use of com.sun.identity.security.keystore.AMPassword in project OpenAM by OpenRock.
The class SecureLogHelperJSSImpl, method writeToSecretStore.
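/**
 * Writes {@code cryptoMaterial} to the PKCS12 secret store at {@code filename},
 * rebuilding the store's contents in the process. Because the store is
 * rewritten from scratch, entries that must survive are re-read from the
 * existing file first and copied into the new one: for the logger file (once
 * initialised) a key write carries the current signature along and a
 * signature write carries the current key; for either store, any write other
 * than the initial key re-adds the stored initial key.
 *
 * @param cryptoMaterial the data to store
 * @param filename the PKCS12 file to (re)write
 * @param password the store password; the PKCS12 password is derived from it
 * @param dataType the kind of entry being written: one of {@code initialKey},
 *        {@code currentKey} or {@code currentSignature}
 * @throws Exception if reading the existing entries or writing the new store fails
 */
void writeToSecretStore(byte[] cryptoMaterial, String filename, AMPassword password, String dataType) throws Exception {
    Password jssPasswd = deriveStorePassword(password);
    try {
        // Start building the new contents by carrying over the older content first.
        AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();

        // Only the logger's file keeps a key/signature pair that must be preserved.
        if (filename.equals(logFileName) && loggerInitialized) {
            String counterpartType = null;
            if (dataType.equals(currentSignature)) {
                // Writing a signature: keep the current key.
                counterpartType = currentKey;
            } else if (dataType.equals(currentKey)) {
                // Writing a key: keep the current signature.
                counterpartType = currentSignature;
            }
            if (counterpartType != null) {
                byte[] counterpart = readFromSecretStore(logFileName, counterpartType, password);
                if (counterpart != null) {
                    addEncryptedSafe(newAuthSafes, jssPasswd, counterpart, counterpartType);
                }
            }
        }

        // Not the first write to this store: the initial key must survive the rewrite.
        if (filename.equals(logFileName) && loggerInitialized && !dataType.equals(initialKey)) {
            carryOverInitialKey(newAuthSafes, jssPasswd, filename, password);
        }
        if (filename.equals(verifierFileName) && verifierInitialized && !dataType.equals(initialKey)) {
            carryOverInitialKey(newAuthSafes, jssPasswd, filename, password);
        }

        // Add the new contents last.
        addEncryptedSafe(newAuthSafes, jssPasswd, cryptoMaterial, dataType);

        PFX newpfx = new PFX(newAuthSafes);
        // NOTE(review): 5 MAC iterations is very low for PBKDF-style key stretching;
        // the count is recorded in the PFX so readers do not depend on it, but it
        // was left unchanged here to keep the on-disk format identical.
        newpfx.computeMacData(jssPasswd, null, 5);

        // Write the new PFX out, closing the stream even if encoding fails.
        FileOutputStream fos = new FileOutputStream(filename);
        try {
            newpfx.encode(fos);
        } finally {
            fos.close();
        }
    } finally {
        // Scrub the derived password from memory once the store has been written.
        jssPasswd.clear();
    }
}

/**
 * Derives the PKCS12 store password from the caller-supplied password.
 * The password bytes are hashed with "SHA" (the JCA alias for SHA-1) and the
 * raw digest is decoded as UTF-8 to obtain the character password.
 *
 * NOTE(review): decoding arbitrary digest bytes as UTF-8 is lossy — invalid
 * sequences are replaced by U+FFFD — so the effective password carries less
 * than the digest's entropy. It is kept as-is because changing the derivation
 * would make every existing store unreadable.
 *
 * @param password the caller-supplied store password
 * @return the derived JSS password
 * @throws Exception if the digest algorithm or charset is unavailable
 */
private Password deriveStorePassword(AMPassword password) throws Exception {
    MessageDigest md = MessageDigest.getInstance("SHA");
    byte[] digest = md.digest(password.getByteCopy());
    return new Password(new String(digest, "UTF-8").toCharArray());
}

/**
 * Wraps {@code data} as a safe-contents entry of kind {@code dataType} and
 * adds it to {@code safes}, encrypted under {@code jssPasswd}.
 *
 * @throws Exception if building or encrypting the entry fails
 */
private void addEncryptedSafe(AuthenticatedSafes safes, Password jssPasswd, byte[] data, String dataType) throws Exception {
    SEQUENCE safeContents = AddToSecretStore(data, dataType);
    safes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, safeContents);
}

/**
 * Re-adds the initial key stored in {@code filename}, if one can be read, so
 * that it survives the store being rewritten.
 *
 * @throws Exception if reading the key or adding it to {@code safes} fails
 */
private void carryOverInitialKey(AuthenticatedSafes safes, Password jssPasswd, String filename, AMPassword password) throws Exception {
    byte[] key = readFromSecretStore(filename, initialKey, password);
    if (key != null) {
        addEncryptedSafe(safes, jssPasswd, key, initialKey);
    }
}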
use of com.sun.identity.security.keystore.AMPassword in project OpenAM by OpenRock.
The class SecureLogHelper, method initializeSecureLogHelper.
/**
 * Initialises the logger side of the secure log. On first use a fresh MACing
 * key is generated and stored in the logger's secret store (once as the
 * initial key and once as the current key) and in the verifier's secret store
 * under the verifier password; the verifier file is later overwritten with the
 * Auditor-supplied password when the Auditor logs in for the first time. If the
 * logger store already exists, the current key is read back from it instead.
 * This method should be called only once for a given initial key.
 *
 * @param loggerFileName the logger's secret-store file
 * @param LoggerPassword the password for the logger's secret store
 * @param verFileName the verifier's secret-store file
 * @param verifierPassword the password for the verifier's secret store
 * @throws Exception if the store cannot be initialised, written or read
 */
public synchronized void initializeSecureLogHelper(String loggerFileName, AMPassword LoggerPassword, String verFileName, AMPassword verifierPassword) throws Exception {
    // Record the store locations and logger password before probing the store.
    logFileName = loggerFileName;
    verifierFileName = verFileName;
    loggerPass = LoggerPassword;
    loggerInitialized = isInitialized(loggerFileName, loggerPass);

    if (loggerInitialized) {
        // Store exists: reuse the key it already holds.
        if (Debug.messageEnabled()) {
            Debug.message(logFileName + " Logger Module is already " + " initialized");
        }
        currentLoggerKey = readFromSecretStore(loggerFileName, currentKey, loggerPass);
        return;
    }

    initializeKeyStoreManager(LoggerPassword);

    // Generate the initial MACing key.
    // NOTE(review): DESede is a legacy algorithm; it is retained here because the
    // key material format is shared with the rest of the secure-log code.
    SecretKey freshKey = KeyGenerator.getInstance("DESede").generateKey();
    currentLoggerKey = freshKey.getEncoded();

    // A public/private key pair would be preferable, but JSS limitations led to
    // storing the generated key in a PKCS12 store under an initial password. The
    // logger store is written twice: the initialKey entry stays fixed while the
    // currentKey entry changes over time. The verifier copy is written under the
    // verifier's password, which is replaced when the Auditor logs in.
    writeToSecretStore(currentLoggerKey, loggerFileName, loggerPass, initialKey);
    loggerInitialized = true;
    writeToSecretStore(currentLoggerKey, loggerFileName, loggerPass, currentKey);
    writeToSecretStore(currentLoggerKey, verifierFileName, verifierPassword, initialKey);
}