From ningji...@apache.org
Subject git commit: CAMEL-7083 Log a warning when default encryption keys used with thanks to Colm
Date Sun, 22 Dec 2013 03:45:51 GMT
Updated Branches:
  refs/heads/camel-2.11.x 54e8aae8b -> 38e2271a3


CAMEL-7083 Log a warning when default encryption keys used with thanks to Colm

Conflicts:
	components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java


Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/38e2271a
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/38e2271a
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/38e2271a

Branch: refs/heads/camel-2.11.x
Commit: 38e2271a3c743d20d059ab128afd83bc7b375d1d
Parents: 54e8aae
Author: Willem Jiang <willem.jiang@gmail.com>
Authored: Sun Dec 22 11:03:06 2013 +0800
Committer: Willem Jiang <willem.jiang@gmail.com>
Committed: Sun Dec 22 11:45:32 2013 +0800

----------------------------------------------------------------------
 .../shiro/security/ShiroSecurityTokenInjector.java     |  7 +++++++
 .../dataformat/xmlsecurity/XMLSecurityDataFormat.java  | 13 ++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/camel/blob/38e2271a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
----------------------------------------------------------------------
diff --git a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
index 9ced6dc..60292f3 100644
--- a/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
+++ b/components/camel-shiro/src/main/java/org/apache/camel/component/shiro/security/ShiroSecurityTokenInjector.java
@@ -27,8 +27,12 @@ import org.apache.camel.util.IOHelper;
 import org.apache.shiro.crypto.AesCipherService;
 import org.apache.shiro.crypto.CipherService;
 import org.apache.shiro.util.ByteSource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class ShiroSecurityTokenInjector implements Processor {
+    private static final Logger LOG = LoggerFactory.getLogger(ShiroSecurityTokenInjector.class);
+                                                              
     private final byte[] bits128 = {
         (byte) 0x08, (byte) 0x09, (byte) 0x0A, (byte) 0x0B,
         (byte) 0x0C, (byte) 0x0D, (byte) 0x0E, (byte) 0x0F,
@@ -57,6 +61,9 @@ public class ShiroSecurityTokenInjector implements Processor {
     }
 
     public ByteSource encrypt() throws Exception {
+        if (passPhrase == bits128) {
+            LOG.warn("Using the default encryption key is not secure");
+        }
         ByteArrayOutputStream stream = new ByteArrayOutputStream();
         ObjectOutput serialStream = new ObjectOutputStream(stream);
         try {
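Review bot: The new check in encrypt(), `if (passPhrase == bits128)`, compares array references, so the warning is skipped whenever passPhrase holds the same bytes in a different array, for example a copy of the default supplied through configuration. The XMLSecurityDataFormat change in this same commit compares contents, and the same form fits here: `if (Arrays.equals(passPhrase, bits128)) {` (java.util.Arrays needs importing if the file does not already have it). The warning is also emitted on every encrypt() call; logging it once where the pass phrase is assigned (presumably a constructor or setter, not shown here) would keep the signal without flooding the log. encrypt() continues past the end of this hunk.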

http://git-wip-us.apache.org/repos/asf/camel/blob/38e2271a/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
----------------------------------------------------------------------
diff --git a/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
b/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
index abca6bb..3766a78 100755
--- a/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
+++ b/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
@@ -40,6 +40,8 @@ import javax.crypto.spec.DESedeKeySpec;
 import javax.crypto.spec.SecretKeySpec;
 import javax.xml.transform.dom.DOMSource;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -97,7 +99,9 @@ public class XMLSecurityDataFormat implements DataFormat, CamelContextAware
{
      */
     @Deprecated
     public static final String XML_ENC_KEY_STORE_ALIAS = "CamelXmlEncryptionKeyAlias";
-        
+    
+    private static final Logger LOG = LoggerFactory.getLogger(XMLSecurityDataFormat.class);
+    private static final String DEFAULT_KEY = "Just another 24 Byte key";
 
     private String xmlCipherAlgorithm;
     private String keyCipherAlgorithm;
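Review bot: DEFAULT_KEY is declared as a String and turned into key bytes with `getBytes()` at both use sites (the constructor hunk and the key-generation hunk below), which uses the platform default charset, so the fallback key and the default-key comparison can differ between JVMs with different default encodings. Passing an explicit charset at both sites, e.g. `DEFAULT_KEY.getBytes(Charset.forName("UTF-8"))`, keeps the bytes stable. The constant would also benefit from a comment such as `// Fallback pass phrase published in the source; not a secret. A warning is logged when it is in use.`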
@@ -124,7 +128,7 @@ public class XMLSecurityDataFormat implements DataFormat, CamelContextAware
{
     public XMLSecurityDataFormat() {
         this.xmlCipherAlgorithm = XMLCipher.TRIPLEDES;
         // set a default pass phrase as its required
-        this.passPhrase = "Just another 24 Byte key".getBytes();
+        this.passPhrase = DEFAULT_KEY.getBytes();
         this.secureTag = "";
         this.secureTagContents = true;
 
@@ -630,10 +634,13 @@ public class XMLSecurityDataFormat implements DataFormat, CamelContextAware
{
             } else {
                 secretKey = new SecretKeySpec(passPhrase, "AES");
             }
+            if (Arrays.equals(passPhrase, DEFAULT_KEY.getBytes())) {
+                LOG.warn("Using the default encryption key is not secure");
+            }
         } catch (InvalidKeyException e) {
             throw new InvalidKeyException("InvalidKeyException due to invalid passPhrase:
" + Arrays.toString(passPhrase));
         } catch (NoSuchAlgorithmException e) {
-            throw new NoSuchAlgorithmException("NoSuchAlgorithmException while using XMLCipher.TRIPLEDES
algorithm: DESede");
+            throw new NoSuchAlgorithmException("NoSuchAlgorithmException while using algorithm:
" + algorithm);
         } catch (InvalidKeySpecException e) {
             throw new InvalidKeySpecException("Invalid Key generated while using passPhrase:
" + Arrays.toString(passPhrase));
         }
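Review bot: The InvalidKeyException and InvalidKeySpecException handlers next to the new default-key check still append `Arrays.toString(passPhrase)` to the exception message, so the raw key bytes reach any log or error report that prints the exception. Dropping the bytes and chaining the cause keeps the diagnostic value without exposing the key, e.g. `throw new InvalidKeyException("Invalid passPhrase for algorithm " + algorithm, e);`. The rewritten NoSuchAlgorithmException line likewise discards `e`; passing it as the second constructor argument would preserve the original stack trace. The enclosing method starts outside this hunk.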

