001 /*
002 * Cumulus4j - Securing your data in the cloud - http://cumulus4j.org
003 * Copyright (C) 2011 NightLabs Consulting GmbH
004 *
005 * This program is free software: you can redistribute it and/or modify
006 * it under the terms of the GNU Affero General Public License as
007 * published by the Free Software Foundation, either version 3 of the
008 * License, or (at your option) any later version.
009 *
010 * This program is distributed in the hope that it will be useful,
011 * but WITHOUT ANY WARRANTY; without even the implied warranty of
012 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
013 * GNU Affero General Public License for more details.
014 *
015 * You should have received a copy of the GNU Affero General Public License
016 * along with this program. If not, see <http://www.gnu.org/licenses/>.
017 */
018 package org.cumulus4j.keystore;
019
020 import java.io.DataOutputStream;
021 import java.io.File;
022 import java.io.FileInputStream;
023 import java.io.FileNotFoundException;
024 import java.io.FileOutputStream;
025 import java.io.IOException;
026 import java.io.OutputStream;
027 import java.io.UnsupportedEncodingException;
028 import java.lang.ref.WeakReference;
029 import java.net.URLEncoder;
030 import java.security.GeneralSecurityException;
031 import java.security.SecureRandom;
032 import java.security.spec.KeySpec;
033 import java.util.ArrayList;
034 import java.util.Arrays;
035 import java.util.Collections;
036 import java.util.Date;
037 import java.util.HashMap;
038 import java.util.LinkedList;
039 import java.util.List;
040 import java.util.Map;
041 import java.util.Set;
042 import java.util.SortedSet;
043 import java.util.Timer;
044 import java.util.TimerTask;
045 import java.util.TreeSet;
046 import java.util.UUID;
047
048 import javax.crypto.SecretKey;
049 import javax.crypto.SecretKeyFactory;
050 import javax.crypto.spec.PBEKeySpec;
051
052 import org.bouncycastle.crypto.CryptoException;
053 import org.bouncycastle.crypto.params.KeyParameter;
054 import org.bouncycastle.crypto.params.ParametersWithIV;
055 import org.cumulus4j.crypto.Cipher;
056 import org.cumulus4j.crypto.CipherOperationMode;
057 import org.cumulus4j.crypto.CryptoRegistry;
058 import org.cumulus4j.keystore.prop.LongProperty;
059 import org.cumulus4j.keystore.prop.Property;
060 import org.slf4j.Logger;
061 import org.slf4j.LoggerFactory;
062
063 /**
064 * <p>
065 * <code>KeyStore</code> is a storage facility for cryptographic keys.
066 * </p>
067 * <p>
068 * An instance of <code>KeyStore</code> manages a file in the local file system, in which it stores
069 * the keys used by the Cumulus4j-DataNucleus-plug-in in an encrypted form. All data written to the
070 * file is encrypted, hence plain data never touches the local file system (except for
071 * <a target="_blank" href="http://en.wikipedia.org/wiki/Swap_space">swapping</a>!).
072 * </p>
073 * <p>
074 * For every read/write operation, the <code>KeyStore</code> requires a user to authenticate via a
075 * user-name and a password. The password is used to encrypt/decrypt an internally used master-key
076 * which is then used to encrypt/decrypt the actual keys used by the Cumulus4j-DataNucleus-plug-in.
077 * Due to this internal master key, a user can be added or deleted and a user's password can be
078 * changed without the need of decrypting and encrypting all the contents of the KeyStore.
079 * </p>
080 * <p>
081 * By default, a <code>KeyStore</code> {@link #generateKey(String, char[]) generates keys} with a size
082 * of 256 bit. This can be controlled, however, by specifying the system property
083 * {@value #SYSTEM_PROPERTY_KEY_SIZE} (e.g. passing the argument "-Dcumulus4j.KeyStore.keySize=128"
084 * to the <code>java</code> command line will switch to 128-bit-keys).
085 * </p>
086 * <p>
087 * <b>Important:</b> As the master key is generated when the first
088 * {@link #createUser(String, char[], String, char[]) user is created} and is then not changed anymore, you must therefore
089 * specify the desired key-size already at the moment when you initialise the key store (i.e. create the first user). If
090 * you change the key-size later, it will affect only those keys that are created later.
091 * </p>
092 * <p>
093 * Note, that the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" does not
094 * need to be installed for very strong cryptography, because we don't use the JCE (see {@link Cipher}).
095 * </p>
096 * <h3>File format of the key store file (version 1)</h3>
097 * <p>
098 * <table border="1" width="100%">
099 * <tbody>
100 * <tr>
101 * <td align="right" valign="top"><b>Bytes</b></td><td valign="top"><b>Descrition</b></td>
102 * </tr>
103 * <tr>
104 * <td align="right" valign="top">17</td><td valign="top">Header "Cumulus4jKeyStore" (ASCII encoded)</td>
105 * </tr>
106 * <tr>
107 * <td align="right" valign="top">4</td><td valign="top">int: File version</td>
108 * </tr>
109 * <tr>
110 * <td align="right" valign="top">4</td><td valign="top">int: Number of entries in 'Block A' to follow.</td>
111 * </tr>
112 * <tr>
113 * <td colspan="2">
114 * <table bgcolor="#F0F0F0" border="1" width="100%">
115 * <tbody>
116 * <tr><td bgcolor="#D0D0D0" colspan="2"><b>Block A: String constants</b></td></tr>
117 * <tr>
118 * <td colspan="2">
119 * In order to reduce the file size (and thus increase the write speed), various
120 * strings like encryption algorithm, checksum algorithm and the like are not written
121 * again and again for every key, but instead only once here. In every key, these
122 * Strings are then referenced instead by their position-index (zero-based).
123 * </td>
124 * </tr>
125 *
126 * <tr>
127 * <td align="right" valign="top"><b>Bytes</b></td><td valign="top"><b>Descrition</b></td>
128 * </tr>
129 * <tr>
130 * <td align="right" valign="top">2</td><td valign="top">short <i>len</i>: Number of bytes to follow (written by {@link DataOutputStream#writeUTF(String)}).</td>
131 * </tr>
132 * <tr>
133 * <td align="right" valign="top"><i>len</i></td><td valign="top">String: Constant's value (written by {@link DataOutputStream#writeUTF(String)}).</td>
134 * </tr>
135 * </tbody>
136 * </table>
137 * </td>
138 * </tr>
139 *
140 *
141 * <tr>
142 * <td align="right" valign="top">4</td><td valign="top">int: Number of entries in 'Block B' to follow.</td>
143 * </tr>
144 * <tr>
145 * <td colspan="2">
146 * <table bgcolor="#F0F0F0" border="1" width="100%">
147 * <tbody>
148 * <tr><td bgcolor="#D0D0D0" colspan="2"><b>Block B: User-key-map</b></td></tr>
149 *
150 * <tr>
151 * <td colspan="2">
152 * For every user, the master-key is stored encrypted with the user's password in this block.
153 * </td>
154 * </tr>
155 *
156 * <tr>
157 * <td align="right" valign="top"><b>Bytes</b></td><td valign="top"><b>Descrition</b></td>
158 * </tr>
159 *
160 * <tr>
161 * <td align="right" valign="top">2</td><td valign="top">short <i>len1</i>: User name: Number of bytes to follow (written by {@link DataOutputStream#writeUTF(String)}).</td>
162 * </tr>
163 * <tr>
164 * <td align="right" valign="top"><i>len1</i></td><td valign="top">String: User name (written by {@link DataOutputStream#writeUTF(String)}).</td>
165 * </tr>
166 *
167 * <tr>
168 * <td align="right" valign="top">4</td><td valign="top">int: Key size for the password-based key (in bits! i.e. usually 128 or 256).</td>
169 * </tr>
170 * <tr>
171 * <td align="right" valign="top">4</td><td valign="top">int: Iteration count for the password-based key.</td>
172 * </tr>
173 * <tr>
174 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the key-generator-algorithm for creating the password-based key (index in the list of 'Block A').</td>
175 * </tr>
176 *
177 * <tr>
178 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>len2</i>: Salt: Number of bytes to follow (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
179 * </tr>
180 * <tr>
181 * <td align="right" valign="top"><i>len2</i></td><td valign="top">byte[]: Salt to be used when generating the password-based key (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
182 * </tr>
183 *
184 * <!-- BEGIN written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
185 * <tr>
186 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the encryption algorithm used to encrypt this record's data (index in the list of 'Block A').</td>
187 * </tr>
188 *
189 * <tr>
190 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>lenIV</i>: IV: Number of bytes to follow (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
191 * </tr>
192 * <tr>
193 * <td align="right" valign="top"><i>lenIV</i></td><td valign="top">byte[]: The actual IV (initialisation vector) used to encrypt the key's data (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
194 * </tr>
195 *
196 * <tr>
197 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the <a target="_blank" href="http://en.wikipedia.org/wiki/Message_authentication_code">MAC</a> algorithm used to authenticate this record's data (index in the list of 'Block A').</td>
198 * </tr>
199 *
200 * <tr>
201 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACKey</i>: MAC key: Number of bytes in the MAC's key.</td>
202 * </tr>
203 * <tr>
204 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACIV</i>: MAC IV: Number of bytes in the MAC's IV.</td>
205 * </tr>
206 * <tr>
207 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMAC</i>: MAC: Number of bytes in the MAC.</td>
208 * </tr>
209 *
210 * <tr>
211 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>lenEncrypted</i>: Number of encrypted bytes following (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
212 * </tr>
213 *
214 * <tr>
215 * <td colspan="2">
216 * <table bgcolor="#E0E0E0" border="1" width="100%">
217 * <tbody>
218 * <tr><td bgcolor="#C0C0C0" colspan="2"><b>ENCRYPTED</b></td></tr>
219 * <tr>
220 * <td align="right" valign="top"><i>lenMACKey</i></td><td valign="top">MAC key: The actual MAC's key (random).</td>
221 * </tr>
222 * <tr>
223 * <td align="right" valign="top"><i>lenMACIV</i></td><td valign="top">MAC IV: The actual MAC's IV (random).</td>
224 * </tr>
225 * <tr>
226 * <td align="right" valign="top"><i>all until MAC</i></td><td valign="top">The actual data (payload).</td>
227 * </tr>
228 * <tr>
229 * <td align="right" valign="top"><i>lenMAC</i></td><td valign="top">MAC: The actual MAC.</td>
230 * </tr>
231 * </tbody>
232 * </table>
233 * </td>
234 * </tr>
235 *
236 * <!-- END written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
237 *
238 * </tbody>
239 * </table>
240 * </td>
241 * </tr>
242 *
243 *
244 * <tr>
245 * <td align="right" valign="top">4</td><td valign="top">int: Number of entries in 'Block C' to follow.</td>
246 * </tr>
247 * <tr>
248 * <td colspan="2">
249 * <table bgcolor="#F0F0F0" border="1" width="100%">
250 * <tbody>
251 * <tr><td bgcolor="#D0D0D0" colspan="2"><b>Block C: Key-ID-key-map</b></td></tr>
252 *
253 * <tr>
254 * <td colspan="2">
255 * This block contains the actual keys. Every key is encrypted with the master-key.
256 * </td>
257 * </tr>
258 *
259 * <tr>
260 * <td align="right" valign="top"><b>Bytes</b></td><td valign="top"><b>Descrition</b></td>
261 * </tr>
262 *
263 * <tr>
264 * <td align="right" valign="top">8</td><td valign="top">long: Key identifier.</td>
265 * </tr>
266 *
267 * <!-- BEGIN written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
268 * <tr>
269 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the encryption algorithm used to encrypt this record's data (index in the list of 'Block A').</td>
270 * </tr>
271 *
272 * <tr>
273 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>lenIV</i>: IV: Number of bytes to follow (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
274 * </tr>
275 * <tr>
276 * <td align="right" valign="top"><i>lenIV</i></td><td valign="top">byte[]: The actual IV (initialisation vector) used to encrypt the key's data (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
277 * </tr>
278 *
279 * <tr>
280 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the MAC algorithm used to authenticate this record's data (index in the list of 'Block A').</td>
281 * </tr>
282 *
283 * <tr>
284 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACKey</i>: MAC key: Number of bytes in the MAC's key.</td>
285 * </tr>
286 * <tr>
287 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACIV</i>: MAC IV: Number of bytes in the MAC's IV.</td>
288 * </tr>
289 * <tr>
290 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMAC</i>: MAC: Number of bytes in the MAC.</td>
291 * </tr>
292 *
293 * <tr>
294 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>lenEncrypted</i>: Number of encrypted bytes following (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
295 * </tr>
296 *
297 * <tr>
298 * <td colspan="2">
299 * <table bgcolor="#E0E0E0" border="1" width="100%">
300 * <tbody>
301 * <tr><td bgcolor="#C0C0C0" colspan="2"><b>ENCRYPTED</b></td></tr>
302 * <tr>
303 * <td align="right" valign="top"><i>lenMACKey</i></td><td valign="top">MAC key: The actual MAC's key (random).</td>
304 * </tr>
305 * <tr>
306 * <td align="right" valign="top"><i>lenMACIV</i></td><td valign="top">MAC IV: The actual MAC's IV (random).</td>
307 * </tr>
308 * <tr>
309 * <td align="right" valign="top"><i>all until MAC</i></td><td valign="top">The actual data (payload).</td>
310 * </tr>
311 * <tr>
312 * <td align="right" valign="top"><i>lenMAC</i></td><td valign="top">MAC: The actual MAC.</td>
313 * </tr>
314 * </tbody>
315 * </table>
316 * </td>
317 * </tr>
318 *
319 * <!-- END written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
320 *
321 * </tbody>
322 * </table>
323 * </td>
324 * </tr>
325 *
326 *
327 * <tr>
328 * <td align="right" valign="top">4</td><td valign="top">int: Number of entries in 'Block D' to follow.</td>
329 * </tr>
330 * <tr>
331 * <td colspan="2">
332 * <table bgcolor="#F0F0F0" border="1" width="100%">
333 * <tbody>
334 * <tr><td bgcolor="#D0D0D0" colspan="2"><b>Block D: Properties</b></td></tr>
335 * <tr>
336 * <td colspan="2">
337 * See {@link Property} for details about what this block is used for.
338 * </td>
339 * </tr>
340 * <tr>
341 * <td align="right" valign="top"><b>Bytes</b></td><td valign="top"><b>Descrition</b></td>
342 * </tr>
343 *
344 * <tr>
345 * <td align="right" valign="top">2</td><td valign="top">short <i>len1</i>: Property name: Number of bytes to follow (written by {@link DataOutputStream#writeUTF(String)}).</td>
346 * </tr>
347 * <tr>
348 * <td align="right" valign="top"><i>len1</i></td><td valign="top">String: Property name (written by {@link DataOutputStream#writeUTF(String)}).</td>
349 * </tr>
350 *
351 * <tr>
352 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the fully qualified class name of the {@link Property} (index in the list of 'Block A').</td>
353 * </tr>
354 *
355 * <!-- BEGIN written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
356 * <tr>
357 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the encryption algorithm used to encrypt this record's data (index in the list of 'Block A').</td>
358 * </tr>
359 *
360 * <tr>
361 * <td align="right" valign="top">2</td><td valign="top">UNSIGNED short <i>lenIV</i>: IV: Number of bytes to follow (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
362 * </tr>
363 * <tr>
364 * <td align="right" valign="top"><i>lenIV</i></td><td valign="top">byte[]: The actual IV (initialisation vector) used to encrypt the key's data (written by {@link KeyStoreUtil#writeByteArrayWithShortLengthHeader(DataOutputStream, byte[])}).</td>
365 * </tr>
366 *
367 * <tr>
368 * <td align="right" valign="top">4</td><td valign="top">int: Reference to the name of the MAC algorithm used to authenticate this record's data (index in the list of 'Block A').</td>
369 * </tr>
370 *
371 * <tr>
372 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACKey</i>: MAC key: Number of bytes in the MAC's key.</td>
373 * </tr>
374 * <tr>
375 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMACIV</i>: MAC IV: Number of bytes in the MAC's IV.</td>
376 * </tr>
377 * <tr>
378 * <td align="right" valign="top">2</td><td valign="top">short <i>lenMAC</i>: MAC: Number of bytes in the MAC.</td>
379 * </tr>
380 *
381 * <tr>
382 * <td align="right" valign="top">4</td><td valign="top">int <i>lenEncrypted</i>: Number of encrypted bytes following (written by {@link KeyStoreUtil#writeByteArrayWithIntegerLengthHeader(DataOutputStream, byte[])}).</td>
383 * </tr>
384 *
385 * <tr>
386 * <td colspan="2">
387 * <table bgcolor="#E0E0E0" border="1" width="100%">
388 * <tbody>
389 * <tr><td bgcolor="#C0C0C0" colspan="2"><b>ENCRYPTED</b></td></tr>
390 * <tr>
391 * <td align="right" valign="top"><i>lenMACKey</i></td><td valign="top">MAC key: The actual MAC's key (random).</td>
392 * </tr>
393 * <tr>
394 * <td align="right" valign="top"><i>lenMACIV</i></td><td valign="top">MAC IV: The actual MAC's IV (random).</td>
395 * </tr>
396 * <tr>
397 * <td align="right" valign="top"><i>all until MAC</i></td><td valign="top">The actual data (payload).</td>
398 * </tr>
399 * <tr>
400 * <td align="right" valign="top"><i>lenMAC</i></td><td valign="top">MAC: The actual MAC.</td>
401 * </tr>
402 * </tbody>
403 * </table>
404 * </td>
405 * </tr>
406 *
407 * <!-- END written by {@link AbstractEncryptedData#write(DataOutputStream, Map)} -->
408 *
409 * <tr>
410 * <td align="right" valign="top">20</td><td valign="top">SHA1 checksum over the complete file except for the header "Cumulus4jKeyStore", i.e. from the file version at byte offset 17 (including) till here (excluding).</td>
411 * </tr>
412 * </tbody>
413 * </table>
414 * </td>
415 * </tr>
416 *
417 * </tbody>
418 * </table>
419 * </p>
420 *
421 * @author Marco หงุ่ยตระกูล-Schulze - marco at nightlabs dot de
422 */
423 public class KeyStore
424 {
425 static final Logger logger = LoggerFactory.getLogger(KeyStore.class);
426
427 // private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
428 // static {
429 // Security.insertProviderAt(bouncyCastleProvider, 2);
430 //
431 // KeyGenerator kg;
432 // try {
433 // kg = KeyGenerator.getInstance("AES");
434 // } catch (NoSuchAlgorithmException e) {
435 // logger.warn("KeyGenerator.getInstance(\"AES\") failed: " + e, e);
436 // kg = null;
437 // }
438 //
439 // if (kg == null || kg.getProvider() != bouncyCastleProvider)
440 // logger.warn("BouncyCastleProvider was NOT registered!!!");
441 // }
442
443 /**
444 * <p>
445 * System property to control the size of the keys {@link #generateKey(String, char[]) generated}. This
446 * includes not only the actual keys for the main encryption/decryption (in the database), but also the
447 * master key used to protect the file managed by the <code>KeyStore</code>.
448 * </p>
449 * <p>
450 * By default (if the system property {@value #SYSTEM_PROPERTY_KEY_SIZE} is not specified), keys will have a size of 256 bit.
451 * </p>
452 * <p>
453 * Note, that specifying the system property does not change any old keys - only new keys are generated
454 * with the currently active key size. Therefore, if you want to ensure that the internal master key is
455 * only 128 bit long, you have to make sure that the proper key size is specified when the first
456 * {@link #createUser(String, char[], String, char[]) user is created}!
457 * </p>
458 */
459 public static final String SYSTEM_PROPERTY_KEY_SIZE = "cumulus4j.KeyStore" + ".keySize";
460
461 /**
462 * <p>
463 * System property to control the encryption algorithm that is used to encrypt data within the key-store. Whenever a new user is
464 * created or a new key is generated, data has to be encrypted (note that the encryption does not happen directly
465 * before data is written to the file, but already most data in memory is encrypted!).
466 * </p>
467 * <p>
468 * By default (if the system property {@value #SYSTEM_PROPERTY_ENCRYPTION_ALGORITHM} is not specified),
469 * "Twofish/GCM/NoPadding" is used. For example, to switch to "AES/CFB/NoPadding", you'd have
470 * to specify the command line argument "-Dcumulus4j.KeyStore.encryptionAlgorithm=AES/CFB/NoPadding".
471 * </p>
472 * <p>
473 * See <a target="_blank" href="http://cumulus4j.org/1.2.0/documentation/supported-algorithms.html">this document</a>
474 * for further information about what values are supported.
475 * </p>
476 * <p>
477 * <b>Important:</b> The default MAC algorithm is "NONE", which is a very bad choice for most encryption algorithms!
478 * Therefore, you must change the MAC algorithm via the system property {@value #SYSTEM_PROPERTY_MAC_ALGORITHM}
479 * if you change the encryption algorithm!
480 * </p>
481 */
482 public static final String SYSTEM_PROPERTY_ENCRYPTION_ALGORITHM = "cumulus4j.KeyStore" + ".encryptionAlgorithm";
483
484 /**
485 * <p>
486 * System property to control the <a target="_blank" href="http://en.wikipedia.org/wiki/Message_authentication_code">MAC</a>
487 * algorithm that is used to protect the data within the key-store against manipulation.
488 * </p>
489 * <p>
490 * Whenever data is encrypted, this MAC algorithm is used to calculate a MAC over the original plain-text-data.
491 * The MAC is then stored together with the plain-text-data within the encrypted area.
492 * When data is decrypted, the MAC is calculated again over the decrypted plain-text-data and compared to the
493 * original MAC in order to make sure (1) that data was correctly decrypted [i.e. the password provided by the user
494 * is correct] and (2) that the data in the key-store was not manipulated by an attacker.
495 * </p>
496 * <p>
497 * The MAC algorithm used during encryption is stored in the encryption-record's meta-data in order
498 * to use the correct algorithm during decryption, no matter what current MAC algorithm is configured.
499 * Therefore, you can safely change this setting at any time - it will affect future encryption
500 * operations, only.
501 * </p>
502 * <p>
503 * Some block cipher modes (e.g. <a target="_blank" href="http://en.wikipedia.org/wiki/Galois/Counter_Mode">GCM</a>) already include authentication
504 * and therefore no MAC is necessary. In this case, you can specify the MAC algorithm {@value #MAC_ALGORITHM_NONE}.
505 * </p>
506 * <p>
507 * <b>Important:</b> If you specify the MAC algorithm "NONE" and use an encryption algorithm without
508 * authentication, the key store will not be able to detect a wrong password and instead return
509 * corrupt data!!! Be VERY careful with the MAC algorithm "NONE"!!!
510 * </p>
511 * <p>
512 * The default value (used when this system property is not specified) is "NONE", because the default
513 * encryption algorithm is "Twofish/GCM/NoPadding", which (due to "GCM") does not require an additional
514 * MAC.
515 * </p>
516 */
517 public static final String SYSTEM_PROPERTY_MAC_ALGORITHM = "cumulus4j.KeyStore" + ".macAlgorithm";
518
519 /**
520 * <p>
521 * Constant for deactivating the <a target="_blank" href="http://en.wikipedia.org/wiki/Message_authentication_code">MAC</a>.
522 * </p>
523 * <p>
524 * <b>Important: Deactivating the MAC is dangerous!</b> Choose this value only, if you are absolutely
525 * sure that your {@link #SYSTEM_PROPERTY_ENCRYPTION_ALGORITHM encryption algorithm} already
526 * provides authentication - like <a target="_blank" href="http://en.wikipedia.org/wiki/Galois/Counter_Mode">GCM</a>
527 * does for example.
528 * </p>
529 * @see #SYSTEM_PROPERTY_MAC_ALGORITHM
530 */
531 public static final String MAC_ALGORITHM_NONE = "NONE";
532
533 private static final String KEY_STORE_PROPERTY_NAME_NEXT_KEY_ID = "nextKeyID";
534
535 private SecureRandom secureRandom = new SecureRandom();
536
537 private static Timer expireCacheEntryTimer = new Timer(KeyStore.class.getSimpleName(), true);
538
539 private TimerTask expireCacheEntryTimerTask = new ExipreCacheEntryTimerTask(this);
540
541 private KeyStoreData keyStoreData = new KeyStoreData();
542
543 private static class ExipreCacheEntryTimerTask extends TimerTask
544 {
545 private static final Logger logger = LoggerFactory.getLogger(ExipreCacheEntryTimerTask.class);
546
547 private WeakReference<KeyStore> keyStoreRef;
548
549 public ExipreCacheEntryTimerTask(KeyStore keyStore)
550 {
551 if (keyStore == null)
552 throw new IllegalArgumentException("keyStore == null");
553
554 this.keyStoreRef = new WeakReference<KeyStore>(keyStore);
555 }
556
557 @Override
558 public void run()
559 {
560 try {
561 KeyStore keyStore = keyStoreRef.get();
562 if (keyStore == null) {
563 logger.info("run: KeyStore has been garbage-collected. Removing this ExipreCacheEntryTimerTask.");
564 this.cancel();
565 return;
566 }
567
568 Date removeCachedEntriesOlderThanThisDate = new Date(System.currentTimeMillis() - 3L * 60L * 1000L); // TODO make this configurable!
569
570 LinkedList<String> userNamesToExpire = new LinkedList<String>();
571 synchronized (keyStore) {
572 for (CachedMasterKey cmk : keyStore.cache_userName2cachedMasterKey.values()) {
573 if (cmk.getLastUse().before(removeCachedEntriesOlderThanThisDate))
574 userNamesToExpire.add(cmk.getUserName());
575 }
576 }
577
578 for (String userName : userNamesToExpire) {
579 logger.info("run: Expiring cache for user '{}'.", userName);
580 keyStore.clearCache(userName);
581 }
582
583 if (logger.isDebugEnabled()) {
584 synchronized (keyStore) {
585 logger.debug("run: {} users left in cache.", keyStore.cache_userName2cachedMasterKey.size());
586 }
587 }
588 } catch (Throwable x) {
589 // The TimerThread is cancelled, if a task throws an exception. Furthermore, they are not logged at all.
590 // Since we do not want the TimerThread to die, we catch everything (Throwable - not only Exception) and log
591 // it here. IMHO there's nothing better we can do. Marco :-)
592 logger.error("run: " + x, x);
593 }
594 }
595 }
596
597 /**
598 * Gets the key-size that is currently configured. Therefore, this method checks, if the
599 * system property {@value #SYSTEM_PROPERTY_KEY_SIZE} has been specified, and if so returns its value.
600 * If not, it falls back to 256.
601 *
602 * @return the current key-size.
603 */
604 int getKeySize()
605 {
606 int ks = keySize;
607
608 if (ks == 0) {
609 String keySizePropName = SYSTEM_PROPERTY_KEY_SIZE;
610 String keySizePropValue = System.getProperty(keySizePropName);
611 if (keySizePropValue == null || keySizePropValue.trim().isEmpty()) {
612 ks = 256; // default value, if the property was not defined.
613 logger.info("getKeySize: System property '{}' is not set. Using default key size ({} bit).", keySizePropName, ks);
614 }
615 else {
616 try {
617 ks = Integer.parseInt(keySizePropValue.trim());
618 } catch (NumberFormatException x) {
619 NumberFormatException n = new NumberFormatException("Value of system property '" + keySizePropName + "' is not a valid integer!");
620 n.initCause(x);
621 throw n;
622 }
623 if (ks < 1)
624 throw new IllegalStateException("Value of system property '" + keySizePropName + "' is " + keySize + " but must be >= 1!!!");
625
626 logger.info("getKeySize: System property '{}' is set to {} bit. Using this key size.", keySizePropName, ks);
627 }
628 keySize = ks;
629 }
630
631 return ks;
632 }
633 private int keySize = 0;
634
635
636 String getEncryptionAlgorithm()
637 {
638 String ea = encryptionAlgorithm;
639
640 if (ea == null) {
641 String encryptionAlgorithmPropName = SYSTEM_PROPERTY_ENCRYPTION_ALGORITHM;
642 String encryptionAlgorithmPropValue = System.getProperty(encryptionAlgorithmPropName);
643 if (encryptionAlgorithmPropValue == null || encryptionAlgorithmPropValue.trim().isEmpty()) {
644 ea = "Twofish/GCM/NoPadding"; // default value, if the property was not defined.
645 // ea = "Twofish/CBC/PKCS5Padding"; // default value, if the property was not defined.
646 // ea = "AES/CBC/PKCS5Padding"; // default value, if the property was not defined.
647 // ea = "AES/CFB/NoPadding"; // default value, if the property was not defined.
648 logger.info("getEncryptionAlgorithm: System property '{}' is not set. Using default algorithm '{}'.", encryptionAlgorithmPropName, ea);
649 }
650 else {
651 ea = encryptionAlgorithmPropValue.trim();
652 logger.info("getEncryptionAlgorithm: System property '{}' is set to '{}'. Using this encryption algorithm.", encryptionAlgorithmPropName, ea);
653 }
654 encryptionAlgorithm = ea;
655 }
656
657 return ea;
658 }
659 private String encryptionAlgorithm = null;
660
661
662 String getMACAlgorithm()
663 {
664 String ma = macAlgorithm;
665
666 if (ma == null) {
667 String macAlgorithmPropName = SYSTEM_PROPERTY_MAC_ALGORITHM;
668 String macAlgorithmPropValue = System.getProperty(macAlgorithmPropName);
669 if (macAlgorithmPropValue == null || macAlgorithmPropValue.trim().isEmpty()) {
670 ma = MAC_ALGORITHM_NONE; // default value, if the property was not defined.
671 logger.info("getMACAlgorithm: System property '{}' is not set. Using default MAC algorithm '{}'.", macAlgorithmPropName, ma);
672 }
673 else {
674 ma = macAlgorithmPropValue.trim();
675 logger.info("getMACAlgorithm: System property '{}' is set to '{}'. Using this MAC algorithm.", macAlgorithmPropName, ma);
676 }
677 macAlgorithm = ma;
678 }
679
680 return ma;
681 }
682 private String macAlgorithm = null;
683
684
685 byte[] generateKey(int keySize)
686 {
687 byte[] result = new byte[(keySize + 7) / 8];
688 secureRandom.nextBytes(result);
689 return result;
690 }
691
692 byte[] generateKey()
693 {
694 return generateKey(getKeySize());
695 // return new SecretKeySpec(
696 // generateKey(getKeySize()),
697 // getBaseAlgorithm(getEncryptionAlgorithm())
698 // );
699 }
700
701 private String keyStoreID;
702 private File keyStoreFile;
703
704 /**
705 * <p>
706 * Create a new instance of <code>KeyStore</code>.
707 * </p>
708 * <p>
709 * If the file specified by <code>keyStoreFile</code> exists, it is read into memory. If it does not exist,
710 * an empty <code>KeyStore</code> is created and written to this file.
711 * </p>
712 * @param keyStoreID the identifier that is used to reference this key-store. Usually, this is the simple file name
713 * without path and without extension. The <code>keyStoreID</code> is currently not stored in the key-store-file -
714 * it is transient.
715 * @param keyStoreFile the file to be read (if existing) or created. Note that temporary files (and later maybe backup files, too)
716 * are created in the same directory (i.e. in {@link File#getParentFile() keyStoreFile.getParentFile()}).
717 *
718 * @throws IOException if reading from or writing to the local file-system failed.
719 */
720 public KeyStore(String keyStoreID, File keyStoreFile) throws IOException
721 {
722 if (keyStoreFile == null)
723 throw new IllegalArgumentException("keyStoreFile == null");
724
725 if (keyStoreID == null)
726 throw new IllegalArgumentException("keyStoreID == null");
727
728 // TODO maybe be more restrictive?! E.g. allow only MIME-base64 characters?
729 if (keyStoreID.indexOf('*') > 0)
730 throw new IllegalArgumentException("keyStoreID must not contain '*'");
731
732 if (keyStoreID.indexOf('_') > 0)
733 throw new IllegalArgumentException("keyStoreID must not contain '_'");
734
735 if (keyStoreID.indexOf(' ') > 0)
736 throw new IllegalArgumentException("keyStoreID must not contain ' '");
737
738 this.keyStoreID = keyStoreID;
739 this.keyStoreFile = keyStoreFile;
740
741 if (!keyStoreFile.getParentFile().isDirectory())
742 throw new FileNotFoundException("Path does not exist or is not a directory: " + keyStoreFile.getParentFile().getAbsolutePath());
743
744 // In case the old file was already deleted, but the new not yet renamed, we check, if a new file
745 // exists and the old file is missing - in this case, we load the new file.
746 File newKeyStoreFile = getNewKeyStoreFile();
747 if (!keyStoreFile.exists() && newKeyStoreFile.exists())
748 keyStoreFile = newKeyStoreFile;
749
750 FileInputStream in = keyStoreFile.length() == 0 ? null : new FileInputStream(keyStoreFile);
751 if (in != null) {
752 try {
753 keyStoreData.readFromStream(in);
754 } finally {
755 in.close();
756 }
757 }
758 else
759 storeToFile(); // create the file (empty) already now, if it does not exist.
760
761 expireCacheEntryTimer.schedule(expireCacheEntryTimerTask, 60000, 60000); // TODO make this configurable
762 }
763
764 public static void main(String[] args) throws UnsupportedEncodingException {
765 System.out.println(URLEncoder.encode("_*", "UTF-8"));
766 }
767
768 /**
769 * Get the identifier that is used to reference this key-store. Usually, this is the simple file name
770 * without path and without extension. The <code>keyStoreID</code> is currently not stored in the key-store-file -
771 * it is transient. Note, though, that it is used persistently inside the actual database!
772 * @return the identifier that is used to reference this key-store.
773 */
774 public String getKeyStoreID() {
775 return keyStoreID;
776 }
777
778 File getNewKeyStoreFile()
779 {
780 return new File(keyStoreFile.getParentFile(), keyStoreFile.getName() + ".new");
781 }
782
783 /**
784 * Determine if this <code>KeyStore</code> is completely empty. As soon as the first user has been
785 * created, this method will return <code>false</code>.
786 *
787 * @return <code>true</code> if this <code>KeyStore</code> contains neither any user nor any key, i.e. is totally empty;
788 * <code>false</code> otherwise.
789 */
790 public synchronized boolean isEmpty()
791 {
792 return keyStoreData.user2keyMap.isEmpty();
793 }
794
795 synchronized long nextKeyID(String authUserName, char[] authPassword) throws AuthenticationException
796 {
797 LongProperty property = getProperty(authUserName, authPassword, LongProperty.class, KEY_STORE_PROPERTY_NAME_NEXT_KEY_ID);
798 if (property.getValue() == null)
799 property.setValue(1L);
800
801 long result = property.getValue();
802 property.setValue(result + 1);
803 _setProperty(authUserName, authPassword, property);
804 return result;
805 }
806
807 private Map<String, CachedMasterKey> cache_userName2cachedMasterKey = new HashMap<String, CachedMasterKey>();
808
809 public synchronized int getMasterKeySize(String authUserName, char[] authPassword)
810 throws AuthenticationException
811 {
812 MasterKey masterKey = getMasterKey(authUserName, authPassword);
813 return masterKey.getEncoded().length * 8;
814 }
815
816 /**
817 * Authenticate and get the master-key. If there is a cache-entry existing, directly return this
818 * (after comparing the password); otherwise decrypt the master-key using the given password.
819 *
820 * @param authUserName the user from whose slot to take and decrypt the master-key.
821 * @param authPassword the password with which to try to decrypt the master-key.
822 * @return the decrypted, plain master-key.
823 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
824 * is not correct for the given <code>authUserName</code>.
825 */
826 synchronized MasterKey getMasterKey(String authUserName, char[] authPassword)
827 throws AuthenticationException
828 {
829 // logger.trace("getMasterKey: authUserName={} authPassword={}", authUserName, new String(authPassword));
830
831 CachedMasterKey cachedMasterKey = cache_userName2cachedMasterKey.get(authUserName);
832 MasterKey result = cachedMasterKey == null ? null : cachedMasterKey.getMasterKey();
833 if (result != null && Arrays.equals(authPassword, cachedMasterKey.getPassword())) {
834 cachedMasterKey.updateLastUse();
835 return result;
836 }
837 result = null;
838
839 EncryptedMasterKey encryptedKey = keyStoreData.user2keyMap.get(authUserName);
840 if (encryptedKey == null)
841 logger.warn("getMasterKey: Unknown userName: {}", authUserName); // NOT throw exception here to not disclose the true reason of the AuthenticationException - see below
842 else {
843 PlaintextDataAndMAC plaintextDataAndMAC;
844 try {
845 Cipher cipher = getCipherForUserPassword(
846 authPassword,
847 encryptedKey.getPasswordBasedKeySize(),
848 encryptedKey.getPasswordBasedIterationCount(),
849 encryptedKey.getPasswordBasedKeyGeneratorAlgorithm(),
850 encryptedKey.getSalt(),
851 encryptedKey.getEncryptionIV(), encryptedKey.getEncryptionAlgorithm(),
852 CipherOperationMode.DECRYPT
853 );
854 byte[] decrypted = cipher.doFinal(encryptedKey.getEncryptedData());
855
856 plaintextDataAndMAC = new PlaintextDataAndMAC(decrypted, encryptedKey);
857 } catch (CryptoException x) {
858 logger.warn("getMasterKey: Caught CryptoException indicating a wrong password for user \"{}\"!", authUserName);
859 plaintextDataAndMAC = null;
860 } catch (GeneralSecurityException x) {
861 throw new RuntimeException(x);
862 }
863
864 try {
865 if (plaintextDataAndMAC != null && plaintextDataAndMAC.verifyMAC())
866 result = new MasterKey(plaintextDataAndMAC.getData());
867 else
868 logger.warn("getMasterKey: Wrong password for user \"{}\"! MAC verification failed.", authUserName);
869 } catch (GeneralSecurityException x) {
870 throw new RuntimeException(x);
871 }
872 }
873
874 // We check only once at the end of this method if we could successfully authenticate and otherwise
875 // throw a AuthenticationException. If we threw the AuthenticationException at different locations (even with the same
876 // message), and attacker might know from the stack trace (=> line number) whether the user-name
877 // or the password was wrong. This information will be logged, but not disclosed in the exception.
878 // Marco :-)
879 if (result == null)
880 throw new AuthenticationException("Unknown user \"" + authUserName + "\" or wrong password!");
881
882 cache_userName2cachedMasterKey.put(authUserName, new CachedMasterKey(authUserName, authPassword, result));
883 return result;
884 }
885
886 private Cipher getCipherForUserPassword(
887 char[] password,
888 int passwordBasedKeySize, int passwordBasedIterationCount, String passwordBasedKeyGeneratorAlgorithm,
889 byte[] salt, byte[] iv, String algorithm, CipherOperationMode opmode) throws GeneralSecurityException
890 {
891 if (iv == null) {
892 if (CipherOperationMode.ENCRYPT != opmode)
893 throw new IllegalArgumentException("iv must not be null when decrypting!");
894 }
895 else {
896 if (CipherOperationMode.ENCRYPT == opmode)
897 throw new IllegalArgumentException("iv must be null when encrypting!");
898 }
899
900 if (algorithm == null) {
901 if (CipherOperationMode.ENCRYPT != opmode)
902 throw new IllegalArgumentException("algorithm must not be null when decrypting!");
903
904 algorithm = getEncryptionAlgorithm();
905 }
906
907 SecretKeyFactory factory = SecretKeyFactory.getInstance(passwordBasedKeyGeneratorAlgorithm);
908
909 KeySpec spec = new PBEKeySpec(password, salt, passwordBasedIterationCount, passwordBasedKeySize);
910 SecretKey secretKey = factory.generateSecret(spec);
911
912 Cipher cipher = CryptoRegistry.sharedInstance().createCipher(algorithm);
913
914 if (iv == null) {
915 iv = new byte[cipher.getIVSize()];
916 secureRandom.nextBytes(iv);
917 }
918
919 cipher.init(opmode, new ParametersWithIV(new KeyParameter(secretKey.getEncoded()), iv));
920
921 return cipher;
922 }
923
924 // private String getBaseAlgorithm(String algorithm)
925 // {
926 // int slashIdx = algorithm.indexOf('/');
927 // if (slashIdx < 0)
928 // return algorithm;
929 //
930 // return algorithm.substring(0, slashIdx);
931 // }
932
933 private Cipher getCipherForMasterKey(MasterKey masterKey, byte[] iv, String algorithm, CipherOperationMode opmode) throws GeneralSecurityException
934 {
935 if (iv == null) {
936 if (CipherOperationMode.ENCRYPT != opmode)
937 throw new IllegalArgumentException("iv must not be null when decrypting!");
938 }
939 else {
940 if (CipherOperationMode.ENCRYPT == opmode)
941 throw new IllegalArgumentException("iv must be null when encrypting!");
942 }
943
944 if (algorithm == null) {
945 if (CipherOperationMode.ENCRYPT != opmode)
946 throw new IllegalArgumentException("algorithm must not be null when decrypting!");
947
948 algorithm = getEncryptionAlgorithm();
949 }
950
951 Cipher cipher = CryptoRegistry.sharedInstance().createCipher(algorithm);
952
953 if (iv == null) {
954 iv = new byte[cipher.getIVSize()];
955 secureRandom.nextBytes(iv);
956 }
957 cipher.init(opmode, new ParametersWithIV(new KeyParameter(masterKey.getEncoded()), iv));
958 return cipher;
959 }
960
961 /**
962 * <p>
963 * Generate a new key and store it to the file.
964 * </p>
965 * <p>
966 * The new key will be generated with the size specified by the
967 * system property {@value #SYSTEM_PROPERTY_KEY_SIZE} and encrypted with the
968 * master-key and the encryption-algorithm specified by the
969 * system property {@value #SYSTEM_PROPERTY_ENCRYPTION_ALGORITHM}.
970 * </p>
971 *
972 * @param authUserName the authenticated user authorizing this action.
973 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
974 * @return the newly created key.
975 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
976 * is not correct for the given <code>authUserName</code>.
977 * @throws IOException if writing to the local file-system failed.
978 */
979 public synchronized GeneratedKey generateKey(String authUserName, char[] authPassword)
980 throws AuthenticationException, IOException
981 {
982 long keyID = nextKeyID(authUserName, authPassword);
983 byte[] key = generateKey();
984 GeneratedKey generatedKey = new GeneratedKey(keyID, key);
985 _setKey(authUserName, authPassword, keyID, key);
986 storeToFile();
987 return generatedKey;
988 }
989
990 /**
991 * <p>
992 * Generate <code>qty</code> new keys and store them to the file.
993 * </p>
994 * <p>
995 * This method behaves like {@link #generateKey(String, char[])} but is much
996 * faster when multiple keys have to be generated (bulk operation).
997 * </p>
998 *
999 * @param authUserName the authenticated user authorizing this action.
1000 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1001 * @param qty the number of keys to be generated. If 0, the method will do nothing and return
1002 * an empty list, if < 0, an {@link IllegalArgumentException} will be thrown.
1003 * @return a list of generated keys; never <code>null</code>.
1004 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1005 * is not correct for the given <code>authUserName</code>.
1006 * @throws IOException if writing to the local file-system failed.
1007 */
1008 public synchronized List<GeneratedKey> generateKeys(String authUserName, char[] authPassword, int qty)
1009 throws AuthenticationException, IOException
1010 {
1011 if (qty < 0)
1012 throw new IllegalArgumentException("qty < 0");
1013
1014 List<GeneratedKey> result = new ArrayList<GeneratedKey>(qty);
1015 for (int i = 0; i < qty; ++i) {
1016 long keyID = nextKeyID(authUserName, authPassword);
1017 byte[] key = generateKey();
1018 GeneratedKey generatedKey = new GeneratedKey(keyID, key);
1019 _setKey(authUserName, authPassword, keyID, key);
1020 result.add(generatedKey);
1021 }
1022 storeToFile();
1023 return result;
1024 }
1025
1026 /**
1027 * <p>
1028 * Create a new user.
1029 * </p>
1030 * <p>
1031 * Before the <code>KeyStore</code> can be used (i.e. before most methods work), this method has to be called
1032 * to create the first user. When the first user is created, the internal master-key is generated, which will
1033 * then not be changed anymore (double-check that the {@link #SYSTEM_PROPERTY_KEY_SIZE key-size} is set correctly at
1034 * this time).
1035 * </p>
1036 *
1037 * @param authUserName the authenticated user authorizing this action. If the very first user is created, this value
1038 * is ignored and can be <code>null</code>.
1039 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>. If the very first user is created, this value
1040 * is ignored and can be <code>null</code>.
1041 * @param userName the name of the user to be created.
1042 * @param password the password of the new user.
1043 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1044 * is not correct for the given <code>authUserName</code>.
1045 * @throws UserAlreadyExistsException if a user with the name specified by <code>userName</code> already exists.
1046 * @throws IOException if writing to the local file-system failed.
1047 */
1048 public synchronized void createUser(String authUserName, char[] authPassword, String userName, char[] password)
1049 throws AuthenticationException, UserAlreadyExistsException, IOException
1050 {
1051 if (userName == null)
1052 throw new IllegalArgumentException("userName must not be null!");
1053
1054 if (password == null)
1055 throw new IllegalArgumentException("password must not be null!");
1056
1057 MasterKey masterKey;
1058
1059 if (isEmpty()) {
1060 byte[] key = generateKey();
1061 masterKey = new MasterKey(key);
1062 // Unfortunately, we cannot clear the sensitive data from the key instance, because
1063 // there is no nice way to do this (we could only do very ugly reflection-based stuff).
1064 // But fortunately, this happens only the very first time a new, empty KeyStore is created.
1065 // With an existing KeyStore we won't come here and our MasterKey can [and will] be cleared.
1066 // Marco :-)
1067 logger.info("createUser: Created master-key with a size of {} bits. This key will not be modified for this key-store anymore.", key.length * 8);
1068 }
1069 else
1070 masterKey = getMasterKey(authUserName, authPassword);
1071
1072 if (keyStoreData.user2keyMap.containsKey(userName))
1073 throw new UserAlreadyExistsException("User '" + userName + "' already exists!");
1074
1075 setUser(masterKey, userName, password);
1076 }
1077
1078 synchronized void setUser(MasterKey masterKey, String userName, char[] password)
1079 throws IOException
1080 {
1081 byte[] plainMasterKeyData = masterKey.getEncoded();
1082
1083 byte[] salt = new byte[8]; // Are 8 bytes salt salty (i.e. secure) enough?
1084 secureRandom.nextBytes(salt);
1085 try {
1086 int passwordBasedKeySize = getKeySize();
1087 int passwordBasedIterationCount = 1024; // TODO make configurable!
1088 String passwordBasedKeyGeneratorAlgorithm = "PBKDF2WithHmacSHA1"; // TODO make configurable
1089
1090 Cipher cipher = getCipherForUserPassword(
1091 password,
1092 passwordBasedKeySize,
1093 passwordBasedIterationCount,
1094 passwordBasedKeyGeneratorAlgorithm,
1095 salt, null, null, CipherOperationMode.ENCRYPT
1096 );
1097
1098 PlaintextDataAndMAC plaintextDataAndMAC = new PlaintextDataAndMAC(plainMasterKeyData, getMACAlgorithm());
1099 byte[] encrypted = cipher.doFinal(plaintextDataAndMAC.toByteArray());
1100
1101 byte[] iv = ((ParametersWithIV)cipher.getParameters()).getIV();
1102
1103 EncryptedMasterKey encryptedKey = new EncryptedMasterKey(
1104 keyStoreData,
1105 userName,
1106 passwordBasedKeySize,
1107 passwordBasedIterationCount,
1108 keyStoreData.stringConstant(passwordBasedKeyGeneratorAlgorithm),
1109 salt,
1110 keyStoreData.stringConstant(cipher.getTransformation()),
1111 iv,
1112 keyStoreData.stringConstant(plaintextDataAndMAC.getMACAlgorithm()),
1113 (short)plaintextDataAndMAC.getMACKey().length,
1114 (short)plaintextDataAndMAC.getMACIV().length,
1115 (short)plaintextDataAndMAC.getMAC().length, encrypted
1116 );
1117 keyStoreData.user2keyMap.put(userName, encryptedKey);
1118 usersCache = null;
1119 } catch (CryptoException e) {
1120 throw new RuntimeException(e);
1121 } catch (GeneralSecurityException e) {
1122 throw new RuntimeException(e);
1123 }
1124
1125 storeToFile();
1126 }
1127
1128 synchronized void storeToFile() throws IOException
1129 {
1130 File newKeyStoreFile = getNewKeyStoreFile();
1131 boolean deleteNewKeyStoreFile = true;
1132 try {
1133 OutputStream out = new FileOutputStream(newKeyStoreFile);
1134 try {
1135 keyStoreData.writeToStream(out);
1136 } finally {
1137 out.close();
1138 }
1139
1140 deleteNewKeyStoreFile = false;
1141 keyStoreFile.delete();
1142 newKeyStoreFile.renameTo(keyStoreFile);
1143 } finally {
1144 if (deleteNewKeyStoreFile) {
1145 try {
1146 newKeyStoreFile.delete();
1147 } catch (Exception x) {
1148 logger.warn("Deleting the newKeyStoreFile failed!", x);
1149 }
1150 }
1151 }
1152 }
1153
1154 /**
1155 * <p>
1156 * Get all users who can authenticate at this <code>KeyStore</code>.
1157 * </p>
1158 *
1159 * @param authUserName the authenticated user authorizing this action.
1160 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1161 * @return a read-only {@link Set} of all user-names known to this <code>KeyStore</code>. This
1162 * <code>Set</code> is an unmodifiable copy of the internally used data and therefore is both thread-safe
1163 * and iteration-safe (i.e. it can be iterated while simultaneously users are {@link #deleteUser(String, char[], String) deleted}).
1164 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1165 * is not correct for the given <code>authUserName</code>.
1166 */
1167 public synchronized SortedSet<String> getUsers(String authUserName, char[] authPassword)
1168 throws AuthenticationException
1169 {
1170 // The following getMasterKey(...) is no real protection, because the information returned by this method
1171 // is currently not protected, but this way, we already have the right arguments to later encrypt this
1172 // information, too - if we ever want to.
1173 // Marco :-)
1174 getMasterKey(authUserName, authPassword);
1175
1176 SortedSet<String> users = usersCache;
1177 if (users == null) {
1178 users = Collections.unmodifiableSortedSet(new TreeSet<String>(keyStoreData.user2keyMap.keySet()));
1179 usersCache = users;
1180 }
1181
1182 return users;
1183 }
1184
1185 private SortedSet<String> usersCache = null;
1186
1187 /**
1188 * <p>
1189 * Delete the user specified by <code>userName</code>.
1190 * </p>
1191 * <p>
1192 * Deleting the authenticated user himself (i.e. <code>authUserName == userName</code>) is possible,
1193 * as long as it is not the last user.
1194 * </p>
1195 *
1196 * @param authUserName the name of the principal, i.e. the user authorizing this operation.
1197 * @param authPassword the password of the principal.
1198 * @param userName the name of the user to be deleted.
1199 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1200 * is not correct for the given <code>authUserName</code>.
1201 * @throws UserNotFoundException if there is no user with the name specified by <code>userName</code>.
1202 * @throws CannotDeleteLastUserException if the last user would be deleted by this method invocation (thus rendering
1203 * the <code>KeyStore</code> unusable and unrecoverable - i.e. totally lost).
1204 * @throws IOException if writing to the local file-system failed.
1205 */
1206 public synchronized void deleteUser(String authUserName, char[] authPassword, String userName)
1207 throws AuthenticationException, UserNotFoundException, CannotDeleteLastUserException, IOException
1208 {
1209 // The following getMasterKey(...) is no real protection, because a user can be deleted without
1210 // authenticating on the file-base (as this doesn't require to decrypt data, currently), but
1211 // this way, we already have the right arguments here and might later encrypt the required infos.
1212 // Marco :-)
1213 getMasterKey(authUserName, authPassword);
1214
1215 EncryptedMasterKey encryptedKey = keyStoreData.user2keyMap.get(userName);
1216 if (encryptedKey == null)
1217 throw new UserNotFoundException("The user \"" + userName + "\" does not exist!");
1218
1219 if (keyStoreData.user2keyMap.size() == 1)
1220 throw new CannotDeleteLastUserException("You cannot delete the last user and \"" + userName + "\" is the last user!");
1221
1222 clearCache(userName);
1223 keyStoreData.user2keyMap.remove(userName);
1224 usersCache = null;
1225
1226 storeToFile();
1227 }
1228
1229 /**
1230 * <p>
1231 * Change a user's password.
1232 * </p>
1233 * <p>
1234 * The user identified by <code>userName</code> will have the new password specified by
1235 * <code>newPassword</code> immediately after this method. Authenticating this user with
1236 * his old password will fail afterwards.
1237 * </p>
1238 *
1239 * @param authUserName the authenticated user authorizing this action.
1240 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1241 * @param userName the user whose password is to be changed. This can be the same as <code>authUserName</code>.
1242 * @param newPassword the new password.
1243 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1244 * is not correct for the given <code>authUserName</code>.
1245 * @throws UserNotFoundException if there is no user with the name specified by <code>userName</code>.
1246 * @throws IOException if writing to the local file-system failed.
1247 */
1248 public synchronized void changeUserPassword(String authUserName, char[] authPassword, String userName, char[] newPassword)
1249 throws AuthenticationException, UserNotFoundException, IOException
1250 {
1251 MasterKey masterKey = getMasterKey(authUserName, authPassword);
1252
1253 if (!keyStoreData.user2keyMap.containsKey(userName))
1254 throw new UserNotFoundException("User '" + userName + "' does not exist!");
1255
1256 setUser(masterKey, userName, newPassword);
1257 }
1258
1259 /**
1260 * Get the key identified by the given <code>keyID</code>.
1261 *
1262 * @param authUserName the authenticated user authorizing this action.
1263 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1264 * @param keyID the identifier of the key to get.
1265 * @return the key associated with the given identifier; never <code>null</code> (if there is no key for the given <code>keyID</code>,
1266 * a {@link KeyNotFoundException} is thrown).
1267 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1268 * is not correct for the given <code>authUserName</code>.
1269 * @throws KeyNotFoundException if the specified <code>keyID</code> does not reference any existing key. Note, that the
1270 * authentication process occurs before any lookup and therefore a {@link KeyNotFoundException} indicates a correct authentication
1271 * (otherwise the {@link AuthenticationException} would have been thrown before).
1272 */
1273 public synchronized byte[] getKey(String authUserName, char[] authPassword, long keyID)
1274 throws AuthenticationException, KeyNotFoundException
1275 {
1276 MasterKey masterKey = getMasterKey(authUserName, authPassword);
1277 EncryptedKey encryptedKey = keyStoreData.keyID2keyMap.get(keyID);
1278 if (encryptedKey == null)
1279 throw new KeyNotFoundException("There is no key with keyID=" + keyID + "!");
1280
1281 try {
1282 Cipher cipher = getCipherForMasterKey(
1283 masterKey,
1284 encryptedKey.getEncryptionIV(),
1285 encryptedKey.getEncryptionAlgorithm(),
1286 CipherOperationMode.DECRYPT
1287 );
1288 byte[] decrypted = cipher.doFinal(encryptedKey.getEncryptedData());
1289
1290 PlaintextDataAndMAC plaintextDataAndMAC = new PlaintextDataAndMAC(decrypted, encryptedKey);
1291 if (!plaintextDataAndMAC.verifyMAC())
1292 throw new IllegalStateException("MAC mismatch!!! This means, the decryption key was wrong!");
1293
1294 return plaintextDataAndMAC.getData();
1295 } catch (CryptoException e) {
1296 throw new RuntimeException(e);
1297 } catch (GeneralSecurityException e) {
1298 throw new RuntimeException(e);
1299 }
1300 }
1301
1302 public synchronized SortedSet<Long> getKeyIDs(String authUserName, char[] authPassword)
1303 throws AuthenticationException
1304 {
1305 getMasterKey(authUserName, authPassword);
1306 SortedSet<Long> result = new TreeSet<Long>(keyStoreData.keyID2keyMap.keySet());
1307 return result;
1308 }
1309
1310 private void _setKey(String authUserName, char[] authPassword, long keyID, byte[] key)
1311 throws AuthenticationException
1312 {
1313 MasterKey masterKey = getMasterKey(authUserName, authPassword);
1314
1315 try {
1316 PlaintextDataAndMAC plaintextDataAndMAC = new PlaintextDataAndMAC(key, getMACAlgorithm());
1317
1318 Cipher cipher = getCipherForMasterKey(masterKey, null, null, CipherOperationMode.ENCRYPT);
1319 byte[] iv = ((ParametersWithIV)cipher.getParameters()).getIV();
1320 byte[] encrypted = cipher.doFinal(plaintextDataAndMAC.toByteArray());
1321
1322 EncryptedKey encryptedKey = new EncryptedKey(
1323 keyStoreData,
1324 keyID,
1325 keyStoreData.stringConstant(cipher.getTransformation()),
1326 iv,
1327 plaintextDataAndMAC.getMACAlgorithm(),
1328 (short)plaintextDataAndMAC.getMACKey().length,
1329 (short)plaintextDataAndMAC.getMACIV().length,
1330 (short)plaintextDataAndMAC.getMAC().length, encrypted
1331 );
1332 keyStoreData.keyID2keyMap.put(keyID, encryptedKey);
1333 } catch (CryptoException e) {
1334 throw new RuntimeException(e);
1335 } catch (GeneralSecurityException e) {
1336 throw new RuntimeException(e);
1337 }
1338 }
1339
1340 /**
1341 * <p>
1342 * Get a named property.
1343 * </p>
1344 * <p>
1345 * The <code>KeyStore</code> supports managing arbitrary properties in the form of
1346 * name-value-pairs. The names are plain-text, but the values are encrypted.
1347 * A property-value can be of any type for which a subclass of
1348 * {@link org.cumulus4j.keystore.prop.Property} exists.
1349 * </p>
1350 * <p>
1351 * This method will always return an instance of the given <code>propertyType</code>, no matter,
1352 * if the property exists in this <code>KeyStore</code> or not. If the property does not exist,
1353 * its {@link Property#getValue() value} will be <code>null</code>.
1354 * </p>
1355 * <p>
1356 * <b>Important:</b> Never directly instantiate a {@link Property}-subclass. Always use this method
1357 * as a factory for property instances.
1358 * </p>
1359 *
1360 * @param <P> the type of the property.
1361 * @param authUserName the authenticated user authorizing this action.
1362 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1363 * @param propertyType the type of the property; must not be <code>null</code>. If the property does not yet exist,
1364 * every type can be specified. If the property already exists, this type must match the type of the property.
1365 * If they do not match, an {@link IllegalArgumentException} is thrown.
1366 * @param name the unique name of the property; must not be <code>null</code>.
1367 * @return the property; never <code>null</code>. If the property does not yet exist, a new, empty property is returned.
1368 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1369 * is not correct for the given <code>authUserName</code>.
1370 * @see #setProperty(String, char[], Property)
1371 * @see #removeProperty(String, char[], String)
1372 */
1373 public synchronized <P extends Property<?>> P getProperty(String authUserName, char[] authPassword, Class<P> propertyType, String name)
1374 throws AuthenticationException
1375 {
1376 MasterKey masterKey = getMasterKey(authUserName, authPassword);
1377
1378 if (name == null)
1379 throw new IllegalArgumentException("name == null");
1380
1381 EncryptedProperty encryptedProperty = keyStoreData.name2propertyMap.get(name);
1382
1383 P result;
1384 try {
1385 result = propertyType.newInstance();
1386 } catch (InstantiationException e) {
1387 throw new RuntimeException(e);
1388 } catch (IllegalAccessException e) {
1389 throw new RuntimeException(e);
1390 }
1391 result.setName(name);
1392 result.setXxx(propertyXxx);
1393
1394 if (encryptedProperty != null) {
1395 if (!propertyType.equals(encryptedProperty.getType()))
1396 throw new IllegalArgumentException("propertyType != encryptedProperty.type :: " + propertyType.getClass().getName() + " != " + encryptedProperty.getType().getName());
1397
1398 try {
1399 Cipher cipher = getCipherForMasterKey(
1400 masterKey,
1401 encryptedProperty.getEncryptionIV(),
1402 encryptedProperty.getEncryptionAlgorithm(),
1403 CipherOperationMode.DECRYPT
1404 );
1405 byte[] decrypted = cipher.doFinal(encryptedProperty.getEncryptedData());
1406
1407 PlaintextDataAndMAC plaintextDataAndMAC = new PlaintextDataAndMAC(decrypted, encryptedProperty);
1408 if (!plaintextDataAndMAC.verifyMAC())
1409 throw new IllegalStateException("MAC mismatch!!! This means, the decryption key was wrong!");
1410
1411 result.setValueEncoded(plaintextDataAndMAC.getData());
1412 } catch (CryptoException e) {
1413 throw new RuntimeException(e);
1414 } catch (GeneralSecurityException e) {
1415 throw new RuntimeException(e);
1416 }
1417 }
1418
1419 return result;
1420 }
1421
1422 public synchronized SortedSet<Property<?>> getProperties(String authUserName, char[] authPassword)
1423 throws AuthenticationException
1424 {
1425 SortedSet<Property<?>> result = new TreeSet<Property<?>>();
1426 for (Map.Entry<String, EncryptedProperty> me : keyStoreData.name2propertyMap.entrySet()) {
1427 Property<?> property = getProperty(authUserName, authPassword, me.getValue().getType(), me.getKey());
1428 result.add(property);
1429 }
1430 return result;
1431 }
1432
1433 /**
1434 * <p>
1435 * Remove a property.
1436 * </p>
1437 * <p>
1438 * If the property with the given name does not exist, this method won't do anything.
1439 * </p>
1440 *
1441 * @param authUserName the authenticated user authorizing this action.
1442 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1443 * @param name the unique name of the property; must not be <code>null</code>.
1444 * @return whether the property was removed, i.e. whether this <code>KeyStore</code> was changed by the operation.
1445 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1446 * is not correct for the given <code>authUserName</code>.
1447 * @throws IOException if writing to the local file-system failed.
1448 * @see #getProperty(String, char[], Class, String)
1449 * @see #setProperty(String, char[], Property)
1450 */
1451 public synchronized boolean removeProperty(String authUserName, char[] authPassword, String name)
1452 throws AuthenticationException, IOException
1453 {
1454 boolean removed = _removeProperty(authUserName, authPassword, name);
1455
1456 if (removed)
1457 storeToFile();
1458
1459 return removed;
1460 }
1461
1462 boolean _removeProperty(String authUserName, char[] authPassword, String name)
1463 throws AuthenticationException
1464 {
1465 getMasterKey(authUserName, authPassword);
1466 return keyStoreData.name2propertyMap.remove(name) != null;
1467 }
1468
1469 private UUID propertyXxx = UUID.randomUUID();
1470
1471 /**
1472 * <p>
1473 * Set a property.
1474 * </p>
1475 * <p>
1476 * If the property's {@link Property#getValue() value} is <code>null</code>, the property is
1477 * {@link #removeProperty(String, char[], String) removed} instead.
1478 * </p>
1479 * <p>
1480 * If a property with the same {@link Property#getName() name} already exists, it is overwritten.
1481 * </p>
1482 * <p>
1483 * The property's value is encrypted with the internal master-key. The property's name is stored
1484 * in plain (unencrypted) form.
1485 * </p>
1486 *
1487 * @param authUserName the authenticated user authorizing this action.
1488 * @param authPassword the password for authenticating the user specified by <code>authUserName</code>.
1489 * @param property the property to set. Do not instantiate any property directly!
1490 * Use {@link #getProperty(String, char[], Class, String)} instead!
1491 * @throws AuthenticationException if the specified <code>authUserName</code> does not exist or the specified <code>authPassword</code>
1492 * is not correct for the given <code>authUserName</code>.
1493 * @throws IOException if writing to the local file-system failed.
1494 * @see #getProperty(String, char[], Class, String)
1495 * @see #removeProperty(String, char[], String)
1496 */
1497 public synchronized void setProperty(String authUserName, char[] authPassword, Property<?> property)
1498 throws AuthenticationException, IOException
1499 {
1500 _setProperty(authUserName, authPassword, property);
1501 storeToFile();
1502 }
1503
1504 private void _setProperty(String authUserName, char[] authPassword, Property<?> property)
1505 throws AuthenticationException
1506 {
1507 MasterKey masterKey = getMasterKey(authUserName, authPassword);
1508
1509 if (property == null)
1510 throw new IllegalArgumentException("property == null");
1511
1512 if (!propertyXxx.equals(property.getXxx()))
1513 throw new IllegalArgumentException("property was not created by this KeyStore! You should use 'getProperty(...)' instead of 'new SomeProperty(...)'!!! And you should never store properties unencrypted somewhere outside!");
1514
1515 if (property.getName() == null)
1516 throw new IllegalArgumentException("property.name == null");
1517
1518 keyStoreData.stringConstant(property.getClass().getName());
1519
1520 byte[] plainValueEncoded = property.getValueEncoded();
1521 if (plainValueEncoded == null) {
1522 _removeProperty(authUserName, authPassword, property.getName());
1523 }
1524 else {
1525 try {
1526 PlaintextDataAndMAC plaintextDataAndMAC = new PlaintextDataAndMAC(plainValueEncoded, getMACAlgorithm());
1527
1528 Cipher cipher = getCipherForMasterKey(masterKey, null, null, CipherOperationMode.ENCRYPT);
1529 byte[] encrypted = cipher.doFinal(plaintextDataAndMAC.toByteArray());
1530 byte[] iv = ((ParametersWithIV)cipher.getParameters()).getIV();
1531
1532 @SuppressWarnings("unchecked")
1533 Class<? extends Property<?>> propertyType = (Class<? extends Property<?>>) property.getClass();
1534 EncryptedProperty encryptedProperty = new EncryptedProperty(
1535 keyStoreData, property.getName(),
1536 propertyType,
1537 keyStoreData.stringConstant(cipher.getTransformation()),
1538 iv,
1539 plaintextDataAndMAC.getMACAlgorithm(),
1540 (short)plaintextDataAndMAC.getMACKey().length,
1541 (short)plaintextDataAndMAC.getMACIV().length,
1542 (short)plaintextDataAndMAC.getMAC().length, encrypted
1543 );
1544 keyStoreData.name2propertyMap.put(encryptedProperty.getName(), encryptedProperty);
1545 } catch (CryptoException e) {
1546 throw new RuntimeException(e);
1547 } catch (GeneralSecurityException e) {
1548 throw new RuntimeException(e);
1549 }
1550 }
1551 }
1552
1553 /**
1554 * <p>
1555 * Clear all cached data for the specified user name.
1556 * </p>
1557 * <p>
1558 * Every time, a user
1559 * calls a method requiring <code>authUserName</code> and <code>authPassword</code>,
1560 * either an authentication process happens, or a previously cached authentication
1561 * result (i.e. a decrypted master-key) is used. In order to speed things up, authentication results are cached for a
1562 * limited time. After this time elapses, the data is cleared by a timer. If a user wants (for security reasons)
1563 * remove the cached data from the memory earlier, he can call this method.
1564 * </p>
1565 *
1566 * @param userName the user for which to clear all the cached data. <code>null</code> to clear the complete cache for all users.
1567 */
1568 public synchronized void clearCache(String userName)
1569 {
1570 if (userName == null) {
1571 for(CachedMasterKey cachedMasterKey : cache_userName2cachedMasterKey.values())
1572 cachedMasterKey.clear();
1573
1574 cache_userName2cachedMasterKey.clear();
1575 }
1576 else {
1577 CachedMasterKey cachedMasterKey = cache_userName2cachedMasterKey.remove(userName);
1578 if (cachedMasterKey != null)
1579 cachedMasterKey.clear();
1580 }
1581 }
1582
1583 @Override
1584 protected void finalize() throws Throwable {
1585 clearCache(null);
1586 super.finalize();
1587 }
1588 }