Hello Bruno!


On Wed, Feb 5, 2014 at 3:52 PM, Bruno Oliveira <bruno@abstractj.org> wrote:
You don’t need a key pair, so I can’t see any good reason to use the KeyStore. If Apple graciously requires the passphrase in plain text we need to do something about it.

PBKDF2 is not only a function to store passwords, but it is also possible to generate secret keys with it. So for your scenarios the solution is:

        Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
        byte[] salt = new Random().randomBytes();
        int iterations = 100000;
        SecretKey secretKey = pbkdf2.generateSecretKey(PASSWORD, salt, iterations);

        CryptoBox cryptoBox = new CryptoBox(secretKey.getEncoded());
        String passphrase = "My bonnie lies over the ocean";
        byte[] ciphertext = cryptoBox.encrypt(CRYPTOBOX_IV, passphrase, RAW);


Salt, IV and the number of iterations must be stored in some place, or you can just stick with the default number of iterations. But you still need to store salt and IV.


Ah, thanks for the hints. I have a little isolated test case. In there I (potentially) store the privateKey, the IV and the ciphertext in the database.

This basically simulates the case when the "new iOS variant" form has been submitted - so instead of the plain passphrase for the cert, I store the three guys (privateKey, IV, ciphertext):
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L43-L62



Later on, I use the pandora :) to decrypt, by leveraging the stored information in the database (privateKey, IV, ciphertext):
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L67-L71


Then I get back the 'plaintext' version of the certificate's passphrase, e.g. as byte[] or String:
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L74-L78


Greetings,
Matthias


 

--
abstractj

On February 5, 2014 at 9:20:37 AM, Matthias Wessendorf (matzew@apache.org) wrote:
> > However, I am afraid it does not work for the iOS passphrase,
> required to connect to Apple - looks like the library we use requires
> it in plain text... (due to Apple? Not sure...)




--
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
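
The round trip discussed in this thread, as an added example that is not code from either poster or from AeroGear: it swaps the AeroGear `Pbkdf2`/`CryptoBox` calls for the standard JCA equivalents (PBKDF2WithHmacSHA256 and AES-GCM, Java 8+) and persists only salt, iteration count, IV and ciphertext. The class name `PassphraseVault`, the `Stored` holder and the master password value are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class PassphraseVault {                       // hypothetical name
    // The database row: derivation parameters and ciphertext, no key material.
    static final class Stored {
        final byte[] salt, iv, ciphertext; final int iterations;
        Stored(byte[] salt, int iterations, byte[] iv, byte[] ciphertext) {
            this.salt = salt; this.iterations = iterations; this.iv = iv; this.ciphertext = ciphertext;
        }
    }

    // Re-derive the AES key on demand from the master password and the stored salt/iterations.
    static SecretKeySpec deriveKey(char[] master, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, iterations, 256);
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return new SecretKeySpec(key, "AES");
        } finally {
            spec.clearPassword();                    // wipe the password copy held by the spec
        }
    }

    static Stored encrypt(char[] master, String passphrase) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[12];
        rng.nextBytes(salt);                         // fresh salt per stored passphrase
        rng.nextBytes(iv);                           // fresh 96-bit IV per encryption
        int iterations = 100000;                     // same count as in the snippet in the thread
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt, iterations), new GCMParameterSpec(128, iv));
        return new Stored(salt, iterations, iv, c.doFinal(passphrase.getBytes(StandardCharsets.UTF_8)));
    }

    // Throws AEADBadTagException if the master password is wrong or the row was modified.
    static String decrypt(char[] master, Stored s) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(master, s.salt, s.iterations), new GCMParameterSpec(128, s.iv));
        return new String(c.doFinal(s.ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "constructed-master-password".toCharArray();  // constructed sample value
        Stored row = encrypt(master, "My bonnie lies over the ocean");
        System.out.println(decrypt(master, row));
    }
}
```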