Address PR comments

* Make `SecureRandom` a shared static field * Just take in `PrivateKey` instead of `KeyPair` for key unsealing
author: Tor Brede Vekterli <vekterli@yahooinc.com> 2022-10-12 11:43:42 +0200
committer: Tor Brede Vekterli <vekterli@yahooinc.com> 2022-10-12 11:43:42 +0200
commit: d795dc29ab9416d533010e172f38bb810ce747ed (patch)
tree: 044b53d79624c0c70e1e18f965740c06aa94e095 /security-utils/src
parent: 06f5f911249177f94893a5985e0f9db1fcf8b098 (diff)
2 files changed, 8 insertions, 6 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
index 0d46af648e0..440b17eecfa 100644
--- a/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
+++ b/security-utils/src/main/java/com/yahoo/security/SharedKeyGenerator.java
@@ -14,6 +14,7 @@ import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 
@@ -39,11 +40,12 @@ public class SharedKeyGenerator {
     private static final int    AES_GCM_AUTH_TAG_BITS = 128;
     private static final String AES_GCM_ALGO_SPEC     = "AES/GCM/NoPadding";
     private static final String ECIES_CIPHER_NAME     = "ECIES"; // TODO ensure SHA-256+AES. Needs BC version bump
+    private static final SecureRandom SHARED_CSPRNG   = new SecureRandom();
 
     public static SecretSharedKey generateForReceiverPublicKey(PublicKey receiverPublicKey, int keyId) {
         try {
             var keyGen = KeyGenerator.getInstance("AES");
-            keyGen.init(256, new SecureRandom());
+            keyGen.init(256, SHARED_CSPRNG);
             var secretKey = keyGen.generateKey();
 
             var cipher = Cipher.getInstance(ECIES_CIPHER_NAME, BouncyCastleProviderHolder.getInstance());
@@ -58,10 +60,10 @@ public class SharedKeyGenerator {
         }
     }
 
-    public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, KeyPair receiverKeyPair) {
+    public static SecretSharedKey fromSealedKey(SealedSharedKey sealedKey, PrivateKey receiverPrivateKey) {
         try {
             var cipher = Cipher.getInstance(ECIES_CIPHER_NAME, BouncyCastleProviderHolder.getInstance());
-            cipher.init(Cipher.DECRYPT_MODE, receiverKeyPair.getPrivate());
+            cipher.init(Cipher.DECRYPT_MODE, receiverPrivateKey);
             byte[] secretKey = cipher.doFinal(sealedKey.eciesPayload());
 
             return new SecretSharedKey(new SecretKeySpec(secretKey, "AES"), sealedKey);
diff --git a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java
index c5f539dce58..348f214aa85 100644
--- a/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/SharedKeyTest.java
@@ -36,7 +36,7 @@ public class SharedKeyTest {
         var publicToken = myShared.sealedSharedKey().toTokenString();
 
         var theirSealed = SealedSharedKey.fromTokenString(publicToken);
-        var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair);
+        var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair.getPrivate());
 
         assertArrayEquals(myShared.secretKey().getEncoded(), theirShared.secretKey().getEncoded());
     }
@@ -67,7 +67,7 @@ public class SharedKeyTest {
         var expectedSharedSecret = "b1aded9dc19593baa08fe64f916dcbaf3328ec666d2e0c81b1f6f8af9794187b";
 
         var theirSealed = SealedSharedKey.fromTokenString(publicToken);
-        var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair);
+        var theirShared = SharedKeyGenerator.fromSealedKey(theirSealed, receiverKeyPair.getPrivate());
 
         assertEquals(expectedSharedSecret, Hex.toHexString(theirShared.secretKey().getEncoded()));
     }
@@ -78,7 +78,7 @@ public class SharedKeyTest {
         var eveKeyPair   = KeyUtils.generateKeypair(KeyAlgorithm.EC);
         var bobShared    = SharedKeyGenerator.generateForReceiverPublicKey(aliceKeyPair.getPublic(), 1);
         assertThrows(IllegalArgumentException.class, // TODO consider distinct exception class
-                     () -> SharedKeyGenerator.fromSealedKey(bobShared.sealedSharedKey(), eveKeyPair));
+                     () -> SharedKeyGenerator.fromSealedKey(bobShared.sealedSharedKey(), eveKeyPair.getPrivate()));
     }
 
     @Test
author	Tor Brede Vekterli <vekterli@yahooinc.com>	2022-10-12 11:43:42 +0200
committer	Tor Brede Vekterli <vekterli@yahooinc.com>	2022-10-12 11:43:42 +0200
commit	d795dc29ab9416d533010e172f38bb810ce747ed (patch)
tree	044b53d79624c0c70e1e18f965740c06aa94e095 /security-utils/src
parent	06f5f911249177f94893a5985e0f9db1fcf8b098 (diff)