Example 6 with AMPassword

use of com.sun.identity.security.keystore.AMPassword in project OpenAM by OpenRock.

the class SecureLogHelperJSSImpl method writeToSecretStore.

/**
 * Writes to the secret storage. If the data to be written is a key, then
 * the older signature is written along with it; if it is a signature, then
 * the older key is written along with it, so the PKCS12 file always holds
 * both.
 * @param cryptoMaterial The data to be written to the secret storage
 * @param filename The file for secret storage
 * @param password The password for the file
 * @param dataType The kind of cryptoMaterial, whether it is a signature
 * or a key
 * @throws Exception if it fails to write secret data to the secret store
 */
void writeToSecretStore(byte[] cryptoMaterial, String filename, AMPassword password, String dataType) throws Exception {
    byte[] oldDataFromSecretStorage = null;
    String oldDataType = null;
    // "SHA" is SHA-1 in the JDK. The raw 20-byte digest is then decoded as UTF-8 text:
    // digest bytes that do not form valid UTF-8 sequences are silently replaced by U+FFFD,
    // so the PKCS12 password carries less than the digest's 160 bits and several distinct
    // digests can map to the same password. A hex or Base64 encoding would be lossless.
    MessageDigest md = MessageDigest.getInstance("SHA");
    Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
    md.reset();
    // Do this only when the logger's file is being used
    if (filename.equals(logFileName) && loggerInitialized) {
        // current signature in the PKCS12 file
        if (dataType.equals(currentSignature)) {
            // a new signature is being written, so carry the existing current key over
            oldDataFromSecretStorage = readFromSecretStore(logFileName, currentKey, password);
            oldDataType = currentKey;
        } else if (dataType.equals(currentKey)) {
            // a new key is being written, so carry the existing current signature over
            oldDataFromSecretStorage = readFromSecretStore(logFileName, currentSignature, password);
            oldDataType = currentSignature;
        }
    }
    // Start building the new contents by adding the older content first.
    // Each item goes into its own encrypted SafeContents; PBE_SHA1_DES3_CBC is the
    // legacy PKCS#12 PBE scheme (SHA-1 based KDF, 3DES-CBC) that the project uses.
    AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
    if (oldDataFromSecretStorage != null) {
        SEQUENCE oldSafeContents = AddToSecretStore(oldDataFromSecretStorage, oldDataType);
        // Add the old contents to the existing safe
        newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, oldSafeContents);
    }
    // The initial key is preserved on every rewrite of an already initialized file,
    // except when the initial key itself is the item being written for the first time.
    if ((filename.equals(logFileName)) && !dataType.equals(initialKey) && loggerInitialized) {
        byte[] key = readFromSecretStore(filename, initialKey, password);
        if (key != null) {
            SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
            newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
        }
    }
    if ((filename.equals(verifierFileName)) && !dataType.equals(initialKey) && verifierInitialized) {
        byte[] key = readFromSecretStore(filename, initialKey, password);
        if (key != null) {
            SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
            newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
        }
    }
    // Add the new contents
    SEQUENCE encSafeContents = AddToSecretStore(cryptoMaterial, dataType);
    // Add the new contents to the existing safe
    newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, encSafeContents);
    PFX newpfx = new PFX(newAuthSafes);
    // Integrity MAC over the whole PFX, keyed from the same password. Five KDF
    // iterations is very low by current standards; readers verify this MAC on load.
    newpfx.computeMacData(jssPasswd, null, 5);
    // Write the new PFX out to the logger. The file is replaced wholesale, not appended to;
    // try-with-resources closes the stream even when encode() throws.
    try (FileOutputStream fos = new FileOutputStream(filename)) {
        newpfx.encode(fos);
    }
}
Also used : PFX(org.mozilla.jss.pkcs12.PFX) SEQUENCE(org.mozilla.jss.asn1.SEQUENCE) FileOutputStream(java.io.FileOutputStream) BMPString(org.mozilla.jss.asn1.BMPString) MessageDigest(java.security.MessageDigest) AMPassword(com.sun.identity.security.keystore.AMPassword) Password(org.mozilla.jss.util.Password) AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)
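The password derivation above decodes raw SHA-1 digest bytes as UTF-8 text before handing them to JSS. The following program, an added example that is not OpenAM or JSS code, reproduces that derivation with the JDK alone, counts the U+FFFD replacement characters it produces, checks whether the derived text still round-trips to the digest, and shows a lossless Base64 encoding of the digest for comparison. The sample password and the class and method names are constructed for this demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class DerivedPasswordCheck {

    /** Same derivation as writeToSecretStore: SHA-1 digest bytes decoded as UTF-8 text. */
    static char[] deriveAsOnPage(byte[] passwordBytes) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA").digest(passwordBytes); // "SHA" is SHA-1
        // String(byte[], Charset) replaces every malformed sequence with U+FFFD without an error
        return new String(digest, StandardCharsets.UTF_8).toCharArray();
    }

    /** Lossless variant: encode the digest so every bit of it reaches the PBE KDF. */
    static char[] deriveLossless(byte[] passwordBytes) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(passwordBytes);
        return Base64.getEncoder().encodeToString(digest).toCharArray();
    }

    /** Number of replacement characters, i.e. digest bytes that no longer influence the password. */
    static int countReplacementChars(char[] derived) {
        int n = 0;
        for (char c : derived) {
            if (c == '\uFFFD') {
                n++;
            }
        }
        return n;
    }

    /** True only if re-encoding the derived text yields the digest, i.e. nothing was lost. */
    static boolean roundTrips(byte[] digest, char[] derived) {
        return Arrays.equals(new String(derived).getBytes(StandardCharsets.UTF_8), digest);
    }

    public static void main(String[] args) throws Exception {
        // constructed sample input standing in for AMPassword.getByteCopy()
        byte[] pw = "constructed-sample-password".getBytes(StandardCharsets.UTF_8);

        byte[] sha1 = MessageDigest.getInstance("SHA").digest(pw);
        char[] onPage = deriveAsOnPage(pw);
        System.out.printf("SHA-1 digest: %d bytes, derived password: %d chars, U+FFFD replacements: %d%n",
                sha1.length, onPage.length, countReplacementChars(onPage));
        // For 20 random-looking bytes this is almost always false: the digest is not valid UTF-8.
        System.out.println("page derivation round-trips to the digest: " + roundTrips(sha1, onPage));

        byte[] sha256 = MessageDigest.getInstance("SHA-256").digest(pw);
        char[] lossless = deriveLossless(pw);
        boolean base64RoundTrips = Arrays.equals(Base64.getDecoder().decode(new String(lossless)), sha256);
        System.out.println("Base64 derivation round-trips to the digest: " + base64RoundTrips);
    }
}
```

Run it with `javac DerivedPasswordCheck.java && java DerivedPasswordCheck`. The replacement count varies with the input, but any count above zero means the PKCS12 password is weaker than the digest it was meant to carry, and every digest whose bytes differ only inside replaced positions yields the same password. Since the PKCS12 PBE already runs a KDF over the password, hashing it beforehand buys nothing; if a transform is wanted at all, it should be a lossless text encoding.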

Example 7 with AMPassword

use of com.sun.identity.security.keystore.AMPassword in project OpenAM by OpenRock.

the class SecureLogHelper method initializeSecureLogHelper.

/**
 * Initializes the logger by generating a new MACing key and storing it in
 * the secure storage.
 * Also creates a file for the verifier, protected by the verifier password
 * passed in here. That file is overwritten with a new verifier (Auditor)
 * supplied password when the Auditor logs into the system for the first
 * time.
 * This method should be called only once for a given initial key.
 * @param loggerFileName Logger secret-store file (written as a JSS PKCS12
 * file, although the project comment calls it JCEKS)
 * @param LoggerPassword The password for the logger secret-store file
 * @param verFileName Verifier secret-store file
 * @param verifierPassword The password for the verifier secret-store file
 * @throws Exception if it fails to initialize SecureLogHelper
 */
public synchronized void initializeSecureLogHelper(String loggerFileName, AMPassword LoggerPassword, String verFileName, AMPassword verifierPassword) throws Exception {
    logFileName = loggerFileName;
    verifierFileName = verFileName;
    loggerPass = LoggerPassword;
    AMPassword tempVerifierPass = verifierPassword;
    loggerInitialized = isInitialized(loggerFileName, loggerPass);
    if (!loggerInitialized) {
        initializeKeyStoreManager(LoggerPassword);
        // Generate an initial key. A DESede (3DES) KeyGenerator yields 24 bytes of
        // key material (parity bits included); only the raw bytes are kept and they
        // serve as MAC key material, not for 3DES encryption.
        KeyGenerator keygen = KeyGenerator.getInstance("DESede");
        SecretKey k0 = keygen.generateKey();
        currentLoggerKey = k0.getEncoded();
        // Store the key securely.
        // Should use a public / private keypair but limitations of JSS
        // prevent this, hence a PKCS12 store holds the generated key.
        // The key is stored with an initial password; for the verifier file
        // this password is changed when the verifier is initialized (the
        // Auditor logs in). The logger's PKCS12 file is written twice because
        // the initialKey remains the same while the currentKey changes.
        // First write: loggerInitialized is still false, so writeToSecretStore
        // creates the logger file holding only initialKey.
        writeToSecretStore(currentLoggerKey, loggerFileName, loggerPass, initialKey);
        loggerInitialized = true;
        // Second write: with loggerInitialized set, writeToSecretStore reads
        // initialKey back from the file and writes it alongside currentKey.
        writeToSecretStore(currentLoggerKey, loggerFileName, loggerPass, currentKey);
        // The verifier's copy of the initial key lives in its own file under the
        // verifier password, so the Auditor never needs the logger password.
        writeToSecretStore(currentLoggerKey, verifierFileName, tempVerifierPass, initialKey);
    } else {
        if (Debug.messageEnabled()) {
            Debug.message(logFileName + " Logger Module is already initialized");
        }
        // Already initialized: the current MAC key is whatever the store holds now
        currentLoggerKey = readFromSecretStore(loggerFileName, currentKey, loggerPass);
    }
}
Also used : SecretKey(javax.crypto.SecretKey) AMPassword(com.sun.identity.security.keystore.AMPassword) KeyGenerator(javax.crypto.KeyGenerator)
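The initialization above amounts to: generate one MAC key, write it under two aliases into the logger's password-protected PKCS12 file, and write the initialKey alias alone into a second file under the verifier's password. The program below, an added example rather than OpenAM code, reproduces that layout with the JDK's own PKCS12 KeyStore instead of JSS, so it runs without the project. The alias strings, passwords and file contents are constructed; it generates an HmacSHA256 key where the project generates DESede key material, and that substitution is a deliberate choice for the example. It then checks that the verifier's copy matches the logger's current key, that the verifier password does not open the logger file, and that a corrupted file fails the PKCS12 integrity check on load.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SecureLogKeyStoreDemo {
    // alias names follow the page's initialKey / currentKey vocabulary; the values are assumed
    static final String INITIAL_KEY = "initialKey";
    static final String CURRENT_KEY = "currentKey";

    /** Build a password-protected PKCS12 store holding the same key under each alias. */
    static byte[] writeSecretStore(char[] password, SecretKey key, String... aliases) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty store
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        for (String alias : aliases) {
            ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), prot);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password); // encrypts the key bags and appends the integrity MAC
        return out.toByteArray();
    }

    /** Read one entry back; load() verifies the PKCS12 MAC under the given password first. */
    static byte[] readFromSecretStore(byte[] pkcs12, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(pkcs12), password);
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
        return entry == null ? null : ((KeyStore.SecretKeyEntry) entry).getSecretKey().getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // k0: the initial MAC key (HmacSHA256 here; the project generates DESede key bytes)
        SecretKey k0 = KeyGenerator.getInstance("HmacSHA256").generateKey();
        char[] loggerPass = "logger-password-constructed".toCharArray();
        char[] verifierPass = "verifier-password-constructed".toCharArray();

        // logger file: initialKey and currentKey start out as the same key
        byte[] loggerStore = writeSecretStore(loggerPass, k0, INITIAL_KEY, CURRENT_KEY);
        // verifier file: only initialKey, under the verifier's own password
        byte[] verifierStore = writeSecretStore(verifierPass, k0, INITIAL_KEY);

        byte[] current = readFromSecretStore(loggerStore, loggerPass, CURRENT_KEY);
        byte[] verifierCopy = readFromSecretStore(verifierStore, verifierPass, INITIAL_KEY);
        System.out.println("logger currentKey equals verifier initialKey: " + Arrays.equals(current, verifierCopy));
        System.out.println("verifier file holds currentKey: "
                + (readFromSecretStore(verifierStore, verifierPass, CURRENT_KEY) != null));

        // the verifier password must not open the logger file
        try {
            readFromSecretStore(loggerStore, verifierPass, INITIAL_KEY);
            System.out.println("unexpected: logger store opened with the verifier password");
        } catch (IOException e) {
            System.out.println("logger store rejects the verifier password: " + e.getMessage());
        }

        // a modified file must fail the integrity check, which is what computeMacData buys
        byte[] tampered = loggerStore.clone();
        tampered[tampered.length / 2] ^= 0x01;
        try {
            readFromSecretStore(tampered, loggerPass, CURRENT_KEY);
            System.out.println("unexpected: tampered store loaded");
        } catch (Exception e) {
            System.out.println("tampered store rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with `javac SecureLogKeyStoreDemo.java && java SecureLogKeyStoreDemo`. The JDK keystore chooses its own PBE algorithms and iteration counts, which is the main practical difference from the JSS path on this page, where the caller picks PBE_SHA1_DES3_CBC and a MAC iteration count of 5 by hand.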
