You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by sc...@apache.org on 2018/11/25 15:49:28 UTC
svn commit: r1847417 - in /tomcat/trunk:
java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
webapps/docs/changelog.xml
Author: schultz
Date: Sun Nov 25 15:49:28 2018
New Revision: 1847417
URL: http://svn.apache.org/viewvc?rev=1847417&view=rev
Log:
Add support for GCM block cipher mode.
Modified:
tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java?rev=1847417&r1=1847416&r2=1847417&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java (original)
+++ tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java Sun Nov 25 15:49:28 2018
@@ -25,6 +25,7 @@ import java.util.concurrent.ConcurrentLi
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
@@ -64,7 +65,7 @@ public class EncryptInterceptor extends
private String encryptionKeyString;
- private EncryptionManager encryptionManager;
+ private BaseEncryptionManager encryptionManager;
public EncryptInterceptor() {
}
@@ -300,7 +301,7 @@ public class EncryptInterceptor extends
return result;
}
- private static EncryptionManager createEncryptionManager(String algorithm,
+ private static BaseEncryptionManager createEncryptionManager(String algorithm,
byte[] encryptionKey, String providerName)
throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
if(null == encryptionKey)
@@ -328,29 +329,31 @@ public class EncryptInterceptor extends
}
// Note: ECB is not an appropriate mode for secure communications.
+ if("GCM".equalsIgnoreCase(algorithmMode))
+ return new GCMEncryptionManager(algorithm, new SecretKeySpec(encryptionKey, algorithmName), providerName);
+
if(!("CBC".equalsIgnoreCase(algorithmMode)
|| "OFB".equalsIgnoreCase(algorithmMode)
|| "CFB".equalsIgnoreCase(algorithmMode)))
throw new IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.unsupported-mode", algorithmMode));
- EncryptionManager mgr = new EncryptionManager(algorithm,
+ BaseEncryptionManager mgr = new BaseEncryptionManager(algorithm,
new SecretKeySpec(encryptionKey, algorithmName),
providerName);
return mgr;
}
- private static class EncryptionManager {
+ private static class BaseEncryptionManager {
/**
* The fully-specified algorithm e.g. AES/CBC/PKCS5Padding.
*/
private final String algorithm;
/**
- * The size of the initialization vector to use for encryption. This is
- * often, but not always, the same as the block size.
+ * The block size of the cipher.
*/
- private final int ivSize;
+ private final int blockSize;
/**
* The cryptographic provider name.
@@ -375,7 +378,7 @@ public class EncryptInterceptor extends
*/
private final ConcurrentLinkedQueue<SecureRandom> randomPool;
- public EncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName)
+ public BaseEncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName)
throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
this.algorithm = algorithm;
this.providerName = providerName;
@@ -383,7 +386,7 @@ public class EncryptInterceptor extends
cipherPool = new ConcurrentLinkedQueue<>();
Cipher cipher = createCipher();
- ivSize = cipher.getBlockSize();
+ blockSize = cipher.getBlockSize();
cipherPool.offer(cipher);
randomPool = new ConcurrentLinkedQueue<>();
}
@@ -402,8 +405,14 @@ public class EncryptInterceptor extends
return secretKey;
}
- private int getIVSize() {
- return ivSize;
+ /**
+ * Gets the size of the initialization vector for the cipher being used.
+ * The IV size is often, but not always, the block size for the cipher.
+ *
+ * @return The size of the initialization vector for this algorithm.
+ */
+ protected int getIVSize() {
+ return blockSize;
}
private String getProviderName() {
@@ -474,7 +483,7 @@ public class EncryptInterceptor extends
try {
cipher = getCipher();
- cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0, ivSize));
+ cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0, getIVSize()));
// Prepend the IV to the beginning of the encrypted data
byte[][] data = new byte[2][];
@@ -500,6 +509,7 @@ public class EncryptInterceptor extends
private byte[] decrypt(byte[] bytes) throws GeneralSecurityException {
Cipher cipher = null;
+ int ivSize = getIVSize();
AlgorithmParameterSpec IV = generateIV(bytes, 0, ivSize);
try {
@@ -539,4 +549,22 @@ public class EncryptInterceptor extends
return new IvParameterSpec(ivBytes, offset, length);
}
}
+
+ private static class GCMEncryptionManager extends BaseEncryptionManager
+ {
+ public GCMEncryptionManager(String algorithm, SecretKeySpec secretKey, String providerName)
+ throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
+ super(algorithm, secretKey, providerName);
+ }
+
+ @Override
+ protected int getIVSize() {
+ return 12;
+ }
+
+ @Override
+ protected AlgorithmParameterSpec generateIV(byte[] bytes, int offset, int length) {
+ return new GCMParameterSpec(128, bytes, offset, length);
+ }
+ }
}
Modified: tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java?rev=1847417&r1=1847416&r2=1847417&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java (original)
+++ tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java Sun Nov 25 15:49:28 2018
@@ -255,7 +255,6 @@ public class TestEncryptInterceptor {
}
@Test
- @Ignore("GCM mode is unsupported because it requires a custom initialization vector")
public void testGCM() throws Exception {
src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
src.start(Channel.SND_TX_SEQ);
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1847417&r1=1847416&r2=1847417&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Sun Nov 25 15:49:28 2018
@@ -163,6 +163,9 @@
Make EncryptInterceptor thread-safe. This makes this interceptor
actually usable. (schultz/markt)
</fix>
+ <add>
+ Add support for GCM mode to EncryptInterceptor. (schultz)
+ </add>
</changelog>
</subsection>
<subsection name="Other">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1847417 - in /tomcat/trunk:
java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
webapps/docs/changelog.xml
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
On 11/26/18 11:19, Christopher Schultz wrote:
> All,
>
> On 11/25/18 10:49, schultz@apache.org wrote:
>> Author: schultz Date: Sun Nov 25 15:49:28 2018 New Revision:
>> 1847417
>
>> URL: http://svn.apache.org/viewvc?rev=1847417&view=rev Log: Add
>> support for GCM block cipher mode.
>
> It's possible that GCM does not need to have the IV pre-pended to
> the output. I'm investigating...
Nope, it seems to be the same as with all the other modes.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlv8HrYACgkQHPApP6U8
pFjWsQ//YPARuzBBY/1oNmHoS9QIc8MBqD/nfLjXhy3aYMcjkwBMI3SXMJCg53wb
44tnS1tlPlKoKOzxJWFOVsZhlKbBqlXbzq9uWacPomtqHRf9MPJ7JCYyN1RhdF8I
0II47WA25DpFMI98x3uCCIlcVvaTHZFn0OIj2KM+jjwPauS1oDIZekRo6S25F0af
tfAwQyY3JhzVlxxLH6tdzeFtbIqYzch0rDZPgNYJCHJGIxDf/VDtIzdfHbXqNgYS
hzRDey19CtpNKt1yGjL4g4Wj7T4bmISxvG+wZB5gyH8wm5OZ6nJpQjd4Bw2dAhSd
Ns4qNIA2UIr3mlhBNR9BbzlKVNaYBzxcvDEgmqf1SCbTmcxwgNcwhPKonwRBL6xW
sTrK6RbHbJUJjSRicit2/gFarQFhnuCknI2f/9dJmwajRd6BP6o0Wtav8QxFai6t
dbW6x3Kk9iiz7flgr2p7SV0U12Grg6/dwmOzkeEYvQYstfvIQSdjDMtXmWPnqlwB
/oLYQNhHO7uOeCEhaQd+1eyYMc8JjRU8hCG5tQnvlTk2MJswyT6UqHO6yxz+ojpU
0a52GoE7qMkjqqBz8+nob5Apb56RXjYx03KnubBrL7ypaRIiE7wnkxPJp9QoQRwN
rQ1wdDsMdDDuk7fOTbZOeEJl3lqUp/tdFF2oe7hxjx+XtoOD7lU=
=JNhw
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1847417 - in /tomcat/trunk:
java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java
test/org/apache/catalina/tribes/group/interceptors/TestEncryptInterceptor.java
webapps/docs/changelog.xml
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
On 11/25/18 10:49, schultz@apache.org wrote:
> Author: schultz Date: Sun Nov 25 15:49:28 2018 New Revision:
> 1847417
>
> URL: http://svn.apache.org/viewvc?rev=1847417&view=rev Log: Add
> support for GCM block cipher mode.
It's possible that GCM does not need to have the IV pre-pended to the
output. I'm investigating...
- -chris
> Modified:
> tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp
tInterceptor.java
>
>
tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncr
yptInterceptor.java
> tomcat/trunk/webapps/docs/changelog.xml
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp
tInterceptor.java
>
>
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribe
s/group/interceptors/EncryptInterceptor.java?rev=1847417&r1=1847416&r2=1
847417&view=diff
> ======================================================================
========
>
>
- ---
tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/EncryptI
nterceptor.java
(original)
> +++
> tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/Encryp
tInterceptor.java
> Sun Nov 25 15:49:28 2018 @@ -25,6 +25,7 @@ import
> java.util.concurrent.ConcurrentLi
>
> import javax.crypto.Cipher; import
> javax.crypto.NoSuchPaddingException; +import
> javax.crypto.spec.GCMParameterSpec; import
> javax.crypto.spec.IvParameterSpec; import
> javax.crypto.spec.SecretKeySpec;
>
> @@ -64,7 +65,7 @@ public class EncryptInterceptor extends private
> String encryptionKeyString;
>
>
> - private EncryptionManager encryptionManager; + private
> BaseEncryptionManager encryptionManager;
>
> public EncryptInterceptor() { } @@ -300,7 +301,7 @@ public class
> EncryptInterceptor extends return result; }
>
> - private static EncryptionManager
> createEncryptionManager(String algorithm, + private static
> BaseEncryptionManager createEncryptionManager(String algorithm,
> byte[] encryptionKey, String providerName) throws
> NoSuchAlgorithmException, NoSuchPaddingException,
> NoSuchProviderException { if(null == encryptionKey) @@ -328,29
> +329,31 @@ public class EncryptInterceptor extends }
>
> // Note: ECB is not an appropriate mode for secure communications.
> + if("GCM".equalsIgnoreCase(algorithmMode)) +
> return new GCMEncryptionManager(algorithm, new
> SecretKeySpec(encryptionKey, algorithmName), providerName); +
> if(!("CBC".equalsIgnoreCase(algorithmMode) ||
> "OFB".equalsIgnoreCase(algorithmMode) ||
> "CFB".equalsIgnoreCase(algorithmMode))) throw new
> IllegalArgumentException(sm.getString("encryptInterceptor.algorithm.un
supported-mode",
> algorithmMode));
>
> - EncryptionManager mgr = new EncryptionManager(algorithm, +
> BaseEncryptionManager mgr = new BaseEncryptionManager(algorithm,
> new SecretKeySpec(encryptionKey, algorithmName), providerName);
>
> return mgr; }
>
> - private static class EncryptionManager { + private static
> class BaseEncryptionManager { /** * The fully-specified algorithm
> e.g. AES/CBC/PKCS5Padding. */ private final String algorithm;
>
> /** - * The size of the initialization vector to use for
> encryption. This is - * often, but not always, the same as
> the block size. + * The block size of the cipher. */ -
> private final int ivSize; + private final int blockSize;
>
> /** * The cryptographic provider name. @@ -375,7 +378,7 @@ public
> class EncryptInterceptor extends */ private final
> ConcurrentLinkedQueue<SecureRandom> randomPool;
>
> - public EncryptionManager(String algorithm, SecretKeySpec
> secretKey, String providerName) + public
> BaseEncryptionManager(String algorithm, SecretKeySpec secretKey,
> String providerName) throws NoSuchAlgorithmException,
> NoSuchPaddingException, NoSuchProviderException { this.algorithm =
> algorithm; this.providerName = providerName; @@ -383,7 +386,7 @@
> public class EncryptInterceptor extends
>
> cipherPool = new ConcurrentLinkedQueue<>(); Cipher cipher =
> createCipher(); - ivSize = cipher.getBlockSize(); +
> blockSize = cipher.getBlockSize(); cipherPool.offer(cipher);
> randomPool = new ConcurrentLinkedQueue<>(); } @@ -402,8 +405,14 @@
> public class EncryptInterceptor extends return secretKey; }
>
> - private int getIVSize() { - return ivSize; +
> /** + * Gets the size of the initialization vector for the
> cipher being used. + * The IV size is often, but not
> always, the block size for the cipher. + * + *
> @return The size of the initialization vector for this algorithm. +
> */ + protected int getIVSize() { + return
> blockSize; }
>
> private String getProviderName() { @@ -474,7 +483,7 @@ public class
> EncryptInterceptor extends
>
> try { cipher = getCipher(); -
> cipher.init(Cipher.ENCRYPT_MODE, getSecretKey(), generateIV(iv, 0,
> ivSize)); + cipher.init(Cipher.ENCRYPT_MODE,
> getSecretKey(), generateIV(iv, 0, getIVSize()));
>
> // Prepend the IV to the beginning of the encrypted data byte[][]
> data = new byte[2][]; @@ -500,6 +509,7 @@ public class
> EncryptInterceptor extends private byte[] decrypt(byte[] bytes)
> throws GeneralSecurityException { Cipher cipher = null;
>
> + int ivSize = getIVSize(); AlgorithmParameterSpec IV =
> generateIV(bytes, 0, ivSize);
>
> try { @@ -539,4 +549,22 @@ public class EncryptInterceptor extends
> return new IvParameterSpec(ivBytes, offset, length); } } + +
> private static class GCMEncryptionManager extends
> BaseEncryptionManager + { + public
> GCMEncryptionManager(String algorithm, SecretKeySpec secretKey,
> String providerName) + throws
> NoSuchAlgorithmException, NoSuchPaddingException,
> NoSuchProviderException { + super(algorithm, secretKey,
> providerName); + } + + @Override + protected
> int getIVSize() { + return 12; + } + +
> @Override + protected AlgorithmParameterSpec
> generateIV(byte[] bytes, int offset, int length) { +
> return new GCMParameterSpec(128, bytes, offset, length); +
> } + } }
>
> Modified:
> tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEn
cryptInterceptor.java
>
>
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/tribe
s/group/interceptors/TestEncryptInterceptor.java?rev=1847417&r1=1847416&
r2=1847417&view=diff
> ======================================================================
========
>
>
- ---
tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEncr
yptInterceptor.java
(original)
> +++
> tomcat/trunk/test/org/apache/catalina/tribes/group/interceptors/TestEn
cryptInterceptor.java
> Sun Nov 25 15:49:28 2018 @@ -255,7 +255,6 @@ public class
> TestEncryptInterceptor { }
>
> @Test - @Ignore("GCM mode is unsupported because it requires a
> custom initialization vector") public void testGCM() throws
> Exception { src.setEncryptionAlgorithm("AES/GCM/PKCS5Padding");
> src.start(Channel.SND_TX_SEQ);
>
> Modified: tomcat/trunk/webapps/docs/changelog.xml URL:
> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?r
ev=1847417&r1=1847416&r2=1847417&view=diff
>
>
========================================================================
======
> --- tomcat/trunk/webapps/docs/changelog.xml (original) +++
> tomcat/trunk/webapps/docs/changelog.xml Sun Nov 25 15:49:28 2018 @@
> -163,6 +163,9 @@ Make EncryptInterceptor thread-safe. This makes
> this interceptor actually usable. (schultz/markt) </fix> +
> <add> + Add support for GCM mode to EncryptInterceptor.
> (schultz) + </add> </changelog> </subsection> <subsection
> name="Other">
>
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlv8HRcACgkQHPApP6U8
pFiLXw/+Nm/GxTsI/9T71pG4y0ATdzrO4+TzXntnVoEesUzH7gU/NooA4iKz1877
VvhIDBdN15as7+8Gr3Za2iO35qIu8Lh5xUOqWqHU89kGrbzuwikoaqwdDziCPWVM
N7R09jgn070CbOTtAAHMuRYlZBnKorSZauAFrqI+tsQnghrb5FKC3IGh6PHhPzYf
D9XxAjF2YsZGbuWxuwB1vy4zvF4nSIzT5mOyW6qxFgT80Nd7TGG18P/VNBud6KFk
YYsMT6bWghy91CmWgn3F+AHZdHBlMMHfUDCmCSmAF4O8QXuu1tBzckIKW5fwkMhY
tpvFBQq90mqbadAT4r0lXRRRxRT3d1pgZdjsYWxG7+LMhfTx3xhPy+NT7PQefMHH
Su5VR7DK4Q939VwDr6wXSxeiPYxF1pSiH/JXUsvRy3z9GsdRSZAf/W3EmRY950pQ
A6LSbdoqGx372AxwQvM82pe2IrYlPQtC25b2EVjRMkpwDacBkpbNTV2U7Wk+G9/T
9ClQc87sEghNvCOwAPj13LunCfR0SVuNInfT7tgFWXsUyg779XIp4JGRN3rJmkl0
kiuRpMJRyaTDo/yzfH93kSFsL+MV7RN+crVyCTeebbUu0VAzRcAMOOqdabha+UYQ
rfmf+PJQG4FwsKr+CxqasMkJoUPzcScnZuzsS8Z0VtHUCxPwDfI=
=fLXO
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org