directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From erodrig...@apache.org
Subject svn commit: r521941 - in /directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared: crypto/checksum/ crypto/encryption/ service/
Date Fri, 23 Mar 2007 23:31:21 GMT
Author: erodriguez
Date: Fri Mar 23 16:31:20 2007
New Revision: 521941

URL: http://svn.apache.org/viewvc?view=rev&rev=521941
Log:
Changes to kerberos-shared library:
o  Refactored to use JDK JCE, replacing BouncyCastle library.
o  Removal of obsolete code.

Added:
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java
  (with props)
Removed:
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Crc32Checksum.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd4Checksum.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcMd4Encryption.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/DesStringToKey.java
Modified:
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ChecksumEngine.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd5Checksum.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Sha1Checksum.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcEncryption.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcEncryption.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngine.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngineFactory.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NullEncryption.java
    directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/LockBox.java

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ChecksumEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ChecksumEngine.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ChecksumEngine.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/ChecksumEngine.java
Fri Mar 23 16:31:20 2007
@@ -20,8 +20,10 @@
 package org.apache.directory.server.kerberos.shared.crypto.checksum;
 
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherType;
-import org.bouncycastle.crypto.Digest;
 
 
 /**
@@ -30,7 +32,7 @@
  */
 public abstract class ChecksumEngine
 {
-    public abstract Digest getDigest();
+    public abstract MessageDigest getDigest() throws NoSuchAlgorithmException;
 
 
     public abstract ChecksumType checksumType();
@@ -59,12 +61,14 @@
 
     public byte[] calculateChecksum( byte[] data )
     {
-        Digest digester = getDigest();
-
-        digester.reset();
-        digester.update( data, 0, data.length );
-        byte[] returnValue = new byte[digester.getDigestSize()];
-        digester.doFinal( returnValue, 0 );
-        return returnValue;
+        try
+        {
+            MessageDigest digester = getDigest();
+            return digester.digest( data );
+        }
+        catch ( NoSuchAlgorithmException nsae )
+        {
+            return null;
+        }
     }
 }

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd5Checksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd5Checksum.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd5Checksum.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/RsaMd5Checksum.java
Fri Mar 23 16:31:20 2007
@@ -20,9 +20,10 @@
 package org.apache.directory.server.kerberos.shared.crypto.checksum;
 
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherType;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.MD5Digest;
 
 
 /**
@@ -31,9 +32,9 @@
  */
 public class RsaMd5Checksum extends ChecksumEngine
 {
-    public Digest getDigest()
+    public MessageDigest getDigest() throws NoSuchAlgorithmException
     {
-        return new MD5Digest();
+        return MessageDigest.getInstance( "MD5" );
     }
 
 

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Sha1Checksum.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Sha1Checksum.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Sha1Checksum.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/checksum/Sha1Checksum.java
Fri Mar 23 16:31:20 2007
@@ -20,9 +20,10 @@
 package org.apache.directory.server.kerberos.shared.crypto.checksum;
 
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
 import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherType;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA1Digest;
 
 
 /**
@@ -31,9 +32,9 @@
  */
 public class Sha1Checksum extends ChecksumEngine
 {
-    public Digest getDigest()
+    public MessageDigest getDigest() throws NoSuchAlgorithmException
     {
-        return new SHA1Digest();
+        return MessageDigest.getInstance( "SHA1" );
     }
 
 

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcEncryption.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcEncryption.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcEncryption.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/Des3CbcEncryption.java
Fri Mar 23 16:31:20 2007
@@ -20,8 +20,9 @@
 package org.apache.directory.server.kerberos.shared.crypto.encryption;
 
 
-import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.engines.DESedeEngine;
+import java.security.GeneralSecurityException;
+
+import javax.crypto.Cipher;
 
 
 /**
@@ -30,9 +31,9 @@
  */
 public abstract class Des3CbcEncryption extends EncryptionEngine
 {
-    public BlockCipher getBlockCipher()
+    public Cipher getCipher() throws GeneralSecurityException
     {
-        return new DESedeEngine();
+        return Cipher.getInstance( "DESede/CBC/NoPadding" );
     }
 
 

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcEncryption.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcEncryption.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcEncryption.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcEncryption.java
Fri Mar 23 16:31:20 2007
@@ -20,8 +20,9 @@
 package org.apache.directory.server.kerberos.shared.crypto.encryption;
 
 
-import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.engines.DESEngine;
+import java.security.GeneralSecurityException;
+
+import javax.crypto.Cipher;
 
 
 /**
@@ -30,9 +31,9 @@
  */
 public abstract class DesCbcEncryption extends EncryptionEngine
 {
-    public BlockCipher getBlockCipher()
+    public Cipher getCipher() throws GeneralSecurityException
     {
-        return new DESEngine();
+        return Cipher.getInstance( "DES/CBC/NoPadding" );
     }
 
 

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngine.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngine.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngine.java
Fri Mar 23 16:31:20 2007
@@ -20,16 +20,22 @@
 package org.apache.directory.server.kerberos.shared.crypto.encryption;
 
 
+import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumEngine;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
+import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
+import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptedData;
 import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
-import org.bouncycastle.crypto.BlockCipher;
-import org.bouncycastle.crypto.modes.CBCBlockCipher;
-import org.bouncycastle.crypto.params.KeyParameter;
-import org.bouncycastle.crypto.params.ParametersWithIV;
 
 
 /**
@@ -44,7 +50,7 @@
     public abstract ChecksumEngine getChecksumEngine();
 
 
-    public abstract BlockCipher getBlockCipher();
+    public abstract Cipher getCipher() throws GeneralSecurityException;
 
 
     public abstract EncryptionType encryptionType();
@@ -71,10 +77,29 @@
     public abstract int keySize();
 
 
-    public byte[] getDecryptedData( EncryptionKey key, EncryptedData data )
+    public byte[] getDecryptedData( EncryptionKey key, EncryptedData data ) throws KerberosException
     {
         byte[] decryptedData = decrypt( data.getCipherText(), key.getKeyValue() );
 
+        // extract the old checksum
+        byte[] oldChecksum = new byte[checksumSize()];
+        System.arraycopy( decryptedData, confounderSize(), oldChecksum, 0, oldChecksum.length
);
+
+        // zero out the old checksum in the cipher text
+        for ( int i = confounderSize(); i < confounderSize() + checksumSize(); i++ )
+        {
+            decryptedData[i] = 0;
+        }
+
+        // calculate a new checksum
+        byte[] newChecksum = calculateChecksum( decryptedData );
+
+        // compare checksums
+        if ( !Arrays.equals( oldChecksum, newChecksum ) )
+        {
+            throw new KerberosException( ErrorType.KRB_AP_ERR_BAD_INTEGRITY );
+        }
+
         return removeBytes( decryptedData, confounderSize(), checksumSize() );
     }
 
@@ -102,13 +127,13 @@
 
     private byte[] encrypt( byte[] data, byte[] key )
     {
-        return processBlockCipher( true, data, key, null );
+        return processCipher( true, data, key );
     }
 
 
     private byte[] decrypt( byte[] data, byte[] key )
     {
-        return processBlockCipher( false, data, key, null );
+        return processCipher( false, data, key );
     }
 
 
@@ -194,39 +219,34 @@
     }
 
 
-    private byte[] processBlockCipher( boolean encrypt, byte[] data, byte[] key, byte[] ivec
)
+    private byte[] processCipher( boolean encrypt, byte[] data, byte[] keyBytes )
     {
-        byte[] returnData = new byte[data.length];
-        CBCBlockCipher cbcCipher = new CBCBlockCipher( getBlockCipher() );
-        KeyParameter keyParameter = new KeyParameter( key );
-
-        if ( ivec != null )
+        try
         {
-            ParametersWithIV kpWithIV = new ParametersWithIV( keyParameter, ivec );
-            cbcCipher.init( encrypt, kpWithIV );
-        }
-        else
-        {
-            cbcCipher.init( encrypt, keyParameter );
-        }
+            Cipher cipher = getCipher();
+            SecretKey key = new SecretKeySpec( keyBytes, "DES" );
 
-        int offset = 0;
-        int processedBytesLength = 0;
+            byte[] iv = new byte[]
+                { ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00, ( byte ) 0x00,
( byte ) 0x00,
+                    ( byte ) 0x00, ( byte ) 0x00 };
+            AlgorithmParameterSpec paramSpec = new IvParameterSpec( iv );
 
-        while ( offset < returnData.length )
-        {
-            try
+            if ( encrypt )
             {
-                processedBytesLength = cbcCipher.processBlock( data, offset, returnData,
offset );
-                offset += processedBytesLength;
+                cipher.init( Cipher.ENCRYPT_MODE, key, paramSpec );
             }
-            catch ( Exception e )
+            else
             {
-                e.printStackTrace();
-                break;
+                cipher.init( Cipher.DECRYPT_MODE, key, paramSpec );
             }
-        }
 
-        return returnData;
+            byte[] finalBytes = cipher.doFinal( data );
+
+            return finalBytes;
+        }
+        catch ( GeneralSecurityException nsae )
+        {
+            return null;
+        }
     }
 }

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngineFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngineFactory.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngineFactory.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/EncryptionEngineFactory.java
Fri Mar 23 16:31:20 2007
@@ -39,10 +39,6 @@
         {
             case 0:
                 return new NullEncryption();
-            case 1:
-                return new DesCbcCrcEncryption();
-            case 2:
-                return new DesCbcMd4Encryption();
             case 3:
                 return new DesCbcMd5Encryption();
             case 5:

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NullEncryption.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NullEncryption.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NullEncryption.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/NullEncryption.java
Fri Mar 23 16:31:20 2007
@@ -20,9 +20,10 @@
 package org.apache.directory.server.kerberos.shared.crypto.encryption;
 
 
+import javax.crypto.Cipher;
+
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumEngine;
 import org.apache.directory.server.kerberos.shared.crypto.checksum.ChecksumType;
-import org.bouncycastle.crypto.BlockCipher;
 
 
 /**
@@ -31,7 +32,7 @@
  */
 public class NullEncryption extends EncryptionEngine
 {
-    public BlockCipher getBlockCipher()
+    public Cipher getCipher() 
     {
         return null;
     }
@@ -91,7 +92,7 @@
     }
 
 
-    protected byte[] processBlockCipher( boolean encrypt, byte[] data, byte[] key, byte[]
ivec )
+    protected byte[] processCipher( boolean encrypt, byte[] data, byte[] key, byte[] ivec
)
     {
         return data;
     }

Modified: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/LockBox.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/LockBox.java?view=diff&rev=521941&r1=521940&r2=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/LockBox.java
(original)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/LockBox.java
Fri Mar 23 16:31:20 2007
@@ -28,8 +28,6 @@
 
 import org.apache.directory.server.kerberos.shared.crypto.encryption.Des3CbcMd5Encryption;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.Des3CbcSha1Encryption;
-import org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcCrcEncryption;
-import org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcMd4Encryption;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.DesCbcMd5Encryption;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionEngine;
 import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
@@ -81,7 +79,7 @@
 
     static
     {
-        Map map = new HashMap();
+        Map<Class, Class> map = new HashMap<Class, Class>();
 
         map.put( EncTicketPart.class, EncTicketPartEncoder.class );
         map.put( AuthenticationReply.class, EncAsRepPartEncoder.class );
@@ -94,7 +92,7 @@
 
     static
     {
-        Map map = new HashMap();
+        Map<Class, Class> map = new HashMap<Class, Class>();
 
         map.put( EncTicketPart.class, EncTicketPartDecoder.class );
         map.put( Authenticator.class, AuthenticatorDecoder.class );
@@ -107,10 +105,8 @@
 
     static
     {
-        Map map = new HashMap();
+        Map<EncryptionType, Class> map = new HashMap<EncryptionType, Class>();
 
-        map.put( EncryptionType.DES_CBC_CRC, DesCbcCrcEncryption.class );
-        map.put( EncryptionType.DES_CBC_MD4, DesCbcMd4Encryption.class );
         map.put( EncryptionType.DES_CBC_MD5, DesCbcMd5Encryption.class );
         map.put( EncryptionType.DES3_CBC_MD5, Des3CbcMd5Encryption.class );
         map.put( EncryptionType.DES3_CBC_SHA1, Des3CbcSha1Encryption.class );
@@ -119,6 +115,14 @@
     }
 
 
+    /**
+     * Performs an encode and an encrypt.
+     *
+     * @param key The key to use for encrypting.
+     * @param encodable The Kerberos object to encode.
+     * @return The Kerberos EncryptedData.
+     * @throws KerberosException
+     */
     public EncryptedData seal( EncryptionKey key, Encodable encodable ) throws KerberosException
     {
         try
@@ -136,6 +140,15 @@
     }
 
 
+    /**
+     * Perform a decrypt and a decode.
+     *
+     * @param hint The class the encrypted data is expected to contain.
+     * @param key The key to use for decryption.
+     * @param data The data to decrypt.
+     * @return The Kerberos object resulting from a successful decrypt and decode.
+     * @throws KerberosException
+     */
     public Encodable unseal( Class hint, EncryptionKey key, EncryptedData data ) throws KerberosException
     {
         try

Added: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java?view=auto&rev=521941
==============================================================================
--- directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java
(added)
+++ directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java
Fri Mar 23 16:31:20 2007
@@ -0,0 +1,143 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.kerberos.shared.service;
+
+
+import java.security.InvalidKeyException;
+import java.security.SecureRandom;
+
+import javax.crypto.SecretKey;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
+import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
+
+
+/**
+ * Generates new random keys, suitable for use as session keys.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class SessionKeyFactory
+{
+    /**
+     * SecureRandom.nextBytes() is synchronized, making this safe for static use.
+     */
+    private static final SecureRandom random = new SecureRandom();
+
+
+    /**
+     * Get a new random session key.
+     *
+     * @return The new random session key.
+     */
+    public static EncryptionKey getSessionKey()
+    {
+        // Only need 7 bytes.  With parity will result in 8 bytes.
+        byte[] raw = new byte[7];
+
+        // SecureRandom.nextBytes is already synchronized
+        random.nextBytes( raw );
+
+        byte[] keyBytes = addParity( raw );
+
+        try
+        {
+            // check for weakness
+            if ( DESKeySpec.isWeak( keyBytes, 0 ) )
+            {
+                keyBytes = getStrongKey( keyBytes );
+            }
+        }
+        catch ( InvalidKeyException ike )
+        {
+            /*
+             * Will only get here if the key is null or less
+             * than 8 bytes, which won't ever happen.
+             */
+            return null;
+        }
+
+        SecretKey key = new SecretKeySpec( keyBytes, "DES" );
+        byte[] subSessionKey = key.getEncoded();
+
+        return new EncryptionKey( EncryptionType.DES_CBC_MD5, subSessionKey );
+    }
+
+
+    /**
+     * Adds parity to 7-bytes to form an 8-byte DES key.
+     *
+     * @param sevenBytes
+     * @return The 8-byte DES key with parity.
+     */
+    static byte[] addParity( byte[] sevenBytes )
+    {
+        byte[] result = new byte[8];
+
+        // Keeps track of the bit position in the result.
+        int resultIndex = 1;
+
+        // Used to keep track of the number of 1 bits in each 7-bit chunk.
+        int bitCount = 0;
+
+        // Process each of the 56 bits.
+        for ( int i = 0; i < 56; i++ )
+        {
+            // Get the bit at bit position i
+            boolean bit = ( sevenBytes[6 - i / 8] & ( 1 << ( i % 8 ) ) ) > 0;
+
+            // If set, set the corresponding bit in the result.
+            if ( bit )
+            {
+                result[7 - resultIndex / 8] |= ( 1 << ( resultIndex % 8 ) ) & 0xFF;
+                bitCount++;
+            }
+
+            // Set the parity bit after every 7 bits.
+            if ( ( i + 1 ) % 7 == 0 )
+            {
+                if ( bitCount % 2 == 0 )
+                {
+                    // Set low-order bit (parity bit) if bit count is even.
+                    result[7 - resultIndex / 8] |= 1;
+                }
+                resultIndex++;
+                bitCount = 0;
+            }
+            resultIndex++;
+        }
+
+        return result;
+    }
+
+
+    /**
+     * Corrects the weak key by exclusive OR with 0xF0 constant.
+     */
+    private static byte[] getStrongKey( byte keyValue[] )
+    {
+        keyValue[7] ^= 0xf0;
+
+        return keyValue;
+    }
+}

Propchange: directory/apacheds/trunk/kerberos-shared/src/main/java/org/apache/directory/server/kerberos/shared/service/SessionKeyFactory.java
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message