X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fcrypto%2FPasswordBasedEncryption.java;fp=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fcrypto%2FPasswordBasedEncryption.java;h=aec25ac1728225367fefe9b0a3110f00191ca36f;hb=10ed6557c631d5feee8541badd0c9f16a9e791c6;hp=0000000000000000000000000000000000000000;hpb=864072113f7a44fd2a291a4cb50659d6e67f8c29;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.security.core/src/org/argeo/security/crypto/PasswordBasedEncryption.java b/org.argeo.security.core/src/org/argeo/security/crypto/PasswordBasedEncryption.java
new file mode 100644
index 000000000..aec25ac17
--- /dev/null
+++ b/org.argeo.security.core/src/org/argeo/security/crypto/PasswordBasedEncryption.java
@@ -0,0 +1,259 @@
+/*
+ * Copyright (C) 2007-2012 Argeo GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.argeo.security.crypto;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.Security;
+
+import javax.crypto.Cipher;
+import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.argeo.ArgeoException;
+import org.argeo.StreamUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+/** Simple password based encryption / decryption */
+public class PasswordBasedEncryption {
+	private final static Log log = LogFactory
+			.getLog(PasswordBasedEncryption.class);
+
+	static {
+		Security.addProvider(new BouncyCastleProvider());
+	}
+
+	public final static Integer DEFAULT_ITERATION_COUNT = 1024;
+	/** Stronger with 256, but causes problem with Oracle JVM */
+	public final static Integer DEFAULT_SECRETE_KEY_LENGTH = 256;
+	public final static Integer DEFAULT_SECRETE_KEY_LENGTH_RESTRICTED = 128;
+	public final static String DEFAULT_SECRETE_KEY_FACTORY = "PBKDF2WithHmacSHA1";
+	public final static String DEFAULT_SECRETE_KEY_ENCRYPTION = "AES";
+	public final static String DEFAULT_CIPHER_NAME = "AES/CBC/PKCS5Padding";
+	public final static String DEFAULT_CHARSET = "UTF-8";
+
+	private Integer iterationCount = DEFAULT_ITERATION_COUNT;
+	private Integer secreteKeyLength = DEFAULT_SECRETE_KEY_LENGTH;
+	private String secreteKeyFactoryName = DEFAULT_SECRETE_KEY_FACTORY;
+	private String secreteKeyEncryption = DEFAULT_SECRETE_KEY_ENCRYPTION;
+	private String cipherName = DEFAULT_CIPHER_NAME;
+
+	private static byte[] DEFAULT_SALT_8 = { (byte) 0xA9, (byte) 0x9B,
+			(byte) 0xC8, (byte) 0x32, (byte) 0x56, (byte) 0x35, (byte) 0xE3,
+			(byte) 0x03 };
+	private static byte[] DEFAULT_IV_16 = { (byte) 0xA9, (byte) 0x9B,
+			(byte) 0xC8, (byte) 0x32, (byte) 0x56, (byte) 0x35, (byte) 0xE3,
+			(byte) 0x03, (byte) 0xA9, (byte) 0x9B, (byte) 0xC8, (byte) 0x32,
+			(byte) 0x56, (byte) 0x35, (byte) 0xE3, (byte) 0x03 };
+
+	private Key key;
+	private Cipher ecipher;
+	private Cipher dcipher;
+
+	/**
+	 * Default provider is bouncy castle, in order to have consistent behaviour
+	 * across implementations
+	 */
+	private String securityProviderName = "BC";
+
+	/**
+	 * This is up to the caller to clear the passed array. Neither copy of nor
+	 * reference to the passed array is kept
+	 */
+	public PasswordBasedEncryption(char[] password) {
+		this(password, DEFAULT_SALT_8, DEFAULT_IV_16);
+	}
+
+	/**
+	 * This is up to the caller to clear the passed array. Neither copies of nor
+	 * references to the passed arrays are kept
+	 */
+	public PasswordBasedEncryption(char[] password, byte[] passwordSalt,
+			byte[] initializationVector) {
+		try {
+			initKeyAndCiphers(password, passwordSalt, initializationVector);
+		} catch (InvalidKeyException e) {
+			Integer previousSecreteKeyLength = secreteKeyLength;
+			secreteKeyLength = DEFAULT_SECRETE_KEY_LENGTH_RESTRICTED;
+			log.warn("'" + e.getMessage() + "', will use " + secreteKeyLength
+					+ " secrete key length instead of "
+					+ previousSecreteKeyLength);
+			try {
+				initKeyAndCiphers(password, passwordSalt, initializationVector);
+			} catch (Exception e1) {
+				throw new ArgeoException(
+						"Cannot get secret key (with restricted length)", e1);
+			}
+		} catch (Exception e) {
+			throw new ArgeoException("Cannot get secret key", e);
+		}
+	}
+
+	protected void initKeyAndCiphers(char[] password, byte[] passwordSalt,
+			byte[] initializationVector) throws GeneralSecurityException {
+		byte[] salt = new byte[8];
+		System.arraycopy(passwordSalt, 0, salt, 0, salt.length);
+		// for (int i = 0; i < password.length && i < salt.length; i++)
+		// salt[i] = (byte) password[i];
+		byte[] iv = new byte[16];
+		System.arraycopy(initializationVector, 0, iv, 0, iv.length);
+
+		SecretKeyFactory keyFac = SecretKeyFactory
+				.getInstance(getSecretKeyFactoryName());
+		PBEKeySpec keySpec = new PBEKeySpec(password, salt,
+				getIterationCount(), getKeyLength());
+		String secKeyEncryption = getSecretKeyEncryption();
+		if (secKeyEncryption != null) {
+			SecretKey tmp = keyFac.generateSecret(keySpec);
+			key = new SecretKeySpec(tmp.getEncoded(), getSecretKeyEncryption());
+		} else {
+			key = keyFac.generateSecret(keySpec);
+		}
+		ecipher = Cipher.getInstance(getCipherName(), securityProviderName);
+		ecipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
+		dcipher = Cipher.getInstance(getCipherName());
+		dcipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
+	}
+
+	public void encrypt(InputStream decryptedIn, OutputStream encryptedOut)
+			throws IOException {
+		try {
+			CipherOutputStream out = new CipherOutputStream(encryptedOut,
+					ecipher);
+			StreamUtils.copy(decryptedIn, out);
+			StreamUtils.closeQuietly(out);
+		} catch (IOException e) {
+			throw e;
+		} catch (Exception e) {
+			throw new ArgeoException("Cannot encrypt", e);
+		} finally {
+			StreamUtils.closeQuietly(decryptedIn);
+		}
+	}
+
+	public void decrypt(InputStream encryptedIn, OutputStream decryptedOut)
+			throws IOException {
+		try {
+			CipherInputStream decryptedIn = new CipherInputStream(encryptedIn,
+					dcipher);
+			StreamUtils.copy(decryptedIn, decryptedOut);
+		} catch (IOException e) {
+			throw e;
+		} catch (Exception e) {
+			throw new ArgeoException("Cannot decrypt", e);
+		} finally {
+			StreamUtils.closeQuietly(encryptedIn);
+		}
+	}
+
+	public byte[] encryptString(String str) {
+		ByteArrayOutputStream out = null;
+		ByteArrayInputStream in = null;
+		try {
+			out = new ByteArrayOutputStream();
+			in = new ByteArrayInputStream(str.getBytes(DEFAULT_CHARSET));
+			encrypt(in, out);
+			return out.toByteArray();
+		} catch (Exception e) {
+			throw new ArgeoException("Cannot encrypt", e);
+		} finally {
+			StreamUtils.closeQuietly(out);
+		}
+	}
+
+	/** Closes the input stream */
+	public String decryptAsString(InputStream in) {
+		ByteArrayOutputStream out = null;
+		try {
+			out = new ByteArrayOutputStream();
+			decrypt(in, out);
+			return new String(out.toByteArray(), DEFAULT_CHARSET);
+		} catch (Exception e) {
+			throw new ArgeoException("Cannot decrypt", e);
+		} finally {
+			StreamUtils.closeQuietly(out);
+		}
+	}
+
+	protected Key getKey() {
+		return key;
+	}
+
+	protected Cipher getEcipher() {
+		return ecipher;
+	}
+
+	protected Cipher getDcipher() {
+		return dcipher;
+	}
+
+	protected Integer getIterationCount() {
+		return iterationCount;
+	}
+
+	protected Integer getKeyLength() {
+		return secreteKeyLength;
+	}
+
+	protected String getSecretKeyFactoryName() {
+		return secreteKeyFactoryName;
+	}
+
+	protected String getSecretKeyEncryption() {
+		return secreteKeyEncryption;
+	}
+
+	protected String getCipherName() {
+		return cipherName;
+	}
+
+	public void setIterationCount(Integer iterationCount) {
+		this.iterationCount = iterationCount;
+	}
+
+	public void setSecreteKeyLength(Integer keyLength) {
+		this.secreteKeyLength = keyLength;
+	}
+
+	public void setSecreteKeyFactoryName(String secreteKeyFactoryName) {
+		this.secreteKeyFactoryName = secreteKeyFactoryName;
+	}
+
+	public void setSecreteKeyEncryption(String secreteKeyEncryption) {
+		this.secreteKeyEncryption = secreteKeyEncryption;
+	}
+
+	public void setCipherName(String cipherName) {
+		this.cipherName = cipherName;
+	}
+
+	public void setSecurityProviderName(String securityProviderName) {
+		this.securityProviderName = securityProviderName;
+	}
+}