0003405: Default to strong crypto and fall back if not available

JumpMind · Feb 3, 2018 · 09408ed · 09408ed
1 parent 128c158
commit 09408ed
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 31 deletions.
diff --git a/symmetric-util/src/main/java/org/jumpmind/security/SecurityConstants.java b/symmetric-util/src/main/java/org/jumpmind/security/SecurityConstants.java
@@ -46,12 +46,12 @@ public class SecurityConstants {
 
     public static final String PASSWORD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.+!*";
 
-	public static final String[] CIPHERS = new String[] { "AES/GCM/PKCS5Padding", "DESede/ECB/PKCS5Padding",
-			"DES/ECB/PKCS5Padding" };
+	public static final String[] CIPHERS = new String[] { "AES/GCM/PKCS5Padding", "AES/GCM/PKCS5Padding",
+			"DESede/ECB/PKCS5Padding", "DES/ECB/PKCS5Padding" };
 
-    public static final String[] KEYSPECS = new String[] { "AES", "DESede", "DES" };
+    public static final String[] KEYSPECS = new String[] { "AES", "AES", "DESede", "DES" };
 
-	public static final int[] BITSIZES = new int[] { 32, 25, 8 };
+	public static final int[] BYTESIZES = new int[] { 32, 16, 25, 8 };
 
     public static final int ITERATION_COUNT = 3;
 

diff --git a/symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java b/symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java
@@ -169,12 +169,12 @@ private String rot13(String text) {
     public Cipher getCipher(int mode) throws Exception {
         if (secretKey == null) {
             secretKey = getSecretKey();
-            log.info("Initialized with " + secretKey.getAlgorithm());
+            log.info("Initialized with {} {}-bit", secretKey.getAlgorithm(), secretKey.getEncoded().length * 8);
         }
         Cipher cipher = Cipher.getInstance(secretKey.getAlgorithm());
         initializeCipher(cipher, mode);
-        log.debug("Using {} algorithm provided by {}.", cipher.getAlgorithm(), cipher.getProvider()
-                .getName());
+        log.debug("Using {} algorithm {}-bit provided by {}.", cipher.getAlgorithm(), 
+        		secretKey.getEncoded().length * 8, cipher.getProvider().getName());
         return cipher;
     }
 
@@ -208,7 +208,6 @@ protected SecretKey getSecretKey() throws Exception {
         if (entry == null) {
             log.debug("Generating secret key");
             entry = new KeyStore.SecretKeyEntry(getDefaultSecretKey());
-            log.info("Generated secret key using " + entry.getSecretKey().getAlgorithm());
             ks.setEntry(SecurityConstants.ALIAS_SYM_SECRET_KEY, entry, param);
             saveKeyStore(ks, password);
         } else {
@@ -234,32 +233,33 @@ public String nextSecureHexString(int len) {
     }
 
     protected SecretKey getDefaultSecretKey() throws Exception {
-        SecureRandom random = new SecureRandom();
-        byte bytes[] = null; 
-
-        try {
-			bytes = new byte[SecurityConstants.BITSIZES[0]];
-			random.nextBytes(bytes);
-        	secretKey = new SecretKeySpec(bytes, SecurityConstants.KEYSPECS[0]);
-            initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[0]), Cipher.ENCRYPT_MODE);
-        } catch (Exception e) {
-        	try {
-				bytes = new byte[SecurityConstants.BITSIZES[1]];
-				random.nextBytes(bytes);	
-				SecretKeyFactory kf = SecretKeyFactory.getInstance(SecurityConstants.KEYSPECS[1]);
-				secretKey = kf.generateSecret(new DESedeKeySpec(bytes));
-				initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[1]), Cipher.ENCRYPT_MODE);
-        	} catch (Exception ee) {
-				bytes = new byte[SecurityConstants.BITSIZES[2]];
-				random.nextBytes(bytes);		
-				secretKey = new SecretKeySpec(bytes, SecurityConstants.KEYSPECS[2]);
-				initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[2]), Cipher.ENCRYPT_MODE);
-        	}
-        }
-
+    	for (int i = 0; i < SecurityConstants.CIPHERS.length; i++) {
+            try {
+            	if (SecurityConstants.CIPHERS[i].startsWith("DESede")) {
+					SecretKeyFactory kf = SecretKeyFactory.getInstance(SecurityConstants.KEYSPECS[i]);
+					secretKey = kf.generateSecret(new DESedeKeySpec(getBytes(SecurityConstants.BYTESIZES[i])));            		
+            	} else {
+            		secretKey = new SecretKeySpec(getBytes(SecurityConstants.BYTESIZES[i]), SecurityConstants.KEYSPECS[i]);
+            	}
+                initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[i]), Cipher.ENCRYPT_MODE);
+				log.info("Generated secret key using {} {}", SecurityConstants.CIPHERS[i],
+						SecurityConstants.BYTESIZES[i] * 8);
+                break;
+            } catch (Exception e) {
+            	log.debug("Cannot use {} {}-bit because: {}", SecurityConstants.CIPHERS[i],
+            			SecurityConstants.BYTESIZES[i] * 8, e.getMessage());
+            }
+    	} 
         return secretKey;
     }
 
+    protected byte[] getBytes(int byteSize) {
+    	SecureRandom random = new SecureRandom();
+    	byte[] bytes = new byte[byteSize];
+    	random.nextBytes(bytes);
+    	return bytes;    	
+    }
+
     protected void saveKeyStore(KeyStore ks, String password) throws Exception {
         FileOutputStream os = new FileOutputStream(
                 System.getProperty(SecurityConstants.SYSPROP_KEYSTORE));