-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
On 11/25/18 10:49, schu...@apache.org wrote: > Author: schultz Date: Sun Nov 25 15:49:28 2018 New Revision: > 1847417 > > URL: http://svn.apache.org/viewvc?rev=1847417&view=rev Log: Add > support for GCM block cipher mode. It's possible that GCM does not need to have the IV pre-pended to the output. I'm investigating... - -chris > Modified: > tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp tInterceptor.java > > tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncr yptInterceptor.java > tomcat/trunk/webapps/docs/changelog.xml > > Modified: > tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp tInterceptor.java > > URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribe s/group/interceptors/EncryptInterceptor.java?rev=1847417&r1=1847416&r2=1 847417&view=diff > ====================================================================== ======== > > - --- tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptI nterceptor.java (original) > +++ > tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp tInterceptor.java > Sun Nov 25 15:49:28 2018 @@ -25,6 +25,7 @@ import > java.util.concurrent.ConcurrentLi > > import javax.crypto.Cipher; import > javax.crypto.NoSuchPaddingException; +import > javax.crypto.spec.GCMParameterSpec; import > javax.crypto.spec.IvParameterSpec; import > javax.crypto.spec.SecretKeySpec; > > @@ -64,7 +65,7 @@ public class EncryptInterceptor extends private > String encryptionKeyString; > > > - private EncryptionManager encryptionManager; + private > BaseEncryptionManager encryptionManager; > > public EncryptInterceptor() { } @@ -300,7 +301,7 @@ public class > EncryptInterceptor extends return result; } > > - private static EncryptionManager > createEncryptionManager(String algorithm, + private static > BaseEncryptionManager createEncryptionManager(String algorithm, > byte[] encryptionKey, String providerName) throws > NoSuchAlgorithmException, NoSuchPaddingException, > NoSuchProviderException { if(null == encryptionKey) @@ -328,29 > +329,31 @@ public class EncryptInterceptor extends } > > // Note: ECB is not an appropriate mode for secure communications. > + if("GCM".equalsIgnoreCase(algorithmMode)) + > return new GCMEncryptionManager(algorithm, new > SecretKeySpec(encryptionKey, algorithmName), providerName); + > if(!("CBC".equalsIgnoreCase(algorithmMode) || > "OFB".equalsIgnoreCase(algorithmMode) || > "CFB".equalsIgnoreCase(algorithmMode))) throw new > IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.un supported-mode", > algorithmMode)); > > - EncryptionManager mgr = new EncryptionManager(algorithm, + > BaseEncryptionManager mgr = new BaseEncryptionManager(algorithm, > new SecretKeySpec(encryptionKey, algorithmName), providerName); > > return mgr; } > > - private static class EncryptionManager { + private static > class BaseEncryptionManager { /** * The fully-specified algorithm > e.g. AES/CBC/PKCS5Padding. */ private final String algorithm; > > /** - * The size of the initialization vector to use for > encryption. This is - * often, but not always, the same as > the block size. + * The block size of the cipher. */ - > private final int ivSize; + private final int blockSize; > > /** * The cryptographic provider name. @@ -375,7 +378,7 @@ public > class EncryptInterceptor extends */ private final > ConcurrentLinkedQueue<SecureRandom> randomPool; > > - public EncryptionManager(String algorithm, SecretKeySpec > secretKey, String providerName) + public > BaseEncryptionManager(String algorithm, SecretKeySpec secretKey, > String providerName) throws NoSuchAlgorithmException, > NoSuchPaddingException, NoSuchProviderException { this.algorithm = > algorithm; this.providerName = providerName; @@ -383,7 +386,7 @@ > public class EncryptInterceptor extends > > cipherPool = new ConcurrentLinkedQueue<>(); Cipher cipher = > createCipher(); - ivSize = cipher.getBlockSize(); + > blockSize = cipher.getBlockSize(); cipherPool.offer(cipher); > randomPool = new ConcurrentLinkedQueue<>(); } @@ -402,8 +405,14 @@ > public class EncryptInterceptor extends return secretKey; } > > - private int getIVSize() { - return ivSize; + > /** + * Gets the size of the initialization vector for the > cipher being used. + * The IV size is often, but not > always, the block size for the cipher. + * + * > @return The size of the initialization vector for this algorithm. + > */ + protected int getIVSize() { + return > blockSize; } > > private String getProviderName() { @@ -474,7 +483,7 @@ public class > EncryptInterceptor extends > > try { cipher = getCipher(); - > cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0, > ivSize)); + cipher.init(Cipher.ENCRYPT_MODE, > getSecretKey(), generateIV(iv, 0, getIVSize())); > > // Prepend the IV to the beginning of the encrypted data byte[][] > data = new byte[2][]; @@ -500,6 +509,7 @@ public class > EncryptInterceptor extends private byte[] decrypt(byte[] bytes) > throws GeneralSecurityException { Cipher cipher = null; > > + int ivSize = getIVSize(); AlgorithmParameterSpec IV = > generateIV(bytes, 0, ivSize); > > try { @@ -539,4 +549,22 @@ public class EncryptInterceptor extends > return new IvParameterSpec(ivBytes, offset, length); } } + + > private static class GCMEncryptionManager extends > BaseEncryptionManager + { + public > GCMEncryptionManager(String algorithm, SecretKeySpec secretKey, > String providerName) + throws > NoSuchAlgorithmException, NoSuchPaddingException, > NoSuchProviderException { + super(algorithm, secretKey, > providerName); + } + + @Override + protected > int getIVSize() { + return 12; + } + + > @Override + protected AlgorithmParameterSpec > generateIV(byte[] bytes, int offset, int length) { + > return new GCMParameterSpec(128, bytes, offset, length); + > } + } } > > Modified: > tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEn cryptInterceptor.java > > URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/tribe s/group/interceptors/TestEncryptInterceptor.java?rev=1847417&r1=1847416& r2=1847417&view=diff > ====================================================================== ======== > > - --- tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncr yptInterceptor.java (original) > +++ > tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEn cryptInterceptor.java > Sun Nov 25 15:49:28 2018 @@ -255,7 +255,6 @@ public class > TestEncryptInterceptor { } > > @Test - @Ignore("GCM mode is unsupported because it requires a > custom initialization vector") public void testGCM() throws > Exception { src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding"); > src.start(Channel.SND_TX_SEQ); > > Modified: tomcat/trunk/webapps/docs/changelog.xml URL: > http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?r ev=1847417&r1=1847416&r2=1847417&view=diff > > ======================================================================== ====== > --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ > tomcat/trunk/webapps/docs/changelog.xml Sun Nov 25 15:49:28 2018 @@ > -163,6 +163,9 @@ Make EncryptInterceptor thread-safe. This makes > this interceptor actually usable. (schultz/markt) </fix> + > <add> + Add support for GCM mode to EncryptInterceptor. > (schultz) + </add> </changelog> </subsection> <subsection > name="Other"> > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlv8HRcACgkQHPApP6U8 pFiLXw/+Nm/GxTsI/9T71pG4y0ATdzrO4+TzXntnVoEesUzH7gU/NooA4iKz1877 VvhIDBdN15as7+8Gr3Za2iO35qIu8Lh5xUOqWqHU89kGrbzuwikoaqwdDziCPWVM N7R09jgn070CbOTtAAHMuRYlZBnKorSZauAFrqI+tsQnghrb5FKC3IGh6PHhPzYf D9XxAjF2YsZGbuWxuwB1vy4zvF4nSIzT5mOyW6qxFgT80Nd7TGG18P/VNBud6KFk YYsMT6bWghy91CmWgn3F+AHZdHBlMMHfUDCmCSmAF4O8QXuu1tBzckIKW5fwkMhY tpvFBQq90mqbadAT4r0lXRRRxRT3d1pgZdjsYWxG7+LMhfTx3xhPy+NT7PQefMHH Su5VR7DK4Q939VwDr6wXSxeiPYxF1pSiH/JXUsvRy3z9GsdRSZAf/W3EmRY950pQ A6LSbdoqGx372AxwQvM82pe2IrYlPQtC25b2EVjRMkpwDacBkpbNTV2U7Wk+G9/T 9ClQc87sEghNvCOwAPj13LunCfR0SVuNInfT7tgFWXsUyg779XIp4JGRN3rJmkl0 kiuRpMJRyaTDo/yzfH93kSFsL+MV7RN+crVyCTeebbUu0VAzRcAMOOqdabha+UYQ rfmf+PJQG4FwsKr+CxqasMkJoUPzcScnZuzsS8Z0VtHUCxPwDfI= =fLXO -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org