[libeufin] branch master updated: Routines to protect private keys with
From: |
gnunet |
Subject: |
[libeufin] branch master updated: Routines to protect private keys with passphrases. |
Date: |
Thu, 21 Nov 2019 04:16:52 +0100 |
This is an automated email from the git hooks/post-receive script.
marcello pushed a commit to branch master
in repository libeufin.
The following commit(s) were added to refs/heads/master by this push:
new 8547eeb Routines to protect private keys with passphrases.
8547eeb is described below
commit 8547eeb81f0a6a433331571a9eaaa148851e89fa
Author: Marcello Stanisci <address@hidden>
AuthorDate: Thu Nov 21 04:16:07 2019 +0100
Routines to protect private keys with passphrases.
---
.../kotlin/tech/libeufin/sandbox/CryptoUtil.kt | 67 +++++++++++++++++++---
sandbox/src/test/kotlin/CryptoUtilTest.kt | 24 +++++++-
2 files changed, 83 insertions(+), 8 deletions(-)
diff --git a/sandbox/src/main/kotlin/tech/libeufin/sandbox/CryptoUtil.kt
b/sandbox/src/main/kotlin/tech/libeufin/sandbox/CryptoUtil.kt
index 55ad1bd..fdd0233 100644
--- a/sandbox/src/main/kotlin/tech/libeufin/sandbox/CryptoUtil.kt
+++ b/sandbox/src/main/kotlin/tech/libeufin/sandbox/CryptoUtil.kt
@@ -22,17 +22,14 @@ package tech.libeufin.sandbox
import org.bouncycastle.jce.provider.BouncyCastleProvider
import java.io.ByteArrayOutputStream
import java.math.BigInteger
-import java.security.KeyFactory
-import java.security.KeyPairGenerator
-import java.security.MessageDigest
-import java.security.Signature
+import java.security.*
import java.security.interfaces.RSAPrivateCrtKey
import java.security.interfaces.RSAPublicKey
import java.security.spec.*
-import javax.crypto.Cipher
-import javax.crypto.KeyGenerator
-import javax.crypto.SecretKey
+import javax.crypto.*
import javax.crypto.spec.IvParameterSpec
+import javax.crypto.spec.PBEKeySpec
+import javax.crypto.spec.PBEParameterSpec
import javax.crypto.spec.SecretKeySpec
/**
@@ -214,4 +211,60 @@ object CryptoUtil {
}
return digest.digest()
}
+
+
+ fun decryptSecret(data: EncryptedPrivateKeyInfo, passphrase: String):
RSAPrivateCrtKey {
+
+ /* make key out of passphrase */
+ val pbeKeySpec = PBEKeySpec(passphrase.toCharArray())
+ val keyFactory = SecretKeyFactory.getInstance(data.algName)
+ val secretKey = keyFactory.generateSecret(pbeKeySpec)
+
+ /* Make a cipher */
+ val cipher = Cipher.getInstance(data.algName)
+ cipher.init(
+ Cipher.DECRYPT_MODE,
+ secretKey,
+ data.algParameters // has hash count and salt
+ )
+
+ /* Ready to decrypt */
+ val decryptedKeySpec: PKCS8EncodedKeySpec = data.getKeySpec(cipher)
+ val priv =
KeyFactory.getInstance("RSA").generatePrivate(decryptedKeySpec)
+ if (priv !is RSAPrivateCrtKey)
+ throw Exception("wrong encoding")
+ return priv
+ }
+
+ fun encryptSecret(data: ByteArray, passphrase: String): ByteArray {
+
+ /* Cipher parameters: salt and hash count */
+ val hashIterations = 30
+ val salt = ByteArray(8)
+ SecureRandom().nextBytes(salt)
+ val pbeParameterSpec = PBEParameterSpec(salt, hashIterations)
+
+ /* *Other* cipher parameters: symmetric key (from password) */
+ val pbeAlgorithm = "PBEWithSHA1AndDESede"
+ val pbeKeySpec = PBEKeySpec(passphrase.toCharArray())
+ val keyFactory = SecretKeyFactory.getInstance(pbeAlgorithm)
+ val secretKey = keyFactory.generateSecret(pbeKeySpec)
+
+ /* Make a cipher */
+ val cipher = Cipher.getInstance(pbeAlgorithm)
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeParameterSpec)
+
+ /* ready to encrypt now */
+ val cipherText = cipher.doFinal(data)
+
+ /* Must now bundle a PKCS#8-compatible object, that contains
+ * algorithm, salt and hash count information */
+
+ val bundleAlgorithmParams =
AlgorithmParameters.getInstance(pbeAlgorithm)
+ bundleAlgorithmParams.init(pbeParameterSpec)
+
+ val bundle = EncryptedPrivateKeyInfo(bundleAlgorithmParams, cipherText)
+
+ return bundle.encoded
+ }
}
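Review bot: In encryptSecret, `val hashIterations = 30` and the 8-byte salt make the passphrase-derived key cheap to brute-force offline if an encrypted key blob leaks, and `PBEWithSHA1AndDESede` is a legacy SHA-1/3DES scheme. The count should be a named constant several orders of magnitude higher, e.g. `private const val PBE_ITERATIONS = 100_000` (a value constructed here for illustration, to be tuned to the deployment) together with `val salt = ByteArray(16)`; a PBKDF2/AES-based PBE algorithm is worth considering if the target JDK's EncryptedPrivateKeyInfo round-trips it. decryptSecret takes both the algorithm name and the parameters from `data`, so it should compare `data.algName` with the expected algorithm before building the cipher. Both functions also leave the passphrase inside the `PBEKeySpec`; calling `pbeKeySpec.clearPassword()` once the secret key has been generated shortens its lifetime in memory. Both functions are complete in the hunk, but the enclosing `object CryptoUtil` starts outside it.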
diff --git a/sandbox/src/test/kotlin/CryptoUtilTest.kt
b/sandbox/src/test/kotlin/CryptoUtilTest.kt
index 0dc6a87..bee8d0c 100644
--- a/sandbox/src/test/kotlin/CryptoUtilTest.kt
+++ b/sandbox/src/test/kotlin/CryptoUtilTest.kt
@@ -22,9 +22,9 @@ package tech.libeufin.sandbox
import org.junit.Test
import java.security.KeyPairGenerator
import java.security.interfaces.RSAPrivateCrtKey
+import javax.crypto.EncryptedPrivateKeyInfo
import kotlin.test.assertEquals
import kotlin.test.assertTrue
-import kotlin.collections.contentEquals
class CryptoUtilTest {
@@ -74,4 +74,26 @@ class CryptoUtilTest {
val sig = CryptoUtil.signEbicsA006(data, keyPair.private)
assertTrue(CryptoUtil.verifyEbicsA006(sig, data, keyPair.public))
}
+
+ @Test
+ fun testPassphraseEncryption() {
+
+ val keyPair = CryptoUtil.generateRsaKeyPair(1024)
+
+ /* encrypt with original key */
+ val data = "Hello, World!".toByteArray(Charsets.UTF_8)
+ val secret = CryptoUtil.encryptEbicsE002(data, keyPair.public)
+
+ /* encrypt and decrypt private key */
+ val encPriv = CryptoUtil.encryptSecret(keyPair.private.encoded,
"secret")
+ val plainPriv =
CryptoUtil.decryptSecret(EncryptedPrivateKeyInfo(encPriv),"secret")
+
+ /* decrypt with decrypted private key */
+ val revealed = CryptoUtil.decryptEbicsE002(secret, plainPriv)
+
+ assertEquals(
+ String(revealed, charset = Charsets.UTF_8),
+ String(data, charset = Charsets.UTF_8)
+ )
+ }
}
\ No newline at end of file
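Review bot: testPassphraseEncryption only exercises the round trip with the correct passphrase, so nothing pins down that decryptSecret rejects a wrong one. Since the scheme has no integrity tag, rejection presumably relies on the padding and PKCS#8 parsing failing, which is worth asserting explicitly, e.g. `assertFailsWith<Exception> { CryptoUtil.decryptSecret(EncryptedPrivateKeyInfo(encPriv), "wrong") }`. A comment such as `/* 1024 bits only to keep the test fast; not a recommended key size */` next to `generateRsaKeyPair(1024)` would keep the value from being copied into production code. The enclosing class CryptoUtilTest starts outside the hunk.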
--
To stop receiving notification emails like this one, please contact
address@hidden.