author | Determe, Sebastien (sd378r) <sd378r@intl.att.com> | 2017-11-16 13:22:49 +0100 |
---|---|---|
committer | Determe, Sebastien (sd378r) <sd378r@intl.att.com> | 2017-11-16 13:42:47 +0100 |
commit | 34400eeebc299cbf8e4335a7bee937753554bed5 (patch) | |
tree | 3ed6036482f969d0ddc157cac4f324ad189a814e /src/main | |
parent | 677d218e4c337de6faca915723d47390ef4290d0 (diff) |
Rework CryptoUtils
CryptoUtils now takes the key from a file located in the resources, not
from the Spring configuration file
Change-Id: I002978d292550e6173efb4324cbb977f35d7e753
Issue-ID: CLAMP-74
Signed-off-by: Determe, Sebastien (sd378r) <sd378r@intl.att.com>
Diffstat (limited to 'src/main')
6 files changed, 73 insertions, 57 deletions
diff --git a/src/main/java/org/onap/clamp/clds/config/EncodedPasswordBasicDataSource.java b/src/main/java/org/onap/clamp/clds/config/EncodedPasswordBasicDataSource.java
index 3862a5ac..453689be 100644
--- a/src/main/java/org/onap/clamp/clds/config/EncodedPasswordBasicDataSource.java
+++ b/src/main/java/org/onap/clamp/clds/config/EncodedPasswordBasicDataSource.java
@@ -28,25 +28,20 @@ import com.att.eelf.configuration.EELFManager;
 import java.security.GeneralSecurityException;
+import org.apache.commons.codec.DecoderException;
 import org.apache.commons.dbcp.BasicDataSource;
 import org.onap.clamp.clds.util.CryptoUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.annotation.DependsOn;
-import org.springframework.stereotype.Component;
 /**
 * This class is an extension of the standard datasource, it will be used to
 * decode the encoded password defined in the application.properties.
 *
 */
-@Component("EncodedPasswordBasicDataSource")
-@DependsOn(value = { "CryptoUtils" })
 public class EncodedPasswordBasicDataSource extends BasicDataSource {
 protected static final EELFLogger logger = EELFManager.getInstance()
 .getLogger(EncodedPasswordBasicDataSource.class);
 protected static final EELFLogger metricsLogger = EELFManager.getInstance().getMetricsLogger();
- @Autowired
- private CryptoUtils cryptoUtils;
+ private CryptoUtils cryptoUtils = new CryptoUtils();
 /**
 * The default constructor calling the parent one.
@@ -64,6 +59,8 @@ public class EncodedPasswordBasicDataSource extends BasicDataSource {
 this.password = cryptoUtils.decrypt(encodedPassword);
 } catch (GeneralSecurityException e) {
 logger.error("Unable to decrypt the DB password", e);
+ } catch (DecoderException e) {
+ logger.error("Exception caught when decoding the HEX String Key for encryption", e);
 }
 }
 }
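Review bot: The message in the new `catch (DecoderException e)` branch is misleading: at that point `cryptoUtils.decrypt(encodedPassword)` throws DecoderException when the encoded password itself is not valid hex, not when the key is decoded (key decoding happens in CryptoUtils' static initializer and is logged there). `logger.error("Unable to hex-decode the encoded DB password", e);` would name the right value, and since both branches only log, `catch (GeneralSecurityException | DecoderException e)` with a single message would do the same job. Either way the method continues with `this.password` left unchanged, so a bad value only surfaces later as an authentication failure against the database; throwing an IllegalStateException here would make the misconfiguration visible at startup instead. The method containing this try/catch starts outside the hunk.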
\ No newline at end of file
diff --git a/src/main/java/org/onap/clamp/clds/util/CryptoUtils.java b/src/main/java/org/onap/clamp/clds/util/CryptoUtils.java
index 4b72c6fd..8dbdc77d 100644
--- a/src/main/java/org/onap/clamp/clds/util/CryptoUtils.java
+++ b/src/main/java/org/onap/clamp/clds/util/CryptoUtils.java
@@ -23,26 +23,54 @@ package org.onap.clamp.clds.util;
+import com.att.eelf.configuration.EELFLogger;
+import com.att.eelf.configuration.EELFManager;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+import java.util.Properties;
 import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
-import org.springframework.core.Ordered;
-import org.springframework.core.annotation.Order;
-import org.springframework.stereotype.Component;
+import org.apache.commons.codec.DecoderException;
+import org.apache.commons.codec.binary.Hex;
+import org.apache.commons.lang3.ArrayUtils;
 /**
 * CryptoUtils for encrypting/decrypting string based on a Key defined in
 * application.properties (Spring config file).
 *
 */
-@Component("CryptoUtils")
-@Order(Ordered.HIGHEST_PRECEDENCE)
 public final class CryptoUtils {
- public static final String AES = "AES";
- public static final String KEY_PARAM = "org.onap.clamp.encryption.aes.key";
- private SecretKeySpec secretKeySpec = getSecretKeySpec("aa3871669d893c7fb8abbcda31b88b4f");
+ protected static final EELFLogger logger = EELFManager.getInstance().getLogger(CryptoUtils.class);
+ // Openssl commands:
+ // Encrypt: echo -n "123456" | openssl aes-128-cbc -e -K <Private Hex key>
+ // -iv <16 Hex Bytes iv> | xxd -u -g100
+ // Final result is to put in properties file is: IV + Outcome of openssl
+ // command
+ // ************************************************************
+ // Decrypt: echo -n 'Encrypted string' | xxd -r -ps | openssl aes-128-cbc -d
+ // -K
+ // <Private Hex Key> -iv <16 Bytes IV extracted from Encrypted String>
+ private static final String ALGORITHM = "AES";
+ private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final int BLOCK_SIZE = 128;
+ private static final String KEY_PARAM = "org.onap.clamp.encryption.aes.key";
+ private 
static SecretKeySpec secretKeySpec = null;
+ private IvParameterSpec ivspec;
+ static {
+ Properties props = new Properties();
+ try {
+ props.load(ResourceFileUtil.getResourceAsStream("clds/key.properties"));
+ secretKeySpec = getSecretKeySpec(props.getProperty(KEY_PARAM));
+ } catch (IOException | DecoderException e) {
+ logger.error("Exception occurred during the key reading", e);
+ }
+ }
 /**
 * Encrypt a value based on the Clamp Encryption Key.
@@ -51,16 +79,21 @@ public final class CryptoUtils {
 * @return The encrypted string
 * @throws GeneralSecurityException
 * In case of issue with the encryption
+ * @throws UnsupportedEncodingException
+ * In case of issue with the charset conversion
 */
- public String encrypt(String value) throws GeneralSecurityException {
- Cipher cipher = Cipher.getInstance(CryptoUtils.AES);
- cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, cipher.getParameters());
- byte[] encrypted = cipher.doFinal(value.getBytes());
- return byteArrayToHexString(encrypted);
+ public String encrypt(String value) throws GeneralSecurityException, UnsupportedEncodingException {
+ Cipher cipher = Cipher.getInstance(CryptoUtils.ALGORYTHM_DETAILS, "SunJCE");
+ SecureRandom r = SecureRandom.getInstance("SHA1PRNG");
+ byte[] iv = new byte[BLOCK_SIZE / 8];
+ r.nextBytes(iv);
+ ivspec = new IvParameterSpec(iv);
+ cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivspec);
+ return Hex.encodeHexString(ArrayUtils.addAll(iv, cipher.doFinal(value.getBytes("UTF-8"))));
 }
 /**
- * Decrypt a value.
+ * Decrypt a value based on the Clamp Encryption Key
 *
 * @param message
 * The encrypted string that must be decrypted using the Clamp 
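Review bot: In the static initializer, `props.getProperty(KEY_PARAM)` returns null when the property is absent and `getSecretKeySpec(null)` then throws NullPointerException from `keyString.toCharArray()`, which `catch (IOException | DecoderException e)` does not cover, so the class fails to load with an ExceptionInInitializerError; if `ResourceFileUtil.getResourceAsStream` returns null for a missing resource (not visible here), `props.load(null)` fails the same way. The cases that are caught leave `secretKeySpec` null, which only surfaces later as an InvalidKeyException from `Cipher.init`, far from the cause; `Objects.requireNonNull(props.getProperty(KEY_PARAM), KEY_PARAM + " missing in clds/key.properties")` plus rethrowing as an IllegalStateException instead of logging would fail at startup with the real reason. The class Javadoc on the context lines, `Key defined in application.properties (Spring config file)`, is now wrong and should say the key is read from the `clds/key.properties` classpath resource under `org.onap.clamp.encryption.aes.key`.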
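Review bot: `ivspec = new IvParameterSpec(iv);` writes the IV into an instance field, so two threads sharing one CryptoUtils can overwrite each other's IV between the assignment and `cipher.init` (decrypt does the same); the value is only needed locally, `IvParameterSpec ivspec = new IvParameterSpec(iv);`, and the field can be dropped. `SecureRandom.getInstance("SHA1PRNG")` pins a provider-specific algorithm, whereas `new SecureRandom()` gives the platform's default strong generator without the checked-exception path. `value.getBytes("UTF-8")` can be `value.getBytes(StandardCharsets.UTF_8)`, which can never throw UnsupportedEncodingException (the declared `throws` may stay for source compatibility). Hard-coding the `"SunJCE"` provider in `Cipher.getInstance` ties the class to one JCE implementation with no security gain; `Cipher.getInstance(ALGORYTHM_DETAILS)` is the usual form.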
@@ -68,38 +101,21 @@ public final class CryptoUtils {
 * @return The String decrypted
 * @throws GeneralSecurityException
 * In case of issue with the encryption
+ * @throws DecoderException
+ * In case of issue to decode the HexString
 */
- public String decrypt(String message) throws GeneralSecurityException {
- Cipher cipher = Cipher.getInstance(CryptoUtils.AES);
- cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
- byte[] decrypted = cipher.doFinal(hexStringToByteArray(message));
+ public String decrypt(String message) throws GeneralSecurityException, DecoderException {
+ byte[] encryptedMessage = Hex.decodeHex(message.toCharArray());
+ Cipher cipher = Cipher.getInstance(CryptoUtils.ALGORYTHM_DETAILS, "SunJCE");
+ ivspec = new IvParameterSpec(ArrayUtils.subarray(encryptedMessage, 0, BLOCK_SIZE / 8));
+ byte[] realData = ArrayUtils.subarray(encryptedMessage, BLOCK_SIZE / 8, encryptedMessage.length);
+ cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, ivspec);
+ byte[] decrypted = cipher.doFinal(realData);
 return new String(decrypted);
 }
- private SecretKeySpec getSecretKeySpec(String keyString) {
- byte[] key = hexStringToByteArray(keyString);
- return new SecretKeySpec(key, CryptoUtils.AES);
- }
-
- private String byteArrayToHexString(byte[] b) {
- StringBuilder sb = new StringBuilder(b.length * 2);
- for (int i = 0; i < b.length; i++) {
- int v = b[i] & 0xff;
- if (v < 16) {
- sb.append('0');
- }
- sb.append(Integer.toHexString(v));
- }
- return sb.toString().toUpperCase();
- }
-
- private byte[] hexStringToByteArray(String s) {
- byte[] b = new byte[s.length() / 2];
- for (int i = 0; i < b.length; i++) {
- int index = i * 2;
- int v = Integer.parseInt(s.substring(index, index + 2), 16);
- b[i] = (byte) v;
- }
- return b;
+ private static SecretKeySpec getSecretKeySpec(String keyString) throws DecoderException {
+ byte[] key = Hex.decodeHex(keyString.toCharArray());
+ return new SecretKeySpec(key, CryptoUtils.ALGORITHM);
 }
 }
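Review bot: `return new String(decrypted);` (a context line kept by the hunk) decodes with the platform default charset while the reworked encrypt encodes with UTF-8, so a non-ASCII secret round-trips incorrectly on a JVM whose default charset is not UTF-8; use `return new String(decrypted, StandardCharsets.UTF_8);`. The stored format is AES-CBC with no integrity check, so a modified ciphertext is not detected and only shows up as a padding error or garbage output; if the format is revised again, AES/GCM with the IV prepended the same way would give authenticated decryption with the same call shape. As in encrypt, `ivspec` should be a local rather than the instance field. An input shorter than IV plus one cipher block yields a truncated IV or empty `realData`, which `ArrayUtils.subarray` silently clamps and which then fails inside `Cipher.init`/`doFinal` with a generic GeneralSecurityException; a length check with an explicit message, `if (encryptedMessage.length < 2 * (BLOCK_SIZE / 8)) throw new IllegalArgumentException("Encrypted value too short: expected IV plus at least one block");`, would let operators recognise a value still in the old 32-hex-character format.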
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 8155cb2b..321d88e1 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -96,7 +96,7 @@ kubernetes.namespace=com-att-ajsc
 spring.datasource.camunda.driverClassName=org.mariadb.jdbc.Driver
spring.datasource.camunda.url=jdbc:mariadb:sequential://localhost:${docker.mariadb.port.host}/camundabpm?autoReconnect=true&retriesAllDown=2147483647&failoverLoopRetries=2147483647
spring.datasource.camunda.username=camunda
-spring.datasource.camunda.password=D75B89195FD913848EA11416F755390E
+spring.datasource.camunda.password=e1bb2a8381d1aa6c09879bd627db3bb560ad29e8a3343fe6aa7e6a7ba622da4e
spring.datasource.camunda.validationQuery=SELECT 1
spring.datasource.camunda.validationQueryTimeout=20000
spring.datasource.camunda.validationInterval=30000
@@ -117,7 +117,7 @@ camunda.bpm.database.schema-update=false
 spring.datasource.cldsdb.driverClassName=org.mariadb.jdbc.Driver
spring.datasource.cldsdb.url=jdbc:mariadb:sequential://localhost:${docker.mariadb.port.host}/cldsdb4?autoReconnect=true&retriesAllDown=2147483647&failoverLoopRetries=2147483647
spring.datasource.cldsdb.username=clds
-spring.datasource.cldsdb.password=035F8819FEBB754F3C99ECCCC1259850
+spring.datasource.cldsdb.password=4c90a0b48204383f4283448d23e0b885a47237b2a23588e7c4651604f51c1067
spring.datasource.cldsdb.validationQuery=SELECT 1
spring.datasource.cldsdb.validationQueryTimeout=20000
spring.datasource.cldsdb.validationInterval=30000
@@ -144,7 +144,6 @@ org.onap.clamp.config.files.cldsReference=classpath:/clds/clds-reference.propert
 org.onap.clamp.config.files.cldsPolicyConfig=classpath:/clds/clds-policy-config.properties
org.onap.clamp.config.files.cldsUsers=classpath:/clds/clds-users.json
org.onap.clamp.config.files.globalClds=classpath:/clds/globalClds.properties
-org.onap.clamp.encryption.aes.key=aa3871669d893c7fb8abbcda31b88b4f
#Define user permission related parameters, the permission type can be changed but MUST be redefined in clds-users.properties in that case !
CLDS_PERMISSION_TYPE_CL=permission-type-cl
diff --git a/src/main/resources/clds/clds-policy-config.properties b/src/main/resources/clds/clds-policy-config.properties
index b812ffa7..54b92772 100644
--- a/src/main/resources/clds/clds-policy-config.properties
+++ b/src/main/resources/clds/clds-policy-config.properties
@@ -20,6 +20,7 @@ # ===================================================================
 # ECOMP is a trademark and service mark of AT&T Intellectual Property.
 ###
+
 # Configuration Settings for Policy Engine Components
 PDP_URL1=http://vm1.policy.simpledemo.onap.org:8081/pdp/ , testpdp, alpha123
 PDP_URL2=http://vm1.policy.simpledemo.onap.org:8081/pdp/ , testpdp, alpha123
@@ -28,7 +29,8 @@ NOTIFICATION_UEB_SERVERS=localhost
 NOTIFICATION_TOPIC=
 CLIENT_ID=myclientid
 # base64 encoding
-CLIENT_KEY=ChlakDuk
+#CLIENT_KEY=ChlakDuk
+CLIENT_KEY=5CE79532B3A2CB4D132FC0C04BF916A7
 #DEVL for development
 #TEST for Test environments
 #PROD for prod environments
diff --git a/src/main/resources/clds/clds-reference.properties b/src/main/resources/clds/clds-reference.properties
index 72308a94..a8382cb0 100644
--- a/src/main/resources/clds/clds-reference.properties
+++ b/src/main/resources/clds/clds-reference.properties
@@ -81,14 +81,14 @@ sdc.catalog.url=http://sdc.api.simpledemo.onap.org:8080/sdc/v1/catalog/
 sdc.hostUrl=http://sdc.api.simpledemo.onap.org:8080
 sdc.serviceUrl=http://sdc.api.simpledemo.onap.org:8080/sdc/v1/catalog/services
 sdc.serviceUsername=test
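Review bot: The new `CLIENT_KEY` value is 32 hex characters (16 bytes), whereas values produced by the reworked CryptoUtils.encrypt are IV plus at least one cipher block, 64 hex characters like the passwords updated in application.properties and clds-reference.properties in this same commit; if this property is decrypted through CryptoUtils (not visible here), the value will fail with a GeneralSecurityException rather than decrypt. The `# base64 encoding` comment above it no longer describes the value and should state how it is produced, e.g. `# hex(IV || AES-CBC ciphertext) produced by CryptoUtils.encrypt`. Leaving the previous value behind as `#CLIENT_KEY=ChlakDuk` keeps the old credential in the checked-in file; delete that line rather than commenting it out.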
-sdc.servicePassword=A7CADD84A22398C980847A54D23E24E9
+sdc.servicePassword=aa2871669d793c7fb7abbcda31b88b4c29bf2982755b25f08f8d0130539c11b0
sdc.artifactLabel=blueprintclampcockpit
sdc.sdcX-InstanceID=CLAMP
sdc.artifactType=DCAE_INVENTORY_BLUEPRINT
sdc.locationArtifactLabel=locationclampcockpit
sdc.locationArtifactType=DCAE_INVENTORY_JSON
sdc.InstanceID=X-ECOMP-InstanceID
-#
+sdc.header.requestId = X-ECOMP-RequestID
#
#
ui.location.default={"DC1":"Data Center 1","DC2":"Data Center 2","DC3":"Data Center 3"}
@@ -104,5 +104,6 @@ CLDS_SERVICE_CACHE_MAX_SECONDS=30
 DCAE_INVENTORY_URL = https://dcae.api.simpledemo.onap.org:8080
 #DCAE Dispatcher Url Properties
-DCAE_DISPATCHER_URL = https://dcae.api.simpledemo.onap.org:8443
+DCAE_DISPATCHER_URL = https://dcae.api.simpledemo.onap.org:8443
+dcae.header.requestId = "X-ECOMP-RequestID"
diff --git a/src/main/resources/clds/key.properties b/src/main/resources/clds/key.properties
new file mode 100644
index 00000000..dda81104
--- /dev/null
+++ b/src/main/resources/clds/key.properties
@@ -0,0 +1 @@
+org.onap.clamp.encryption.aes.key=aa3871669d893c7fb8abbcda31b88b4f
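Review bot: `dcae.header.requestId = "X-ECOMP-RequestID"` keeps the double quotes as part of the value when read through java.util.Properties, so a consumer that does not strip them would use a header name containing quote characters; the `sdc.header.requestId = X-ECOMP-RequestID` line added earlier in this file is unquoted, and `dcae.header.requestId = X-ECOMP-RequestID` would match it. The DCAE_DISPATCHER_URL line is removed and re-added with identical visible text, which suggests a trailing-whitespace or line-ending change only.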
\ No newline at end of file |
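Review bot: The new `clds/key.properties` carries the AES key as a classpath resource, with the same value this commit removes from application.properties, so the key still ships inside the built artifact and stays in repository history; every value encrypted with it in application.properties, clds-reference.properties and clds-policy-config.properties is only as confidential as the packaged jar. Keep a placeholder or build-time default in the resource and let deployments supply the real key from outside the artifact (an external file path or environment variable read at startup), and generate a fresh key for real deployments since this one is published. A comment naming the expected format, `# 16-byte AES key as 32 hex characters, read by CryptoUtils`, would also help operators provide a valid replacement.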