cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf] 02/05: Destroy some secret keys when we're finished with them
Date Tue, 18 Dec 2018 14:23:27 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit edba137b08d8210411ba64403760d2a8de3de329
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Tue Dec 18 12:35:28 2018 +0000

    Destroy some secret keys when we're finished with them
---
 .../apache/cxf/rt/security/crypto/CryptoUtils.java | 17 +++++++++++++-
 .../apache/cxf/rt/security/crypto/HmacUtils.java   | 27 ++++++++++++++++++++--
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
index b3d2016..a5edd62 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java
@@ -49,6 +49,8 @@ import java.security.spec.ECPublicKeySpec;
 import java.security.spec.RSAPrivateCrtKeySpec;
 import java.security.spec.RSAPrivateKeySpec;
 import java.security.spec.RSAPublicKeySpec;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
@@ -56,8 +58,10 @@ import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.DestroyFailedException;
 
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.common.util.CompressionUtils;
@@ -70,6 +74,8 @@ import org.apache.cxf.helpers.JavaUtils;
  */
 public final class CryptoUtils {
 
+    private static final Logger LOG = LogUtils.getL7dLogger(CryptoUtils.class);
+
     private CryptoUtils() {
     }
 
@@ -485,9 +491,18 @@ public final class CryptoUtils {
                                        String keyAlgo,
                                        Key wrapperKey,
                                        KeyProperties wrapperKeyProps)  throws SecurityException
{
-        return wrapSecretKey(new SecretKeySpec(keyBytes, convertJCECipherToSecretKeyName(keyAlgo)),
+        SecretKeySpec secretKey = new SecretKeySpec(keyBytes, convertJCECipherToSecretKeyName(keyAlgo));
+        byte[] encryptedKey = wrapSecretKey(secretKey,
                              wrapperKey,
                              wrapperKeyProps);
+
+        // Here we're finished with the SecretKey we created, so we can destroy it
+        try {
+            secretKey.destroy();
+        } catch (DestroyFailedException e) {
+            LOG.log(Level.FINE, "Error destroying key: {}", e.getMessage());
+        }
+        return encryptedKey;
     }
 
     public static byte[] wrapSecretKey(Key secretKey,
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/HmacUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/HmacUtils.java
index 6dc85a2..43fc3eb 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/HmacUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/crypto/HmacUtils.java
@@ -26,16 +26,22 @@ import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
+import javax.security.auth.DestroyFailedException;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.Base64Utility;
 
 public final class HmacUtils {
 
+    private static final Logger LOG = LogUtils.getL7dLogger(CryptoUtils.class);
+
     private HmacUtils() {
 
     }
@@ -80,7 +86,16 @@ public final class HmacUtils {
     public static byte[] computeHmac(byte[] key, String macAlgoJavaName, AlgorithmParameterSpec
spec,
                                      String data) {
         Mac mac = getMac(macAlgoJavaName);
-        return computeHmac(new SecretKeySpec(key, mac.getAlgorithm()), mac, spec, data);
+        SecretKeySpec secretKey = new SecretKeySpec(key, mac.getAlgorithm());
+        byte[] digest = computeHmac(secretKey, mac, spec, data);
+
+        // Here we're finished with the SecretKey we created, so we can destroy it
+        try {
+            secretKey.destroy();
+        } catch (DestroyFailedException e) {
+            LOG.log(Level.FINE, "Error destroying key: {}", e.getMessage());
+        }
+        return digest;
     }
 
     public static byte[] computeHmac(String key, Mac hmac, String data) {
@@ -89,7 +104,15 @@ public final class HmacUtils {
 
     public static byte[] computeHmac(byte[] key, Mac hmac, String data) {
         SecretKeySpec secretKey = new SecretKeySpec(key, hmac.getAlgorithm());
-        return computeHmac(secretKey, hmac, data);
+        byte[] digest = computeHmac(secretKey, hmac, data);
+
+        // Here we're finished with the SecretKey we created, so we can destroy it
+        try {
+            secretKey.destroy();
+        } catch (DestroyFailedException e) {
+            LOG.log(Level.FINE, "Error destroying key: {}", e.getMessage());
+        }
+        return digest;
     }
 
     public static byte[] computeHmac(Key secretKey, Mac hmac, String data) {


Mime
View raw message