Skip to content

Commit

Permalink
0003405: Default to strong crypto and fall back if not available
Browse files Browse the repository at this point in the history
  • Loading branch information
@erilong
erilong committed Feb 3, 2018
1 parent eef5152 commit a0a6e66
Show file tree
Hide file tree
Showing 5 changed files with 49 additions and 54 deletions.
2 changes: 1 addition & 1 deletion symmetric-assemble/common.gradle
View file
Expand Up @@ -193,7 +193,7 @@ subprojects { subproject ->
springVersion = '4.3.13.RELEASE'
jtdsVersion = '1.2.8'
voltDbVersion = '6.2'
bouncyCastleVersion = '1.58'
bouncyCastleVersion = '1.59'
animalSnifferVersion = '1.10'
jnaVersion = '4.1.0'
jettyVersion = project.property('jetty.version')
Expand Down
Binary file modified symmetric-server/src/main/deploy/security/cacerts
View file
Binary file not shown.
2 changes: 1 addition & 1 deletion symmetric-util/src/main/java/org/jumpmind/security/BouncyCastleSecurityService.java
View file
Expand Up @@ -40,7 +40,7 @@ public class BouncyCastleSecurityService extends SecurityService {

public KeyPair generateRSAKeyPair() throws Exception {
KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");
kpGen.initialize(1024, new SecureRandom());
kpGen.initialize(2048, new SecureRandom());
return kpGen.generateKeyPair();
}

Expand Down
9 changes: 8 additions & 1 deletion symmetric-util/src/main/java/org/jumpmind/security/SecurityConstants.java
View file
Expand Up @@ -43,8 +43,15 @@ public class SecurityConstants {
public static final String PREFIX_ENC = "enc:";

public static final String PREFIX_OBF = "obf:";

public static final String PASSWORD_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.+!*";

public static final String ALGORITHM = System.getProperty("sym.secret.key.defalt.algorithm","PBEWithMD5AndDES");
public static final String[] CIPHERS = new String[] { "AES/GCM/PKCS5Padding", "DESede/ECB/PKCS5Padding",
"DES/ECB/PKCS5Padding" };

public static final String[] KEYSPECS = new String[] { "AES", "DESede", "DES" };

public static final int[] BITSIZES = new int[] { 32, 25, 8 };

public static final int ITERATION_COUNT = 3;

Expand Down
90 changes: 39 additions & 51 deletions symmetric-util/src/main/java/org/jumpmind/security/SecurityService.java
View file
Expand Up @@ -24,18 +24,16 @@
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.KeySpec;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.NotImplementedException;
Expand All @@ -52,8 +50,6 @@ public class SecurityService implements ISecurityService {

protected SecretKey secretKey;

protected SecureRandom secRand;

protected SecurityService() {
}

Expand Down Expand Up @@ -160,13 +156,9 @@ private String rot13(String text) {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < text.length(); i++) {
char c = text.charAt(i);
if (c >= 'a' && c <= 'm') {
c += 13;
} else if (c >= 'A' && c <= 'M') {
if ((c >= 'a' && c <= 'm') || (c >= 'A' && c <= 'M')) {
c += 13;
} else if (c >= 'n' && c <= 'z') {
c -= 13;
} else if (c >= 'N' && c <= 'Z') {
} else if ((c >= 'n' && c <= 'z') || (c >= 'N' && c <= 'Z')) {
c -= 13;
}
sb.append(c);
Expand All @@ -177,6 +169,7 @@ private String rot13(String text) {
public Cipher getCipher(int mode) throws Exception {
if (secretKey == null) {
secretKey = getSecretKey();
log.info("Initialized with " + secretKey.getAlgorithm());
}
Cipher cipher = Cipher.getInstance(secretKey.getAlgorithm());
initializeCipher(cipher, mode);
Expand All @@ -188,16 +181,15 @@ public Cipher getCipher(int mode) throws Exception {
protected void initializeCipher(Cipher cipher, int mode) throws Exception {
AlgorithmParameterSpec paramSpec = Cipher.getMaxAllowedParameterSpec(cipher.getAlgorithm());

if (paramSpec instanceof PBEParameterSpec
|| (paramSpec == null && cipher.getAlgorithm().startsWith("PBE"))) {
if (paramSpec instanceof PBEParameterSpec || cipher.getAlgorithm().startsWith("PBE")) {
paramSpec = new PBEParameterSpec(SecurityConstants.SALT,
SecurityConstants.ITERATION_COUNT);
cipher.init(mode, secretKey, paramSpec);
} else if (paramSpec instanceof IvParameterSpec) {
paramSpec = new IvParameterSpec(SecurityConstants.SALT);
cipher.init(mode, secretKey, paramSpec);
} else {
cipher.init(mode, secretKey, (AlgorithmParameterSpec) null);
cipher.init(mode, secretKey);
}
}

Expand All @@ -216,6 +208,7 @@ protected SecretKey getSecretKey() throws Exception {
if (entry == null) {
log.debug("Generating secret key");
entry = new KeyStore.SecretKeyEntry(getDefaultSecretKey());
log.info("Generated secret key using " + entry.getSecretKey().getAlgorithm());
ks.setEntry(SecurityConstants.ALIAS_SYM_SECRET_KEY, entry, param);
saveKeyStore(ks, password);
} else {
Expand All @@ -224,51 +217,46 @@ protected SecretKey getSecretKey() throws Exception {
return entry.getSecretKey();
}

private SecureRandom getSecRan() {
if (secRand == null) {
secRand = new SecureRandom();
secRand.setSeed(System.currentTimeMillis());
}
return secRand;
}

public String nextSecureHexString(int len) {
if (len <= 0)
if (len <= 0) {
throw new IllegalArgumentException("length must be positive");
SecureRandom secRan = getSecRan();
MessageDigest alg = null;
try {
alg = MessageDigest.getInstance("SHA-1");
} catch (NoSuchAlgorithmException ex) {
return null;
}
alg.reset();
int numIter = len / 40 + 1;
StringBuffer outBuffer = new StringBuffer();
for (int iter = 1; iter < numIter + 1; iter++) {
byte randomBytes[] = new byte[40];
secRan.nextBytes(randomBytes);
alg.update(randomBytes);
byte hash[] = alg.digest();
for (int i = 0; i < hash.length; i++) {
Integer c = new Integer(hash[i]);
String hex = Integer.toHexString(c.intValue() + 128);
if (hex.length() == 1)
hex = "0" + hex;
outBuffer.append(hex);
}

SecureRandom random = new SecureRandom();
int maxInt = SecurityConstants.PASSWORD_CHARS.length();
char[] password = new char[len];

for (int i = 0; i < len; i++) {
password[i] = SecurityConstants.PASSWORD_CHARS.charAt(random.nextInt(maxInt));
}

return outBuffer.toString().substring(0, len);
return new String(password);
}

protected SecretKey getDefaultSecretKey() throws Exception {
String keyPassword = nextSecureHexString(8);
KeySpec keySpec = new PBEKeySpec(keyPassword.toCharArray(), SecurityConstants.SALT,
SecurityConstants.ITERATION_COUNT, 56);
SecretKey secretKey = SecretKeyFactory.getInstance(SecurityConstants.ALGORITHM)
.generateSecret(keySpec);
SecureRandom random = new SecureRandom();
byte bytes[] = null;

try {
bytes = new byte[SecurityConstants.BITSIZES[0]];
random.nextBytes(bytes);
secretKey = new SecretKeySpec(bytes, SecurityConstants.KEYSPECS[0]);
initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[0]), Cipher.ENCRYPT_MODE);
} catch (Exception e) {
try {
bytes = new byte[SecurityConstants.BITSIZES[1]];
random.nextBytes(bytes);
SecretKeyFactory kf = SecretKeyFactory.getInstance(SecurityConstants.KEYSPECS[1]);
secretKey = kf.generateSecret(new DESedeKeySpec(bytes));
initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[1]), Cipher.ENCRYPT_MODE);
} catch (Exception ee) {
bytes = new byte[SecurityConstants.BITSIZES[2]];
random.nextBytes(bytes);
secretKey = new SecretKeySpec(bytes, SecurityConstants.KEYSPECS[2]);
initializeCipher(Cipher.getInstance(SecurityConstants.CIPHERS[2]), Cipher.ENCRYPT_MODE);
}
}

return secretKey;
}

Expand Down

0 comments on commit a0a6e66

Please sign in to comment.