From 88af509e836976b545e071cfe562bf70258c6c70 Mon Sep 17 00:00:00 2001 From: Neil Derraugh Date: Wed, 6 May 2020 11:28:39 -0400 Subject: Fix security issues in SecurityUtil - Removed hard coded key - Specified mode and padding to address risky algorithm Issue-ID: SDC-3017 Signed-off-by: Neil Derraugh Change-Id: I6c21174003fcb5669de49158d8dd6bf9907f50c6 --- .../openecomp/sdc/securityutil/SecurityUtil.java | 154 --------------------- .../src/test/java/SecurityUtilTest.java | 49 ------- 2 files changed, 203 deletions(-) delete mode 100644 openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java delete mode 100644 openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java (limited to 'openecomp-be') diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java b/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java deleted file mode 100644 index 4494d4d7a9..0000000000 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/main/java/org/openecomp/sdc/securityutil/SecurityUtil.java +++ /dev/null @@ -1,154 +0,0 @@ -/*- - * ============LICENSE_START======================================================= - * SDC - * ================================================================================ - * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package org.openecomp.sdc.securityutil; - -import fj.data.Either; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import javax.crypto.BadPaddingException; -import javax.crypto.Cipher; -import javax.crypto.IllegalBlockSizeException; -import javax.crypto.NoSuchPaddingException; -import javax.crypto.spec.SecretKeySpec; -import java.io.UnsupportedEncodingException; -import java.nio.charset.StandardCharsets; -import java.security.InvalidKeyException; -import java.security.Key; -import java.security.NoSuchAlgorithmException; -import java.util.Base64; - -public class SecurityUtil { - - private static final Logger LOG = LoggerFactory.getLogger( SecurityUtil.class ); - private static final byte[] KEY = new byte[]{-64,5,-32 ,-117 ,-44,8,-39, 1, -9, 36,-46,-81, 62,-15,-63,-75}; - public static final SecurityUtil INSTANCE = new SecurityUtil(); - public static final String ALGORITHM = "AES" ; - public static final String CHARSET = StandardCharsets.UTF_8.name(); - - public static Key secKey = null ; - - /** - * - * cmd commands >$PROGRAM_NAME decrypt "$ENCRYPTED_MSG" - * >$PROGRAM_NAME encrypt "message" - **/ - - private SecurityUtil(){ super(); } - - static { - try{ - secKey = generateKey( KEY, ALGORITHM ); - } - catch(Exception e){ - LOG.warn("cannot generate key for {}", ALGORITHM); - } - } - - - - public static Key generateKey(final byte[] KEY, String algorithm){ - return new SecretKeySpec(KEY, algorithm); - } - - //obfuscates key prefix -> ********** - public String obfuscateKey(String sensitiveData){ - - if (sensitiveData != null){ - int len = sensitiveData.length(); - StringBuilder builder = new StringBuilder(sensitiveData); - for (int i=0; i encrypt(String strDataToEncrypt){ - if (strDataToEncrypt != null ){ - try { - LOG.debug("Encrypt key -> {}", secKey); - Cipher aesCipherForEncryption = Cipher.getInstance("AES"); // Must specify the mode explicitly as most JCE providers default to ECB mode!! - aesCipherForEncryption.init(Cipher.ENCRYPT_MODE, secKey); - byte[] byteDataToEncrypt = strDataToEncrypt.getBytes(); - byte[] byteCipherText = aesCipherForEncryption.doFinal(byteDataToEncrypt); - String strCipherText = new String( Base64.getMimeEncoder().encode(byteCipherText), CHARSET ); - LOG.debug("Cipher Text generated using AES is {}", strCipherText); - return Either.left(strCipherText); - } catch( NoSuchAlgorithmException | UnsupportedEncodingException e){ - LOG.warn( "cannot encrypt data unknown algorithm or missing encoding for {}" ,secKey.getAlgorithm()); - } catch( InvalidKeyException e){ - LOG.warn( "invalid key recieved - > {} | {}" , Base64.getDecoder().decode( secKey.getEncoded() ), e.getMessage() ); - } catch( IllegalBlockSizeException | BadPaddingException | NoSuchPaddingException e){ - LOG.warn( "bad algorithm definition (Illegal Block Size or padding), please review you algorithm block&padding" , e.getMessage() ); - } - } - return Either.right("Cannot encrypt "+strDataToEncrypt); - } - - /** - * Decrypt the Data - * @param byteCipherText - should be valid bae64 input in the length of 16bytes - * @param isBase64Decoded - is data already base64 encoded&aligned to 16 bytes - * a. Initialize a new instance of Cipher for Decryption (normally don't reuse the same object) - * b. Decrypt the cipher bytes using doFinal method - */ - public Either decrypt(byte[] byteCipherText , boolean isBase64Decoded){ - if (byteCipherText != null){ - byte[] alignedCipherText = byteCipherText; - try{ - if (isBase64Decoded) - alignedCipherText = Base64.getDecoder().decode(byteCipherText); - LOG.debug("Decrypt key -> "+secKey.getEncoded()); - Cipher aesCipherForDecryption = Cipher.getInstance("AES"); // Must specify the mode explicitly as most JCE providers default to ECB mode!! - aesCipherForDecryption.init(Cipher.DECRYPT_MODE, secKey); - byte[] byteDecryptedText = aesCipherForDecryption.doFinal(alignedCipherText); - String strDecryptedText = new String(byteDecryptedText); - LOG.debug("Decrypted Text message is: {}" , obfuscateKey( strDecryptedText )); - return Either.left(strDecryptedText); - } catch( NoSuchAlgorithmException e){ - LOG.warn( "cannot encrypt data unknown algorithm or missing encoding for {}" ,secKey.getAlgorithm()); - } catch( InvalidKeyException e){ - LOG.warn( "invalid key recieved - > {} | {}" , Base64.getDecoder().decode( secKey.getEncoded() ), e.getMessage() ); - } catch( IllegalBlockSizeException | BadPaddingException | NoSuchPaddingException e){ - LOG.warn( "bad algorithm definition (Illegal Block Size or padding), please review you algorithm block&padding" , e.getMessage() ); - } - } - return Either.right("Decrypt FAILED"); - } - - public Either decrypt(String byteCipherText){ - try { - return decrypt(byteCipherText.getBytes(CHARSET),true); - } catch( UnsupportedEncodingException e ){ - LOG.warn( "Missing encoding for {} | {} " ,secKey.getAlgorithm() , e.getMessage()); - } - return Either.right("Decrypt FAILED"); - } -} diff --git a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java b/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java deleted file mode 100644 index 938f3c5e92..0000000000 --- a/openecomp-be/backend/openecomp-sdc-security-util/src/test/java/SecurityUtilTest.java +++ /dev/null @@ -1,49 +0,0 @@ -/*- - * ============LICENSE_START======================================================= - * SDC - * ================================================================================ - * Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -import org.junit.Test; - -import java.util.Base64; -import org.openecomp.sdc.securityutil.SecurityUtil; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotEquals; - -public class SecurityUtilTest { - - @Test - public void encryptDecryptAES128() { - String data = "decrypt SUCCESS!!"; - String encrypted = SecurityUtil.INSTANCE.encrypt(data).left().value(); - assertNotEquals( data, encrypted ); - byte[] decryptMsg = Base64.getDecoder().decode(encrypted); - assertEquals( SecurityUtil.INSTANCE.decrypt( decryptMsg , false ).left().value() ,data ); - assertEquals( SecurityUtil.INSTANCE.decrypt( encrypted.getBytes() , true ).left().value() ,data ); - } - - @Test - public void obfuscateKey() { - String key = "abcdefghij123456"; - String expectedkey = "********ij123456"; - String obfuscated = SecurityUtil.INSTANCE.obfuscateKey( key ); - System.out.println( obfuscated ); - assertEquals( obfuscated , expectedkey ); - } -} -- cgit 1.2.3-korg