[aerogear-dev] Question around encryption for iOS push certificate passphrase

Matthias Wessendorf matzew at apache.org
Wed Feb 5 11:00:44 EST 2014


Hello Bruno!


On Wed, Feb 5, 2014 at 3:52 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> You don't need a key pair, so I can't see any good reason to use the
> KeyStore. If Apple graciously requires the passphrase in plain text we need
> to do something about it.
>
> PBKDF2 is not only a function to store passwords, but it is also possible to
> generate secret keys with it. So in your scenarios the solution is:
>
>         Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
>         byte[] salt = new Random().randomBytes();
>         int iterations = 100000;
>         SecretKey secretKey = pbkdf2.generateSecretKey(PASSWORD, salt, iterations);
>
>         CryptoBox cryptoBox = new CryptoBox(secretKey.getEncoded());
>         String passphrase = "My bonnie lies over the ocean";
>         byte[] ciphertext = cryptoBox.encrypt(CRYPTOBOX_IV, passphrase, RAW);
>
>
> Salt, IV and the number of iterations must be stored in some place, or you
> can just stick with the default number of iterations. But you still need to
> store salt and IV.
>


Ah, thanks for the hints. I have a little isolated test case. In there I
(potentially) store the privateKey, the IV and the ciphertext in the
database.

This basically simulates the case when the "new iOS variant" form has been
submitted - so instead of the plain passphrase for the cert, I store the
three guys (privateKey, IV, ciphertext):
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L43-L62



Later on, I use the pandora :) to decrypt, by leveraging the stored
information in the database (privateKey, IV, ciphertext):
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L67-L71


Then I get back the 'plaintext' version of the certificate's passphrase,
e.g. as byte[] or String:
https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L74-L78


Greetings,
Matthias




>
> --
> abstractj
>
> On February 5, 2014 at 9:20:37 AM, Matthias Wessendorf (matzew at apache.org)
> wrote:
> > However, I am afraid it does not work for the iOS passphrase,
> > required to connect to Apple - looks like the library we use requires
> > it in plain text... (due to Apple? Not sure...)
>
>


-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
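
The round trip discussed in this thread, as an added example that is not code from either poster or from AeroGear: it uses the JDK's standard JCA classes (PBKDF2WithHmacSHA256 and AES-GCM) in place of AeroGear's Pbkdf2 and CryptoBox, and persists only salt, IV, iteration count and ciphertext, re-deriving the key when the passphrase is needed. The class name `PassphraseVault`, the master password value and the 16-byte salt / 12-byte IV sizes are assumptions made for the example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class PassphraseVault {
    static final int ITERATIONS = 100000; // same count as in the quoted snippet
    // Derive a 256-bit AES key from the master password; the derived key is never stored.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // AES-GCM with a 128-bit tag; mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE.
    static byte[] crypt(int mode, SecretKeySpec key, byte[] iv, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        // Constructed value; assumption: the real one is supplied at runtime, not read from the database.
        char[] master = "constructed-master-password".toCharArray();
        byte[] salt = new byte[16], iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt); // fresh salt per stored passphrase
        rng.nextBytes(iv);   // fresh IV per encryption; never reuse one with the same key
        // "New iOS variant" form submitted: encrypt the certificate passphrase.
        byte[] ciphertext = crypt(Cipher.ENCRYPT_MODE, deriveKey(master, salt), iv,
                "My bonnie lies over the ocean".getBytes(StandardCharsets.UTF_8));
        // Persist only: salt, iv, ITERATIONS, ciphertext.

        // Later, before connecting to Apple: re-derive the key from the stored salt and decrypt.
        byte[] plain = crypt(Cipher.DECRYPT_MODE, deriveKey(master, salt), iv, ciphertext);
        System.out.println(new String(plain, StandardCharsets.UTF_8));

        // A wrong master password derives a different key, and the GCM tag check rejects it.
        try {
            crypt(Cipher.DECRYPT_MODE, deriveKey("wrong".toCharArray(), salt), iv, ciphertext);
        } catch (AEADBadTagException e) {
            System.out.println("decryption rejected: authentication tag mismatch");
        }
    }
}
```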