Differences Between IBM JDK and Sun JDK Cryptographic Providers


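I recently built a tool for a customer. The requirement: the customer downloads data packages from the command line with this tool; the downloaded packages are encrypted, and only logged-in users are allowed to decrypt and use them.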


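The implementation is not complicated. The flow:

1. At login, the user's password is encrypted with SHA-1 plus an n-digit random code and submitted to the server for verification.

2. The data packages are already encrypted on the server (PBEWithSHA1AndDESede); the user selects and downloads a package based on its summary information.

3. When installing a package, the user is required to enter the password; after confirmation, the package is decrypted and used.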


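After testing on Windows and Linux at our company, we tested on site at the customer's (an AIX machine) and found that the program threw errors. After a lot of digging, it turned out that the IBM JDK and the Sun JDK use different cryptographic providers: code written against the Sun JDK's algorithms fails on AIX either because the provider cannot be found or because the key length is wrong.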


Below is the cryptographic provider information for the two JDKs; the difference is obvious.

---------------Sun JDK 1.5 cryptographic provider information
SUN 1.5 SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
SunRsaSign 1.5 Sun RSA signature provider
SunJSSE 1.5 Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
SunJCE 1.5 SunJCE Provider (implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, Diffie-Hellman, HMAC)
SunJGSS 1.0 Sun (Kerberos v5)
SunSASL 1.5 Sun SASL provider(implements client mechanisms for: DIGEST-MD5, GSSAPI, EXTERNAL, PLAIN, CRAM-MD5; server mechanisms for: DIGEST-MD5, GSSAPI, CRAM-MD5)


---------------AIX JDK 1.5 cryptographic provider information
IBMJSSE2 1.5 IBM JSSE provider2 (implements IbmX509 key/trust factories, SSLv3, TLSv1)
IBMJCE 1.2 IBMJCE Provider implements the following: HMAC-SHA1, MD2, MD5, MARS, SHA, MD2withRSA, MD5withRSA, SHA1withRSA, RSA, SHA1withDSA, RC2, RC4, Seal)implements the following:
Signature algorithms               : SHA1withDSA, SHA1withRSA, MD5withRSA, MD2withRSA,
                                       SHA2withRSA, SHA3withRSA, SHA5withRSA
Cipher algorithms                  : Blowfish, AES, DES, TripleDES, PBEWithMD2AndDES,
                                       PBEWithMD2AndTripleDES, PBEWithMD2AndRC2,
                                       PBEWithMD5AndDES, PBEWithMD5AndTripleDES,
                                       PBEWithMD5AndRC2, PBEWithSHA1AndDES
                                       PBEWithSHA1AndTripleDES, PBEWithSHA1AndRC2
                                       PBEWithSHAAnd40BitRC2, PBEWithSHAAnd128BitRC2
                                       PBEWithSHAAnd40BitRC4, PBEWithSHAAnd128BitRC4
                                       PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd3KeyTripleDES
                                       Mars, RC2, RC4, ARCFOUR
                                       RSA, Seal
Message authentication code (MAC)  : HmacSHA1, HmacSHA256, HmacSHA384, HmacSHA512, HmacMD2, HmacMD5
Key agreement algorithm            : DiffieHellman
Key (pair) generator               : Blowfish, DiffieHellman, DSA, AES, DES, TripleDES, HmacMD5,
                                       HmacSHA1, Mars, RC2, RC4, RSA, Seal, ARCFOUR
Message digest                     : MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512
Algorithm parameter generator      : DiffieHellman, DSA
Algorithm parameter                : Blowfish, DiffieHellman, AES, DES, TripleDES, DSA, Mars,
                                       PBEwithMD5AndDES, RC2
Key factory                        : DiffieHellman, DSA, RSA
Secret key factory                 : Blowfish, AES, DES, TripleDES, Mars, RC2, RC4, Seal, ARCFOUR
                                       PKCS5Key, PBKDF1 and PBKDF2(PKCS5DerivedKey).
Certificate                        : X.509
Secure random                      : IBMSecureRandom
Key store                          : JCEKS, PKCS12KS (PKCS12), JKS

IBMJGSSProvider 1.5 IBMJGSSProvider supports Kerberos V5 Mechanism
IBMCertPath 1.1 IBMCertPath Provider implements the following:
CertificateFactory                : X.509
CertPathValidator              : PKIX
CertStore                      : Collection, LDAP
CertPathBuilder                : PKIX

IBMSASL 1.5 IBM SASL provider(implements client mechanisms for: DIGEST-MD5, GSSAPI, EXTERNAL, PLAIN, CRAM-MD5; server mechanisms for: DIGEST-MD5, GSSAPI, CRAM-MD5)




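Solutions:

1. Write a dedicated program for the IBM JDK that uses IBM's cryptographic algorithms. This approach carries the risk that the two JDKs produce different encryption results.

2. Load the Sun JDK cryptographic packages into the AIX (Java runtime) environment. This is the approach we adopted.


For the second approach, the Sun JDK/JRE cryptographic packages for the required algorithms have to be loaded on AIX.

jre/lib/ext/sunjce_provider.jar and jre/lib/jce.jar contain the SunJCE provider (needed for the PBEWithSHA1AndDESede algorithm); jdk/lib/rt.jar contains the SUN provider (needed for the SHA-1 algorithm).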
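A startup check that surfaces this kind of mismatch before any data is encrypted, as an added example (not the author's code): it prints every installed provider in the same name/version/info form as the listings above and reports which providers offer the three services the code on this page requests. The class name ProviderPreflight and the exit-on-failure behaviour are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Added example: preflight check for the JCA services this page's code depends on. */
public class ProviderPreflight {

    // Services requested by encrypt/decrypt/sha1Hex, written as "<service>.<algorithm>" filters.
    static final String[] REQUIRED = {
        "SecretKeyFactory.PBEWithSHA1AndDESede",
        "Cipher.PBEWithSHA1AndDESede",
        "MessageDigest.SHA-1",
    };

    /** Names of installed providers offering the service, in preference order (empty if none). */
    static List<String> providersFor(String filter) {
        List<String> names = new ArrayList<String>();
        Provider[] found = Security.getProviders(filter); // null when nothing matches
        if (found != null) {
            for (Provider p : found) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Same name / version / info triple as the provider listings above.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " " + p.getVersion() + " " + p.getInfo());
        }
        boolean ok = true;
        for (String filter : REQUIRED) {
            List<String> names = providersFor(filter);
            System.out.println(filter + " -> " + names);
            if (names.isEmpty()) {
                ok = false; // no installed provider implements this algorithm name
            }
        }
        if (!ok) {
            System.err.println("Required algorithm missing on JVM vendor: "
                    + System.getProperty("java.vendor"));
            System.exit(1);
        }
    }
}
```

Run it on each target JVM before deployment; an empty list for any filter means `getInstance` with that algorithm name will fail there.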


Code changes

Register the cryptographic providers explicitly

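import java.security.Key;
import java.security.MessageDigest;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// The static block and the methods below go inside the utility class.
static {
    // Register the Sun providers only if the running JVM does not already have them.
    if (null == Security.getProvider("SunJCE")) {
        Security.addProvider(new com.sun.crypto.provider.SunJCE());
    }

    if (null == Security.getProvider("SUN")) {
        Security.addProvider(new sun.security.provider.Sun());
    }
}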



When using an algorithm, the provider name must be given explicitly

/**
 * Password-based encryption.
 * secretPasswd (char[]), secretSalt (byte[]) and secretIterations (int)
 * are class fields that are not shown on this page.
 * @param src plaintext bytes
 * @return ciphertext, or null if encryption fails
 */
public static byte[] encrypt(byte[] src) {
    byte[] res = null;

    try {
        PBEKeySpec keySpec = new PBEKeySpec(secretPasswd);
        // The second argument pins the provider to SunJCE.
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede", "SunJCE");
        Key passwdKey = keyFactory.generateSecret(keySpec);
        PBEParameterSpec paramSpec = new PBEParameterSpec(secretSalt, secretIterations);

        Cipher cip = Cipher.getInstance("PBEWithSHA1AndDESede", "SunJCE");
        cip.init(Cipher.ENCRYPT_MODE, passwdKey, paramSpec);
        // Encrypt the data
        res = cip.doFinal(src);
    } catch (Exception ex) {
        ex.printStackTrace();
    }

    return res;
}

/**
 * Password-based decryption.
 * Uses the same secretPasswd, secretSalt and secretIterations fields as encrypt.
 * @param data ciphertext bytes
 * @return plaintext, or null if decryption fails
 */
public static byte[] decrypt(byte[] data) {
    byte[] res = null;

    try {
        PBEKeySpec keySpec = new PBEKeySpec(secretPasswd);
        // The second argument pins the provider to SunJCE.
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede", "SunJCE");
        Key passwdKey = keyFactory.generateSecret(keySpec);
        PBEParameterSpec paramSpec = new PBEParameterSpec(secretSalt, secretIterations);

        Cipher cip = Cipher.getInstance("PBEWithSHA1AndDESede", "SunJCE");
        cip.init(Cipher.DECRYPT_MODE, passwdKey, paramSpec);
        // Decrypt the data
        res = cip.doFinal(data);
    } catch (Exception ex) {
        ex.printStackTrace();
    }

    return res;
}

/**
 * Returns the SHA-1 digest of the input as a hexadecimal string.
 * @param btInput bytes to hash
 * @return upper-case hex digest, or "" if hashing fails
 */
public static String sha1Hex(byte[] btInput) {
    final char hexDigits[] = {'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
    try {
        // The second argument pins the provider to SUN.
        MessageDigest mdInst = MessageDigest.getInstance("SHA-1", "SUN");
        mdInst.update(btInput);
        byte[] md = mdInst.digest();
        // Convert the digest bytes to a hexadecimal string
        int j = md.length;
        char str[] = new char[j * 2];

        for (int i = 0, k = 0; i < j; i++) {
            byte byte0 = md[i];
            str[k++] = hexDigits[byte0 >>> 4 & 0xf];
            str[k++] = hexDigits[byte0 & 0xf];
        }

        return new String(str);
    } catch (Exception e) {
        e.printStackTrace();
        return "";
    }
}

