summaryrefslogtreecommitdiffstats
path: root/security-util-lib/src/main
diff options
context:
space:
mode:
authorNeil Derraugh <neil.derraugh@yoppworks.com>2020-05-19 22:50:28 -0400
committerNeil Derraugh <neil.derraugh@yoppworks.com>2020-05-19 22:50:28 -0400
commit7d831d7e9dba8c3228c427065ee06951150f7a81 (patch)
tree3389eb0eba0432387bdb125e3e701ca1c5a81305 /security-util-lib/src/main
parent0023364bb5bd18eb791d53ef1be6bbe7309dd4ed (diff)
Fix security issue in CipherUtil
- Specified mode and padding to address risky algorithm Issue-ID: SDC-2976 Signed-off-by: Neil Derraugh <neil.derraugh@yoppworks.com> Change-Id: I3a2344f3d4a14ad7cb7e01a68148858147a41427
Diffstat (limited to 'security-util-lib/src/main')
-rw-r--r--security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java26
1 files changed, 16 insertions, 10 deletions
diff --git a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
index a51d3ff..ba8665a 100644
--- a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
+++ b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
@@ -22,7 +22,9 @@ package org.onap.sdc.security;
import java.security.SecureRandom;
+import java.util.Arrays;
import javax.crypto.Cipher;
+import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
@@ -35,11 +37,12 @@ import org.onap.sdc.security.logging.wrappers.Logger;
public class CipherUtil {
private static Logger log = Logger.getLogger( CipherUtil.class.getName());
private static final String ALGORITHM = "AES";
- private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final String ALGORYTHM_DETAILS = ALGORITHM + "/GCM/NoPadding";
private static final String CIPHER_PROVIDER = "SunJCE";
- private static final int BLOCK_SIZE = 128;
- private static final int BYTE_SIZE = 8;
- private static final int IV_SIZE = BLOCK_SIZE / BYTE_SIZE;
+
+ public static final int GCM_TAG_LENGTH = 16;
+ public static final int GCM_IV_LENGTH = 12;
+
private static final byte[] EMPTY_BYTE_ARRAY = new byte[0];
private static final String ALGORITHM_NAME = "SHA1PRNG";
@@ -53,14 +56,15 @@ public class CipherUtil {
*/
public static String encryptPKC(String value, String base64key) throws CipherUtilException {
Cipher cipher;
- byte[] iv = new byte[IV_SIZE];
+ byte[] iv = new byte[GCM_IV_LENGTH];
byte[] finalByte;
try {
cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
SecureRandom secureRandom = SecureRandom.getInstance(ALGORITHM_NAME);
secureRandom.nextBytes(iv);
- IvParameterSpec ivspec = new IvParameterSpec(iv);
- cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+ GCMParameterSpec spec =
+ new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, iv);
+ cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), spec);
finalByte = cipher.doFinal(value.getBytes());
} catch (Exception ex) {
@@ -87,9 +91,11 @@ public class CipherUtil {
byte[] decrypted;
try {
cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
- IvParameterSpec ivspec = new IvParameterSpec(subarray(encryptedMessage, 0, IV_SIZE));
- byte[] realData = subarray(encryptedMessage, IV_SIZE, encryptedMessage.length);
- cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+ byte[] initVector = Arrays.copyOfRange(encryptedMessage, 0, GCM_IV_LENGTH);
+ GCMParameterSpec spec =
+ new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, initVector);
+ byte[] realData = subarray(encryptedMessage, GCM_IV_LENGTH, encryptedMessage.length);
+ cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), spec);
decrypted = cipher.doFinal(realData);
} catch (Exception ex) {