Repository: wicket Updated Branches: refs/heads/5756-improve-crypt b5307cc09 -> d47373b92
WICKET-5756 Allow to use custom ciphers when using SunJceCrypt class Use random key for the key spec. Add unit tests for crypto algorithms available only in Unlimited Strenght Jurisdiction Policy (http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d47373b9 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d47373b9 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d47373b9 Branch: refs/heads/5756-improve-crypt Commit: d47373b926feb23c56bef3351919924dbd0c09bc Parents: b5307cc Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Mon Nov 17 13:48:18 2014 +0200 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Mon Nov 17 13:48:18 2014 +0200 ---------------------------------------------------------------------- .../markup/html/form/encryption/CryptTest.java | 7 +- .../apache/wicket/util/crypt/AbstractCrypt.java | 7 +- .../apache/wicket/util/crypt/SunJceCrypt.java | 16 ++- .../wicket/util/crypt/SunJceCryptTest.java | 75 ++++++++++++++ ...UnlimitedStrengthJurisdictionPolicyTest.java | 103 +++++++++++++++++++ 5 files changed, 194 insertions(+), 14 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/d47373b9/wicket-core/src/test/java/org/apache/wicket/markup/html/form/encryption/CryptTest.java ---------------------------------------------------------------------- diff --git a/wicket-core/src/test/java/org/apache/wicket/markup/html/form/encryption/CryptTest.java b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/encryption/CryptTest.java index 4d019d8..72024c6 100644 --- a/wicket-core/src/test/java/org/apache/wicket/markup/html/form/encryption/CryptTest.java +++ b/wicket-core/src/test/java/org/apache/wicket/markup/html/form/encryption/CryptTest.java @@ -28,21 +28,18 @@ import org.junit.Test; */ public class CryptTest extends WicketTestCase { - /** - * - * - */ @Test public void crypt() { final ICrypt crypt = new SunJceCrypt(); + crypt.setKey("someStableKey"); try { if (crypt.encryptUrlSafe("test") != null) { final String text = "abcdefghijkABC: A test which creates a '/' and/or a '+'"; - final String expectedUrlSafeEncrypted = "g-N_AGk2b3qe70kJ0we4Rsa8getbnPLm6NyE0BCd-go0P-0kuIe6UvAYP7dlzx-9mfmPaMQ5lCk"; + final String expectedUrlSafeEncrypted = "xXMS3UMELV--qVINGVFaYaiqUPOtryc_E4x0MyMFgYl-TgTGKxczTzPvwJrE-4YEVMpl-F3eDAg"; final String encrypted = crypt.encryptUrlSafe(text); assertEquals(expectedUrlSafeEncrypted, encrypted); http://git-wip-us.apache.org/repos/asf/wicket/blob/d47373b9/wicket-util/src/main/java/org/apache/wicket/util/crypt/AbstractCrypt.java ---------------------------------------------------------------------- diff --git a/wicket-util/src/main/java/org/apache/wicket/util/crypt/AbstractCrypt.java b/wicket-util/src/main/java/org/apache/wicket/util/crypt/AbstractCrypt.java index e28db30..9daa2dd 100644 --- a/wicket-util/src/main/java/org/apache/wicket/util/crypt/AbstractCrypt.java +++ b/wicket-util/src/main/java/org/apache/wicket/util/crypt/AbstractCrypt.java @@ -18,6 +18,7 @@ package org.apache.wicket.util.crypt; import java.io.UnsupportedEncodingException; import java.security.GeneralSecurityException; +import java.util.UUID; import javax.crypto.Cipher; @@ -32,9 +33,6 @@ import org.slf4j.LoggerFactory; */ public abstract class AbstractCrypt implements ICrypt { - /** Default encryption key */ - private static final String DEFAULT_ENCRYPTION_KEY = "WiCkEt-CrYpT"; - /** Encoding used to convert java String from and to byte[] */ private static final String CHARACTER_ENCODING = "UTF-8"; @@ -42,13 +40,14 @@ public abstract class AbstractCrypt implements ICrypt private static final Logger log = LoggerFactory.getLogger(AbstractCrypt.class); /** Key used to de-/encrypt the data */ - private String encryptionKey = DEFAULT_ENCRYPTION_KEY; + private String encryptionKey; /** * Constructor */ public AbstractCrypt() { + this.encryptionKey = UUID.randomUUID().toString(); } /** http://git-wip-us.apache.org/repos/asf/wicket/blob/d47373b9/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java ---------------------------------------------------------------------- diff --git a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java index 2d54ad9..d1faf34 100644 --- a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java +++ b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java @@ -52,7 +52,7 @@ public class SunJceCrypt extends AbstractCrypt public static final String DEFAULT_CRYPT_METHOD = "PBEWithMD5AndDES"; /** Salt */ - private final static byte[] salt = { (byte)0x15, (byte)0x8c, (byte)0xa3, (byte)0x4a, + public final static byte[] SALT = { (byte)0x15, (byte)0x8c, (byte)0xa3, (byte)0x4a, (byte)0x66, (byte)0x51, (byte)0x2a, (byte)0xbc }; /** The name of encryption method (cipher) */ @@ -106,16 +106,22 @@ public class SunJceCrypt extends AbstractCrypt * @throws GeneralSecurityException */ @Override - protected final byte[] crypt(final byte[] input, final int mode) + protected byte[] crypt(final byte[] input, final int mode) throws GeneralSecurityException { SecretKey key = generateSecretKey(); AlgorithmParameterSpec spec = createParameterSpec(); - Cipher ciph = Cipher.getInstance(cryptMethod); - ciph.init(mode, key, spec); + Cipher ciph = createCipher(cryptMethod, key, spec, mode); return ciph.doFinal(input); } + protected Cipher createCipher(String cryptMethod, SecretKey key, AlgorithmParameterSpec spec, int mode) throws GeneralSecurityException + { + Cipher cipher = Cipher.getInstance(cryptMethod); + cipher.init(mode, key, spec); + return cipher; + } + /** * Generate the de-/encryption key. * <p> @@ -141,7 +147,7 @@ public class SunJceCrypt extends AbstractCrypt */ protected AlgorithmParameterSpec createParameterSpec() { - return new PBEParameterSpec(salt, COUNT); + return new PBEParameterSpec(SALT, COUNT); } /** http://git-wip-us.apache.org/repos/asf/wicket/blob/d47373b9/wicket-util/src/test/java/org/apache/wicket/util/crypt/SunJceCryptTest.java ---------------------------------------------------------------------- diff --git a/wicket-util/src/test/java/org/apache/wicket/util/crypt/SunJceCryptTest.java b/wicket-util/src/test/java/org/apache/wicket/util/crypt/SunJceCryptTest.java new file mode 100644 index 0000000..1d366bd --- /dev/null +++ b/wicket-util/src/test/java/org/apache/wicket/util/crypt/SunJceCryptTest.java @@ -0,0 +1,75 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.wicket.util.crypt; + +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.is; + +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; + +import javax.crypto.Cipher; + +import org.junit.Assert; +import org.junit.Assume; +import org.junit.Test; + +public class SunJceCryptTest extends Assert +{ + /** + * Default encryption uses {@value org.apache.wicket.util.crypt.SunJceCrypt#DEFAULT_CRYPT_METHOD} + */ + @Test + public void defaultEncryption() throws GeneralSecurityException + { + SunJceCrypt crypt = new SunJceCrypt(); + String input = "input"; + byte[] encrypted = crypt.crypt(input.getBytes(), Cipher.ENCRYPT_MODE); + + byte[] decrypted = crypt.crypt(encrypted, Cipher.DECRYPT_MODE); + assertThat(new String(decrypted), is(equalTo(input))); + } + + /** + * Uses <em>PBEWithMD5AndTripleDES</em> if unlimited cryptography is installed + */ + @Test + public void customPBEEncryption() throws GeneralSecurityException + { + boolean unlimitedStrengthJurisdictionPolicyInstalled = isUnlimitedStrengthJurisdictionPolicyInstalled(); + Assume.assumeThat(unlimitedStrengthJurisdictionPolicyInstalled, is(true)); + + SunJceCrypt crypt = new SunJceCrypt("PBEWithMD5AndTripleDES"); + String input = "input"; + byte[] encrypted = crypt.crypt(input.getBytes(), Cipher.ENCRYPT_MODE); + + byte[] decrypted = crypt.crypt(encrypted, Cipher.DECRYPT_MODE); + assertThat(new String(decrypted), is(equalTo(input))); + } + + /** + * Checks whether Oracle Unlimited Strenght Jurisdiction Policy is installed + * Based on http://stackoverflow.com/a/8607735 + * + * @return {@code true} if Unlimited Strenght Jurisdiction Policy is installed + * @throws NoSuchAlgorithmException + */ + static boolean isUnlimitedStrengthJurisdictionPolicyInstalled() throws NoSuchAlgorithmException + { + return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE; + } +} http://git-wip-us.apache.org/repos/asf/wicket/blob/d47373b9/wicket-util/src/test/java/org/apache/wicket/util/crypt/UnlimitedStrengthJurisdictionPolicyTest.java ---------------------------------------------------------------------- diff --git a/wicket-util/src/test/java/org/apache/wicket/util/crypt/UnlimitedStrengthJurisdictionPolicyTest.java b/wicket-util/src/test/java/org/apache/wicket/util/crypt/UnlimitedStrengthJurisdictionPolicyTest.java new file mode 100644 index 0000000..af1b8ce --- /dev/null +++ b/wicket-util/src/test/java/org/apache/wicket/util/crypt/UnlimitedStrengthJurisdictionPolicyTest.java @@ -0,0 +1,103 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.wicket.util.crypt; + +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.is; + +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.spec.KeySpec; + +import javax.crypto.Cipher; +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + +import org.junit.Assert; +import org.junit.Assume; +import org.junit.Test; + +/** + * A demo how to create {@link org.apache.wicket.util.crypt.ICrypt} implementation that + * uses <em>PBKDF2WithHmacSHA1</em> for encryption + */ +public class UnlimitedStrengthJurisdictionPolicyTest extends Assert +{ + @Test + public void unlimitedStrengthJurisdictionEncryption() throws GeneralSecurityException + { + boolean unlimitedStrengthJurisdictionPolicyInstalled = SunJceCryptTest.isUnlimitedStrengthJurisdictionPolicyInstalled(); + Assume.assumeThat(unlimitedStrengthJurisdictionPolicyInstalled, is(true)); + + AbstractCrypt crypt = new UnlimitedStrenghtJurisdictionPolicyCrypt(); + + String input1 = "input1"; + byte[] encrypted = crypt.crypt(input1.getBytes(), Cipher.ENCRYPT_MODE); + + String input2 = "input2"; + byte[] encrypted2 = crypt.crypt(input2.getBytes(), Cipher.ENCRYPT_MODE); + + byte[] decrypted = crypt.crypt(encrypted, Cipher.DECRYPT_MODE); + assertThat(new String(decrypted), is(equalTo(input1))); + + byte[] decrypted2 = crypt.crypt(encrypted2, Cipher.DECRYPT_MODE); + assertThat(new String(decrypted2), is(equalTo(input2))); + } + + private static class UnlimitedStrenghtJurisdictionPolicyCrypt extends AbstractCrypt + { + private final Cipher crypter; + private final Cipher decrypter; + + private UnlimitedStrenghtJurisdictionPolicyCrypt() throws GeneralSecurityException + { + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); + KeySpec spec = new PBEKeySpec(getKey().toCharArray(), SunJceCrypt.SALT, 65536, 256); + SecretKey tmp = factory.generateSecret(spec); + SecretKey secret = new SecretKeySpec(tmp.getEncoded(), "AES"); + + crypter = Cipher.getInstance("AES/CBC/PKCS5Padding"); + crypter.init(Cipher.ENCRYPT_MODE, secret); + AlgorithmParameters params = crypter.getParameters(); + byte[] iv = params.getParameterSpec(IvParameterSpec.class).getIV(); + + decrypter = Cipher.getInstance("AES/CBC/PKCS5Padding"); + decrypter.init(Cipher.DECRYPT_MODE, secret, new IvParameterSpec(iv)); + } + + @Override + protected byte[] crypt(byte[] input, int mode) throws GeneralSecurityException + { + byte[] result; + switch (mode) + { + case Cipher.ENCRYPT_MODE: + result = crypter.doFinal(input); + break; + case Cipher.DECRYPT_MODE: + result = decrypter.doFinal(input); + break; + default: + throw new RuntimeException("Wrong crypt mode: " + mode); + } + return result; + } + } +}
