From dev-return-195078-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org Sun Nov 25 16:49:32 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 663FE180674 for ; Sun, 25 Nov 2018 16:49:31 +0100 (CET) Received: (qmail 92972 invoked by uid 500); 25 Nov 2018 15:49:30 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 92962 invoked by uid 99); 25 Nov 2018 15:49:30 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Nov 2018 15:49:30 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 9ABD13A0101 for ; Sun, 25 Nov 2018 15:49:29 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1847417 - in /tomcat/trunk: java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java webapps/docs/changelog.xml Date: Sun, 25 Nov 2018 15:49:28 -0000 To: dev@tomcat.apache.org 
From: schultz@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20181125154929.9ABD13A0101@svn01-us-west.apache.org> Author: schultz Date: Sun Nov 25 15:49:28 2018 New Revision: 1847417 URL: http://svn.apache.org/viewvc?rev=1847417&view=rev Log: Add support for GCM block cipher mode. Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java?rev=1847417&r1=1847416&r2=1847417&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java Sun Nov 25 15:49:28 2018 @@ -25,6 +25,7 @@ import java.util.concurrent.ConcurrentLi import javax.crypto.Cipher; import javax.crypto.NoSuchPaddingException; +import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; @@ -64,7 +65,7 @@ public class EncryptInterceptor extends private String encryptionKeyString; - private EncryptionManager encryptionManager; + private BaseEncryptionManager encryptionManager; public EncryptInterceptor() { } @@ -300,7 +301,7 @@ public class EncryptInterceptor extends return result; } - private static EncryptionManager createEncryptionManager(String algorithm, + private static BaseEncryptionManager createEncryptionManager(String algorithm, byte[] encryptionKey, String providerName) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException { if(null == encryptionKey) 
@@ -328,29 +329,31 @@ public class EncryptInterceptor extends } // Note: ECB is not an appropriate mode for secure communications. + if("GCM".equalsIgnoreCase(algorithmMode)) + return new GCMEncryptionManager(algorithm, new SecretKeySpec(encryptionKey, algorithmName), providerName); + if(!("CBC".equalsIgnoreCase(algorithmMode) || "OFB".equalsIgnoreCase(algorithmMode) || "CFB".equalsIgnoreCase(algorithmMode))) throw new IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported-mode", algorithmMode)); - EncryptionManager mgr = new EncryptionManager(algorithm, + BaseEncryptionManager mgr = new BaseEncryptionManager(algorithm, new SecretKeySpec(encryptionKey, algorithmName), providerName); return mgr; } - private static class EncryptionManager { + private static class BaseEncryptionManager { /** * The fully-specified algorithm e.g. AES/CBC/PKCS5Padding. */ private final String algorithm; /** - * The size of the initialization vector to use for encryption. This is - * often, but not always, the same as the block size. + * The block size of the cipher. */ - private final int ivSize; + private final int blockSize; /** * The cryptographic provider name. @@ -375,7 +378,7 @@ public class EncryptInterceptor extends */ private final ConcurrentLinkedQueue randomPool; - public EncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName) + public BaseEncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName) throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException { this.algorithm = algorithm; this.providerName = providerName; @@ -383,7 +386,7 @@ public class EncryptInterceptor extends cipherPool = new ConcurrentLinkedQueue<>(); Cipher cipher = createCipher(); - ivSize = cipher.getBlockSize(); + blockSize = cipher.getBlockSize(); cipherPool.offer(cipher); randomPool = new ConcurrentLinkedQueue<>(); } 
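Review bot: Nothing at the mode check in createEncryptionManager tells a reader that GCM is the only accepted mode that authenticates the ciphertext. CBC, OFB and CFB give confidentiality only, and no separate MAC is visible in this diff. I would extend the existing ECB remark with a comment such as `// GCM is the only supported mode that provides integrity; CBC/OFB/CFB ciphertext can be altered in transit without detection unless it is authenticated elsewhere.` The method starts outside this hunk, so any earlier validation of the transformation string is not visible here.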
@@ -402,8 +405,14 @@ public class EncryptInterceptor extends return secretKey; } - private int getIVSize() { - return ivSize; + /** + * Gets the size of the initialization vector for the cipher being used. + * The IV size is often, but not always, the block size for the cipher. + * + * @return The size of the initialization vector for this algorithm. + */ + protected int getIVSize() { + return blockSize; } private String getProviderName() { @@ -474,7 +483,7 @@ public class EncryptInterceptor extends try { cipher = getCipher(); - cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0, ivSize)); + cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0, getIVSize())); // Prepend the IV to the beginning of the encrypted data byte[][] data = new byte[2][]; @@ -500,6 +509,7 @@ public class EncryptInterceptor extends private byte[] decrypt(byte[] bytes) throws GeneralSecurityException { Cipher cipher = null; + int ivSize = getIVSize(); AlgorithmParameterSpec IV = generateIV(bytes, 0, ivSize); try { 
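Review bot: In decrypt, `generateIV(bytes, 0, ivSize)` runs on the incoming buffer with no check that it holds at least `ivSize` bytes. For a short buffer, both the IvParameterSpec and GCMParameterSpec constructors throw IllegalArgumentException, not the GeneralSecurityException that decrypt declares, so a truncated message (presumably data received from another cluster member) would bypass handlers written for the declared exception. A guard before that line would keep the failure on the declared path, for example `if (bytes.length < ivSize) throw new GeneralSecurityException("<message from the string manager>");`. decrypt's body continues outside the hunk, so a caller-side length check or a broader catch may already exist but is not visible here.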
@@ -539,4 +549,22 @@ public class EncryptInterceptor extends return new IvParameterSpec(ivBytes, offset, length); } } + + private static class GCMEncryptionManager extends BaseEncryptionManager + { + public GCMEncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName) + throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException { + super(algorithm, secretKey, providerName); + } + + @Override + protected int getIVSize() { + return 12; + } + + @Override + protected AlgorithmParameterSpec generateIV(byte[] bytes, int offset, int length) { + return new GCMParameterSpec(128, bytes, offset, length); + } + } } Modified: tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java?rev=1847417&r1=1847416&r2=1847417&view=diff ============================================================================== --- tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java (original) +++ tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java Sun Nov 25 15:49:28 2018 @@ -255,7 +255,6 @@ public class TestEncryptInterceptor { } @Test - @Ignore("GCM mode is unsupported because it requires a custom initialization vector") public void testGCM() throws Exception { src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding"); src.start(Channel.SND_TX_SEQ); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1847417&r1=1847416&r2=1847417&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sun Nov 25 15:49:28 2018 
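Review bot: GCMEncryptionManager hard-codes `12` and `128` with no explanation, and nothing documents the constraint GCM places on the IV: a (key, IV) pair must never repeat, because a repeat breaks both confidentiality and the authentication tag. I would name the values, e.g. `private static final int GCM_IV_BYTES = 12;` and `private static final int GCM_TAG_BITS = 128;`. I would also add a class comment saying that the IV is the 96-bit size recommended for GCM, and that a long-lived shared key used with randomly generated IVs should be rotated well before a collision becomes plausible. How the IV bytes are produced in encrypt is outside this hunk, so confirm they come from a cryptographically strong source. The `@Override` on generateIV also depends on the base method being overridable, and its declaration is not shown in the hunk.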
@@ -163,6 +163,9 @@ Make EncryptInterceptor thread-safe. This makes this interceptor actually usable. (schultz/markt) + + Add support for GCM mode to EncryptInterceptor. (schultz) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org