From: "Andrei Ionescu (JIRA)"
To: dev@click.apache.org
Date: Mon, 15 Mar 2010 19:05:27 +0000 (UTC)
Subject: [jira] Commented: (CLK-608) Add ClickUtils.encode(Object, byte[] key16) and ClickUtils.decode(String, byte[] key16)

    [ https://issues.apache.org/jira/browse/CLK-608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12845465#action_12845465 ]

Andrei Ionescu commented on CLK-608:
------------------------------------

Why not a better solution like: http://www.jcryption.org/

> Add ClickUtils.encode(Object, byte[] key16) and ClickUtils.decode(String, byte[] key16)
> ---------------------------------------------------------------------------------------
>
>                 Key: CLK-608
>                 URL: https://issues.apache.org/jira/browse/CLK-608
>             Project: Click
>          Issue Type: Improvement
>          Components: core
>            Reporter: Andrey Rybin
>            Priority: Minor
>
> ClickUtils has handy methods encode(Object) and decode(String), but it is possible for the client to corrupt our internal state in saved objects.
> If you also add encode(Object, byte[] key16) and ClickUtils.decode(String, byte[] key16), which will encipher the serialized, gzipped object before base64 encoding and decipher it after base64 decoding, then objects will be safe and we can store all sensitive information on the client side.
> Encipher/decipher are easy in Java:
>
> private static final String DEFAULT_CRYPT_ALGORITHM = "AES";
>
> public static byte[] encrypt (@NotNull final byte[] src, @NotNull final byte[] key16) throws IllegalArgumentException {
>   final Key sks = new SecretKeySpec(key16, DEFAULT_CRYPT_ALGORITHM);//throws IAE
>   try {
>     final Cipher cf = Cipher.getInstance(DEFAULT_CRYPT_ALGORITHM);
>     cf.init(Cipher.ENCRYPT_MODE, sks);
>     //byte[] out = cf.update(buf, 0, n);
>     return cf.doFinal(src);
>   } catch (Throwable e) {
>     throw new IllegalArgumentException("encrypt failed for "+ toHexString(key16) +'='+ sks, e);
>   }//t
> }//encrypt
>
> public static byte[] decrypt (@NotNull final byte[] src, @NotNull final byte[] key16) throws IllegalArgumentException {
>   final Key sks = new SecretKeySpec(key16, DEFAULT_CRYPT_ALGORITHM);//throws IAE
>   try {
>     final Cipher cf = Cipher.getInstance(DEFAULT_CRYPT_ALGORITHM);
>     cf.init(Cipher.DECRYPT_MODE, sks);
>     //byte[] out = cf.update(buf, 0, n);
>     return cf.doFinal(src);
>   } catch (Throwable e) {
>     throw new IllegalArgumentException("decrypt failed for "+ toHexString(key16) +'='+ sks, e);
>   }//t
> }//decrypt

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
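
Added example, not part of the original message or of Click's code: the quoted `Cipher.getInstance("AES")` resolves to AES/ECB/PKCS5Padding on the default SunJCE provider, which hides the bytes but does not detect modification, so it does not by itself stop a client from corrupting saved state. The sketch below uses AES-GCM so that decoding fails on any tampered token, and keeps key bytes out of error messages. The class `SealedState` and the methods `seal`/`open` are hypothetical names, and Java 8 or later is assumed for `java.util.Base64`.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper, not a ClickUtils API: seals client-held state with AES-GCM.
public final class SealedState {
    private static final int NONCE_LEN = 12;   // bytes, the usual GCM nonce size
    private static final int TAG_BITS = 128;   // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();
    // Returns base64url(nonce || ciphertext || tag); a fresh random nonce per call.
    public static String seal(byte[] plain, byte[] key16) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key16, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Throws AEADBadTagException if the token was modified or sealed under another key.
    public static byte[] open(String token, byte[] key16) throws GeneralSecurityException {
        byte[] in = Base64.getUrlDecoder().decode(token);
        if (in.length < NONCE_LEN + TAG_BITS / 8) throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key16, "AES"), new GCMParameterSpec(TAG_BITS, in, 0, NONCE_LEN));
        return c.doFinal(in, NONCE_LEN, in.length - NONCE_LEN);
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];               // constructed demo key; real keys stay server-side
        RNG.nextBytes(key);
        String token = seal("role=user".getBytes(StandardCharsets.UTF_8), key);
        System.out.println(new String(open(token, key), StandardCharsets.UTF_8));
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[NONCE_LEN] ^= 0x01;                  // simulate a client flipping one ciphertext bit
        try {
            open(Base64.getUrlEncoder().withoutPadding().encodeToString(raw), key);
        } catch (AEADBadTagException e) {
            System.out.println("tampered token rejected");
        }
    }
}
```

`Base64.getUrlDecoder().decode` throws `IllegalArgumentException` on malformed input, so a caller should treat that and any `GeneralSecurityException` alike as a rejected token.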