Hi Michael,
here's a short example which could be used with any application to store encrypted passwords in a database. That's nearly the same thing Oracle does, but in this case the application (Wildfire) must do the decryption and encryption itself.
@ Matt: Very similar code should already be used in Spark, as the settings.xml also stores the password encrypted.
That's the output with base64key="nW1UOFSrdbA=" for those without javac:
authenticated
password=secret
encryptesPassword=iYQzm7DO1PQu5sQvSm+nUw==
decryptesPassword=secret
LG
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
// sun.misc.* is a JDK-internal API that current JDKs no longer ship; java.util.Base64 is the supported codec.
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
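/**
 * Demonstrates reversible storage of account passwords: the lower-cased username is
 * prepended to the password, the result is encrypted with a server-side DES key and
 * the ciphertext is Base64-encoded for a text column.
 *
 * <p>Security notes for anyone adapting this:
 * <ul>
 *   <li>This is encryption, not hashing. Whoever holds both the key and the table can
 *       recover every password. It is only justified where the server needs the
 *       plaintext (here: to compute a digest from token and password). Where the
 *       plaintext is not needed, store a salted, slow password hash instead.</li>
 *   <li>DES has a 56-bit effective key and is no longer considered adequate. The bare
 *       {@code "DES"} transformation also resolves to ECB mode with PKCS5 padding in
 *       the default provider, which gives no integrity protection. The cipher is kept
 *       here only so that values stored with the existing key still decrypt; moving to
 *       an authenticated cipher (e.g. AES-GCM with a random nonce) needs a new key
 *       format and a migration of all stored values.</li>
 *   <li>The key must live outside the database (and outside its backups), readable
 *       only by the server account.</li>
 * </ul>
 */
public class DesMain
{
    /** Transformation name; kept as plain "DES" for compatibility with stored values. */
    private static final String TRANSFORMATION = "DES";

    /**
     * Demo driver: encrypts a sample password, decrypts it again and prints the result.
     * Printing plaintext passwords is for demonstration only and must not be copied
     * into server code or logs.
     *
     * @param args unused
     * @throws Exception if the cipher or key cannot be set up
     */
    public static void main(String[] args) throws Exception
    {
        String username = "bar";
        String password = "secret";
        String base64key = "nW1UOFSrdbA=";

        String encryptesPassword = encryptPassword(username, password, base64key);
        // now store encryptesPassword in database
        // use this also in DefaultAuthProvider.authenticate(line 39ff)
        // before "pstmt.setString(2, password);"

        // read encryptesPassword from database
        String decryptesPassword = decryptPassword(username, encryptesPassword, base64key);
        // now use it to calculate a digest
        // use this in DefaultAuthProvider.authenticate(line 72ff)
        // before "String anticipatedDigest = AuthFactory.createDigest(token, pass);"

        if (password.equals(decryptesPassword))
        {
            System.out.println("authenticated");
        }
        System.out.println("password=" + password);
        System.out.println("encryptesPassword=" + encryptesPassword);
        System.out.println("decryptesPassword=" + decryptesPassword);
    }

    /**
     * Encrypts {@code password} for storage, bound to {@code username}.
     *
     * <p>The username is lower-cased (locale-independently) so that the stored value does
     * not depend on how the user typed the name. The password is kept exactly as given;
     * lower-casing it would make passwords case-insensitive and hand back a different
     * string on decryption.
     *
     * @param username account name, used as a prefix of the encrypted plaintext
     * @param password plaintext password
     * @param b64key   Base64-encoded DES key; an empty string selects a throw-away random key
     * @return Base64 text of the ciphertext (no line breaks)
     * @throws Exception if the key is invalid or the cipher is unavailable
     */
    public static String encryptPassword(String username,
            String password, String b64key) throws Exception
    {
        String value2encode = username.toLowerCase(Locale.ROOT) + password;
        Cipher ecipher = Cipher.getInstance(TRANSFORMATION);
        ecipher.init(Cipher.ENCRYPT_MODE, getKey(b64key));
        byte[] ciphertext = ecipher.doFinal(value2encode.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ciphertext);
    }

    /**
     * Decrypts a value produced by {@link #encryptPassword} and strips the username prefix.
     *
     * @param username  account name the stored value is expected to belong to
     * @param epassword Base64 text read from storage
     * @param b64key    Base64-encoded DES key used for encryption
     * @return the plaintext password
     * @throws IllegalArgumentException if the decrypted value does not start with the
     *         lower-cased username, i.e. the stored value belongs to another account
     * @throws Exception if the key is invalid or the ciphertext cannot be decrypted
     */
    public static String decryptPassword(String username,
            String epassword, String b64key) throws Exception
    {
        Cipher dcipher = Cipher.getInstance(TRANSFORMATION);
        dcipher.init(Cipher.DECRYPT_MODE, getKey(b64key));
        // The MIME decoder tolerates line breaks, as the old sun.misc decoder did.
        byte[] ciphertext = Base64.getMimeDecoder().decode(epassword);
        String plain = new String(dcipher.doFinal(ciphertext), StandardCharsets.UTF_8);

        // Must mirror the prefix built in encryptPassword, including its length.
        String prefix = username.toLowerCase(Locale.ROOT);
        if (!plain.startsWith(prefix))
        {
            // ECB gives no integrity check; the prefix is the only binding to the account.
            // The message deliberately carries no decrypted material.
            throw new IllegalArgumentException(
                    "stored value does not belong to the given username");
        }
        return plain.substring(prefix.length());
    }

    /**
     * Builds the DES key from its Base64 form.
     *
     * <p>TODO should be a singleton.
     *
     * <p>TODO read key from a file; it must never change (actually the software should
     * provide an option to use a new key and to migrate all accounts). Losing the key
     * disables all accounts.
     *
     * @param b64key Base64-encoded 8-byte DES key, or an empty string for a random key
     * @return the secret key
     * @throws Exception if the key material is invalid or DES is unavailable
     */
    private static SecretKey getKey(String b64key) throws Exception
    {
        // Compare by content: "==" only matched the interned literal "".
        if (b64key.isEmpty())
        {
            /* dynamic key option, useless: every call yields a different key,
               so nothing encrypted with it can be decrypted later */
            return KeyGenerator.getInstance("DES").generateKey();
        }
        byte[] rawKey = Base64.getMimeDecoder().decode(b64key);
        DESKeySpec keyspec = new DESKeySpec(rawKey);
        return SecretKeyFactory.getInstance("DES").generateSecret(keyspec);
    }
}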