diff options
author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-10-12 11:43:42 +0200 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-10-12 11:43:42 +0200 |
commit | d795dc29ab9416d533010e172f38bb810ce747ed (patch) | |
tree | 044b53d79624c0c70e1e18f965740c06aa94e095 /security-utils/src | |
parent | 06f5f911249177f94893a5985e0f9db1fcf8b098 (diff) |
Address PR comments
* Make `SecureRandom` a shared static field
* Just take in `PrivateKey` instead of `KeyPair` for key unsealing
Diffstat (limited to 'security-utils/src')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java | 8 | ||||
-rw-r--r-- | security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java | 6 |
2 files changed, 8 insertions, 6 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java index 0d46af648e0..440b17eecfa 100644 --- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java +++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java @@ -14,6 +14,7 @@ import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; import java.security.PublicKey; import java.security.SecureRandom; @@ -39,11 +40,12 @@ public class SharedKeyGenerator { private static final int AES_GCM_AUTH_TAG_BITS = 128; private static final String AES_GCM_ALGO_SPEC = "AES/GCM/NoPadding"; private static final String ECIES_CIPHER_NAME = "ECIES"; // TODO ensure SHA-256+AES. Needs BC version bump + private static final SecureRandom SHARED_CSPRNG = new SecureRandom(); public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, int keyId) { try { var keyGen = KeyGenerator.getInstance("AES"); - keyGen.init(256, new SecureRandom()); + keyGen.init(256, SHARED_CSPRNG); var secretKey = keyGen.generateKey(); var cipher = Cipher.getInstance(ECIES_CIPHER_NAME, BouncyCastleProviderHolder.getInstance()); @@ -58,10 +60,10 @@ public class SharedKeyGenerator { } } - public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, KeyPair receiverKeyPair) { + public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) { try { var cipher = Cipher.getInstance(ECIES_CIPHER_NAME, BouncyCastleProviderHolder.getInstance()); - cipher.init(Cipher.DECRYPT_MODE, receiverKeyPair.getPrivate()); + cipher.init(Cipher.DECRYPT_MODE, receiverPrivateKey); byte[] secretKey = cipher.doFinal(sealedKey.eciesPayload()); return new SecretSharedKey(new SecretKeySpec(secretKey, "AES"), sealedKey); diff --git a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java index c5f539dce58..348f214aa85 100644 --- a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java +++ b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java @@ -36,7 +36,7 @@ public class SharedKeyTest { var publicToken = myShared.sealedSharedKey().toTokenString(); var theirSealed = SealedSharedKey.fromTokenString(publicToken); - var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair); + var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair.getPrivate()); assertArrayEquals(myShared.secretKey().getEncoded(), theirShared.secretKey().getEncoded()); } @@ -67,7 +67,7 @@ public class SharedKeyTest { var expectedSharedSecret = "b1aded9dc19593baa08fe64f916dcbaf3328ec666d2e0c81b1f6f8af9794187b"; var theirSealed = SealedSharedKey.fromTokenString(publicToken); - var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair); + var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair.getPrivate()); assertEquals(expectedSharedSecret, Hex.toHexString(theirShared.secretKey().getEncoded())); } @@ -78,7 +78,7 @@ public class SharedKeyTest { var eveKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC); var bobShared = SharedKeyGenerator.generateForReceiverPublicKey(aliceKeyPair.getPublic(), 1); assertThrows(IllegalArgumentException.class, // TODO consider distinct exception class - () -> SharedKeyGenerator.fromSealedKey(bobShared.sealedSharedKey(), eveKeyPair)); + () -> SharedKeyGenerator.fromSealedKey(bobShared.sealedSharedKey(), eveKeyPair.getPrivate())); } @Test |