Fix security issue in CipherUtil

- Specified mode and padding to address risky algorithm Issue-ID: SDC-2976 Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com> Change-Id: I3a2344f3d4a14ad7cb7e01a68148858147a41427
author: Neil Derraugh <neil.derraugh@yoppworks.com> 2020-05-19 22:50:28 -0400
committer: Neil Derraugh <neil.derraugh@yoppworks.com> 2020-05-19 22:50:28 -0400
commit: 7d831d7e9dba8c3228c427065ee06951150f7a81 (patch)
tree: 3389eb0eba0432387bdb125e3e701ca1c5a81305
parent: 0023364bb5bd18eb791d53ef1be6bbe7309dd4ed (diff)
2 files changed, 17 insertions, 11 deletions
diff --git a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
index a51d3ff..ba8665a 100644
--- a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
+++ b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
@@ -22,7 +22,9 @@ package org.onap.sdc.security;
 
 import java.security.SecureRandom;
 
+import java.util.Arrays;
 import javax.crypto.Cipher;
+import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.codec.binary.Base64;
@@ -35,11 +37,12 @@ import org.onap.sdc.security.logging.wrappers.Logger;
 public class CipherUtil {
     private static Logger log = Logger.getLogger( CipherUtil.class.getName());
     private static final String ALGORITHM = "AES";
-    private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+    private static final String ALGORYTHM_DETAILS = ALGORITHM + "/GCM/NoPadding";
     private static final String CIPHER_PROVIDER = "SunJCE";
-    private static final int BLOCK_SIZE = 128;
-    private static final int BYTE_SIZE = 8;
-    private static final int IV_SIZE = BLOCK_SIZE / BYTE_SIZE;
+
+    public static final int GCM_TAG_LENGTH = 16;
+    public static final int GCM_IV_LENGTH = 12;
+
     private static final byte[] EMPTY_BYTE_ARRAY = new byte[0];
     private static final String ALGORITHM_NAME = "SHA1PRNG";
 
@@ -53,14 +56,15 @@ public class CipherUtil {
      */
     public static String encryptPKC(String value, String base64key) throws CipherUtilException {
         Cipher cipher;
-        byte[] iv = new byte[IV_SIZE];
+        byte[] iv = new byte[GCM_IV_LENGTH];
         byte[] finalByte;
         try {
             cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
             SecureRandom secureRandom = SecureRandom.getInstance(ALGORITHM_NAME);
             secureRandom.nextBytes(iv);
-            IvParameterSpec ivspec = new IvParameterSpec(iv);
-            cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+            GCMParameterSpec spec =
+                new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, iv);
+            cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), spec);
             finalByte = cipher.doFinal(value.getBytes());
 
         } catch (Exception ex) {
@@ -87,9 +91,11 @@ public class CipherUtil {
         byte[] decrypted;
         try {
             cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
-            IvParameterSpec ivspec = new IvParameterSpec(subarray(encryptedMessage, 0, IV_SIZE));
-            byte[] realData = subarray(encryptedMessage, IV_SIZE, encryptedMessage.length);
-            cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+            byte[] initVector = Arrays.copyOfRange(encryptedMessage, 0, GCM_IV_LENGTH);
+            GCMParameterSpec spec =
+                new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, initVector);
+            byte[] realData = subarray(encryptedMessage, GCM_IV_LENGTH, encryptedMessage.length);
+            cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), spec);
             decrypted = cipher.doFinal(realData);
 
         } catch (Exception ex) {
diff --git a/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java b/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
index 3f60a9f..9a6646c 100644
--- a/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
+++ b/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
@@ -70,7 +70,7 @@ public class CipherUtilTest {
             CipherUtil.decryptPKC(DATA, KEY);
           fail();
        } catch (CipherUtilException ex) {
-          assertTrue(ex.getMessage().contains("Wrong IV length"));
+          assertTrue(ex.getMessage().contains("Input too short"));
         }
     }
 }
author	Neil Derraugh <neil.derraugh@yoppworks.com>	2020-05-19 22:50:28 -0400
committer	Neil Derraugh <neil.derraugh@yoppworks.com>	2020-05-19 22:50:28 -0400
commit	7d831d7e9dba8c3228c427065ee06951150f7a81 (patch)
tree	3389eb0eba0432387bdb125e3e701ca1c5a81305
parent	0023364bb5bd18eb791d53ef1be6bbe7309dd4ed (diff)