<div dir="ltr">Hello Bruno!<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 5, 2014 at 3:52 PM, Bruno Oliveira <span dir="ltr"><<a href="mailto:bruno@abstractj.org" target="_blank">bruno@abstractj.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">You don’t need a key pair, so I can’t see any good reason to use the KeyStore. If Apple graciously requires the passphrase in plain text we need to do something about it.<br>
<br>
PBKDF2 is not only a function to store passwords, but is also possible to generate secret keys. So into your scenarios the solution is:<br>
<br>
Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();<br>
byte[] salt = new Random().randomBytes();<br>
int iterations = 100000;<br>
SecretKey secretKey = pbkdf2.generateSecretKey(PASSWORD, salt, iterations);<br>
<br>
CryptoBox cryptoBox = new CryptoBox(secretKey.getEncoded());<br>
String passphrase = "My bonnie lies over the ocean";<br>
byte[] ciphertext = cryptoBox.encrypt(CRYPTOBOX_IV, passphrase, RAW);<br>
<br>
<br>
Salt, IV and the number of iterations must be stored in some place, or you can just stick with the default number of iterations. But you still need to store salt and IV.<br></blockquote><div><br></div><div><br></div><div>
Ah, thanks for the hints. I have a little isolated test case. In there I (potentially) store the privateKey, the IV and the ciphertext in the database.</div><div><br></div><div>This basically simulates the case when the "new iOS variant" form has been submitted - so instead of the plain passphrase for the cert, I store the three guys (privateKey, IV, ciphertext):</div>
<div><a href="https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L43-L62">https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L43-L62</a><br>
</div><div><br></div><div><br></div><div><br></div><div>Later on, I use the pandora :) to decrypt, by leveraging the stored information in the database (privateKey, IV, ciphertext):</div><div><a href="https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L67-L71">https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L67-L71</a><br>
</div><div><br></div><div><br></div><div>Than I get back the 'plaintext' version of the certificate's passphrase, e.g. as byte[] or String:</div><div><a href="https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L74-L78">https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L74-L78</a><br>
</div><div><br></div><div><br></div><div>Greetings,</div><div>Matthias</div><div><br></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
--<br>
abstractj<br>
<div><div><br>
On February 5, 2014 at 9:20:37 AM, Matthias Wessendorf (<a href="mailto:matzew@apache.org" target="_blank">matzew@apache.org</a>) wrote:<br>
> > However, I am afraid it does not work for the iOS passphrase,<br>
> required to connect to Apple - looks like the library we use requires<br>
> it in plain text... (due to Apple? Not sure...)<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Matthias Wessendorf <br><br>blog: <a href="http://matthiaswessendorf.wordpress.com/" target="_blank">http://matthiaswessendorf.wordpress.com/</a><br>
sessions: <a href="http://www.slideshare.net/mwessendorf" target="_blank">http://www.slideshare.net/mwessendorf</a><br>twitter: <a href="http://twitter.com/mwessendorf" target="_blank">http://twitter.com/mwessendorf</a>
</div></div>