From ab8cd68e52570cd75096629b9db37f23ae0589b8 Mon Sep 17 00:00:00 2001
From: Marco Platania <platania@research.att.com>
Date: Tue, 19 Mar 2019 15:22:58 -0400
Subject: Update cloud pwd encryption mechanism
Change-Id: I7a311d62d7d5cd5d38dc01250a7e327a9eeac267
Issue-ID: INT-988
Signed-off-by: Marco Platania <platania@research.att.com>
Signed-off-by: Gary Wu <gary.i.wu@huawei.com>
---
 deployment/heat/onap-oom/scripts/Crypto.java | 82 ++++++++++++++++++++++++++++
 deployment/heat/onap-oom/scripts/deploy.sh | 9 ++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 deployment/heat/onap-oom/scripts/Crypto.java
(limited to 'deployment/heat')
diff --git a/deployment/heat/onap-oom/scripts/Crypto.java b/deployment/heat/onap-oom/scripts/Crypto.java
new file mode 100644
index 000000000..a9bad509a
--- /dev/null
+++ b/deployment/heat/onap-oom/scripts/Crypto.java
@@ -0,0 +1,82 @@
+import javax.crypto.Cipher;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+public class Crypto {
+
+ private static final String AES = "AES";
+ private static final int GCM_TAG_LENGTH = 16;
+ private static final int GCM_IV_LENGTH = 12;
+ private static final String AES_GCM_NO_PADDING = "AES/GCM/NoPadding";
+
+ public static void main(String[] args) {
+ if(args.length != 2) {
+ System.out.println("Usage: java Crypto value_to_encrypt key");
+ System.out.println("exit(1)");
+ System.exit(1);
+ }
+
+ String value = args[0];
+ String key = args[1];
+ String encrypted = encryptCloudConfigPassword(value, key);
+ System.out.println(encrypted);
+ }
+
+ /**
+ * encrypt a value and generate a keyfile
+ * if the keyfile is not found then a new one is created
+ *
+ * @throws GeneralSecurityException
+ */
+ public static String encrypt (String value, String keyString) throws GeneralSecurityException {
+ SecretKeySpec sks = getSecretKeySpec (keyString);
+ Cipher cipher = Cipher.getInstance(AES_GCM_NO_PADDING);
+ byte[] initVector = new byte[GCM_IV_LENGTH];
+ (new SecureRandom()).nextBytes(initVector);
+ GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, initVector);
+ cipher.init(Cipher.ENCRYPT_MODE, sks, spec);
+ byte[] encoded = value.getBytes(java.nio.charset.StandardCharsets.UTF_8);
+ byte[] cipherText = new byte[initVector.length + cipher.getOutputSize(encoded.length)];
+ System.arraycopy(initVector, 0, cipherText, 0, initVector.length);
+ cipher.doFinal(encoded, 0, encoded.length, cipherText, initVector.length);
+ return byteArrayToHexString(cipherText);
+ }
+
+ public static String encryptCloudConfigPassword(String message, String key) {
+ try {
+ return Crypto.encrypt(message, key);
+ } catch (GeneralSecurityException e) {
+ return null;
+ }
+ }
+
+ private static SecretKeySpec getSecretKeySpec (String keyString) {
+ byte[] key = hexStringToByteArray (keyString);
+ return new SecretKeySpec (key, AES);
+ }
+
+ public static String byteArrayToHexString (byte[] b) {
+ StringBuilder sb = new StringBuilder(b.length * 2);
+ for (byte aB : b) {
+ int v = aB & 0xff;
+ if (v < 16) {
+ sb.append('0');
+ }
+ sb.append(Integer.toHexString(v));
+ }
+ return sb.toString ().toUpperCase ();
+ }
+
+ private static byte[] hexStringToByteArray (String s) {
+ byte[] b = new byte[s.length () / 2];
+ for (int i = 0; i < b.length; i++) {
+ int index = i * 2;
+ int v = Integer.parseInt (s.substring (index, index + 2), 16);
+ b[i] = (byte) v;
+ }
+ return b;
+ }
+}
\ No newline at end of file
diff --git a/deployment/heat/onap-oom/scripts/deploy.sh b/deployment/heat/onap-oom/scripts/deploy.sh
index 7977c6a55..264152f76 100755
--- a/deployment/heat/onap-oom/scripts/deploy.sh
+++ b/deployment/heat/onap-oom/scripts/deploy.sh
@@ -111,8 +111,15 @@ SSH_KEY=~/.ssh/onap_key
 source $WORKSPACE/test/ete/scripts/install_openstack_cli.sh
+#SO_ENCRYPTION_KEY=aa3871669d893c7fb8abbcda31b88b4f
+#export OS_PASSWORD_ENCRYPTED=$(echo -n "$OS_PASSWORD" | openssl aes-128-ecb -e -K "$SO_ENCRYPTION_KEY" -nosalt | xxd -c 256 -p)
+
+#Use new encryption method
+pushd $WORKSPACE/deployment/heat/onap-oom/scripts
+javac Crypto.java
 SO_ENCRYPTION_KEY=aa3871669d893c7fb8abbcda31b88b4f
-export OS_PASSWORD_ENCRYPTED=$(echo -n "$OS_PASSWORD" | openssl aes-128-ecb -e -K "$SO_ENCRYPTION_KEY" -nosalt | xxd -c 256 -p)
+export OS_PASSWORD_ENCRYPTED=$(java Crypto "$OS_PASSWORD" "$SO_ENCRYPTION_KEY")
+popd
 for n in $(seq 1 5); do
 if [ $full_deletion = true ] ; then
-- cgit 1.2.3-korg
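Review bot: `encryptCloudConfigPassword` turns every `GeneralSecurityException` into `null`, and `main` then does `System.out.println(encrypted)` and exits 0, so when `cipher.init` rejects the key (for example a hex key that is not a valid AES length) the caller captures the literal text `null` as the encrypted password with a success exit status and no error. The failure should be fatal: after the call add `if (encrypted == null) { System.err.println("encryption failed"); System.exit(1); }`, or simply let `encrypt` throw. The usage text in the `args.length != 2` branch also goes to `System.out`, which is exactly what a `$(java Crypto ...)` substitution captures, so both `println` calls there should be `System.err.println`. `hexStringToByteArray` silently drops the last nibble of an odd-length key and relies on an uncaught `NumberFormatException` for non-hex input; an explicit length and character check with a clear message would be friendlier. The Javadoc on `encrypt` talks about generating a keyfile, which this code does not do — it should instead state that the key is a hex string and that the result is the random 12-byte IV followed by the GCM ciphertext and tag, hex-encoded.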
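Review bot: The new `export OS_PASSWORD_ENCRYPTED=$(java Crypto "$OS_PASSWORD" "$SO_ENCRYPTION_KEY")` puts the cleartext OpenStack password on the JVM's command line, where any local user can read it from the process list (`ps`, `/proc/<pid>/cmdline`) for as long as the process runs; the replaced openssl line fed the password through a pipe and exposed only the key this way. Have Crypto read the value from stdin or an environment variable and keep at most the key on argv. Neither `javac Crypto.java` nor the command substitution is checked, and `export VAR=$(cmd)` masks the substitution's exit status even under `set -e` (the script's shell options are outside the hunk), so a compile or runtime failure exports an empty `OS_PASSWORD_ENCRYPTED` and the deployment continues; a `|| exit 1` on the `javac` line and a `[ -n "$OS_PASSWORD_ENCRYPTED" ] || exit 1` after the export would stop it. The two commented-out openssl lines are dead code now that the Java path replaces them and are better removed than kept as comments.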