Mik*_*kov 13 java securestring java-security
我正在寻找Java相当于.NET的SecureString.aspx.是否有这样的实施在2018年?
OWASP实现并不完全相同,因为它只是一个普通的char数组.虽然.NET等价物提供了额外的功能,例如从/向非托管内存获取实例的能力以及加密.
我知道普通的Java模式传递密码,char[]并Arrays.fill()在使用后用零做.但它需要在char[]所有时间内构建一个简单的实用程序类.
Oracle有一个GuardedString实现.它是与.NET SecureString解决方案最接近的匹配.
安全的字符串实现,解决了与保持密码相关的问题
java.lang.String.也就是说,表示为String的任何内容都作为明文密码保存在内存中,并至少保留在内存中,直到它被垃圾回收.所述
GuardedString类通过以加密的形式存储在存储器中的字符减轻这个问题.加密密钥将是随机生成的密钥.在序列化形式中,
GuardedStrings将使用已知的默认密钥加密.这是为了提供最低程度的保护,无论运输.对于与远程连接器框架的通信,建议部署启用SSL以进行真正的加密.应用程序也可能希望继续存在
GuardedString.对于Identity Manager,它应将GuardedStrings 转换为EncryptedData可以使用Identity Manager的"管理加密"功能进行存储和管理.其他应用程序可能希望APIConfiguration整体序列化.这些应用程序负责加密APIConfigurationblob以获得额外的安全层(超出提供的基本默认密钥加密GuardedString).
我修改了 OWASP 版本以在内存中随机填充字符数组,因此静态字符数组不会与实际字符一起存储。
import java.security.SecureRandom;
import java.util.Arrays;
/**
* This is not a string but a CharSequence that can be cleared of its memory.
* Important for handling passwords. Represents text that should be kept
* confidential, such as by deleting it from computer memory when no longer
* needed or garbaged collected.
*/
public class SecureString implements CharSequence {
private final int[] chars;
private final int[] pad;
public SecureString(final CharSequence original) {
this(0, original.length(), original);
}
public SecureString(final int start, final int end, final CharSequence original) {
final int length = end - start;
pad = new int[length];
chars = new int[length];
scramble(start, length, original);
}
@Override
public char charAt(final int i) {
return (char) (pad[i] ^ chars[i]);
}
@Override
public int length() {
return chars.length;
}
@Override
public CharSequence subSequence(final int start, final int end) {
return new SecureString(start, end, this);
}
/**
* Convert array back to String but not using toString(). See toString() docs
* below.
*/
public String asString() {
final char[] value = new char[chars.length];
for (int i = 0; i < value.length; i++) {
value[i] = charAt(i);
}
return new String(value);
}
/**
* Manually clear the underlying array holding the characters
*/
public void clear() {
Arrays.fill(chars, '0');
Arrays.fill(pad, 0);
}
/**
* Protect against using this class in log statements.
* <p>
* {@inheritDoc}
*/
@Override
public String toString() {
return "Secure:XXXXX";
}
/**
* Called by garbage collector.
* <p>
* {@inheritDoc}
*/
@Override
public void finalize() throws Throwable {
clear();
super.finalize();
}
/**
* Randomly pad the characters to not store the real character in memory.
*
* @param start start of the {@code CharSequence}
* @param length length of the {@code CharSequence}
* @param characters the {@code CharSequence} to scramble
*/
private void scramble(final int start, final int length, final CharSequence characters) {
final SecureRandom random = new SecureRandom();
for (int i = start; i < length; i++) {
final char charAt = characters.charAt(i);
pad[i] = random.nextInt();
chars[i] = pad[i] ^ charAt;
}
}
}