Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[master] JCEEncryptor default encryption algorithm upgrade #2004

Merged
merged 10 commits into from
Dec 1, 2023
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
@REM
@REM Copyright (c) 2023 Oracle and/or its affiliates. All rights reserved.
@REM
@REM This program and the accompanying materials are made available under the
@REM terms of the Eclipse Public License v. 2.0 which is available at
@REM http://www.eclipse.org/legal/epl-2.0,
@REM or the Eclipse Distribution License v. 1.0 which is available at
@REM http://www.eclipse.org/org/documents/edl-v10.php.
@REM
@REM SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
@REM

@REM Usage is `passwordUpdate.sh|.cmd -ip <old encrypted password>`
@REM This application internally decrypt old encrypted password used by some previous version EclipseLink and encrypt it by latest algorithm.

@echo off
setlocal
call "%~dp0../../bin/setenv.cmd"

@REM User may increase Java memory setting(s) if desired:
set JVM_ARGS=-Xmx256m

REM Please do not change any of the following lines:
set _FIXPATH=
call :fixpath "%~dp0"
set THIS=%_FIXPATH:~1%

set CLASSPATH=%CLASSPATH%;%THIS%..\..\jlib\eclipselink.jar

set PASSWORD_UPDATE_ARGS=%*

%JAVA_HOME%\bin\java.exe %JVM_ARGS% -cp %CLASSPATH% org.eclipse.persistence.tools.security.JCEEncryptorCmd %PASSWORD_UPDATE_ARGS%

endlocal
goto :EOF

:fixpath
if not %1.==. (
for /f "tokens=1* delims=;" %%a in (%1) do (
call :shortfilename "%%a" & call :fixpath "%%b"
)
)
goto :EOF

:shortfilename
for %%i in (%1) do set _FIXPATH=%_FIXPATH%;%%~fsi
goto :EOF
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
#!/bin/sh
#
# Copyright (c) 2023 Oracle and/or its affiliates. All rights reserved.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v. 2.0 which is available at
# http://www.eclipse.org/legal/epl-2.0,
# or the Eclipse Distribution License v. 1.0 which is available at
# http://www.eclipse.org/org/documents/edl-v10.php.
#
# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
#

#Usage is `passwordUpdate.sh|.cmd -ip <old encrypted password>`
#This application internally decrypt old encrypted password used by some previous version EclipseLink and encrypt it by latest algorithm.

. `dirname $0`/../../bin/setenv.sh

# User may increase Java memory setting(s) if desired:
JVM_ARGS=-Xmx256m

# Please do not change any of the following lines:
CLASSPATH=`dirname $0`/../../jlib/eclipselink.jar:

PASSWORD_UPDATE_ARGS="$@"

${JAVA_HOME}/bin/java ${JVM_ARGS} -cp ${CLASSPATH} \
org.eclipse.persistence.tools.security.JCEEncryptorCmd ${PASSWORD_UPDATE_ARGS}
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2021 Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2023 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
Expand All @@ -21,6 +21,7 @@
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.eclipse.persistence.exceptions.ValidationException;
Expand All @@ -35,64 +36,79 @@
* @author dminsky
*/
public class SecurableBackwardsCompatibilityTest {

/**
* Test the decryption of a String encrypted with DES ECB.
*/
@Test
public void testStringDecryption_DES_ECB() throws Exception {
String plainTextString = "welcome123_des_ecb";

String testString = encryptString_DES_ECB(plainTextString);
Assert.assertFalse("Strings should not match.", plainTextString.equals(testString));

Securable securable = new JCEEncryptor();
String decryptedString = securable.decryptPassword(testString);
Assert.assertEquals("Strings should match.", plainTextString, decryptedString);
}


/**
* Test the decryption of a String encrypted with AES GCM.
*/
@Test
public void testStringDecryption_AES_GCM() throws Exception {
String plainTextString = "welcome123_aes_gcm";

Securable securable = new JCEEncryptor();
String testString = securable.encryptPassword(plainTextString);
Assert.assertFalse("Strings should not match.", plainTextString.equals(testString));

String decryptedString = securable.decryptPassword(testString);
Assert.assertEquals("Strings should match.", plainTextString, decryptedString);
}

/**
* Test the decryption of a String encrypted with AES CBC.
*/
@Test
public void testStringDecryption_AES_CBC() throws Exception {
String plainTextString = "welcome123_aes_cbc";

Securable securable = new JCEEncryptor();
String testString = securable.encryptPassword(plainTextString);
String testString = encryptString_AES_CBC(plainTextString);
Assert.assertFalse("Strings should not match.", plainTextString.equals(testString));


Securable securable = new JCEEncryptor();
String decryptedString = securable.decryptPassword(testString);
Assert.assertEquals("Strings should match.", plainTextString, decryptedString);
}

/**
* Test the decryption of a String encrypted with AES ECB.
*/
@Test
public void testStringDecryption_AES_ECB() throws Exception {
String plainTextString = "welcome123_aes_ecb";

String testString = encryptString_AES_ECB(plainTextString);
Assert.assertFalse("Strings should not match.", plainTextString.equals(testString));

Securable securable = new JCEEncryptor();
String decryptedString = securable.decryptPassword(testString);
Assert.assertEquals("Strings should match.", plainTextString, decryptedString);
}

/**
* Test the decryption/processing of a plaintext String.
*/
@Test
public void testStringDecryption_PlainText() throws Exception {
String plainTextString = "welcome123_plaintext";

Securable securable = new JCEEncryptor();
String decryptedString = securable.decryptPassword(plainTextString);
Assert.assertEquals("Passwords should match.", plainTextString, decryptedString);
}

/**
* Test the decryption/processing of a null parameter.
*/
Expand All @@ -102,7 +118,7 @@ public void testNullParameterDecryption() throws Exception {
String returnValue = securable.decryptPassword(null);
Assert.assertNull("Null should be returned when decrypting a null value", returnValue);
}

/**
* Test the encryption of a null parameter.
*/
Expand All @@ -117,17 +133,17 @@ public void testNullParameterEncryption() throws Exception {
}
Assert.assertNotNull("A ValidationException should be thrown when encrypting a null value", expectedException);
}

/*
* Internal test utility:
* Return a DES ECB encrypted version of the String parameter, using the legacy encryption code.
*/
private String encryptString_DES_ECB(String aString) throws Exception {
final byte[] bytes = Helper.buildBytesFromHexString("E60B80C7AEC78038");

Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(bytes)));

ByteArrayOutputStream baos = new ByteArrayOutputStream();
CipherOutputStream cos = new CipherOutputStream(baos, cipher);
ObjectOutputStream oos = new ObjectOutputStream(cos);
Expand All @@ -137,17 +153,31 @@ private String encryptString_DES_ECB(String aString) throws Exception {

return Helper.buildHexStringFromBytes(baos.toByteArray());
}


/*
* Internal test utility:
* Return an AES CBC encrypted version of the String parameter, using the legacy encryption code.
*/
private String encryptString_AES_CBC(String aString) throws Exception {
final byte[] bytes = Helper.buildBytesFromHexString("2DB7354A48F1CA7B48ACA247540FC923");

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
IvParameterSpec iv = getIvSpec();
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(bytes, "AES"), iv);

return Helper.buildHexStringFromBytes(cipher.doFinal(aString.getBytes("UTF-8")));
}

/*
* Internal test utility:
* Return an AES ECB encrypted version of the String parameter, using the legacy encryption code.
*/
private String encryptString_AES_ECB(String aString) throws Exception {
final byte[] bytes = Helper.buildBytesFromHexString("3E7CFEF156E712906E1F603B59463C67");

Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(bytes, "AES"));

ByteArrayOutputStream baos = new ByteArrayOutputStream();
CipherOutputStream cos = new CipherOutputStream(baos, cipher);
ObjectOutputStream oos = new ObjectOutputStream(cos);
Expand All @@ -157,5 +187,13 @@ private String encryptString_AES_ECB(String aString) throws Exception {

return Helper.buildHexStringFromBytes(baos.toByteArray());
}


private static IvParameterSpec getIvSpec() {
byte[] b = new byte[] {
(byte) -26, (byte) 124, (byte) -99, (byte) 32,
(byte) -37, (byte) -58, (byte) -93, (byte) 100,
(byte) 126, (byte) -55, (byte) -21, (byte) 48,
(byte) -86, (byte) 97, (byte) 12, (byte) 113};
return new IvParameterSpec(b);
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -481,7 +481,13 @@ public class LoggingLocalizationResource extends ListResourceBundle {
{ "validate_object_space", "validate object space." },
{ "stack_of_visited_objects_that_refer_to_the_corrupt_object", "stack of visited objects that refer to the corrupt object: {0}" },
{ "corrupt_object_referenced_through_mapping", "The following corrupt object is referenced through mapping: {0}" },
{ "corrupt_object", "corrupt object: {0}" }
{ "corrupt_object", "corrupt object: {0}" },

{ "encryptor_decrypt_old_algorithm", "Database password was encrypted by deprecated algorithm." +
"\nIt's recommended to re-encrypt it by `passwordUpdate.sh` from eclipselink.zip bundle"},
{ "encryptor_script_usage", "Usage is `passwordUpdate.sh|.cmd -ip <old encrypted password>`"},
{ "encryptor_script_description", "This application internally decrypt old encrypted password used by some previous version EclipseLink and encrypt it by latest algorithm."},
{ "encryptor_script_output", "Re-encrypted password is: {0}"}
};

/**
Expand Down
Loading
Loading