| /* |
| * |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| * |
| */ |
| package org.apache.qpid.server.security.encryption; |
| |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.IOException; |
| import java.nio.charset.StandardCharsets; |
| import java.security.InvalidAlgorithmParameterException; |
| import java.security.InvalidKeyException; |
| import java.security.NoSuchAlgorithmException; |
| import java.security.SecureRandom; |
| |
| import javax.crypto.Cipher; |
| import javax.crypto.CipherInputStream; |
| import javax.crypto.NoSuchPaddingException; |
| import javax.crypto.SecretKey; |
| import javax.crypto.spec.IvParameterSpec; |
| import javax.xml.bind.DatatypeConverter; |
| |
| class AESKeyFileEncrypter implements ConfigurationSecretEncrypter |
| { |
| private static final String CIPHER_NAME = "AES/CBC/PKCS5Padding"; |
| private static final int AES_INITIALIZATION_VECTOR_LENGTH = 16; |
| private static final String AES_ALGORITHM = "AES"; |
| private final SecretKey _secretKey; |
| private final SecureRandom _random = new SecureRandom(); |
| |
| AESKeyFileEncrypter(SecretKey secretKey) |
| { |
| if(secretKey == null) |
| { |
| throw new NullPointerException("A non null secret key must be supplied"); |
| } |
| if(!AES_ALGORITHM.equals(secretKey.getAlgorithm())) |
| { |
| throw new IllegalArgumentException("Provided secret key was for the algorithm: " + secretKey.getAlgorithm() |
| + "when" + AES_ALGORITHM + "was needed."); |
| } |
| _secretKey = secretKey; |
| } |
| |
| @Override |
| public String encrypt(final String unencrypted) |
| { |
| byte[] unencryptedBytes = unencrypted.getBytes(StandardCharsets.UTF_8); |
| try |
| { |
| byte[] ivbytes = new byte[AES_INITIALIZATION_VECTOR_LENGTH]; |
| _random.nextBytes(ivbytes); |
| Cipher cipher = Cipher.getInstance(CIPHER_NAME); |
| cipher.init(Cipher.ENCRYPT_MODE, _secretKey, new IvParameterSpec(ivbytes)); |
| byte[] encryptedBytes = readFromCipherStream(unencryptedBytes, cipher); |
| byte[] output = new byte[AES_INITIALIZATION_VECTOR_LENGTH + encryptedBytes.length]; |
| System.arraycopy(ivbytes, 0, output, 0, AES_INITIALIZATION_VECTOR_LENGTH); |
| System.arraycopy(encryptedBytes, 0, output, AES_INITIALIZATION_VECTOR_LENGTH, encryptedBytes.length); |
| return DatatypeConverter.printBase64Binary(output); |
| } |
| catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) |
| { |
| throw new IllegalArgumentException("Unable to encrypt secret", e); |
| } |
| } |
| |
| @Override |
| public String decrypt(final String encrypted) |
| { |
| if(!isValidBase64(encrypted)) |
| { |
| throw new IllegalArgumentException("Encrypted value is not valid Base 64 data: '" + encrypted + "'"); |
| } |
| byte[] encryptedBytes = DatatypeConverter.parseBase64Binary(encrypted); |
| try |
| { |
| Cipher cipher = Cipher.getInstance(CIPHER_NAME); |
| |
| IvParameterSpec ivParameterSpec = new IvParameterSpec(encryptedBytes, 0, AES_INITIALIZATION_VECTOR_LENGTH); |
| |
| cipher.init(Cipher.DECRYPT_MODE, _secretKey, ivParameterSpec); |
| |
| return new String(readFromCipherStream(encryptedBytes, |
| AES_INITIALIZATION_VECTOR_LENGTH, |
| encryptedBytes.length - AES_INITIALIZATION_VECTOR_LENGTH, |
| cipher), StandardCharsets.UTF_8); |
| } |
| catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) |
| { |
| throw new IllegalArgumentException("Unable to decrypt secret", e); |
| } |
| } |
| |
| private boolean isValidBase64(final String encrypted) |
| { |
| return encrypted.matches("^([\\w\\d+/]{4})*([\\w\\d+/]{2}==|[\\w\\d+/]{3}=)?$"); |
| } |
| |
| |
| private byte[] readFromCipherStream(final byte[] unencryptedBytes, final Cipher cipher) throws IOException |
| { |
| return readFromCipherStream(unencryptedBytes, 0, unencryptedBytes.length, cipher); |
| } |
| |
| private byte[] readFromCipherStream(final byte[] unencryptedBytes, int offset, int length, final Cipher cipher) |
| throws IOException |
| { |
| final byte[] encryptedBytes; |
| try (CipherInputStream cipherInputStream = new CipherInputStream(new ByteArrayInputStream(unencryptedBytes, |
| offset, |
| length), cipher)) |
| { |
| byte[] buf = new byte[512]; |
| int pos = 0; |
| int read; |
| while ((read = cipherInputStream.read(buf, pos, buf.length - pos)) != -1) |
| { |
| pos += read; |
| if (pos == buf.length) |
| { |
| byte[] tmp = buf; |
| buf = new byte[buf.length + 512]; |
| System.arraycopy(tmp, 0, buf, 0, tmp.length); |
| } |
| } |
| encryptedBytes = new byte[pos]; |
| System.arraycopy(buf, 0, encryptedBytes, 0, pos); |
| } |
| return encryptedBytes; |
| } |
| |
| |
| |
| } |