author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-11-09 12:26:07 +0100 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2022-11-09 12:50:23 +0100 |
commit | c395f42fa83a3d6e57a76f0691b487b9382b5570 (patch) | |
tree | e092b89bb92d5e13bbd0910b810fa8397fc7a177 /vespaclient-java/src | |
parent | 30a676fb89f28a618f0dc2c0752cde8c29bf320c (diff) |
Use Base62 for tokens and Base58 for keys
* Base62 minimizes extra size overhead relative to Base64.
* Base58 removes ambiguous characters from key encodings.
Common for both bases is that they do not emit any characters that
interfere with easily selecting them on web pages or in the CLI.
Diffstat (limited to 'vespaclient-java/src')
7 files changed, 15 insertions, 19 deletions
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
index fc485eb92f2..f1c166ba934 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
@@ -14,12 +14,9 @@ import org.apache.commons.cli.Option;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
-import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
-
 /**
  * Tooling for decrypting a file using a private key that corresponds to the public key used
  * to originally encrypt the file.
@@ -47,7 +44,7 @@ public class DecryptTool implements Tool {
 .longOpt(RECIPIENT_PRIVATE_KEY_FILE_OPTION)
 .hasArg(true)
 .required(false)
- .desc("Recipient private key file")
+ .desc("Recipient private key file in Base58 encoded format")
 .build(),
 Option.builder("i")
 .longOpt(KEY_ID_OPTION)
@@ -103,7 +100,7 @@ public class DecryptTool implements Tool {
 "used when generating the supplied token");
 }
 }
- var privateKey = KeyUtils.fromBase64EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());
+ var privateKey = KeyUtils.fromBase58EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());
 var secretShared = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
 var cipher = SharedKeyGenerator.makeAesGcmDecryptionCipher(secretShared);
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
index 737bade400f..886433f00f8 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
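Review bot: The `var privateKey = KeyUtils.fromBase58EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());` line in the `@@ -103` hunk drops the ability to read key files that earlier builds of keygen wrote in Base64, and neither this hunk nor the EncryptTool `@@ -79` hunk (which does the same for the `-r` public key argument) turns the resulting decode failure into a message that tells the operator the file is in the old encoding. Since these key files live on disk across tool upgrades, I would wrap the decode so the error names the expected format, e.g. `catch (IllegalArgumentException e) { throw new IllegalArgumentException("Expected a Base58 encoded X25519 private key in " + privKeyPath, e); }` — assuming that is the exception type the Base58 decoder throws, which is not visible here. The enclosing method of this hunk starts and ends outside it.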
@@ -15,8 +15,6 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.List;
-import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
-
 /**
  * Tooling to encrypt a file using a public key, emitting a non-secret token that can be
  * passed on to a recipient holding the corresponding private key.
@@ -42,7 +40,7 @@ public class EncryptTool implements Tool {
 .longOpt(RECIPIENT_PUBLIC_KEY_OPTION)
 .hasArg(true)
 .required(false)
- .desc("Recipient X25519 public key in Base64 encoded format")
+ .desc("Recipient X25519 public key in Base58 encoded format")
 .build(),
 Option.builder("i")
 .longOpt(KEY_ID_OPTION)
@@ -79,7 +77,7 @@ public class EncryptTool implements Tool {
 var inputArg = leftoverArgs[0];
 var outputPath = Paths.get(CliUtils.optionOrThrow(arguments, OUTPUT_FILE_OPTION));
- var recipientPubKey = KeyUtils.fromBase64EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
+ var recipientPubKey = KeyUtils.fromBase58EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
 var keyId = KeyId.ofString(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
 var shared = SharedKeyGenerator.generateForReceiverPublicKey(recipientPubKey, keyId);
 var cipher = SharedKeyGenerator.makeAesGcmEncryptionCipher(shared);
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
index d7885dc6455..3d5accde98f 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
@@ -59,7 +59,7 @@ public class KeygenTool implements Tool {
 return new ToolDescription(
 "<options>",
 "Generates an X25519 key pair and stores its private/public parts in " +
- "separate files in Base64 encoded form.",
+ "separate files in Base58 encoded form.",
 "Note: this is a BETA tool version; its interface may be changed at any time",
 OPTIONS);
 }
@@ -101,8 +101,8 @@ public class KeygenTool implements Tool {
 var privFilePerms = PosixFilePermissions.fromString("rw-------");
 Files.createFile(
 privOutPath, PosixFilePermissions.asFileAttribute(privFilePerms));
- Files.writeString(privOutPath, KeyUtils.toBase64EncodedX25519PrivateKey(privKey) + "\n");
- Files.writeString(pubOutPath, KeyUtils.toBase64EncodedX25519PublicKey(pubKey) + "\n");
+ Files.writeString(privOutPath, KeyUtils.toBase58EncodedX25519PrivateKey(privKey) + "\n");
+ Files.writeString(pubOutPath, KeyUtils.toBase58EncodedX25519PublicKey(pubKey) + "\n");
 } catch (IOException e) {
 throw new RuntimeException(e);
diff --git a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
index f529ed828ea..d4992e89802 100644
--- a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
+++ b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
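Review bot: The new description text `"separate files in Base58 encoded form."` (and the matching option help in the Decrypt/Encrypt tools) names the encoding but not which Base58 alphabet is used, and Base58 has several mutually incompatible alphabets (Bitcoin, Ripple, Flickr), so someone producing or consuming these key files with another tool cannot tell what `KeyUtils.toBase58EncodedX25519PrivateKey` emits or `fromBase58...` accepts. I would either state the alphabet in the ToolDescription string or put a comment next to the `Files.writeString` calls in the `@@ -101` hunk, e.g. `// Base58 here is the <ALPHABET-NAME> alphabet as defined in KeyUtils`, with the placeholder filled in from KeyUtils, which is not visible in this diff. Both hunks sit inside methods that start outside them.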
@@ -168,11 +168,11 @@ public class CryptoToolsTest {
 assertEquals(expectedPerms, privKeyPerms);
 }
- private static final String TEST_PRIV_KEY = "4qGcntygFn_a3uqeBa1PbDlygQ-cpOuNznTPIz9ftWE";
- private static final String TEST_PUB_KEY = "ROAH_S862tNMpbJ49lu1dPXFCPHFIXZK30pSrMZEmEg";
+ private static final String TEST_PRIV_KEY = "GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L";
+ private static final String TEST_PUB_KEY = "5drrkakYLjYSBpr5Haknh13EiCYL36ndMzK4gTJo6pwh";
 // Token created for the above public key (matching the above private key), using key id "my key ID"
- private static final String TEST_TOKEN = "AQlteSBrZXkgSUQgAtTxJJdmv3eUoW5Z3NJSdZ3poKPEkW0SJOG" +
- "QXP6CaC5XfyAVoUlK_NyYIMsJKyNYKU6WmagZpVG2zQGFJoqiFA";
+ private static final String TEST_TOKEN = "OntP9gRVAjXeZIr4zkYqRJFcnA993v7ZEE7VbcNs1NcR3HdE7Mp" +
+ "wlwi3r3anF1kVa5fn7O1CyeHQpBWpdayUTKkrtyFepG6WJrZdE";
 private static final String TEST_TOKEN_KEY_ID = "my key ID";
 @Test
diff --git a/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt b/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
index ef59741cd30..ddf91c779e2 100644
--- a/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
+++ b/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
@@ -10,7 +10,8 @@ the quotes).
 this is not provided, the key ID stored as part of the token is not verified.
- -k,--recipient-private-key-file <arg> Recipient private key file
+ -k,--recipient-private-key-file <arg> Recipient private key file in
+ Base58 encoded format
 -o,--output-file <arg> Output file for decrypted plaintext. Specify '-' (without the quotes) to write plaintext to
diff --git a/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt b/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
index 5e1da32cbe7..beddc69855b 100644
--- a/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
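Review bot: The unchanged comment `// Token created for the above public key (matching the above private key), using key id "my key ID"` above the new `TEST_TOKEN` no longer explains why the token fixture is in a visibly different alphabet from the key fixtures: per the commit message tokens are Base62 while keys are Base58, but nothing in the test says so, and a reader comparing the constants may suspect a mismatch. I would change it to `// Base62 encoded token created for the above (Base58 encoded) public key, matching the above private key, using key id "my key ID"`. A short sentence on how the fixtures were produced (regenerated with the keygen and encrypt tools at this revision, or re-encoded from the previous Base64 values) would also help whoever has to update them next time the encoding changes.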
+++ b/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
@@ -10,7 +10,7 @@ the quotes).
 -i,--key-id <arg> Numeric ID of recipient key
 -o,--output-file <arg> Output file (will be truncated if it already exists)
- -r,--recipient-public-key <arg> Recipient X25519 public key in Base64
+ -r,--recipient-public-key <arg> Recipient X25519 public key in Base58
 encoded format
 Note: this is a BETA tool version; its interface may be changed at any time
diff --git a/vespaclient-java/src/test/resources/expected-keygen-help-output.txt b/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
index 60629c4291f..f386f6d2e3a 100644
--- a/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
+++ b/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
@@ -1,6 +1,6 @@
 usage: vespa-security keygen <options>
 Generates an X25519 key pair and stores its private/public parts in
-separate files in Base64 encoded form.
+separate files in Base58 encoded form.
 -h,--help Show help
 -k,--private-out-file <arg> Output file for private (secret) key. Will be created with restrictive file |