/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8006591
* @summary Protect keystore entries using stronger PBE algorithms
*/
import java.io.*;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;
// Retrieve a keystore entry, protected by the default encryption algorithm.
// Set the keystore entry, protected by a stronger encryption algorithm.
public class PBETest {
private final static String DIR = System.getProperty("test.src", ".");
private final static String KEY_PROTECTION_PROPERTY =
"keystore.PKCS12.keyProtectionAlgorithm";
private static final String[] PBE_ALGOS = {
"PBEWithSHA1AndDESede",
"PBEWithHmacSHA1AndAES_128",
"PBEWithHmacSHA224AndAES_128",
"PBEWithHmacSHA256AndAES_128",
"PBEWithHmacSHA384AndAES_128",
"PBEWithHmacSHA512AndAES_128"
};
private static final char[] PASSWORD = "passphrase".toCharArray();
private static final String KEYSTORE_TYPE = "JKS";
private static final String KEYSTORE = DIR + "/keystore.jks";
private static final String NEW_KEYSTORE_TYPE = "PKCS12";
private static final String ALIAS = "vajra";
private static final byte[] IV = {
0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18,
0x19,0x1A,0x1B,0x1C,0x1D,0x1E,0x1F,0x20
};
private static final byte[] SALT = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08
};
private static final int ITERATION_COUNT = 1024;
public static void main(String[] args) throws Exception {
for (String algo : PBE_ALGOS) {
String filename = algo + ".p12";
main0(algo, filename, true);
main0(algo, filename, false);
Security.setProperty(KEY_PROTECTION_PROPERTY, algo);
main0(null, "PBE.p12", false);
Security.setProperty(KEY_PROTECTION_PROPERTY, "");
}
main0(null, "default.p12", false); // default algorithm
}
private static void main0(String algo, String filename, boolean useParams)
throws Exception {
KeyStore keystore = load(KEYSTORE_TYPE, KEYSTORE, PASSWORD);
KeyStore.Entry entry =
keystore.getEntry(ALIAS,
new KeyStore.PasswordProtection(PASSWORD));
System.out.println("Retrieved key entry named '" + ALIAS + "'");
Key originalKey = null;
if (entry instanceof KeyStore.PrivateKeyEntry) {
originalKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
} else if (entry instanceof KeyStore.SecretKeyEntry) {
originalKey = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
}
// Set entry
KeyStore keystore2 = load(NEW_KEYSTORE_TYPE, null, null);
if (useParams) {
keystore2.setEntry(ALIAS, entry,
new KeyStore.PasswordProtection(PASSWORD, algo,
new PBEParameterSpec(SALT, ITERATION_COUNT,
new IvParameterSpec(IV))));
System.out.println("Encrypted key entry using: " + algo +
" (with PBE parameters)");
} else if (algo != null) {
keystore2.setEntry(ALIAS, entry,
new KeyStore.PasswordProtection(PASSWORD, algo, null));
System.out.println("Encrypted key entry using: " + algo +
" (without PBE parameters)");
} else {
keystore2.setEntry(ALIAS, entry,
new KeyStore.PasswordProtection(PASSWORD));
String prop = Security.getProperty(KEY_PROTECTION_PROPERTY);
if (prop == null || prop.isEmpty()) {
System.out.println("Encrypted key entry using: " +
"default PKCS12 key protection algorithm");
} else {
System.out.println("Encrypted key entry using: " +
"keyProtectionAlgorithm=" + prop);
}
}
try (FileOutputStream outStream = new FileOutputStream(filename)) {
System.out.println("Storing keystore to: " + filename);
keystore2.store(outStream, PASSWORD);
}
try {
keystore2 = load(NEW_KEYSTORE_TYPE, filename, PASSWORD);
entry = keystore2.getEntry(ALIAS,
new KeyStore.PasswordProtection(PASSWORD));
Key key;
if (entry instanceof KeyStore.PrivateKeyEntry) {
key = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
} else if (entry instanceof KeyStore.SecretKeyEntry) {
key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
} else {
throw new Exception("Failed to retrieve key entry");
}
if (originalKey.equals(key)) {
System.out.println("Retrieved key entry named '" + ALIAS + "'");
System.out.println();
} else {
throw new Exception(
"Failed: recovered key does not match the original key");
}
} finally {
new File(filename).delete();
}
}
private static KeyStore load(String type, String path, char[] password)
throws Exception {
KeyStore keystore = KeyStore.getInstance(type);
if (path != null) {
try (FileInputStream inStream = new FileInputStream(path)) {
System.out.println("Loading keystore from: " + path);
keystore.load(inStream, password);
System.out.println("Loaded keystore with " + keystore.size() +
" entries");
}
} else {
keystore.load(null, null);
}
return keystore;
}
}