ulisesbocchio / jasypt-spring-boot

Jasypt integration for Spring boot
MIT License

integrating jasypt with ibmjcefips provider #34

Closed schacko3 closed 8 years ago

schacko3 commented 8 years ago

I haven't been successful at integrating jasypt with the ibmjcefips provider. I can use the provider directly in my code, so yes, it is successfully set up in the JDK (e.g. strong encryption enabled, provider registered). But when I attempt to encrypt with it using jasypt I get a FipsRuntimeException. I have googled this exception repeatedly without luck. Is there a way to get more debug from jasypt? Has anyone successfully integrated jasypt with a truly FIPS compliant provider (Bouncy Castle is not certified compliant)? Thanks.

ulisesbocchio commented 8 years ago

I'm not so sure it'll work. Do you have any test code showing how you are successfully using it without jasypt?

schacko3 commented 8 years ago

Hi - I can clean up the code and send it later. But are you aware of jasypt working with any FIPS compliant provider before? Thanks

schacko3 commented 8 years ago

Would you know of any way I can get more debug out of the jasypt cmd line tools? Then I can investigate the root cause of the FIPSRuntimeException I get when I try to encrypt via the jasypt cmd line.

ulisesbocchio commented 8 years ago

I'm not aware of any integration at the moment. Jasypt is open source and the cmd line tool is quite simple, you can download the code or check it out here. That service class is used by the CLI classes that are called from scripts you're using.

ulisesbocchio commented 8 years ago

In any case, an example of what you're doing would be the only way I'd be able to help you.

schacko3 commented 8 years ago

What we had been doing is paraphrased below. Would like to do the same using jasypt's property files alone, or at least minimal programming:

```java
// Class wrapper and imports added so the snippet compiles; the Base64 helpers
// are assumed to come from Apache Commons Codec.
import static java.nio.charset.StandardCharsets.UTF_8;
import static org.apache.commons.codec.binary.Base64.encodeBase64;
import static org.apache.commons.codec.binary.Base64.encodeBase64String;

import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.ibm.crypto.fips.provider.IBMJCEFIPS;

public class FipsAesExample {

    private static final int KEY_SIZE_128 = 128;
    private static final IBMJCEFIPS ibmJCEFIPSProvider = new com.ibm.crypto.fips.provider.IBMJCEFIPS();

    public static void main(String[] args) {
        String plainText = "What to encrypt";

        byte[] keyBytes = generateEncodedFIPSAESKeyBytes();

        String key = encodeBase64String(keyBytes);
        System.out.println(key);

        SecretKeySpec secretObj = new SecretKeySpec(keyBytes, "AES");

        try {
            // No provider, mode or padding is named here, so the JCA picks the
            // highest-priority registered provider and its default transformation.
            Cipher cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.ENCRYPT_MODE, secretObj);

            // Encrypt the input text from the cipher
            byte[] encryptedTextBytes = cipher.doFinal(plainText.getBytes(UTF_8));
            String encrypted = new String(encodeBase64(encryptedTextBytes), UTF_8);
            System.out.println(encrypted);
        } catch (GeneralSecurityException e) {
            // Covers the key, algorithm, padding and block-size exceptions
            e.printStackTrace();
        }
    }

    // Generates a 128-bit AES key with the IBMJCEFIPS provider and returns its raw bytes
    public static byte[] generateEncodedFIPSAESKeyBytes() {
        Security.addProvider(ibmJCEFIPSProvider);
        try {
            KeyGenerator keyGen = KeyGenerator.getInstance("AES", ibmJCEFIPSProvider);
            keyGen.init(KEY_SIZE_128);
            SecretKey secKey = keyGen.generateKey();
            return secKey.getEncoded();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

ulisesbocchio commented 8 years ago

It seems like all you gotta do is to implement StringEncryptor to use it with this plugin:

```java
public interface StringEncryptor {

    /**
     * Encrypt the input message
     *
     * @param message the message to be encrypted
     * @return the result of encryption
     */
    public String encrypt(String message);

    /**
     * Decrypt an encrypted message
     *
     * @param encryptedMessage the encrypted message to be decrypted
     * @return the result of decryption
     */
    public String decrypt(String encryptedMessage);

}
```

And then follow the guide in the Readme to hook in your own encryptor, which is basically just defining a @Bean:

```java
@Bean(name="encryptorBean")
public static StringEncryptor stringEncryptor() {
    return new YourFIPSStringEncryptor();
}
```
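One way to implement the StringEncryptor suggested in the comment above, as an added example that is not code from this thread, jasypt, or jasypt-spring-boot. The class name `ProviderPinnedStringEncryptor` is hypothetical; it assumes the supplied provider offers `AES/GCM/NoPadding` and that the AES key is loaded elsewhere.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.jasypt.encryption.StringEncryptor;

// Added example; hypothetical class, not part of jasypt or jasypt-spring-boot.
public class ProviderPinnedStringEncryptor implements StringEncryptor {
    private static final String TRANSFORMATION = "AES/GCM/NoPadding"; // assumes the provider offers it
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private final Provider provider; // e.g. new com.ibm.crypto.fips.provider.IBMJCEFIPS()
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();
    public ProviderPinnedStringEncryptor(Provider provider, SecretKey key) {
        this.provider = provider;
        this.key = key;
    }

    @Override
    public String encrypt(String message) {
        try {
            byte[] iv = new byte[IV_BYTES];
            random.nextBytes(iv); // fresh IV for every message
            Cipher cipher = Cipher.getInstance(TRANSFORMATION, provider); // pinned: no fallback to other providers
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = cipher.doFinal(message.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Encryption failed with provider " + provider.getName(), e);
        }
    }

    @Override
    public String decrypt(String encryptedMessage) {
        try {
            byte[] in = Base64.getDecoder().decode(encryptedMessage); // layout: IV || ciphertext+tag
            Cipher cipher = Cipher.getInstance(TRANSFORMATION, provider);
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            return new String(cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Decryption failed with provider " + provider.getName(), e);
        }
    }
}
```

The `@Bean` method from the comment above would return `new ProviderPinnedStringEncryptor(new com.ibm.crypto.fips.provider.IBMJCEFIPS(), key)`. Calling `Cipher.getInstance("AES")` without a provider argument, as in the earlier snippet, lets the JCA choose whichever registered provider ranks first.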
ulisesbocchio commented 8 years ago

Where can I get this? com.ibm.crypto.fips.provider.IBMJCEFIPS