Fixed an issue with encryption certificate and key fingerprints recomputed at every request (when not provided in configuration)

Author: jaaufauvre

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryption.java

@@ -171,10 +171,10 @@ private static void encryptPayloadPath(DocumentContext payloadContext, String js
             payloadContext.put(jsonPathOut, config.encryptedKeyFieldName, params.getEncryptedKeyValue());
         }
         if (!isNullOrEmpty(config.encryptionCertificateFingerprintFieldName)) {
-            payloadContext.put(jsonPathOut, config.encryptionCertificateFingerprintFieldName, params.getEncryptionCertificateFingerprintValue());
+            payloadContext.put(jsonPathOut, config.encryptionCertificateFingerprintFieldName, config.encryptionCertificateFingerprint);
         }
         if (!isNullOrEmpty(config.encryptionKeyFingerprintFieldName)) {
-            payloadContext.put(jsonPathOut, config.encryptionKeyFingerprintFieldName, params.getEncryptionKeyFingerprintValue());
+            payloadContext.put(jsonPathOut, config.encryptionKeyFingerprintFieldName, config.encryptionKeyFingerprint);
         }
         if (!isNullOrEmpty(config.oaepPaddingDigestAlgorithmFieldName)) {
             payloadContext.put(jsonPathOut, config.oaepPaddingDigestAlgorithmFieldName, params.getOaepPaddingDigestAlgorithmValue());
@@ -210,8 +210,7 @@ private static void decryptPayloadPath(DocumentContext payloadContext, String js
             Object ivJsonElement = readAndDeleteJsonKey(payloadContext, jsonPathIn, inJsonObject, config.ivFieldName);
             readAndDeleteJsonKey(payloadContext, jsonPathIn, inJsonObject, config.encryptionCertificateFingerprintFieldName);
             readAndDeleteJsonKey(payloadContext, jsonPathIn, inJsonObject, config.encryptionKeyFingerprintFieldName);
-            params = new FieldLevelEncryptionParams(jsonEngine.toJsonString(ivJsonElement), jsonEngine.toJsonString(encryptedKeyJsonElement),
-                                                    oaepDigestAlgorithm, null, null, config);
+            params = new FieldLevelEncryptionParams(jsonEngine.toJsonString(ivJsonElement), jsonEngine.toJsonString(encryptedKeyJsonElement), oaepDigestAlgorithm, config);
         }
 
         // Decrypt data

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfig.java

@@ -175,4 +175,12 @@ public String getEncryptionCertificateFingerprintHeaderName() {
     public String getEncryptionKeyFingerprintHeaderName() {
         return encryptionKeyFingerprintHeaderName;
     }
+
+    public String getEncryptionCertificateFingerprint() {
+        return encryptionCertificateFingerprint;
+    }
+
+    public String getEncryptionKeyFingerprint() {
+        return encryptionKeyFingerprint;
+    }
 }

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionConfigBuilder.java

@@ -2,13 +2,17 @@
 
 import com.jayway.jsonpath.JsonPath;
 
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
 
 import static com.mastercard.developer.encryption.FieldLevelEncryptionConfig.FieldValueEncoding;
+import static com.mastercard.developer.utils.EncodingUtils.encodeBytes;
+import static com.mastercard.developer.utils.StringUtils.isNullOrEmpty;
 import static java.security.spec.MGF1ParameterSpec.SHA256;
 import static java.security.spec.MGF1ParameterSpec.SHA512;
 
@@ -201,13 +205,17 @@ public FieldLevelEncryptionConfigBuilder withEncryptionKeyFingerprintHeaderName(
 
     /**
      * Build a {@link com.mastercard.developer.encryption.FieldLevelEncryptionConfig}.
+     * @throws EncryptionException
      */
-    public FieldLevelEncryptionConfig build() {
+    public FieldLevelEncryptionConfig build() throws EncryptionException {
 
         checkJsonPathParameterValues();
         checkParameterValues();
         checkParameterConsistency();
 
+        computeEncryptionCertificateFingerprintWhenNeeded();
+        computeEncryptionKeyFingerprintWhenNeeded();
+
         FieldLevelEncryptionConfig config = new FieldLevelEncryptionConfig();
         config.encryptionCertificateFingerprintFieldName = this.encryptionCertificateFingerprintFieldName;
         config.encryptionKeyFingerprintFieldName = this.encryptionKeyFingerprintFieldName;
@@ -291,4 +299,36 @@ private void checkParameterConsistency () {
             throw new IllegalArgumentException("IV field name and encrypted key field name must be both set or both unset!");
         }
     }
+
+    private void computeEncryptionCertificateFingerprintWhenNeeded() throws EncryptionException {
+        try {
+            if (encryptionCertificate == null || !isNullOrEmpty(encryptionCertificateFingerprint)) {
+                // No encryption certificate set or certificate fingerprint already provided
+                return;
+            }
+            byte[] certificateFingerprintBytes = sha256digestBytes(encryptionCertificate.getEncoded());
+            encryptionCertificateFingerprint = encodeBytes(certificateFingerprintBytes, FieldValueEncoding.HEX);
+        } catch (Exception e) {
+            throw new EncryptionException("Failed to compute encryption certificate fingerprint!", e);
+        }
+    }
+
+    private void computeEncryptionKeyFingerprintWhenNeeded() throws EncryptionException {
+        try {
+            if (encryptionCertificate == null || !isNullOrEmpty(encryptionKeyFingerprint)) {
+                // No encryption certificate set or key fingerprint already provided
+                return;
+            }
+            byte[] keyFingerprintBytes = sha256digestBytes(encryptionCertificate.getPublicKey().getEncoded());
+            encryptionKeyFingerprint = encodeBytes(keyFingerprintBytes, FieldValueEncoding.HEX);
+        } catch (Exception e) {
+            throw new EncryptionException("Failed to compute encryption key fingerprint!", e);
+        }
+    }
+
+    private static byte[] sha256digestBytes(byte[] bytes) throws NoSuchAlgorithmException {
+        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
+        messageDigest.update(bytes);
+        return messageDigest.digest();
+    }
 }

src/main/java/com/mastercard/developer/encryption/FieldLevelEncryptionParams.java

@@ -8,14 +8,11 @@
 import javax.crypto.spec.PSource;
 import java.security.GeneralSecurityException;
 import java.security.Key;
-import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.security.spec.MGF1ParameterSpec;
 
-import static com.mastercard.developer.encryption.FieldLevelEncryptionConfig.FieldValueEncoding;
 import static com.mastercard.developer.utils.EncodingUtils.decodeValue;
 import static com.mastercard.developer.utils.EncodingUtils.encodeBytes;
-import static com.mastercard.developer.utils.StringUtils.isNullOrEmpty;
 
 /**
  * Encryption parameters for computing field level encryption/decryption.
@@ -30,20 +27,14 @@ public final class FieldLevelEncryptionParams {
     private final String ivValue;
     private final String encryptedKeyValue;
     private final String oaepPaddingDigestAlgorithmValue;
-    private final String encryptionCertificateFingerprintValue;
-    private final String encryptionKeyFingerprintValue;
     private final FieldLevelEncryptionConfig config;
     private Key secretKey;
     private IvParameterSpec ivParameterSpec;
 
-    public FieldLevelEncryptionParams(String ivValue, String encryptedKeyValue,
-                                      String oaepPaddingDigestAlgorithmValue, String encryptionCertificateFingerprintValue,
-                                      String encryptionKeyFingerprintValue, FieldLevelEncryptionConfig config) {
+    public FieldLevelEncryptionParams(String ivValue, String encryptedKeyValue, String oaepPaddingDigestAlgorithmValue, FieldLevelEncryptionConfig config) {
         this.ivValue = ivValue;
         this.encryptedKeyValue = encryptedKeyValue;
         this.oaepPaddingDigestAlgorithmValue = oaepPaddingDigestAlgorithmValue;
-        this.encryptionCertificateFingerprintValue = encryptionCertificateFingerprintValue;
-        this.encryptionKeyFingerprintValue = encryptionKeyFingerprintValue;
         this.config = config;
     }
 
@@ -66,14 +57,12 @@ public static FieldLevelEncryptionParams generate(FieldLevelEncryptionConfig con
         byte[] encryptedSecretKeyBytes = wrapSecretKey(config, secretKey);
         String encryptedKeyValue = encodeBytes(encryptedSecretKeyBytes, config.fieldValueEncoding);
 
-        // Compute fingerprints and OAEP padding digest algorithm
-        String encryptionCertificateFingerprint = getOrComputeEncryptionCertificateFingerprint(config);
-        String encryptionKeyFingerprint = getOrComputeEncryptionKeyFingerprint(config);
+        // Compute the OAEP padding digest algorithm
         String oaepPaddingDigestAlgorithmValue = config.oaepPaddingDigestAlgorithm.replace("-", "");
 
         FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivSpecValue, encryptedKeyValue,
-                                                                           oaepPaddingDigestAlgorithmValue, encryptionCertificateFingerprint,
-                                                                           encryptionKeyFingerprint, config);
+                                                                           oaepPaddingDigestAlgorithmValue,
+                                                                           config);
         params.secretKey = secretKey;
         params.ivParameterSpec = ivParameterSpec;
         return params;
@@ -87,14 +76,6 @@ public String getEncryptedKeyValue() {
         return encryptedKeyValue;
     }
 
-    public String getEncryptionCertificateFingerprintValue() {
-        return encryptionCertificateFingerprintValue;
-    }
-
-    public String getEncryptionKeyFingerprintValue() {
-        return encryptionKeyFingerprintValue;
-    }
-
     public String getOaepPaddingDigestAlgorithmValue() {
         return oaepPaddingDigestAlgorithmValue;
     }
@@ -182,38 +163,4 @@ protected static Key unwrapSecretKey(FieldLevelEncryptionConfig config, byte[] k
     private static OAEPParameterSpec getOaepParameterSpec(MGF1ParameterSpec mgf1ParameterSpec) {
         return new OAEPParameterSpec(mgf1ParameterSpec.getDigestAlgorithm(), "MGF1", mgf1ParameterSpec, PSource.PSpecified.DEFAULT);
     }
-
-    private static String getOrComputeEncryptionCertificateFingerprint(FieldLevelEncryptionConfig config) throws EncryptionException {
-        try {
-            String providedCertificateFingerprintValue = config.encryptionCertificateFingerprint;
-            if (!isNullOrEmpty(providedCertificateFingerprintValue)) {
-                return providedCertificateFingerprintValue;
-            } else {
-                byte[] certificateFingerprintBytes = sha256digestBytes(config.encryptionCertificate.getEncoded());
-                return encodeBytes(certificateFingerprintBytes, FieldValueEncoding.HEX);
-            }
-        } catch (GeneralSecurityException e) {
-            throw new EncryptionException("Failed to compute encryption certificate fingerprint!", e);
-        }
-    }
-
-    private static String getOrComputeEncryptionKeyFingerprint(FieldLevelEncryptionConfig config) throws EncryptionException {
-        String providedKeyFingerprintValue = config.encryptionKeyFingerprint;
-        if (!isNullOrEmpty(providedKeyFingerprintValue)) {
-            return providedKeyFingerprintValue;
-        } else {
-            byte[] keyFingerprintBytes = sha256digestBytes(config.encryptionCertificate.getPublicKey().getEncoded());
-            return encodeBytes(keyFingerprintBytes, FieldValueEncoding.HEX);
-        }
-    }
-
-    private static byte[] sha256digestBytes(byte[] bytes) throws EncryptionException {
-        try {
-            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
-            messageDigest.update(bytes);
-            return messageDigest.digest();
-        } catch (GeneralSecurityException e) {
-            throw new EncryptionException("Failed to digest bytes!", e);
-        }
-    }
 }

src/main/java/com/mastercard/developer/interceptors/HttpExecuteFieldLevelEncryptionInterceptor.java

@@ -50,8 +50,8 @@ public void intercept(HttpRequest request) throws IOException {
                 FieldLevelEncryptionParams params = FieldLevelEncryptionParams.generate(config);
                 updateHeader(headers, config.getIvHeaderName(), params.getIvValue());
                 updateHeader(headers, config.getEncryptedKeyHeaderName(), params.getEncryptedKeyValue());
-                updateHeader(headers, config.getEncryptionCertificateFingerprintHeaderName(), params.getEncryptionCertificateFingerprintValue());
-                updateHeader(headers, config.getEncryptionKeyFingerprintHeaderName(), params.getEncryptionKeyFingerprintValue());
+                updateHeader(headers, config.getEncryptionCertificateFingerprintHeaderName(), config.getEncryptionCertificateFingerprint());
+                updateHeader(headers, config.getEncryptionKeyFingerprintHeaderName(), config.getEncryptionKeyFingerprint());
                 updateHeader(headers, config.getOaepPaddingDigestAlgorithmHeaderName(), params.getOaepPaddingDigestAlgorithmValue());
                 encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config, params);
             } else {
@@ -91,8 +91,7 @@ public void interceptResponse(HttpResponse response) throws IOException {
                 removeHeader(headers, config.getOaepPaddingDigestAlgorithmHeaderName());
                 removeHeader(headers, config.getEncryptionCertificateFingerprintHeaderName());
                 removeHeader(headers, config.getEncryptionKeyFingerprintHeaderName());
-                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue,
-                                                                                   null, null, config);
+                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue, config);
                 decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config, params);
             } else {
                 // Encryption params are stored in the payload

src/main/java/com/mastercard/developer/interceptors/OkHttp2FieldLevelEncryptionInterceptor.java

@@ -54,8 +54,8 @@ private static Request handleRequest(Request request, FieldLevelEncryptionConfig
                 FieldLevelEncryptionParams params = FieldLevelEncryptionParams.generate(config);
                 updateHeader(requestBuilder, config.getIvHeaderName(), params.getIvValue());
                 updateHeader(requestBuilder, config.getEncryptedKeyHeaderName(), params.getEncryptedKeyValue());
-                updateHeader(requestBuilder, config.getEncryptionCertificateFingerprintHeaderName(), params.getEncryptionCertificateFingerprintValue());
-                updateHeader(requestBuilder, config.getEncryptionKeyFingerprintHeaderName(), params.getEncryptionKeyFingerprintValue());
+                updateHeader(requestBuilder, config.getEncryptionCertificateFingerprintHeaderName(), config.getEncryptionCertificateFingerprint());
+                updateHeader(requestBuilder, config.getEncryptionKeyFingerprintHeaderName(), config.getEncryptionKeyFingerprint());
                 updateHeader(requestBuilder, config.getOaepPaddingDigestAlgorithmHeaderName(), params.getOaepPaddingDigestAlgorithmValue());
                 encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config, params);
             } else {
@@ -103,8 +103,7 @@ private static Response handleResponse(Response response, FieldLevelEncryptionCo
                 removeHeader(responseBuilder, config.getOaepPaddingDigestAlgorithmHeaderName());
                 removeHeader(responseBuilder, config.getEncryptionCertificateFingerprintHeaderName());
                 removeHeader(responseBuilder, config.getEncryptionKeyFingerprintHeaderName());
-                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue,
-                                                                                   null, null, config);
+                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue, config);
                 decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config, params);
             } else {
                 // Encryption params are stored in the payload

src/main/java/com/mastercard/developer/interceptors/OkHttpFieldLevelEncryptionInterceptor.java

@@ -54,8 +54,8 @@ private static Request handleRequest(Request request, FieldLevelEncryptionConfig
                 FieldLevelEncryptionParams params = FieldLevelEncryptionParams.generate(config);
                 updateHeader(requestBuilder, config.getIvHeaderName(), params.getIvValue());
                 updateHeader(requestBuilder, config.getEncryptedKeyHeaderName(), params.getEncryptedKeyValue());
-                updateHeader(requestBuilder, config.getEncryptionCertificateFingerprintHeaderName(), params.getEncryptionCertificateFingerprintValue());
-                updateHeader(requestBuilder, config.getEncryptionKeyFingerprintHeaderName(), params.getEncryptionKeyFingerprintValue());
+                updateHeader(requestBuilder, config.getEncryptionCertificateFingerprintHeaderName(), config.getEncryptionCertificateFingerprint());
+                updateHeader(requestBuilder, config.getEncryptionKeyFingerprintHeaderName(), config.getEncryptionKeyFingerprint());
                 updateHeader(requestBuilder, config.getOaepPaddingDigestAlgorithmHeaderName(), params.getOaepPaddingDigestAlgorithmValue());
                 encryptedPayload = FieldLevelEncryption.encryptPayload(requestPayload, config, params);
             } else {
@@ -103,8 +103,7 @@ private static Response handleResponse(Response response, FieldLevelEncryptionCo
                 removeHeader(responseBuilder, config.getOaepPaddingDigestAlgorithmHeaderName());
                 removeHeader(responseBuilder, config.getEncryptionCertificateFingerprintHeaderName());
                 removeHeader(responseBuilder, config.getEncryptionKeyFingerprintHeaderName());
-                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue,
-                                                                                   null, null, config);
+                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue, config);
                 decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config, params);
             } else {
                 // Encryption params are stored in the payload

src/main/java/com/mastercard/developer/interceptors/OpenFeignFieldLevelEncryptionDecoder.java

@@ -53,8 +53,7 @@ public Object decode(Response response, Type type) throws IOException {
                 response = removeHeader(response, config.getEncryptedKeyHeaderName());
                 response = removeHeader(response, config.getEncryptionCertificateFingerprintHeaderName());
                 response = removeHeader(response, config.getEncryptionKeyFingerprintHeaderName());
-                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue,
-                                                                                   null, null, config);
+                FieldLevelEncryptionParams params = new FieldLevelEncryptionParams(ivValue, encryptedKeyValue, oaepPaddingDigestAlgorithmValue, config);
                 decryptedPayload = FieldLevelEncryption.decryptPayload(responsePayload, config, params);
             } else {
                 // Encryption params are stored in the payload