Posted to user@shiro.apache.org by Luke Biddell <lu...@gmail.com> on 2011/05/06 22:47:49 UTC

AES, JVMs and JCE providers

I've been looking around without success and was hoping you chaps
could confirm a few questions.

I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
would want it to work successfully between the Oracle (Sun) JVM and
OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
version I can download the unlimited jurisdiction files and put them
in place using Opscode Chef. I can't find any info around 256bit AES
and OpenJDK.

Would it also be better to use BouncyCastle across both VMs to isolate
myself from possible differences in the JCE? I realise it's an
algorithm but I just wanted to check.

How do I go about using Shiro with 256bit AES assuming this is possible?

Apologies if I've missed something in the docs.

Luke

Re: AES, JVMs and JCE providers

Posted by Luke Biddell <lu...@gmail.com>.
I used OWASP ESAPI to generate a key, they have a command line tool to
help do that.

I trawled their source code and for PBE based algs they use "PBE" for
the key generation.


On 12 May 2011 18:24, Les Hazlewood <lh...@apache.org> wrote:
> Hi Luke,
>
> Thanks for sharing this - I'm sure it will help others.
>
> As for the PBE alg for key generation - I'm not sure off the top of my
> head.  What did you end up doing?
>
> Cheers,
>
> Les
>
> On Mon, May 9, 2011 at 3:35 AM, Luke Biddell <lu...@gmail.com> wrote:
>> Hi Les,
>>
>> I've got the BC stuff working nicely. Thought I'd post my test code
>> here to help others.
>>
>>        Security.addProvider(new BouncyCastleProvider());
>>        final DefaultBlockCipherService dbcs = new DefaultBlockCipherService("PBEWITHSHA256AND256BITAES-CBC-BC");
>>        dbcs.setKeySize(256);
>>        final byte[] key = Base64.decode("2R2WYJFdwYs0kqpkXhAjZnVP5mbNlvcRpcx9DI86A14=");
>>        ByteSource bs = dbcs.encrypt("blahblahblahblahblah".getBytes("UTF-8"), key);
>>        System.out.println(bs.toBase64());
>>        bs = dbcs.decrypt(bs.getBytes(), key);
>>        System.out.println(new String(bs.getBytes(), "UTF-8"));
>>        System.out.println(Base64.encodeToString(dbcs.generateNewKey().getEncoded()));
>>
>> All works just fine apart from the call to generateNewKey(), I get an exception:
>>
>>
>> java.security.NoSuchAlgorithmException: PBEWITHSHA256AND256BITAES-CBC-BC KeyGenerator not available
>>        at javax.crypto.KeyGenerator.<init>(DashoA13*..)
>>        at javax.crypto.KeyGenerator.getInstance(DashoA13*..)
>>        at org.apache.shiro.crypto.AbstractSymmetricCipherService.generateNewKey(AbstractSymmetricCipherService.java:56)
>>        ... 2 more
>>
>>
>> As I understand it, PBE based algs are a special case and you just
>> have to use "PBE" as the alg to the key generation?
>>
>> Luke
>>
>>
>>
>>
>> On 7 May 2011 00:18, Les Hazlewood <lh...@apache.org> wrote:
>>> You too!
>>>
>>> On Fri, May 6, 2011 at 4:15 PM, Luke Biddell <lu...@gmail.com> wrote:
>>>> I'll give it a go, thanks for the prompt help Les.
>>>>
>>>> Have a great weekend.
>>>>
>>>> Luke
>>>>
>>>> On 7 May 2011 00:10, Les Hazlewood <lh...@apache.org> wrote:
>>>>> Hi Luke,
>>>>>
>>>>> The AesCipherService is basically a pre-configured
>>>>> DefaultBlockCipherService.  You can instantiate
>>>>> DefaultBlockCipherService directly, set the JavaBean properties you
>>>>> want, and you should be good (assuming you've set BouncyCastle as the
>>>>> provider).
>>>>>
>>>>> HTH,
>>>>>
>>>>> Les
>>>>>
>>>>> On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
>>>>>> Ok, so I've just read the javadoc around AesCipherService and can see
>>>>>> setKeySize and setBlockSize. Sorry about that.
>>>>>>
>>>>>> If I decide to use Bouncy Castle I presume I just need to derive a
>>>>>> class from AesCipherService and call the super with
>>>>>> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
>>>>>> Security.addProvider)?
>>>>>>
>>>>>> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>>>>>>> I've been looking around without success and was hoping you chaps
>>>>>>> could confirm a few questions.
>>>>>>>
>>>>>>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>>>>>>> would want it to work successfully between the Oracle (Sun) JVM and
>>>>>>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>>>>>>> version I can download the unlimited jurisdiction files and put them
>>>>>>> in place using Opscode Chef. I can't find any info around 256bit AES
>>>>>>> and OpenJDK.
>>>>>>>
>>>>>>> Would it also be better to use BouncyCastle across both VMs to isolate
>>>>>>> myself from possible differences in the JCE? I realise it's an
>>>>>>> algorithm but I just wanted to check.
>>>>>>>
>>>>>>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>>>>>>
>>>>>>> Apologies if I've missed something in the docs.
>>>>>>>
>>>>>>> Luke
>

Re: AES, JVMs and JCE providers

Posted by Les Hazlewood <lh...@apache.org>.
Hi Luke,

Thanks for sharing this - I'm sure it will help others.

As for the PBE alg for key generation - I'm not sure off the top of my
head.  What did you end up doing?

Cheers,

Les

On Mon, May 9, 2011 at 3:35 AM, Luke Biddell <lu...@gmail.com> wrote:
> Hi Les,
>
> I've got the BC stuff working nicely. Thought I'd post my test code
> here to help others.
>
>        Security.addProvider(new BouncyCastleProvider());
>        final DefaultBlockCipherService dbcs = new DefaultBlockCipherService("PBEWITHSHA256AND256BITAES-CBC-BC");
>        dbcs.setKeySize(256);
>        final byte[] key = Base64.decode("2R2WYJFdwYs0kqpkXhAjZnVP5mbNlvcRpcx9DI86A14=");
>        ByteSource bs = dbcs.encrypt("blahblahblahblahblah".getBytes("UTF-8"), key);
>        System.out.println(bs.toBase64());
>        bs = dbcs.decrypt(bs.getBytes(), key);
>        System.out.println(new String(bs.getBytes(), "UTF-8"));
>        System.out.println(Base64.encodeToString(dbcs.generateNewKey().getEncoded()));
>
> All works just fine apart from the call to generateNewKey(), I get an exception:
>
>
> java.security.NoSuchAlgorithmException: PBEWITHSHA256AND256BITAES-CBC-BC KeyGenerator not available
>        at javax.crypto.KeyGenerator.<init>(DashoA13*..)
>        at javax.crypto.KeyGenerator.getInstance(DashoA13*..)
>        at org.apache.shiro.crypto.AbstractSymmetricCipherService.generateNewKey(AbstractSymmetricCipherService.java:56)
>        ... 2 more
>
>
> As I understand it, PBE based algs are a special case and you just
> have to use "PBE" as the alg to the key generation?
>
> Luke
>
>
>
>
> On 7 May 2011 00:18, Les Hazlewood <lh...@apache.org> wrote:
>> You too!
>>
>> On Fri, May 6, 2011 at 4:15 PM, Luke Biddell <lu...@gmail.com> wrote:
>>> I'll give it a go, thanks for the prompt help Les.
>>>
>>> Have a great weekend.
>>>
>>> Luke
>>>
>>> On 7 May 2011 00:10, Les Hazlewood <lh...@apache.org> wrote:
>>>> Hi Luke,
>>>>
>>>> The AesCipherService is basically a pre-configured
>>>> DefaultBlockCipherService.  You can instantiate
>>>> DefaultBlockCipherService directly, set the JavaBean properties you
>>>> want, and you should be good (assuming you've set BouncyCastle as the
>>>> provider).
>>>>
>>>> HTH,
>>>>
>>>> Les
>>>>
>>>> On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
>>>>> Ok, so I've just read the javadoc around AesCipherService and can see
>>>>> setKeySize and setBlockSize. Sorry about that.
>>>>>
>>>>> If I decide to use Bouncy Castle I presume I just need to derive a
>>>>> class from AesCipherService and call the super with
>>>>> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
>>>>> Security.addProvider)?
>>>>>
>>>>> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>>>>>> I've been looking around without success and was hoping you chaps
>>>>>> could confirm a few questions.
>>>>>>
>>>>>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>>>>>> would want it to work successfully between the Oracle (Sun) JVM and
>>>>>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>>>>>> version I can download the unlimited jurisdiction files and put them
>>>>>> in place using Opscode Chef. I can't find any info around 256bit AES
>>>>>> and OpenJDK.
>>>>>>
>>>>>> Would it also be better to use BouncyCastle across both VMs to isolate
>>>>>> myself from possible differences in the JCE? I realise it's an
>>>>>> algorithm but I just wanted to check.
>>>>>>
>>>>>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>>>>>
>>>>>> Apologies if I've missed something in the docs.
>>>>>>
>>>>>> Luke

Re: AES, JVMs and JCE providers

Posted by Luke Biddell <lu...@gmail.com>.
Hi Les,

I've got the BC stuff working nicely. Thought I'd post my test code
here to help others.

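        import java.security.Security;
        import org.apache.shiro.codec.Base64;
        import org.apache.shiro.crypto.DefaultBlockCipherService;
        import org.apache.shiro.util.ByteSource;
        import org.bouncycastle.jce.provider.BouncyCastleProvider;

        // Register BouncyCastle so the "-BC" algorithm name resolves.
        Security.addProvider(new BouncyCastleProvider());
        final DefaultBlockCipherService dbcs = new DefaultBlockCipherService("PBEWITHSHA256AND256BITAES-CBC-BC");
        dbcs.setKeySize(256);
        final byte[] key = Base64.decode("2R2WYJFdwYs0kqpkXhAjZnVP5mbNlvcRpcx9DI86A14=");
        ByteSource bs = dbcs.encrypt("blahblahblahblahblah".getBytes("UTF-8"), key);
        System.out.println(bs.toBase64());
        bs = dbcs.decrypt(bs.getBytes(), key);
        System.out.println(new String(bs.getBytes(), "UTF-8"));
        // This is the call that throws the exception shown below.
        System.out.println(Base64.encodeToString(dbcs.generateNewKey().getEncoded()));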

All works just fine apart from the call to generateNewKey(), I get an exception:


java.security.NoSuchAlgorithmException: PBEWITHSHA256AND256BITAES-CBC-BC KeyGenerator not available
	at javax.crypto.KeyGenerator.<init>(DashoA13*..)
	at javax.crypto.KeyGenerator.getInstance(DashoA13*..)
	at org.apache.shiro.crypto.AbstractSymmetricCipherService.generateNewKey(AbstractSymmetricCipherService.java:56)
	... 2 more


As I understand it, PBE based algs are a special case and you just
have to use "PBE" as the alg to the key generation?

Luke




On 7 May 2011 00:18, Les Hazlewood <lh...@apache.org> wrote:
> You too!
>
> On Fri, May 6, 2011 at 4:15 PM, Luke Biddell <lu...@gmail.com> wrote:
>> I'll give it a go, thanks for the prompt help Les.
>>
>> Have a great weekend.
>>
>> Luke
>>
>> On 7 May 2011 00:10, Les Hazlewood <lh...@apache.org> wrote:
>>> Hi Luke,
>>>
>>> The AesCipherService is basically a pre-configured
>>> DefaultBlockCipherService.  You can instantiate
>>> DefaultBlockCipherService directly, set the JavaBean properties you
>>> want, and you should be good (assuming you've set BouncyCastle as the
>>> provider).
>>>
>>> HTH,
>>>
>>> Les
>>>
>>> On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
>>>> Ok, so I've just read the javadoc around AesCipherService and can see
>>>> setKeySize and setBlockSize. Sorry about that.
>>>>
>>>> If I decide to use Bouncy Castle I presume I just need to derive a
>>>> class from AesCipherService and call the super with
>>>> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
>>>> Security.addProvider)?
>>>>
>>>> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>>>>> I've been looking around without success and was hoping you chaps
>>>>> could confirm a few questions.
>>>>>
>>>>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>>>>> would want it to work successfully between the Oracle (Sun) JVM and
>>>>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>>>>> version I can download the unlimited jurisdiction files and put them
>>>>> in place using Opscode Chef. I can't find any info around 256bit AES
>>>>> and OpenJDK.
>>>>>
>>>>> Would it also be better to use BouncyCastle across both VMs to isolate
>>>>> myself from possible differences in the JCE? I realise it's an
>>>>> algorithm but I just wanted to check.
>>>>>
>>>>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>>>>
>>>>> Apologies if I've missed something in the docs.
>>>>>
>>>>> Luke
>
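
The exception in the post above reflects how the JCE splits key creation: KeyGenerator produces random keys for names such as "AES", while password-based keys are derived through SecretKeyFactory. The following is an added example, not code from the thread or from Shiro; it uses only the JDK (Java 8 or later assumed), and the class name, passphrase, iteration count and salt size are illustrative assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; class name, iteration count and salt size are assumptions.
public class Aes256KeyCheck {
    // True when this JVM's jurisdiction policy permits 256-bit AES.
    static boolean allows256BitAes() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // True when an installed provider registers a KeyGenerator under this name.
    static boolean hasKeyGenerator(String algorithm) {
        try {
            KeyGenerator.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Random 256-bit key: KeyGenerator works for the plain "AES" name.
    static SecretKey randomAesKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        return kg.generateKey();
    }

    // Password-based 256-bit key: derived via SecretKeyFactory, not KeyGenerator.
    static SecretKey passwordAesKey(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // do not leave the passphrase in the spec
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        char[] pass = "constructed passphrase".toCharArray(); // sample input
        String pbe = "PBEWITHSHA256AND256BITAES-CBC-BC"; // name from the thread
        System.out.println("256-bit AES allowed: " + allows256BitAes());
        System.out.println("KeyGenerator for AES: " + hasKeyGenerator("AES"));
        System.out.println("KeyGenerator for PBE name: " + hasKeyGenerator(pbe));
        System.out.println("random key bits: " + randomAesKey().getEncoded().length * 8);
        System.out.println("derived key bits: " + passwordAesKey(pass, salt).getEncoded().length * 8);
    }
}
```

Running the same class on each JVM in a deployment shows whether 256-bit AES is permitted before any cipher service is configured.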

Re: AES, JVMs and JCE providers

Posted by Les Hazlewood <lh...@apache.org>.
You too!

On Fri, May 6, 2011 at 4:15 PM, Luke Biddell <lu...@gmail.com> wrote:
> I'll give it a go, thanks for the prompt help Les.
>
> Have a great weekend.
>
> Luke
>
> On 7 May 2011 00:10, Les Hazlewood <lh...@apache.org> wrote:
>> Hi Luke,
>>
>> The AesCipherService is basically a pre-configured
>> DefaultBlockCipherService.  You can instantiate
>> DefaultBlockCipherService directly, set the JavaBean properties you
>> want, and you should be good (assuming you've set BouncyCastle as the
>> provider).
>>
>> HTH,
>>
>> Les
>>
>> On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
>>> Ok, so I've just read the javadoc around AesCipherService and can see
>>> setKeySize and setBlockSize. Sorry about that.
>>>
>>> If I decide to use Bouncy Castle I presume I just need to derive a
>>> class from AesCipherService and call the super with
>>> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
>>> Security.addProvider)?
>>>
>>> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>>>> I've been looking around without success and was hoping you chaps
>>>> could confirm a few questions.
>>>>
>>>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>>>> would want it to work successfully between the Oracle (Sun) JVM and
>>>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>>>> version I can download the unlimited jurisdiction files and put them
>>>> in place using Opscode Chef. I can't find any info around 256bit AES
>>>> and OpenJDK.
>>>>
>>>> Would it also be better to use BouncyCastle across both VMs to isolate
>>>> myself from possible differences in the JCE? I realise it's an
>>>> algorithm but I just wanted to check.
>>>>
>>>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>>>
>>>> Apologies if I've missed something in the docs.
>>>>
>>>> Luke

Re: AES, JVMs and JCE providers

Posted by Luke Biddell <lu...@gmail.com>.
I'll give it a go, thanks for the prompt help Les.

Have a great weekend.

Luke

On 7 May 2011 00:10, Les Hazlewood <lh...@apache.org> wrote:
> Hi Luke,
>
> The AesCipherService is basically a pre-configured
> DefaultBlockCipherService.  You can instantiate
> DefaultBlockCipherService directly, set the JavaBean properties you
> want, and you should be good (assuming you've set BouncyCastle as the
> provider).
>
> HTH,
>
> Les
>
> On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
>> Ok, so I've just read the javadoc around AesCipherService and can see
>> setKeySize and setBlockSize. Sorry about that.
>>
>> If I decide to use Bouncy Castle I presume I just need to derive a
>> class from AesCipherService and call the super with
>> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
>> Security.addProvider)?
>>
>> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>>> I've been looking around without success and was hoping you chaps
>>> could confirm a few questions.
>>>
>>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>>> would want it to work successfully between the Oracle (Sun) JVM and
>>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>>> version I can download the unlimited jurisdiction files and put them
>>> in place using Opscode Chef. I can't find any info around 256bit AES
>>> and OpenJDK.
>>>
>>> Would it also be better to use BouncyCastle across both VMs to isolate
>>> myself from possible differences in the JCE? I realise it's an
>>> algorithm but I just wanted to check.
>>>
>>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>>
>>> Apologies if I've missed something in the docs.
>>>
>>> Luke
>

Re: AES, JVMs and JCE providers

Posted by Les Hazlewood <lh...@apache.org>.
Hi Luke,

The AesCipherService is basically a pre-configured
DefaultBlockCipherService.  You can instantiate
DefaultBlockCipherService directly, set the JavaBean properties you
want, and you should be good (assuming you've set BouncyCastle as the
provider).

HTH,

Les

On Fri, May 6, 2011 at 2:58 PM, Luke Biddell <lu...@gmail.com> wrote:
> Ok, so I've just read the javadoc around AesCipherService and can see
> setKeySize and setBlockSize. Sorry about that.
>
> If I decide to use Bouncy Castle I presume I just need to derive a
> class from AesCipherService and call the super with
> PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
> Security.addProvider)?
>
> On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
>> I've been looking around without success and was hoping you chaps
>> could confirm a few questions.
>>
>> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
>> would want it to work successfully between the Oracle (Sun) JVM and
>> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
>> version I can download the unlimited jurisdiction files and put them
>> in place using Opscode Chef. I can't find any info around 256bit AES
>> and OpenJDK.
>>
>> Would it also be better to use BouncyCastle across both VMs to isolate
>> myself from possible differences in the JCE? I realise it's an
>> algorithm but I just wanted to check.
>>
>> How do I go about using Shiro with 256bit AES assuming this is possible?
>>
>> Apologies if I've missed something in the docs.
>>
>> Luke

Re: AES, JVMs and JCE providers

Posted by Luke Biddell <lu...@gmail.com>.
Ok, so I've just read the javadoc around AesCipherService and can see
setKeySize and setBlockSize. Sorry about that.

If I decide to use Bouncy Castle I presume I just need to derive a
class from AesCipherService and call the super with
PBEWITHSHA256AND256BITAES-CBC-BC as the algorithm (and call
Security.addProvider)?

On 6 May 2011 21:47, Luke Biddell <lu...@gmail.com> wrote:
> I've been looking around without success and was hoping you chaps
> could confirm a few questions.
>
> I'm looking to use 256 bit AES with Shiro. There's a likelihood that I
> would want it to work successfully between the Oracle (Sun) JVM and
> OpenJDK 6 (between Amazon beanstalk and regular AMIs). For the Sun
> version I can download the unlimited jurisdiction files and put them
> in place using Opscode Chef. I can't find any info around 256bit AES
> and OpenJDK.
>
> Would it also be better to use BouncyCastle across both VMs to isolate
> myself from possible differences in the JCE? I realise it's an
> algorithm but I just wanted to check.
>
> How do I go about using Shiro with 256bit AES assuming this is possible?
>
> Apologies if I've missed something in the docs.
>
> Luke
>