diff options
Diffstat (limited to 'id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java')
| -rw-r--r-- | id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java | 84 |
1 files changed, 68 insertions, 16 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java index cfc371f03..acc2a7273 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SessionEncrytionUtil.java @@ -1,33 +1,79 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ package at.gv.egovernment.moa.id.util; +import iaik.security.cipher.PBEKey; +import iaik.security.spec.PBEKeyAndParameterSpec; + +import java.security.SecureRandom; import java.security.spec.KeySpec; import javax.crypto.Cipher; +import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.SecretKeySpec; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; +import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.logging.Logger; public class SessionEncrytionUtil { - static SecretKey secret = null; - + private static final String CIPHER_MODE = "AES/CBC/PKCS5Padding"; + private static final String KEYNAME = "AES"; + + static private SecretKey secret = null; + static { try { String key = AuthConfigurationProvider.getInstance().getMOASessionEncryptionKey(); if (key != null) { - SecretKeyFactory factory; - factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); - KeySpec spec = new PBEKeySpec(key.toCharArray(), "TestSALT".getBytes(), 1024, 128); - SecretKey tmp = factory.generateSecret(spec); - secret = new SecretKeySpec(tmp.getEncoded(), "AES"); + PBEKeySpec keySpec = new PBEKeySpec(key.toCharArray()); + SecretKeyFactory factory = SecretKeyFactory.getInstance("PKCS#5", "IAIK"); + PBEKey pbeKey = (PBEKey)factory.generateSecret(keySpec); + + SecureRandom random = new SecureRandom(); + KeyGenerator pbkdf2 = KeyGenerator.getInstance("PBKDF2", "IAIK"); + + PBEKeyAndParameterSpec parameterSpec = + new PBEKeyAndParameterSpec(pbeKey.getEncoded(), + "TestSALT".getBytes(), + 2000, + 16); + + pbkdf2.init(parameterSpec, random); + SecretKey derivedKey = pbkdf2.generateKey(); + + SecretKeySpec spec = new SecretKeySpec(derivedKey.getEncoded(), KEYNAME); + SecretKeyFactory kf = SecretKeyFactory.getInstance(KEYNAME, "IAIK"); + secret = kf.generateSecret(spec); } else { Logger.warn("MOASession encryption is deaktivated."); @@ -39,41 +85,47 @@ public class SessionEncrytionUtil { } - public static byte[] encrypt(byte[] data) throws BuildException { + public static EncryptedData encrypt(byte[] data) throws BuildException { Cipher cipher; if (secret != null) { try { - cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); cipher.init(Cipher.ENCRYPT_MODE, secret); Logger.debug("Encrypt MOASession"); - return cipher.doFinal(data); + + byte[] encdata = cipher.doFinal(data); + byte[] iv = cipher.getIV(); + + return new EncryptedData(encdata, iv); } catch (Exception e) { Logger.warn("MOASession is not encrypted",e); throw new BuildException("MOASession is not encrypted", new Object[]{}, e); } } else - return data; + return new EncryptedData(data, null); } - public static byte[] decrypt(byte[] data) throws BuildException { + public static byte[] decrypt(EncryptedData data) throws BuildException { Cipher cipher; if (secret != null) { try { - cipher = Cipher.getInstance("AES/ECB/"+"ISO10126Padding"); - cipher.init(Cipher.DECRYPT_MODE, secret); + IvParameterSpec iv = new IvParameterSpec(data.getIv()); + + cipher = Cipher.getInstance(CIPHER_MODE, "IAIK"); + cipher.init(Cipher.DECRYPT_MODE, secret, iv); Logger.debug("Decrypt MOASession"); - return cipher.doFinal(data); + return cipher.doFinal(data.getEncData()); } catch (Exception e) { Logger.warn("MOASession is not decrypted",e); throw new BuildException("MOASession is not decrypted", new Object[]{}, e); } } else - return data; + return data.getEncData(); } } |