Use Base62 for tokens and Base58 for keys

 * Base62 minimizes extra size overhead relative to Base64.
 * Base58 removes ambiguous characters from key encodings.

Common for both bases is that they do not emit any characters that
interfer with easily selecting them on web pages or in the CLI.

7 files changed, 15 insertions, 19 deletions

diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
index fc485eb92f2..f1c166ba934 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
@@ -14,12 +14,9 @@ import org.apache.commons.cli.Option;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
 
-import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
-
 /**
  * Tooling for decrypting a file using a private key that corresponds to the public key used
  * to originally encrypt the file.
@@ -47,7 +44,7 @@ public class DecryptTool implements Tool {
                     .longOpt(RECIPIENT_PRIVATE_KEY_FILE_OPTION)
                     .hasArg(true)
                     .required(false)
-                    .desc("Recipient private key file")
+                    .desc("Recipient private key file in Base58 encoded format")
                     .build(),
             Option.builder("i")
                     .longOpt(KEY_ID_OPTION)
@@ -103,7 +100,7 @@ public class DecryptTool implements Tool {
                                                        "used when generating the supplied token");
                 }
             }
-            var privateKey   = KeyUtils.fromBase64EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());
+            var privateKey   = KeyUtils.fromBase58EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());
             var secretShared = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
             var cipher       = SharedKeyGenerator.makeAesGcmDecryptionCipher(secretShared);
 
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
index 737bade400f..886433f00f8 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
@@ -15,8 +15,6 @@ import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.List;
 
-import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
-
 /**
  * Tooling to encrypt a file using a public key, emitting a non-secret token that can be
  * passed on to a recipient holding the corresponding private key.
@@ -42,7 +40,7 @@ public class EncryptTool implements Tool {
                     .longOpt(RECIPIENT_PUBLIC_KEY_OPTION)
                     .hasArg(true)
                     .required(false)
-                    .desc("Recipient X25519 public key in Base64 encoded format")
+                    .desc("Recipient X25519 public key in Base58 encoded format")
                     .build(),
             Option.builder("i")
                     .longOpt(KEY_ID_OPTION)
@@ -79,7 +77,7 @@ public class EncryptTool implements Tool {
             var inputArg   = leftoverArgs[0];
             var outputPath = Paths.get(CliUtils.optionOrThrow(arguments, OUTPUT_FILE_OPTION));
 
-            var recipientPubKey = KeyUtils.fromBase64EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
+            var recipientPubKey = KeyUtils.fromBase58EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
             var keyId  = KeyId.ofString(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
             var shared = SharedKeyGenerator.generateForReceiverPublicKey(recipientPubKey, keyId);
             var cipher = SharedKeyGenerator.makeAesGcmEncryptionCipher(shared);
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
index d7885dc6455..3d5accde98f 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/KeygenTool.java
@@ -59,7 +59,7 @@ public class KeygenTool implements Tool {
         return new ToolDescription(
                 "<options>",
                 "Generates an X25519 key pair and stores its private/public parts in " +
-                "separate files in Base64 encoded form.",
+                "separate files in Base58 encoded form.",
                 "Note: this is a BETA tool version; its interface may be changed at any time",
                 OPTIONS);
     }
@@ -101,8 +101,8 @@ public class KeygenTool implements Tool {
 
             var privFilePerms = PosixFilePermissions.fromString("rw-------");
             Files.createFile( privOutPath, PosixFilePermissions.asFileAttribute(privFilePerms));
-            Files.writeString(privOutPath, KeyUtils.toBase64EncodedX25519PrivateKey(privKey) + "\n");
-            Files.writeString(pubOutPath,  KeyUtils.toBase64EncodedX25519PublicKey(pubKey) + "\n");
+            Files.writeString(privOutPath, KeyUtils.toBase58EncodedX25519PrivateKey(privKey) + "\n");
+            Files.writeString(pubOutPath,  KeyUtils.toBase58EncodedX25519PublicKey(pubKey) + "\n");
 
         } catch (IOException e) {
             throw new RuntimeException(e);
diff --git a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
index f529ed828ea..d4992e89802 100644
--- a/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
+++ b/vespaclient-java/src/test/java/com/yahoo/vespa/security/tool/CryptoToolsTest.java
@@ -168,11 +168,11 @@ public class CryptoToolsTest {
         assertEquals(expectedPerms, privKeyPerms);
     }
 
-    private static final String TEST_PRIV_KEY     = "4qGcntygFn_a3uqeBa1PbDlygQ-cpOuNznTPIz9ftWE";
-    private static final String TEST_PUB_KEY      = "ROAH_S862tNMpbJ49lu1dPXFCPHFIXZK30pSrMZEmEg";
+    private static final String TEST_PRIV_KEY     = "GFg54SaGNCmcSGufZCx68SKLGuAFrASoDeMk3t5AjU6L";
+    private static final String TEST_PUB_KEY      = "5drrkakYLjYSBpr5Haknh13EiCYL36ndMzK4gTJo6pwh";
     // Token created for the above public key (matching the above private key), using key id "my key ID"
-    private static final String TEST_TOKEN        = "AQlteSBrZXkgSUQgAtTxJJdmv3eUoW5Z3NJSdZ3poKPEkW0SJOG" +
-                                                    "QXP6CaC5XfyAVoUlK_NyYIMsJKyNYKU6WmagZpVG2zQGFJoqiFA";
+    private static final String TEST_TOKEN        = "OntP9gRVAjXeZIr4zkYqRJFcnA993v7ZEE7VbcNs1NcR3HdE7Mp" +
+                                                    "wlwi3r3anF1kVa5fn7O1CyeHQpBWpdayUTKkrtyFepG6WJrZdE";
     private static final String TEST_TOKEN_KEY_ID = "my key ID";
 
     @Test
diff --git a/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt b/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
index ef59741cd30..ddf91c779e2 100644
--- a/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
+++ b/vespaclient-java/src/test/resources/expected-decrypt-help-output.txt
@@ -10,7 +10,8 @@ the quotes).
                                          this is not provided, the key ID
                                          stored as part of the token is
                                          not verified.
- -k,--recipient-private-key-file <arg>   Recipient private key file
+ -k,--recipient-private-key-file <arg>   Recipient private key file in
+                                         Base58 encoded format
  -o,--output-file <arg>                  Output file for decrypted
                                          plaintext. Specify '-' (without
                                          the quotes) to write plaintext to
diff --git a/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt b/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
index 5e1da32cbe7..beddc69855b 100644
--- a/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
+++ b/vespaclient-java/src/test/resources/expected-encrypt-help-output.txt
@@ -10,7 +10,7 @@ the quotes).
  -i,--key-id <arg>                 Numeric ID of recipient key
  -o,--output-file <arg>            Output file (will be truncated if it
                                    already exists)
- -r,--recipient-public-key <arg>   Recipient X25519 public key in Base64
+ -r,--recipient-public-key <arg>   Recipient X25519 public key in Base58
                                    encoded format
 Note: this is a BETA tool version; its interface may be changed at any
 time
diff --git a/vespaclient-java/src/test/resources/expected-keygen-help-output.txt b/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
index 60629c4291f..f386f6d2e3a 100644
--- a/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
+++ b/vespaclient-java/src/test/resources/expected-keygen-help-output.txt
@@ -1,6 +1,6 @@
 usage: vespa-security keygen <options>
 Generates an X25519 key pair and stores its private/public parts in
-separate files in Base64 encoded form.
+separate files in Base58 encoded form.
  -h,--help                     Show help
  -k,--private-out-file <arg>   Output file for private (secret) key. Will
                                be created with restrictive file