Jackson: Encryption post serialisation

[akil-rails]

I am trying to figure out the appropriate place to encrypt the payload that is sent to my remote (legacy API).

1. Tried ClientRequestFilter, but this gets executed before Jackson serialisation takes place,
2. Tried WriterInterceptor, with different values for @priority, but can't seem to get this to run after Jackson serialisation takes place.

Decryption with ClientResponseFilter works fine, I suppose because the filter runs before Jackson.

Any suggestions on what can be done?

[quarkus-bot[bot]]

/cc @geoand (jackson), @gsmet (jackson)

[akil-rails]

The interceptor below results in an EmptyBody being sent. The code snippet below follows DigitalSigningInterceptor.java

@Priority(Priorities.ENTITY_CODER)
@ConstrainedTo(jakarta.ws.rs.RuntimeType.CLIENT)
public class Interceptor implements WriterInterceptor {

    @Override
    public void aroundWriteTo(WriterInterceptorContext context)
      throws IOException, WebApplicationException {
        // following https://github.com/resteasy/resteasy/blob/main/security/resteasy-crypto/src/main/java/org/jboss/resteasy/security/doseta/DigitalSigningInterceptor.java#L174
        OutputStream old = context.getOutputStream();

        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        context.setOutputStream(baos);        
        context.proceed();
        byte[] body = baos.toByteArray();

        // compute signature - or encrypt

        // should be able to write a modified body?
        old.write(body);
        
        context.setOutputStream(old);
    }
}

[mschorsch]

How about creating a custom MessageBodyWriter ? In the MessageBodyWriter you could deserialize and encrypt your entity.

[mschorsch]

After reading your description again I suspect that you are using the resteasy-rest-client-reactive and not resteasy-reactive. In this case the solution via MessageBodyWriter probably does not work.

[mschorsch]

You have to register your providers via @RegisterProvider (https://download.eclipse.org/microprofile/microprofile-rest-client-2.0/microprofile-rest-client-spec-2.0.html#_provider_declaration) then you can use MessageBodyWriter and other providers.

[akil-rails]

Thank you for your reply.
I did register it, though, at the RestClientInterface; since I want this only for specific end-points. I can see the provider does get invoked (and when i remove the @RegisterProvider, the provider stops getting invoked).

@RegisterProvider(Interceptor.class)
@Path("REST/WhiteOak/folio/investorInformation")
public interface InvestorInformationClient {
  
  @POST
  Uni<InvestorInformationResponse> getInvestorInformation(@HeaderParam("Authorization") String auth, InvestorInformationRequest request);
}

The issue is that anything that I write to the old.write(body) doesn't seem to make way till the final HTTP call; and all i get is EmptyBody (Content-Length:0).

[mschorsch]

Can you try a MessageBodyWriter?

[akil-rails]

Thanks!, I was able to proceed with MessageBodyWriter.

@Provider
@ConstrainedTo(jakarta.ws.rs.RuntimeType.CLIENT)
public class MessageCipherMessageWriter extends ClientJacksonMessageBodyWriter {
  private final SecretKeySpec secretKeySpec;
  private final byte[] iv;

  @Inject
  public MessageCipherMessageWriter(ObjectMapper mapper,
      @ConfigProperty(name = "rta.cams.cipher.secret-key") String secretKey,
      @ConfigProperty(name = "rta.cams.cipher.iv") String ivString) {
    super(mapper);
    this.iv = Base64.getDecoder().decode(ivString);
    this.secretKeySpec = new SecretKeySpec(Base64.getDecoder().decode(secretKey), "AES");
  }

  @Override
  public void writeTo(Object o, Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType,
      MultivaluedMap<String, Object> httpHeaders, OutputStream entityStream)
      throws IOException, WebApplicationException {

        if ( httpHeaders.containsKey("x-do-encrypt") ) {
          // serialize as usual
          ByteArrayOutputStream serializedBody = new ByteArrayOutputStream();
          super.writeTo(o, type, genericType, annotations, mediaType, httpHeaders, serializedBody);

          // encrypt the message
          try {
            String finalMessage = "{\"data\":\"" + encrypt(serializedBody.toString()) + "\"}";
            entityStream.write(finalMessage.getBytes());

          } catch (InvalidKeyException | InvalidAlgorithmParameterException | IllegalBlockSizeException
              | BadPaddingException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new RuntimeException("Encryption failed" + e.getMessage());
          }

        } else {
          super.writeTo(o, type, genericType, annotations, mediaType, httpHeaders, entityStream);
          return;
        }
  }