diff options
Diffstat (limited to 'qpid/java/broker-core/src/main/java/org/apache/qpid/server/security')
3 files changed, 38 insertions, 16 deletions
diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java index 5b62f7cffd..0e532cee89 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/SimpleAuthenticationManager.java @@ -46,7 +46,7 @@ import org.apache.qpid.server.security.auth.UsernamePrincipal; import org.apache.qpid.server.security.auth.sasl.plain.PlainPasswordCallback; import org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer; -@ManagedObject( category = false, type = "Simple" ) +@ManagedObject( category = false, type = "Simple", register = false ) public class SimpleAuthenticationManager extends AbstractAuthenticationManager<SimpleAuthenticationManager> { private static final Logger _logger = Logger.getLogger(SimpleAuthenticationManager.class); diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java index c0c92f0389..b094ea96f9 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java @@ -36,17 +36,25 @@ import javax.crypto.SecretKey; import javax.crypto.spec.IvParameterSpec; import javax.xml.bind.DatatypeConverter; -import org.apache.qpid.server.configuration.IllegalConfigurationException; - class AESKeyFileEncrypter implements ConfigurationSecretEncrypter { private static final String CIPHER_NAME = "AES/CBC/PKCS5Padding"; private static final int AES_INITIALIZATION_VECTOR_LENGTH = 16; + private static final String AES_ALGORITHM = "AES"; private final SecretKey _secretKey; private final SecureRandom _random = new SecureRandom(); AESKeyFileEncrypter(SecretKey secretKey) { + if(secretKey == null) + { + throw new NullPointerException("A non null secret key must be supplied"); + } + if(!AES_ALGORITHM.equals(secretKey.getAlgorithm())) + { + throw new IllegalArgumentException("Provided secret key was for the algorithm: " + secretKey.getAlgorithm() + + "when" + AES_ALGORITHM + "was needed."); + } _secretKey = secretKey; } @@ -68,19 +76,26 @@ class AESKeyFileEncrypter implements ConfigurationSecretEncrypter } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { - throw new IllegalConfigurationException("Unable to encrypt secret", e); + throw new IllegalArgumentException("Unable to encrypt secret", e); } } @Override public String decrypt(final String encrypted) { + if(!isValidBase64(encrypted)) + { + throw new IllegalArgumentException("Encrypted value is not valid Base 64 data: '" + encrypted + "'"); + } byte[] encryptedBytes = DatatypeConverter.parseBase64Binary(encrypted); try { Cipher cipher = Cipher.getInstance(CIPHER_NAME); - cipher.init(Cipher.DECRYPT_MODE, _secretKey, new IvParameterSpec(encryptedBytes, 0, - AES_INITIALIZATION_VECTOR_LENGTH)); + + IvParameterSpec ivParameterSpec = new IvParameterSpec(encryptedBytes, 0, AES_INITIALIZATION_VECTOR_LENGTH); + + cipher.init(Cipher.DECRYPT_MODE, _secretKey, ivParameterSpec); + return new String(readFromCipherStream(encryptedBytes, AES_INITIALIZATION_VECTOR_LENGTH, encryptedBytes.length - AES_INITIALIZATION_VECTOR_LENGTH, @@ -88,10 +103,15 @@ class AESKeyFileEncrypter implements ConfigurationSecretEncrypter } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) { - throw new IllegalConfigurationException("Unable to encrypt secret", e); + throw new IllegalArgumentException("Unable to encrypt secret", e); } } + private boolean isValidBase64(final String encrypted) + { + return encrypted.matches("^([\\w\\d+/]{4})*([\\w\\d+/]{2}==|[\\w\\d+/]{3}=)?$"); + } + private byte[] readFromCipherStream(final byte[] unencryptedBytes, final Cipher cipher) throws IOException { @@ -106,16 +126,16 @@ class AESKeyFileEncrypter implements ConfigurationSecretEncrypter offset, length), cipher)) { - byte[] buf = new byte[1024]; + byte[] buf = new byte[512]; int pos = 0; int read; while ((read = cipherInputStream.read(buf, pos, buf.length - pos)) != -1) { pos += read; - if (pos == buf.length - 1) + if (pos == buf.length) { byte[] tmp = buf; - buf = new byte[buf.length + 1024]; + buf = new byte[buf.length + 512]; System.arraycopy(tmp, 0, buf, 0, tmp.length); } } diff --git a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java index 447f19b7ce..ef92c2a131 100644 --- a/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java +++ b/qpid/java/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypterFactory.java @@ -46,13 +46,15 @@ import org.apache.qpid.server.plugin.PluggableService; @PluggableService public class AESKeyFileEncrypterFactory implements ConfigurationSecretEncrypterFactory { - private static final String ENCRYPTER_KEY_FILE = "encrypter.key.file"; + static final String ENCRYPTER_KEY_FILE = "encrypter.key.file"; private static final int AES_KEY_SIZE_BITS = 256; private static final int AES_KEY_SIZE_BYTES = AES_KEY_SIZE_BITS / 8; private static final String AES_ALGORITHM = "AES"; - public static String TYPE = "AESKeyFile"; + public static final String TYPE = "AESKeyFile"; + + static final String DEFAULT_KEYS_SUBDIR_NAME = ".keys"; @Override public ConfigurationSecretEncrypter createEncrypter(final ConfiguredObject<?> object) @@ -66,7 +68,7 @@ public class AESKeyFileEncrypterFactory implements ConfigurationSecretEncrypterF { fileLocation = object.getContextValue(String.class, BrokerOptions.QPID_WORK_DIR) - + File.separator + ".keys" + File.separator + + File.separator + DEFAULT_KEYS_SUBDIR_NAME + File.separator + object.getCategoryClass().getSimpleName() + "_" + object.getName() + ".key"; @@ -94,14 +96,14 @@ public class AESKeyFileEncrypterFactory implements ConfigurationSecretEncrypterF || permissions.contains(PosixFilePermission.GROUP_WRITE) || permissions.contains(PosixFilePermission.OTHERS_WRITE)) { - throw new IllegalStateException("Key file '" + throw new IllegalArgumentException("Key file '" + fileLocation + "' has incorrect permissions. Only the owner " + "should be able to read or write this file."); } if(Files.size(file.toPath()) != AES_KEY_SIZE_BYTES) { - throw new IllegalConfigurationException("Key file '" + fileLocation + "' contains an incorrect about of data"); + throw new IllegalArgumentException("Key file '" + fileLocation + "' contains an incorrect about of data"); } try(FileInputStream inputStream = new FileInputStream(file)) @@ -151,7 +153,7 @@ public class AESKeyFileEncrypterFactory implements ConfigurationSecretEncrypterF } catch (NoSuchAlgorithmException | IOException e) { - throw new IllegalConfigurationException("Cannot create key file: " + e.getMessage(), e); + throw new IllegalArgumentException("Cannot create key file: " + e.getMessage(), e); } } |