throw new AssertionError("Error while hashing a password: " + e.getMessage(), e); } finally { spec.clearPassword();
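/**
 * Generates an AES key from the password using PBKDF2.
 *
 * <p>Both transient copies of the password (the array returned by
 * {@code getPassword()} and the copy held inside the {@link PBEKeySpec}) are
 * wiped on every exit path, including when key derivation throws.
 *
 * @param salt the salt fed to the key derivation
 * @return the derived key bytes wrapped in a {@link SecretKeySpec}
 * @throws GeneralSecurityException if the key factory is unavailable or the
 *         key cannot be derived from the spec
 */
protected Key generateSecretKey(byte[] salt) throws GeneralSecurityException {
    char[] password = getPassword();
    PBEKeySpec spec;
    try {
        // The spec keeps its own copy of the password, so the caller-side array
        // can be wiped as soon as the spec has been built (or failed to build).
        spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, PBKDF2_KEY_LENGTH);
    } finally {
        clearPassword(password);
    }
    try {
        // NOTE(review): the PRF, iteration count and key length come from constants
        // defined outside this snippet; confirm they meet current PBKDF2 guidance.
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBKDF2_WITH_HMAC_SHA1);
        Key derived = factory.generateSecret(spec);
        return new SecretKeySpec(derived.getEncoded(), AES);
    } finally {
        // Runs even when getInstance() or generateSecret() throws, so the spec's
        // password copy never outlives this call.
        spec.clearPassword();
    }
}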
// Ask the key factory for the PBE key spec behind the secret key stored in the keystore entry.
PBEKeySpec keySpec = (PBEKeySpec) keyFactory.getKeySpec(keystoreEntry.getSecretKey(), PBEKeySpec.class);
// getPassword() returns a copy, so `chars` is a separate array from the one inside the spec.
char[] chars = keySpec.getPassword();
// Wipes only the spec's internal copy. NOTE(review): `chars` still holds the secret and is
// not wiped in the lines shown; confirm the code that follows zeroes it once it is done.
keySpec.clearPassword();
/**
 * Wipes the password held by {@code key}; does nothing when no key is set.
 */
@Override
public void clear() {
    if (key == null) {
        return;
    }
    key.clearPassword();
}
/**
 * Wipes the password held by {@code key}; does nothing when no key is set.
 */
public void clear() {
    if (key == null) {
        return;
    }
    key.clearPassword();
}
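/**
 * Derives a hash from the given characters and salt through a {@link PBEKeySpec}.
 *
 * <p>The spec's internal password copy is wiped on every exit path, including
 * when {@code generateSecretKey} throws. The caller's {@code chars} array is
 * not modified and remains the caller's responsibility to wipe.
 *
 * @param chars the password characters
 * @param salt the salt
 * @return the encoded bytes of the derived key
 */
@Override
public byte[] hash(char[] chars, byte[] salt) {
    // NOTE(review): 2048 iterations is well below current guidance for PBKDF2-style
    // derivation. Raising it changes every stored hash, so it needs a versioned
    // migration rather than an in-place edit. 512 is the requested key length in bits.
    final PBEKeySpec spec = new PBEKeySpec(chars, salt, 2048, 512);
    try {
        return generateSecretKey(spec).getEncoded();
    } finally {
        spec.clearPassword();
    }
}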
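/**
 * Derives a hash from the given characters and salt through a {@link PBEKeySpec}.
 *
 * <p>The spec's internal password copy is wiped on every exit path, including
 * when {@code generateSecretKey} throws. The caller's {@code chars} array is
 * not modified and remains the caller's responsibility to wipe.
 *
 * @param chars the password characters
 * @param salt the salt
 * @return the encoded bytes of the derived key
 */
@Override
public byte[] hash(char[] chars, byte[] salt) {
    // NOTE(review): 2048 iterations is well below current guidance for PBKDF2-style
    // derivation. Raising it changes every stored hash, so it needs a versioned
    // migration rather than an in-place edit. 512 is the requested key length in bits.
    final PBEKeySpec spec = new PBEKeySpec(chars, salt, 2048, 512);
    try {
        return generateSecretKey(spec).getEncoded();
    } finally {
        spec.clearPassword();
    }
}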
spec.clearPassword(); return result;
/**
 * Builds the secret key for the given password usage.
 *
 * <p>The password object is closed by the try-with-resources block, and the
 * key spec's password copy is wiped in a {@code finally}, so both are
 * released whether or not key generation succeeds.
 *
 * @param usage the usage passed to the password protection to obtain the password
 * @return the key generated by the factory for {@code algorithm()}
 * @throws Exception if the password cannot be obtained or the key cannot be generated
 */
protected final SecretKey secretKey(final PasswordUsage usage) throws Exception {
    try (Password secret = passwordProtection().password(usage)) {
        final PBEKeySpec spec = new PBEKeySpec(secret.characters());
        try {
            final SecretKeyFactory factory = SecretKeyFactory.getInstance(algorithm());
            return factory.generateSecret(spec);
        } finally {
            // Wipe the spec's copy of the password even when generation fails.
            spec.clearPassword();
        }
    }
}
} // closes an enclosing scope that opens outside this snippet
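/**
 * Derives a key from the password and returns it hex-encoded.
 *
 * <p>When {@code hashAlgorithm} is set, the key is derived through the JCA
 * {@link SecretKeyFactory} of that name with a 256-bit key length. Otherwise
 * the bundled {@code PBKDF2Engine} is used with HmacSHA1.
 *
 * @param password the password characters; not modified by this method
 * @param salt the salt
 * @param iterations the iteration count
 * @return the derived key as a hex string
 * @throws GeneralSecurityException if the JCA algorithm is unavailable or the
 *         key cannot be derived
 */
public String createPasswordKey(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
    if (hashAlgorithm != null) {
        PBEKeySpec passwordKeySpec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(hashAlgorithm);
            SecretKey passwordKey = secretKeyFactory.generateSecret(passwordKeySpec);
            return BinTools.bin2hex(passwordKey.getEncoded());
        } finally {
            // Wipe the spec's password copy on every path, including when
            // getInstance() or generateSecret() throws.
            passwordKeySpec.clearPassword();
        }
    } else {
        PBKDF2Parameters params = new PBKDF2Parameters("HmacSHA1", "ISO-8859-1", salt, iterations);
        PBKDF2 pbkdf2 = new PBKDF2Engine(params);
        // NOTE(review): new String(password) places the password in an immutable
        // String that cannot be wiped and stays in memory until garbage collected.
        // deriveKey is called with a String here, so this branch cannot avoid it;
        // prefer configuring hashAlgorithm so the char[]-based branch is used.
        return BinTools.bin2hex(pbkdf2.deriveKey(new String(password)));
    }
}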
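/**
 * Derives a key from the password and returns it hex-encoded.
 *
 * <p>When {@code hashAlgorithm} is set, the key is derived through the JCA
 * {@link SecretKeyFactory} of that name with a 256-bit key length. Otherwise
 * the bundled {@code PBKDF2Engine} is used with HmacSHA1.
 *
 * @param password the password characters; not modified by this method
 * @param salt the salt
 * @param iterations the iteration count
 * @return the derived key as a hex string
 * @throws GeneralSecurityException if the JCA algorithm is unavailable or the
 *         key cannot be derived
 */
public String createPasswordKey(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
    if (hashAlgorithm != null) {
        PBEKeySpec passwordKeySpec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(hashAlgorithm);
            SecretKey passwordKey = secretKeyFactory.generateSecret(passwordKeySpec);
            return BinTools.bin2hex(passwordKey.getEncoded());
        } finally {
            // Wipe the spec's password copy on every path, including when
            // getInstance() or generateSecret() throws.
            passwordKeySpec.clearPassword();
        }
    } else {
        PBKDF2Parameters params = new PBKDF2Parameters("HmacSHA1", "ISO-8859-1", salt, iterations);
        PBKDF2 pbkdf2 = new PBKDF2Engine(params);
        // NOTE(review): new String(password) places the password in an immutable
        // String that cannot be wiped and stays in memory until garbage collected.
        // deriveKey is called with a String here, so this branch cannot avoid it;
        // prefer configuring hashAlgorithm so the char[]-based branch is used.
        return BinTools.bin2hex(pbkdf2.deriveKey(new String(password)));
    }
}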
// Ask the key factory for the PBE key spec behind the secret key stored in the keystore entry.
PBEKeySpec keySpec = (PBEKeySpec) keyFactory.getKeySpec(keystoreEntry.getSecretKey(), PBEKeySpec.class);
// getPassword() returns a copy, so `chars` is a separate array from the one inside the spec.
char[] chars = keySpec.getPassword();
// Wipes only the spec's internal copy. NOTE(review): `chars` still holds the secret and is
// not wiped in the lines shown; confirm the code that follows zeroes it once it is done.
keySpec.clearPassword();
// Ask the key factory for the PBE key spec behind the secret key stored in the keystore entry.
PBEKeySpec keySpec = (PBEKeySpec) keyFactory.getKeySpec(keystoreEntry.getSecretKey(), PBEKeySpec.class);
// getPassword() returns a copy, so `chars` is a separate array from the one inside the spec.
char[] chars = keySpec.getPassword();
// Wipes only the spec's internal copy. NOTE(review): `chars` still holds the secret and is
// not wiped in the lines shown; confirm the code that follows zeroes it once it is done.
keySpec.clearPassword();
// The spec stores its own copy of `password`; the caller's array is left untouched.
PBEKeySpec passwordSpec = new PBEKeySpec(password);
// Turn the spec into a SecretKey with the factory obtained earlier (outside this snippet).
SecretKey passwordKey = passwordFactory.generateSecret(passwordSpec);
// Wipes the spec's copy only. NOTE(review): this line is skipped if generateSecret() throws,
// so a try/finally around the derivation would make the wipe unconditional. The `password`
// array itself is not wiped in the lines shown.
passwordSpec.clearPassword();
// Salt and iteration count are handed to the cipher as PBE parameters.
PBEParameterSpec pbeParameterSpec = new PBEParameterSpec(salt, iterationCount);
// Initialise the cipher for encryption with the PBE key and those parameters.
cipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParameterSpec);
// Wipe the password held inside pbeKeySpec (created outside this snippet).
// NOTE(review): cipher.init() can throw, which would skip this wipe; a finally block
// would make it unconditional.
pbeKeySpec.clearPassword();
// The spec stores its own copy of `password`; the caller's array is left untouched.
PBEKeySpec passwordSpec = new PBEKeySpec(password);
// Turn the spec into a SecretKey with the factory obtained earlier (outside this snippet).
SecretKey passwordKey = passwordFactory.generateSecret(passwordSpec);
// Wipes the spec's copy only. NOTE(review): this line is skipped if generateSecret() throws,
// so a try/finally around the derivation would make the wipe unconditional. The `password`
// array itself is not wiped in the lines shown.
passwordSpec.clearPassword();
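/**
 * Returns the secret file stored under {@code setting} as a stream of its decoded bytes.
 *
 * <p>The entry is stored as base64 text inside a PBE key spec. Three transient
 * copies of that text exist during this call: the spec's internal array, the
 * array returned by {@code getPassword()}, and the byte array backing the
 * returned stream. The first two are wiped before returning. The third is
 * wiped only when the caller closes the returned stream, so the stream must
 * always be closed.
 *
 * @param setting name of the keystore entry to read
 * @return a stream that base64-decodes the stored value
 * @throws GeneralSecurityException if the keystore entry or its key spec cannot be read
 * @throws IllegalStateException if the setting is not registered as a file or
 *         is not a secret-key entry
 */
@Override
public InputStream getFile(String setting) throws GeneralSecurityException {
    KeyStore.Entry entry = keystore.get().getEntry(setting, keystorePassword.get());
    if (settingTypes.get(setting) != KeyType.FILE || entry instanceof KeyStore.SecretKeyEntry == false) {
        throw new IllegalStateException("Secret setting " + setting + " is not a file");
    }
    KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) entry;
    PBEKeySpec keySpec = (PBEKeySpec) fileFactory.getKeySpec(secretKeyEntry.getSecretKey(), PBEKeySpec.class);
    // The PBE keyspec gives us chars, we first convert to bytes, then decode base64 inline.
    char[] chars = keySpec.getPassword();
    keySpec.clearPassword(); // wipe the spec's internal copy
    byte[] bytes = new byte[chars.length];
    for (int i = 0; i < bytes.length; ++i) {
        bytes[i] = (byte) chars[i]; // PBE only stores the lower 8 bits, so this narrowing is ok
    }
    // getPassword() returned a copy, so clearing the spec does not touch `chars`;
    // wipe it explicitly now that the bytes have been extracted.
    Arrays.fill(chars, '\0');
    InputStream bytesStream = new ByteArrayInputStream(bytes) {
        @Override
        public void close() throws IOException {
            super.close();
            Arrays.fill(bytes, (byte) 0); // wipe the byte copy when the stream is closed
        }
    };
    return Base64.getDecoder().wrap(bytesStream);
}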
/**
 * Reads the secret stored under {@code setting} as a {@link SecureString}.
 *
 * @param setting name of the keystore entry to read
 * @return the entry's characters wrapped in a {@code SecureString}
 * @throws GeneralSecurityException if the keystore entry or its key spec cannot be read
 * @throws IllegalStateException if the setting is not registered as a string or
 *         is not a secret-key entry
 */
@Override
public SecureString getString(String setting) throws GeneralSecurityException {
    final KeyStore.Entry stored = keystore.get().getEntry(setting, keystorePassword.get());
    final boolean registeredAsString = settingTypes.get(setting) == KeyType.STRING;
    if (!(registeredAsString && stored instanceof KeyStore.SecretKeyEntry)) {
        throw new IllegalStateException("Secret setting " + setting + " is not a string");
    }
    // TODO: only allow getting a setting once?
    final KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) stored;
    final PBEKeySpec spec = (PBEKeySpec) stringFactory.getKeySpec(secretEntry.getSecretKey(), PBEKeySpec.class);
    // The SecureString receives the copy returned by getPassword(); the spec's
    // own internal copy is wiped immediately afterwards.
    final SecureString wrapped = new SecureString(spec.getPassword());
    spec.clearPassword();
    return wrapped;
}