Componentize (#48)

Make `Cipher` (plexus, not Java) pluggable components, `PlexusCipher` component is just "shell" gathering then and having some extra functions like "decorating". Dropped insecure AES/CBC/PKCS5Padding and introduced AES/GCM/NoPadding instead.
codehaus-plexus · Sep 28, 2024 · c30abd2 · c30abd2
1 parent b8d5b1f
commit c30abd2
Show file tree

Hide file tree

Showing 9 changed files with 292 additions and 363 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
diff --git a/src/main/java/org/codehaus/plexus/components/cipher/PlexusCipher.java b/src/main/java/org/codehaus/plexus/components/cipher/PlexusCipher.java
@@ -12,74 +12,76 @@
  */
 package org.codehaus.plexus.components.cipher;
 
+import java.util.Set;
+
 /**
  * @author Oleg Gusakov
  */
 public interface PlexusCipher {
+
+    /**
+     * Returns the available cipher algorithms, never {@code null}.
+     */
+    Set<String> availableCiphers();
+
     /**
-     * encrypt given string with the given passPhrase and encode it into base64
+     * Encrypt given string with the given alg and passPhrase and encode it into Base64 string.
      *
-     * @param str       string to encrypt
-     * @param passPhrase pass phrase
-     * @return encrypted str
+     * @param alg cipher alg to use, never {@code null}
+     * @param str string to encrypt, never {@code null}
+     * @param passPhrase pass phrase, never {@code null}
+     * @return encrypted str, never {@code null}
      * @throws PlexusCipherException if encryption fails
      */
-    String encrypt(String str, String passPhrase) throws PlexusCipherException;
+    String encrypt(String alg, String str, String passPhrase) throws PlexusCipherException;
 
     /**
-     * encrypt given string with the given passPhrase, encode it into base64 and return result, wrapped into { }
-     * decorations
+     * Encrypt given string with the given alg and passPhrase and encode it into Base64 decorated string.
      *
-     * @param str      string to encrypt
-     * @param passPhrase pass phrase
-     * @return encrypted and decorated str
+     * @param alg cipher alg to use, never {@code null}
+     * @param str string to encrypt, never {@code null}
+     * @param passPhrase pass phrase, never {@code null}
+     * @return encrypted and decorated str, never {@code null}
      * @throws PlexusCipherException if encryption fails
      */
-    String encryptAndDecorate(String str, String passPhrase) throws PlexusCipherException;
+    String encryptAndDecorate(String alg, String str, String passPhrase) throws PlexusCipherException;
 
     /**
-     * decrypt given base64 encrypted string
+     * Decrypt given Base64 encoded string with the given alg and passPhrase and return resulting string.
      *
-     * @param str       base64 encoded string
-     * @param passPhrase     pass phrase
-     * @return decrypted str
-     * @throws PlexusCipherException if decryption fails
+     * @param alg cipher alg to use, never {@code null}
+     * @param str string to encrypt, never {@code null}
+     * @param passPhrase pass phrase, never {@code null}
+     * @return encrypted and decorated str, never {@code null}
+     * @throws PlexusCipherException if encryption fails
      */
-    String decrypt(String str, String passPhrase) throws PlexusCipherException;
+    String decrypt(String alg, String str, String passPhrase) throws PlexusCipherException;
 
     /**
-     * decrypt given base64 encoded encrypted string. If string is decorated, decrypt base64 encoded string inside
-     * decorations
+     * Decrypt given decorated  Base64 encoded string with the given alg and passPhrase and return resulting string.
      *
-     * @param str    base64 encoded string
-     * @param passPhrase     pass phrase
-     * @return decrypted decorated str
-     * @throws PlexusCipherException if decryption fails
+     * @param alg cipher alg to use, never {@code null}
+     * @param str string to encrypt, never {@code null}
+     * @param passPhrase pass phrase, never {@code null}
+     * @return encrypted and decorated str, never {@code null}
+     * @throws PlexusCipherException if encryption fails
      */
-    String decryptDecorated(String str, String passPhrase) throws PlexusCipherException;
+    String decryptDecorated(String alg, String str, String passPhrase) throws PlexusCipherException;
 
     /**
-     * check if given string is decorated
-     *
-     * @param str string to check
-     * @return true if string is encrypted
+     * Check if given string is decorated.
      */
     boolean isEncryptedString(String str);
 
     /**
-     * return string inside decorations
+     * Remove decorations from string, if it was decorated.
      *
-     * @param str decorated string
-     * @return undecorated str
-     * @throws PlexusCipherException if decryption fails
+     * @throws PlexusCipherException is string is malformed
      */
     String unDecorate(String str) throws PlexusCipherException;
 
     /**
-     * decorated given string with { and }
-     *
-     * @param str string to decorate
-     * @return decorated str
+     * Decorates given string.
      */
     String decorate(String str);
 }
diff --git a/src/main/java/org/codehaus/plexus/components/cipher/internal/AESGCMNoPadding.java b/src/main/java/org/codehaus/plexus/components/cipher/internal/AESGCMNoPadding.java
@@ -0,0 +1,107 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+ */
+
+package org.codehaus.plexus.components.cipher.internal;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.inject.Named;
+import javax.inject.Singleton;
+
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+import java.util.Base64;
+
+import org.codehaus.plexus.components.cipher.PlexusCipherException;
+
+@Singleton
+@Named(AESGCMNoPadding.CIPHER_ALG)
+public class AESGCMNoPadding implements org.codehaus.plexus.components.cipher.internal.Cipher {
+    public static final String CIPHER_ALG = "AES/GCM/NoPadding";
+
+    private static final int TAG_LENGTH_BIT = 128;
+    private static final int IV_LENGTH_BYTE = 12;
+    private static final int SALT_LENGTH_BYTE = 16;
+    private static final int PBE_ITERATIONS = 310000;
+    private static final int PBE_KEY_SIZE = SALT_LENGTH_BYTE * 16;
+    private static final String KEY_FACTORY = "PBKDF2WithHmacSHA512";
+    private static final String KEY_ALGORITHM = "AES";
+
+    @Override
+    public String encrypt(String clearText, String password) throws PlexusCipherException {
+        try {
+            byte[] salt = getRandomNonce(SALT_LENGTH_BYTE);
+            byte[] iv = getRandomNonce(IV_LENGTH_BYTE);
+            SecretKey secretKey = getAESKeyFromPassword(password.toCharArray(), salt);
+            Cipher cipher = Cipher.getInstance(CIPHER_ALG);
+            cipher.init(Cipher.ENCRYPT_MODE, secretKey, new GCMParameterSpec(TAG_LENGTH_BIT, iv));
+            byte[] cipherText = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
+            byte[] cipherTextWithIvSalt = ByteBuffer.allocate(iv.length + salt.length + cipherText.length)
+                    .put(iv)
+                    .put(salt)
+                    .put(cipherText)
+                    .array();
+            return Base64.getEncoder().encodeToString(cipherTextWithIvSalt);
+        } catch (Exception e) {
+            throw new PlexusCipherException("Failed encrypting", e);
+        }
+    }
+
+    @Override
+    public String decrypt(String encryptedText, String password) throws PlexusCipherException {
+        try {
+            byte[] material = Base64.getDecoder().decode(encryptedText.getBytes(StandardCharsets.UTF_8));
+            ByteBuffer buffer = ByteBuffer.wrap(material);
+            byte[] iv = new byte[IV_LENGTH_BYTE];
+            buffer.get(iv);
+            byte[] salt = new byte[SALT_LENGTH_BYTE];
+            buffer.get(salt);
+            byte[] cipherText = new byte[buffer.remaining()];
+            buffer.get(cipherText);
+            SecretKey secretKey = getAESKeyFromPassword(password.toCharArray(), salt);
+            Cipher cipher = Cipher.getInstance(CIPHER_ALG);
+            cipher.init(Cipher.DECRYPT_MODE, secretKey, new GCMParameterSpec(TAG_LENGTH_BIT, iv));
+            byte[] plainText = cipher.doFinal(cipherText);
+            return new String(plainText, StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            throw new PlexusCipherException("Failed decrypting", e);
+        }
+    }
+
+    private static byte[] getRandomNonce(int numBytes) throws NoSuchAlgorithmException {
+        byte[] nonce = new byte[numBytes];
+        SecureRandom.getInstanceStrong().nextBytes(nonce);
+        return nonce;
+    }
+
+    private static SecretKey getAESKeyFromPassword(char[] password, byte[] salt)
+            throws NoSuchAlgorithmException, InvalidKeySpecException {
+        SecretKeyFactory factory = SecretKeyFactory.getInstance(KEY_FACTORY);
+        KeySpec spec = new PBEKeySpec(password, salt, PBE_ITERATIONS, PBE_KEY_SIZE);
+        return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), KEY_ALGORITHM);
+    }
+}
diff --git a/src/main/java/org/codehaus/plexus/components/cipher/internal/Cipher.java b/src/main/java/org/codehaus/plexus/components/cipher/internal/Cipher.java
@@ -0,0 +1,37 @@
+/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+ */
+
+package org.codehaus.plexus.components.cipher.internal;
+
+import org.codehaus.plexus.components.cipher.PlexusCipherException;
+
+/**
+ * Cipher interface.
+ */
+public interface Cipher {
+    /**
+     * Encrypts the clear text data with password and returns result.
+     */
+    String encrypt(final String clearText, final String password) throws PlexusCipherException;
+
+    /**
+     * Decrypts the encrypted text with password and returns clear text result.
+     */
+    String decrypt(final String encryptedText, final String password) throws PlexusCipherException;
+}