Merge pull request #60 from fangpenlin/add-encryption-key-config-option

Fix #59 add encryption key config option

Author: danny-gallagher

src/main/java/com/mastercard/developer/encryption/EncryptionConfig.java

@@ -1,6 +1,7 @@
 package com.mastercard.developer.encryption;
 
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.util.Collections;
 import java.util.Map;
@@ -35,6 +36,11 @@ public enum Scheme {
      */
     Certificate encryptionCertificate;
 
+    /**
+     * A public key will be used for request encryption.
+     */
+    PublicKey encryptionKey;
+
     /**
      * A private key object to be used for decryption.
      */
@@ -77,6 +83,13 @@ public Certificate getEncryptionCertificate() {
         return encryptionCertificate;
     }
 
+    public PublicKey getEncryptionKey() {
+        if (encryptionKey != null) {
+            return encryptionKey;
+        }
+        return encryptionCertificate.getPublicKey();
+    }
+
     public PrivateKey getDecryptionKey() {
         return decryptionKey;
     }

src/main/java/com/mastercard/developer/encryption/EncryptionConfigBuilder.java

@@ -5,6 +5,7 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.util.HashMap;
 import java.util.Map;
@@ -15,6 +16,7 @@
 abstract class EncryptionConfigBuilder {
 
     protected Certificate encryptionCertificate;
+    protected PublicKey encryptionKey;
     protected String encryptionKeyFingerprint;
     protected PrivateKey decryptionKey;
     protected Map<String, String> encryptionPaths = new HashMap<>();
@@ -23,11 +25,20 @@ abstract class EncryptionConfigBuilder {
 
     void computeEncryptionKeyFingerprintWhenNeeded() throws EncryptionException {
         try {
-            if (encryptionCertificate == null || !isNullOrEmpty(encryptionKeyFingerprint)) {
-                // No encryption certificate set or key fingerprint already provided
+            if ((encryptionCertificate == null && encryptionKey == null) || !isNullOrEmpty(encryptionKeyFingerprint)) {
+                // No encryption certificate / encryption key set or key fingerprint already provided
                 return;
             }
-            byte[] keyFingerprintBytes = sha256digestBytes(encryptionCertificate.getPublicKey().getEncoded());
+            if (encryptionKey != null && encryptionCertificate != null) {
+                throw new IllegalArgumentException("You can only supply either an encryption key or an encryption certificate");
+            }
+            final PublicKey publicKey;
+            if (encryptionKey != null) {
+                publicKey = encryptionKey;
+            } else {
+                publicKey = encryptionCertificate.getPublicKey();
+            }
+            final byte[] keyFingerprintBytes = sha256digestBytes(publicKey.getEncoded());
             encryptionKeyFingerprint = encodeBytes(keyFingerprintBytes, FieldLevelEncryptionConfig.FieldValueEncoding.HEX);
         } catch (Exception e) {
             throw new EncryptionException("Failed to compute encryption key fingerprint!", e);

src/main/java/com/mastercard/developer/encryption/JweConfigBuilder.java

@@ -1,6 +1,7 @@
 package com.mastercard.developer.encryption;
 
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.util.Collections;
 
@@ -25,6 +26,7 @@ public JweConfig build() throws EncryptionException {
 
         JweConfig config = new JweConfig();
         config.encryptionCertificate = this.encryptionCertificate;
+        config.encryptionKey = this.encryptionKey;
         config.encryptionKeyFingerprint = this.encryptionKeyFingerprint;
         config.decryptionKey = this.decryptionKey;
         config.encryptionPaths = this.encryptionPaths.isEmpty() ? Collections.singletonMap("$", "$") : this.encryptionPaths;
@@ -38,10 +40,24 @@ public JweConfig build() throws EncryptionException {
      * See: {@link EncryptionConfig#encryptionCertificate}.
      */
     public JweConfigBuilder withEncryptionCertificate(Certificate encryptionCertificate) {
+        if (this.encryptionKey != null) {
+            throw new IllegalArgumentException("You have already supplied an encryption key");
+        }
         this.encryptionCertificate = encryptionCertificate;
         return this;
     }
 
+    /**
+     * See: {@link EncryptionConfig#encryptionKey}.
+     */
+    public JweConfigBuilder withEncryptionKey(PublicKey encryptionKey) {
+        if (this.encryptionCertificate != null) {
+            throw new IllegalArgumentException("You have already supplied an encryption certificate");
+        }
+        this.encryptionKey = encryptionKey;
+        return this;
+    }
+
     /**
      * See: {@link EncryptionConfig#decryptionKey}.
      */

src/main/java/com/mastercard/developer/encryption/jwe/JweObject.java

@@ -57,7 +57,7 @@ public String decrypt(JweConfig config) throws EncryptionException, GeneralSecur
 
     public static String encrypt(JweConfig config, String payload, JweHeader header) throws EncryptionException, GeneralSecurityException {
         SecretKeySpec cek = AESEncryption.generateCek(256);
-        byte[] encryptedSecretKeyBytes = RSA.wrapSecretKey(config.getEncryptionCertificate().getPublicKey(), cek, "SHA-256");
+        byte[] encryptedSecretKeyBytes = RSA.wrapSecretKey(config.getEncryptionKey(), cek, "SHA-256");
         String encryptedKey = EncodingUtils.base64UrlEncode(encryptedSecretKeyBytes);
 
         byte[] iv = AESEncryption.generateIv().getIV();

src/test/java/com/mastercard/developer/encryption/JweConfigBuilderTest.java

@@ -31,6 +31,24 @@ public void testBuild_Nominal() throws Exception {
         Assert.assertEquals(Collections.singletonMap("$", "$"), config.getEncryptionPaths());
     }
 
+    @Test
+    public void testBuild_EncryptionKeyFromCertificate() throws Exception {
+        EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
+                .withEncryptionCertificate(TestUtils.getTestEncryptionCertificate())
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .build();
+        Assert.assertEquals(TestUtils.getTestEncryptionCertificate().getPublicKey(), config.getEncryptionKey());
+    }
+
+    @Test
+    public void testBuild_EncryptionKeyFromEncryptionKey() throws Exception {
+        EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
+                .withEncryptionKey(TestUtils.getTestEncryptionCertificate().getPublicKey())
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .build();
+        Assert.assertEquals(TestUtils.getTestEncryptionCertificate().getPublicKey(), config.getEncryptionKey());
+    }
+
     @Test
     public void testBuild_ResultShouldBeAssignableToGenericEncryptionConfig() throws Exception {
         EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
@@ -129,6 +147,24 @@ public void testBuild_ShouldThrowIllegalArgumentException_WhenMultipleWildcardsO
                 .build();
     }
 
+    @Test
+    public void testBuild_ShouldComputeCertificateKeyFingerprin() throws Exception {
+        EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
+                .withEncryptionCertificate(TestUtils.getTestEncryptionCertificate())
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .build();
+        Assert.assertEquals("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", config.getEncryptionKeyFingerprint());
+    }
+
+    @Test
+    public void testBuild_ShouldComputeEncryptionKeyFingerprin() throws Exception {
+        EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
+                .withEncryptionKey(TestUtils.getTestEncryptionCertificate().getPublicKey())
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .build();
+        Assert.assertEquals("761b003c1eade3a5490e5000d37887baa5e6ec0e226c07706e599451fc032a79", config.getEncryptionKeyFingerprint());
+    }
+
     @Test
     public void testBuild_ShouldNotComputeCertificateKeyFingerprint_WhenFingerprintSet() throws Exception {
         EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
@@ -138,4 +174,14 @@ public void testBuild_ShouldNotComputeCertificateKeyFingerprint_WhenFingerprintS
                 .build();
         Assert.assertEquals("2f4lvi26vJWzkzAIaiR2G0YsJAQ=", config.getEncryptionKeyFingerprint());
     }
+
+    @Test
+    public void testBuild_ShouldNotComputeEncryptionKeyFingerprint_WhenFingerprintSet() throws Exception {
+        EncryptionConfig config = JweConfigBuilder.aJweEncryptionConfig()
+                .withEncryptionKey(TestUtils.getTestEncryptionCertificate().getPublicKey())
+                .withDecryptionKey(TestUtils.getTestDecryptionKey())
+                .withEncryptionKeyFingerprint("2f4lvi26vJWzkzAIaiR2G0YsJAQ=")
+                .build();
+        Assert.assertEquals("2f4lvi26vJWzkzAIaiR2G0YsJAQ=", config.getEncryptionKeyFingerprint());
+    }
 }

src/test/java/com/mastercard/developer/encryption/rsa/RSATest.java

@@ -24,7 +24,7 @@ public void testWrapUnwrapSecretKey_ShouldReturnTheOriginalKey() throws Exceptio
         SecretKey originalKey = new SecretKeySpec(originalKeyBytes, 0, originalKeyBytes.length, SYMMETRIC_KEY_TYPE);
 
         // WHEN
-        byte[] wrappedKeyBytes = RSA.wrapSecretKey(config.getEncryptionCertificate().getPublicKey(), originalKey, "SHA-256");
+        byte[] wrappedKeyBytes = RSA.wrapSecretKey(config.getEncryptionKey(), originalKey, "SHA-256");
         Key unwrappedKey = RSA.unwrapSecretKey(config.getDecryptionKey(), wrappedKeyBytes, "SHA-256");
 
         // THEN