EncryptOpenSSLPass.java

  1. /*
  2.  * GovWay - A customizable API Gateway 
  3.  * https://govway.org
  4.  * 
  5.  * Copyright (c) 2005-2025 Link.it srl (https://link.it). 
  6.  * 
  7.  * This program is free software: you can redistribute it and/or modify
  8.  * it under the terms of the GNU General Public License version 3, as published by
  9.  * the Free Software Foundation.
  10.  *
  11.  * This program is distributed in the hope that it will be useful,
  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14.  * GNU General Public License for more details.
  15.  *
  16.  * You should have received a copy of the GNU General Public License
  17.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18.  *
  19.  */


  22. package org.openspcoop2.utils.security;

  24. import java.io.ByteArrayOutputStream;
  25. import java.security.MessageDigest;
  26. import java.util.Arrays;

  28. import javax.crypto.spec.IvParameterSpec;
  29. import javax.crypto.spec.SecretKeySpec;

  31. import org.apache.commons.lang.StringUtils;
  32. import org.openspcoop2.utils.UtilsException;
  33. import org.openspcoop2.utils.certificate.SymmetricKeyUtils;
  34. import org.openspcoop2.utils.io.Base64Utilities;
  35. import org.openspcoop2.utils.io.HexBinaryUtilities;
  36. import org.openspcoop2.utils.random.RandomUtilities;

  38. /** 
  39.  * EncryptOpenSSLPassw
  40.  *
  41.  * @author Poli Andrea (apoli@link.it)
  42.  * @author $Author$
  43.  * @version $Rev$, $Date$
  44.  */
  45. public class EncryptOpenSSLPass extends AbstractCipher {

  47.      /**
  48.       * 
  49.       * Openssl encrypts data using the following steps:
  50.       * 1. salt = 8-byte cryptographically-strong random number
  51.       * 2. key = messageDigest("sha256", password+salt)
  52.       * 3. iv = messageDigest(key+password+salt)[0,16)
  53.       * 4. cipherTextRaw = encrypt("aes256cbc", key, iv, textPlain)
  54.       * 5. cipherText = "Salted__"+salt+cipherTextRaw
  55.     */
  56.     public static CipherInfo buildCipherInfo(String password, String digestAlgoParam, OpenSSLEncryptionMode mode) throws UtilsException {
  57.         
  58.         CipherInfo cipherInfo = new CipherInfo();
  59.         
  60.         cipherInfo.setSalt(buildSalt());
  61.         
  62.         cipherInfo.setEncodedKey(buildSecretKey(password, cipherInfo.getSalt(), digestAlgoParam, mode));
  63.         cipherInfo.setKey(new SecretKeySpec(cipherInfo.getEncodedKey(), SymmetricKeyUtils.ALGO_AES));
  64.         
  65.         cipherInfo.setIv(buildIV(password, cipherInfo.getSalt(), cipherInfo.getEncodedKey(), digestAlgoParam));
  66.         cipherInfo.setIvParameterSpec(convertTo(cipherInfo.getIv()));
  67.         
  68.         return cipherInfo;
  69.     }
  70.     static byte[] buildSalt() throws UtilsException {
  71.         try {                
  72.             // Create salt
  73.             byte[] salt = new byte[8];
  74.             RandomUtilities.getSecureRandom().nextBytes(salt);
  75.             return salt;
  76.         }catch(Exception e) {
  77.             throw new UtilsException(e.getMessage(),e);
  78.         }
  79.     }
  80.     static byte[] buildSecretKey(String password, byte[] salt, String digestAlgoParam, OpenSSLEncryptionMode modeParam) throws UtilsException {
  81.         try {
  82.             // Create key
  83.             byte[] secretKeyClear = password.getBytes();
  84.             ByteArrayOutputStream bout = new ByteArrayOutputStream();
  85.             bout.write(secretKeyClear);
  86.             bout.write(salt);
  87.             bout.flush();
  88.             bout.close();
  89.             byte[]passAndSalt = bout.toByteArray();
  90.             
  91.             String digestAlgo = digestAlgoParam;
  92.             if(digestAlgoParam==null || StringUtils.isEmpty(digestAlgoParam)) {
  93.                 digestAlgo = "SHA-256";
  94.             }
  95.             MessageDigest md = MessageDigest.getInstance(digestAlgo);
  96.             byte[] key = md.digest(passAndSalt);
  97.             OpenSSLEncryptionMode mode = modeParam!=null ? modeParam : OpenSSLEncryptionMode.AES_256_CBC;
  98.             switch (mode) {
  99.             case AES_128_CBC:
  100.                 key = Arrays.copyOf(key, 16); // AES-128 richiede una chiave di 128 bit (16 byte).
  101.                 break;
  102.             case AES_192_CBC:
  103.                 key = Arrays.copyOf(key, 24); // AES-192 richiede una chiave di 192 bit (24 byte).
  104.                 break;
  105.             case AES_256_CBC:
  106.                 key = Arrays.copyOf(key, 32); // AES-256 richiede una chiave di 256 bit (32 byte). 
  107.                 break;
  108.             } 
  109.             return key;
  110.         }catch(Exception e) {
  111.             throw new UtilsException(e.getMessage(),e);
  112.         }
  113.     }
  114.     static byte[] buildIV(String password, byte[] salt, byte[]encodedKey, String digestAlgoParam) throws UtilsException {
  115.         try {
  116.             String digestAlgo = digestAlgoParam;
  117.             if(digestAlgoParam==null || StringUtils.isEmpty(digestAlgoParam)) {
  118.                 digestAlgo = "SHA-256";
  119.             }
  120.             MessageDigest md = MessageDigest.getInstance(digestAlgo);
  121.             
  122.             // Derive IV
  123.             ByteArrayOutputStream bout = new ByteArrayOutputStream();
  124.             bout.write(encodedKey);
  125.             bout.write(password.getBytes());
  126.             bout.write(salt);
  127.             bout.flush();
  128.             bout.close();
  129.             byte[] keyAndPassAndSalt = bout.toByteArray();
  130.                      
  131.             return Arrays.copyOfRange( md.digest(keyAndPassAndSalt), 0, 16);
  132.         }catch(Exception e) {
  133.             throw new UtilsException(e.getMessage(),e);
  134.         }
  135.     }
  136.     static IvParameterSpec convertTo(byte[] iv) {
  137.         return new IvParameterSpec(iv);
  138.     }

  140.     public static byte[] formatOutput(byte [] salt, byte [] cipherText) throws UtilsException {
  141.         try {
  142.             ByteArrayOutputStream bos = new ByteArrayOutputStream();
  143.             bos.writeBytes("Salted__".getBytes());
  144.             bos.writeBytes(salt);
  145.             bos.writeBytes(cipherText);
  146.             bos.flush();
  147.             bos.close();
  148.             return bos.toByteArray();
  149.         }catch(Exception e) {
  150.             throw new UtilsException(e.getMessage(),e);
  151.         }
  152.     }
  153.     
  154.     private static final String AES_CBC_PKCS5PADDING = "AES/CBC/PKCS5Padding";
  155.     
  156.     
  157.     private CipherInfo cipherInfo;
  158.     private OpenSSLEncryptionMode mode;
  159.     
  160.     public EncryptOpenSSLPass(String password) throws UtilsException {
  161.         this(password, null);
  162.     }
  163.     public EncryptOpenSSLPass(String password, OpenSSLEncryptionMode modeParam) throws UtilsException {
  164.         super(javax.crypto.Cipher.ENCRYPT_MODE);
  165.         this.mode = modeParam!=null ? modeParam : OpenSSLEncryptionMode.AES_256_CBC;
  166.         this.cipherInfo = buildCipherInfo(password, null, this.mode);
  167.         this.key = this.cipherInfo.getKey();
  168.         this.ivParameterSpec = this.cipherInfo.getIvParameterSpec();
  169.     }
  170.     
  171.     
  172.     static String getAlgorithm(OpenSSLEncryptionMode mode) throws UtilsException {
  173.         switch (mode) {
  174.         case AES_128_CBC:
  175.         case AES_192_CBC:
  176.         case AES_256_CBC:
  177.             return AES_CBC_PKCS5PADDING;
  178.         } 
  179.         throw new UtilsException("Unsupported mode");
  180.     }
  181.     
  182.     public byte[] encrypt(String data, String charsetName) throws UtilsException{
  183.         return formatOutput(this.cipherInfo.getSalt(), super.process(data, charsetName, getAlgorithm(this.mode)));
  184.     }
  185.     public byte[] encrypt(byte[] data) throws UtilsException{
  186.         return formatOutput(this.cipherInfo.getSalt(), super.process(data, getAlgorithm(this.mode)));
  187.     }
  188.     
  189.     public byte[] encryptBase64(String data, String charsetName) throws UtilsException{
  190.         return Base64Utilities.encode(this.encrypt(data, charsetName));
  191.     }
  192.     public byte[] encryptBase64(byte[] data) throws UtilsException{
  193.         return Base64Utilities.encode(this.encrypt(data));
  194.     }
  195.     
  196.     public String encryptBase64AsString(String data, String charsetName) throws UtilsException{
  197.         return Base64Utilities.encodeAsString(this.encrypt(data, charsetName));
  198.     }
  199.     public String encryptBase64AsString(byte[] data) throws UtilsException{
  200.         return Base64Utilities.encodeAsString(this.encrypt(data));
  201.     }
  202.     
  203.     public char[] encryptHexBinary(String data, String charsetName) throws UtilsException{
  204.         return HexBinaryUtilities.encode(this.encrypt(data, charsetName));
  205.     }
  206.     public char[] encryptHexBinary(byte[] data) throws UtilsException{
  207.         return HexBinaryUtilities.encode(this.encrypt(data));
  208.     }
  209.     
  210.     public String encryptHexBinaryAsString(String data, String charsetName) throws UtilsException{
  211.         return HexBinaryUtilities.encodeAsString(this.encrypt(data, charsetName));
  212.     }
  213.     public String encryptHexBinaryAsString(byte[] data) throws UtilsException{
  214.         return HexBinaryUtilities.encodeAsString(this.encrypt(data));
  215.     }
  216.     
  217.     @Override
  218.     public void initIV(String algorithm) throws UtilsException{
  219.         // NOP
  220.         // Non deve fare nulla questa chiamata, viene gestita dalla funzione sopra l'IV
  221.     }
  222. }
Created with JaCoCo 0.8.8.202204050719