1/* 2 * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26package com.sun.crypto.provider; 27 28import java.io.IOException; 29import java.io.Serializable; 30import java.security.Security; 31import java.security.Key; 32import java.security.PrivateKey; 33import java.security.Provider; 34import java.security.KeyFactory; 35import java.security.MessageDigest; 36import java.security.GeneralSecurityException; 37import java.security.NoSuchAlgorithmException; 38import java.security.NoSuchProviderException; 39import java.security.UnrecoverableKeyException; 40import java.security.AlgorithmParameters; 41import java.security.spec.PKCS8EncodedKeySpec; 42 43import javax.crypto.Cipher; 44import javax.crypto.CipherSpi; 45import javax.crypto.SecretKey; 46import javax.crypto.IllegalBlockSizeException; 47import javax.crypto.SealedObject; 48import javax.crypto.spec.*; 49import sun.security.x509.AlgorithmId; 50import sun.security.util.ObjectIdentifier; 51 52/** 53 * This class implements a protection mechanism for private keys. In JCE, we 54 * use a stronger protection mechanism than in the JDK, because we can use 55 * the <code>Cipher</code> class. 56 * Private keys are protected using the JCE mechanism, and are recovered using 57 * either the JDK or JCE mechanism, depending on how the key has been 58 * protected. This allows us to parse Sun's keystore implementation that ships 59 * with JDK 1.2. 60 * 61 * @author Jan Luehe 62 * 63 * 64 * @see JceKeyStore 65 */ 66 67final class KeyProtector { 68 69 // defined by SunSoft (SKI project) 70 private static final String PBE_WITH_MD5_AND_DES3_CBC_OID 71 = "1.3.6.1.4.1.42.2.19.1"; 72 73 // JavaSoft proprietary key-protection algorithm (used to protect private 74 // keys in the keystore implementation that comes with JDK 1.2) 75 private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; 76 77 private static final int SALT_LEN = 20; // the salt length 78 private static final int DIGEST_LEN = 20; 79 80 // the password used for protecting/recovering keys passed through this 81 // key protector 82 private char[] password; 83 84 KeyProtector(char[] password) { 85 if (password == null) { 86 throw new IllegalArgumentException("password can't be null"); 87 } 88 this.password = password; 89 } 90 91 /** 92 * Protects the given cleartext private key, using the password provided at 93 * construction time. 94 */ 95 byte[] protect(PrivateKey key) 96 throws Exception 97 { 98 // create a random salt (8 bytes) 99 byte[] salt = new byte[8]; 100 SunJCE.getRandom().nextBytes(salt); 101 102 // create PBE parameters from salt and iteration count 103 PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); 104 105 // create PBE key from password 106 PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); 107 SecretKey sKey = new PBEKey(pbeKeySpec, "PBEWithMD5AndTripleDES"); 108 pbeKeySpec.clearPassword(); 109 110 // encrypt private key 111 PBEWithMD5AndTripleDESCipher cipher; 112 cipher = new PBEWithMD5AndTripleDESCipher(); 113 cipher.engineInit(Cipher.ENCRYPT_MODE, sKey, pbeSpec, null); 114 byte[] plain = key.getEncoded(); 115 byte[] encrKey = cipher.engineDoFinal(plain, 0, plain.length); 116 117 // wrap encrypted private key in EncryptedPrivateKeyInfo 118 // (as defined in PKCS#8) 119 AlgorithmParameters pbeParams = 120 AlgorithmParameters.getInstance("PBE", SunJCE.getInstance()); 121 pbeParams.init(pbeSpec); 122 123 AlgorithmId encrAlg = new AlgorithmId 124 (new ObjectIdentifier(PBE_WITH_MD5_AND_DES3_CBC_OID), pbeParams); 125 return new EncryptedPrivateKeyInfo(encrAlg,encrKey).getEncoded(); 126 } 127 128 /* 129 * Recovers the cleartext version of the given key (in protected format), 130 * using the password provided at construction time. 131 */ 132 Key recover(EncryptedPrivateKeyInfo encrInfo) 133 throws UnrecoverableKeyException, NoSuchAlgorithmException 134 { 135 byte[] plain; 136 137 try { 138 String encrAlg = encrInfo.getAlgorithm().getOID().toString(); 139 if (!encrAlg.equals(PBE_WITH_MD5_AND_DES3_CBC_OID) 140 && !encrAlg.equals(KEY_PROTECTOR_OID)) { 141 throw new UnrecoverableKeyException("Unsupported encryption " 142 + "algorithm"); 143 } 144 145 if (encrAlg.equals(KEY_PROTECTOR_OID)) { 146 // JDK 1.2 style recovery 147 plain = recover(encrInfo.getEncryptedData()); 148 } else { 149 byte[] encodedParams = 150 encrInfo.getAlgorithm().getEncodedParams(); 151 152 // parse the PBE parameters into the corresponding spec 153 AlgorithmParameters pbeParams = 154 AlgorithmParameters.getInstance("PBE"); 155 pbeParams.init(encodedParams); 156 PBEParameterSpec pbeSpec = 157 pbeParams.getParameterSpec(PBEParameterSpec.class); 158 159 // create PBE key from password 160 PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); 161 SecretKey sKey = 162 new PBEKey(pbeKeySpec, "PBEWithMD5AndTripleDES"); 163 pbeKeySpec.clearPassword(); 164 165 // decrypt private key 166 PBEWithMD5AndTripleDESCipher cipher; 167 cipher = new PBEWithMD5AndTripleDESCipher(); 168 cipher.engineInit(Cipher.DECRYPT_MODE, sKey, pbeSpec, null); 169 plain=cipher.engineDoFinal(encrInfo.getEncryptedData(), 0, 170 encrInfo.getEncryptedData().length); 171 } 172 173 // determine the private-key algorithm, and parse private key 174 // using the appropriate key factory 175 String oidName = new AlgorithmId 176 (new PrivateKeyInfo(plain).getAlgorithm().getOID()).getName(); 177 KeyFactory kFac = KeyFactory.getInstance(oidName); 178 return kFac.generatePrivate(new PKCS8EncodedKeySpec(plain)); 179 180 } catch (NoSuchAlgorithmException ex) { 181 // Note: this catch needed to be here because of the 182 // later catch of GeneralSecurityException 183 throw ex; 184 } catch (IOException ioe) { 185 throw new UnrecoverableKeyException(ioe.getMessage()); 186 } catch (GeneralSecurityException gse) { 187 throw new UnrecoverableKeyException(gse.getMessage()); 188 } 189 } 190 191 /* 192 * Recovers the cleartext version of the given key (in protected format), 193 * using the password provided at construction time. This method implements 194 * the recovery algorithm used by Sun's keystore implementation in 195 * JDK 1.2. 196 */ 197 private byte[] recover(byte[] protectedKey) 198 throws UnrecoverableKeyException, NoSuchAlgorithmException 199 { 200 int i, j; 201 byte[] digest; 202 int numRounds; 203 int xorOffset; // offset in xorKey where next digest will be stored 204 int encrKeyLen; // the length of the encrpyted key 205 206 MessageDigest md = MessageDigest.getInstance("SHA"); 207 208 // Get the salt associated with this key (the first SALT_LEN bytes of 209 // <code>protectedKey</code>) 210 byte[] salt = new byte[SALT_LEN]; 211 System.arraycopy(protectedKey, 0, salt, 0, SALT_LEN); 212 213 // Determine the number of digest rounds 214 encrKeyLen = protectedKey.length - SALT_LEN - DIGEST_LEN; 215 numRounds = encrKeyLen / DIGEST_LEN; 216 if ((encrKeyLen % DIGEST_LEN) != 0) 217 numRounds++; 218 219 // Get the encrypted key portion and store it in "encrKey" 220 byte[] encrKey = new byte[encrKeyLen]; 221 System.arraycopy(protectedKey, SALT_LEN, encrKey, 0, encrKeyLen); 222 223 // Set up the byte array which will be XORed with "encrKey" 224 byte[] xorKey = new byte[encrKey.length]; 225 226 // Convert password to byte array, so that it can be digested 227 byte[] passwdBytes = new byte[password.length * 2]; 228 for (i=0, j=0; i<password.length; i++) { 229 passwdBytes[j++] = (byte)(password[i] >> 8); 230 passwdBytes[j++] = (byte)password[i]; 231 } 232 233 // Compute the digests, and store them in "xorKey" 234 for (i = 0, xorOffset = 0, digest = salt; 235 i < numRounds; 236 i++, xorOffset += DIGEST_LEN) { 237 md.update(passwdBytes); 238 md.update(digest); 239 digest = md.digest(); 240 md.reset(); 241 // Copy the digest into "xorKey" 242 if (i < numRounds - 1) { 243 System.arraycopy(digest, 0, xorKey, xorOffset, 244 digest.length); 245 } else { 246 System.arraycopy(digest, 0, xorKey, xorOffset, 247 xorKey.length - xorOffset); 248 } 249 } 250 251 // XOR "encrKey" with "xorKey", and store the result in "plainKey" 252 byte[] plainKey = new byte[encrKey.length]; 253 for (i = 0; i < plainKey.length; i++) { 254 plainKey[i] = (byte)(encrKey[i] ^ xorKey[i]); 255 } 256 257 // Check the integrity of the recovered key by concatenating it with 258 // the password, digesting the concatenation, and comparing the 259 // result of the digest operation with the digest provided at the end 260 // of <code>protectedKey</code>. If the two digest values are 261 // different, throw an exception. 262 md.update(passwdBytes); 263 java.util.Arrays.fill(passwdBytes, (byte)0x00); 264 passwdBytes = null; 265 md.update(plainKey); 266 digest = md.digest(); 267 md.reset(); 268 for (i = 0; i < digest.length; i++) { 269 if (digest[i] != protectedKey[SALT_LEN + encrKeyLen + i]) { 270 throw new UnrecoverableKeyException("Cannot recover key"); 271 } 272 } 273 return plainKey; 274 } 275 276 /** 277 * Seals the given cleartext key, using the password provided at 278 * construction time 279 */ 280 SealedObject seal(Key key) 281 throws Exception 282 { 283 // create a random salt (8 bytes) 284 byte[] salt = new byte[8]; 285 SunJCE.getRandom().nextBytes(salt); 286 287 // create PBE parameters from salt and iteration count 288 PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20); 289 290 // create PBE key from password 291 PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); 292 SecretKey sKey = new PBEKey(pbeKeySpec, "PBEWithMD5AndTripleDES"); 293 pbeKeySpec.clearPassword(); 294 295 // seal key 296 Cipher cipher; 297 298 PBEWithMD5AndTripleDESCipher cipherSpi; 299 cipherSpi = new PBEWithMD5AndTripleDESCipher(); 300 cipher = new CipherForKeyProtector(cipherSpi, SunJCE.getInstance(), 301 "PBEWithMD5AndTripleDES"); 302 cipher.init(Cipher.ENCRYPT_MODE, sKey, pbeSpec); 303 return new SealedObjectForKeyProtector(key, cipher); 304 } 305 306 /** 307 * Unseals the sealed key. 308 */ 309 Key unseal(SealedObject so) 310 throws NoSuchAlgorithmException, UnrecoverableKeyException 311 { 312 try { 313 // create PBE key from password 314 PBEKeySpec pbeKeySpec = new PBEKeySpec(this.password); 315 SecretKey skey = new PBEKey(pbeKeySpec, "PBEWithMD5AndTripleDES"); 316 pbeKeySpec.clearPassword(); 317 318 SealedObjectForKeyProtector soForKeyProtector = null; 319 if (!(so instanceof SealedObjectForKeyProtector)) { 320 soForKeyProtector = new SealedObjectForKeyProtector(so); 321 } else { 322 soForKeyProtector = (SealedObjectForKeyProtector)so; 323 } 324 AlgorithmParameters params = soForKeyProtector.getParameters(); 325 if (params == null) { 326 throw new UnrecoverableKeyException("Cannot get " + 327 "algorithm parameters"); 328 } 329 PBEWithMD5AndTripleDESCipher cipherSpi; 330 cipherSpi = new PBEWithMD5AndTripleDESCipher(); 331 Cipher cipher = new CipherForKeyProtector(cipherSpi, 332 SunJCE.getInstance(), 333 "PBEWithMD5AndTripleDES"); 334 cipher.init(Cipher.DECRYPT_MODE, skey, params); 335 return (Key)soForKeyProtector.getObject(cipher); 336 } catch (NoSuchAlgorithmException ex) { 337 // Note: this catch needed to be here because of the 338 // later catch of GeneralSecurityException 339 throw ex; 340 } catch (IOException ioe) { 341 throw new UnrecoverableKeyException(ioe.getMessage()); 342 } catch (ClassNotFoundException cnfe) { 343 throw new UnrecoverableKeyException(cnfe.getMessage()); 344 } catch (GeneralSecurityException gse) { 345 throw new UnrecoverableKeyException(gse.getMessage()); 346 } 347 } 348} 349 350 351final class CipherForKeyProtector extends javax.crypto.Cipher { 352 /** 353 * Creates a Cipher object. 354 * 355 * @param cipherSpi the delegate 356 * @param provider the provider 357 * @param transformation the transformation 358 */ 359 protected CipherForKeyProtector(CipherSpi cipherSpi, 360 Provider provider, 361 String transformation) { 362 super(cipherSpi, provider, transformation); 363 } 364} 365