Travis Thomas

Peter Johnson wrote:Did you include the MySQL JDBC driver as one of the JAR files in your Build Path?

This was the error. It would launch from Eclipse fine, but not externally or from the jar. Once I added the MySQL JDBC JAR to to Eclipse build path, it included it in the JAR. Thanks.

Hello,
I am having trouble getting Eclipse to generate an executable jar that actually works. Here is the error I am getting:

C:\Users\User\Documents\workspace\OrderManager build>java -jar Orders.jar java.lang.ClassNotFoundException: com.mysql.jdbc.Driver at java.net.URLClassLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Unknown Source) at orderManager.OrderManager.initializeConnection(OrderManager.java:57) at orderManager.OrderManager.<init>(OrderManager.java:34) at orderManager.OrderManager.main(OrderManager.java:30) Failed to connect to database. Is it on? Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException at orderManager.OrderManager.getOrdersFromDB(OrderManager.java:83) at orderManager.OrderManager.getCurrentOrderDisplays(OrderManager.java:405) at orderManager.OMWindow.updateCurrentOrdersTable(OMWindow.java:136) at orderManager.OMWindow.createCurrentOrdersTable(OMWindow.java:114) at orderManager.OMWindow.buildGUI(OMWindow.java:70) at orderManager.OMWindow.<init>(OMWindow.java:61) at orderManager.OrderManager.createAndShowGUI(OrderManager.java:352) at orderManager.OrderManager$1.run(OrderManager.java:38) at java.awt.event.InvocationEvent.dispatch(Unknown Source) at java.awt.EventQueue.dispatchEventImpl(Unknown Source) at java.awt.EventQueue.access$000(Unknown Source) at java.awt.EventQueue$1.run(Unknown Source) at java.awt.EventQueue$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessControlContext$1.doIntersectionPrivilege(Unknown Source) at java.awt.EventQueue.dispatchEvent(Unknown Source) at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source) at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.pumpEvents(Unknown Source) at java.awt.EventDispatchThread.run(Unknown Source)

When I create the jar, I have specified all three options: Extract required libraries into the jar, Package the required libraries into the jar, and Copy the required libraries into a nearby folder. In no case does Eclipse package the JDBC classes. It includes classes that I didn't know I used--some from org.eclipse, org.hamcrest and JUnit (even though I don't particularly want to include my test class, I can't figure out how to remove it from the jar without removing it from my project).

C:\Users\User\Documents\workspace\OrderManager build>jar tf OrderMan.jar META-INF/MANIFEST.MF org/ org/eclipse/ org/eclipse/jdt/ org/eclipse/jdt/internal/ org/eclipse/jdt/internal/jarinjarloader/ org/eclipse/jdt/internal/jarinjarloader/JIJConstants.class org/eclipse/jdt/internal/jarinjarloader/JarRsrcLoader$ManifestInfo.class org/eclipse/jdt/internal/jarinjarloader/JarRsrcLoader.class org/eclipse/jdt/internal/jarinjarloader/RsrcURLConnection.class org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandler.class org/eclipse/jdt/internal/jarinjarloader/RsrcURLStreamHandlerFactory.class org.hamcrest.core_1.1.0.v20090501071000.jar orderManager/ orderManager/DetailsPanel.class orderManager/AKMInterface.class orderManager/Order.class orderManager/AddOrderDialog$1.class orderManager/AddOrderDialog$2.class orderManager/AddOrderDialog$3.class orderManager/AddOrderDialog.class orderManager/AKMInterfaceTest.class orderManager/OrderManager$1.class orderManager/OrderManager.class orderManager/OMWindow$1.class orderManager/OMWindow$2.class orderManager/OMWindow$3.class orderManager/OMWindow$4.class orderManager/OMWindow$5.class orderManager/OMWindow$6.class orderManager/OMWindow$7.class orderManager/OMWindow$8.class orderManager/OMWindow$9.class orderManager/OMWindow.class orderManager/Connection$AddressHolder.class orderManager/Connection.class orderManager/Person.class junit.jar

I've also tried creating the jar directly from the command line, but I get mainClassNotFound errors.

Thoughts?

Thanks,
Travis

Thanks for the help. I have implemented AES/CBC encryption, storing the IV and initializing the decryption-time Cipher with it. Here are my code snippets for any comments and anyone else's future reference:

public byte[] encryptData(byte[] s) throws GeneralSecurityException { System.out.println("Encrypting..."); byte[] iv = null; byte[] tempResults = null; byte[] results = null; init(); cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); tempResults = cipher.doFinal(s); iv = cipher.getIV(); results = new byte[iv.length + tempResults.length]; cipher = null; secretKeySpec = null; key = null; // empty everything for GC System.arraycopy(iv, 0, results, 0, iv.length); System.arraycopy(tempResults, 0, results, iv.length, tempResults.length); return results; }

public byte[] decryptData(byte[] s) throws GeneralSecurityException { byte[] iv = Arrays.copyOfRange(s, 0, IV_LENGTH); byte[] data = Arrays.copyOfRange(s,IV_LENGTH,s.length); byte[] results; init(); cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(iv)); results = cipher.doFinal(data); cipher = null; secretKeySpec = null; key = null; // empty everything for GC return results; }

and finally, my init() method:

public void init() throws GeneralSecurityException { key = getKey(); secretKeySpec = new SecretKeySpec(key, "AES"); cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); }

Hm. I've run into a secondary bug--when I decrypt the data and re-save it, I get an exception stating the data is too long for the SQL column. Tracking it down...

Edit: resolved. Original issue remains.

Here is the code I am using to initialize the Cipher. I'm unsure which mode of encryption is the default.

byte[] results = null; try { key = getKey(); secretKeySpec = new SecretKeySpec(key, algorithm); //algorithm = "AES" cipher = Cipher.getInstance(algorithm); cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec); results = cipher.doFinal(s); } finally { cipher = null; secretKeySpec = null; key = null; // empty everything for GC if (results == null) results = FAIL; //FAIL is a constant } return results;


Here are 3 encrypted... 32 bytes, 16 of which are the same each timeHex values. Original Strings are 16 characters long:
D2 C4 C3 5D 4C B2 BE C9 A8 C7 5F F4 B9 C1 0C 51 20 CD 06 16 4C 68 F5 F2 15 B1 22 E0 D0 14 EA F0 F6 97 85 22 B6 F5 4A 88 23 10 12 D3 20 80 A5 FF 20 CD 06 16 4C 68 F5 F2 15 B1 22 E0 D0 14 EA F0 39 B4 9E 42 39 DF D6 01 4B 6D 49 CB 74 36 2E 59 20 CD 06 16 4C 68 F5 F2 15 B1 22 E0 D0 14 EA F0

This isn't a problem per se but I find the behavior odd and I would like to understand it.

I'm using the standard Java Cipher class to encrypt sensitive information. I've got it functional--it encrypts the user input, and when requested, successfully decrypts it, yielding the desired datum. However, if I look at the encrypted result of each of the inputs, there is a consistent tail on the data. That is, this string: "Lxõò±"àÐêð" is present at the end of every encrypted value. Since I'm using one key for all the encryptions, I assume that some other piece of information is being encrypted separately and the encrypted results pasted together. Any ideas what this extra information is?

Thanks.

I'm a newb so forgive the lack of clarity. I don't have a particular threat model in mind, as I'm just learning how to think about these issues. This code is a learning project, not intended for production.

The reason for encrypting the data in the database is to protect the data at rest. Encrypting that data (assuming the keys are managed properly) means that, in the (inevitable) case of a data breach, PCI/HIPAA/etc. would not require notifying those whose data has been compromised. Some effort up-front can prevent a huge expense down the line. I'm sure Sony would attest to that.

Your point that, if an attacker has access to memory, the data is already lost, is well taken. I had come to that conclusion because JTextComponents return their text as unprotected Strings. The plaintext is already there. I'm not trying to rewrite Swing.

There are ways of authorizing access to segments of memory, aren't there? Perhaps an object could be created within protected memory, accept input, and encipher it before it has the opportunity to leave the memory? Or would the entire JVM be within protected memory if any of it is? I don't really know how that works.

Thanks for your response.

I am writing an application that lets the user input sensitive information. When the user clicks "Save," I would like to be able to take that information and encrypt it for storage in a MySQL database. However, I am wary of using a String to store that information, even temporarily, because a memory dump would be able to find that String even if I reassign the variable to null. I also have the issue of what to do when I decrypt the information to display on the screen. Ideally, I will treat the data as the encrypted array of bytes until the last possible moment of displaying it, and holding that information in a secured place in memory.

I see that in .NET there is a SecureString for such tasks, but I can't find an equivalent in Java. Anyone have an idea?

One thought I've had is to use a StringBuffer and to zero it out after using it. Would that nuke the memory space that held the sensitive data?

Thanks

I'm using some code grabbed off the Interwebs that should work, but I'm getting an exception... got the .der files from my boss, so I assume they're valid, but perhaps not. Spacing and returns are odd here but normal on my machine.

C:\Users\Trevor Basden\Desktop\ImportKey>java ImportKey AKMClientPrivKey.der AKM
ClientSignedCert.der password
Using keystore-file : C:\Users\Trevor Basden\Desktop\ImportKey\keyst2
HERE1
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: I
OException : algid parse error, not a sequence
at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(Unknown Source)
at java.security.KeyFactory.generatePrivate(Unknown Source)
at ImportKey.main(ImportKey.java:257)
Caused by: java.security.InvalidKeyException: IOException : algid parse error, n
ot a sequence
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.pkcs.PKCS8Key.decode(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(Unknown Source)
at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(Unknown Source)
at sun.security.rsa.RSAKeyFactory.generatePrivate(Unknown Source)
... 3 more
import java.security.*; import java.io.IOException; import java.io.InputStream; import java.io.FileInputStream; import java.io.DataInputStream; import java.io.ByteArrayInputStream; import java.io.FileOutputStream; import java.security.spec.*; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.util.Collection; import java.util.Iterator; /** * ImportKey.java * * This class imports a key and a certificate into a keystore * (<code>$home/keystore.ImportKey</code>). If the keystore is * already present, it is simply deleted. Both the key and the * certificate file must be in <code>DER</code>-format. The key must be * encoded with <code>PKCS#8</code>-format. The certificate must be * encoded in <code>X.509</code>-format.</p> * * <p>Key format:</p> * <p><code>openssl pkcs8 -topk8 -nocrypt -in YOUR.KEY -out YOUR.KEY.der * -outform der</code></p> * <p>Format of the certificate:</p> * <p><code>openssl x509 -in YOUR.CERT -out YOUR.CERT.der -outform * der</code></p> * <p>Import key and certificate:</p> * <p><code>java comu.ImportKey YOUR.KEY.der YOUR.CERT.der</code></p><br /> * * <p><em>Caution:</em> the old <code>keystore.ImportKey</code>-file is * deleted and replaced with a keystore only containing <code>YOUR.KEY</code> * and <code>YOUR.CERT</code>. The keystore and the key has no password; * they can be set by the <code>keytool -keypasswd</code>-command for setting * the key password, and the <code>keytool -storepasswd</code>-command to set * the keystore password. * <p>The key and the certificate is stored under the alias * <code>importkey</code>; to change this, use <code>keytool - keyclone</code>. * * Created: Fri Apr 13 18:15:07 2001 * Updated: Fri Apr 19 11:03:00 2002 * * @author Joachim Karrer, Jens Carlberg * @version 1.1 **/ public class ImportKey { /** * <p>Creates an InputStream from a file, and fills it with the complete * file. Thus, available() on the returned InputStream will return the * full number of bytes the file contains</p> * @param fname The filename * @return The filled InputStream * @exception IOException, if the Streams couldn't be created. **/ private static InputStream fullStream ( String fname ) throws IOException { FileInputStream fis = new FileInputStream(fname); DataInputStream dis = new DataInputStream(fis); byte[] bytes = new byte[dis.available()]; dis.readFully(bytes); ByteArrayInputStream bais = new ByteArrayInputStream(bytes); return bais; } /** * <p>Takes two file names for a key and the certificate for the key, * and imports those into a keystore. Optionally it takes an alias * for the key. * <p>The first argument is the filename for the key. The key should be * in PKCS8-format. * <p>The second argument is the filename for the certificate for the key. * <p>If a third argument is given it is used as the alias. If missing, * the key is imported with the alias importkey * <p>The name of the keystore file can be controlled by setting * the keystore property (java -Dkeystore=mykeystore). If no name * is given, the file is named <code>keystore.ImportKey</code> * and placed in your home directory. * @param args [0] Name of the key file, [1] Name of the certificate file * [2] Alias for the key. **/ public static void main ( String args[]) { // change this if you want another password by default String keypass = ""; // change this if you want another alias by default String defaultalias = "AKMAdmin"; // change this if you want another keystorefile by default String keystorename = System.getProperty("keyst1"); if (keystorename == null) keystorename = System.getProperty("user.home")+ System.getProperty("file.separator")+ "Desktop\\ImportKey\\keyst2"; // especially this ;-) // parsing command line input String keyfile = ""; String certfile = ""; if (args.length < 3 || args.length>4) { System.out.println("Usage: java comu.ImportKey keyfile " + "certfile password [alias]"); System.exit(0); } else { keyfile = args[0]; certfile = args[1]; keypass = args[2]; if (args.length>3) defaultalias = args[3]; } try { // initializing and clearing keystore KeyStore ks = KeyStore.getInstance("JKS", "SUN"); ks.load( null , keypass.toCharArray()); System.out.println("Using keystore-file : "+keystorename); ks.store(new FileOutputStream ( keystorename ), keypass.toCharArray()); ks.load(new FileInputStream ( keystorename ), keypass.toCharArray()); // loading Key InputStream fl = fullStream (keyfile); byte[] key = new byte[fl.available()]; KeyFactory kf = KeyFactory.getInstance("RSA"); fl.read ( key, 0, fl.available() ); fl.close(); PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key ); System.out.println("HERE1"); PrivateKey ff = kf.generatePrivate(keysp); // loading CertificateChain System.out.println("HERE2"); CertificateFactory cf = CertificateFactory.getInstance ("X.509"); InputStream certstream = fullStream (certfile); Collection c = cf.generateCertificates(certstream) ; Certificate[] certs = new Certificate[c.toArray().length]; if (c.size() == 1) { certstream = fullStream (certfile); System.out.println("One certificate, no chain."); Certificate cert = cf.generateCertificate(certstream) ; certs[0] = cert; } else { System.out.println("Certificate chain length: "+c.size ()); certs = (Certificate[])c.toArray(); } // storing keystore ks.setKeyEntry(defaultalias, ff, keypass.toCharArray(), certs ); System.out.println ("Key and certificate stored."); System.out.println ("Alias:"+defaultalias+" Password:"+keypass); ks.store(new FileOutputStream ( keystorename ), keypass.toCharArray()); } catch (Exception ex) { ex.printStackTrace(); } } }// KeyStore