use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class SecureLogHelperJSSImpl method readFromSecretStore.
/**
* Returns matched secret data from from the secret Storage.
* At a time there are only 3 things in logger's secure store file
* - initialkey, currentkey and current signature
* In the verifier secure store file there is just the initial key of the
* logger and the currentKey
* @param filename file for secret storage
* @param dataType The kind of data to be read, whether it is a
* signature or a key
* @param password password for the file
* @return secure data that is matched with dataType
* @throws Exception if it fails to read secret data from secret store
*/
byte[] readFromSecretStore(String filename, String dataType, AMPassword password) throws Exception {
// open input file for reading
FileInputStream infile = null;
infile = new FileInputStream(filename);
// Decode the P12 file
PFX.Template pfxt = new PFX.Template();
PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048));
// Verify the MAC on the PFX. This is important to be sure
// it hasn't been tampered with.
StringBuffer reason = new StringBuffer();
MessageDigest md = MessageDigest.getInstance("SHA");
Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
md.reset();
if (!pfx.verifyAuthSafes(jssPasswd, reason)) {
throw new Exception("AuthSafes failed to verify because: " + reason.toString());
}
AuthenticatedSafes authSafes = pfx.getAuthSafes();
SEQUENCE safeContentsSequence = authSafes.getSequence();
byte[] cryptoData = null;
// Loop over contents of the authenticated safes
for (int i = 0; i < safeContentsSequence.size(); i++) {
// The safeContents may or may not be encrypted. We always send
// the password in. It will get used if it is needed. If the
// decryption of the safeContents fails for some reason (like
// a bad password), then this method will throw an exception
SEQUENCE safeContents = authSafes.getSafeContentsAt(jssPasswd, i);
SafeBag safeBag = null;
ASN1Value val = null;
// Go through all the bags in this SafeContents
for (int j = 0; j < safeContents.size(); j++) {
safeBag = (SafeBag) safeContents.elementAt(j);
// look for bag attributes and then choose the key
SET attribs = safeBag.getBagAttributes();
if (attribs == null) {
Debug.error("Bag has no attributes");
} else {
for (int b = 0; b < attribs.size(); b++) {
Attribute a = (Attribute) attribs.elementAt(b);
if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
// the friendly name attribute is a nickname
BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
if (dataType.equals(bs.toString())) {
// look at the contents of the bag
val = safeBag.getInterpretedBagContent();
break;
}
}
}
}
}
if (val instanceof ANY)
cryptoData = ((ANY) val).getContents();
}
// Close the file
infile.close();
return cryptoData;
}
use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class SecureLogHelperJSSImpl method writeToSecretStore.
/**
* Writes to the secret Storage. If the data to be written is a key, then
* writes the older signature also. If it is a signature then writes the
* older key also
* @param cryptoMaterial The data to be written to the secret storage
* @param filename The file for secret storage
* @param password The password for the file
* @param dataType The kind of cryptoMaterial, whether it is a signature
* or a key
* @throws Exception if it fails to write secret data from secret store
*/
void writeToSecretStore(byte[] cryptoMaterial, String filename, AMPassword password, String dataType) throws Exception {
byte[] oldDataFromSecretStorage = null;
String oldDataType = null;
MessageDigest md = MessageDigest.getInstance("SHA");
Password jssPasswd = new Password(new String(md.digest(password.getByteCopy()), "UTF-8").toCharArray());
md.reset();
// Do this only when the logger's file is being used
if (filename.equals(logFileName) && loggerInitialized) {
// current signature in the PKCS12 file
if (dataType.equals(currentSignature)) {
oldDataFromSecretStorage = readFromSecretStore(logFileName, currentKey, password);
oldDataType = currentKey;
} else if (dataType.equals(currentKey)) {
// need to read the currentSignature
// for the same reason as above
oldDataFromSecretStorage = readFromSecretStore(logFileName, currentSignature, password);
oldDataType = currentSignature;
}
}
// Start building the new contents by adding the older content first
AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();
if (oldDataFromSecretStorage != null) {
SEQUENCE oldSafeContents = AddToSecretStore(oldDataFromSecretStorage, oldDataType);
// Add the old contents to the existing safe
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, oldSafeContents);
}
// not being added for the first time
if ((filename.equals(logFileName)) && !dataType.equals(initialKey) && loggerInitialized) {
byte[] key = readFromSecretStore(filename, initialKey, password);
if (key != null) {
SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
}
}
if ((filename.equals(verifierFileName)) && !dataType.equals(initialKey) && verifierInitialized) {
byte[] key = readFromSecretStore(filename, initialKey, password);
if (key != null) {
SEQUENCE initialKeySafeContents = AddToSecretStore(key, initialKey);
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, initialKeySafeContents);
}
}
// Add the new contents
SEQUENCE encSafeContents = AddToSecretStore(cryptoMaterial, dataType);
// Add the new contents to the existing safe
newAuthSafes.addEncryptedSafeContents(PBEAlgorithm.PBE_SHA1_DES3_CBC, jssPasswd, null, AuthenticatedSafes.DEFAULT_ITERATIONS, encSafeContents);
PFX newpfx = new PFX(newAuthSafes);
newpfx.computeMacData(jssPasswd, null, 5);
// write the new PFX out to the logger
FileOutputStream fos = new FileOutputStream(filename);
newpfx.encode(fos);
fos.close();
}
use of org.mozilla.jss.util.Password in project OpenAM by OpenRock.
the class JSSEncryption method initSymmetricKeysAndInitializationVectors.
private void initSymmetricKeysAndInitializationVectors(String password) {
sKeys = new SymmetricKey[NUM_KEYGEN_ALG];
ivParamSpecs = new IVParameterSpec[NUM_KEYGEN_ALG];
byte[] salt = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
Password pass = new Password(password.toCharArray());
for (int i = 0; i < NUM_KEYGEN_ALG; i++) {
try {
PBEAlgorithm keyAlg = getKeyGenAlg(KEYGEN_ALGS[i]);
KeyGenerator kg = mToken.getKeyGenerator(keyAlg);
PBEKeyGenParams kgp = new PBEKeyGenParams(pass, salt, 5);
kg.initialize(kgp);
sKeys[i] = kg.generate();
ivParamSpecs[i] = new IVParameterSpec(kg.generatePBE_IV());
if (debug.messageEnabled()) {
debug.message("Created symKey successfully : " + KEYGEN_ALGS[i]);
}
} catch (Exception e) {
debug.error("Failed creating symKey : " + KEYGEN_ALGS[i], e);
}
}
pass.clear();
}
Aggregations