Refactor CryptoUtils

Author: Phillipus

Diff for: org.archicontribs.modelrepository/src/org/archicontribs/modelrepository/authentication/CryptoUtils.java

@@ -9,7 +9,6 @@
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
-import java.security.Key;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
 import java.security.SecureRandom;
@@ -129,17 +128,8 @@ public static SecretKey generateRandomSecretKey() throws NoSuchAlgorithmExceptio
 
     /**
      * Generate a SecretKey from a password using a PBE based algorithm
-     * 
-     * Algorithms supported:
-     * 
-     * PBEwithHmacSHA256AndAES_256
-     * PBEWithHmacSHA1AndAES_256
-     * PBEWithHmacSHA512AndAES_128
-     * PBEWithHmacSHA1AndAES_128
-     * PBEWithHmacSHA384AndAES_256
-     * PBEWithMD5AndDES
-     */
-    public static SecretKey generateKeyFromPassword(String algorithm, char[] password) throws GeneralSecurityException {
+     */
+    public static SecretKey generateKeyFromPassword(char[] password, String algorithm) throws GeneralSecurityException {
         // Convert the password bytes to Base64 characters because PBEKey class will not accept non-Ascii characters in a password
         char[] encodedPassword = encodeCharsToBase64(password);
 
@@ -150,17 +140,9 @@ public static SecretKey generateKeyFromPassword(String algorithm, char[] passwor
     }
 
     /**
-     * Generate a SecretKey from a password using a PBK based algorithm with salt and iterations
-     * 
-     * Algorithms supported:
-     * 
-     * PBKDF2WithHmacSHA1
-     * PBKDF2WithHmacSHA224
-     * PBKDF2WithHmacSHA256
-     * PBKDF2WithHmacSHA384
-     * PBKDF2WithHmacSHA512
+     * Generate a SecretKey from a password using a PBK based algorithm
      */
-    public static SecretKey generateKeyFromPassword(String algorithm, char[] password, byte[] salt, int iterations) throws Exception {
+    public static SecretKey generateKeyFromPassword(char[] password, String algorithm, byte[] salt, int iterations) throws GeneralSecurityException {
         // Convert the password bytes to Base64 characters because PBEKey class will not accept non-Ascii characters in a password
         char[] encodedPassword = encodeCharsToBase64(password);
 
@@ -169,44 +151,94 @@ public static SecretKey generateKeyFromPassword(String algorithm, char[] passwor
         SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm);
         SecretKey pbeKey = keyFactory.generateSecret(pbeKeySpec);
 
+        // Wrap the pbeKey in a SecretKeySpec
         return new SecretKeySpec(pbeKey.getEncoded(), "AES");
     }
 
     /**
-     * Get and initialise Cipher based on PBE key from generateKeyFromPassword
+     * Encrypt/ Decrypt bytes with a password using a PBE based algorithm
      * 
-     * @param key The secret PBE key generated from calling generateKeyFromPassword
-     * @param algorithm The PBE transformation algorithm to use
+     * @param password Password 
+     * @param pbeAlgorithm The PBE algorithm to use
      * @param mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
-     * @param salt Salt needed for PBEParameterSpec
-     * @param iv Optional IV - some PBE algorithms don't use one
-     * @param iterations
+     * @param bytes The bytes to encrypt/decypt
+     * @param salt Salt (required)
+     * @param iv IV (optional)
+     * @param iterations Iterations for the PBEParameterSpec
+     * @return The encrypted or decrypted bytes
      */
-    public static Cipher getPBECipher(Key key, String algorithm, int mode, byte[] salt, byte[] iv, int iterations) throws GeneralSecurityException {
-        Cipher cipher = Cipher.getInstance(algorithm);
+    public static byte[] transformWithPassword(char[] password, String pbeAlgorithm, int mode, byte[] bytes, byte[] salt, byte[] iv,
+                                               int iterations) throws GeneralSecurityException {
+        // Generate a PBE key for the Cipher
+        SecretKey secretKey = generateKeyFromPassword(password, pbeAlgorithm);
+
+        // Encrypt the input with the Cipher
+        Cipher keyCipher = Cipher.getInstance(pbeAlgorithm);
 
-        // PBEParameterSpec with salt and (optional) iv spec
+        // IvParameterSpec is optional depending on the algorithm
         IvParameterSpec paramSpec = iv != null ? new IvParameterSpec(iv) : null;
 
-        // Create parameters from the salt and an arbitrary number of iterations (paramSpec will be null if iv is null)
+        // Create parameters from the salt and the iterations (paramSpec will be null if iv is null)
         PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, iterations, paramSpec);
-
+        
         // Set the cipher mode to decryption or encryption
-        cipher.init(mode, key, pbeParamSpec);
+        keyCipher.init(mode, secretKey, pbeParamSpec);
+        
+        // Encypt/Decrypt the bytes
+        return keyCipher.doFinal(bytes);
+    }
 
-        return cipher;
+    /**
+     * Encrypt/ Decrypt bytes with a password using a PBK based algorithm
+     * 
+     * @param password Password 
+     * @param pbkAlgorithm  The PBK algorithm to use
+     * @param cipherAlgorithm The Cipher algorithm to use - AES or AES/CBC/PKCS5Padding or AES/GCM/NoPadding
+     * @param mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
+     * @param bytes The bytes to encrypt/decypt
+     * @param salt Salt (required)
+     * @param iv IV (required)
+     * @param iterations Iterations for the PBEKeySpec
+     * @return The encrypted or decrypted bytes
+     */
+    public static byte[] transformWithPassword2(char[] password, String pbkAlgorithm, String cipherAlgorithm, int mode, byte[] bytes, byte[] salt, byte[] iv,
+                                                int iterations) throws GeneralSecurityException {
+        // Generate a key with the PBK Algorithm
+        SecretKey secretKey = generateKeyFromPassword(password, pbkAlgorithm, salt, iterations);
+
+        // Get the cipher from the key and cipher algorithm
+        Cipher keyCipher = getCipher(secretKey, cipherAlgorithm, mode, iv);
+        
+        // Encypt/Decrypt the bytes
+        return keyCipher.doFinal(bytes);
+    }
+    
+    /**
+     * Encrypt/ Decrypt bytes with a SecretKey 
+     * 
+     * @param key The secret key to use for the Cipher
+     * @param cipherAlgorithm The Cipher algorithm to use - AES or AES/CBC/PKCS5Padding or AES/GCM/NoPadding
+     * @param mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
+     * @param bytes The bytes to encrypt/decypt
+     * @param iv IV (optional)
+     * @return The encrypted or decrypted bytes
+     * @throws GeneralSecurityException
+     */
+    public static byte[] transformWithKey(SecretKey key, String cipherAlgorithm, int mode, byte[] bytes, byte[] iv) throws GeneralSecurityException {
+        Cipher cipher = getCipher(key, cipherAlgorithm, mode, iv);
+        return cipher.doFinal(bytes);
     }
 
     /**
      * Get and initialise Cipher with a secret key and optional iv
-     * param @iv is optional and not used for AES
+     * param @iv is optional and not used for AES, AES/CBC/PKCS5Padding or AES/GCM/NoPadding
      * 
-     * @param key The scret key 
-     * @param algorithm The transformation algorithm to use
+     * @param key The secret key 
+     * @param algorithm The transformation algorithm to use - AES, 
      * @param mode Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE
      * @param iv Optional IV
      */
-    public static Cipher getCipher(Key key, String algorithm, int mode, byte... iv) throws GeneralSecurityException {
+    public static Cipher getCipher(SecretKey key, String algorithm, int mode, byte... iv) throws GeneralSecurityException {
         Cipher cipher = Cipher.getInstance(algorithm);
 
         switch(algorithm) {

Diff for: org.archicontribs.modelrepository/src/org/archicontribs/modelrepository/authentication/internal/EncryptedCredentialsStorage.java

@@ -129,8 +129,7 @@ public boolean storePassword(char[] password) throws GeneralSecurityException, I
         byte[] passwordBytes = CryptoUtils.convertCharsToBytes(password);
 
         // Encrypt the password
-        Cipher cipher = CryptoUtils.getCipher(key, CIPHER_ALGORITHM, Cipher.ENCRYPT_MODE);
-        byte[] encrypted = cipher.doFinal(passwordBytes);
+        byte[] encrypted = CryptoUtils.transformWithKey(key, CIPHER_ALGORITHM, Cipher.ENCRYPT_MODE, passwordBytes, null);
 
         // Store in properties file as a Base64 encoded string
         getProperties().setProperty(PASSWORD, Base64.getEncoder().encodeToString(encrypted)); // Use Base64 because this is a string
@@ -167,8 +166,7 @@ public char[] getPassword() throws IOException, GeneralSecurityException {
             }
 
             // Decrypt the password
-            Cipher cipher = CryptoUtils.getCipher(key, CIPHER_ALGORITHM, Cipher.DECRYPT_MODE);
-            passwordBytes = cipher.doFinal(passwordBytes);
+            passwordBytes = CryptoUtils.transformWithKey(key, CIPHER_ALGORITHM, Cipher.DECRYPT_MODE, passwordBytes, null);
 
             // Use UTF-8 because we used that to encrypt it
             return CryptoUtils.convertBytesToChars(passwordBytes);
@@ -340,8 +338,13 @@ private static SecretKey loadPrimaryKey(char[] password) throws GeneralSecurityE
                 byte[] keybytes = Arrays.copyOfRange(bytes, PBE_SALT_LENGTH, bytes.length);
 
                 // Decrypt the key bytes with the password and salt
-                Cipher cipher = getCipherWithPassword(password, Cipher.DECRYPT_MODE, salt);
-                keybytes = cipher.doFinal(keybytes);
+                keybytes = CryptoUtils.transformWithPassword(password,
+                                                             PBE_ALGORITHM,
+                                                             Cipher.DECRYPT_MODE,
+                                                             keybytes,
+                                                             salt,
+                                                             null, // no iv
+                                                             PBE_ITERATIONS);
 
                 // Return the key
                 return new SecretKeySpec(keybytes, "AES");
@@ -359,8 +362,13 @@ private static void savePrimaryKey(SecretKey key, char[] password) throws Genera
         byte[] salt = CryptoUtils.generateRandomBytes(PBE_SALT_LENGTH);
 
         // Encrypt the key
-        Cipher cipher = getCipherWithPassword(password, Cipher.ENCRYPT_MODE, salt);
-        byte[] keybytes = cipher.doFinal(key.getEncoded());
+        byte[] keybytes = CryptoUtils.transformWithPassword(password,
+                                                            PBE_ALGORITHM,
+                                                            Cipher.ENCRYPT_MODE,
+                                                            key.getEncoded(),
+                                                            salt,
+                                                            null, // no iv
+                                                            PBE_ITERATIONS);
 
         File primaryKeyFile = getPrimaryKeyFile();
 
@@ -380,19 +388,6 @@ private static void savePrimaryKey(SecretKey key, char[] password) throws Genera
         }
     }
 
-    /**
-     * Create a Cipher using a password rather than a key
-     * The key is generated from the the password
-     * See https://stackoverflow.com/questions/13673556/using-password-based-encryption-on-a-file-in-java
-     */
-    private static Cipher getCipherWithPassword(char[] password, int mode, byte[] salt) throws GeneralSecurityException {
-        // Generate the SecretKey from the password
-        SecretKey key = CryptoUtils.generateKeyFromPassword(PBE_ALGORITHM, password);
-
-        // Return the Cipher using the key, salt, no iv, and iteration count
-        return CryptoUtils.getPBECipher(key, PBE_ALGORITHM, mode, salt, null, PBE_ITERATIONS);
-    }
-    
     private static char[] askUserForPrimaryPassword() {
         // Check that current thread is the UI thread in case this is called from a non-UI thread
         if(Display.getCurrent() != null) {