46 import javax.crypto.spec.*; |
46 import javax.crypto.spec.*; |
47 import javax.security.auth.DestroyFailedException; |
47 import javax.security.auth.DestroyFailedException; |
48 |
48 |
49 import sun.security.x509.AlgorithmId; |
49 import sun.security.x509.AlgorithmId; |
50 import sun.security.util.ObjectIdentifier; |
50 import sun.security.util.ObjectIdentifier; |
|
51 import sun.security.util.SecurityProperties; |
51 |
52 |
52 /** |
53 /** |
53 * This class implements a protection mechanism for private keys. In JCE, we |
54 * This class implements a protection mechanism for private keys. In JCE, we |
54 * use a stronger protection mechanism than in the JDK, because we can use |
55 * use a stronger protection mechanism than in the JDK, because we can use |
55 * the <code>Cipher</code> class. |
56 * the <code>Cipher</code> class. |
73 // JavaSoft proprietary key-protection algorithm (used to protect private |
74 // JavaSoft proprietary key-protection algorithm (used to protect private |
74 // keys in the keystore implementation that comes with JDK 1.2) |
75 // keys in the keystore implementation that comes with JDK 1.2) |
75 private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; |
76 private static final String KEY_PROTECTOR_OID = "1.3.6.1.4.1.42.2.17.1.1"; |
76 |
77 |
77 private static final int MAX_ITERATION_COUNT = 5000000; |
78 private static final int MAX_ITERATION_COUNT = 5000000; |
78 private static final int ITERATION_COUNT = 200000; |
79 private static final int MIN_ITERATION_COUNT = 10000; |
|
80 private static final int DEFAULT_ITERATION_COUNT = 200000; |
79 private static final int SALT_LEN = 20; // the salt length |
81 private static final int SALT_LEN = 20; // the salt length |
80 private static final int DIGEST_LEN = 20; |
82 private static final int DIGEST_LEN = 20; |
|
83 private static final int ITERATION_COUNT; |
81 |
84 |
82 // the password used for protecting/recovering keys passed through this |
85 // the password used for protecting/recovering keys passed through this |
83 // key protector |
86 // key protector |
84 private char[] password; |
87 private char[] password; |
|
88 |
|
89 /** |
|
90 * {@systemProperty jdk.jceks.iterationCount} property indicating the |
|
91 * number of iterations for password-based encryption (PBE) in JCEKS |
|
92 * keystores. Values in the range 10000 to 5000000 are considered valid. |
|
93 * If the value is out of this range, or is not a number, or is |
|
94 * unspecified; a default of 200000 is used. |
|
95 */ |
|
96 static { |
|
97 int iterationCount = DEFAULT_ITERATION_COUNT; |
|
98 String ic = SecurityProperties.privilegedGetOverridable( |
|
99 "jdk.jceks.iterationCount"); |
|
100 if (ic != null && !ic.isEmpty()) { |
|
101 try { |
|
102 iterationCount = Integer.parseInt(ic); |
|
103 if (iterationCount < MIN_ITERATION_COUNT || |
|
104 iterationCount > MAX_ITERATION_COUNT) { |
|
105 iterationCount = DEFAULT_ITERATION_COUNT; |
|
106 } |
|
107 } catch (NumberFormatException e) {} |
|
108 } |
|
109 ITERATION_COUNT = iterationCount; |
|
110 } |
85 |
111 |
86 KeyProtector(char[] password) { |
112 KeyProtector(char[] password) { |
87 if (password == null) { |
113 if (password == null) { |
88 throw new IllegalArgumentException("password can't be null"); |
114 throw new IllegalArgumentException("password can't be null"); |
89 } |
115 } |
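Review bot: The new static initializer drops a rejected `jdk.jceks.iterationCount` value without any trace: both the out-of-range branch and the empty `catch (NumberFormatException e) {}` fall back to DEFAULT_ITERATION_COUNT, so an operator who sets the property to raise the PBE cost, or mistypes it, cannot tell that keys are still protected with 200000 iterations. At minimum the catch should state its intent, `} catch (NumberFormatException ignored) { /* keep DEFAULT_ITERATION_COUNT */ }`, and if this class can reach a provider debug logger (none is visible here), both fallback paths should report the ignored value. The comment above the block could also say that the property is read once at class initialization, and that accepted values between 10000 and 200000 lower the work factor relative to the default. The static block is complete in this hunk, but the enclosing class starts above the visible lines and the KeyProtector constructor continues past them.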