authorEike Stepper2009-05-18 07:35:28 +0000
committerEike Stepper2009-05-18 07:35:28 +0000
commit823730077254bf97b96e3f1d57f409c1cd9360ea (patch)
treeddcda6664b9beb516e3b7b14ece471a0b334a47d
parent769a26d72f279502941688647c6898bc2f22f28d (diff)
downloadcdo-823730077254bf97b96e3f1d57f409c1cd9360ea.tar.gz
cdo-823730077254bf97b96e3f1d57f409c1cd9360ea.tar.xz
cdo-823730077254bf97b96e3f1d57f409c1cd9360ea.zip
[276627] Make salt and iteration count configurable for better security support
https://bugs.eclipse.org/bugs/show_bug.cgi?id=276627
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeNegotiator.java5
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeResponseNegotiator.java73
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/IUserManager.java8
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ResponseNegotiator.java5
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/SecurityUtil.java18
-rw-r--r--plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/UserManager.java10
-rw-r--r--plugins/org.eclipse.net4j/src/org/eclipse/net4j/connector/ConnectorCredentialsInjector.java10
7 files changed, 92 insertions, 37 deletions
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeNegotiator.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeNegotiator.java
index eb16e678ef..5f819291a4 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeNegotiator.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeNegotiator.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -94,7 +94,8 @@ public class ChallengeNegotiator extends ChallengeResponseNegotiator
{
try
{
- return userManager.encrypt(userID, token, getAlgorithmName());
+ return userManager.encrypt(userID, token, getEncryptionAlgorithmName(), getEncryptionSaltBytes(),
+ getEncryptionIterationCount());
}
catch (Exception ex)
{
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeResponseNegotiator.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeResponseNegotiator.java
index b9707edd45..0665b3308a 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeResponseNegotiator.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ChallengeResponseNegotiator.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -21,9 +21,22 @@ import java.nio.ByteBuffer;
public abstract class ChallengeResponseNegotiator extends
Negotiator<IChallengeResponse.State, IChallengeResponse.Event> implements IChallengeResponse
{
- public static final String DEFAULT_ALGORITHM_NAME = SecurityUtil.PBE_WITH_MD5_AND_DES;
+ /**
+ * @since 2.0
+ */
+ public static final byte[] DEFAULT_SALT = { (byte)0xc7, (byte)0x73, (byte)0x21, (byte)0x8c, (byte)0x7e, (byte)0xc8,
+ (byte)0xee, (byte)0x99 };
- private String algorithmName = DEFAULT_ALGORITHM_NAME;
+ /**
+ * @since 2.0
+ */
+ public static final int DEFAULT_COUNT = 20;
+
+ private String encryptionAlgorithmName = SecurityUtil.PBE_WITH_MD5_AND_DES;
+
+ private byte[] encryptionSaltBytes = DEFAULT_SALT;
+
+ private int encryptionIterationCount = DEFAULT_COUNT;
public ChallengeResponseNegotiator(boolean initiator)
{
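Review bot: `DEFAULT_SALT` is declared `public static final byte[]`, which exposes a mutable array: `final` pins the reference, not the contents, and since `encryptionSaltBytes` is initialised by alias to the very same array, any caller that writes into `ChallengeResponseNegotiator.DEFAULT_SALT` silently changes the salt of every negotiator still on the default. Keep the array private and hand out copies, e.g. `private static final byte[] DEFAULT_SALT = { ... };` with `public static byte[] getDefaultSalt() { return DEFAULT_SALT.clone(); }`, or at minimum initialise the field with `DEFAULT_SALT.clone()`. Both defaults are byte-for-byte the values this commit removes from SecurityUtil.encrypt (the same eight bytes and a count of 20), so a deployment that never calls the new setters gets exactly the old parameters; a Javadoc sentence on the two constants saying that they are meant to be overridden, and that challenge and response sides must be configured with identical values, would make that explicit. Separately, dropping the public `DEFAULT_ALGORITHM_NAME` constant here (and the one in ConnectorCredentialsInjector later in this commit) removes public API; keeping it as a `@Deprecated` alias of `SecurityUtil.PBE_WITH_MD5_AND_DES` would avoid breaking clients that reference it.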
@@ -90,24 +103,62 @@ public abstract class ChallengeResponseNegotiator extends
});
}
- public String getAlgorithmName()
+ /**
+ * @since 2.0
+ */
+ public String getEncryptionAlgorithmName()
+ {
+ return encryptionAlgorithmName;
+ }
+
+ /**
+ * @since 2.0
+ */
+ public void setEncryptionAlgorithmName(String encryptionAlgorithmName)
{
- return algorithmName;
+ this.encryptionAlgorithmName = encryptionAlgorithmName;
}
- public void setAlgorithmName(String algorithmName)
+ /**
+ * @since 2.0
+ */
+ public byte[] getEncryptionSaltBytes()
{
- this.algorithmName = algorithmName;
+ return encryptionSaltBytes;
+ }
+
+ /**
+ * @since 2.0
+ */
+ public void setEncryptionSaltBytes(byte[] encryptionSaltBytes)
+ {
+ this.encryptionSaltBytes = encryptionSaltBytes;
+ }
+
+ /**
+ * @since 2.0
+ */
+ public int getEncryptionIterationCount()
+ {
+ return encryptionIterationCount;
+ }
+
+ /**
+ * @since 2.0
+ */
+ public void setEncryptionIterationCount(int encryptionIterationCount)
+ {
+ this.encryptionIterationCount = encryptionIterationCount;
}
@Override
protected void doBeforeActivate() throws Exception
{
super.doBeforeActivate();
- if (algorithmName == null)
- {
- throw new IllegalStateException("algorithmName == null");
- }
+ checkState(encryptionAlgorithmName, "encryptionAlgorithmName");
+ checkState(encryptionSaltBytes, "encryptionSaltBytes");
+ checkState(encryptionSaltBytes.length > 0, "encryptionSaltBytes");
+ checkState(encryptionIterationCount > 0, "encryptionIterationCount");
}
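Review bot: `setEncryptionSaltBytes` stores the caller's array and `getEncryptionSaltBytes` returns the internal one, so the salt actually in use can be altered from outside the negotiator, including after `doBeforeActivate` has checked its length. Defensive copies on both sides close that: `this.encryptionSaltBytes = encryptionSaltBytes == null ? null : encryptionSaltBytes.clone();` in the setter and `return encryptionSaltBytes == null ? null : encryptionSaltBytes.clone();` in the getter. The `checkState` calls run only at activation, so a later `setEncryptionIterationCount(0)` (if the setters are reachable once active) is presumably only noticed when encryption fails; rejecting it in the setter with `if (encryptionIterationCount <= 0) throw new IllegalArgumentException("encryptionIterationCount <= 0");` reports the misconfiguration at the call site. The new accessors carry only `@since 2.0`; a one-line Javadoc on the salt and count setters stating that the challenge and response sides must be configured with the same values would help integrators.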
@Override
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/IUserManager.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/IUserManager.java
index 748dda9a85..7f22979609 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/IUserManager.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/IUserManager.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -19,5 +19,9 @@ public interface IUserManager
public void removeUser(String userID);
- public byte[] encrypt(String userID, byte[] data, String algorithmName) throws SecurityException;
+ /**
+ * @since 2.0
+ */
+ public byte[] encrypt(String userID, byte[] data, String algorithmName, byte[] salt, int count)
+ throws SecurityException;
}
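Review bot: The new `encrypt` signature carries only `@since 2.0` and says nothing about `salt` and `count`, even though callers of an interface method have no implementation to read. A Javadoc block along the lines of `@param salt the PBE salt; as far as the visible call sites show, both negotiators encrypt the same token, so it must match the value configured on the peer`, `@param count the PBE iteration count, likewise shared with the peer` and `@throws SecurityException` for the declared failure would do. Replacing the three-argument overload rather than adding the new one beside it also breaks every existing `IUserManager` implementation at compile time; if that is intended for 2.0, the Javadoc should say so.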
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ResponseNegotiator.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ResponseNegotiator.java
index 0295f71dbb..485bb76bf4 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ResponseNegotiator.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/ResponseNegotiator.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -90,7 +90,8 @@ public class ResponseNegotiator extends ChallengeResponseNegotiator
{
try
{
- return SecurityUtil.encrypt(token, password, getAlgorithmName());
+ return SecurityUtil.encrypt(token, password, getEncryptionAlgorithmName(), getEncryptionSaltBytes(),
+ getEncryptionIterationCount());
}
catch (RuntimeException ex)
{
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/SecurityUtil.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/SecurityUtil.java
index 3ae537eec1..d17c07f1b6 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/SecurityUtil.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/SecurityUtil.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -35,17 +35,13 @@ public final class SecurityUtil
{
}
- public static byte[] encrypt(byte[] data, char[] password, String algorithmName) throws NoSuchAlgorithmException,
- InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException,
- IllegalBlockSizeException, BadPaddingException
+ /**
+ * @since 2.0
+ */
+ public static byte[] encrypt(byte[] data, char[] password, String algorithmName, byte[] salt, int count)
+ throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidKeyException,
+ InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException
{
- // Salt
- final byte[] salt = { (byte)0xc7, (byte)0x73, (byte)0x21, (byte)0x8c, (byte)0x7e, (byte)0xc8, (byte)0xee,
- (byte)0x99 }; // TODO Make configurable
-
- // Iteration count
- final int count = 20; // TODO Make configurable
-
// Create PBE parameter set
PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, count);
PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
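Review bot: `encrypt` is public API and now accepts a caller-supplied `salt` and `count` without checking them: a null salt would surface only as a NullPointerException from inside `new PBEParameterSpec(salt, count)`, and a non-positive count is not rejected here at all. Adding `if (salt == null || salt.length == 0) throw new IllegalArgumentException("salt == null or empty");` and `if (count <= 0) throw new IllegalArgumentException("count <= 0");` at the top of the method reports misconfiguration at the boundary rather than from within the crypto provider; the negotiator's activation check covers only that one caller. The `@since 2.0` Javadoc should also describe the two parameters and note that they must be identical on both ends of the challenge/response exchange. The method body continues past the hunk.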
diff --git a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/UserManager.java b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/UserManager.java
index 6d2b0b8c3c..cda8eb9dc6 100644
--- a/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/UserManager.java
+++ b/plugins/org.eclipse.net4j.util/src/org/eclipse/net4j/util/security/UserManager.java
@@ -4,7 +4,7 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
@@ -42,7 +42,11 @@ public class UserManager extends Lifecycle implements IUserManager
}
}
- public byte[] encrypt(String userID, byte[] data, String algorithmName) throws SecurityException
+ /**
+ * @since 2.0
+ */
+ public byte[] encrypt(String userID, byte[] data, String algorithmName, byte[] salt, int count)
+ throws SecurityException
{
char[] password;
synchronized (this)
@@ -57,7 +61,7 @@ public class UserManager extends Lifecycle implements IUserManager
try
{
- return SecurityUtil.encrypt(data, password, algorithmName);
+ return SecurityUtil.encrypt(data, password, algorithmName, salt, count);
}
catch (RuntimeException ex)
{
diff --git a/plugins/org.eclipse.net4j/src/org/eclipse/net4j/connector/ConnectorCredentialsInjector.java b/plugins/org.eclipse.net4j/src/org/eclipse/net4j/connector/ConnectorCredentialsInjector.java
index 1092ac1d8d..a64dfa6896 100644
--- a/plugins/org.eclipse.net4j/src/org/eclipse/net4j/connector/ConnectorCredentialsInjector.java
+++ b/plugins/org.eclipse.net4j/src/org/eclipse/net4j/connector/ConnectorCredentialsInjector.java
@@ -4,17 +4,17 @@
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
* http://www.eclipse.org/legal/epl-v10.html
- *
+ *
* Contributors:
* Eike Stepper - initial API and implementation
*/
package org.eclipse.net4j.connector;
-import org.eclipse.net4j.util.security.ChallengeResponseNegotiator;
import org.eclipse.net4j.util.security.INegotiatorAware;
import org.eclipse.net4j.util.security.IPasswordCredentialsProvider;
import org.eclipse.net4j.util.security.ResponseNegotiator;
import org.eclipse.net4j.util.security.ResponseNegotiatorInjector;
+import org.eclipse.net4j.util.security.SecurityUtil;
/**
* Injects a configurable response negotiator into selected client connectors.
@@ -41,8 +41,6 @@ import org.eclipse.net4j.util.security.ResponseNegotiatorInjector;
*/
public class ConnectorCredentialsInjector extends ResponseNegotiatorInjector
{
- public static final String DEFAULT_ALGORITHM_NAME = ChallengeResponseNegotiator.DEFAULT_ALGORITHM_NAME;
-
private String connectorDescription;
/**
@@ -64,7 +62,7 @@ public class ConnectorCredentialsInjector extends ResponseNegotiatorInjector
*/
public ConnectorCredentialsInjector(String connectorDescription, IPasswordCredentialsProvider credentialsProvider)
{
- this(connectorDescription, credentialsProvider, DEFAULT_ALGORITHM_NAME);
+ this(connectorDescription, credentialsProvider, SecurityUtil.PBE_WITH_MD5_AND_DES);
}
@Override
@@ -98,7 +96,7 @@ public class ConnectorCredentialsInjector extends ResponseNegotiatorInjector
{
ResponseNegotiator negotiator = new ResponseNegotiator();
negotiator.setCredentialsProvider(credentialsProvider);
- negotiator.setAlgorithmName(algorithmName);
+ negotiator.setEncryptionAlgorithmName(algorithmName);
return negotiator;
}
}
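Review bot: `createNegotiator` sets only the credentials provider and the algorithm name on the new `ResponseNegotiator`, so the salt and iteration count this commit makes configurable remain at `DEFAULT_SALT`/`DEFAULT_COUNT` for every connector wired through this injector, and such a client cannot match a server whose ChallengeNegotiator uses non-default values. Unless the injector is extended elsewhere, adding salt and count fields (or a constructor overload) and calling `negotiator.setEncryptionSaltBytes(encryptionSaltBytes);` and `negotiator.setEncryptionIterationCount(encryptionIterationCount);` here would complete the feature. The enclosing method's signature is outside the hunk.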
