private SecretKey getSecretKeyByDigest(String digest) throws EncryptionException { if (digest == null || digest.isEmpty()) { throw new EncryptionException("Key digest must be specified and cannot be blank."); } if (digestToSecretKeyHashMap.containsKey(digest)) { return digestToSecretKeyHashMap.get(digest); } throw new EncryptionException("No key mapped to key digest " + digest + " could be found in the keystore. Keys digests must be recomputed during initialization"); }
private SecretKey getSecretKeyByAlias(String alias) throws EncryptionException { if (alias == null || alias.isEmpty()) { throw new EncryptionException("Key alias must be specified and cannot be blank."); } if (aliasToSecretKeyHashMap.containsKey(alias)) { return aliasToSecretKeyHashMap.get(alias); } throw new EncryptionException("No key mapped to alias " + alias + " could be found in the keystore. Keys by aliases must be recomputed during initialization"); }
/** * TODO remove, used only in midpoint ninja cmd tool, not part of API */ @Deprecated @Override public String getSecretKeyDigest(SecretKey key) throws EncryptionException { for (Map.Entry<String, SecretKey> entry : digestToSecretKeyHashMap.entrySet()) { if (entry.getValue().equals(key)) { return entry.getKey(); } } throw new EncryptionException("Could not find hash for secret key algorithm " + key.getAlgorithm() + ". Hash values for keys must be recomputed during initialization"); }
private boolean compareHashedPbkd(HashedDataType hashedDataType, String algorithmName, char[] clearChars) throws EncryptionException { DigestMethodType digestMethodType = hashedDataType.getDigestMethod(); byte[] salt = digestMethodType.getSalt(); Integer workFactor = digestMethodType.getWorkFactor(); byte[] digestValue = hashedDataType.getDigestValue(); int keyLen = digestValue.length * 8; SecretKeyFactory secretKeyFactory; try { secretKeyFactory = SecretKeyFactory.getInstance(algorithmName); } catch (NoSuchAlgorithmException e) { throw new EncryptionException(e.getMessage(), e); } PBEKeySpec keySpec = new PBEKeySpec(clearChars, salt, workFactor, keyLen); SecretKey key; try { key = secretKeyFactory.generateSecret(keySpec); } catch (InvalidKeySpecException e) { throw new EncryptionException(e.getMessage(), e); } byte[] hashBytes = key.getEncoded(); return Arrays.equals(digestValue, hashBytes); }
private static void encryptProtectedStringType(Protector protector, ProtectedStringType ps, String propName) throws EncryptionException { if (ps == null) { return; } if (ps.isHashed()) { return; } if (ps.getClearValue() != null) { try { protector.encrypt(ps); } catch (EncryptionException e) { throw new EncryptionException("Failed to encrypt value for field " + propName + ": " + e.getMessage(), e); } } }
@Override public String decryptString(ProtectedData<String> protectedString) throws EncryptionException { try { if (!protectedString.isEncrypted()) { return protectedString.getClearValue(); } else { byte[] clearBytes = decryptBytes(protectedString); return ProtectedStringType.bytesToString(clearBytes); } } catch (SchemaException ex){ throw new EncryptionException(ex); } }
if (!f.canRead()) { LOGGER.error("Provided keystore file {} is unreadable.", getKeyStorePath()); throw new EncryptionException("Provided keystore file " + getKeyStorePath() + " is unreadable."); throw new EncryptionException("Couldn't load keystore as resource '" + getKeyStorePath() + "'"); sha1 = MessageDigest.getInstance(KEY_DIGEST_TYPE); } catch (NoSuchAlgorithmException ex) { throw new EncryptionException(ex.getMessage(), ex);
private HashedDataType hashPbkd(ProtectedData<String> protectedData, String algorithmUri, String algorithmName) throws EncryptionException { char[] clearChars = getClearChars(protectedData); byte[] salt = generatePbkdSalt(); int iterations = getPbkdIterations(); SecretKeyFactory secretKeyFactory; try { secretKeyFactory = SecretKeyFactory.getInstance(algorithmName); } catch (NoSuchAlgorithmException e) { throw new EncryptionException(e.getMessage(), e); } PBEKeySpec keySpec = new PBEKeySpec(clearChars, salt, iterations, getPbkdKeyLength()); SecretKey key; try { key = secretKeyFactory.generateSecret(keySpec); } catch (InvalidKeySpecException e) { throw new EncryptionException(e.getMessage(), e); } byte[] hashBytes = key.getEncoded(); HashedDataType hashedDataType = new HashedDataType(); DigestMethodType digestMethod = new DigestMethodType(); digestMethod.setAlgorithm(algorithmUri); digestMethod.setSalt(salt); digestMethod.setWorkFactor(iterations); hashedDataType.setDigestMethod(digestMethod); hashedDataType.setDigestValue(hashBytes); return hashedDataType; }
private static void reencryptProtectedStringType(ProtectedStringType ps, String propName, Holder<Integer> modCountHolder, Protector protector) { if (ps == null) { // nothing to do here } else if (ps.isHashed()) { // nothing to do here } else if (ps.getClearValue() != null) { try { protector.encrypt(ps); increment(modCountHolder); } catch (EncryptionException e) { throw new TunnelException(new EncryptionException("Failed to encrypt value for field " + propName + ": " + e.getMessage(), e)); } } else if (ps.getEncryptedDataType() != null) { try { if (!protector.isEncryptedByCurrentKey(ps.getEncryptedDataType())) { ProtectedStringType reencrypted = protector.encryptString(protector.decryptString(ps)); ps.setEncryptedData(reencrypted.getEncryptedDataType()); increment(modCountHolder); } } catch (EncryptionException e) { throw new TunnelException(new EncryptionException("Failed to check/reencrypt value for field " + propName + ": " + e.getMessage(), e)); } } else { // no clear nor encrypted value } }
protected <T extends ObjectType> List<PrismObject<T>> repoAddObjectsFromFile(File file, Class<T> type, OperationResult parentResult) throws SchemaException, ObjectAlreadyExistsException, IOException { OperationResult result = parentResult.createSubresult(AbstractIntegrationTest.class.getName() + ".addObjectsFromFile"); result.addParam("file", file.getPath()); LOGGER.trace("addObjectsFromFile: {}", file); List<PrismObject<T>> objects = (List) prismContext.parserFor(file).parseObjects(); for (PrismObject<T> object: objects) { try { repoAddObject(object, result); } catch (ObjectAlreadyExistsException e) { throw new ObjectAlreadyExistsException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (SchemaException e) { new SchemaException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (EncryptionException e) { new EncryptionException(e.getMessage()+" while adding "+object+" from file "+file, e); } } result.recordSuccess(); return objects; }
protected List<PrismObject> repoAddObjectsFromFile(File file, OperationResult parentResult) throws SchemaException, ObjectAlreadyExistsException, IOException { OperationResult result = parentResult.createSubresult(AbstractIntegrationTest.class.getName() + ".addObjectsFromFile"); result.addParam("file", file.getPath()); LOGGER.trace("addObjectsFromFile: {}", file); List<PrismObject> objects = (List) prismContext.parserFor(file).parseObjects(); for (PrismObject object: objects) { try { repoAddObject(object, result); } catch (ObjectAlreadyExistsException e) { throw new ObjectAlreadyExistsException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (SchemaException e) { new SchemaException(e.getMessage()+" while adding "+object+" from file "+file, e); } catch (EncryptionException e) { new EncryptionException(e.getMessage()+" while adding "+object+" from file "+file, e); } } result.recordSuccess(); return objects; }
| NoSuchProviderException | IllegalBlockSizeException | BadPaddingException | InvalidAlgorithmParameterException e) { throw new EncryptionException(e.getMessage(), e);
@Override public <T> void encrypt(ProtectedData<T> protectedData) throws EncryptionException { if (protectedData.isEncrypted()) { throw new IllegalArgumentException("Attempt to encrypt protected data that are already encrypted"); } SecretKey key = getSecretKeyByAlias(getEncryptionKeyAlias()); String algorithm = getCipherAlgorithm(); byte[] clearBytes = protectedData.getClearBytes(); byte[] encryptedBytes; try { encryptedBytes = encryptBytes(clearBytes, algorithm, key); } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException | NoSuchProviderException | IllegalBlockSizeException | BadPaddingException | InvalidAlgorithmParameterException e) { throw new EncryptionException(e.getMessage(), e); } // Construct encryption types EncryptedDataType encryptedDataType = new EncryptedDataType(); EncryptionMethodType encryptionMethodType = new EncryptionMethodType(); encryptionMethodType.setAlgorithm(algorithm); encryptedDataType.setEncryptionMethod(encryptionMethodType); KeyInfoType keyInfoType = new KeyInfoType(); keyInfoType.setKeyName(getSecretKeyDigest(key)); encryptedDataType.setKeyInfo(keyInfoType); CipherDataType cipherDataType = new CipherDataType(); cipherDataType.setCipherValue(encryptedBytes); encryptedDataType.setCipherData(cipherDataType); protectedData.setEncryptedData(encryptedDataType); protectedData.destroyCleartext(); }