Author: kiwiwings
Date: Sat Feb 22 00:36:32 2020
New Revision: 1874351
URL: http://svn.apache.org/viewvc?rev=1874351&view=rev
Log:
Remove invalid agile certificate encryption
Removed:
poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestCertificateEncryption.java
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileDecryptor.java
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionVerifier.java
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptor.java
poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/AllPOIFSCryptoTests.java
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileDecryptor.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileDecryptor.java?rev=1874351&r1=1874350&r2=1874351&view=diff
==============================================================================
---
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileDecryptor.java
(original)
+++
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileDecryptor.java
Sat Feb 22 00:36:32 2020
@@ -27,14 +27,11 @@ import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
-import java.security.KeyPair;
import java.security.MessageDigest;
-import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
-import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.RC2ParameterSpec;
@@ -49,7 +46,6 @@ import org.apache.poi.poifs.crypt.Decryp
import org.apache.poi.poifs.crypt.EncryptionHeader;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.HashAlgorithm;
-import
org.apache.poi.poifs.crypt.agile.AgileEncryptionVerifier.AgileCertificateEntry;
import org.apache.poi.poifs.filesystem.DirectoryNode;
import org.apache.poi.poifs.filesystem.DocumentInputStream;
import org.apache.poi.util.LittleEndian;
@@ -90,7 +86,7 @@ public class AgileDecryptor extends Decr
byte[] pwHash = hashPassword(password, ver.getHashAlgorithm(),
ver.getSalt(), ver.getSpinCount());
- /**
+ /*
* encryptedVerifierHashInput: This attribute MUST be generated by
using the following steps:
* 1. Generate a random array of bytes with the number of bytes used
specified by the saltSize
* attribute.
@@ -108,7 +104,7 @@ public class AgileDecryptor extends Decr
MessageDigest hashMD = getMessageDigest(ver.getHashAlgorithm());
byte[] verifierHash = hashMD.digest(verfierInputEnc);
- /**
+ /*
* encryptedVerifierHashValue: This attribute MUST be generated by
using the following steps:
* 1. Obtain the hash value of the random array of bytes generated in
step 1 of the steps for
* encryptedVerifierHashInput.
@@ -123,7 +119,7 @@ public class AgileDecryptor extends Decr
byte[] verifierHashDec = hashInput(ver, pwHash, kHashedVerifierBlock,
ver.getEncryptedVerifierHash(), Cipher.DECRYPT_MODE);
verifierHashDec = getBlock0(verifierHashDec,
ver.getHashAlgorithm().hashSize);
- /**
+ /*
* encryptedKeyValue: This attribute MUST be generated by using the
following steps:
* 1. Generate a random array of bytes that is the same size as
specified by the
* Encryptor.KeyData.keyBits attribute of the parent element.
@@ -140,7 +136,7 @@ public class AgileDecryptor extends Decr
keyspec = getBlock0(keyspec, header.getKeySize()/8);
SecretKeySpec secretKey = new SecretKeySpec(keyspec,
header.getCipherAlgorithm().jceId);
- /**
+ /*
* 1. Obtain the intermediate key by decrypting the encryptedKeyValue
from a KeyEncryptor
* contained within the KeyEncryptors sequence. Use this key for
encryption operations in the
* remaining steps of this section.
@@ -159,7 +155,7 @@ public class AgileDecryptor extends Decr
byte[] hmacKey = cipher.doFinal(header.getEncryptedHmacKey());
hmacKey = getBlock0(hmacKey, header.getHashAlgorithm().hashSize);
- /**
+ /*
* 5. Generate an HMAC, as specified in [RFC2104], of the encrypted
form of the data (message),
* which the DataIntegrity element will verify by using the Salt
generated in step 2 as the key.
* Note that the entire EncryptedPackage stream (1), including the
StreamSize field, MUST be
@@ -183,69 +179,8 @@ public class AgileDecryptor extends Decr
}
}
- /**
- * instead of a password, it's also possible to decrypt via certificate.
- * Warning: this code is experimental and hasn't been validated
- *
- * @see <a
href="http://social.msdn.microsoft.com/Forums/en-US/cc9092bb-0c82-4b5b-ae21-abf643bdb37c/agile-encryption-with-certificates";>Agile
encryption with certificates</a>
- *
- * @param keyPair
- * @param x509
- * @return true, when the data can be successfully decrypted with the
given private key
- * @throws GeneralSecurityException
- */
- public boolean verifyPassword(KeyPair keyPair, X509Certificate x509)
throws GeneralSecurityException {
- AgileEncryptionVerifier ver =
(AgileEncryptionVerifier)getEncryptionInfo().getVerifier();
- AgileEncryptionHeader header =
(AgileEncryptionHeader)getEncryptionInfo().getHeader();
- HashAlgorithm hashAlgo = header.getHashAlgorithm();
- CipherAlgorithm cipherAlgo = header.getCipherAlgorithm();
- int blockSize = header.getBlockSize();
-
- AgileCertificateEntry ace = null;
- for (AgileCertificateEntry aceEntry : ver.getCertificates()) {
- if (x509.equals(aceEntry.x509)) {
- ace = aceEntry;
- break;
- }
- }
- if (ace == null) {
- return false;
- }
-
- Cipher cipher = Cipher.getInstance("RSA");
- cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
- byte[] keyspec = cipher.doFinal(ace.encryptedKey);
- SecretKeySpec secretKey = new SecretKeySpec(keyspec,
ver.getCipherAlgorithm().jceId);
-
- Mac x509Hmac = CryptoFunctions.getMac(hashAlgo);
- x509Hmac.init(secretKey);
- byte[] certVerifier = x509Hmac.doFinal(ace.x509.getEncoded());
-
- byte[] vec = CryptoFunctions.generateIv(hashAlgo, header.getKeySalt(),
kIntegrityKeyBlock, blockSize);
- cipher = getCipher(secretKey, cipherAlgo, header.getChainingMode(),
vec, Cipher.DECRYPT_MODE);
- byte[] hmacKey = cipher.doFinal(header.getEncryptedHmacKey());
- hmacKey = getBlock0(hmacKey, hashAlgo.hashSize);
-
- vec = CryptoFunctions.generateIv(hashAlgo, header.getKeySalt(),
kIntegrityValueBlock, blockSize);
- cipher = getCipher(secretKey, cipherAlgo, header.getChainingMode(),
vec, Cipher.DECRYPT_MODE);
- byte[] hmacValue = cipher.doFinal(header.getEncryptedHmacValue());
- hmacValue = getBlock0(hmacValue, hashAlgo.hashSize);
-
-
- if (Arrays.equals(ace.certVerifier, certVerifier)) {
- setSecretKey(secretKey);
- setIntegrityHmacKey(hmacKey);
- setIntegrityHmacValue(hmacValue);
- return true;
- } else {
- return false;
- }
- }
-
protected static int getNextBlockSize(int inputLen, int blockSize) {
- int fillSize;
- for (fillSize=blockSize; fillSize<inputLen; fillSize+=blockSize);
- return fillSize;
+ return (int)Math.ceil(inputLen / (double)blockSize) * blockSize;
}
/* package */ static byte[] hashInput(AgileEncryptionVerifier ver, byte[]
pwHash, byte[] blockKey, byte[] inputKey, int cipherMode) {
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionVerifier.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionVerifier.java?rev=1874351&r1=1874350&r2=1874351&view=diff
==============================================================================
---
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionVerifier.java
(original)
+++
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionVerifier.java
Sat Feb 22 00:36:32 2020
@@ -16,18 +16,11 @@
==================================================================== */
package org.apache.poi.poifs.crypt.agile;
-import java.io.ByteArrayInputStream;
-import java.security.GeneralSecurityException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
import java.util.Iterator;
-import java.util.List;
import com.microsoft.schemas.office.x2006.encryption.CTKeyEncryptor;
import com.microsoft.schemas.office.x2006.encryption.EncryptionDocument;
import com.microsoft.schemas.office.x2006.encryption.STCipherChaining;
-import
com.microsoft.schemas.office.x2006.keyEncryptor.certificate.CTCertificateKeyEncryptor;
import
com.microsoft.schemas.office.x2006.keyEncryptor.password.CTPasswordKeyEncryptor;
import org.apache.poi.EncryptedDocumentException;
import org.apache.poi.poifs.crypt.ChainingMode;
@@ -40,24 +33,10 @@ import org.apache.poi.poifs.crypt.HashAl
*/
public class AgileEncryptionVerifier extends EncryptionVerifier {
- public static class AgileCertificateEntry {
- X509Certificate x509;
- byte[] encryptedKey;
- byte[] certVerifier;
-
- public AgileCertificateEntry() {}
-
- public AgileCertificateEntry(AgileCertificateEntry other) {
- x509 = other.x509;
- encryptedKey = (other.encryptedKey == null) ? null :
other.encryptedKey.clone();
- certVerifier = (other.certVerifier == null) ? null :
other.certVerifier.clone();
- }
- }
-
- private final List<AgileCertificateEntry> certList = new ArrayList<>();
private int keyBits = -1;
private int blockSize = -1;
+ @SuppressWarnings("unused")
public AgileEncryptionVerifier(String descriptor) {
this(AgileEncryptionInfoBuilder.parseDescriptor(descriptor));
}
@@ -114,24 +93,6 @@ public class AgileEncryptionVerifier ext
default:
throw new EncryptedDocumentException("Unsupported chaining
mode - "+ keyData.getCipherChaining());
}
-
- if (!encList.hasNext()) {
- return;
- }
-
- try {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- while (encList.hasNext()) {
- CTCertificateKeyEncryptor certKey =
encList.next().getEncryptedCertificateKey();
- AgileCertificateEntry ace = new AgileCertificateEntry();
- ace.certVerifier = certKey.getCertVerifier();
- ace.encryptedKey = certKey.getEncryptedKeyValue();
- ace.x509 = (X509Certificate)cf.generateCertificate(new
ByteArrayInputStream(certKey.getX509Certificate()));
- certList.add(ace);
- }
- } catch (GeneralSecurityException e) {
- throw new EncryptedDocumentException("can't parse X509
certificate", e);
- }
}
public AgileEncryptionVerifier(CipherAlgorithm cipherAlgorithm,
HashAlgorithm hashAlgorithm, int keyBits, int blockSize, ChainingMode
chainingMode) {
@@ -147,7 +108,6 @@ public class AgileEncryptionVerifier ext
super(other);
keyBits = other.keyBits;
blockSize = other.blockSize;
-
other.certList.stream().map(AgileCertificateEntry::new).forEach(certList::add);
}
@Override
@@ -176,16 +136,6 @@ public class AgileEncryptionVerifier ext
super.setEncryptedKey(encryptedKey);
}
- public void addCertificate(X509Certificate x509) {
- AgileCertificateEntry ace = new AgileCertificateEntry();
- ace.x509 = x509;
- certList.add(ace);
- }
-
- public List<AgileCertificateEntry> getCertificates() {
- return certList;
- }
-
@Override
public AgileEncryptionVerifier copy() {
return new AgileEncryptionVerifier(this);
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptor.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptor.java?rev=1874351&r1=1874350&r2=1874351&view=diff
==============================================================================
---
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptor.java
(original)
+++
poi/trunk/src/ooxml/java/org/apache/poi/poifs/crypt/agile/AgileEncryptor.java
Sat Feb 22 00:36:32 2020
@@ -39,7 +39,6 @@ import java.nio.charset.StandardCharsets
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
-import java.security.cert.CertificateEncodingException;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
@@ -58,7 +57,6 @@ import com.microsoft.schemas.office.x200
import com.microsoft.schemas.office.x2006.encryption.STCipherAlgorithm;
import com.microsoft.schemas.office.x2006.encryption.STCipherChaining;
import com.microsoft.schemas.office.x2006.encryption.STHashAlgorithm;
-import
com.microsoft.schemas.office.x2006.keyEncryptor.certificate.CTCertificateKeyEncryptor;
import
com.microsoft.schemas.office.x2006.keyEncryptor.password.CTPasswordKeyEncryptor;
import org.apache.poi.EncryptedDocumentException;
import org.apache.poi.poifs.crypt.ChunkedCipherOutputStream;
@@ -67,8 +65,6 @@ import org.apache.poi.poifs.crypt.DataSp
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.Encryptor;
import org.apache.poi.poifs.crypt.HashAlgorithm;
-import
org.apache.poi.poifs.crypt.agile.AgileEncryptionVerifier.AgileCertificateEntry;
-import org.apache.poi.poifs.crypt.standard.EncryptionRecord;
import org.apache.poi.poifs.filesystem.DirectoryNode;
import org.apache.poi.util.IOUtils;
import org.apache.poi.util.LittleEndian;
@@ -127,7 +123,7 @@ public class AgileEncryptor extends Encr
pwHash = hashPassword(password, ver.getHashAlgorithm(), verifierSalt,
ver.getSpinCount());
- /**
+ /*
* encryptedVerifierHashInput: This attribute MUST be generated by
using the following steps:
* 1. Generate a random array of bytes with the number of bytes used
specified by the saltSize
* attribute.
@@ -144,7 +140,7 @@ public class AgileEncryptor extends Encr
ver.setEncryptedVerifier(encryptedVerifier);
- /**
+ /*
* encryptedVerifierHashValue: This attribute MUST be generated by
using the following steps:
* 1. Obtain the hash value of the random array of bytes generated in
step 1 of the steps for
* encryptedVerifierHashInput.
@@ -161,7 +157,7 @@ public class AgileEncryptor extends Encr
byte[] encryptedVerifierHash = hashInput(ver, pwHash,
kHashedVerifierBlock, hashedVerifier, Cipher.ENCRYPT_MODE);
ver.setEncryptedVerifierHash(encryptedVerifierHash);
- /**
+ /*
* encryptedKeyValue: This attribute MUST be generated by using the
following steps:
* 1. Generate a random array of bytes that is the same size as
specified by the
* Encryptor.KeyData.keyBits attribute of the parent element.
@@ -212,15 +208,6 @@ public class AgileEncryptor extends Encr
byte[] hmacKey = getBlock0(this.integritySalt,
getNextBlockSize(this.integritySalt.length, blockSize));
byte[] encryptedHmacKey = cipher.doFinal(hmacKey);
header.setEncryptedHmacKey(encryptedHmacKey);
-
- cipher = Cipher.getInstance("RSA");
- for (AgileCertificateEntry ace : ver.getCertificates()) {
- cipher.init(Cipher.ENCRYPT_MODE, ace.x509.getPublicKey());
- ace.encryptedKey = cipher.doFinal(getSecretKey().getEncoded());
- Mac x509Hmac =
CryptoFunctions.getMac(header.getHashAlgorithm());
- x509Hmac.init(getSecretKey());
- ace.certVerifier = x509Hmac.doFinal(ace.x509.getEncoded());
- }
} catch (GeneralSecurityException e) {
throw new EncryptedDocumentException(e);
}
@@ -276,8 +263,6 @@ public class AgileEncryptor extends Encr
private final CTKeyEncryptor.Uri.Enum passwordUri =
CTKeyEncryptor.Uri.HTTP_SCHEMAS_MICROSOFT_COM_OFFICE_2006_KEY_ENCRYPTOR_PASSWORD;
- private final CTKeyEncryptor.Uri.Enum certificateUri =
-
CTKeyEncryptor.Uri.HTTP_SCHEMAS_MICROSOFT_COM_OFFICE_2006_KEY_ENCRYPTOR_CERTIFICATE;
protected EncryptionDocument createEncryptionDocument() {
AgileEncryptionVerifier ver =
(AgileEncryptionVerifier)getEncryptionInfo().getVerifier();
@@ -343,19 +328,6 @@ public class AgileEncryptor extends Encr
hmacData.setEncryptedHmacKey(header.getEncryptedHmacKey());
hmacData.setEncryptedHmacValue(header.getEncryptedHmacValue());
- for (AgileCertificateEntry ace : ver.getCertificates()) {
- keyEnc = keyEncList.addNewKeyEncryptor();
- keyEnc.setUri(certificateUri);
- CTCertificateKeyEncryptor certData =
keyEnc.addNewEncryptedCertificateKey();
- try {
- certData.setX509Certificate(ace.x509.getEncoded());
- } catch (CertificateEncodingException e) {
- throw new EncryptedDocumentException(e);
- }
- certData.setEncryptedKeyValue(ace.encryptedKey);
- certData.setCertVerifier(ace.certVerifier);
- }
-
return ed;
}
@@ -372,7 +344,6 @@ public class AgileEncryptor extends Encr
xo.setCharacterEncoding("UTF-8");
Map<String,String> nsMap = new HashMap<>();
nsMap.put(passwordUri.toString(),"p");
- nsMap.put(certificateUri.toString(), "c");
xo.setUseDefaultNamespace();
xo.setSaveSuggestedPrefixes(nsMap);
xo.setSaveNamespacesFirst();
@@ -391,31 +362,6 @@ public class AgileEncryptor extends Encr
}
}
- protected void createEncryptionInfoEntry(DirectoryNode dir, File tmpFile)
- throws IOException, GeneralSecurityException {
- DataSpaceMapUtils.addDefaultDataSpace(dir);
-
- final EncryptionInfo info = getEncryptionInfo();
-
- EncryptionRecord er = new EncryptionRecord(){
- @Override
- public void write(LittleEndianByteArrayOutputStream bos) {
- // EncryptionVersionInfo (4 bytes): A Version structure
(section 2.1.4), where
- // Version.vMajor MUST be 0x0004 and Version.vMinor MUST be
0x0004
- bos.writeShort(info.getVersionMajor());
- bos.writeShort(info.getVersionMinor());
- // Reserved (4 bytes): A value that MUST be 0x00000040
- bos.writeInt(info.getEncryptionFlags());
-
- EncryptionDocument ed = createEncryptionDocument();
- marshallEncryptionDocument(ed, bos);
- }
- };
-
- createEncryptionEntry(dir, "EncryptionInfo", er);
- }
-
-
/**
* 2.3.4.15 Data Encryption (Agile Encryption)
*
@@ -451,8 +397,23 @@ public class AgileEncryptor extends Encr
@Override
protected void createEncryptionInfoEntry(DirectoryNode dir, File
tmpFile)
- throws IOException, GeneralSecurityException {
- AgileEncryptor.this.createEncryptionInfoEntry(dir, tmpFile);
+ throws IOException {
+ DataSpaceMapUtils.addDefaultDataSpace(dir);
+ createEncryptionEntry(dir, "EncryptionInfo",
this::marshallEncryptionRecord);
+ }
+
+ private void
marshallEncryptionRecord(LittleEndianByteArrayOutputStream bos) {
+ final EncryptionInfo info = getEncryptionInfo();
+
+ // EncryptionVersionInfo (4 bytes): A Version structure (section
2.1.4), where
+ // Version.vMajor MUST be 0x0004 and Version.vMinor MUST be 0x0004
+ bos.writeShort(info.getVersionMajor());
+ bos.writeShort(info.getVersionMinor());
+ // Reserved (4 bytes): A value that MUST be 0x00000040
+ bos.writeInt(info.getEncryptionFlags());
+
+ EncryptionDocument ed = createEncryptionDocument();
+ marshallEncryptionDocument(ed, bos);
}
}
Modified:
poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/AllPOIFSCryptoTests.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/AllPOIFSCryptoTests.java?rev=1874351&r1=1874350&r2=1874351&view=diff
==============================================================================
---
poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/AllPOIFSCryptoTests.java
(original)
+++
poi/trunk/src/ooxml/testcases/org/apache/poi/poifs/crypt/AllPOIFSCryptoTests.java
Sat Feb 22 00:36:32 2020
@@ -30,7 +30,6 @@ import org.junit.runners.Suite;
, TestDecryptor.class
, TestEncryptor.class
, TestAgileEncryptionParameters.class
- , TestCertificateEncryption.class
})
public final class AllPOIFSCryptoTests {
}
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
