Posted to commits@camel.apache.org by co...@apache.org on 2018/12/18 17:18:02 UTC
[camel] branch master updated: Destroying some secret keys after
they're used
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/master by this push:
new 44dacd6 Destroying some secret keys after they're used
44dacd6 is described below
commit 44dacd6a5528c85c31c8a3de708ddeb0e7e4b52b
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Dec 18 17:17:24 2018 +0000
Destroying some secret keys after they're used
---
.../xmlsecurity/XMLSecurityDataFormat.java | 62 +++++++++++++++-------
1 file changed, 44 insertions(+), 18 deletions(-)
diff --git a/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java b/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
index 2f36e9f..7df78c9 100644
--- a/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
+++ b/components/camel-xmlsecurity/src/main/java/org/apache/camel/dataformat/xmlsecurity/XMLSecurityDataFormat.java
@@ -35,10 +35,10 @@ import java.util.Arrays;
import java.util.Map;
import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
-import javax.security.auth.Destroyable;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
@@ -486,7 +486,7 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
+ " ] exists in " + "the configured trust store.");
}
- Key dataEncryptionKey = generateDataEncryptionKey();
+ SecretKey dataEncryptionKey = generateDataEncryptionKey();
XMLCipher keyCipher;
if (null != this.getKeyCipherAlgorithm()) {
@@ -494,14 +494,21 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
} else {
keyCipher = XMLCipher.getInstance(XMLCipher.RSA_OAEP, null, digestAlgorithm);
}
-
+
keyCipher.init(XMLCipher.WRAP_MODE, keyEncryptionKey);
encrypt(exchange, document, stream, dataEncryptionKey, keyCipher, keyEncryptionKey);
+
+ // Clean the secret key from memory
+ try {
+ dataEncryptionKey.destroy();
+ } catch (javax.security.auth.DestroyFailedException ex) {
+ LOG.debug("Error destroying key: {}", ex.getMessage());
+ }
}
private void encryptSymmetric(Exchange exchange, Document document, OutputStream stream) throws Exception {
- Key keyEncryptionKey;
- Key dataEncryptionKey;
+ SecretKey keyEncryptionKey;
+ SecretKey dataEncryptionKey;
if (xmlCipherAlgorithm.equals(XMLCipher.TRIPLEDES)) {
keyEncryptionKey = generateKeyEncryptionKey("DESede");
dataEncryptionKey = generateDataEncryptionKey();
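Review bot: The `destroy()` call added after `encrypt(...)` in the asymmetric path is not in a `finally`, so when `encrypt` throws, the freshly generated data encryption key is never cleared. Wrapping the call as `try { encrypt(...); } finally { /* destroy dataEncryptionKey */ }` would cover the failure path as well. The same pattern recurs in the later hunks for `encryptSymmetric` and `decodeWithSymmetricKey`; in the latter the visible `throw ex;` leaves the method before the cleanup is reached. The enclosing method starts outside this hunk.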
@@ -520,6 +527,19 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
keyCipher.init(XMLCipher.WRAP_MODE, keyEncryptionKey);
encrypt(exchange, document, stream, dataEncryptionKey, keyCipher, keyEncryptionKey);
+
+ // Clean the secret keys from memory
+ try {
+ dataEncryptionKey.destroy();
+ } catch (javax.security.auth.DestroyFailedException ex) {
+ LOG.debug("Error destroying key: {}", ex.getMessage());
+ }
+
+ try {
+ keyEncryptionKey.destroy();
+ } catch (javax.security.auth.DestroyFailedException ex) {
+ LOG.debug("Error destroying key: {}", ex.getMessage());
+ }
}
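Review bot: The same try/destroy/catch block is now pasted four times across this commit, twice in this hunk alone; a small private helper would keep the cleanup policy in one place. It also gives one spot to handle two details. The default `Destroyable.destroy()` throws `DestroyFailedException`, so for key classes that do not override it nothing is cleared, and only the message is logged at debug level. A helper can also tolerate a null or already destroyed key. The start of `encryptSymmetric` is outside this hunk.

```java
// … unchanged: keyCipher.init(...) and encrypt(...) …
destroyQuietly(dataEncryptionKey);
destroyQuietly(keyEncryptionKey);

// new private helper in the same class
private void destroyQuietly(javax.security.auth.Destroyable key) {
    if (key == null || key.isDestroyed()) {
        return;
    }
    try {
        key.destroy();
    } catch (javax.security.auth.DestroyFailedException ex) {
        // Many key implementations inherit the default destroy(), which always throws
        LOG.debug("Error destroying key", ex);
    }
}
```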
@@ -527,10 +547,10 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
* Returns the private key for the specified alias, or null if the alias or private key is not found.
*/
// TODO Move this to a crypto utility class
- private Key getPrivateKey(KeyStore keystore, String alias, String password) throws Exception {
+ private PrivateKey getPrivateKey(KeyStore keystore, String alias, String password) throws Exception {
Key key = keystore.getKey(alias, password.toCharArray());
if (key instanceof PrivateKey) {
- return key;
+ return (PrivateKey)key;
} else {
return null;
}
@@ -607,7 +627,7 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
}
private Object decodeWithSymmetricKey(Exchange exchange, Document encodedDocument) throws Exception {
- Key keyEncryptionKey;
+ SecretKey keyEncryptionKey;
if (xmlCipherAlgorithm.equals(XMLCipher.TRIPLEDES)) {
keyEncryptionKey = generateKeyEncryptionKey("DESede");
} else {
@@ -625,6 +645,14 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
throw ex;
}
}
+
+ // Clean the secret key from memory
+ try {
+ keyEncryptionKey.destroy();
+ } catch (javax.security.auth.DestroyFailedException ex) {
+ LOG.debug("Error destroying key: {}", ex.getMessage());
+ }
+
return ret;
}
@@ -639,7 +667,7 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
throw new IllegalStateException("A key store must be defined for asymmetric key decryption.");
}
- Key keyEncryptionKey = getPrivateKey(this.keyStore, this.recipientKeyAlias,
+ PrivateKey keyEncryptionKey = getPrivateKey(this.keyStore, this.recipientKeyAlias,
this.keyPassword != null ? this.keyPassword : this.keyStorePassword);
Object ret = null;
try {
@@ -654,12 +682,10 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
}
// Clean the private key from memory
- if (keyEncryptionKey instanceof Destroyable) {
- try {
- ((Destroyable)keyEncryptionKey).destroy();
- } catch (javax.security.auth.DestroyFailedException ex) {
- LOG.debug("Error destroying private key: {}", ex.getMessage());
- }
+ try {
+ keyEncryptionKey.destroy();
+ } catch (javax.security.auth.DestroyFailedException ex) {
+ LOG.debug("Error destroying key: {}", ex.getMessage());
}
return ret;
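Review bot: Dropping the `instanceof Destroyable` guard also drops the implicit null check in front of `keyEncryptionKey.destroy()`. `getPrivateKey` is documented to return null when the alias or private key is not found, so unless the decryption code above (outside this hunk) always fails first, this line can raise a `NullPointerException` that hides the real cause. A guard such as `if (keyEncryptionKey != null && !keyEncryptionKey.isDestroyed())` around the `try` would keep the previous safety.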
@@ -721,11 +747,11 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
}
- private Key generateKeyEncryptionKey(String algorithm) throws
+ private SecretKey generateKeyEncryptionKey(String algorithm) throws
InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException {
DESedeKeySpec keySpec;
- Key secretKey;
+ SecretKey secretKey;
try {
if (algorithm.equalsIgnoreCase("DESede")) {
keySpec = new DESedeKeySpec(passPhrase);
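Review bot: `generateKeyEncryptionKey` builds the key from `passPhrase` on every call, so destroying the returned `SecretKey` in the callers does not remove that material from memory. `passPhrase` appears to be a field of the data format and would keep the same bytes for the object's lifetime. This limit is worth stating on the method, for example `// NOTE: the returned key is derived from passPhrase, which stays in memory after the key is destroyed`. The method body continues outside this hunk.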
@@ -752,7 +778,7 @@ public class XMLSecurityDataFormat extends ServiceSupport implements DataFormat,
return secretKey;
}
- private Key generateDataEncryptionKey() throws Exception {
+ private SecretKey generateDataEncryptionKey() throws Exception {
KeyGenerator keyGenerator = null;
if (xmlCipherAlgorithm.equalsIgnoreCase(XMLCipher.TRIPLEDES)) {
keyGenerator = KeyGenerator.getInstance("DESede");