Obfuscate seeds in UvfMetadataPayload.toString.

chenkins · dkocher · commit 07cf0260ce30 · 2025-03-05T15:51:50.000+01:00
diff --git a/hub/src/main/java/ch/iterate/hub/crypto/uvf/UvfMetadataPayload.java b/hub/src/main/java/ch/iterate/hub/crypto/uvf/UvfMetadataPayload.java
@@ -8,6 +8,7 @@
 import ch.cyberduck.core.AlphanumericRandomStringService;
 import ch.cyberduck.core.cryptomator.random.FastSecureRandomProvider;
 
+import org.apache.commons.lang3.StringUtils;
 import org.cryptomator.cryptolib.api.Cryptor;
 import org.cryptomator.cryptolib.api.CryptorProvider;
 import org.cryptomator.cryptolib.api.UVFMasterkey;
@@ -24,6 +25,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.UUID;
+import java.util.stream.Collectors;
 
 import ch.iterate.hub.crypto.exceptions.NotECKeyException;
 import ch.iterate.hub.model.JWEPayload;
@@ -324,11 +326,11 @@ public String toString() {
         return "UvfMetadataPayload{" +
                 "fileFormat='" + fileFormat + '\'' +
                 ", nameFormat='" + nameFormat + '\'' +
-                ", seeds=" + seeds +
+                ", seeds={" + seeds.entrySet().stream().map(e -> e.getKey() + "=" + StringUtils.repeat("*", Integer.min(8, StringUtils.length(e.getValue())))).collect(Collectors.joining(", ")) + "}" +
                 ", initialSeed='" + initialSeed + '\'' +
                 ", latestSeed='" + latestSeed + '\'' +
                 ", kdf='" + kdf + '\'' +
-                ", kdfSalt='" + kdfSalt + '\'' +
+                ", kdfSalt='" + StringUtils.repeat("*", Integer.min(8, StringUtils.length(kdf))) + '\'' +
                 ", automaticAccessGrant=" + automaticAccessGrant +
                 ", storage=" + storage +
                 '}';
diff --git a/hub/src/test/java/ch/iterate/hub/crypto/uvf/UvfMetadataPayloadTest.java b/hub/src/test/java/ch/iterate/hub/crypto/uvf/UvfMetadataPayloadTest.java
@@ -125,6 +125,7 @@ public void encryptDecrypt() throws JOSEException, JsonProcessingException, Pars
             final ECKey fake = new ECKey.Builder(recoveryKey).keyID("kiddo").build();
             assertThrows(JOSEException.class, () -> UvfMetadataPayload.decryptWithJWK(encrypted, fake));
         }
+        assertTrue(orig.toString().startsWith("UvfMetadataPayload{fileFormat='AES-256-GCM-32k', nameFormat='AES-256-SIV', seeds={key02=********, key01=********}, initialSeed='key1', latestSeed='key0', kdf='1STEP-HMAC-SHA512', kdfSalt='********', automaticAccessGrant=class AutomaticAccessGrant {"));
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,7 @@ public void encryptDecrypt() throws JOSEException, JsonProcessingException, Pars`
`125`	`125`	`final ECKey fake = new ECKey.Builder(recoveryKey).keyID("kiddo").build();`
`126`	`126`	`assertThrows(JOSEException.class, () -> UvfMetadataPayload.decryptWithJWK(encrypted, fake));`
`127`	`127`	`}`
	`128`	`+ assertTrue(orig.toString().startsWith("UvfMetadataPayload{fileFormat='AES-256-GCM-32k', nameFormat='AES-256-SIV', seeds={key02=******, key01=****}, initialSeed='key1', latestSeed='key0', kdf='1STEP-HMAC-SHA512', kdfSalt='******', automaticAccessGrant=class AutomaticAccessGrant {"));`
`128`	`129`	`}`
`129`	`130`
`130`	`131`	`@Test`