diff options
author | Neil Derraugh <neil.derraugh@yoppworks.com> | 2020-06-08 10:40:10 -0400 |
---|---|---|
committer | Ofir Sonsino <ofir.sonsino@intl.att.com> | 2020-06-10 08:23:27 +0000 |
commit | 6cfebc0867b2f21a401f55734aba30eb245e3c70 (patch) | |
tree | fcbed2057758d87703104cccaacb302f082d9f19 /openecomp-be/backend/openecomp-sdc-security-util | |
parent | 8a0f58a005175959f5b56c0840ee9980f0d68c01 (diff) |
Fix security issue in SecurityUtil
- Specified mode and padding to address risky algorithm
- Corrected unit test for different exception message
- Moved tests to package
Issue-ID: SDC-3105
Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com>
Change-Id: I5773ab555a5468362c775cf99795df4eb8c52136
Diffstat (limited to 'openecomp-be/backend/openecomp-sdc-security-util')
6 files changed, 42 insertions, 30 deletions
diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/CipherUtil.java b/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/CipherUtil.java index 4f4c18c282..71ac6151f7 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/CipherUtil.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/CipherUtil.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -21,43 +21,47 @@ package org.openecomp.sdc.securityutil; import java.security.SecureRandom; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - +import java.util.Arrays; import javax.crypto.Cipher; -import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.codec.binary.Base64; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; public class CipherUtil { - private static Logger log = LoggerFactory.getLogger( CipherUtil.class.getName()); + + private static Logger log = LoggerFactory.getLogger(CipherUtil.class.getName()); private static final String ALGORITHM = "AES"; - private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING"; + private static final String ALGORITHM_DETAILS = ALGORITHM + "/GCM/NoPadding"; private static final String CIPHER_PROVIDER = "SunJCE"; - private static final int BLOCK_SIZE = 128; - private static final int BYTE_SIZE = 8; - private static final int IV_SIZE = BLOCK_SIZE / BYTE_SIZE; + + public static final int GCM_TAG_LENGTH = 16; + public static final int GCM_IV_LENGTH = 12; + private static final byte[] EMPTY_BYTE_ARRAY = new byte[0]; private static final String ALGORITHM_NAME = "SHA1PRNG"; + private CipherUtil() {} + /** * Encrypt the text using the secret key in key.properties file * * @param value string to encrypt * @return The encrypted string - * @throws CipherUtilException - * In case of issue with the encryption + * @throws CipherUtilException In case of issue with the encryption */ public static String encryptPKC(String value, String base64key) throws CipherUtilException { Cipher cipher; - byte[] iv = new byte[IV_SIZE]; + byte[] iv = new byte[GCM_IV_LENGTH]; byte[] finalByte; try { - cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER); + cipher = Cipher.getInstance(ALGORITHM_DETAILS, CIPHER_PROVIDER); SecureRandom secureRandom = SecureRandom.getInstance(ALGORITHM_NAME); secureRandom.nextBytes(iv); - IvParameterSpec ivspec = new IvParameterSpec(iv); - cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), ivspec); + GCMParameterSpec spec = + new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, iv); + cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), spec); finalByte = cipher.doFinal(value.getBytes()); } catch (Exception ex) { @@ -70,12 +74,10 @@ public class CipherUtil { /** * Decrypts the text using the secret key in key.properties file. * - * @param message - * The encrypted string that must be decrypted using the ONAP Portal - * Encryption Key + * @param message The encrypted string that must be decrypted using the ONAP Portal Encryption + * Key * @return The String decrypted - * @throws CipherUtilException - * if any decryption step fails + * @throws CipherUtilException if any decryption step fails */ public static String decryptPKC(String message, String base64key) throws CipherUtilException { @@ -83,10 +85,12 @@ public class CipherUtil { Cipher cipher; byte[] decrypted; try { - cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER); - IvParameterSpec ivspec = new IvParameterSpec(subarray(encryptedMessage, 0, IV_SIZE)); - byte[] realData = subarray(encryptedMessage, IV_SIZE, encryptedMessage.length); - cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), ivspec); + cipher = Cipher.getInstance(ALGORITHM_DETAILS, CIPHER_PROVIDER); + byte[] initVector = Arrays.copyOfRange(encryptedMessage, 0, GCM_IV_LENGTH); + GCMParameterSpec spec = + new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, initVector); + byte[] realData = subarray(encryptedMessage, GCM_IV_LENGTH, encryptedMessage.length); + cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), spec); decrypted = cipher.doFinal(realData); } catch (Exception ex) { @@ -120,7 +124,7 @@ public class CipherUtil { private static byte[] subarray(byte[] array, int startIndexInclusive, int endIndexExclusive) { if (array == null) { - return null; + return new byte[0]; } else { if (startIndexInclusive < 0) { startIndexInclusive = 0; diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/AuthenticationCookieUtilsTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/AuthenticationCookieUtilsTest.java index 402803479f..6c1e6cb849 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/AuthenticationCookieUtilsTest.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/AuthenticationCookieUtilsTest.java @@ -18,6 +18,8 @@ * ============LICENSE_END========================================================= */ +package org.openecomp.sdc.securityutil; + import org.junit.Test; import javax.servlet.http.Cookie; diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/CipherUtilTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/CipherUtilTest.java index 888c888d42..437974de02 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/CipherUtilTest.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/CipherUtilTest.java @@ -18,11 +18,11 @@ * ============LICENSE_END========================================================= */ +package org.openecomp.sdc.securityutil; + import org.apache.commons.codec.binary.Base64; import org.apache.commons.lang.RandomStringUtils; import org.junit.Test; -import org.openecomp.sdc.securityutil.CipherUtil; -import org.openecomp.sdc.securityutil.CipherUtilException; import static org.junit.Assert.*; @@ -67,7 +67,7 @@ public class CipherUtilTest { CipherUtil.decryptPKC(DATA, KEY); fail(); } catch (CipherUtilException ex) { - assertTrue(ex.getMessage().contains("Wrong IV length")); + assertTrue(ex.getMessage().contains("Input too short")); } } } diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/PasswordsTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/PasswordsTest.java index d3ba3bbe4e..34a0c52604 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/PasswordsTest.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/PasswordsTest.java @@ -18,6 +18,8 @@ * ============LICENSE_END========================================================= */ +package org.openecomp.sdc.securityutil; + import org.junit.Test; import org.openecomp.sdc.securityutil.Passwords; diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/RepresentationUtilsTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/RepresentationUtilsTest.java index 5960c82130..f7af4a9318 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/RepresentationUtilsTest.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/RepresentationUtilsTest.java @@ -18,6 +18,8 @@ * ============LICENSE_END========================================================= */ +package org.openecomp.sdc.securityutil; + import org.junit.Test; import java.io.IOException; diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SessionValidationFilterTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/filters/SessionValidationFilterTest.java index 07151bc4d5..cb11ef97f4 100644 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SessionValidationFilterTest.java +++ b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/org/openecomp/sdc/securityutil/filters/SessionValidationFilterTest.java @@ -18,6 +18,8 @@ * ============LICENSE_END========================================================= */ +package org.openecomp.sdc.securityutil.filters; + import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; |