/* * Encrypt private key using Password-based encryption (PBE) * as defined in PKCS#5. * * NOTE: Currently pbeWithSHAAnd3-KeyTripleDES-CBC algorithmID is * used to derive the key and IV. * * @return encrypted private key encoded as EncryptedPrivateKeyInfo */ private byte[] encryptPrivateKey(byte[] data, char[] password) throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException { byte[] key = null; try { // create AlgorithmParameters AlgorithmParameters algParams = getAlgorithmParameters("PBEWithSHA1AndDESede"); // Use JCE SecretKey skey = getPBEKey(password); Cipher cipher = Cipher.getInstance("PBEWithSHA1AndDESede"); cipher.init(Cipher.ENCRYPT_MODE, skey, algParams); byte[] encryptedKey = cipher.doFinal(data); // wrap encrypted private key in EncryptedPrivateKeyInfo // as defined in PKCS#8 AlgorithmId algid = new AlgorithmId(pbeWithSHAAnd3KeyTripleDESCBC_OID, algParams); EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(algid, encryptedKey); key = encrInfo.getEncoded(); } catch (Exception e) { UnrecoverableKeyException uke = new UnrecoverableKeyException("Encrypt Private Key failed: " + e.getMessage()); uke.initCause(e); throw uke; } return key; }
/** * Returns the key associated with the given alias, using the given password to recover it. * * @param alias the alias name * @param password the password for recovering the key. This password is used internally as the * key is exported in a PKCS12 format. * @return the requested key, or null if the given alias does not exist or does not identify a * <i>key entry</i>. * @exception NoSuchAlgorithmException if the algorithm for recovering the key cannot be found * @exception UnrecoverableKeyException if the key cannot be recovered (e.g., the given password * is wrong). */ public Key engineGetKey(String alias, char[] password) throws NoSuchAlgorithmException, UnrecoverableKeyException { permissionCheck(); // An empty password is rejected by MacOS API, no private key data // is exported. If no password is passed (as is the case when // this implementation is used as browser keystore in various // deployment scenarios like Webstart, JFX and applets), create // a dummy password so MacOS API is happy. if (password == null || password.length == 0) { // Must not be a char array with only a 0, as this is an empty // string. if (random == null) { random = new SecureRandom(); } password = Long.toString(random.nextLong()).toCharArray(); } Object entry = entries.get(alias.toLowerCase()); if (entry == null || !(entry instanceof KeyEntry)) { return null; } // This call gives us a PKCS12 bag, with the key inside it. byte[] exportedKeyInfo = _getEncodedKeyData(((KeyEntry) entry).keyRef, password); if (exportedKeyInfo == null) { return null; } PrivateKey returnValue = null; try { byte[] pkcs8KeyData = fetchPrivateKeyFromBag(exportedKeyInfo); byte[] encryptedKey; AlgorithmParameters algParams; ObjectIdentifier algOid; try { // get the encrypted private key EncryptedPrivateKeyInfo encrInfo = new EncryptedPrivateKeyInfo(pkcs8KeyData); encryptedKey = encrInfo.getEncryptedData(); // parse Algorithm parameters DerValue val = new DerValue(encrInfo.getAlgorithm().encode()); DerInputStream in = val.toDerInputStream(); algOid = in.getOID(); algParams = parseAlgParameters(in); } catch (IOException ioe) { UnrecoverableKeyException uke = new UnrecoverableKeyException( "Private key not stored as " + "PKCS#8 EncryptedPrivateKeyInfo: " + ioe); uke.initCause(ioe); throw uke; } // Use JCE to decrypt the data using the supplied password. SecretKey skey = getPBEKey(password); Cipher cipher = Cipher.getInstance(algOid.toString()); cipher.init(Cipher.DECRYPT_MODE, skey, algParams); byte[] decryptedPrivateKey = cipher.doFinal(encryptedKey); PKCS8EncodedKeySpec kspec = new PKCS8EncodedKeySpec(decryptedPrivateKey); // Parse the key algorithm and then use a JCA key factory to create the private key. DerValue val = new DerValue(decryptedPrivateKey); DerInputStream in = val.toDerInputStream(); // Ignore this -- version should be 0. int i = in.getInteger(); // Get the Algorithm ID next DerValue[] value = in.getSequence(2); AlgorithmId algId = new AlgorithmId(value[0].getOID()); String algName = algId.getName(); // Get a key factory for this algorithm. It's likely to be 'RSA'. KeyFactory kfac = KeyFactory.getInstance(algName); returnValue = kfac.generatePrivate(kspec); } catch (Exception e) { UnrecoverableKeyException uke = new UnrecoverableKeyException("Get Key failed: " + e.getMessage()); uke.initCause(e); throw uke; } return returnValue; }
@Override public void contextInitialized(ServletContextEvent arg0) { final String S_ProcName = "contextInitialized"; Properties props = System.getProperties(); if (null == CFBamSchemaPool.getSchemaPool()) { try { Context ctx = new InitialContext(); String poolClassName = (String) ctx.lookup("java:comp/env/CFBam24PoolClass"); if ((poolClassName == null) || (poolClassName.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24PoolClass"); } Class poolClass = Class.forName(poolClassName); if (poolClass == null) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "CFBam24PoolClass \"" + poolClassName + "\" not found."); } Object obj = poolClass.newInstance(); if (obj instanceof CFBamSchemaPool) { CFBamSchemaPool newPool = (CFBamSchemaPool) obj; newPool.setConfigurationFile(null); newPool.setJndiName("java:comp/env/CFBam24Connection"); CFBamSchemaPool.setSchemaPool(newPool); } else { throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Problems constructing an instance of " + poolClassName); } String smtpHost = (String) ctx.lookup("java:comp/env/CFBam24SmtpHost"); if ((smtpHost == null) || (smtpHost.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpHost"); } props.setProperty("mail.smtp.host", smtpHost); String smtpStartTLS = (String) ctx.lookup("java:comp/env/CFBam24SmtpStartTLS"); if ((smtpHost == null) || (smtpHost.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpStartTLS"); } props.setProperty("mail.smtp.starttls.enable", smtpStartTLS); String smtpSocketFactoryClass = (String) ctx.lookup("java:comp/env/CFBam24SmtpSocketFactoryClass"); if ((smtpSocketFactoryClass == null) || (smtpSocketFactoryClass.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpSocketFactoryClass"); } props.setProperty("mail.smtp.socketFactory.class", smtpSocketFactoryClass); props.setProperty("mail.smtp.socketFactory.fallback", "false"); String smtpPort = (String) ctx.lookup("java:comp/env/CFBam24SmtpPort"); if ((smtpPort == null) || (smtpPort.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpPort"); } props.setProperty("mail.smtp.port", smtpPort); props.setProperty("mail.smtp.socketFactory.port", smtpPort); props.setProperty("mail.smtps.auth", "true"); props.put("mail.smtps.quitwait", "false"); String smtpEmailFrom = (String) ctx.lookup("java:comp/env/CFBam24SmtpEmailFrom"); if ((smtpEmailFrom == null) || (smtpEmailFrom.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpEmailFrom"); } smtpUsername = (String) ctx.lookup("java:comp/env/CFBam24SmtpUsername"); if ((smtpUsername == null) || (smtpUsername.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpUsername"); } smtpPassword = (String) ctx.lookup("java:comp/env/CFBam24SmtpPassword"); if ((smtpPassword == null) || (smtpPassword.length() <= 0)) { throw CFLib.getDefaultExceptionFactory() .newNullArgumentException( getClass(), S_ProcName, 0, "JNDI lookup for CFBam24SmtpPassword"); } String serverKeyStore; try { serverKeyStore = (String) ctx.lookup("java:comp/env/CFBam24ServerKeyStore"); } catch (NamingException e) { serverKeyStore = null; } String keyStorePassword; try { keyStorePassword = (String) ctx.lookup("java:comp/env/CFBam24KeyStorePassword"); } catch (NamingException e) { keyStorePassword = null; } String keyName; try { keyName = (String) ctx.lookup("java:comp/env/CFBam24KeyName"); } catch (NamingException e) { keyName = null; } String keyPassword; try { keyPassword = (String) ctx.lookup("java:comp/env/CFBam24KeyPassword"); } catch (NamingException e) { keyPassword = null; } if (((serverKeyStore != null) && (serverKeyStore.length() > 0)) && (keyStorePassword != null) && ((keyName != null) && (keyName.length() > 0)) && (keyPassword != null)) { KeyStore keyStore = null; File keystoreFile = new File(serverKeyStore); if (!keystoreFile.exists()) { throw CFLib.getDefaultExceptionFactory() .newUsageException( getClass(), S_ProcName, "CFBam24ServerKeyStore file \"" + serverKeyStore + "\" does not exist."); } else if (!keystoreFile.isFile()) { throw CFLib.getDefaultExceptionFactory() .newUsageException( getClass(), S_ProcName, "CFBam24ServerKeyStore file \"" + serverKeyStore + "\" is not a file."); } else if (!keystoreFile.canRead()) { throw CFLib.getDefaultExceptionFactory() .newUsageException( getClass(), S_ProcName, "Permission denied attempting to read CFBam24ServerKeyStore file \"" + serverKeyStore + "\"."); } try { keyStore = KeyStore.getInstance("jceks"); char[] caPassword = keyStorePassword.toCharArray(); FileInputStream input = new FileInputStream(serverKeyStore); keyStore.load(input, caPassword); input.close(); Certificate publicKeyCertificate = keyStore.getCertificate(keyName); if (publicKeyCertificate == null) { throw CFLib.getDefaultExceptionFactory() .newUsageException( getClass(), S_ProcName, "Could not read CFBam24KeyName \"" + keyName + "\" from CFBam24ServerKeyStore file \"" + serverKeyStore + "\"."); } publicKey = publicKeyCertificate.getPublicKey(); char[] caKeyPassword = keyPassword.toCharArray(); Key key = keyStore.getKey(keyName, caKeyPassword); if (key instanceof PrivateKey) { privateKey = (PrivateKey) key; } else { throw CFLib.getDefaultExceptionFactory() .newUnsupportedClassException(getClass(), S_ProcName, "key", key, "PrivateKey"); } getServerInfo(); } catch (CertificateException x) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Could not open keystore due to CertificateException -- " + x.getMessage(), x); } catch (IOException x) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Could not open keystore due to IOException -- " + x.getMessage(), x); } catch (KeyStoreException x) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Could not open keystore due to KeyStoreException -- " + x.getMessage(), x); } catch (NoSuchAlgorithmException x) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Could not open keystore due to NoSuchAlgorithmException -- " + x.getMessage(), x); } catch (UnrecoverableKeyException x) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Could not access key due to UnrecoverableKeyException -- " + x.getMessage(), x); } catch (RuntimeException x) { publicKey = null; privateKey = null; throw x; } } else if ((serverKeyStore != null) || (keyStorePassword != null) || (keyName != null) || (keyPassword != null)) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newUsageException( getClass(), S_ProcName, "All or none of CFBam24ServerKeyStore, " + "CFBam24KeyStorePassword, " + "CFBam24KeyName, and " + "CFBam24KeyPassword must be configured"); } else { getServerInfo(); try { serverInfo.initServerKeys(); } catch (Exception x) { throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Caught " + x.getClass().getName() + " during initServerKeys() -- " + x.getMessage(), x); } } } catch (ClassNotFoundException e) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Caught ClassNotFoundException -- " + e.getMessage(), e); } catch (IllegalAccessException e) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Caught IllegalAccessException trying to construct newInstance() -- " + e.getMessage(), e); } catch (InstantiationException e) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Caught InstantiationException trying to construct newInstance() -- " + e.getMessage(), e); } catch (NamingException e) { publicKey = null; privateKey = null; throw CFLib.getDefaultExceptionFactory() .newRuntimeException( getClass(), S_ProcName, "Caught NamingException -- " + e.getMessage(), e); } } }