Passwords and Encryption
Passwords are needed for external subscriptions. Either we ask every time or we store them somewhere on the server. Asking every time doesn't work as a subscription might affect freebusy and that is checked by other users.
Currently passwords are encrypted and stored in the BwCalendar object.
En/Decryption is carried out by a module which implements the PwEncryptionIntf interface and is obtained by a call on !svc.getEncrypter()
Currently a class name is built into svc. This could be a configurable property.
The currently used class is
This requires a configuration section in the options.xml file. The distrubuted version is
<default-pwencrypt classname="org.bedework.calfacade.security.DefaultPwEncryptionConfig"> <privKeys>@QUICKSTART_DIR@/data/bedework/privkeys</privKeys> <pubKeys>@QUICKSTART_DIR@/data/bedework/pubkeys</pubKeys> <debug>true</debug> <verbose>true</verbose> </default-pwencrypt>
We have 2 directories, one storing the private keys and one the public.
If these keys are lost or changed all stored passwords become invalid. Each file contains 1 or more keys numbered from 0 to n - 1.
Encrypted passwords are stored in the form
where n is the number of the key and chars is the base 64 encoded encryption.
Appending a new key pair will result in the system using the latest pair for all encodings. Old keys will continue to be used.
Most of the work is done by the pki class in rpiUtil - edu.rpi.cmt.security.pki. There are 2 classes, one, PkiUtil?, is a utility which droves the other and can be used to generate private/public keys. The other, PKITools, does the real work.
Creating a set of keys. This will become a runnable utility of some form.
cd into rpiUtil/dist.
The following all goes on one line
java -cp rpiutil-3.6.jar:../lib/commons-codec-1.3.jar:../lib/log4j-1.2.8.jar:../../bwtools/resources/ edu.rpi.cmt.security.pki.PkiUtil -genkeys -privkey bedework/privkeys -pubkey bedework/pubkeys
The utility will generate keys and then test them by encrypting and decrypting a string. If all goes well there is now a set of keys in directory bedework. Copy that directory into the quickstart data directory.
Other useful options are:
- -nappend - do not append to key files - just overwrite - DANGEROUS - will invalidate all your stored passwords.