1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.syncope.core.spring.security;
20
21 import java.io.UnsupportedEncodingException;
22 import java.nio.charset.StandardCharsets;
23 import java.security.InvalidKeyException;
24 import java.security.NoSuchAlgorithmException;
25 import java.util.Base64;
26 import java.util.Map;
27 import java.util.concurrent.ConcurrentHashMap;
28 import javax.crypto.BadPaddingException;
29 import javax.crypto.Cipher;
30 import javax.crypto.IllegalBlockSizeException;
31 import javax.crypto.NoSuchPaddingException;
32 import javax.crypto.spec.SecretKeySpec;
33 import org.apache.commons.lang3.ArrayUtils;
34 import org.apache.commons.lang3.StringUtils;
35 import org.apache.syncope.common.lib.types.CipherAlgorithm;
36 import org.apache.syncope.core.spring.ApplicationContextProvider;
37 import org.jasypt.commons.CommonUtils;
38 import org.jasypt.digest.StandardStringDigester;
39 import org.slf4j.Logger;
40 import org.slf4j.LoggerFactory;
41 import org.springframework.security.crypto.bcrypt.BCrypt;
42
43 public final class Encryptor {
44
45 private static final Logger LOG = LoggerFactory.getLogger(Encryptor.class);
46
47 private static final Map<String, Encryptor> INSTANCES = new ConcurrentHashMap<>();
48
49 private static final String DEFAULT_SECRET_KEY = "1abcdefghilmnopqrstuvz2!";
50
51 public static Encryptor getInstance() {
52 return getInstance(null);
53 }
54
55 public static Encryptor getInstance(final String secretKey) {
56 String actualKey = StringUtils.isBlank(secretKey) ? DEFAULT_SECRET_KEY : secretKey;
57
58 Encryptor instance = INSTANCES.get(actualKey);
59 if (instance == null) {
60 instance = new Encryptor(actualKey);
61 INSTANCES.put(actualKey, instance);
62 }
63
64 return instance;
65 }
66
67 private final Map<CipherAlgorithm, StandardStringDigester> digesters = new ConcurrentHashMap<>();
68
69 private SecretKeySpec keySpec;
70
71 private Encryptor(final String secretKey) {
72 String actualKey = secretKey;
73 if (actualKey.length() < 16) {
74 StringBuilder actualKeyPadding = new StringBuilder(actualKey);
75 int length = 16 - actualKey.length();
76 String randomChars = SecureRandomUtils.generateRandomPassword(length);
77
78 actualKeyPadding.append(randomChars);
79 actualKey = actualKeyPadding.toString();
80 LOG.warn("The secret key is too short (< 16), adding some random characters. "
81 + "Passwords encrypted with AES and this key will not be recoverable "
82 + "as a result if the container is restarted.");
83 }
84
85 try {
86 keySpec = new SecretKeySpec(ArrayUtils.subarray(
87 actualKey.getBytes(StandardCharsets.UTF_8), 0, 16),
88 CipherAlgorithm.AES.getAlgorithm());
89 } catch (Exception e) {
90 LOG.error("Error during key specification", e);
91 }
92 }
93
94 public String encode(final String value, final CipherAlgorithm cipherAlgorithm)
95 throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException,
96 IllegalBlockSizeException, BadPaddingException {
97
98 String encoded = null;
99
100 if (value != null) {
101 if (cipherAlgorithm == null || cipherAlgorithm == CipherAlgorithm.AES) {
102 Cipher cipher = Cipher.getInstance(CipherAlgorithm.AES.getAlgorithm());
103 cipher.init(Cipher.ENCRYPT_MODE, keySpec);
104
105 encoded = Base64.getEncoder().encodeToString(cipher.doFinal(value.getBytes(StandardCharsets.UTF_8)));
106 } else if (cipherAlgorithm == CipherAlgorithm.BCRYPT) {
107 encoded = BCrypt.hashpw(value, BCrypt.gensalt());
108 } else {
109 encoded = getDigester(cipherAlgorithm).digest(value);
110 }
111 }
112
113 return encoded;
114 }
115
116 public boolean verify(final String value, final CipherAlgorithm cipherAlgorithm, final String encoded) {
117 boolean verified = false;
118
119 try {
120 if (value != null) {
121 if (cipherAlgorithm == null || cipherAlgorithm == CipherAlgorithm.AES) {
122 verified = encode(value, cipherAlgorithm).equals(encoded);
123 } else if (cipherAlgorithm == CipherAlgorithm.BCRYPT) {
124 verified = BCrypt.checkpw(value, encoded);
125 } else {
126 verified = getDigester(cipherAlgorithm).matches(value, encoded);
127 }
128 }
129 } catch (Exception e) {
130 LOG.error("Could not verify encoded value", e);
131 }
132
133 return verified;
134 }
135
136 public String decode(final String encoded, final CipherAlgorithm cipherAlgorithm)
137 throws UnsupportedEncodingException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException,
138 IllegalBlockSizeException, BadPaddingException {
139
140 String decoded = null;
141
142 if (encoded != null && cipherAlgorithm == CipherAlgorithm.AES) {
143 Cipher cipher = Cipher.getInstance(CipherAlgorithm.AES.getAlgorithm());
144 cipher.init(Cipher.DECRYPT_MODE, keySpec);
145
146 decoded = new String(cipher.doFinal(Base64.getDecoder().decode(encoded)), StandardCharsets.UTF_8);
147 }
148
149 return decoded;
150 }
151
152 private StandardStringDigester getDigester(final CipherAlgorithm cipherAlgorithm) {
153 StandardStringDigester digester = digesters.get(cipherAlgorithm);
154 if (digester == null) {
155 digester = new StandardStringDigester();
156
157 if (cipherAlgorithm.getAlgorithm().startsWith("S-")) {
158 SecurityProperties securityProperties =
159 ApplicationContextProvider.getApplicationContext().getBean(SecurityProperties.class);
160
161
162 digester.setAlgorithm(cipherAlgorithm.getAlgorithm().replaceFirst("S\\-", ""));
163 digester.setIterations(securityProperties.getDigester().getSaltIterations());
164 digester.setSaltSizeBytes(securityProperties.getDigester().getSaltSizeBytes());
165 digester.setInvertPositionOfPlainSaltInEncryptionResults(
166 securityProperties.getDigester().isInvertPositionOfPlainSaltInEncryptionResults());
167 digester.setInvertPositionOfSaltInMessageBeforeDigesting(
168 securityProperties.getDigester().isInvertPositionOfSaltInMessageBeforeDigesting());
169 digester.setUseLenientSaltSizeCheck(
170 securityProperties.getDigester().isUseLenientSaltSizeCheck());
171 } else {
172
173 digester.setAlgorithm(cipherAlgorithm.getAlgorithm());
174 digester.setIterations(1);
175 digester.setSaltSizeBytes(0);
176 }
177
178 digester.setStringOutputType(CommonUtils.STRING_OUTPUT_TYPE_HEXADECIMAL);
179
180 digesters.put(cipherAlgorithm, digester);
181 }
182
183 return digester;
184 }
185 }