import java.io.Reader;
import java.io.Writer;
import java.security.AccessController;
+import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Iterator;
* Setup the keyring persistently, {@link #isSetup()} must return true
* afterwards
*/
- protected abstract void setup();
+ protected abstract void setup(char[] password);
/** Populates the key spec callback */
protected abstract void handleKeySpecCallback(PBEKeySpecCallback pbeCallback);
try {
writer = new OutputStreamWriter(out, charset);
writer.write(arr);
+ writer.flush();
in = new ByteArrayInputStream(out.toByteArray());
set(path, in);
} catch (IOException e) {
this.charset = charset;
}
+ protected static byte[] hash(char[] password, byte[] salt,
+ Integer iterationCount) {
+ ByteArrayOutputStream out = null;
+ OutputStreamWriter writer = null;
+ try {
+ out = new ByteArrayOutputStream();
+ writer = new OutputStreamWriter(out, "UTF-8");
+ writer.write(password);
+ MessageDigest pwDigest = MessageDigest.getInstance("SHA-256");
+ pwDigest.reset();
+ pwDigest.update(salt);
+ byte[] btPass = pwDigest.digest(out.toByteArray());
+ for (int i = 0; i < iterationCount; i++) {
+ pwDigest.reset();
+ btPass = pwDigest.digest(btPass);
+ }
+ return btPass;
+ } catch (Exception e) {
+ throw new ArgeoException("Cannot hash", e);
+ } finally {
+ StreamUtils.closeQuietly(out);
+ StreamUtils.closeQuietly(writer);
+ }
+
+ }
+
class KeyringCallbackHandler implements CallbackHandler {
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
defaultCallbackHandler.handle(dialogCbs);
}
- if (passwordCb.getPassword() != null)// not cancelled
- setup();
+ if (passwordCb.getPassword() != null) {// not cancelled
+ setup(passwordCb.getPassword());
+ }
}
if (passwordCb.getPassword() != null)
byte[] salt = { (byte) 0xc7, (byte) 0x73, (byte) 0x21, (byte) 0x8c,
(byte) 0x7e, (byte) 0xc8, (byte) 0xee, (byte) 0x99 };
+ byte[] iv = { (byte) 0xc7, (byte) 0x73, (byte) 0x21, (byte) 0x8c,
+ (byte) 0x7e, (byte) 0xc8, (byte) 0xee, (byte) 0x99,
+ (byte) 0xc7, (byte) 0x73, (byte) 0x21, (byte) 0x8c,
+ (byte) 0x7e, (byte) 0xc8, (byte) 0xee, (byte) 0x99 };
int count = 1024;
// int keyLength = 256;
SecretKey tmp = keyFac.generateSecret(pbeKeySpec);
SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES");
Cipher ecipher = Cipher.getInstance(cipherAlgorithm);
- ecipher.init(Cipher.ENCRYPT_MODE, secret);
- AlgorithmParameters params = ecipher.getParameters();
- byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
+ ecipher.init(Cipher.ENCRYPT_MODE, secret, new IvParameterSpec(iv));
+
+ // decrypt
+ keyFac = SecretKeyFactory.getInstance(secretKeyAlgorithm);
+ pbeKeySpec = new PBEKeySpec(password.toCharArray(), salt, count,
+ keyLength);
+ tmp = keyFac.generateSecret(pbeKeySpec);
+ secret = new SecretKeySpec(tmp.getEncoded(), "AES");
+ // AlgorithmParameters params = ecipher.getParameters();
+ // byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV();
Cipher dcipher = Cipher.getInstance(cipherAlgorithm);
dcipher.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv));
package org.argeo.jcr.security;
import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.AlgorithmParameters;
+import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
+import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.jcr.Binary;
}
@Override
- protected void setup() {
+ protected void setup(char[] password) {
Binary binary = null;
InputStream in = null;
try {
binary = session.getValueFactory().createBinary(in);
keyring.setProperty(ARGEO_SALT, binary);
- Long iterationCount = username.length() * 200l;
+ Integer iterationCount = username.length() * 200;
keyring.setProperty(ARGEO_ITERATION_COUNT, iterationCount);
// default algo
keyring.setProperty(ARGEO_SECRET_KEY_ENCRYPTION, "AES");
keyring.setProperty(ARGEO_CIPHER, "AES/CBC/PKCS5Padding");
+ // encrypted password hash
+ // IOUtils.closeQuietly(in);
+ // JcrUtils.closeQuietly(binary);
+ // byte[] btPass = hash(password, salt, iterationCount);
+ // in = new ByteArrayInputStream(btPass);
+ // binary = session.getValueFactory().createBinary(in);
+ // keyring.setProperty(ARGEO_PASSWORD, binary);
+
notYetSavedKeyring.set(keyring);
- } catch (RepositoryException e) {
+ } catch (Exception e) {
throw new ArgeoException("Cannot setup keyring", e);
} finally {
JcrUtils.closeQuietly(binary);
keyring = notYetSavedKeyring.get();
else
throw new ArgeoException("Keyring not setup");
+
pbeCallback.set(keyring.getProperty(ARGEO_SECRET_KEY_FACTORY)
.getString(), JcrUtils.getBinaryAsBytes(keyring
.getProperty(ARGEO_SALT)),
Binary binary = null;
InputStream in = null;
+ // ByteArrayOutputStream out = null;
+ // OutputStream encrypted = null;
try {
Cipher cipher = createCipher();
throw new ArgeoException("No node at " + path);
Node node = session.getNode(path);
node.addMixin(ArgeoTypes.ARGEO_ENCRYPTED);
- cipher.init(Cipher.ENCRYPT_MODE, secretKey);
- byte[] iv = cipher.getIV();
- if (iv != null) {
- JcrUtils.setBinaryAsBytes(node, ARGEO_IV, iv);
- }
+ SecureRandom random = new SecureRandom();
+ byte[] iv = new byte[16];
+ random.nextBytes(iv);
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey, new IvParameterSpec(iv));
+ // AlgorithmParameters params = cipher.getParameters();
+ // byte[] iv =
+ // params.getParameterSpec(IvParameterSpec.class).getIV();
+ // if (iv != null)
+ JcrUtils.setBinaryAsBytes(node, ARGEO_IV, iv);
+
+ // out = new ByteArrayOutputStream();
+ // // encrypted = new CipherOutputStream(out, cipher);
+ // IOUtils.copy(unencrypted, out);
+ // byte[] unenc = out.toByteArray();
+ // byte[] crypted = cipher.doFinal(unenc);
+
+ // Cipher decipher = createCipher();
+ // decipher.init(Cipher.DECRYPT_MODE, secretKey, new
+ // IvParameterSpec(
+ // iv));
+ // byte[] decrypted = decipher.doFinal(crypted);
+ // System.out.println("Password :'" + new String(decrypted) + "'");
+
+ // JcrUtils.setBinaryAsBytes(node, Property.JCR_DATA, crypted);
+
in = new CipherInputStream(unencrypted, cipher);
binary = session.getValueFactory().createBinary(in);
node.setProperty(Property.JCR_DATA, binary);
} catch (Exception e) {
throw new ArgeoException("Cannot encrypt", e);
} finally {
- IOUtils.closeQuietly(in);
+ // IOUtils.closeQuietly(out);
+ // IOUtils.closeQuietly(encrypted);
IOUtils.closeQuietly(unencrypted);
+ IOUtils.closeQuietly(in);
JcrUtils.closeQuietly(binary);
}
}
} else {
cipher.init(Cipher.DECRYPT_MODE, secretKey);
}
+
+ // byte[] arr = JcrUtils.getBinaryAsBytes(node
+ // .getProperty(Property.JCR_DATA));
+ // byte[] arr2 = cipher.doFinal(arr);
+ //
+ // return new ByteArrayInputStream(arr2);
+
binary = node.getProperty(Property.JCR_DATA).getBinary();
encrypted = binary.getStream();
return new CipherInputStream(encrypted, cipher);
} catch (Exception e) {
throw new ArgeoException("Cannot decrypt", e);
} finally {
- // IOUtils.closeQuietly(encrypted);
+ IOUtils.closeQuietly(encrypted);
JcrUtils.closeQuietly(binary);
}
}