/**
* This method returns a EncryptedData structure with all the necessary information to allow
* storage in database. Encryted data is stored in file system without defined file name. Returned
* data must be treated in this way:
*
* <ul>
* <li>key must be stored NOWHERE, only must exist in the shared URL
* <li>id, encryptedPath and encryptedName must be stored in database
* </ul>
*
* With this data this methods builds a NEW KEY based on seed and applying the provided key. KEY
* is the provided key and must be regenerated in each method invocation (one-time use). ID is the
* encrypted seed, using the generated NEW KEY and an initialization vector based on seed itself,
* built by #getIv(String). PATH and NAME is encrypted with the same IV and NEW KEY as the ID.
* With this protocol we are trying to avoid the possibility of recovering encrypted data because
* the original key is never stored, only the owner of the shared URL has such key. So if the
* server is compromised by an attacker, this one could not discover the path of a file associated
* to a database record or decrypt a file content (because the lack of keys).
*
* @param content conted to be encrypted
* @param name file name
* @param seed value used to genererate the AES Initialization Vector
* @param key AES key used for encryption
* @return struct with reference info of encryptation result
* @throws IOException
* @throws FileNotFoundException
*/
protected EncryptedData doEncryptContent(
InputStream content, String name, String seed, byte[] key)
throws IOException, FileNotFoundException {
byte[] iv = getIv(seed);
byte[] encryptedIv = cryptoHelper.encryptIv(iv, key);
byte[] newKey =
Arrays.copyOf(
encryptedIv,
CryptoHelper.KEY_LENGTH
/ 8); // only first key size bytes (from a 16 bytes iv, the encrypted data is
// 128+128, being last 128 padding data
InputStream encryptedStream = cryptoHelper.encrypt(content, iv, newKey);
String targetDirPath = getTargetDirPath();
File targetFile = getTargetFile(targetDirPath);
FileOutputStream fos = new FileOutputStream(targetFile);
IOUtils.copyLarge(encryptedStream, fos, new byte[512]);
byte[] id = encryptString(seed, iv, newKey);
byte[] encryptedPath = encryptString(targetFile.getPath(), iv, newKey);
byte[] encryptedName = encryptString(name, iv, newKey);
EncryptedData ed = new EncryptedData();
ed.setKey(key);
ed.setId(id);
ed.setEncryptedPath(encryptedPath);
ed.setEncryptedName(encryptedName);
return ed;
}
private void btnFirmarMouseClicked(
java.awt.event.MouseEvent evt) { // GEN-FIRST:event_btnFirmarMouseClicked
btnFirmar.setEnabled(false);
this.setCursor(Cursor.WAIT_CURSOR);
try {
if (cbxCardReaders.getSelectedIndex() != 0) {
EncryptedData encryptedData = new EncryptedData();
int slotIndex = (cbxCardReaders.getSelectedIndex() - 1);
byte[] textoaFirmar = tbTextoAFirmar.getText().getBytes("UTF-8");
if (!m_Controller.Firmar(
slotIndex, new String(tbPassword.getPassword()), textoaFirmar, encryptedData)) {
String msg = "PIN Incorrecto";
statusStrip1.setText(msg);
} else {
tbTextFirmado.setText(encryptedData.ToString());
statusStrip1.setText("Texto Firmado Correctamente");
}
} else {
String msg = "Debe Seleccionar un Card Reader";
statusStrip1.setText(msg);
}
} catch (Exception ex) {
System.out.println(ex);
statusStrip1.setText("Ha ocurrido un error: " + ex.getMessage());
} finally {
btnFirmar.setEnabled(true);
this.setCursor(Cursor.DEFAULT_CURSOR);
}
} // GEN-LAST:event_btnFirmarMouseClicked
protected void createDatabaseRecord(EncryptedData ed) throws RuntimeException {
try (Connection conn = coreHelper.getConnection();
PreparedStatement ps =
conn.prepareStatement(coreHelper.getSql(conn.getMetaData(), "insert-id-path-name")); ) {
ps.setString(1, Base64.getEncoder().encodeToString(ed.getId()));
ps.setString(2, Base64.getEncoder().encodeToString(ed.getEncryptedPath()));
ps.setString(3, Base64.getEncoder().encodeToString(ed.getEncryptedName()));
if (1 != ps.executeUpdate()) {
throw new RuntimeException("Cannot insert data");
}
conn.commit();
} catch (SQLException e) {
throw new RuntimeException(e);
}
}
// Can be null? has default?
public KrbAsReq(
EncryptionKey pakey, // ok
KDCOptions options, // ok, new KDCOptions()
PrincipalName cname, // NO and must have realm
PrincipalName sname, // ok, krgtgt@CREALM
KerberosTime from, // ok
KerberosTime till, // ok, will use
KerberosTime rtime, // ok
int[] eTypes, // NO
HostAddresses addresses // ok
) throws KrbException, IOException {
if (options == null) {
options = new KDCOptions();
}
// check if they are valid arguments. The optional fields should be
// consistent with settings in KDCOptions. Mar 17 2000
if (options.get(KDCOptions.FORWARDED)
|| options.get(KDCOptions.PROXY)
|| options.get(KDCOptions.ENC_TKT_IN_SKEY)
|| options.get(KDCOptions.RENEW)
|| options.get(KDCOptions.VALIDATE)) {
// this option is only specified in a request to the
// ticket-granting server
throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
}
if (options.get(KDCOptions.POSTDATED)) {
// if (from == null)
// throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
} else {
if (from != null) from = null;
}
if (options.get(KDCOptions.RENEWABLE)) {
// if (rtime == null)
// throw new KrbException(Krb5.KRB_AP_ERR_REQ_OPTIONS);
} else {
if (rtime != null) rtime = null;
}
PAData[] paData = null;
if (pakey != null) {
PAEncTSEnc ts = new PAEncTSEnc();
byte[] temp = ts.asn1Encode();
EncryptedData encTs = new EncryptedData(pakey, temp, KeyUsage.KU_PA_ENC_TS);
paData = new PAData[1];
paData[0] = new PAData(Krb5.PA_ENC_TIMESTAMP, encTs.asn1Encode());
}
if (cname.getRealm() == null) {
throw new RealmException(Krb5.REALM_NULL, "default realm not specified ");
}
if (DEBUG) {
System.out.println(">>> KrbAsReq creating message");
}
// check to use addresses in tickets
if (addresses == null && Config.getInstance().useAddresses()) {
addresses = HostAddresses.getLocalAddresses();
}
if (sname == null) {
String realm = cname.getRealmAsString();
sname = PrincipalName.tgsService(realm, realm);
}
if (till == null) {
till = new KerberosTime(0); // Choose KDC maximum allowed
}
// enc-authorization-data and additional-tickets never in AS-REQ
KDCReqBody kdc_req_body =
new KDCReqBody(
options, cname, sname, from, till, rtime, Nonce.value(), eTypes, addresses, null, null);
asReqMessg = new ASReq(paData, kdc_req_body);
}
