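/**
 * Reports whether the supplied key spec still holds a non-empty password.
 *
 * @param password the key spec to inspect; may be {@code null}
 * @return {@code true} only when the spec is non-null, has not been cleared,
 *         and its password contains at least one character
 */
private boolean passwordIsValid(PBEKeySpec password) {
    // Check for null explicitly instead of relying on a caught NullPointerException
    if (password == null) {
        return false;
    }

    final char[] passwordCopy;
    try {
        // PBEKeySpec.getPassword() returns a fresh copy and throws
        // IllegalStateException once clearPassword() has been called
        passwordCopy = password.getPassword();
    } catch (IllegalStateException e) {
        return false;
    }
    if (passwordCopy == null) {
        return false;
    }

    try {
        return passwordCopy.length > 0;
    } finally {
        // Only the length is needed; zero the copy so no extra plaintext password stays on the heap.
        // The spec keeps its own internal array, so it remains usable afterwards.
        java.util.Arrays.fill(passwordCopy, '\0');
    }
}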
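/**
 * Decrypts a salt-prefixed, password-based ciphertext.
 *
 * <p>The input is read as {@code salt || cipher text}, where the salt length is whatever
 * {@code CipherUtility.getSaltLengthForAlgorithm(algorithm)} reports.
 *
 * @param cipherBytes the salt followed by the encrypted bytes
 * @return the decrypted bytes
 * @throws EncryptionException if the input is missing or shorter than the salt, or if the
 *         cipher cannot be created or fails to decrypt
 */
private byte[] decryptPBE(byte[] cipherBytes) {
    PBECipherProvider pbecp = (PBECipherProvider) cipherProvider;
    final EncryptionMethod encryptionMethod = EncryptionMethod.forAlgorithm(algorithm);

    // Extract salt
    int saltLength = CipherUtility.getSaltLengthForAlgorithm(algorithm);
    // Reject truncated input up front: otherwise the copy below fails with an unchecked
    // array exception instead of the EncryptionException used for every other decrypt failure
    if (cipherBytes == null || saltLength < 0 || cipherBytes.length < saltLength) {
        int actualLength = cipherBytes == null ? 0 : cipherBytes.length;
        throw new EncryptionException("Could not decrypt sensitive value",
                new IllegalArgumentException("Cipher text is " + actualLength
                        + " bytes but the salt alone requires " + saltLength));
    }
    byte[] salt = Arrays.copyOfRange(cipherBytes, 0, saltLength);
    byte[] actualCipherBytes = Arrays.copyOfRange(cipherBytes, saltLength, cipherBytes.length);

    // Determine necessary key length
    int keyLength = CipherUtility.parseKeyLengthFromAlgorithm(algorithm);

    // Generate cipher
    try {
        // NOTE(review): getCipher is called with the password as a String, so an immutable copy
        // of the password is created here that cannot be zeroed after use
        Cipher cipher = pbecp.getCipher(encryptionMethod, new String(password.getPassword()), salt, keyLength, false);

        // Write IV if necessary (allows for future use of PBKDF2, Bcrypt, or Scrypt)
        // byte[] iv = new byte[0];
        // if (cipherProvider instanceof RandomIVPBECipherProvider) {
        //     iv = cipher.getIV();
        // }

        // Decrypt the plaintext
        return cipher.doFinal(actualCipherBytes);
    } catch (Exception e) {
        throw new EncryptionException("Could not decrypt sensitive value", e);
    }
}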
passwordsEqual = CryptoUtils.constantTimeEquals(a.getPassword(), b.getPassword()); } catch (IllegalStateException e) { logger.warn("Encountered an error trying to compare password equality (one or more passwords have been cleared)");
/**
 * Encrypts the given text with a password-based cipher.
 *
 * @param plaintext the text to protect; encoded as UTF-8 before encryption
 * @return the generated salt immediately followed by the cipher bytes
 * @throws EncryptionException if the cipher cannot be created or the encryption fails
 */
private byte[] encryptPBE(String plaintext) {
    final PBECipherProvider provider = (PBECipherProvider) cipherProvider;
    final EncryptionMethod method = EncryptionMethod.forAlgorithm(algorithm);

    // NiFi legacy code determined the salt length based on the cipher block size,
    // so the legacy provider is asked for a salt sized for this encryption method
    final byte[] saltBytes = provider instanceof org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider
            ? ((org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider) provider).generateSalt(method)
            : provider.generateSalt();

    final int derivedKeyLength = CipherUtility.parseKeyLengthFromAlgorithm(algorithm);

    try {
        // The provider call takes the password as a String
        final String passphrase = new String(password.getPassword());
        final Cipher encryptor = provider.getCipher(method, passphrase, saltBytes, derivedKeyLength, true);

        // IV handling for RandomIVPBECipherProvider was left commented out by the author
        // (kept open for future use of PBKDF2, Bcrypt, or Scrypt); no IV is written here

        final byte[] encrypted = encryptor.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));

        // Output layout: salt first, then the cipher bytes
        return CryptoUtils.concatByteArrays(saltBytes, encrypted);
    } catch (Exception e) {
        throw new EncryptionException("Could not encrypt sensitive value", e);
    }
}
RandomIVPBECipherProvider rivpcp = (RandomIVPBECipherProvider) cipherProvider; byte[] iv = rivpcp.readIV(in); cipher = rivpcp.getCipher(encryptionMethod, new String(password.getPassword()), salt, iv, keyLength, false); } else { cipher = cipherProvider.getCipher(encryptionMethod, new String(password.getPassword()), salt, keyLength, false);
/**
 * Encrypts everything read from {@code in} and writes the result to {@code out}.
 *
 * <p>The salt is written first; when the provider is a {@code RandomIVPBECipherProvider}
 * the IV follows, and the encrypted stream content comes last.
 *
 * @param in  source of the plaintext
 * @param out destination for salt, optional IV, and cipher text
 * @throws IOException declared by the callback contract
 * @throws ProcessException wrapping any failure while creating the cipher or processing the streams
 */
@Override
public void process(final InputStream in, final OutputStream out) throws IOException {
    // Resolve the password-based provider for the configured KDF
    final PBECipherProvider provider = (PBECipherProvider) CipherProviderFactory.getCipherProvider(kdf);

    // NiFi legacy code determined the salt length based on the cipher block size
    final byte[] saltBytes;
    if (provider instanceof org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider) {
        final org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider legacyProvider =
                (org.apache.nifi.security.util.crypto.NiFiLegacyCipherProvider) provider;
        saltBytes = legacyProvider.generateSalt(encryptionMethod);
    } else {
        saltBytes = provider.generateSalt();
    }

    // The salt goes to the output before any cipher is built
    provider.writeSalt(saltBytes, out);

    final int derivedKeyLength = CipherUtility.parseKeyLengthFromAlgorithm(encryptionMethod.getAlgorithm());

    try {
        final String passphrase = new String(password.getPassword());
        final Cipher encryptor = provider.getCipher(encryptionMethod, passphrase, saltBytes, derivedKeyLength, true);

        // Providers that use a random IV persist it right after the salt
        if (provider instanceof RandomIVPBECipherProvider) {
            final RandomIVPBECipherProvider ivProvider = (RandomIVPBECipherProvider) provider;
            ivProvider.writeIV(encryptor.getIV(), out);
        }

        CipherUtility.processStreams(encryptor, in, out);
    } catch (Exception e) {
        throw new ProcessException(e);
    }
}
} // closes the enclosing class; its header is outside this excerpt
// Load the secret-key entry stored under `setting`, using `password` as the protection parameter.
// NOTE(review): KeyStore.getEntry returns null for an unknown alias and this excerpt shows no
// null check before keystoreEntry is dereferenced on the next line; confirm the caller guarantees the alias exists.
KeyStore.SecretKeyEntry keystoreEntry = (KeyStore.SecretKeyEntry) keystore.getEntry(setting, password);
// Turn the stored secret key back into a PBEKeySpec so its password characters can be read
PBEKeySpec keySpec = (PBEKeySpec) keyFactory.getKeySpec(keystoreEntry.getSecretKey(), PBEKeySpec.class);
// PBEKeySpec.getPassword() returns a copy, so `chars` stays valid after the spec is cleared below.
// NOTE(review): `chars` is not zeroed within this excerpt; whoever consumes it should wipe it when done.
char[] chars = keySpec.getPassword();
// Wipe the spec's internal copy of the password
keySpec.clearPassword();
/**
 * Returns the password held by the wrapped key spec.
 *
 * <p>NOTE(review): presumably {@code pbeKeySpec} is a {@code javax.crypto.spec.PBEKeySpec};
 * if so, each call yields a fresh copy that the caller should zero after use, and the call
 * throws {@code IllegalStateException} once the spec has been cleared.
 *
 * @return the password characters reported by {@code pbeKeySpec}
 */
public char[] getPassword() {
    final char[] passwordChars = pbeKeySpec.getPassword();
    return passwordChars;
}
/**
 * Exposes the password of the underlying {@code pbeKeySpec}.
 *
 * <p>NOTE(review): assuming {@code pbeKeySpec} is a {@code javax.crypto.spec.PBEKeySpec},
 * the array handed back is a copy owned by the caller, who is responsible for wiping it.
 *
 * @return whatever {@code pbeKeySpec.getPassword()} returns
 */
public char[] getPassword() {
    final char[] secret = pbeKeySpec.getPassword();
    return secret;
}
/**
 * Delegates to {@code pbeKeySpec} to obtain the password characters.
 *
 * <p>NOTE(review): if {@code pbeKeySpec} is a {@code javax.crypto.spec.PBEKeySpec} (not visible
 * here), the result is a copy; callers should overwrite it once the password is no longer needed.
 *
 * @return the password as reported by the delegate
 */
public char[] getPassword() {
    final char[] delegatePassword = pbeKeySpec.getPassword();
    return delegatePassword;
}
/**
 * Hands out the password carried by {@code pbeKeySpec}.
 *
 * <p>NOTE(review): with a {@code javax.crypto.spec.PBEKeySpec} delegate (to be confirmed), every
 * call allocates a new plaintext copy of the password, so callers should zero the array after use.
 *
 * @return the delegate's password characters
 */
public char[] getPassword() {
    final char[] copyFromSpec = pbeKeySpec.getPassword();
    return copyFromSpec;
}
/**
 * Gets the password from the key spec this object wraps.
 *
 * <p>NOTE(review): the type of {@code pbeKeySpec} is not shown; for a
 * {@code javax.crypto.spec.PBEKeySpec} the returned array is independent of the spec's internal
 * state and should be cleared by the caller.
 *
 * @return the value of {@code pbeKeySpec.getPassword()}
 */
public char[] getPassword() {
    final char[] specPassword = pbeKeySpec.getPassword();
    return specPassword;
}
/**
 * Provides access to the password stored in {@code pbeKeySpec}.
 *
 * <p>NOTE(review): when {@code pbeKeySpec} is a {@code javax.crypto.spec.PBEKeySpec} (confirm
 * against the field declaration), the caller receives its own copy and is expected to zero it.
 *
 * @return the password characters obtained from {@code pbeKeySpec}
 */
public char[] getPassword() {
    final char[] result = pbeKeySpec.getPassword();
    return result;
}
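/**
 * Converts the password carried by {@code keySpec} into key bytes, using the encoding
 * selected by {@code type}.
 *
 * @param type    scheme selector; {@code PKCS12} uses the PKCS#12 conversion,
 *                {@code PKCS5S2_UTF8} and {@code PKCS5S1_UTF8} use the UTF-8 PKCS#5 conversion,
 *                anything else uses the plain PKCS#5 conversion
 * @param keySpec source of the password
 * @return the converted password bytes
 */
private static byte[] convertPassword(int type, PBEKeySpec keySpec) {
    // PBEKeySpec.getPassword() returns a copy; fetch it once so it can be wiped afterwards
    final char[] passwordCopy = keySpec.getPassword();
    try {
        if (type == PKCS12) {
            return PBEParametersGenerator.PKCS12PasswordToBytes(passwordCopy);
        }
        if (type == PKCS5S2_UTF8 || type == PKCS5S1_UTF8) {
            return PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(passwordCopy);
        }
        return PBEParametersGenerator.PKCS5PasswordToBytes(passwordCopy);
    } finally {
        // The converters return a separate byte[]; the temporary char[] is no longer needed,
        // so zero it rather than leaving a plaintext password copy for the garbage collector
        if (passwordCopy != null) {
            java.util.Arrays.fill(passwordCopy, '\0');
        }
    }
}
} // closes the enclosing class; its header is outside this excerpt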
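/**
 * Turns the password in {@code keySpec} into the byte form required by the given scheme.
 *
 * @param type    scheme selector: {@code PKCS12} picks the PKCS#12 conversion,
 *                {@code PKCS5S2_UTF8} or {@code PKCS5S1_UTF8} the UTF-8 PKCS#5 conversion,
 *                and every other value the default PKCS#5 conversion
 * @param keySpec key spec holding the password
 * @return the password encoded as bytes for the selected scheme
 */
private static byte[] convertPassword(int type, PBEKeySpec keySpec) {
    // getPassword() hands back a copy of the password, owned by this method
    final char[] chars = keySpec.getPassword();
    final byte[] key;
    try {
        if (type == PKCS12) {
            key = PBEParametersGenerator.PKCS12PasswordToBytes(chars);
        } else if (type == PKCS5S2_UTF8 || type == PKCS5S1_UTF8) {
            key = PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(chars);
        } else {
            key = PBEParametersGenerator.PKCS5PasswordToBytes(chars);
        }
    } finally {
        // Zero the temporary copy whether or not the conversion succeeded, so the
        // plaintext password does not linger on the heap
        if (chars != null) {
            java.util.Arrays.fill(chars, '\0');
        }
    }
    return key;
}
} // closes the enclosing class; its header is outside this excerpt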
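/**
 * Encodes the password of {@code keySpec} as bytes according to {@code type}.
 *
 * @param type    {@code PKCS12} for the PKCS#12 conversion; {@code PKCS5S2_UTF8} or
 *                {@code PKCS5S1_UTF8} for the UTF-8 PKCS#5 conversion; any other value
 *                falls back to the plain PKCS#5 conversion
 * @param keySpec provides the password characters
 * @return the encoded password
 */
private static byte[] convertPassword(int type, PBEKeySpec keySpec) {
    // A single fetch: PBEKeySpec.getPassword() allocates a new copy on every call
    final char[] secret = keySpec.getPassword();
    try {
        return type == PKCS12
                ? PBEParametersGenerator.PKCS12PasswordToBytes(secret)
                : (type == PKCS5S2_UTF8 || type == PKCS5S1_UTF8)
                        ? PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(secret)
                        : PBEParametersGenerator.PKCS5PasswordToBytes(secret);
    } finally {
        // The char[] copy has served its purpose once the bytes exist; overwrite it so
        // the password is not left readable in memory
        if (secret != null) {
            java.util.Arrays.fill(secret, '\0');
        }
    }
}
} // closes the enclosing class; its header is outside this excerpt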
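/**
 * Produces the key bytes for a password-based scheme from the password in {@code keySpec}.
 *
 * @param type    selects the conversion: PKCS#12 for {@code PKCS12}, UTF-8 PKCS#5 for
 *                {@code PKCS5S2_UTF8} and {@code PKCS5S1_UTF8}, plain PKCS#5 otherwise
 * @param keySpec the key spec whose password is converted
 * @return the password bytes in the selected encoding
 */
private static byte[] convertPassword(int type, PBEKeySpec keySpec) {
    final boolean usePkcs12 = type == PKCS12;
    final boolean useUtf8 = type == PKCS5S2_UTF8 || type == PKCS5S1_UTF8;

    // getPassword() returns a copy that this method is responsible for clearing
    final char[] temp = keySpec.getPassword();
    try {
        if (usePkcs12) {
            return PBEParametersGenerator.PKCS12PasswordToBytes(temp);
        } else if (useUtf8) {
            return PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(temp);
        } else {
            return PBEParametersGenerator.PKCS5PasswordToBytes(temp);
        }
    } finally {
        // Wipe the temporary plaintext copy on every exit path
        if (temp != null) {
            java.util.Arrays.fill(temp, '\0');
        }
    }
}
} // closes the enclosing class; its header is outside this excerpt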
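/**
 * Looks up the secret stored under {@code alias} in the keystore and decodes it into credentials.
 *
 * @param alias keystore alias of the credentials entry
 * @return the decoded credentials, or {@code null} when the keystore has no entry for the alias
 */
@Override
public Credentials getCredentials(String alias) {
    PBEKeySpec keySpec = null;
    char[] encodedChars = null;
    try {
        KeyStore.PasswordProtection keyStorePP = new KeyStore.PasswordProtection(m_password);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");

        KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry) m_keystore.getEntry(alias, keyStorePP);
        if (ske == null) {
            return null;
        }

        keySpec = (PBEKeySpec) factory.getKeySpec(ske.getSecretKey(), PBEKeySpec.class);
        encodedChars = keySpec.getPassword();

        // Use an explicit charset: the no-argument getBytes() depends on the platform default,
        // which makes the decoded bytes vary between JVMs. Base64 text is plain ASCII, so UTF-8
        // yields the same bytes on any platform.
        // NOTE(review): the String copy is immutable and cannot be wiped.
        byte[] encodedBytes = new String(encodedChars).getBytes(java.nio.charset.StandardCharsets.UTF_8);

        // NOTE(review): the IOException / ClassNotFoundException handled below suggest that
        // fromBase64EncodedByteArray deserializes a Java object; confirm the keystore contents
        // are trusted or that an ObjectInputFilter restricts the accepted classes.
        return fromBase64EncodedByteArray(encodedBytes);
    } catch (KeyStoreException | InvalidKeySpecException | NoSuchAlgorithmException | IOException | ClassNotFoundException | UnrecoverableEntryException e) {
        throw Throwables.propagate(e);
    } finally {
        // getPassword() returned a copy and keySpec is local to this call, so both can be
        // wiped without affecting the keystore entry
        if (encodedChars != null) {
            java.util.Arrays.fill(encodedChars, '\0');
        }
        if (keySpec != null) {
            keySpec.clearPassword();
        }
    }
}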
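/**
 * Retrieves the credentials stored in the keystore under the given alias.
 *
 * @param alias name of the keystore entry to read
 * @return the credentials decoded from the entry, or {@code null} if the alias is not present
 */
@Override
public Credentials getCredentials(String alias) {
    PBEKeySpec spec = null;
    char[] storedChars = null;
    try {
        KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(m_password);
        SecretKeyFactory pbeFactory = SecretKeyFactory.getInstance("PBE");

        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) m_keystore.getEntry(alias, protection);
        if (entry == null) {
            return null;
        }

        spec = (PBEKeySpec) pbeFactory.getKeySpec(entry.getSecretKey(), PBEKeySpec.class);
        storedChars = spec.getPassword();

        // Pin the charset instead of calling getBytes() with the platform default, so the
        // bytes passed to the decoder are the same on every JVM (Base64 text is ASCII-only).
        // NOTE(review): this intermediate String cannot be zeroed after use.
        byte[] base64Bytes = new String(storedChars).getBytes(java.nio.charset.StandardCharsets.UTF_8);

        // NOTE(review): fromBase64EncodedByteArray appears to deserialize an object (this method
        // handles ClassNotFoundException); verify that only trusted data reaches it or that the
        // accepted classes are filtered.
        return fromBase64EncodedByteArray(base64Bytes);
    } catch (KeyStoreException | InvalidKeySpecException | NoSuchAlgorithmException | IOException | ClassNotFoundException | UnrecoverableEntryException e) {
        throw Throwables.propagate(e);
    } finally {
        // Both the char[] copy and the locally created spec are private to this call;
        // wipe them so the stored secret does not stay on the heap in plaintext
        if (storedChars != null) {
            java.util.Arrays.fill(storedChars, '\0');
        }
        if (spec != null) {
            spec.clearPassword();
        }
    }
}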
/**
 * Reads a string-typed secret setting from the keystore.
 *
 * @param setting name of the secret setting
 * @return the setting's value wrapped in a {@code SecureString}
 * @throws GeneralSecurityException if the keystore entry or its key spec cannot be read
 * @throws IllegalStateException if the setting is not registered as a string or the stored
 *         entry is not a secret-key entry
 */
@Override
public SecureString getString(String setting) throws GeneralSecurityException {
    final KeyStore.Entry storedEntry = keystore.get().getEntry(setting, keystorePassword.get());

    final boolean registeredAsString = settingTypes.get(setting) == KeyType.STRING;
    if (!(registeredAsString && storedEntry instanceof KeyStore.SecretKeyEntry)) {
        throw new IllegalStateException("Secret setting " + setting + " is not a string");
    }

    // TODO: only allow getting a setting once?
    final KeyStore.SecretKeyEntry secretEntry = (KeyStore.SecretKeyEntry) storedEntry;
    final PBEKeySpec spec = (PBEKeySpec) stringFactory.getKeySpec(secretEntry.getSecretKey(), PBEKeySpec.class);

    // getPassword() yields a copy, which is handed to the SecureString
    // (presumably SecureString takes ownership of that array; confirm against its constructor)
    final SecureString secret = new SecureString(spec.getPassword());
    // Wipe the spec's own copy right away so only the SecureString holds the value
    spec.clearPassword();
    return secret;
}