Merge branch 'RM-3580' into 'master'

RM-3580: Validate KeyLabelParams in EncryptionKeyMaterial.from(TYPE, KeyLabelParams)

See merge request cdoc2/cdoc2-java-ref-impl!34

Author: OlesjaAarma

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/SymmetricKeyUtil.java

@@ -206,7 +206,11 @@ public static FormattedOptionParts getSplitPasswordAndLabel(
                     splitFormattedOption(formattedPassword, EncryptionKeyOrigin.PASSWORD);
                 //overwrite label with recipient label to allow entering password without label for
                 //single pbkdfRecipient eg -pw ":pw"
-                return new FormattedOptionParts(parsed.optionChars(), label, EncryptionKeyOrigin.PASSWORD);
+                return new FormattedOptionParts(
+                    parsed.optionChars(),
+                    parsed.label().isBlank() ? label : parsed.label(),
+                    EncryptionKeyOrigin.PASSWORD
+                );
             }
         } else {
             return getSplitPasswordAndLabel(formattedPassword, false);

cdoc2-cli/src/test/java/CDocCliTest.java

@@ -13,6 +13,7 @@
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.function.Executable;
 import org.junit.jupiter.api.io.TempDir;
@@ -90,6 +91,21 @@ void testSuccessfulCreateDecryptDocWithPassword() throws IOException {
         decrypt(PASSWORD_OPTION, SUCCESSFUL_EXIT_CODE);
     }
 
+    @Test
+    @Disabled
+    void testSuccessfulCreateDecryptDocWithPasswordWhenItIsInsertedInteractively()
+        throws IOException {
+        encrypt(PASSWORD_OPTION);
+        decrypt("--password=", SUCCESSFUL_EXIT_CODE);
+    }
+
+    @Test
+    void testSuccessfulCreateDecryptDocWithPasswordWhenLabelIsMissing()
+        throws IOException {
+        encrypt(PASSWORD_OPTION);
+        decrypt("--password=:myPlainTextPassword", SUCCESSFUL_EXIT_CODE);
+    }
+
     @Test
     void testSuccessfulCreateDecryptDocWithSecret() throws IOException {
         encrypt(SECRET_OPTION);
@@ -203,15 +219,15 @@ void infoShouldDisplayKeyLabelInDefaultFormatForPassword() throws IOException {
 
     @Test
     void infoShouldDisplayKeyLabelInPlainText() throws IOException {
-        disableKeyLabelFormatting();
+        setUpKeyLabelFormat(false);
 
         encrypt(PASSWORD_OPTION);
         decrypt(PASSWORD_OPTION, SUCCESSFUL_EXIT_CODE);
 
         String expectedKeyLabel = "Password: LABEL:passwordlabel";
         executeInfo(expectedKeyLabel, cdocFile);
 
-        restoreDefaultKeyLabelFormat();
+        setUpKeyLabelFormat(true);
     }
 
     @Test
@@ -226,15 +242,15 @@ void infoShouldDisplayKeyLabelInDefaultFormatForSecret() throws IOException {
 
     @Test
     void infoShouldDisplayKeyLabelInPlainTextForSecret() throws IOException {
-        disableKeyLabelFormatting();
+        setUpKeyLabelFormat(false);
 
         encrypt(SECRET_OPTION);
         decrypt(SECRET_OPTION, SUCCESSFUL_EXIT_CODE);
 
         String expectedKeyLabel = "SymmetricKey: LABEL:label_b64secret";
         executeInfo(expectedKeyLabel, cdocFile);
 
-        restoreDefaultKeyLabelFormat();
+        setUpKeyLabelFormat(true);
     }
 
     @Test
@@ -556,19 +572,11 @@ private static Map<String, String> convertStringToKeyLabelParamsMap(String data)
         return result;
     }
 
-    private void disableKeyLabelFormatting() {
-        Properties props = System.getProperties();
-        props.setProperty(
-            "ee.cyber.cdoc2.key-label.machine-readable-format.enabled",
-            "false"
-        );
-    }
-
-    private void restoreDefaultKeyLabelFormat() {
+    private void setUpKeyLabelFormat(boolean isFormatted) {
         Properties props = System.getProperties();
         props.setProperty(
             "ee.cyber.cdoc2.key-label.machine-readable-format.enabled",
-            "true"
+            String.valueOf(isFormatted)
         );
     }
 

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/KeyLabelParams.java

@@ -1,6 +1,8 @@
 package ee.cyber.cdoc2.crypto;
 
 import java.util.Map;
+import java.util.Objects;
+
 import static ee.cyber.cdoc2.crypto.KeyLabelTools.urlEncodeValue;
 
 
@@ -19,15 +21,14 @@ public KeyLabelParams addParam(String key, String value) {
         return this;
     }
 
-    //ToDo RM-3549
-//    public boolean hasParam(String key) {
-//        Objects.requireNonNull(key);
-//        return true;
-//    }
-//
-//    public boolean isFromOrigin(EncryptionKeyOrigin origin) {
-//        Objects.requireNonNull(origin);
-//        return true;
-//    }
+    public boolean hasParam(KeyLabelTools.KeyLabelDataFields key) {
+        Objects.requireNonNull(key);
+        return this.keyLabelParams.containsKey(key.name());
+    }
+
+    public boolean isFromOrigin(EncryptionKeyOrigin origin) {
+        Objects.requireNonNull(origin);
+        return this.encryptionKeyOrigin.equals(origin);
+    }
 
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/KeyLabelTools.java

@@ -48,26 +48,16 @@ public static String formatKeyLabel(KeyLabelParams keyLabelParams) {
     }
 
     /**
-     * Validates encryption key label with decryption key label.
-     * @param encryptionKeyLabel encryption key label
-     * @param decryptionKeyLabel decryption key label
-     * @return Key Label in the same format as it used for encryption
+     * Validates key label format.
+     * @param keyLabel encryption key label
+     * @return Key Label in plain text
      */
-    public static Object checkKeyLabelFormatAndGet(
-        Object encryptionKeyLabel,
-        Object decryptionKeyLabel
-    ) {
-        if (encryptionKeyLabel.equals(decryptionKeyLabel)) {
-            return decryptionKeyLabel;
-        }
-        if (keyLabelIsFormatted(encryptionKeyLabel) && !keyLabelIsFormatted(decryptionKeyLabel)) {
-            String encryptedKeyLabel = extractKeyLabel(encryptionKeyLabel.toString());
-            if (null != encryptedKeyLabel && encryptedKeyLabel.equals(decryptionKeyLabel)) {
-                return encryptionKeyLabel;
-            }
+    public static String getPlainKeyLabel(String keyLabel) {
+        if (keyLabelIsFormatted(keyLabel)) {
+            return extractKeyLabel(keyLabel);
         }
 
-        return decryptionKeyLabel;
+        return keyLabel;
     }
 
     /**
@@ -219,7 +209,7 @@ public static KeyLabelParams createSecretKeyLabelParams(String keyLabel) {
         KeyLabelParams keyLabelParams = createSymmetricKeyLabelParams(
             EncryptionKeyOrigin.SECRET, keyLabel
         );
-        //ToDo add correct file, not payload file RM-3549
+        //ToDo add correct file, not payload file RM-3648
 //        if (isKeyLabelFileNameAllowedToBeAdded()) {
 //            keyLabelParams.addParam(KeyLabelDataFields.FILE.name(), payloadFileName);
 //        }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/SymmetricKeyTools.java

@@ -14,7 +14,8 @@
 import ee.cyber.cdoc2.crypto.keymaterial.EncryptionKeyMaterial;
 import ee.cyber.cdoc2.FormattedOptionParts;
 
-import static ee.cyber.cdoc2.crypto.KeyLabelTools.checkKeyLabelFormatAndGet;
+import static ee.cyber.cdoc2.crypto.KeyLabelTools.getPlainKeyLabel;
+import static ee.cyber.cdoc2.crypto.KeyLabelTools.isFormatted;
 
 
 /**
@@ -26,20 +27,19 @@ private SymmetricKeyTools() { }
 
     /**
      * Extract decryption key material from password.
-     * @param passwordAndLabel split password and label
+     * @param pwAndLabel split password and label
      * @param recipients       the list of recipients
      * @return DecryptionKeyMaterial created from password
      */
     public static DecryptionKeyMaterial extractDecryptionKeyMaterialFromPassword(
-        FormattedOptionParts passwordAndLabel,
+        FormattedOptionParts pwAndLabel,
         List<Recipient> recipients
     ) {
         for (Recipient recipient : recipients) {
-            if (recipient instanceof PBKDF2Recipient) {
-
+            if (keyLabelMatches(recipient, EncryptionKeyOrigin.PASSWORD, pwAndLabel.label())) {
                 return DecryptionKeyMaterial.fromPassword(
-                    passwordAndLabel.optionChars(),
-                    passwordAndLabel.label()
+                    pwAndLabel.optionChars(),
+                    recipient.getRecipientKeyLabel()
                 );
             }
         }
@@ -57,14 +57,11 @@ public static DecryptionKeyMaterial extractDecryptionKeyMaterialFromSecret(
         List<Recipient> recipients
     ) {
         for (Recipient recipient : recipients) {
-            Object decryptionKeyLabel = checkKeyLabelFormatAndGet(
-                recipient.getRecipientKeyLabel(),
-                secretAndLabel.label()
-                );
-            if (recipient instanceof SymmetricKeyRecipient
-                && recipient.getRecipientKeyLabel().equals(decryptionKeyLabel)) {
+            if (keyLabelMatches(recipient, EncryptionKeyOrigin.SECRET, secretAndLabel.label())) {
                 var entry = extractKeyMaterialFromSecret(secretAndLabel);
-                return DecryptionKeyMaterial.fromSecretKey(decryptionKeyLabel.toString(), entry.getKey());
+                return DecryptionKeyMaterial.fromSecretKey(
+                    entry.getKey(), recipient.getRecipientKeyLabel()
+                );
             }
         }
         return null;
@@ -112,4 +109,32 @@ public static EncryptionKeyMaterial getEncryptionKeyMaterialFromPassword(
         return EncryptionKeyMaterial.fromPassword(splitPasswordAndLabel.optionChars(), splitPasswordAndLabel.label());
     }
 
+    private static boolean keyLabelMatches(
+        Recipient recipient,
+        EncryptionKeyOrigin keyOrigin,
+        String requestedKeyLabel
+    ) {
+        String recipientKeyLabel = recipient.getRecipientKeyLabel();
+        String plainKeyLabel = getPlainKeyLabel(recipientKeyLabel);
+        if (EncryptionKeyOrigin.PASSWORD == keyOrigin) {
+            return passwordKeyLabelMatches(recipient, plainKeyLabel, requestedKeyLabel);
+        } else if (EncryptionKeyOrigin.SECRET == keyOrigin) {
+            return recipient instanceof SymmetricKeyRecipient
+                && plainKeyLabel.equals(requestedKeyLabel);
+        }
+        return false;
+    }
+
+    private static boolean passwordKeyLabelMatches(
+        Recipient recipient,
+        String plainKeyLabel,
+        String requestedKeyLabel
+    ) {
+        if (isFormatted(requestedKeyLabel)) {
+            return recipient instanceof PBKDF2Recipient
+                && recipient.getRecipientKeyLabel().equals(requestedKeyLabel);
+        }
+        return recipient instanceof PBKDF2Recipient && plainKeyLabel.equals(requestedKeyLabel);
+    }
+
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/keymaterial/DecryptionKeyMaterial.java

@@ -29,8 +29,16 @@ public interface DecryptionKeyMaterial {
      */
     EncryptionKeyOrigin getKeyOrigin();
 
-    static DecryptionKeyMaterial fromSecretKey(String label, SecretKey secretKey) {
-        return new SecretDecryptionKeyMaterial(label, secretKey);
+    /**
+     * Deprecated decryption key. Will be removed later.
+     * Creates decryption key material with secret key.
+     * @param secretKey secret key
+     * @param label key label
+     * @return DecryptionKeyMaterial key material required for decryption
+     */
+    @Deprecated
+    static DecryptionKeyMaterial fromSecretKey(SecretKey secretKey, String label) {
+        return new SecretDecryptionKeyMaterial(secretKey, label);
     }
 
     static DecryptionKeyMaterial fromPassword(char[] password, String label) {

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/keymaterial/EncryptionKeyMaterial.java

@@ -2,6 +2,7 @@
 
 import ee.cyber.cdoc2.crypto.EncryptionKeyOrigin;
 import ee.cyber.cdoc2.crypto.KeyLabelParams;
+import ee.cyber.cdoc2.crypto.KeyLabelTools;
 import ee.cyber.cdoc2.crypto.keymaterial.encrypt.EncryptionKeyMaterialCollectionBuilder;
 import ee.cyber.cdoc2.crypto.keymaterial.encrypt.PasswordEncryptionKeyMaterial;
 import ee.cyber.cdoc2.crypto.keymaterial.encrypt.PublicKeyEncryptionKeyMaterial;
@@ -70,10 +71,14 @@ static EncryptionKeyMaterial fromPublicKey(
         KeyLabelParams keyLabelParams
     ) {
         Objects.requireNonNull(pubKey);
+        EncryptionKeyOrigin origin = EncryptionKeyOrigin.PUBLIC_KEY;
+        if (!keyLabelParams.isFromOrigin(origin)) {
+            throw new IllegalArgumentException("KeyLabelParams must be of type " + origin);
+        }
 
         KeyLabelParams labelParams = (keyLabelParams == null)
             ? createPublicKeyLabelParams(null, null)
-            : keyLabelParams; //TODO: check params RM-3549
+            : keyLabelParams;
 
         return new PublicKeyEncryptionKeyMaterial(pubKey, formatKeyLabel(labelParams));
     }
@@ -119,13 +124,12 @@ static EncryptionKeyMaterial fromSecret(
     ) {
         Objects.requireNonNull(preSharedKey);
         Objects.requireNonNull(keyLabelParams);
-// TODO: check params RM-3549
-//        if (!keyLabelParams.isFromOrigin(EncryptionKeyOrigin.SECRET)
-//            || !keyLabelParams.hasParam(KeyLabelTools.KeyLabelDataFields.LABEL.name())) {
-//
-//            throw new IllegalArgumentException("keyLabelParams must have type "
-//                + KeyLabelTools.KeyLabelType.SECRET + " and have a label");
-//        }
+        KeyLabelTools.KeyLabelDataFields label = KeyLabelTools.KeyLabelDataFields.LABEL;
+        if (!keyLabelParams.isFromOrigin(EncryptionKeyOrigin.SECRET)
+            || !keyLabelParams.hasParam(label)) {
+            throw new IllegalArgumentException("KeyLabelParams must be of type "
+                + KeyLabelTools.KeyLabelType.SECRET + " and have a parameter " + label);
+        }
 
         return new SecretEncryptionKeyMaterial(preSharedKey, formatKeyLabel(keyLabelParams));
     }
@@ -134,5 +138,4 @@ static EncryptionKeyMaterialCollectionBuilder collectionBuilder() {
         return new EncryptionKeyMaterialCollectionBuilder();
     }
 
-
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/crypto/keymaterial/decrypt/SecretDecryptionKeyMaterial.java

@@ -8,15 +8,15 @@
 import ee.cyber.cdoc2.crypto.KeyLabelTools;
 import ee.cyber.cdoc2.crypto.keymaterial.DecryptionKeyMaterial;
 
+
 /**
  * Represents key material required for decryption with symmetric key derived from secret.
- *
- * @param keyLabel  key label
  * @param secretKey symmetric key
+ * @param keyLabel  key label
  */
 public record SecretDecryptionKeyMaterial(
-    String keyLabel,
-    SecretKey secretKey
+    SecretKey secretKey,
+    String keyLabel
 ) implements DecryptionKeyMaterial, Destroyable {
 
     @Override