I need jCrypt java class in my ColdFusion application to encrypt passwords. Here is the code that I'm trying to use:
<cfscript>
cfobject( name="JCrypt", type="java", action="create", class="JCrypt" );
enc_password = trim(JCrypt.crypt("kL","myPassTest123"));
</cfscript>
Once I run this code error occurred with this message:
Object Instantiation Exception.
Class not found: JCrypt
The message indicates that class is not found. I'm wondering how I can implement jCrypt in my ColdFusion application? Thank you.
I would be hesitant to use something like JCrypt that has little to no footprint on the Internet as the base for password encryption. The sourceforge page has a link to a homepage to no longer exists. You should be using BCrypt for password encryption.
https://auth0.com/blog/hashing-in-action-understanding-bcrypt/
Brad Wood has a great presentation on ColdFusion and BCrypt called "Pass the Salt".
You can download a copy of JBcrypt here:
https://www.mindrot.org/projects/jBCrypt/
Here's a ColdBox Module that can give you some idea of a CF implementation:
https://github.com/coldbox-modules/cbox-bcrypt
That repo has a copy of the JBcrypt.jar file and a CFC wrapper that you can just drop into your application.
https://github.com/coldbox-modules/cbox-bcrypt/blob/master/modules/bcrypt/models/BCrypt.cfc
This wrapper uses a Java Loader to to load the JAR if you can't just drop the file into the CF server's lib path.
oBcrypt = new path.to.Bcrypt();
password = "Password";
hashed = oBcrypt.hashPassword(password);
check = oBcrypt.checkPassword(password, hashed);
The hashPassword() function will save the salt and the encrypted password in a single string that you save in the database.
Related
I have a java program that has a method:
static void verifyAndDecrypt(PGPPublicKey publicKeyIn, PGPSecretKeyRingCollection privateKey, String password, InputStream toBeDecrypted, OutputStream outputStream)
It uses bouncy castle to decrypt and verify a file. The output is written to outputStream.
In production I have run into the scenario of receiving files with signatures that the java code is able to decrypt, but not do signature verification on.
Lets call such a production file prodFile.txt.gpg.
That file is thus encrypted with our public key, and signed with the senders private key.
(I have yet to figure out why it fails, these files are able to be verified using GnuPG)
I have added the option of being lenient and just log a warning when signature fails.
My question is, how do I write unit tests for this?
I could (and have locally on my machine) write a test that takes prodFile.txt.gpg and call verifyAndDecrypt() on it, given that I pass in our secret key and password, and asserts that the file is decrypted, and when the signature verification fails logs a warning.
But I can't check in this code, since it would leave password and private keys in the repo.
So my question is,
How do I create a file testFile.txt.gpg that replicates the above scenario?
I could create key pairs for testing, but I don't know how to force the failing of the signature in the same way as with prodFile.txt.gpg.
I am also wondering if it's possible to "unpack" the content of prodFile.txt.gpg so that I have the cleartext file: prodFile.txt and the corresponding signature that I have problem with. And from there make a modification to prodfile.txt so that the signature doesn't match, then encrypt it with the public key of a keypair for testing purposes while using the "bad" signature. But I can't seem to find a way to do this. I suspect the gpg command won't let me do something like this.
I need to add bulk data into the LDAP server from the ldif file. I researched of java APIs but can't find the suitable one
I already tried with LdapTestUtils but it requires a server restart. I need another way except this
You will need to use a separate library that has API supporting LDIF import. Once such library is Apache Directory LDAP API. The library is in general compatible with most of the LDAP servers.
Refer the documentation, The LdifFileLoader class has features to import LDIF, in tandem with DefaultDirectoryService class (unfortunately I am unable to locate my earlier code demonstrating the LDIF import). You could refer this post, which shows how to use the above, though it deals with a problem of a different type.
I am not sure of the LDAP server you are using, however, you could give the above a shot and check.
It can also be achieved via LdapTemplate. LdapParser will parse the record from ldif file in the form of LdapAttribute then bind this record via ldapTemplate.bind
LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl("ldap://192.168.99.101:389/");
contextSource.setUserDn("uid=admin,dc=abc,dc=com");
contextSource.setPassword(********);
contextSource.setPooled(false);
contextSource.afterPropertiesSet();
LdapTemplate template = new LdapTemplate(contextSource);
LdifParser parser = new LdifParser(new ClassPathResource("schema.ldif"));
parser.open();
while (parser.hasMoreRecords()) {
LdapAttributes record = parser.getRecord();
LdapName dn = record.getName();
template.bind(dn, null, record);
}
I'm working on a simple java program that takes in user input, then parses the data and uploads it into a sql database to store online.
In my JDBC code I have the following: (Small example)
public class JDBCExample {
// JDBC driver name and database URL
static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
static final String DB_URL = "jdbc:mysql://localhost/";
// Database credentials
static final String USER = "username";
static final String PASS = "password";
I am wondering how safe it is to have my username and password just openly available in plain text in my programming code after I convert it to a jar file. Is it easy to reverse engineer an application like this and reveal the code?
Incredibly easy, yes. javap -c JDBCExample.class will do it in a heartbeat.
Generally the way this is done is by separating the client-side app, which you distribute publicly, from a server-side app that runs on a trusted server. The client app you distribute doesn't access the database directly; instead, it talks to the server program, which publishes an API (often a RESTful API over HTTP) through which the client can make requests. That trusted server-side program is what talks to the database directly.
And even then, it's best practice to not hard-code your credentials into the server-side code. Instead, have the service read those credentials from a file which you keep separate from the code base (for instance, don't check that file into your source control).
You could save the username and password in a separate property file so that you could change it anytime without having to recompile the codes.
On your question, whatever your code can read in your codes/files, most likely, users can also. Please see this as reference.
I use ciphering and deciphering in my code.
use javax.crypto class to encrypt your password and inside your class use deciphering to decipher and send the password.
This works only if you place class file for deciphering rather than .java file.
example for ciphering link.
i try to find the good way for the best technology/method for hidden password in a file, but without use external jar or library.
Actually i use one object that represent a list of user name and password. Convert my list in a xml (only in memory) and after that, i store in a file with AES.
Use only java 7, no external library.
Is a good/secure method?
If this operation is no good, is possible to create dynamically xml encrypted?
thanks
You can use a FileOutputStream wrapped in a CipherOutputStream.
It's not really secure to save passwords encrypted with AES because:
1) Where do you store the key? If you store it in the server, if an attacker violates the server and finds the key, he will have complete acces to the users information.
2) Do you really need to know the users' passwords? In many application, for security reasons, it's better to keep only the hash of the password. The username can be stored in plaintext and you can also add a salt to the password to enforce it. You can do that with some algorithms offered by Java7 platform. In this way, even if someone enters your server, he can't use users login informations without breaking the hash function.
Here's an example that worked for me:
public byte[] getHash(String password, byte[] salt, String algorithm) throws NoSuchAlgorithmException, UnsupportedEncodingException {
MessageDigest digest = MessageDigest.getInstance(algorithm);//The String rapresents the alg you want to use: for example "SHA-1" or "SHA-256"
digest.reset();
digest.update(salt);
return digest.digest(password.getBytes("UTF-8"));
}
You can also look at this link for a more complete example: https://www.owasp.org/index.php/Hashing_Java
I'm trying to make a program that reads and displays certificate info from the token (Safenet)
but the problem that I face is :
Exception in thread "main" java.security.ProviderException: Error parsing configuration
so I think the problem is in the Configuration file.
How can I make the configration file and also the implementation file so it works correctly.
Thanks
you can able to resolve the error by correcting nss.cfg in %AS_HOME%\domains\nssdomain\config\
you can follow the instructions in the section "Configure Glassfish to Use the NSS Stores" on this page.
Either follow this link also.
In order to work with PKCS#11 in java you need to provide a config file where you at least specify library and name parameter. In this parameters you must specify the path to native library for the token and a arbitrary identifier. Additionally you can add more parameters but they are optional, you can take a look on java pkcs#11 reference guide. I give you a code sample to instantiate a PKCS#11:
// create configuration
String pkcs11nativeLibrary = "/path_to_native_library/library.so";
String pkcs11ConfigSettings = "name = mySmartCard\n" + "library = " + pkcs11nativeLibrary;
byte[] pkcs11ConfigBytes = pkcs11ConfigSettings.getBytes();
final ByteArrayInputStream confStream = new ByteArrayInputStream(pkcs11ConfigBytes);
// instantiate the provider with your config
SunPKCS11 pkcs11Provider = new SunPKCS11(confStream);
Security.addProvider(pkcs11Provider);
// get the keystore
Char[] pkcs11Password = "your_password".toCharArray();
KeyStore myPKCS11KS = KeyStore.getInstance("PKCS11", pkcs11Provider );
myPKCS11KS.load(null, pkcs11Password);
In the sample I put the pkcs11 password directly, however when you try to load a PKCS#11 from some client you have to get the password dinamically in order to do so you can change you key store instance for something like:
// YourCallbackHandler must implements javax.security.auth.callback.CallbackHandler
KeyStore.CallbackHandlerProtection cbhp = new KeyStore.CallbackHandlerProtection(new YourCallbackHandler());
KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11Provider, cbhp);
KeyStore myPKCS11KS = builder.getKeyStore();
Hope this helps,