- Addressing PR Feedback

- Bumping Java version to v1.8

Author: danny-gallagher

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.mastercard.developer</groupId>
     <artifactId>client-encryption</artifactId>
-    <version>1.5.1-SNAPSHOT</version>
+    <version>1.6.0-SNAPSHOT</version>
     <packaging>jar</packaging>
     <description>Library for Mastercard API compliant payload encryption/decryption</description>
     <url>https://github.com/Mastercard/client-encryption-java</url>
@@ -140,6 +140,7 @@
             <groupId>net.minidev</groupId>
             <artifactId>json-smart</artifactId>
             <version>2.3</version>
+            <scope>test</scope>
         </dependency>
 
         <dependency>
@@ -189,8 +190,8 @@
                     <artifactId>maven-compiler-plugin</artifactId>
                     <version>3.8.1</version>
                     <configuration>
-                        <source>1.7</source>
-                        <target>1.7</target>
+                        <source>1.8</source>
+                        <target>1.8</target>
                     </configuration>
                 </plugin>
             </plugins>

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryption.java

@@ -3,12 +3,12 @@
 import com.jayway.jsonpath.DocumentContext;
 import com.jayway.jsonpath.JsonPath;
 import com.jayway.jsonpath.spi.json.JsonProvider;
+import com.mastercard.developer.encryption.aes.AESCBC;
+
 import javax.crypto.Cipher;
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Map.Entry;
@@ -23,8 +23,6 @@
  */
 public class FieldLevelEncryption {
 
-    private static final String SYMMETRIC_CYPHER = "AES/CBC/PKCS5Padding";
-
     public static String encryptPayload(String payload, FieldLevelEncryptionConfig config) throws EncryptionException {
         return encryptPayload(payload, config, null);
     }
@@ -93,7 +91,7 @@ private static void encryptPayloadPath(DocumentContext payloadContext, String js
         } catch (UnsupportedEncodingException e) {
             // Should not happen
         }
-        byte[] encryptedValueBytes = encryptBytes(params.getSecretKey(), params.getIvSpec(), inJsonBytes);
+        byte[] encryptedValueBytes = AESCBC.cipher(params.getSecretKey(), params.getIvSpec(), inJsonBytes, Cipher.ENCRYPT_MODE);
         String encryptedValue = encodeBytes(encryptedValueBytes, config.fieldValueEncoding);
 
         // Delete data in clear
@@ -161,7 +159,7 @@ private static void decryptPayloadPath(DocumentContext payloadContext, String js
 
         // Decrypt data
         byte[] encryptedValueBytes = decodeValue(JsonParser.jsonEngine.toJsonString(encryptedValueJsonElement), config.fieldValueEncoding);
-        byte[] decryptedValueBytes = decryptBytes(params.getSecretKey(), params.getIvSpec(), encryptedValueBytes);
+        byte[] decryptedValueBytes = AESCBC.cipher(params.getSecretKey(), params.getIvSpec(), encryptedValueBytes, Cipher.DECRYPT_MODE);
 
         // Add decrypted data at the given JSON path
         String decryptedValue = new String(decryptedValueBytes, StandardCharsets.UTF_8);
@@ -176,18 +174,6 @@ private static void decryptPayloadPath(DocumentContext payloadContext, String js
         }
     }
 
-    static byte[] encryptBytes(Key key, AlgorithmParameterSpec iv, byte[] bytes) throws GeneralSecurityException {
-        Cipher cipher = Cipher.getInstance(SYMMETRIC_CYPHER);
-        cipher.init(Cipher.ENCRYPT_MODE, key, iv);
-        return cipher.doFinal(bytes);
-    }
-
-    static byte[] decryptBytes(Key key, AlgorithmParameterSpec iv, byte[] bytes) throws GeneralSecurityException {
-        Cipher cipher = Cipher.getInstance(SYMMETRIC_CYPHER);
-        cipher.init(Cipher.DECRYPT_MODE, key, iv);
-        return cipher.doFinal(bytes);
-    }
-
     private static Object readAndDeleteJsonKey(DocumentContext context, String objectPath, Object object, String key) {
         if (null == key) {
             // Do nothing

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionParams.java

@@ -1,27 +1,24 @@
 package com.mastercard.developer.encryption;
 
-import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
 import java.security.GeneralSecurityException;
 import java.security.Key;
-import java.security.spec.MGF1ParameterSpec;
+
+import com.mastercard.developer.encryption.aes.AESEncryption;
+import com.mastercard.developer.encryption.rsa.RSA;
 
 import static com.mastercard.developer.utils.EncodingUtils.decodeValue;
 import static com.mastercard.developer.utils.EncodingUtils.encodeBytes;
-import static com.mastercard.developer.utils.EncryptionUtils.generateIv;
 
 /**
  * Encryption parameters for computing field level encryption/decryption.
  */
 public final class FieldLevelEncryptionParams {
 
     private static final Integer SYMMETRIC_KEY_SIZE = 128;
-    protected static final String SYMMETRIC_KEY_TYPE = "AES";
-    private static final String ASYMMETRIC_CYPHER = "RSA/ECB/OAEPWith{ALG}AndMGF1Padding";
+    static final String SYMMETRIC_KEY_TYPE = "AES";
 
     private final String ivValue;
     private final String encryptedKeyValue;
@@ -46,14 +43,14 @@ public FieldLevelEncryptionParams(String ivValue, String encryptedKeyValue, Stri
     public static FieldLevelEncryptionParams generate(FieldLevelEncryptionConfig config) throws EncryptionException {
 
         // Generate a random IV
-        IvParameterSpec ivParameterSpec = generateIv();
+        IvParameterSpec ivParameterSpec = AESEncryption.generateIv();
         String ivSpecValue = encodeBytes(ivParameterSpec.getIV(), config.fieldValueEncoding);
 
         // Generate an AES secret key
         SecretKey secretKey = generateSecretKey();
 
         // Encrypt the secret key
-        byte[] encryptedSecretKeyBytes = wrapSecretKey(config, secretKey);
+        byte[] encryptedSecretKeyBytes = RSA.wrapSecretKey(config.encryptionCertificate.getPublicKey(), secretKey, config.oaepPaddingDigestAlgorithm);
         String encryptedKeyValue = encodeBytes(encryptedSecretKeyBytes, config.fieldValueEncoding);
 
         // Compute the OAEP padding digest algorithm
@@ -79,14 +76,14 @@ public String getOaepPaddingDigestAlgorithmValue() {
         return oaepPaddingDigestAlgorithmValue;
     }
 
-    public Key getSecretKey() throws EncryptionException {
+    Key getSecretKey() throws EncryptionException {
         try {
             if (secretKey != null) {
                 return secretKey;
             }
             // Decrypt the AES secret key
             byte[] encryptedSecretKeyBytes = decodeValue(encryptedKeyValue, config.fieldValueEncoding);
-            secretKey = FieldLevelEncryptionParams.unwrapSecretKey(config, encryptedSecretKeyBytes, oaepPaddingDigestAlgorithmValue);
+            secretKey = RSA.unwrapSecretKey(config.decryptionKey, encryptedSecretKeyBytes, oaepPaddingDigestAlgorithmValue);
             return secretKey;
         } catch (EncryptionException e) {
             throw e;
@@ -95,7 +92,7 @@ public Key getSecretKey() throws EncryptionException {
         }
     }
 
-    public IvParameterSpec getIvSpec() throws EncryptionException {
+    IvParameterSpec getIvSpec() throws EncryptionException {
         try {
             if (ivParameterSpec != null) {
                 return ivParameterSpec;
@@ -118,37 +115,4 @@ private static SecretKey generateSecretKey() throws EncryptionException {
             throw new EncryptionException("Failed to generate a secret key!", e);
         }
     }
-
-    protected static byte[] wrapSecretKey(FieldLevelEncryptionConfig config, Key key) throws EncryptionException {
-        try {
-            Key publicEncryptionKey = config.encryptionCertificate.getPublicKey();
-            MGF1ParameterSpec mgf1ParameterSpec = new MGF1ParameterSpec(config.oaepPaddingDigestAlgorithm);
-            String asymmetricCipher = ASYMMETRIC_CYPHER.replace("{ALG}", mgf1ParameterSpec.getDigestAlgorithm());
-            Cipher cipher = Cipher.getInstance(asymmetricCipher);
-            cipher.init(Cipher.WRAP_MODE, publicEncryptionKey, getOaepParameterSpec(mgf1ParameterSpec));
-            return cipher.wrap(key);
-        } catch (GeneralSecurityException e) {
-            throw new EncryptionException("Failed to wrap secret key!", e);
-        }
-    }
-
-    protected static Key unwrapSecretKey(EncryptionConfig config, byte[] keyBytes, String oaepDigestAlgorithm) throws EncryptionException {
-        if (!oaepDigestAlgorithm.contains("-")) {
-            oaepDigestAlgorithm = oaepDigestAlgorithm.replace("SHA", "SHA-");
-        }
-        try {
-            MGF1ParameterSpec mgf1ParameterSpec = new MGF1ParameterSpec(oaepDigestAlgorithm);
-            Key key = config.decryptionKey;
-            String asymmetricCipher = ASYMMETRIC_CYPHER.replace("{ALG}", mgf1ParameterSpec.getDigestAlgorithm());
-            Cipher cipher = Cipher.getInstance(asymmetricCipher);
-            cipher.init(Cipher.UNWRAP_MODE, key, getOaepParameterSpec(mgf1ParameterSpec));
-            return cipher.unwrap(keyBytes, SYMMETRIC_KEY_TYPE, Cipher.SECRET_KEY);
-        } catch (GeneralSecurityException e) {
-            throw new EncryptionException("Failed to unwrap secret key!", e);
-        }
-    }
-
-    private static OAEPParameterSpec getOaepParameterSpec(MGF1ParameterSpec mgf1ParameterSpec) {
-        return new OAEPParameterSpec(mgf1ParameterSpec.getDigestAlgorithm(), "MGF1", mgf1ParameterSpec, PSource.PSpecified.DEFAULT);
-    }
 }

src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java

@@ -14,7 +14,7 @@ public static JweConfigBuilder aJweEncryptionConfig() {
     }
 
     /**
-     * Build a {@link com.mastercard.developer.encryption.JweConfig}.
+     * Build a {@link JweConfig}.
      *
      * @throws EncryptionException
      */
@@ -35,39 +35,39 @@ public JweConfig build() throws EncryptionException {
     }
 
     /**
-     * See: {@link com.mastercard.developer.encryption.EncryptionConfig#encryptionCertificate}.
+     * See: {@link EncryptionConfig#encryptionCertificate}.
      */
     public JweConfigBuilder withEncryptionCertificate(Certificate encryptionCertificate) {
         this.encryptionCertificate = encryptionCertificate;
         return this;
     }
 
     /**
-     * See: {@link com.mastercard.developer.encryption.EncryptionConfig#decryptionKey}.
+     * See: {@link EncryptionConfig#decryptionKey}.
      */
     public JweConfigBuilder withDecryptionKey(PrivateKey decryptionKey) {
         this.decryptionKey = decryptionKey;
         return this;
     }
 
     /**
-     * See: {@link com.mastercard.developer.encryption.EncryptionConfig#encryptionPaths}.
+     * See: {@link EncryptionConfig#encryptionPaths}.
      */
     public JweConfigBuilder withEncryptionPath(String jsonPathIn, String jsonPathOut) {
         this.encryptionPaths.put(jsonPathIn, jsonPathOut);
         return this;
     }
 
     /**
-     * See: {@link com.mastercard.developer.encryption.EncryptionConfig#decryptionPaths}.
+     * See: {@link EncryptionConfig#decryptionPaths}.
      */
     public JweConfigBuilder withDecryptionPath(String jsonPathIn, String jsonPathOut) {
         this.decryptionPaths.put(jsonPathIn, jsonPathOut);
         return this;
     }
 
     /**
-     * See: {@link com.mastercard.developer.encryption.EncryptionConfig#encryptedValueFieldName}.
+     * See: {@link EncryptionConfig#encryptedValueFieldName}.
      */
     public JweConfigBuilder withEncryptedValueFieldName(String encryptedValueFieldName) {
         this.encryptedValueFieldName = encryptedValueFieldName;

src/main/java/com/mastercard/developer/encryption/JweEncryption.java

@@ -5,7 +5,7 @@
 import com.mastercard.developer.encryption.jwe.JWEHeader;
 import com.mastercard.developer.encryption.jwe.JWEObject;
 
-import java.security.interfaces.RSAPublicKey;
+import java.security.GeneralSecurityException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Map;
@@ -57,7 +57,7 @@ public static String decryptPayload(String payload, JweConfig config) throws Enc
         }
     }
 
-    private static void encryptPayloadPath(DocumentContext payloadContext, String jsonPathIn, String jsonPathOut, JweConfig config) throws EncryptionException {
+    private static void encryptPayloadPath(DocumentContext payloadContext, String jsonPathIn, String jsonPathOut, JweConfig config) throws EncryptionException, GeneralSecurityException {
         Object inJsonElement = readJsonElement(payloadContext, jsonPathIn);
         if (inJsonElement == null) {
             // Nothing to encrypt
@@ -84,7 +84,7 @@ private static void encryptPayloadPath(DocumentContext payloadContext, String js
         payloadContext.put(jsonPathOut, config.encryptedValueFieldName, payload);
     }
 
-    private static void decryptPayloadPath(DocumentContext payloadContext, String jsonPathIn, String jsonPathOut, JweConfig config) throws EncryptionException {
+    private static void decryptPayloadPath(DocumentContext payloadContext, String jsonPathIn, String jsonPathOut, JweConfig config) throws EncryptionException, GeneralSecurityException {
 
         Object inJsonObject = readJsonObject(payloadContext, jsonPathIn);
         if (inJsonObject == null) {

src/main/java/com/mastercard/developer/encryption/aes/AESCBC.java

@@ -0,0 +1,35 @@
+package com.mastercard.developer.encryption.aes;
+
+import com.mastercard.developer.encryption.jwe.JWEObject;
+import com.mastercard.developer.utils.EncodingUtils;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+public class AESCBC {
+
+    private AESCBC() {
+    }
+
+    private static final String CYPHER = "AES/CBC/PKCS5Padding";
+
+    public static byte[] decrypt(Key secretKey, JWEObject object) throws GeneralSecurityException {
+        SecretKeySpec aesKey = new SecretKeySpec(secretKey.getEncoded(), 16, 16, "AES");
+
+        byte[] cipherText = EncodingUtils.base64Decode(object.getCipherText());
+        byte[] iv = EncodingUtils.base64Decode(object.getIv());
+        SecretKeySpec keyspec = new SecretKeySpec(aesKey.getEncoded(), "AES");
+
+        return cipher(keyspec, new IvParameterSpec(iv), cipherText, Cipher.DECRYPT_MODE);
+    }
+
+    public static byte[] cipher(Key key, AlgorithmParameterSpec iv, byte[] bytes, int mode) throws GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(CYPHER);
+        cipher.init(mode, key, iv);
+        return cipher.doFinal(bytes);
+    }
+}

src/main/java/com/mastercard/developer/encryption/aes/AESEncryption.java

@@ -0,0 +1,30 @@
+package com.mastercard.developer.encryption.aes;
+
+import com.mastercard.developer.encryption.EncryptionException;
+import com.mastercard.developer.utils.ByteUtils;
+
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.SecureRandom;
+
+public class AESEncryption {
+
+    public static IvParameterSpec generateIv() throws EncryptionException {
+        try {
+            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
+            byte[] ivBytes = new byte[16];
+            secureRandom.nextBytes(ivBytes);
+            return new IvParameterSpec(ivBytes);
+        } catch (GeneralSecurityException e) {
+            throw new EncryptionException("Failed to generate an IV value!", e);
+        }
+    }
+
+    public static SecretKeySpec generateCek(int bitLength) {
+        SecureRandom random = new SecureRandom();
+        byte[] cekMaterial = new byte[ByteUtils.byteLength(bitLength)];
+        random.nextBytes(cekMaterial);
+        return new SecretKeySpec(cekMaterial, "AES");
+    }
+}

src/main/java/com/mastercard/developer/encryption/aes/AESGCM.java

@@ -0,0 +1,36 @@
+package com.mastercard.developer.encryption.aes;
+
+import com.mastercard.developer.encryption.jwe.JWEObject;
+import com.mastercard.developer.utils.ByteUtils;
+import com.mastercard.developer.utils.EncodingUtils;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+
+public class AESGCM {
+
+    private AESGCM() {
+    }
+
+    private static final String CYPHER = "AES/GCM/NoPadding";
+
+    public static byte[] decrypt(Key cek, JWEObject object) throws GeneralSecurityException {
+        byte[] aad = object.getRawHeader().getBytes(StandardCharsets.US_ASCII);
+        SecretKey aesKey = new SecretKeySpec(cek.getEncoded(), "AES");
+        GCMParameterSpec gcmSpec = new GCMParameterSpec(128, EncodingUtils.base64Decode(object.getIv()));
+        byte[] bytes = ByteUtils.concat(EncodingUtils.base64Decode(object.getCipherText()), EncodingUtils.base64Decode(object.getAuthTag()));
+        return cipher(aesKey, gcmSpec, bytes, aad, Cipher.DECRYPT_MODE);
+    }
+
+    public static byte[] cipher(Key key, GCMParameterSpec gcpSpec, byte[] bytes, byte[] aad, int mode) throws GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(CYPHER);
+        cipher.init(mode, key, gcpSpec);
+        cipher.updateAAD(aad);
+        return cipher.doFinal(bytes);
+    }
+}