Hi Craig,
We’ve removed the class RC4Engine that came from
BouncyCastle as per Eclipse IP Team request.
The only class that references it is org.eclipse.mtj.core.model.impl.MetaData.java
from org.eclipse.mtj.core plug-in. It is used to encrypt and decrypt keystore
and key passwords in a project metadata file .mtj (formerly .eclipseme).
For a first solution I’ve commited the classes w/out
Encryptation / decryptation, the data is only converted to base64.
Now, I’m working in a replacement for the RC4Engine
class.
I was able to use the RC4 implementation that comes with default JCE providers through
javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance("RC4");
This algorithm is available since JDK 1.4.2.
However, the key scheme used by JCE is very different from the one you originally used.
According to the latest version in EclipseME SVN (http://eclipseme.svn.sourceforge.net/viewvc/eclipseme/trunk/eclipseme-src/plugins/eclipseme.core/src/eclipseme/core/model/impl/MetaData.java?view=markup)
you’ve used the UTF-8 converted bytes from the string EclipseME as the
key for RC4 algorithm.
Unfortunately I could not reproduce this same behavior using
JCE. The only way I could get a valid RC4 key was through a KeyGenerator object,
generating a key different from the one you used in EclipseME.
The bad side is that this will break the compatibility from
MTJ and EclipseME (Projects created using EclipseME will not have their
password retrieved correctly when moved to MTJ).
In fact, I’ve just realized that we haven’t thought
about this compatibility, as we’ve changed the project metadata file name
from .eclipseme to .mtj, what implies that after importing projects created with
eclipseme into MTJ, users must convert their projects to J2ME projects via the
J2ME option in projects popup menu. Do you think breaking this compatibility is
a big issue, or are you ok with that, given that it is a new project? In the
future we can implement a project migration wizard from EclipseME to MTJ if we
think is necessary.
Given that this compatibility will be broken, do you have
any hints of how can you handle the encryptation/decryptation of user password?
Looking forward to hear from you,
Hugo
PS. Sorry for this long e-mail, I was just trying to give
you (and other mail-list members) as much information as I can about the
problem. Feel free to contact me if you didn’t understand or need a
better explanation on anything in this mail