author | Jim Hahn <jrh3@att.com> | 2020-10-28 16:22:01 -0400 |
committer | Jim Hahn <jrh3@att.com> | 2020-10-29 08:17:47 -0400 |
commit | f9c66e100522272543a550736cbe660cad4bfec5 (patch) | |
tree | 3368cf75fad013636e67b9d424bec54e8c02e0b9 /utils/src/main | |
parent | 923f85537b509bb0befc296c2c8d40807a326296 (diff) |
Fix sonar security issue in CryptoUtils
Sonar reports that CryptoUtils is using AES with CBC, which is known
to be insecure. Switched to "AES/GCM/NoPadding".
Note: values in any property files using encryption or the "enc:"
prefix will have to be re-encrypted.
Issue-ID: POLICY-2801
Change-Id: I41f00d4f3ee67a00b92135150120d1faa621655a
Signed-off-by: Jim Hahn <jrh3@att.com>
Diffstat (limited to 'utils/src/main')
-rw-r--r-- | utils/src/main/java/org/onap/policy/common/utils/security/CryptoUtils.java | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/utils/src/main/java/org/onap/policy/common/utils/security/CryptoUtils.java b/utils/src/main/java/org/onap/policy/common/utils/security/CryptoUtils.java
index af5b3d49..1a9483a9 100644
--- a/utils/src/main/java/org/onap/policy/common/utils/security/CryptoUtils.java
+++ b/utils/src/main/java/org/onap/policy/common/utils/security/CryptoUtils.java
@@ -23,7 +23,7 @@ package org.onap.policy.common.utils.security;
 import java.nio.charset.StandardCharsets;
 import java.util.Random;
 import javax.crypto.Cipher;
- import javax.crypto.spec.IvParameterSpec;
+ import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import javax.xml.bind.DatatypeConverter;
 import org.apache.commons.lang3.ArrayUtils;
@@ -44,7 +44,9 @@ public class CryptoUtils implements CryptoCoder {
 /**
 * Detailed definition of encryption algorithm.
 */
- private static final String ALGORITHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final String ALGORITHM_DETAILS = ALGORITHM + "/GCM/NoPadding";
+
+ private static final int TAG_SIZE_IN_BITS = 128;
 private static final int IV_BLOCK_SIZE_IN_BITS = 128;
@@ -120,7 +122,7 @@ public class CryptoUtils implements CryptoCoder {
 Cipher cipher = Cipher.getInstance(ALGORITHM_DETAILS);
 byte[] iv = new byte[IV_BLOCK_SIZE_IN_BYTES];
 RANDOM.nextBytes(iv);
- IvParameterSpec ivspec = new IvParameterSpec(iv);
+ GCMParameterSpec ivspec = new GCMParameterSpec(TAG_SIZE_IN_BITS, iv);
 cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivspec);
 return "enc:" + DatatypeConverter.printBase64Binary(
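Review bot: With AES/GCM the per-message IV written by `RANDOM.nextBytes(iv)` in the encrypt hunk must never repeat under the same key — a repeated IV/key pair breaks both confidentiality and the authentication tag — so the generator has to be a `SecureRandom`; the import hunk shows only `java.util.Random` and no `java.security.SecureRandom`, and RANDOM's declaration is outside these hunks, so please confirm it is not a `java.util.Random` instance. The `IV_BLOCK_SIZE_IN_BITS = 128` kept from the CBC version is also larger than the 96-bit IV that GCM is specified around (NIST SP 800-38D); longer IVs are accepted but are first reduced through GHASH, so consider `private static final int IV_BLOCK_SIZE_IN_BITS = 96;` unless the stored ciphertext layout must stay fixed. The Javadoc on ALGORITHM_DETAILS could state the new contract, e.g. `* AES-GCM: the IV prepended to each ciphertext must be unique per key; decryption fails with AEADBadTagException if the data or tag has been altered.` The encrypt method's body continues past the end of the hunk.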
@@ -175,7 +177,7 @@ public class CryptoUtils implements CryptoCoder {
 byte[] encryptedValue = DatatypeConverter.parseBase64Binary(pureValue);
 Cipher cipher = Cipher.getInstance(ALGORITHM_DETAILS);
- IvParameterSpec ivspec = new IvParameterSpec(
+ GCMParameterSpec ivspec = new GCMParameterSpec(TAG_SIZE_IN_BITS,
 ArrayUtils.subarray(encryptedValue, 0, IV_BLOCK_SIZE_IN_BYTES));
 byte[] realData = ArrayUtils.subarray(encryptedValue, IV_BLOCK_SIZE_IN_BYTES, encryptedValue.length); |