diff options
| author |   Jim Hahn <jrh3@att.com> | 2020-10-28 16:22:01 -0400 |
|---|---|---|
| committer | Jim Hahn <jrh3@att.com> | 2020-10-29 08:17:47 -0400 |
| commit | f9c66e100522272543a550736cbe660cad4bfec5 (patch) | |
| tree | 3368cf75fad013636e67b9d424bec54e8c02e0b9 /utils/src/test/java/org/onap | |
| parent | 923f85537b509bb0befc296c2c8d40807a326296 (diff) | |
Fix sonar security issue in CryptoUtils
Sonar reports that CryptoUtils is using AES with CBC, which is known
to be insecure. Switched to "AES/GCM/NoPadding".
Note: values in any property files using encryption or the "enc:"
prefix will have to be re-encrypted.
Issue-ID: POLICY-2801
Change-Id: I41f00d4f3ee67a00b92135150120d1faa621655a
Signed-off-by: Jim Hahn <jrh3@att.com>
Diffstat (limited to 'utils/src/test/java/org/onap')
| -rw-r--r-- | utils/src/test/java/org/onap/policy/common/utils/coder/PropertyCoderTest.java | 18 | ||||
| -rw-r--r-- | utils/src/test/java/org/onap/policy/common/utils/security/CryptoUtilsTest.java | 6 |
2 files changed, 19 insertions, 5 deletions
diff --git a/utils/src/test/java/org/onap/policy/common/utils/coder/PropertyCoderTest.java b/utils/src/test/java/org/onap/policy/common/utils/coder/PropertyCoderTest.java index 47453dfc..86f8a1b1 100644 --- a/utils/src/test/java/org/onap/policy/common/utils/coder/PropertyCoderTest.java +++ b/utils/src/test/java/org/onap/policy/common/utils/coder/PropertyCoderTest.java @@ -33,15 +33,29 @@ import org.junit.Test; public class PropertyCoderTest { private PropertyCoder propertyCoder = null; private static final String AES_ENCRYPTION_KEY = "aes_encryption_key"; + + /* + * Note: to generate the encrypted values, invoke CryptoUtils passing both the value + * to be encrypted and the secret key. + * + * The secret key should typically be 32 characters long, resulting in a 256-bit + * key, and is placed in "aes_encryption_key". + * + * For "xacml.pdp.rest.password", the encrypted value was generated via: + * java org.onap.policy.common.utils.security.CryptoUtils enc alpha abcdefghijklmnopqrstuvwxyzabcdef + * + * For "pass", the encrypted value was generated via: + * java org.onap.policy.common.utils.security.CryptoUtils enc hello abcdefghijklmnopqrstuvwxyzabcdef + */ private static final String json = ("{'aes_encryption_key':'abcdefghijklmnopqrstuvwxyzabcdef'" - + ",'xacml.pdp.rest.password':'enc:YZ8EqzsxIOzIuK416SWAdrv+0cKKkqsQt/NYH9+uxwI='" + + ",'xacml.pdp.rest.password':'enc:FSfOhDygtmnX3gkMSfTFMoBFW+AG5k6goNj2KZgQmeF0DqgcMg=='" + ",'xacml.pdp.rest.user':'testpdp'" + ",'xacml.pdp.rest.client.user':'policy'" + ",'xacml.pdp.rest.client.password':'policy'" + ",'xacml.pdp.rest.environment':'TEST'" + ",'servers':[{'name':'server1','port':'10'," - + "'pass':'enc:KXIY94KcAapOAAeFbtjQL4kBPB4k+NJfwdP+GpG3LWQ='}" + + "'pass':'enc:08Fj6tLhmWjkZkf52O2A2ZNT8PpL80yEOEKXlbV/gnm0lkR9OA=='}" + ",{'name':'server2','port':'20','pass':'plaintext'}]" + "}").replace('\'', '"'); diff --git a/utils/src/test/java/org/onap/policy/common/utils/security/CryptoUtilsTest.java b/utils/src/test/java/org/onap/policy/common/utils/security/CryptoUtilsTest.java index ce9435d8..625fd1f5 100644 --- a/utils/src/test/java/org/onap/policy/common/utils/security/CryptoUtilsTest.java +++ b/utils/src/test/java/org/onap/policy/common/utils/security/CryptoUtilsTest.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * ONAP * ================================================================================ - * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. + * Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -37,7 +37,7 @@ public class CryptoUtilsTest { private static Logger logger = LoggerFactory.getLogger(CryptoUtilsTest.class); private static final String PASS = "HelloWorld"; private static final String SECRET_KEY = "MTIzNDU2Nzg5MDEyMzQ1Ng=="; - private static final String ENCRYPTED_PASS = "enc:hcI2XVX+cxPz/6rlbebkWpCFF6WPbBtT7iJRr2VHUkA="; + private static final String ENCRYPTED_PASS = "enc:Z6QzirpPyDpwmIcNbE3U2iq6g/ubJBEdzssoigxGGChlQtdWOLD8y00O"; private static final String DECRYPTED_MSG = "encrypted value: {} decrypted value : {}"; private static final String ENCRYPTED_MSG = "original value : {} encrypted value: {}"; @@ -120,4 +120,4 @@ public class CryptoUtilsTest { String decryptedAgain = CryptoUtils.decrypt(decryptedValue, SECRET_KEY); assertEquals(decryptedValue, decryptedAgain); } -}
\ No newline at end of file +} |