}

	@Override
	protected Key generateNewKey() {
	return saltedCipherService.generateNewKey();
	}

	@Override
	protected String getHashedKeyName(String originalKeyName) {
	HashRequest hashRequest = new HashRequest.Builder().setSource(originalKeyName).build();
	return hashService.computeHash(hashRequest).toBase64();
	}

	@Override
	protected String getKeyMapPrefix(String hashedKeyName) {
	return "{shiro}";
	}

	@Override
	protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
	byte[] keyBytes = Base64.decodeBase64(keyText);
	if (kek != null) {
	keyBytes = saltedCipherService.decrypt(keyBytes, kek).getBytes();
	}
	return keyBytes;
	}

	@Override
	protected String encodeKey(byte[] key) throws GeneralException {
	if (kek != null) {
	return saltedCipherService.encrypt(key, kek).toBase64();
	} else {
	return Base64.encodeBase64String(key);
	}
	}

	@Override
	protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
	switch (encryptMethod) {
	case SALT:
	return saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes();
	default:
	return cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes();
	}
	}

	@Override
	protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
	switch (encryptMethod) {
	case SALT:
	return saltedCipherService.encrypt(objBytes, key).toBase64();
	default:
	return cipherService.encrypt(objBytes, key).toBase64();
	}
	}
	}

	protected static abstract class LegacyStorageHandler extends StorageHandler {
	@Override
	protected Key generateNewKey() throws EntityCryptoException {
	try {
	return DesCrypt.generateKey();
	} catch (NoSuchAlgorithmException e) {
	throw new EntityCryptoException(e);
	}
	}

	@Override
	protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
	return StringUtil.fromHexString(keyText);
	}

	@Override
	protected String encodeKey(byte[] key) {
	return StringUtil.toHexString(key);
	}

	@Override
	protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
	return DesCrypt.decrypt(DesCrypt.getDesKey(key), StringUtil.fromHexString(encryptedString));
	}

	@Override
	protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
	return StringUtil.toHexString(DesCrypt.encrypt(DesCrypt.getDesKey(key), objBytes));
	}
	};

	protected static final StorageHandler OldFunnyHashStorageHandler = new LegacyStorageHandler() {
	@Override
	protected String getHashedKeyName(String originalKeyName) {
	return HashCrypt.digestHashOldFunnyHex(null, originalKeyName);
	}

	@Override
	protected String getKeyMapPrefix(String hashedKeyName) {
	return "{funny-hash}";
	}
	};

	protected static final StorageHandler NormalHashStorageHandler = new LegacyStorageHandler() {
	@Override
	protected String getHashedKeyName(String originalKeyName) {
	return HashCrypt.digestHash("SHA", originalKeyName.getBytes());
	}

	@Override
	protected String getKeyMapPrefix(String hashedKeyName) {
	return "{normal-hash}";
	}
	};

	protected static final class SaltedBase64StorageHandler extends StorageHandler {
	private final Key kek;

	protected SaltedBase64StorageHandler(byte[] kek) throws EntityCryptoException {
	Key key = null;
	if (kek != null) {
	try {
	key = DesCrypt.getDesKey(kek);
	} catch (GeneralException e) {
	Debug.logInfo("Invalid key-encryption-key specified for SaltedBase64StorageHandler; the key is probably valid for the newer ShiroStorageHandler", module);
	}
	}
	this.kek = key;
	}

	@Override
	protected Key generateNewKey() throws EntityCryptoException {
	try {
	return DesCrypt.generateKey();
	} catch (NoSuchAlgorithmException e) {
	throw new EntityCryptoException(e);
	}
	}

	@Override
	protected String getHashedKeyName(String originalKeyName) {
	return HashCrypt.digestHash64("SHA", originalKeyName.getBytes());
	}

	@Override
	protected String getKeyMapPrefix(String hashedKeyName) {
	return "{salted-base64}";
	}

	@Override
	protected byte[] decodeKeyBytes(String keyText) throws GeneralException {
	byte[] keyBytes = Base64.decodeBase64(keyText);
	if (kek != null) {
	keyBytes = DesCrypt.decrypt(kek, keyBytes);
	}
	return keyBytes;
	}

	@Override
	protected String encodeKey(byte[] key) throws GeneralException {
	if (kek != null) {
	key = DesCrypt.encrypt(kek, key);
	}
	return Base64.encodeBase64String(key);
	}

	@Override
	protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException {
	byte[] allBytes = DesCrypt.decrypt(DesCrypt.getDesKey(key), Base64.decodeBase64(encryptedString));
	int length = allBytes[0];
	byte[] objBytes = new byte[allBytes.length - 1 - length];
	System.arraycopy(allBytes, 1 + length, objBytes, 0, objBytes.length);
	return objBytes;
	}

	@Override
	protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException {
	byte[] saltBytes;
	switch (encryptMethod) {
	case SALT:
	Random random = new SecureRandom();
	// random length 5-16
	saltBytes = new byte[5 + random.nextInt(11)];
	random.nextBytes(saltBytes);
	break;
	default:
	saltBytes = new byte[0];
	break;
	}
	byte[] allBytes = new byte[1 + saltBytes.length + objBytes.length];
	allBytes[0] = (byte) saltBytes.length;
	System.arraycopy(saltBytes, 0, allBytes, 1, saltBytes.length);
	System.arraycopy(objBytes, 0, allBytes, 1 + saltBytes.length, objBytes.length);
	String result = Base64.encodeBase64String(DesCrypt.encrypt(DesCrypt.getDesKey(key), allBytes));
	return result;
	}
	};
	}