Java tutorial
/* * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, * software distributed under the License is distributed on an * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY * KIND, either express or implied. See the License for the * specific language governing permissions and limitations * under the License. */ package org.apache.ofbiz.entity.util; import java.io.IOException; import java.security.Key; import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import java.util.Random; import java.util.concurrent.Callable; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; import org.apache.commons.codec.binary.Base64; import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.crypto.OperationMode; import org.apache.shiro.crypto.hash.DefaultHashService; import org.apache.shiro.crypto.hash.HashRequest; import org.apache.shiro.crypto.hash.HashService; import org.apache.ofbiz.base.crypto.DesCrypt; import org.apache.ofbiz.base.crypto.HashCrypt; import org.apache.ofbiz.base.util.Debug; import org.apache.ofbiz.base.util.GeneralException; import org.apache.ofbiz.base.util.StringUtil; import org.apache.ofbiz.base.util.UtilObject; import org.apache.ofbiz.base.util.UtilValidate; import org.apache.ofbiz.entity.Delegator; import org.apache.ofbiz.entity.EntityCryptoException; import org.apache.ofbiz.entity.GenericEntityException; import org.apache.ofbiz.entity.GenericValue; import org.apache.ofbiz.entity.model.ModelField.EncryptMethod; import org.apache.ofbiz.entity.transaction.TransactionUtil; public final class EntityCrypto { public static final String module = EntityCrypto.class.getName(); protected final Delegator delegator; protected final ConcurrentMap<String, byte[]> keyMap = new ConcurrentHashMap<String, byte[]>(); protected final StorageHandler[] handlers; public EntityCrypto(Delegator delegator, String kekText) throws EntityCryptoException { this.delegator = delegator; byte[] kek; kek = UtilValidate.isNotEmpty(kekText) ? Base64.decodeBase64(kekText) : null; handlers = new StorageHandler[] { new ShiroStorageHandler(kek), new SaltedBase64StorageHandler(kek), NormalHashStorageHandler, OldFunnyHashStorageHandler, }; } public void clearKeyCache() { keyMap.clear(); } /** Encrypts an Object into an encrypted hex encoded String */ @Deprecated public String encrypt(String keyName, Object obj) throws EntityCryptoException { return encrypt(keyName, EncryptMethod.TRUE, obj); } /** Encrypts an Object into an encrypted hex encoded String */ public String encrypt(String keyName, EncryptMethod encryptMethod, Object obj) throws EntityCryptoException { try { byte[] key = this.findKey(keyName, handlers[0]); if (key == null) { EntityCryptoException caught = null; try { this.createKey(keyName, handlers[0], encryptMethod); } catch (EntityCryptoException e) { // either a database read error, or a duplicate key insert // if the latter, try to fetch the value created by the // other thread. caught = e; } finally { try { key = this.findKey(keyName, handlers[0]); } catch (EntityCryptoException e) { // this is bad, couldn't lookup the value, some bad juju // is occurring; rethrow the original exception if available throw caught != null ? caught : e; } if (key == null) { // this is also bad, couldn't find any key throw caught != null ? caught : new EntityCryptoException( "could not lookup key (" + keyName + ") after creation"); } } } return handlers[0].encryptValue(encryptMethod, key, UtilObject.getBytes(obj)); } catch (GeneralException e) { throw new EntityCryptoException(e); } } // NOTE: this is definitely for debugging purposes only, do not uncomment in production server for security reasons: // if you uncomment this, then change the real decrypt method to _decrypt. /* public Object decrypt(String keyName, String encryptedString) throws EntityCryptoException { Object result = _decrypt(keyName, encryptedString); Debug.logInfo("Decrypted value [%s] to result: %s", module, encryptedString, decryptedObj); return result; } */ /** Decrypts a hex encoded String into an Object */ public Object decrypt(String keyName, EncryptMethod encryptMethod, String encryptedString) throws EntityCryptoException { try { return doDecrypt(keyName, encryptMethod, encryptedString, handlers[0]); } catch (GeneralException e) { Debug.logInfo( "Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", module); for (int i = 1; i < handlers.length; i++) { try { // try using the old/bad hex encoding approach; this is another path the code may take, ie if there is an exception thrown in decrypt return doDecrypt(keyName, encryptMethod, encryptedString, handlers[i]); } catch (GeneralException e1) { // NOTE: this throws the original exception back, not the new one if it fails using the other approach //throw new EntityCryptoException(e); } } throw new EntityCryptoException(e); } } protected Object doDecrypt(String keyName, EncryptMethod encryptMethod, String encryptedString, StorageHandler handler) throws GeneralException { byte[] key = this.findKey(keyName, handler); if (key == null) { throw new EntityCryptoException("key(" + keyName + ") not found in database"); } byte[] decryptedBytes = handler.decryptValue(key, encryptMethod, encryptedString); try { return UtilObject.getObjectException(decryptedBytes); } catch (ClassNotFoundException e) { throw new GeneralException(e); } catch (IOException e) { throw new GeneralException(e); } } protected byte[] findKey(String originalKeyName, StorageHandler handler) throws EntityCryptoException { String hashedKeyName = handler.getHashedKeyName(originalKeyName); String keyMapName = handler.getKeyMapPrefix(hashedKeyName) + hashedKeyName; if (keyMap.containsKey(keyMapName)) { return keyMap.get(keyMapName); } // it's ok to run the bulk of this method unlocked or // unprotected; since the same result will occur even if // multiple threads request the same key, there is no // need to protected this block of code. GenericValue keyValue = null; try { keyValue = EntityQuery.use(delegator).from("EntityKeyStore").where("keyName", hashedKeyName).queryOne(); } catch (GenericEntityException e) { throw new EntityCryptoException(e); } if (keyValue == null || keyValue.get("keyText") == null) { return null; } try { byte[] keyBytes = handler.decodeKeyBytes(keyValue.getString("keyText")); keyMap.putIfAbsent(keyMapName, keyBytes); // Do not remove the next line, it's there to handle the // case of multiple threads trying to find the same key // both threads will do the findOne call, only one will // succeed at the putIfAbsent, but both will then fetch // the same value with the following get(). return keyMap.get(keyMapName); } catch (GeneralException e) { throw new EntityCryptoException(e); } } protected void createKey(String originalKeyName, StorageHandler handler, EncryptMethod encryptMethod) throws EntityCryptoException { String hashedKeyName = handler.getHashedKeyName(originalKeyName); Key key = handler.generateNewKey(); final GenericValue newValue = delegator.makeValue("EntityKeyStore"); try { newValue.set("keyText", handler.encodeKey(key.getEncoded())); } catch (GeneralException e) { throw new EntityCryptoException(e); } newValue.set("keyName", hashedKeyName); try { TransactionUtil.doNewTransaction(new Callable<Void>() { public Void call() throws Exception { delegator.create(newValue); return null; } }, "storing encrypted key", 0, true); } catch (GenericEntityException e) { throw new EntityCryptoException(e); } } protected abstract static class StorageHandler { protected abstract Key generateNewKey() throws EntityCryptoException; protected abstract String getHashedKeyName(String originalKeyName); protected abstract String getKeyMapPrefix(String hashedKeyName); protected abstract byte[] decodeKeyBytes(String keyText) throws GeneralException; protected abstract String encodeKey(byte[] key) throws GeneralException; protected abstract byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException; protected abstract String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException; } protected static final class ShiroStorageHandler extends StorageHandler { private final HashService hashService; private final AesCipherService cipherService; private final AesCipherService saltedCipherService; private final byte[] kek; protected ShiroStorageHandler(byte[] kek) { hashService = new DefaultHashService(); cipherService = new AesCipherService(); cipherService.setMode(OperationMode.ECB); saltedCipherService = new AesCipherService(); this.kek = kek; } @Override protected Key generateNewKey() { return saltedCipherService.generateNewKey(); } @Override protected String getHashedKeyName(String originalKeyName) { HashRequest hashRequest = new HashRequest.Builder().setSource(originalKeyName).build(); return hashService.computeHash(hashRequest).toBase64(); } @Override protected String getKeyMapPrefix(String hashedKeyName) { return "{shiro}"; } @Override protected byte[] decodeKeyBytes(String keyText) throws GeneralException { byte[] keyBytes = Base64.decodeBase64(keyText); if (kek != null) { keyBytes = saltedCipherService.decrypt(keyBytes, kek).getBytes(); } return keyBytes; } @Override protected String encodeKey(byte[] key) throws GeneralException { if (kek != null) { return saltedCipherService.encrypt(key, kek).toBase64(); } else { return Base64.encodeBase64String(key); } } @Override protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException { switch (encryptMethod) { case SALT: return saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes(); default: return cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes(); } } @Override protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException { switch (encryptMethod) { case SALT: return saltedCipherService.encrypt(objBytes, key).toBase64(); default: return cipherService.encrypt(objBytes, key).toBase64(); } } } protected static abstract class LegacyStorageHandler extends StorageHandler { @Override protected Key generateNewKey() throws EntityCryptoException { try { return DesCrypt.generateKey(); } catch (NoSuchAlgorithmException e) { throw new EntityCryptoException(e); } } @Override protected byte[] decodeKeyBytes(String keyText) throws GeneralException { return StringUtil.fromHexString(keyText); } @Override protected String encodeKey(byte[] key) { return StringUtil.toHexString(key); } @Override protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException { return DesCrypt.decrypt(DesCrypt.getDesKey(key), StringUtil.fromHexString(encryptedString)); } @Override protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException { return StringUtil.toHexString(DesCrypt.encrypt(DesCrypt.getDesKey(key), objBytes)); } }; protected static final StorageHandler OldFunnyHashStorageHandler = new LegacyStorageHandler() { @Override protected String getHashedKeyName(String originalKeyName) { return HashCrypt.digestHashOldFunnyHex(null, originalKeyName); } @Override protected String getKeyMapPrefix(String hashedKeyName) { return "{funny-hash}"; } }; protected static final StorageHandler NormalHashStorageHandler = new LegacyStorageHandler() { @Override protected String getHashedKeyName(String originalKeyName) { return HashCrypt.digestHash("SHA", originalKeyName.getBytes()); } @Override protected String getKeyMapPrefix(String hashedKeyName) { return "{normal-hash}"; } }; protected static final class SaltedBase64StorageHandler extends StorageHandler { private final Key kek; protected SaltedBase64StorageHandler(byte[] kek) throws EntityCryptoException { Key key = null; if (kek != null) { try { key = DesCrypt.getDesKey(kek); } catch (GeneralException e) { Debug.logInfo( "Invalid key-encryption-key specified for SaltedBase64StorageHandler; the key is probably valid for the newer ShiroStorageHandler", module); } } this.kek = key; } @Override protected Key generateNewKey() throws EntityCryptoException { try { return DesCrypt.generateKey(); } catch (NoSuchAlgorithmException e) { throw new EntityCryptoException(e); } } @Override protected String getHashedKeyName(String originalKeyName) { return HashCrypt.digestHash64("SHA", originalKeyName.getBytes()); } @Override protected String getKeyMapPrefix(String hashedKeyName) { return "{salted-base64}"; } @Override protected byte[] decodeKeyBytes(String keyText) throws GeneralException { byte[] keyBytes = Base64.decodeBase64(keyText); if (kek != null) { keyBytes = DesCrypt.decrypt(kek, keyBytes); } return keyBytes; } @Override protected String encodeKey(byte[] key) throws GeneralException { if (kek != null) { key = DesCrypt.encrypt(kek, key); } return Base64.encodeBase64String(key); } @Override protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException { byte[] allBytes = DesCrypt.decrypt(DesCrypt.getDesKey(key), Base64.decodeBase64(encryptedString)); int length = allBytes[0]; byte[] objBytes = new byte[allBytes.length - 1 - length]; System.arraycopy(allBytes, 1 + length, objBytes, 0, objBytes.length); return objBytes; } @Override protected String encryptValue(EncryptMethod encryptMethod, byte[] key, byte[] objBytes) throws GeneralException { byte[] saltBytes; switch (encryptMethod) { case SALT: Random random = new SecureRandom(); // random length 5-16 saltBytes = new byte[5 + random.nextInt(11)]; random.nextBytes(saltBytes); break; default: saltBytes = new byte[0]; break; } byte[] allBytes = new byte[1 + saltBytes.length + objBytes.length]; allBytes[0] = (byte) saltBytes.length; System.arraycopy(saltBytes, 0, allBytes, 1, saltBytes.length); System.arraycopy(objBytes, 0, allBytes, 1 + saltBytes.length, objBytes.length); String result = Base64.encodeBase64String(DesCrypt.encrypt(DesCrypt.getDesKey(key), allBytes)); return result; } }; }