restructure key encryption/decryption functions

Author: yasithdev

airavata-api/src/main/java/org/apache/airavata/common/utils/KeyStorePasswordCallback.java

@@ -55,7 +55,7 @@ public interface KeyStorePasswordCallback {
      * Instead of the actual file.
      * @return The password to open the keystore.
      */
-    char[] getStorePassword() throws RuntimeException;
+    char[] getStorePassword();
 
     /**
      * Caller should implement the interface. Should return the pass phrase for

airavata-api/src/main/java/org/apache/airavata/common/utils/SecurityUtil.java

@@ -20,10 +20,12 @@
 package org.apache.airavata.common.utils;
 
 import java.io.*;
+import java.nio.ByteBuffer;
 import java.security.*;
 import java.security.cert.CertificateException;
+import java.util.Arrays;
 import javax.crypto.Cipher;
-import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.GCMParameterSpec;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -34,54 +36,19 @@ public class SecurityUtil {
 
     public static final String PASSWORD_HASH_METHOD_PLAINTEXT = "PLAINTEXT";
     public static final String CHARSET_ENCODING = "UTF-8";
-    public static final String PADDING_MECHANISM = "AES/CBC/PKCS5Padding";
+    public static final String CIPHER_NAME = "AES/GCM/NoPadding";
+    public static final int GCM_IV_BYTES = 12; // 96 bits
+    public static final int GCM_TAG_BITS = 128;
 
     private static final Logger logger = LoggerFactory.getLogger(SecurityUtil.class);
 
-    public static byte[] encryptString(
-            String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback, String value)
-            throws GeneralSecurityException, IOException {
-        return encrypt(keyStorePath, keyAlias, passwordCallback, value.getBytes(CHARSET_ENCODING));
-    }
-
-    public static byte[] encrypt(
-            String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback, byte[] value)
-            throws GeneralSecurityException, IOException {
-
-        Key secretKey = getSymmetricKey(keyStorePath, keyAlias, passwordCallback);
-
-        Cipher cipher = Cipher.getInstance(PADDING_MECHANISM);
-        cipher.init(Cipher.ENCRYPT_MODE, secretKey, new IvParameterSpec(new byte[16]));
-        return cipher.doFinal(value);
-    }
-
-    private static Key getSymmetricKey(String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback)
+    public static Key getSymmetricKey(String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback)
             throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException,
                     UnrecoverableKeyException {
         KeyStore ks = SecurityUtil.loadKeyStore(keyStorePath, passwordCallback);
         return ks.getKey(keyAlias, passwordCallback.getSecretKeyPassPhrase(keyAlias));
     }
 
-    public static byte[] decrypt(
-            String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback, byte[] encrypted)
-            throws GeneralSecurityException, IOException {
-
-        Key secretKey = getSymmetricKey(keyStorePath, keyAlias, passwordCallback);
-
-        Cipher cipher = Cipher.getInstance(PADDING_MECHANISM);
-        cipher.init(Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(new byte[16]));
-
-        return cipher.doFinal(encrypted);
-    }
-
-    public static String decryptString(
-            String keyStorePath, String keyAlias, KeyStorePasswordCallback passwordCallback, byte[] encrypted)
-            throws GeneralSecurityException, IOException {
-
-        byte[] decrypted = decrypt(keyStorePath, keyAlias, passwordCallback, encrypted);
-        return new String(decrypted, CHARSET_ENCODING);
-    }
-
     public static KeyStore loadKeyStore(String keyStoreFilePath, KeyStorePasswordCallback passwordCallback)
             throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
 
@@ -93,4 +60,32 @@ public static KeyStore loadKeyStore(String keyStoreFilePath, KeyStorePasswordCal
         }
         return KeyStore.getInstance(keystoreFile, passwordCallback.getStorePassword());
     }
+
+    public static byte[] encrypt(byte[] data, Key key) throws GeneralSecurityException {
+        // Initialize the cipher
+        var cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
+        cipher.init(Cipher.ENCRYPT_MODE, key);
+        var iv = cipher.getIV();
+        // Encrypt the data
+        var encryptedData = cipher.doFinal(data);
+        // Construct tag [iv,encryptedData]
+        var tag = ByteBuffer.allocate(iv.length + encryptedData.length)
+                .put(iv)
+                .put(encryptedData)
+                .array();
+        return tag;
+    }
+
+    public static byte[] decrypt(byte[] tag, Key key) throws GeneralSecurityException {
+        // Deconstruct tag [iv,encryptedData]
+        var iv = Arrays.copyOfRange(tag, 0, GCM_IV_BYTES);
+        var encryptedData = Arrays.copyOfRange(tag, GCM_IV_BYTES, tag.length);
+        // Initialize the cipher
+        var cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
+        var spec = new GCMParameterSpec(GCM_TAG_BITS, iv);
+        cipher.init(Cipher.DECRYPT_MODE, key, spec);
+        // Decrypt the data
+        var data = cipher.doFinal(encryptedData);
+        return data;
+    }
 }

airavata-api/src/main/java/org/apache/airavata/credential/store/utils/CredentialSerializationUtils.java

@@ -20,16 +20,16 @@
 package org.apache.airavata.credential.store.utils;
 
 import java.io.*;
-import java.security.KeyStore;
 import java.security.SecureRandom;
 import java.util.Base64;
-import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.airavata.common.exception.ApplicationSettingsException;
 import org.apache.airavata.common.utils.ApplicationSettings;
 import org.apache.airavata.common.utils.DefaultKeyStorePasswordCallback;
+import org.apache.airavata.common.utils.KeyStorePasswordCallback;
+import org.apache.airavata.common.utils.SecurityUtil;
 import org.apache.airavata.credential.store.credential.Credential;
 import org.apache.airavata.credential.store.store.CredentialStoreException;
 import org.slf4j.Logger;
@@ -102,30 +102,9 @@ public static Credential deserializeCredential(byte[] serializedCredential) thro
      */
     public static byte[] serializeCredentialWithEncryption(Credential credential) throws CredentialStoreException {
         try {
-            // First serialize the credential
             byte[] serializedCredential = serializeCredential(credential);
-
-            // Get the secret key from keystore
             SecretKey secretKey = getSecretKeyFromKeyStore();
-
-            // Use AES/CBC/PKCS5Padding to ensure IV is used and generated
-            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
-            byte[] encryptedData = cipher.doFinal(serializedCredential);
-
-            // Get the IV (should not be null)
-            byte[] iv = cipher.getIV();
-            if (iv == null) {
-                throw new CredentialStoreException("IV is null after cipher initialization");
-            }
-
-            // Combine IV and encrypted data
-            byte[] combined = new byte[iv.length + encryptedData.length];
-            System.arraycopy(iv, 0, combined, 0, iv.length);
-            System.arraycopy(encryptedData, 0, combined, iv.length, encryptedData.length);
-
-            return combined;
-
+            return SecurityUtil.encrypt(serializedCredential, secretKey);
         } catch (Exception e) {
             logger.error("Error encrypting credential", e);
             throw new CredentialStoreException("Error encrypting credential", e);
@@ -141,21 +120,8 @@ public static byte[] serializeCredentialWithEncryption(Credential credential) th
     public static Credential deserializeCredentialWithDecryption(byte[] encryptedCredential)
             throws CredentialStoreException {
         try {
-            // Get the secret key from keystore
             SecretKey secretKey = getSecretKeyFromKeyStore();
-
-            // Extract IV and encrypted data
-            byte[] iv = new byte[16]; // AES IV size
-            byte[] encryptedData = new byte[encryptedCredential.length - 16];
-            System.arraycopy(encryptedCredential, 0, iv, 0, 16);
-            System.arraycopy(encryptedCredential, 16, encryptedData, 0, encryptedData.length);
-
-            // Decrypt the data
-            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-            cipher.init(Cipher.DECRYPT_MODE, secretKey, new javax.crypto.spec.IvParameterSpec(iv));
-            byte[] decryptedData = cipher.doFinal(encryptedData);
-
-            // Deserialize the decrypted data
+            byte[] decryptedData = SecurityUtil.decrypt(encryptedCredential, secretKey);
             return deserializeCredential(decryptedData);
 
         } catch (Exception e) {
@@ -177,25 +143,9 @@ public static byte[] serializeCredentialWithEncryption(
             Credential credential, String keystorePath, String keyAlias, KeyStorePasswordCallback passwordCallback)
             throws CredentialStoreException {
         try {
-            // First serialize the credential
             byte[] serializedCredential = serializeCredential(credential);
-
-            // Get the secret key from custom keystore
             SecretKey secretKey = getSecretKeyFromCustomKeyStore(keystorePath, keyAlias, passwordCallback);
-
-            // Encrypt the serialized data
-            Cipher cipher = Cipher.getInstance("AES");
-            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
-            byte[] encryptedData = cipher.doFinal(serializedCredential);
-
-            // Combine IV and encrypted data
-            byte[] iv = cipher.getIV();
-            byte[] combined = new byte[iv.length + encryptedData.length];
-            System.arraycopy(iv, 0, combined, 0, iv.length);
-            System.arraycopy(encryptedData, 0, combined, iv.length, encryptedData.length);
-
-            return combined;
-
+            return SecurityUtil.encrypt(serializedCredential, secretKey);
         } catch (Exception e) {
             logger.error("Error encrypting credential with custom keystore", e);
             throw new CredentialStoreException("Error encrypting credential with custom keystore", e);
@@ -215,23 +165,9 @@ public static Credential deserializeCredentialWithDecryption(
             byte[] encryptedCredential, String keystorePath, String keyAlias, KeyStorePasswordCallback passwordCallback)
             throws CredentialStoreException {
         try {
-            // Get the secret key from custom keystore
             SecretKey secretKey = getSecretKeyFromCustomKeyStore(keystorePath, keyAlias, passwordCallback);
-
-            // Extract IV and encrypted data
-            byte[] iv = new byte[16]; // AES IV size
-            byte[] encryptedData = new byte[encryptedCredential.length - 16];
-            System.arraycopy(encryptedCredential, 0, iv, 0, 16);
-            System.arraycopy(encryptedCredential, 16, encryptedData, 0, encryptedData.length);
-
-            // Decrypt the data
-            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-            cipher.init(Cipher.DECRYPT_MODE, secretKey, new javax.crypto.spec.IvParameterSpec(iv));
-            byte[] decryptedData = cipher.doFinal(encryptedData);
-
-            // Deserialize the decrypted data
+            byte[] decryptedData = SecurityUtil.decrypt(encryptedCredential, secretKey);
             return deserializeCredential(decryptedData);
-
         } catch (Exception e) {
             logger.error("Error decrypting credential with custom keystore", e);
             throw new CredentialStoreException("Error decrypting credential with custom keystore", e);
@@ -244,12 +180,7 @@ public static Credential deserializeCredentialWithDecryption(
      * @throws Exception if key retrieval fails
      */
     private static SecretKey getSecretKeyFromKeyStore() throws Exception {
-        KeyStore keyStore = KeyStore.getInstance("JKS");
-        try (FileInputStream fis = new FileInputStream(KEYSTORE_PATH)) {
-            keyStore.load(fis, KEYSTORE_PASSWORD_CALLBACK.getStorePassword());
-        }
-
-        return (SecretKey) keyStore.getKey(KEY_ALIAS, KEYSTORE_PASSWORD_CALLBACK.getSecretKeyPassPhrase(KEY_ALIAS));
+        return (SecretKey) SecurityUtil.getSymmetricKey(KEYSTORE_PATH, KEY_ALIAS, KEYSTORE_PASSWORD_CALLBACK);
     }
 
     /**
@@ -262,12 +193,7 @@ private static SecretKey getSecretKeyFromKeyStore() throws Exception {
      */
     private static SecretKey getSecretKeyFromCustomKeyStore(
             String keystorePath, String keyAlias, KeyStorePasswordCallback passwordCallback) throws Exception {
-        KeyStore keyStore = KeyStore.getInstance("JKS");
-        try (FileInputStream fis = new FileInputStream(keystorePath)) {
-            keyStore.load(fis, passwordCallback.getStorePassword());
-        }
-
-        return (SecretKey) keyStore.getKey(keyAlias, passwordCallback.getSecretKeyPassPhrase(keyAlias));
+        return (SecretKey) SecurityUtil.getSymmetricKey(keystorePath, keyAlias, passwordCallback);
     }
 
     /**
@@ -299,13 +225,4 @@ public static SecretKey stringToSecretKey(String keyString) {
         byte[] keyBytes = Base64.getDecoder().decode(keyString);
         return new SecretKeySpec(keyBytes, "AES");
     }
-
-    /**
-     * Interface for keystore password callbacks.
-     */
-    public interface KeyStorePasswordCallback {
-        char[] getStorePassword();
-
-        char[] getSecretKeyPassPhrase(String keyAlias);
-    }
 }

airavata-api/src/test/java/org/apache/airavata/common/utils/SecurityUtilTest.java

@@ -38,19 +38,19 @@ public class SecurityUtilTest {
     public void testEncryptString() throws Exception {
 
         String stringToEncrypt = "Test string to encrypt";
-        byte[] encrypted =
-                SecurityUtil.encryptString(keyStorePath, "mykey", new TestKeyStoreCallback(), stringToEncrypt);
-
-        String decrypted = SecurityUtil.decryptString(keyStorePath, "mykey", new TestKeyStoreCallback(), encrypted);
+        var key = SecurityUtil.getSymmetricKey(keyStorePath, "mykey", new TestKeyStoreCallback());
+        byte[] encrypted = SecurityUtil.encrypt(stringToEncrypt.getBytes(StandardCharsets.UTF_8), key);
+        String decrypted = new String(SecurityUtil.decrypt(encrypted, key));
         assertEquals(stringToEncrypt, decrypted);
     }
 
     @Test
     public void testEncryptBytes() throws Exception {
         String stringToEncrypt = "Test string to encrypt";
         byte[] plaintext = stringToEncrypt.getBytes(StandardCharsets.UTF_8);
-        byte[] encrypted = SecurityUtil.encrypt(keyStorePath, "mykey", new TestKeyStoreCallback(), plaintext);
-        byte[] decrypted = SecurityUtil.decrypt(keyStorePath, "mykey", new TestKeyStoreCallback(), encrypted);
+        var key = SecurityUtil.getSymmetricKey(keyStorePath, "mykey", new TestKeyStoreCallback());
+        byte[] encrypted = SecurityUtil.encrypt(plaintext, key);
+        byte[] decrypted = SecurityUtil.decrypt(encrypted, key);
         assertEquals(plaintext, decrypted);
     }
 

airavata-api/src/test/java/org/apache/airavata/credential/store/store/impl/db/CredentialsDAOTest.java

@@ -35,6 +35,7 @@
 import org.apache.airavata.common.utils.DBUtil;
 import org.apache.airavata.common.utils.DatabaseTestCases;
 import org.apache.airavata.common.utils.DerbyUtil;
+import org.apache.airavata.common.utils.KeyStorePasswordCallback;
 import org.apache.airavata.credential.store.credential.CommunityUser;
 import org.apache.airavata.credential.store.credential.CredentialOwnerType;
 import org.apache.airavata.credential.store.credential.impl.certificate.CertificateCredential;
@@ -320,7 +321,7 @@ public void testSerializationWithEncryption() throws CredentialStoreException, U
         assertTrue(Arrays.equals(privateKey.getEncoded(), newKey.getEncoded()));
     }
 
-    private class TestACSKeyStoreCallback implements CredentialSerializationUtils.KeyStorePasswordCallback {
+    private class TestACSKeyStoreCallback implements KeyStorePasswordCallback {
 
         @Override
         public char[] getStorePassword() {