aboutsummaryrefslogtreecommitdiffstats
path: root/vespaclient-java/src/main/java/com/yahoo
diff options
context:
space:
mode:
Diffstat (limited to 'vespaclient-java/src/main/java/com/yahoo')
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java16
-rw-r--r--vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java4
2 files changed, 14 insertions, 6 deletions
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
index 23543486e1b..af59784bfe0 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
@@ -13,9 +13,12 @@ import org.apache.commons.cli.Option;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
+import java.util.Arrays;
import java.util.List;
import java.util.Optional;
+import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
+
/**
* Tooling for decrypting a file using a private key that corresponds to the public key used
* to originally encrypt the file.
@@ -85,16 +88,19 @@ public class DecryptTool implements Tool {
}
var inputArg = leftoverArgs[0];
var maybeKeyId = Optional.ofNullable(arguments.hasOption(KEY_ID_OPTION)
- ? Integer.parseInt(arguments.getOptionValue(KEY_ID_OPTION))
+ ? arguments.getOptionValue(KEY_ID_OPTION)
: null);
var outputArg = CliUtils.optionOrThrow(arguments, OUTPUT_FILE_OPTION);
var privKeyPath = Paths.get(CliUtils.optionOrThrow(arguments, RECIPIENT_PRIVATE_KEY_FILE_OPTION));
var tokenString = CliUtils.optionOrThrow(arguments, TOKEN_OPTION);
var sealedSharedKey = SealedSharedKey.fromTokenString(tokenString.strip());
- if (maybeKeyId.isPresent() && (maybeKeyId.get() != sealedSharedKey.keyId())) {
- throw new IllegalArgumentException(("Key ID specified with --key-id (%d) does not match key ID " +
- "used when generating the supplied token (%d)")
- .formatted(maybeKeyId.get(), sealedSharedKey.keyId()));
+ if (maybeKeyId.isPresent()) {
+ byte[] myKeyIdBytes = toUtf8Bytes(maybeKeyId.get());
+ if (!Arrays.equals(myKeyIdBytes, sealedSharedKey.keyId())) {
+ // Don't include raw key bytes array verbatim in message (may contain control chars etc).
+ throw new IllegalArgumentException("Key ID specified with --key-id does not match key ID " +
+ "used when generating the supplied token");
+ }
}
var privateKey = KeyUtils.fromBase64EncodedX25519PrivateKey(Files.readString(privKeyPath).strip());
var secretShared = SharedKeyGenerator.fromSealedKey(sealedSharedKey, privateKey);
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
index 5437e8cf9fe..cb16151c9b6 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
@@ -14,6 +14,8 @@ import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;
+import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
+
/**
* Tooling to encrypt a file using a public key, emitting a non-secret token that can be
* passed on to a recipient holding the corresponding private key.
@@ -77,7 +79,7 @@ public class EncryptTool implements Tool {
var outputPath = Paths.get(CliUtils.optionOrThrow(arguments, OUTPUT_FILE_OPTION));
var recipientPubKey = KeyUtils.fromBase64EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
- int keyId = Integer.parseInt(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
+ var keyId = toUtf8Bytes(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
var shared = SharedKeyGenerator.generateForReceiverPublicKey(recipientPubKey, keyId);
var cipher = SharedKeyGenerator.makeAesGcmEncryptionCipher(shared);