summaryrefslogtreecommitdiffstats
path: root/security-util-lib
diff options
context:
space:
mode:
authorOfir Sonsino <ofir.sonsino@intl.att.com>2020-05-31 07:59:58 +0000
committerGerrit Code Review <gerrit@onap.org>2020-05-31 07:59:58 +0000
commit74dc5044f00a113eef41b345390f8c266112b2d7 (patch)
treef07a5a1dfcd8137baf79c82192fb2130544e6e58 /security-util-lib
parent745e3fe26aa61ca02ea3a05e26b900671f5e04a6 (diff)
parent7d831d7e9dba8c3228c427065ee06951150f7a81 (diff)
Merge "Fix security issue in CipherUtil"
Diffstat (limited to 'security-util-lib')
-rw-r--r--security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java26
-rw-r--r--security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java2
2 files changed, 17 insertions, 11 deletions
diff --git a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
index a51d3ff..ba8665a 100644
--- a/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
+++ b/security-util-lib/src/main/java/org/onap/sdc/security/CipherUtil.java
@@ -22,7 +22,9 @@ package org.onap.sdc.security;
import java.security.SecureRandom;
+import java.util.Arrays;
import javax.crypto.Cipher;
+import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
@@ -35,11 +37,12 @@ import org.onap.sdc.security.logging.wrappers.Logger;
public class CipherUtil {
private static Logger log = Logger.getLogger( CipherUtil.class.getName());
private static final String ALGORITHM = "AES";
- private static final String ALGORYTHM_DETAILS = ALGORITHM + "/CBC/PKCS5PADDING";
+ private static final String ALGORYTHM_DETAILS = ALGORITHM + "/GCM/NoPadding";
private static final String CIPHER_PROVIDER = "SunJCE";
- private static final int BLOCK_SIZE = 128;
- private static final int BYTE_SIZE = 8;
- private static final int IV_SIZE = BLOCK_SIZE / BYTE_SIZE;
+
+ public static final int GCM_TAG_LENGTH = 16;
+ public static final int GCM_IV_LENGTH = 12;
+
private static final byte[] EMPTY_BYTE_ARRAY = new byte[0];
private static final String ALGORITHM_NAME = "SHA1PRNG";
@@ -53,14 +56,15 @@ public class CipherUtil {
*/
public static String encryptPKC(String value, String base64key) throws CipherUtilException {
Cipher cipher;
- byte[] iv = new byte[IV_SIZE];
+ byte[] iv = new byte[GCM_IV_LENGTH];
byte[] finalByte;
try {
cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
SecureRandom secureRandom = SecureRandom.getInstance(ALGORITHM_NAME);
secureRandom.nextBytes(iv);
- IvParameterSpec ivspec = new IvParameterSpec(iv);
- cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+ GCMParameterSpec spec =
+ new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, iv);
+ cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(base64key), spec);
finalByte = cipher.doFinal(value.getBytes());
} catch (Exception ex) {
@@ -87,9 +91,11 @@ public class CipherUtil {
byte[] decrypted;
try {
cipher = Cipher.getInstance(ALGORYTHM_DETAILS, CIPHER_PROVIDER);
- IvParameterSpec ivspec = new IvParameterSpec(subarray(encryptedMessage, 0, IV_SIZE));
- byte[] realData = subarray(encryptedMessage, IV_SIZE, encryptedMessage.length);
- cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), ivspec);
+ byte[] initVector = Arrays.copyOfRange(encryptedMessage, 0, GCM_IV_LENGTH);
+ GCMParameterSpec spec =
+ new GCMParameterSpec(GCM_TAG_LENGTH * java.lang.Byte.SIZE, initVector);
+ byte[] realData = subarray(encryptedMessage, GCM_IV_LENGTH, encryptedMessage.length);
+ cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(base64key), spec);
decrypted = cipher.doFinal(realData);
} catch (Exception ex) {
diff --git a/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java b/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
index 3f60a9f..9a6646c 100644
--- a/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
+++ b/security-util-lib/src/test/java/org/onap/sdc/security/CipherUtilTest.java
@@ -70,7 +70,7 @@ public class CipherUtilTest {
CipherUtil.decryptPKC(DATA, KEY);
fail();
} catch (CipherUtilException ex) {
- assertTrue(ex.getMessage().contains("Wrong IV length"));
+ assertTrue(ex.getMessage().contains("Input too short"));
}
}
}