org.wisdom.crypto

Class CryptoServiceSingleton

java.lang.Object

org.wisdom.crypto.CryptoServiceSingleton

All Implemented Interfaces:

org.wisdom.api.crypto.Crypto

public class CryptoServiceSingleton
extends Object
implements org.wisdom.api.crypto.Crypto

An implementation of the crypto service.

This implementation can be configured from the `conf/application.conf` file:

• crypto.default.hash: the default Hash algorithm among SHA1, SHA-256, SHA-512 and MD5 (default).
• aes.key.size: the key size used in AES with CBC methods. 128 is used by default. Be aware the 256+ keys require runtime adaption because of legal limitations (see unlimited crypto package JCE)
• aes.iterations: the number of iterations used to generate the key (20 by default)

Field Summary

Fields

Modifier and Type	Field and Description
static String	AES_CBC_ALGORITHM
static String	AES_ECB_ALGORITHM
private org.wisdom.api.crypto.Hash	defaultHash
static String	HMAC_SHA_1
private int	iterationCount
private int	keySize
static String	PBKDF_2_WITH_HMAC_SHA_1
private String	secret
private static Charset	UTF_8

Constructor Summary

Constructors

Constructor and Description
CryptoServiceSingleton(org.wisdom.api.configuration.ApplicationConfiguration configuration)
CryptoServiceSingleton(String secret, org.wisdom.api.crypto.Hash defaultHash, Integer keySize, Integer iterationCount)

Method Summary

Modifier and Type	Method and Description
private boolean	constantTimeEquals(String a, String b) Constant time equals method.
byte[]	decodeBase64(String value) Decode a base64 value.
String	decryptAES(String value) Decrypt a String with the standard AES encryption (using the ECB mode) using the default secret (the application secret).
String	decryptAES(String value, String privateKey) Decrypt a String with the standard AES encryption (using the ECB mode).
String	decryptAESWithCBC(String value, String salt) Decrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'.
String	decryptAESWithCBC(String value, String privateKey, String salt, String iv) Decrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'.
private byte[]	doFinal(int encryptMode, SecretKey generatedKey, String vector, byte[] message) Utility method encrypting/decrypting the given message.
String	encodeBase64(byte[] value) Encode binary data to base64.
String	encryptAES(String value) Encrypt a String with the AES standard encryption (using the ECB mode) using the default secret (the application secret).
String	encryptAES(String value, String privateKey) Encrypt a String with the AES standard encryption (using the ECB mode).
String	encryptAESWithCBC(String value, String salt) Encrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'.
String	encryptAESWithCBC(String value, String privateKey, String salt, String iv) Encrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'.
String	extractSignedToken(String token) Extract a signed token that was signed by signToken(String).
private SecretKey	generateAESKey(String privateKey, String salt) Generate the AES key from the salt and the private key.
private String	getDefaultIV() Gets a segment of the application secret of 16 characters and encoded them in hexadecimal.
private String	getSecretPrefix() Gets the 16 first characters of the application secret.
String	hash(String input) Create a hash using the default hashing algorithm.
String	hash(String input, org.wisdom.api.crypto.Hash hashType) Create a hash using specific hashing algorithm.
String	hexMD5(String value) Build an hexadecimal MD5 hash for a String.
String	hexSHA1(String value) Build an hexadecimal SHA1 hash for a String.
String	sign(String message) Sign a message using the application secret key (HMAC-SHA1).
String	sign(String message, byte[] key) Sign a message with a key.
String	signToken(String token) Sign a token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

AES_CBC_ALGORITHM

public static final String AES_CBC_ALGORITHM

See Also:

Constant Field Values

AES_ECB_ALGORITHM

public static final String AES_ECB_ALGORITHM

See Also:

Constant Field Values

UTF_8

private static final Charset UTF_8

HMAC_SHA_1

public static final String HMAC_SHA_1

See Also:

Constant Field Values

PBKDF_2_WITH_HMAC_SHA_1

public static final String PBKDF_2_WITH_HMAC_SHA_1

See Also:

Constant Field Values

keySize

private int keySize

iterationCount

private int iterationCount

defaultHash

private org.wisdom.api.crypto.Hash defaultHash

secret

private final String secret

Constructor Detail

CryptoServiceSingleton

public CryptoServiceSingleton(org.wisdom.api.configuration.ApplicationConfiguration configuration)

CryptoServiceSingleton

public CryptoServiceSingleton(String secret,
                              org.wisdom.api.crypto.Hash defaultHash,
                              Integer keySize,
                              Integer iterationCount)

Method Detail

generateAESKey

private SecretKey generateAESKey(String privateKey,
                                 String salt)

Generate the AES key from the salt and the private key.

Parameters:

salt - the salt (hexadecimal)

privateKey - the private key

Returns:

the generated key.

encryptAESWithCBC

public String encryptAESWithCBC(String value,
                                String salt)

Encrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'. Unlike the regular encode/decode AES method using ECB (Electronic Codebook), it uses Cipher-block chaining (CBC). The salt must be valid hexadecimal String. This method uses parts of the application secret as private key and initialization vector.

Specified by:

encryptAESWithCBC in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The message to encrypt

salt - The salt (hexadecimal String)

Returns:

encrypted String encoded using Base64

encryptAESWithCBC

public String encryptAESWithCBC(String value,
                                String privateKey,
                                String salt,
                                String iv)

Encrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'. Unlike the regular encode/decode AES method using ECB (Electronic Codebook), it uses Cipher-block chaining (CBC). The private key must have a length of 16 bytes, the salt and initialization vector must be valid hex Strings.

Specified by:

encryptAESWithCBC in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The message to encrypt

privateKey - The private key

salt - The salt (hexadecimal String)

iv - The initialization vector (hexadecimal String)

Returns:

encrypted String encoded using Base64

decryptAESWithCBC

public String decryptAESWithCBC(String value,
                                String salt)

Decrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'. Unlike the regular encode/decode AES method using ECB (Electronic Codebook), it uses Cipher-block chaining (CBC). The salt and initialization vector must be valid hex Strings. This method use parts of the application secret as private key and the default initialization vector.

Specified by:

decryptAESWithCBC in interface org.wisdom.api.crypto.Crypto

Parameters:

value - An encrypted String encoded using Base64.

salt - The salt (hexadecimal String)

Returns:

The decrypted String

decryptAESWithCBC

public String decryptAESWithCBC(String value,
                                String privateKey,
                                String salt,
                                String iv)

Decrypt a String with the AES encryption advanced using 'AES/CBC/PKCS5Padding'. Unlike the regular encode/decode AES method using ECB (Electronic Codebook), it uses Cipher-block chaining (CBC). The private key must have a length of 16 bytes, the salt and initialization vector must be valid hexadecimal Strings.

Specified by:

decryptAESWithCBC in interface org.wisdom.api.crypto.Crypto

Parameters:

value - An encrypted String encoded using Base64.

privateKey - The private key

salt - The salt (hexadecimal String)

iv - The initialization vector (hexadecimal String)

Returns:

The decrypted String

doFinal

private byte[] doFinal(int encryptMode,
                       SecretKey generatedKey,
                       String vector,
                       byte[] message)

Utility method encrypting/decrypting the given message. The sense of the operation is specified using the `encryptMode` parameter.

Parameters:

encryptMode - encrypt or decrypt mode (Cipher.DECRYPT_MODE or Cipher.ENCRYPT_MODE).

generatedKey - the generated key

vector - the initialization vector

message - the plain/cipher text to encrypt/decrypt

Returns:

the encrypted or decrypted message

sign

public String sign(String message)

Sign a message using the application secret key (HMAC-SHA1).

Specified by:

sign in interface org.wisdom.api.crypto.Crypto

sign

public String sign(String message,
                   byte[] key)

Sign a message with a key.

Specified by:

sign in interface org.wisdom.api.crypto.Crypto

Parameters:

message - The message to sign

key - The key to use

Returns:

The signed message (in hexadecimal)

hash

public String hash(String input)

Create a hash using the default hashing algorithm.

Specified by:

hash in interface org.wisdom.api.crypto.Crypto

Parameters:

input - The password

Returns:

The password hash

hash

public String hash(String input,
                   org.wisdom.api.crypto.Hash hashType)

Create a hash using specific hashing algorithm.

Specified by:

hash in interface org.wisdom.api.crypto.Crypto

Parameters:

input - The password

hashType - The hashing algorithm

Returns:

The password hash

encryptAES

public String encryptAES(String value)

Encrypt a String with the AES standard encryption (using the ECB mode) using the default secret (the application secret).

Specified by:

encryptAES in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The String to encrypt

Returns:

An hexadecimal encrypted string

encryptAES

public String encryptAES(String value,
                         String privateKey)

Encrypt a String with the AES standard encryption (using the ECB mode). Private key must have a length of 16 bytes.

Specified by:

encryptAES in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The String to encrypt

privateKey - The key used to encrypt

Returns:

An hexadecimal encrypted string

decryptAES

public String decryptAES(String value)

Decrypt a String with the standard AES encryption (using the ECB mode) using the default secret (the application secret).

Specified by:

decryptAES in interface org.wisdom.api.crypto.Crypto

Parameters:

value - An hexadecimal encrypted string

Returns:

The decrypted String

decryptAES

public String decryptAES(String value,
                         String privateKey)

Decrypt a String with the standard AES encryption (using the ECB mode). Private key must have a length of 16 bytes.

Specified by:

decryptAES in interface org.wisdom.api.crypto.Crypto

Parameters:

value - An hexadecimal encrypted string

privateKey - The key used to encrypt

Returns:

The decrypted String

getSecretPrefix

private String getSecretPrefix()

Gets the 16 first characters of the application secret.

Returns:

the secret prefix.

getDefaultIV

private String getDefaultIV()

Gets a segment of the application secret of 16 characters and encoded them in hexadecimal. The segment contains from the 16th to the 32th characters from the application secret (16 characters). The extracted segment is encoded in hexadecimal

Returns:

the default initialization vector.

signToken

public String signToken(String token)

Sign a token. This produces a new token, that has this token signed with a nonce.

This primarily exists to defeat the BREACH vulnerability, as it allows the token to effectively be random per request, without actually changing the value.

Specified by:

signToken in interface org.wisdom.api.crypto.Crypto

Parameters:

token - The token to sign

Returns:

The signed token

extractSignedToken

public String extractSignedToken(String token)

Extract a signed token that was signed by signToken(String).

Specified by:

extractSignedToken in interface org.wisdom.api.crypto.Crypto

Parameters:

token - The signed token to extract.

Returns:

The verified raw token, or null if the token isn't valid.

constantTimeEquals

private boolean constantTimeEquals(String a,
                                   String b)

Constant time equals method.

Given a length that both Strings are equal to, this method will always run in constant time. This prevents timing attacks.

encodeBase64

public String encodeBase64(byte[] value)

Encode binary data to base64.

Specified by:

encodeBase64 in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The binary data

Returns:

The base64 encoded String

decodeBase64

public byte[] decodeBase64(String value)

Decode a base64 value.

Specified by:

decodeBase64 in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The base64 encoded String

Returns:

decoded binary data

hexMD5

public String hexMD5(String value)

Build an hexadecimal MD5 hash for a String.

Specified by:

hexMD5 in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The String to hash

Returns:

An hexadecimal Hash

hexSHA1

public String hexSHA1(String value)

Build an hexadecimal SHA1 hash for a String.

Specified by:

hexSHA1 in interface org.wisdom.api.crypto.Crypto

Parameters:

value - The String to hash

Returns:

An hexadecimal Hash