[aerogear-dev] Question around encryption for iOS push certificate passphrase

Daniel Passos daniel at passos.me
Wed Feb 5 12:53:48 EST 2014 

On Wed, Feb 5, 2014 at 2:49 PM, Matthias Wessendorf <matzew at apache.org>wrote:

> Hello Bruno,
>
>
> On Wed, Feb 5, 2014 at 5:05 PM, Bruno Oliveira <bruno at abstractj.org>wrote:
>
>> You shouldn't store your private key, please make use of the suggested
>> code and let me know.
>>
>
>
> OK, not storing the 'private key', but instead I am only storing the IV,
> salt and ciphertext, right ?
>

Right. In this case you don't need store Private Key


> The following code is basically the (relevant) code behind the web-form
> when someone creates the logical construct of an iOS variant:
>
>
> https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L44-L62
>
> In real I get all the information for the variant (e.g. its name, its
> description, its certificate file and the passphrase for the certificate),
> but the above has been limited to the passphrase, as everything else is not
> so important here :-)
>
> So after that I have basically the following pieces in the database:
> * IV
> * salt
> * ciphertex
>
> instead of the plaintext passphrase for the iOS certs.
>

*NEVER* store password/passphrase


>  But, now, somewhere later in in the program, I need to do the decryption
> to get the actual passphrase for the stored Apple-certificate.
> However, I don't see how to create the CryptoBox here, as I should not
> stash the private/secret key, nor do I have access to the previous
> CryptoBox object
>
>
> https://github.com/matzew/psswd-salting/blob/master/src/test/java/net/wessendorf/salt/SecretKeyTest.java#L64-L85
>
>
> Looks like I am missing something here
>

If you have Salt and password you can create a PrivateKey "on the fly"


Pbkdf2 pbkdf2 = AeroGearCrypto.pbkdf2();
byte[] rawPassword = pbkdf2.encrypt(passphrase, salt);
PrivateKey privateKey = new PrivateKey(rawPassword);


And for create CriptoBox you only need a PrivateKey

 CryptoBox cryptoBox = new CryptoBox(privateKey);

Now you a able to decrypt using stored IV :)

byte[] decryptedData = cryptoBox.decrypt(IV, data);

That was exactly what we did in Ecrypted Store

https://github.com/danielpassos/aerogear-android/blob/master/src/org/jboss/aerogear/android/impl/datamanager/EncryptedSQLStore.java#L115-L150


-Matthias
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140205/6d99234e/attachment.html

More information about the aerogear-dev mailing list