summaryrefslogtreecommitdiffstats
path: root/openecomp-be/backend
diff options
context:
space:
mode:
authorNeil Derraugh <neil.derraugh@yoppworks.com>2020-05-06 11:28:39 -0400
committerOfir Sonsino <ofir.sonsino@intl.att.com>2020-05-11 08:43:28 +0000
commit88af509e836976b545e071cfe562bf70258c6c70 (patch)
tree552fa663a86588b8909fe4c226ae669f8ebc5e64 /openecomp-be/backend
parent5a5edfe3f6a304e3f856e618e66d71a258b2c44f (diff)
Fix security issues in SecurityUtil
- Removed hard coded key - Specified mode and padding to address risky algorithm Issue-ID: SDC-3017 Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com> Change-Id: I6c21174003fcb5669de49158d8dd6bf9907f50c6
Diffstat (limited to 'openecomp-be/backend')
-rw-r--r--openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java154
-rw-r--r--openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java49
2 files changed, 0 insertions, 203 deletions
diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java b/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java
deleted file mode 100644
index 4494d4d7a9..0000000000
--- a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java
+++ /dev/null
@@ -1,154 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * SDC
- * ================================================================================
- * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.openecomp.sdc.securityutil;
-
-import fj.data.Either;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.crypto.BadPaddingException;
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.spec.SecretKeySpec;
-import java.io.UnsupportedEncodingException;
-import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.NoSuchAlgorithmException;
-import java.util.Base64;
-
-public class SecurityUtil {
-
- private static final Logger LOG = LoggerFactory.getLogger( SecurityUtil.class );
- private static final byte[] KEY = new byte[]{-64,5,-32 ,-117 ,-44,8,-39, 1, -9, 36,-46,-81, 62,-15,-63,-75};
- public static final SecurityUtil INSTANCE = new SecurityUtil();
- public static final String ALGORITHM = "AES" ;
- public static final String CHARSET = StandardCharsets.UTF_8.name();
-
- public static Key secKey = null ;
-
- /**
- *
- * cmd commands >$PROGRAM_NAME decrypt "$ENCRYPTED_MSG"
- * >$PROGRAM_NAME encrypt "message"
- **/
-
- private SecurityUtil(){ super(); }
-
- static {
- try{
- secKey = generateKey( KEY, ALGORITHM );
- }
- catch(Exception e){
- LOG.warn("cannot generate key for {}", ALGORITHM);
- }
- }
-
-
-
- public static Key generateKey(final byte[] KEY, String algorithm){
- return new SecretKeySpec(KEY, algorithm);
- }
-
- //obfuscates key prefix -> **********
- public String obfuscateKey(String sensitiveData){
-
- if (sensitiveData != null){
- int len = sensitiveData.length();
- StringBuilder builder = new StringBuilder(sensitiveData);
- for (int i=0; i<len/2; i++){
- builder.setCharAt(i, '*');
- }
- return builder.toString();
- }
- return sensitiveData;
- }
-
- /**
- * @param strDataToEncrypt - plain string to encrypt
- * Encrypt the Data
- * a. Declare / Initialize the Data. Here the data is of type String
- * b. Convert the Input Text to Bytes
- * c. Encrypt the bytes using doFinal method
- */
- public Either<String,String> encrypt(String strDataToEncrypt){
- if (strDataToEncrypt != null ){
- try {
- LOG.debug("Encrypt key -> {}", secKey);
- Cipher aesCipherForEncryption = Cipher.getInstance("AES"); // Must specify the mode explicitly as most JCE providers default to ECB mode!!
- aesCipherForEncryption.init(Cipher.ENCRYPT_MODE, secKey);
- byte[] byteDataToEncrypt = strDataToEncrypt.getBytes();
- byte[] byteCipherText = aesCipherForEncryption.doFinal(byteDataToEncrypt);
- String strCipherText = new String( Base64.getMimeEncoder().encode(byteCipherText), CHARSET );
- LOG.debug("Cipher Text generated using AES is {}", strCipherText);
- return Either.left(strCipherText);
- } catch( NoSuchAlgorithmException | UnsupportedEncodingException e){
- LOG.warn( "cannot encrypt data unknown algorithm or missing encoding for {}" ,secKey.getAlgorithm());
- } catch( InvalidKeyException e){
- LOG.warn( "invalid key recieved - > {} | {}" , Base64.getDecoder().decode( secKey.getEncoded() ), e.getMessage() );
- } catch( IllegalBlockSizeException | BadPaddingException | NoSuchPaddingException e){
- LOG.warn( "bad algorithm definition (Illegal Block Size or padding), please review you algorithm block&padding" , e.getMessage() );
- }
- }
- return Either.right("Cannot encrypt "+strDataToEncrypt);
- }
-
- /**
- * Decrypt the Data
- * @param byteCipherText - should be valid bae64 input in the length of 16bytes
- * @param isBase64Decoded - is data already base64 encoded&aligned to 16 bytes
- * a. Initialize a new instance of Cipher for Decryption (normally don't reuse the same object)
- * b. Decrypt the cipher bytes using doFinal method
- */
- public Either<String,String> decrypt(byte[] byteCipherText , boolean isBase64Decoded){
- if (byteCipherText != null){
- byte[] alignedCipherText = byteCipherText;
- try{
- if (isBase64Decoded)
- alignedCipherText = Base64.getDecoder().decode(byteCipherText);
- LOG.debug("Decrypt key -> "+secKey.getEncoded());
- Cipher aesCipherForDecryption = Cipher.getInstance("AES"); // Must specify the mode explicitly as most JCE providers default to ECB mode!!
- aesCipherForDecryption.init(Cipher.DECRYPT_MODE, secKey);
- byte[] byteDecryptedText = aesCipherForDecryption.doFinal(alignedCipherText);
- String strDecryptedText = new String(byteDecryptedText);
- LOG.debug("Decrypted Text message is: {}" , obfuscateKey( strDecryptedText ));
- return Either.left(strDecryptedText);
- } catch( NoSuchAlgorithmException e){
- LOG.warn( "cannot encrypt data unknown algorithm or missing encoding for {}" ,secKey.getAlgorithm());
- } catch( InvalidKeyException e){
- LOG.warn( "invalid key recieved - > {} | {}" , Base64.getDecoder().decode( secKey.getEncoded() ), e.getMessage() );
- } catch( IllegalBlockSizeException | BadPaddingException | NoSuchPaddingException e){
- LOG.warn( "bad algorithm definition (Illegal Block Size or padding), please review you algorithm block&padding" , e.getMessage() );
- }
- }
- return Either.right("Decrypt FAILED");
- }
-
- public Either<String,String> decrypt(String byteCipherText){
- try {
- return decrypt(byteCipherText.getBytes(CHARSET),true);
- } catch( UnsupportedEncodingException e ){
- LOG.warn( "Missing encoding for {} | {} " ,secKey.getAlgorithm() , e.getMessage());
- }
- return Either.right("Decrypt FAILED");
- }
-}
diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java
deleted file mode 100644
index 938f3c5e92..0000000000
--- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*-
- * ============LICENSE_START=======================================================
- * SDC
- * ================================================================================
- * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-import org.junit.Test;
-
-import java.util.Base64;
-import org.openecomp.sdc.securityutil.SecurityUtil;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotEquals;
-
-public class SecurityUtilTest {
-
- @Test
- public void encryptDecryptAES128() {
- String data = "decrypt SUCCESS!!";
- String encrypted = SecurityUtil.INSTANCE.encrypt(data).left().value();
- assertNotEquals( data, encrypted );
- byte[] decryptMsg = Base64.getDecoder().decode(encrypted);
- assertEquals( SecurityUtil.INSTANCE.decrypt( decryptMsg , false ).left().value() ,data );
- assertEquals( SecurityUtil.INSTANCE.decrypt( encrypted.getBytes() , true ).left().value() ,data );
- }
-
- @Test
- public void obfuscateKey() {
- String key = "abcdefghij123456";
- String expectedkey = "********ij123456";
- String obfuscated = SecurityUtil.INSTANCE.obfuscateKey( key );
- System.out.println( obfuscated );
- assertEquals( obfuscated , expectedkey );
- }
-}