a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington/*
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * The contents of this file are subject to the terms
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * of the Common Development and Distribution License
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * (the License). You may not use this file except in
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * compliance with the License.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * You can obtain a copy of the License at
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * opensso/legal/CDDLv1.0.txt
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * See the License for the specific language governing
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * permission and limitations under the License.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * When distributing Covered Code, include this CDDL
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * Header Notice in each file and include the License file
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * at opensso/legal/CDDLv1.0.txt.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * If applicable, add the following below the CDDL Header,
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * with the fields enclosed by brackets [] replaced by
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * your own identifying information:
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * $Id: Crypt.java,v 1.4 2008/08/19 19:14:54 veiming Exp $
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster *
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington * Portions Copyrighted 2010-2015 ForgeRock AS.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpackage com.iplanet.services.util;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;

import com.sun.identity.security.ISSecurityPermission;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * The class <code>Crypt</code> provides generic methods to encrypt and decrypt
 * data. This class provides a pluggable architecture to encrypt and decrypt
 * data, using the <code>AMEncryption</code> interface class. A class that
 * implements <code>AMEncryption</code> must be specified via the system
 * property: <code>com.iplanet.security.encryptor</code>. If none is
 * provided, the default provided by iDSAME
 * <code>com.iplanet.services.util.JCEEncryption</code> will be used.
 * <p>
 * Additionally, it provides a method to check if the calling class has
 * permission to call these methods. To enable the additional security, the
 * property com.sun.identity.security.checkcaller must be set to true.
 */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpublic class Crypt {
// Private static final variables

// System property naming the AMEncryption implementation that
// createInstance() loads; DEFAULT_ENCRYPTOR_CLASS is used when it is unset.
private static final String ENCRYPTOR_CLASS_PROPERTY =
        "com.iplanet.security.encryptor";

// System property that, when set to "true", turns on the caller
// permission checks (see initialize() and isAccessPermitted()).
private static final String CHECK_CALLER_PROPERTY =
        "com.sun.identity.security.checkcaller";

// Bundled encryptor, also the fallback when the configured class cannot
// be loaded.
private static final String DEFAULT_ENCRYPTOR_CLASS =
        "com.iplanet.services.util.JCEEncryption";

// The pwd can be changed through the config file.
// But be super conscious when you change it. You have to change the
// encrypted versions of the admin passwords simultaneously.
private static final String PROPERTY_PWD = "am.encryption.pwd";

// Client-side key property; initialize() falls back to PROPERTY_PWD
// when it is unset.
private static final String PROPERTY_PWD_LOCAL =
        "com.sun.identity.client.encryptionKey";

// Compiled-in fallback for PROPERTY_PWD and the fixed key behind
// getHardcodedKeyEncryptor(). It is the same in every build, so data
// protected with it is only as secret as this source file: a deployment
// has to set am.encryption.pwd to its own value.
private static final String DEFAULT_PWD =
        "KmhUnWR1MYWDYW4xuqdF5nbm+CXIyOVt";

// Set (and never cleared) by initialize() when CHECK_CALLER_PROPERTY is "true".
private static boolean checkCaller;

// Security manager consulted by isAccessPermitted(). NOTE(review): public and
// non-final, so any class in the JVM can reassign it and thereby silently
// disable that check; narrowing its visibility would change the public API,
// so it is left as is and flagged here.
public static SecurityManager securityManager;

// Encryptor keyed with PROPERTY_PWD (or DEFAULT_PWD when unset).
private static AMEncryption encryptor;

// Encryptor keyed with PROPERTY_PWD_LOCAL (falls back to the PROPERTY_PWD value).
private static AMEncryption localEncryptor;

// Encryptor always keyed with DEFAULT_PWD; kept for 2.0 agent compatibility.
private static AMEncryption hardcodedKeyEncryptor;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
// Build the encryptors and read the caller-check flag once, at class load;
// reinitialize() repeats the same work on demand.
static {
    initialize();
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Re-reads the system properties and rebuilds all three encryptors, for use
 * when the configured keys or encryptor class have changed.
 * <p>
 * Only concurrent callers of this method are serialized; the encryptor
 * fields are not volatile, so other threads may keep observing the previous
 * instances for a while after this returns (assumption - confirm against callers).
 */
public static synchronized void reinitialize() {
    initialize();
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Builds the deployment, client and hard-coded-key encryptors from the
 * system properties and reads the caller-check flag.
 * <p>
 * The flag is only ever switched on here, never off: once
 * {@code com.sun.identity.security.checkcaller} has been seen as "true",
 * a later call with the property removed leaves the check enabled.
 */
private static void initialize() {
    // Deployment key: am.encryption.pwd, falling back to the compiled-in default.
    String deploymentPwd = SystemPropertiesManager.get(PROPERTY_PWD, DEFAULT_PWD);
    encryptor = createInstance(deploymentPwd);

    // Client key: com.sun.identity.client.encryptionKey, falling back to the
    // deployment key when it is not configured.
    String clientPwd = SystemPropertiesManager.get(PROPERTY_PWD_LOCAL, deploymentPwd);
    localEncryptor = createInstance(clientPwd);

    hardcodedKeyEncryptor = createInstance(DEFAULT_PWD);

    // Caller validation is opt-in; parseBoolean is true exactly for a
    // case-insensitive "true" and false for null, matching the old check.
    String callerCheckSetting = SystemPropertiesManager.get(CHECK_CALLER_PROPERTY);
    if (Boolean.parseBoolean(callerCheckSetting)) {
        checkCaller = true;
        securityManager = System.getSecurityManager();
    }
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
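/**
 * Instantiates the configured {@code AMEncryption} implementation and hands
 * it the given password via {@code ConfigurableKey.setPassword}.
 * <p>
 * The implementation class name comes from the
 * {@code com.iplanet.security.encryptor} system property (deployment
 * configuration, not request data). If that class cannot be loaded or
 * constructed, the bundled {@code JCEEncryption} is used instead. If the
 * resulting instance is not a {@code ConfigurableKey}, or setting the
 * password throws, the error is logged and the instance is returned
 * without a password-based key applied.
 *
 * @param password value passed to {@code ConfigurableKey.setPassword}
 * @return the (best-effort keyed) encryptor; never {@code null}
 */
private static AMEncryption createInstance(String password) {
    String encClass = SystemPropertiesManager.get(ENCRYPTOR_CLASS_PROPERTY,
            DEFAULT_ENCRYPTOR_CLASS);

    AMEncryption instance;
    try {
        // getDeclaredConstructor().newInstance() replaces the deprecated
        // Class.newInstance(); any failure still ends up in the catch below.
        instance = (AMEncryption) Class.forName(encClass)
                .getDeclaredConstructor().newInstance();
    } catch (Exception e) {
        Debug debug = Debug.getInstance("amSDK");
        if (debug != null) {
            debug.error("Crypt:: Unable to get class instance: " + encClass, e);
        }
        instance = new JCEEncryption();
    }

    // Only a ConfigurableKey can take a password. Say so explicitly instead
    // of letting the cast fail, so the log names the real misconfiguration.
    if (!(instance instanceof ConfigurableKey)) {
        Debug debug = Debug.getInstance("amSDK");
        if (debug != null) {
            debug.error("Crypt: encryptor " + instance.getClass().getName()
                    + " does not implement ConfigurableKey; password-based key not set");
        }
        return instance;
    }

    try {
        ((ConfigurableKey) instance).setPassword(password);
    } catch (Exception e) {
        Debug debug = Debug.getInstance("amSDK");
        if (debug != null) {
            debug.error("Crypt: failed to set password-based key", e);
        }
    }

    return instance;
}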
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Check to see if security is enabled and the caller needs to be checked for
 * OpenAM specific Java security permissions. The flag is set by
 * initialize() from the com.sun.identity.security.checkcaller property.
 *
 * @return boolean true if security check enabled, false otherwise
 */
public static boolean checkCaller() {
    return checkCaller;
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * This is a temporary kludge which always returns an instance of
 * AMEncryption using the hardcoded key (DEFAULT_PWD). It is necessary for
 * backward compatibility with 2.0 Java agents. This method is to be ONLY
 * used by the Session module for session id generation.
 * <p>
 * Unlike getEncryptor(), no permission check is performed here, and the
 * key is the compiled-in default shared by every build.
 *
 * @return the encryptor keyed with the compiled-in default password
 */
public static AMEncryption getHardcodedKeyEncryptor() {
    return hardcodedKeyEncryptor;
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Asks the installed security manager whether the caller holds the
 * ISSecurityPermission("access", "adminpassword").
 * <p>
 * When no security manager was captured by initialize() (the field is
 * null) the check passes unconditionally. A refusal is logged as a
 * security alert.
 *
 * @return true if access is permitted, false if the security manager
 *         rejected it
 */
private static boolean isAccessPermitted() {
    SecurityManager manager = securityManager;
    try {
        ISSecurityPermission permission =
                new ISSecurityPermission("access", "adminpassword");
        if (manager != null) {
            manager.checkPermission(permission);
        }
    } catch (SecurityException e) {
        Debug.getInstance("amSDK").error(
                "Security Alert: Unauthorized access to Encoding/Decoding password utility: Returning NULL",
                e);
        return false;
    }
    return true;
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Return the AMEncryption instance keyed with the deployment-specific
 * secret (am.encryption.pwd).
 *
 * @return the deployment encryptor, or null if the security-manager
 *         permission check fails
 */
public static AMEncryption getEncryptor() {
    if (!isAccessPermitted()) {
        return null;
    }
    return encryptor;
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Encrypt a String with the deployment encryptor.
 *
 * @param clearText
 *            The string to be encoded.
 * @return The encoded string, or null as documented on
 *         {@link #encode(String, AMEncryption)}.
 */
public static String encrypt(String clearText) {
    return encode(clearText, encryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Encrypt a String using the client's encryption key
 * (com.sun.identity.client.encryptionKey).
 *
 * @param clearText
 *            The string to be encoded.
 * @return The encoded string, or null as documented on
 *         {@link #encode(String, AMEncryption)}.
 */
public static String encryptLocal(String clearText) {
    AMEncryption clientKeyEncryptor = localEncryptor;
    return encode(clearText, clientKeyEncryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Decrypt a String with the deployment encryptor.
 *
 * @param encoded
 *            The string to be decoded.
 * @return The decoded string, or null as documented on
 *         {@link #decode(String, AMEncryption)}.
 */
public static String decrypt(String encoded) {
    return decode(encoded, encryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Decrypt a String using the client's encryption key
 * (com.sun.identity.client.encryptionKey).
 *
 * @param encoded
 *            The string to be decoded.
 * @return The decoded string, or null as documented on
 *         {@link #decode(String, AMEncryption)}.
 */
public static String decryptLocal(String encoded) {
    AMEncryption clientKeyEncryptor = localEncryptor;
    return decode(encoded, clientKeyEncryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
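/**
 * Encode a String: encrypt its UTF-8 bytes with {@code encr} and return
 * the result as a single-line Base64 string.
 *
 * @param clearText
 *            The string to be encoded.
 * @param encr
 *            instance of AMEncryption to use
 * @return The encoded string, or null when the caller check is enabled
 *         and fails, when {@code clearText} is null or empty, or when the
 *         encryptor returns no data.
 */
public static String encode(String clearText, AMEncryption encr) {
    // isAccessPermitted() logs the security alert itself.
    if (checkCaller() && !isAccessPermitted()) {
        return null;
    }
    if (clearText == null || clearText.isEmpty()) {
        return null;
    }

    // Encrypt the UTF-8 bytes. StandardCharsets.UTF_8 is always available,
    // so the old UnsupportedEncodingException fallback is gone - it also
    // silently used the static 'encryptor' instead of 'encr'.
    byte[] encData = encr.encrypt(clearText.getBytes(StandardCharsets.UTF_8));
    if (encData == null) {
        // Mirror decode(): no output from the encryptor means no result.
        return null;
    }

    // BASE64 encode, then drop any \r or \n the encoder may have inserted
    // so the value is stored on a single line.
    String str = Base64.encode(encData).trim();
    return str.replace("\r", "").replace("\n", "");
}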
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Encode a String with the deployment encryptor (am.encryption.pwd).
 *
 * @param clearText
 *            The string to be encoded.
 * @return The encoded string, or null as documented on
 *         {@link #encode(String, AMEncryption)}.
 */
public static String encode(String clearText) {
    AMEncryption deploymentEncryptor = encryptor;
    return encode(clearText, deploymentEncryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
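/**
 * Decode an encoded string: Base64-decode it, decrypt the bytes with
 * {@code encr} and interpret the result as UTF-8.
 *
 * @param encoded
 *            The encoded string.
 * @param encr
 *            instance of AMEncryption to use
 * @return The decoded string, or null when the caller check is enabled
 *         and fails, when {@code encoded} is null or empty, when the
 *         Base64 input is malformed, or when decryption yields no data.
 */
public static String decode(String encoded, AMEncryption encr) {
    // Same gate as encode(): isAccessPermitted() does the permission check
    // and logs the alert, so the check is no longer duplicated inline here.
    if (checkCaller() && !isAccessPermitted()) {
        return null;
    }
    if (encoded == null || encoded.isEmpty()) {
        return null;
    }

    // BASE64 decode the data. The return value of Base64.decode can be null
    // if the value isn't divisible by 4 (i.e. corrupted).
    byte[] encData = Base64.decode(encoded.trim());
    if (encData == null) {
        return null;
    }

    // Decrypt the data
    byte[] rawData = encr.decrypt(encData);
    if (rawData == null) {
        return null;
    }

    // encode() produced UTF-8 bytes; read them back the same way. The
    // charset constant removes the UnsupportedEncodingException path.
    return new String(rawData, StandardCharsets.UTF_8);
}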
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Decode an encoded string with the deployment encryptor (am.encryption.pwd).
 *
 * @param encoded
 *            The encoded string.
 * @return The decoded string, or null as documented on
 *         {@link #decode(String, AMEncryption)}.
 */
public static String decode(String encoded) {
    AMEncryption deploymentEncryptor = encryptor;
    return decode(encoded, deploymentEncryptor);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Check to determine if the calling class has the privilege to execute
 * sensitive methods which return passwords, decrypt data, etc. Delegates
 * to {@link #isCallerValid(String)} with this class's own name (CLASSNAME).
 *
 * @return true when caller checking is disabled or the caller is allowed
 */
protected static boolean isCallerValid() {
    // Short-circuit keeps the CLASSNAME lookup off the disabled path.
    return !checkCaller || isCallerValid(CLASSNAME);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Check to determine if the calling class has the privilege to execute
 * sensitive methods which return passwords, decrypt data, etc. The check is
 * delegated to {@link #isCallerValid(String)} with the runtime class name
 * of {@code obj}, or with CLASSNAME when {@code obj} is null.
 *
 * @param obj
 *            The Java object that is performing this check
 * @return true when caller checking is disabled or the caller is allowed
 */
public static boolean isCallerValid(Object obj) {
    if (!checkCaller) {
        return true;
    }
    if (obj != null) {
        return isCallerValid(obj.getClass().getName());
    }
    return isCallerValid(CLASSNAME);
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
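/**
 * Checks whether the class that called into this one is permitted to use its
 * sensitive operations (returning passwords, decrypting data, ...). The class
 * to test is recovered from the current thread's stack trace by
 * {@link #getParentClass(String)} and then matched against
 * {@code VALID_PACKAGES} (package boundary match) and {@code VALID_CLASSES}
 * (exact match).
 *
 * <p>NOTE(review): the allowlist is keyed on class and package <em>names</em>
 * taken from a printed stack trace. Any class that is placed in an allowed
 * package passes, so this is a best-effort guard rather than a trust
 * boundary.
 *
 * @param className fully qualified name of the class at which the
 *                  stack-trace search is anchored (normally the class that
 *                  invokes this check); must not be {@code null}
 * @return {@code true} when caller checking is disabled or the class found on
 *         the stack is allowlisted, {@code false} otherwise
 * @throws NullPointerException if {@code className} is {@code null} (it is
 *         dereferenced while the trace is scanned)
 * @throws StringIndexOutOfBoundsException if the stack trace cannot be parsed
 *         (propagated from {@code getParentClass}; see that method)
 */
public static boolean isCallerValid(String className) {
    if (!checkCaller) {
        return true;
    }
    String parentClass = getParentClass(className);

    // Package allowlist. Match on a package boundary ("pkg.") rather than a
    // bare string prefix, so that a sibling package that merely shares the
    // prefix (e.g. "com.iplanet.amx" against "com.iplanet.am") is not
    // accepted by accident.
    for (String pkg : VALID_PACKAGES) {
        if (parentClass.startsWith(pkg + ".")) {
            return true;
        }
    }
    // Class allowlist: exact match on the fully qualified name.
    for (String allowed : VALID_CLASSES) {
        if (parentClass.equals(allowed)) {
            return true;
        }
    }
    return false;
}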
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Recovers a class name from the current thread's printed stack trace.
 *
 * <p>The trace is printed innermost frame first. The method takes the text
 * that follows the <em>last</em> textual occurrence of {@code callerClass}
 * (i.e. the outermost frame mentioning it; note this is a substring match,
 * so a class whose name merely contains {@code callerClass} also matches),
 * then the <em>last</em> {@code "at "} frame inside that remainder, and
 * strips the method name and source location from it.
 *
 * <p>NOTE(review): because {@code lastIndexOf} is used for the frame lookup,
 * the frame selected is the last one printed after the anchor — the
 * outermost frame of the thread — not the frame immediately above the
 * anchor. Confirm this is the intended meaning of "calling class" used by
 * the {@code isCallerValid} Javadoc.
 *
 * <p>Failure modes visible in the code: if {@code callerClass} does not
 * occur in the trace, {@code lastIndexOf} yields -1 and the offsets are off
 * by one; if the selected frame has no {@code "("} or no {@code "."}, a
 * {@link StringIndexOutOfBoundsException} escapes. Frames printed with a
 * module prefix ("module/pkg.Class") are returned with that prefix intact.
 *
 * @param callerClass fully qualified class name used as the search anchor;
 *                    must not be {@code null}
 * @return the fully qualified name of the selected frame's class
 */
protected static String getParentClass(String callerClass) {
    // Render the current stack as text; the Throwable is created here, so
    // its innermost frame is this method.
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    PrintStream sink = new PrintStream(buffer);
    new Exception().printStackTrace(sink);
    String trace = buffer.toString();

    // Text after the last textual occurrence of the anchor class name.
    int anchorEnd = trace.lastIndexOf(callerClass) + callerClass.length();
    String afterAnchor = trace.substring(anchorEnd);

    // Last frame line in the remainder, without its "at " prefix.
    int frameStart = afterAnchor.lastIndexOf(AT_NAME) + AT_NAME.length();
    String frame = afterAnchor.substring(frameStart);

    // "pkg.Class.method(File.java:NN)" -> "pkg.Class.method" -> "pkg.Class"
    String classAndMethod = frame.substring(0, frame.indexOf("("));
    return frame.substring(0, classAndMethod.lastIndexOf("."));
}
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
// Packages whose classes may invoke the sensitive operations of this class.
// See isCallerValid(String) for how a class name found on the stack is
// compared against these entries.
private static final String[] VALID_PACKAGES = { "com.iplanet.services",
    "com.iplanet.am", "com.sun.identity.policy" };

// Individual classes accepted by exact (fully qualified) name.
// NOTE(review): "TestCrypt" is an unqualified name, so it can only match a
// class in the default package; it looks like a test hook — confirm it is
// wanted in a production allowlist.
private static final String[] VALID_CLASSES = {
    "com.iplanet.services.util.Crypt", "TestCrypt" };

// This class's own name; used as the stack-trace anchor when a caller does
// not supply one (isCallerValid() and isCallerValid(null)).
private static final String CLASSNAME = "com.iplanet.services.util.Crypt";

// Prefix of each frame line in a printed stack trace ("\tat pkg.Class.method(...)");
// getParentClass searches for it to locate a frame.
private static final String AT_NAME = "at ";
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster}