Example 1 with Password
use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class SecureLogHelperJSSImpl method readFromSecretStore.
/**
* Returns matched secret data from from the secret Storage.
* At a time there are only 3 things in logger's secure store file
* - initialkey, currentkey and current signature
* In the verifier secure store file there is just the initial key of the
* logger and the currentKey
* @param filename file for secret storage
* @param dataType The kind of data to be read, whether it is a
* signature or a key
* @param password password for the file
* @return secure data that is matched with dataType
* @throws Exception if it fails to read secret data from secret store
*/
byte[] readFromSecretStore(String filename, String dataType, AMPassword password) throws Exception {
// open input file for reading
FileInputStream infile = null;
infile = new FileInputStream(filename);
// Decode the P12 file
PFX.Template pfxt = new PFX.Template();
PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048));
// Verify the MAC on the PFX. This is important to be sure
// it hasn't been tampered with.
StringBuffer reason = new StringBuffer();
MessageDigest md = MessageDigest.getInstance("SHA");
Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
md.reset();
if (!pfx.verifyAuthSafes(jssPasswd, reason)) {
throw new Exception("AuthSafes failed to verify because: " + reason.toString());
}
AuthenticatedSafes authSafes = pfx.getAuthSafes();
SEQUENCE safeContentsSequence = authSafes.getSequence();
byte[] cryptoData = null;
// Loop over contents of the authenticated safes
for (int i = 0; i < safeContentsSequence.size(); i++) {
// The safeContents may or may not be encrypted. We always send
// the password in. It will get used if it is needed. If the
// decryption of the safeContents fails for some reason (like
// a bad password), then this method will throw an exception
SEQUENCE safeContents = authSafes.getSafeContentsAt(jssPasswd, i);
SafeBag safeBag = null;
ASN1Value val = null;
// Go through all the bags in this SafeContents
for (int j = 0; j < safeContents.size(); j++) {
safeBag = (SafeBag) safeContents.elementAt(j);
// look for bag attributes and then choose the key
SET attribs = safeBag.getBagAttributes();
if (attribs == null) {
Debug.error("Bag has no attributes");
} else {
for (int b = 0; b < attribs.size(); b++) {
Attribute a = (Attribute) attribs.elementAt(b);
if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
// the friendly name attribute is a nickname
BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
if (dataType.equals(bs.toString())) {
// look at the contents of the bag
val = safeBag.getInterpretedBagContent();
break;
}
}
}
}
}
if (val instanceof ANY)
cryptoData = ((ANY) val).getContents();
}
// Close the file
infile.close();
return cryptoData;
}
Also used :
PFX(org.mozilla.jss.pkcs12.PFX)
SET(org.mozilla.jss.asn1.SET)
Attribute(org.mozilla.jss.pkix.primitive.Attribute)
BMPString(org.mozilla.jss.asn1.BMPString)
SafeBag(org.mozilla.jss.pkcs12.SafeBag)
ANY(org.mozilla.jss.asn1.ANY)
FileInputStream(java.io.FileInputStream)
AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)
ASN1Value(org.mozilla.jss.asn1.ASN1Value)
BufferedInputStream(java.io.BufferedInputStream)
SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)
MessageDigest(java.security.MessageDigest)
BMPString(org.mozilla.jss.asn1.BMPString)
AMPassword(com.sun.identity.security.keystore.AMPassword)
Password(org.mozilla.jss.util.Password)
Example 2 with Password
use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class SecureLogHelperJSSImpl method writeToSecretStore.
/**
* Writes to the secret Storage. If the data to be written is a key, then
* writes the older signature also. If it is a signature then writes the
* older key also
* @param cryptoMaterial The data to be written to the secret storage
* @param filename The file for secret storage
* @param password The password for the file
* @param dataType The kind of cryptoMaterial, whether it is a signature
* or a key
* @throws Exception if it fails to write secret data from secret store
*/
void writeToSecretStore(byte[] cryptoMaterial, String filename, AMPassword password, String dataType) throws Exception {
byte[] oldDataFromSecretStorage = null;
String oldDataType = null;
MessageDigest md = MessageDigest.getInstance("SHA");
Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
md.reset();
// Do this only when the logger's file is being used
if (filename.equals(logFileName) && loggerInitialized) {
// current signature in the PKCS12 file
if (dataType.equals(currentSignature)) {
oldDataFromSecretStorage = readFromSecretStore(logFileName, currentKey, password);
oldDataType = currentKey;
} else if (dataType.equals(currentKey)) {
// need to read the currentSignature
// for the same reason as above
oldDataFromSecretStorage = readFromSecretStore(logFileName, currentSignature, password);
oldDataType = currentSignature;
}
}
// Start building the new contents by adding the older content first
AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
if (oldDataFromSecretStorage != null) {
SEQUENCE oldSafeContents = AddToSecretStore(oldDataFromSecretStorage, oldDataType);
// Add the old contents to the existing safe
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, oldSafeContents);
}
// not being added for the first time
if ((filename.equals(logFileName)) && !dataType.equals(initialKey) && loggerInitialized) {
byte[] key = readFromSecretStore(filename, initialKey, password);
if (key != null) {
SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
}
}
if ((filename.equals(verifierFileName)) && !dataType.equals(initialKey) && verifierInitialized) {
byte[] key = readFromSecretStore(filename, initialKey, password);
if (key != null) {
SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
}
}
// Add the new contents
SEQUENCE encSafeContents = AddToSecretStore(cryptoMaterial, dataType);
// Add the new contents to the existing safe
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, encSafeContents);
PFX newpfx = new PFX(newAuthSafes);
newpfx.computeMacData(jssPasswd, null, 5);
// write the new PFX out to the logger
FileOutputStream fos = new FileOutputStream(filename);
newpfx.encode(fos);
fos.close();
}
Also used :
PFX(org.mozilla.jss.pkcs12.PFX)
SEQUENCE(org.mozilla.jss.asn1.SEQUENCE)
FileOutputStream(java.io.FileOutputStream)
BMPString(org.mozilla.jss.asn1.BMPString)
MessageDigest(java.security.MessageDigest)
AMPassword(com.sun.identity.security.keystore.AMPassword)
Password(org.mozilla.jss.util.Password)
AuthenticatedSafes(org.mozilla.jss.pkcs12.AuthenticatedSafes)
Example 3 with Password
use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class JSSEncryption method initSymmetricKeysAndInitializationVectors.
private void initSymmetricKeysAndInitializationVectors(String password) {
sKeys = new SymmetricKey[NUM_KEYGEN_ALG];
ivParamSpecs = new IVParameterSpec[NUM_KEYGEN_ALG];
byte[] salt = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
Password pass = new Password(password.toCharArray());
for (int i = 0; i < NUM_KEYGEN_ALG; i++) {
try {
PBEAlgorithm keyAlg = getKeyGenAlg(KEYGEN_ALGS[i]);
KeyGenerator kg = mToken.getKeyGenerator(keyAlg);
PBEKeyGenParams kgp = new PBEKeyGenParams(pass, salt, 5);
kg.initialize(kgp);
sKeys[i] = kg.generate();
ivParamSpecs[i] = new IVParameterSpec(kg.generatePBE_IV());
if (debug.messageEnabled()) {
debug.message("Created symKey successfully : " + KEYGEN_ALGS[i]);
}
} catch (Exception e) {
debug.error("Failed creating symKey : " + KEYGEN_ALGS[i], e);
}
}
pass.clear();
}
Also used :
PBEKeyGenParams(org.mozilla.jss.crypto.PBEKeyGenParams)
IVParameterSpec(org.mozilla.jss.crypto.IVParameterSpec)
PBEAlgorithm(org.mozilla.jss.crypto.PBEAlgorithm)
KeyGenerator(org.mozilla.jss.crypto.KeyGenerator)
Password(org.mozilla.jss.util.Password)
Aggregations
Password (org.mozilla.jss.util.Password)3
AMPassword (com.sun.identity.security.keystore.AMPassword)2
MessageDigest (java.security.MessageDigest)2
BMPString (org.mozilla.jss.asn1.BMPString)2
SEQUENCE (org.mozilla.jss.asn1.SEQUENCE)2
AuthenticatedSafes (org.mozilla.jss.pkcs12.AuthenticatedSafes)2
PFX (org.mozilla.jss.pkcs12.PFX)2
BufferedInputStream (java.io.BufferedInputStream)1
FileInputStream (java.io.FileInputStream)1
FileOutputStream (java.io.FileOutputStream)1
ANY (org.mozilla.jss.asn1.ANY)1
ASN1Value (org.mozilla.jss.asn1.ASN1Value)1
SET (org.mozilla.jss.asn1.SET)1
IVParameterSpec (org.mozilla.jss.crypto.IVParameterSpec)1
KeyGenerator (org.mozilla.jss.crypto.KeyGenerator)1
PBEAlgorithm (org.mozilla.jss.crypto.PBEAlgorithm)1
PBEKeyGenParams (org.mozilla.jss.crypto.PBEKeyGenParams)1
SafeBag (org.mozilla.jss.pkcs12.SafeBag)1
Attribute (org.mozilla.jss.pkix.primitive.Attribute)1
