개발/Web
[Tomcat] JNDI 정보 암호화(DB정보 : url, username, passowrd) / KDF 알고리즘 이용
ynzu🤍
2021. 11. 30. 14:29
반응형
1. url, username, password를 encrypt 한다.
- KDFEncrypted.java
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;
public class KDFEncrypted {
public static void main(String[] args) {
String key = "test";
String url = "jdbc:tibero:thin:@10.10.10.XX:XXXX:tibero";
String username = "root";
String password= "1q2w3e4r";
try {
System.out.println("########### Encrypt ############");
byte[] enc_url = encrypt("AES", key.getBytes(), url.getBytes());
byte[] enc_username = encrypt("AES", key.getBytes(), username.getBytes());
byte[] enc_password = encrypt("AES", key.getBytes(), password.getBytes());
String hex_url = new String(Hex.encodeHex(enc_url));
String hex_username = new String(Hex.encodeHex(enc_username));
String hex_password = new String(Hex.encodeHex(enc_password));
System.out.println("enc_hex_url : " + hex_url);
System.out.println("enc_hex_username : " + hex_username);
System.out.println("enc_hex_password : " + hex_password);
}catch (Exception e){
e.printStackTrace();
}
}
public static byte[] encrypt(String symmAlg, byte[] passwd, byte[] tbeData) throws Exception {
byte[] encData = null;
MessageDigest md = null;
//try {
md = MessageDigest.getInstance("SHA-256");
md.update(passwd);
byte[] hashVal = md.digest();
byte[] key = new byte[16];
System.arraycopy(hashVal, 0, key, 0, 16);
byte[] iv = new byte[16];
System.arraycopy(hashVal, 4, iv, 0, 16);
String encAlg = (symmAlg + "/CBC/PKCS5Padding");
Cipher cipher = Cipher.getInstance(encAlg);
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, symmAlg), new IvParameterSpec(iv));
encData = cipher.doFinal(tbeData);
return encData;
}
}
=> KDF Encrypt 후 Hex Encoding, key값은 decrypt할 때 사용한다.(해당 예제에서 key는 test라는 string data)
2. Server.xml에 JNDI를 등록한다
<Context allowCasualMultipartParsing="true" docBase="project1"
path="/sample" reloadable="true" source="org.eclipse.jst.jee.server:project1">
<Resource auth="Container"
defaultAutoCommit="false"
driverClassName="com.tmax.tibero.jdbc.TbDriver"
factory="com.project1.framework.jndi.KDFDecryptedDataSourceFactory"
initialSize="1" maxActive="2"
maxWait="10000" minIdle="2"
name="jdbc/project1"
url="ac0973fa30774730995c2ff93353836ac102d1a795207b10ec353e6dbd01dd6e0d1ded3d41cbc9cce87c78b6b1ec6a8d"
username="5c5f0fc1f068b4c54698e71fc0982f1b"
password="f334da1d60b3e0e0d8d89802cf5209d3"
type="javax.sql.DataSource"
validationQuery="select 1 from dual" />
</Context>
=> 여기서 주의할 점은 factory, url, username, password이다.
KDFEncrypted.java로 부터 얻은 url, username, password를 세팅해주며, factory는 3번을 참고한다.
3. KDFDecryptedDataSourceFactory.java
package com.project1.framework.jndi;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.dbcp.BasicDataSourceFactory;
public class KDFDecryptedDataSourceFactory extends BasicDataSourceFactory {
private final String key = "test";
private final String symmAlg = "AES";
public static String randomIv(int len) {
StringBuffer strBuffer = new StringBuffer();
String iv = null, ivS = null;
Random rd = new Random();
for( int i = 0; i < len; i++ ) {
if( iv == null || iv.length() < len ){
ivS = Integer.toHexString(rd.nextInt());
iv = strBuffer.append(ivS).toString();
}
if( iv.length() > len ) {
iv = iv.substring(0, len);
break;
}
if( iv.length() == len ) break;
}
return iv;
}
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
if (obj instanceof Reference) {
setUsername((Reference) obj);
setPassword((Reference) obj);
setUrl((Reference) obj);
}
return super.getObjectInstance(obj, name, nameCtx, environment);
}
private void setUrl(Reference ref) throws Exception {
findDecryptAndReplace("url", ref);
}
private void setUsername(Reference ref) throws Exception {
findDecryptAndReplace("username", ref);
}
private void setPassword(Reference ref) throws Exception {
findDecryptAndReplace("password", ref);
}
private void findDecryptAndReplace( String refType, Reference ref) throws Exception {
int idx = find(refType, ref);
String decrypted = decrypt(ref.get(idx).getContent().toString());
replace(idx, refType, decrypted, ref);
}
private void replace(int idx, String refType, String newValue, Reference ref) throws Exception {
ref.remove(idx);
ref.add(idx, new StringRefAddr(refType, newValue));
}
private int find(String addrType, Reference ref) throws Exception {
Enumeration enu = ref.getAll();
for (int i = 0; enu.hasMoreElements(); i++) {
RefAddr addr = (RefAddr) enu.nextElement();
if (addr.getType().compareTo(addrType) == 0)
return i;
}
throw new Exception("The \"" + addrType + "\" name/value pair was not found"
+ " in the Reference object. The reference Object is" + " " + ref.toString());
}
// 복호화
private String decrypt(String ciphertext) throws Exception {
MessageDigest md = null;
md = MessageDigest.getInstance("SHA-256");
md.update(key.getBytes());
byte[] hashVal = md.digest();
byte[] key = new byte[16];
System.arraycopy(hashVal, 0, key, 0, 16);
byte[] iv = new byte[16];
System.arraycopy(hashVal, 4, iv, 0, 16);
String encAlg = (symmAlg + "/CBC/PKCS5Padding");
Cipher cipher = Cipher.getInstance(encAlg);
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, symmAlg), new IvParameterSpec(iv));
String decryptedVal = new String( cipher.doFinal(Hex.decodeHex(ciphertext.toCharArray())) );
return decryptedVal;
}
}
728x90
반응형