/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: Crypt.java,v 1.4 2008/08/19 19:14:54 veiming Exp $
*
* Portions Copyrighted 2010-2015 ForgeRock AS.
*/
/**
* The class <code>Crypt</code> provides generic methods to encryt and decrypt
* data. This class provides a pluggable architecture to encrypt and decrypt
* data, using the <code>AMEncryption</code> interface class. A class that
* implements <code>AMEncryption</code> must be specified via the system
* property: <code>com.iplanet.services.security.encryptor</code>. If none is
* provided, the default provided by iDSAME
* <code>com.iplanet.services.util.JCEEncryption</code> will be used.
* <p>
* Additionally, it provides a method to check if the calling class has
* permission to call these methods. To enable the additional security, the
* property com.sun.identity.security.checkcaller must be set to true.
*/
public class Crypt {
// Private static final varibales
"com.iplanet.security.encryptor";
"com.sun.identity.security.checkcaller";
"com.iplanet.services.util.JCEEncryption";
// The pwd can be changed through the config file.
// But be super consious when you change it. You have to change the
// encrypted versions of the admin passwords simulaneously.
"com.sun.identity.client.encryptionKey";
"KmhUnWR1MYWDYW4xuqdF5nbm+CXIyOVt";
private static boolean checkCaller;
static {
initialize();
}
public static synchronized void reinitialize() {
initialize();
}
private static void initialize() {
DEFAULT_PWD));
DEFAULT_PWD)));
// check if caller needs to be validated
checkCaller = true;
}
}
// Construct the encryptor class
try {
} catch (Exception e) {
instance = new JCEEncryption();
}
try {
} catch (Exception e) {
}
}
return instance;
}
/**
* Check to see if security is enabled and Caller needs to be checked for
* OpenAM specific Java security permissions
*
* @return boolean true if security check enabled, false otherwise
*/
public static boolean checkCaller() {
return checkCaller;
}
/**
* This is a temporary kludge which always returns an instance of
* AMEncryption using hardcoded key It is necessary for backward
* compatibility with 2.0 Java agents This method is to be ONLY used by
* Session module for session id generation.
*
*/
return hardcodedKeyEncryptor;
}
/**
* Checks security permission returns true if action is allowed, false
* otherwise
*/
private static boolean isAccessPermitted() {
try {
"adminpassword");
if (securityManager != null) {
}
return true;
} catch (SecurityException e) {
+ " password utility: Returning NULL", e);
}
return false;
}
/**
* Return AMEncryption instance for deployment-specific secret key
*
*/
}
/**
* <p>
* Encrypt a String.
* </p>
*
* @param clearText
* The string to be encoded.
* @return The encoded string.
*/
}
/**
* <p>
* Encrypt a String using the client's encryption key
* </p>
*
* @param clearText
* The string to be encoded.
* @return The encoded string.
*/
}
/**
* <p>
* Decrypt a String.
* </p>
*
* @param encoded
* The string to be decoded.
* @return The decoded string.
*/
}
/**
* <p>
* Decrypt a String using client's encryption key
* </p>
*
* @param encoded
* The string to be decoded.
* @return The decoded string.
*/
}
/**
* <p>
* Encode a String.
* </p>
*
* @param clearText
* The string to be encoded.
* @param encr
* instance of AMEncryption to use
* @return The encoded string.
*/
if (checkCaller()) {
if (!isAccessPermitted())
return null;
}
return null;
}
// Encrypt the data
try {
} catch (UnsupportedEncodingException uee) {
}
// BASE64 encode the data
// Perf Improvement : Removed the sync block and newed up the Encoder
// object for every call. Its a trade off b/w CPU and mem usage.
// Serialize the data, i.e., remove \n and \r
try {
}
} catch (IOException ioe) {
}
}
/**
* <p>
* Encode a String.
* </p>
*
* @param clearText
* The string to be encoded.
* @return The encoded string.
*/
}
/**
* Decode an encoded string
*
* @param encoded
* The encoded string.
* @param encr
* instance of AMEncryption to use
* @return The decoded string.
*/
if (checkCaller()) {
try {
"adminpassword");
if (securityManager != null) {
}
} catch (SecurityException e) {
return null;
}
}
return (null);
}
// BASE64 decode the data
// Perf Improvement : Removed the sync block and newed up the Decoder
// object for every call. Its a trade off b/w CPU and mem usage.
//The return value of Base64.decode can be null
//if the value isn't divisible by 4. (i.e. corrupted).
return null;
}
// Decrypt the data
return (null);
}
// Convert to String and return
try {
} catch (UnsupportedEncodingException uue) {
}
return (answer);
}
/**
* Decode an encoded string
*
* @param encoded
* The encoded string.
* @return The decoded string.
*/
}
/**
* Check to determine if the calling class has the privilege to execute
* sensitive methods which returns passwords, decrypts data, etc. This
* method uses the stack trace to determine the calling class.
*/
protected static boolean isCallerValid() {
if (!checkCaller) {
return (true);
}
return (isCallerValid(CLASSNAME));
}
/**
* Check to determine if the calling class has the privilege to execute
* sensitive methods which returns passwords, decrypts data, etc. This
* method uses the stack trace to determine the calling class.
*
* @param obj
* The Java object that is performing this check
*/
if (!checkCaller) {
return (true);
}
return (isCallerValid(CLASSNAME));
}
}
/**
* Check to determine if the calling class has the privilege to execute
* sensitive methods which returns passwords, decrypts data, etc. This
* method uses the stack trace to determine the calling class.
*
* @param className
* fully qualified class name of Object calling this function
*/
if (!checkCaller) {
return (true);
}
// Check for Package name matches
return (true);
}
}
// Check for Class name matches
return (true);
}
}
return (false);
}
try {
throw (new Exception());
+ callerClass.length());
}
return (parentClass);
}
"com.iplanet.am", "com.sun.identity.policy" };
"com.iplanet.services.util.Crypt", "TestCrypt" };
}