From 3e4dce3e3c14d1003f34070e9ddee2bbf5f475be Mon Sep 17 00:00:00 2001
From: Jonathan Cobb <jonathan@kyuss.org>
Date: Sat, 14 Nov 2020 18:06:45 -0500
Subject: [PATCH] allow PBKDF2 to be enabled/disabled at the class-level

---
 .../cobbzilla/util/security/RsaKeyPair.java    | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/cobbzilla/util/security/RsaKeyPair.java b/src/main/java/org/cobbzilla/util/security/RsaKeyPair.java
index 990adec..8ce83cc 100644
--- a/src/main/java/org/cobbzilla/util/security/RsaKeyPair.java
+++ b/src/main/java/org/cobbzilla/util/security/RsaKeyPair.java
@@ -22,6 +22,8 @@ import static org.cobbzilla.util.system.CommandShell.execScript;
 @NoArgsConstructor @Accessors(chain=true) @EqualsAndHashCode(of={"publicKey"}) @Slf4j
 public class RsaKeyPair {
 
+    public static boolean ENABLE_PBKDF2 = true;
+
     public static final int DEFAULT_EXPIRATION_DAYS = 30;
     public static final int MAX_RETRIES = 5;
 
@@ -98,7 +100,7 @@ public class RsaKeyPair {
             + "-days "+PARAM_DAYS+ " -subj \""+PARAM_SUBJECT+"\"";
 
     public static String getDefaultSubject () {
-        return "/C=AQ/ST=Ross Ice Shelf/O=cobbzilla.org/CN=key."+randomAlphanumeric(10)+".cobbzilla.org";
+        return "/C=AQ/ST=Ross Ice Shelf/O=example.org/CN=key."+randomAlphanumeric(10)+".example.org";
     }
 
     private static TempDir newRsaKeyDir(int daysUntilExpiration, String subject, int attempt, int maxKeyTries) {
@@ -148,9 +150,10 @@ public class RsaKeyPair {
                         "openssl rand -out secret.key 32 && " +
 
                         // encrypt data with symmetric key
-                        // disable PBKDF2, not supported on mac osx
-//                        "openssl aes-256-cbc -salt -pbkdf2 -in data -out data.enc -pass file:secret.key && " +
-                        "openssl aes-256-cbc -salt -in data -out data.enc -pass file:secret.key && " +
+                        (ENABLE_PBKDF2
+                                ? "openssl aes-256-cbc -salt -pbkdf2 -in data -out data.enc -pass file:secret.key"
+                                : "openssl aes-256-cbc -salt -in data -out data.enc -pass file:secret.key"
+                        ) + " && " +
 
                         // encrypt sym key with recipient's public key
                         "openssl rsautl -encrypt -oaep -pubin -certin -keyform PEM -inkey recipient.crt -in secret.key -out secret.key.enc && " +
@@ -186,9 +189,10 @@ public class RsaKeyPair {
                     "openssl rsautl -decrypt -oaep -inkey recipient.key -in secret.key.enc -out secret.key && " +
 
                     // decrypt data with symmetric key
-                    // disable PBKDF2, not supported on mac osx
-//                    "openssl aes-256-cbc -d -salt -pbkdf2 -in data.enc -out data -pass file:secret.key && " +
-                    "openssl aes-256-cbc -d -salt -in data.enc -out data -pass file:secret.key && " +
+                    (ENABLE_PBKDF2
+                            ? "openssl aes-256-cbc -d -salt -pbkdf2 -in data.enc -out data -pass file:secret.key"
+                            : "openssl aes-256-cbc -d -salt -in data.enc -out data -pass file:secret.key"
+                    ) + " && " +
 
                     // verify signature with sender's public key
                     "openssl dgst -sha256 -verify <(openssl x509 -in sender.crt -pubkey -noout) -signature data.sig data");