From f15c031ef064e622100cb572afce5e96635114db Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli <vekterli@yahooinc.com>
Date: Wed, 2 Nov 2022 14:00:17 +0100
Subject: Encapsulate key identifier in own object

Enforces invariants and avoids having to pass raw byte arrays around.
---
 .../main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java  | 5 +++--
 .../main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java  | 3 ++-
 .../java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java     | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'vespaclient-java/src/main/java/com/yahoo')

diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
index af59784bfe0..fc485eb92f2 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/DecryptTool.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.security.tool.crypto;
 
+import com.yahoo.security.KeyId;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SealedSharedKey;
 import com.yahoo.security.SharedKeyGenerator;
@@ -95,8 +96,8 @@ public class DecryptTool implements Tool {
             var tokenString = CliUtils.optionOrThrow(arguments, TOKEN_OPTION);
             var sealedSharedKey = SealedSharedKey.fromTokenString(tokenString.strip());
             if (maybeKeyId.isPresent()) {
-                byte[] myKeyIdBytes = toUtf8Bytes(maybeKeyId.get());
-                if (!Arrays.equals(myKeyIdBytes, sealedSharedKey.keyId())) {
+                var myKeyId = KeyId.ofString(maybeKeyId.get());
+                if (!myKeyId.equals(sealedSharedKey.keyId())) {
                     // Don't include raw key bytes array verbatim in message (may contain control chars etc).
                     throw new IllegalArgumentException("Key ID specified with --key-id does not match key ID " +
                                                        "used when generating the supplied token");
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
index cb16151c9b6..737bade400f 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/EncryptTool.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.security.tool.crypto;
 
+import com.yahoo.security.KeyId;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.SharedKeyGenerator;
 import com.yahoo.vespa.security.tool.CliUtils;
@@ -79,7 +80,7 @@ public class EncryptTool implements Tool {
             var outputPath = Paths.get(CliUtils.optionOrThrow(arguments, OUTPUT_FILE_OPTION));
 
             var recipientPubKey = KeyUtils.fromBase64EncodedX25519PublicKey(CliUtils.optionOrThrow(arguments, RECIPIENT_PUBLIC_KEY_OPTION).strip());
-            var keyId  = toUtf8Bytes(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
+            var keyId  = KeyId.ofString(CliUtils.optionOrThrow(arguments, KEY_ID_OPTION));
             var shared = SharedKeyGenerator.generateForReceiverPublicKey(recipientPubKey, keyId);
             var cipher = SharedKeyGenerator.makeAesGcmEncryptionCipher(shared);
 
diff --git a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java
index dc597e9301f..5b9f97fd430 100644
--- a/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java
+++ b/vespaclient-java/src/main/java/com/yahoo/vespa/security/tool/crypto/TokenInfoTool.java
@@ -47,7 +47,7 @@ public class TokenInfoTool implements Tool {
         var stdOut = invocation.stdOut();
 
         stdOut.format("Version:         %d\n", token.tokenVersion());
-        stdOut.format("Key ID:          %s (%s)\n", StringUtilities.escape(fromUtf8Bytes(token.keyId())), hex(token.keyId()));
+        stdOut.format("Key ID:          %s (%s)\n", StringUtilities.escape(token.keyId().asString()), hex(token.keyId().asBytes()));
         stdOut.format("HPKE enc:        %s\n", hex(token.enc()));
         stdOut.format("HPKE ciphertext: %s\n", hex(token.ciphertext()));
 
-- 
cgit v1.2.3