authorTor Brede Vekterli <vekterli@yahooinc.com>2022-11-01 16:22:21 +0100
committerTor Brede Vekterli <vekterli@yahooinc.com>2022-11-01 16:25:31 +0100
commit32c0d9eb1cce9fdf97137617f32c011fa7851363 (patch)
tree949e69a85da5645dc3761e239fff4a55b7e82724 /vespaclient-java/src/main/java/com/yahoo
parent2e0be2e608099793b98bb008ca14c3d60595b64f (diff)
Add simple token info dumping tool
Dumps key version, ID and HPKE components
Diffstat (limited to 'vespaclient-java/src/main/java/com/yahoo')
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/Main.java3
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java11
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java56
3 files changed, 67 insertions, 3 deletions
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/Main.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/Main.java
index 7ca98e4b9ba..11bd8815d77 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/Main.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/Main.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.security.tool;
import com.yahoo.vespa.security.tool.crypto.DecryptTool;
import com.yahoo.vespa.security.tool.crypto.EncryptTool;
import com.yahoo.vespa.security.tool.crypto.KeygenTool;
+import com.yahoo.vespa.security.tool.crypto.TokenInfoTool;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
@@ -44,7 +45,7 @@ public class Main {
}
private static final List<Tool> TOOLS = List.of(
- new KeygenTool(), new EncryptTool(), new DecryptTool());
+ new KeygenTool(), new EncryptTool(), new DecryptTool(), new TokenInfoTool());
private static Optional<Tool> toolFromCliArgs(String[] args) {
if (args.length == 0) {
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
index a0b9cce710b..d7885dc6455 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
@@ -64,8 +64,14 @@ public class KeygenTool implements Tool {
OPTIONS);
}
- private void handleExistingFileIfAny(Path filePath, boolean allowOverwrite) throws IOException {
- if (filePath.toFile().exists()) {
+ private static void verifyNotSameKeyPaths(Path privPath, Path pubPath) {
+ if (privPath.equals(pubPath)) {
+ throw new IllegalArgumentException("Private and public key output files must be different");
+ }
+ }
+
+ private static void handleExistingFileIfAny(Path filePath, boolean allowOverwrite) throws IOException {
+ if (Files.exists(filePath)) {
if (!allowOverwrite) {
throw new IllegalArgumentException(("Output file '%s' already exists. No keys written. " +
"If you want to overwrite existing files, specify --%s.")
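Review bot: The new verifyNotSameKeyPaths check compares the two Paths with Path.equals, which is a lexical comparison, so `priv.key` vs `./priv.key`, or two spellings of the same location, still pass and the second write silently clobbers the first key file (the call site in the next hunk, at the verifyNotSameKeyPaths line, inherits the same gap). Normalising both sides before comparing closes the common cases without requiring the files to exist: `if (privPath.toAbsolutePath().normalize().equals(pubPath.toAbsolutePath().normalize())) {`. Symlinked aliases would still need Files.isSameFile, which only applies when both files already exist, so that could be added in the overwrite path if it matters. handleExistingFileIfAny continues below the end of this hunk.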
@@ -83,6 +89,7 @@ public class KeygenTool implements Tool {
var arguments = invocation.arguments();
var privOutPath = Paths.get(CliUtils.optionOrThrow(arguments, PRIVATE_OUT_FILE_OPTION));
var pubOutPath = Paths.get(CliUtils.optionOrThrow(arguments, PUBLIC_OUT_FILE_OPTION));
+ verifyNotSameKeyPaths(privOutPath, pubOutPath);
boolean allowOverwrite = arguments.hasOption(OVERWRITE_EXISTING_OPTION);
handleExistingFileIfAny(privOutPath, allowOverwrite);
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java
new file mode 100644
index 00000000000..dc597e9301f
--- /dev/null
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java
@@ -0,0 +1,56 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.security.tool.crypto;
+
+import com.yahoo.security.SealedSharedKey;
+import com.yahoo.text.StringUtilities;
+import com.yahoo.vespa.security.tool.Tool;
+import com.yahoo.vespa.security.tool.ToolDescription;
+import com.yahoo.vespa.security.tool.ToolInvocation;
+import org.apache.commons.cli.Option;
+
+import java.util.List;
+
+import static com.yahoo.security.ArrayUtils.fromUtf8Bytes;
+import static com.yahoo.security.ArrayUtils.hex;
+
+/**
+ * Tooling to dump the various components of a decryption token
+ *
+ * @author vekterli
+ */
+public class TokenInfoTool implements Tool {
+
+ private static final List<Option> OPTIONS = List.of();
+
+ @Override
+ public String name() {
+ return "token-info";
+ }
+
+ @Override
+ public ToolDescription description() {
+ return new ToolDescription(
+ "<token string>",
+ "Dumps information about the various components of a token",
+ "Note: this is a BETA tool version; its interface may be changed at any time",
+ OPTIONS);
+ }
+
+ @Override
+ public int invoke(ToolInvocation invocation) {
+ var arguments = invocation.arguments();
+ var leftoverArgs = arguments.getArgs();
+ if (leftoverArgs.length != 1) {
+ throw new IllegalArgumentException("Expected exactly 1 token string argument");
+ }
+ var token = SealedSharedKey.fromTokenString(leftoverArgs[0]);
+ var stdOut = invocation.stdOut();
+
+ stdOut.format("Version: %d\n", token.tokenVersion());
+ stdOut.format("Key ID: %s (%s)\n", StringUtilities.escape(fromUtf8Bytes(token.keyId())), hex(token.keyId()));
+ stdOut.format("HPKE enc: %s\n", hex(token.enc()));
+ stdOut.format("HPKE ciphertext: %s\n", hex(token.ciphertext()));
+
+ return 0;
+ }
+}
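Review bot: In invoke, the user-supplied argument is handed straight to SealedSharedKey.fromTokenString with no handling of a malformed token; if that parser can surface anything other than IllegalArgumentException on truncated or garbage input (for instance a buffer or index exception from a short payload), the user gets a stack trace instead of the tool's usage-style error that the length check on the line above produces — worth confirming against the parser, and if so wrapping the call as `catch (RuntimeException e) { throw new IllegalArgumentException("Malformed token string: " + e.getMessage(), e); }`. The four stdOut.format calls hard-code `\n`; `%n` would match the platform line separator like the rest of a CLI tool's output. invoke would also benefit from a short Javadoc stating that it prints only the public token components (version, key ID, HPKE enc and ciphertext) and that the key ID is escaped before printing because it is attacker-controlled text.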