summaryrefslogtreecommitdiffstats
path: root/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
diff options
context:
space:
mode:
authorTor Brede Vekterli <vekterli@yahooinc.com>2022-11-09 12:26:07 +0100
committerTor Brede Vekterli <vekterli@yahooinc.com>2022-11-09 12:50:23 +0100
commitc395f42fa83a3d6e57a76f0691b487b9382b5570 (patch)
treee092b89bb92d5e13bbd0910b810fa8397fc7a177 /security-utils/src/main/java/com/yahoo/security/KeyUtils.java
parent30a676fb89f28a618f0dc2c0752cde8c29bf320c (diff)
Use Base62 for tokens and Base58 for keys
* Base62 minimizes extra size overhead relative to Base64. * Base58 removes ambiguous characters from key encodings. Common for both bases is that they do not emit any characters that interfer with easily selecting them on web pages or in the CLI.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/KeyUtils.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/KeyUtils.java29
1 files changed, 29 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
index cef0dd9a62e..47055a65618 100644
--- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
@@ -280,6 +280,25 @@ public class KeyUtils {
return Base64.getUrlEncoder().withoutPadding().encodeToString(toRawX25519PublicKeyBytes(publicKey));
}
+ // This sanity check is to avoid any DoS potential caused by passing in a very large key
+ // to a quadratic Base58 decoding routing. We don't do this for the encoding since we
+ // always control the input size for that case.
+ private static void verifyB58InputSmallEnoughToBeX25519Key(String key) {
+ if (key.length() > 64) { // a very wide margin...
+ throw new IllegalArgumentException("Input Base58 is too large to represent an X25519 key");
+ }
+ }
+
+ public static XECPublicKey fromBase58EncodedX25519PublicKey(String base58pk) {
+ verifyB58InputSmallEnoughToBeX25519Key(base58pk);
+ byte[] rawKeyBytes = Base58.codec().decode(base58pk);
+ return fromRawX25519PublicKey(rawKeyBytes);
+ }
+
+ public static String toBase58EncodedX25519PublicKey(XECPublicKey publicKey) {
+ return Base58.codec().encode(toRawX25519PublicKeyBytes(publicKey));
+ }
+
public static XECPrivateKey fromRawX25519PrivateKey(byte[] rawScalarBytes) {
try {
NamedParameterSpec paramSpec = new NamedParameterSpec("X25519");
@@ -309,6 +328,16 @@ public class KeyUtils {
return Base64.getUrlEncoder().withoutPadding().encodeToString(toRawX25519PrivateKeyBytes(privateKey));
}
+ public static XECPrivateKey fromBase58EncodedX25519PrivateKey(String base58pk) {
+ verifyB58InputSmallEnoughToBeX25519Key(base58pk);
+ byte[] rawKeyBytes = Base58.codec().decode(base58pk);
+ return fromRawX25519PrivateKey(rawKeyBytes);
+ }
+
+ public static String toBase58EncodedX25519PrivateKey(XECPrivateKey privateKey) {
+ return Base58.codec().encode(toRawX25519PrivateKeyBytes(privateKey));
+ }
+
// TODO unify with generateKeypair()?
public static KeyPair generateX25519KeyPair() {
try {