dsyer / spring-security-rsa Goto Github PK

License: Apache License 2.0

Java 100.00%

spring-security-rsa's Introduction

This little project provides some RSA extensions to the base spring-security-crypto library. Currently supported: encryption and decryption with 2 algorithms wrapped up in the Spring Security Crypto interfaces TextEncryptor and BytesEncryptor. Example round trip:

TextEncryptor encryptor = new RsaSecretEncryptor();
String cipher = encryptor.encrypt("my message");
String message = encryptor.decrypt(cipher);

Above we create an encryptor with a random RSA key (the default constructor), and use it to encrypt and then decrypt a message. the default constructor is useful for testing, but for more durable use cases you can inject a private key or a KeyPair using the other constructors.

The encryption algorithm in the RsaSecretEncryptor is to generate a random 16-byte password, and use that to encrypt the message. The password is then itself RSA encrypted and prepended to the cipher text. The cipher test is base64 encoded (if using the TextEncryptor interface).

The other algorithm is in the RsaRawEncryptor which does raw RSA encryption on the whole message. We recommend the RsaSecretEncryptor.

N.B. if you need RSA signing and verification there are utilities already available in spring-security-jwt.

Important Prerequisites: to use Spring Security RSA you need the full-strength JCE installed in your JVM (it's not there by default). You can download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Oracle, and follow instructions for installation (essentially replace the 2 policy files in the JRE lib/security directory with the ones that you downloaded).

spring-security-rsa's People

Contributors

Stargazers

Watchers

Forkers

benkiefer oucem albertoesteva88 sangkyunyoon albertoesteva2288 amritpk omidp wl4g-collect tysewyn taylorono yjzqv spencergibb yimao mosidev jakenleee rworsnop olgamaciaszek ryanjbaxter worldsoldier

spring-security-rsa's Issues

Update bouncycastle

Latest Version of bcpkix-jdk15on is 1.70 (currently 1.69 is used):

But apparently it is time to switch to bcpkix-jdk18on, because bouncy castle compiles for java8 in its pom anyway. bcpkix-jdk18on seems to be better maintained.

Add support for OAEP padding

http://docs.oracle.com/javase/7/docs/api/javax/crypto/spec/OAEPParameterSpec.html

RSA Raw encryptor not able to decrypt its own encrypted text

Hello, I'm using spring-security-rsa version 1.0.9.RELEASE with Spring boot 2.2.2 but I'm unable to successfully encrypt and decrypt a simple string using the RsaRawEncryptor while using RsaSecretEncryptor it works correctly. This are my two test encryptors:

@Bean
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textEncryptor() {
  log.info("Private key provided in properties file to encrypt text");
  return new RsaSecretEncryptor(keyProperties.getPrivateKey());
}

@Bean("raw")
@ConditionalOnProperty(prefix = "cipher.key", name = "private-key")
public TextEncryptor textRawEncryptor() {
  log.info("Private key provided in properties file to encrypt text");
  return new RsaRawEncryptor(keyProperties.getPrivateKey());
}

And this is my simple test:

@Test
  public void encryptorTest() {
    String test = "test";
    String encrypted = textEncryptor.encrypt(test);
    String decrypted = textEncryptor.decrypt(encrypted);
    assertEquals(test, decrypted);
  }

Now if I inject the default encryptor (the RsaSecretEncryptor one) into my code the test passes, however, if I inject the RsaRawEncryptor one I get the following exception:

java.lang.IllegalStateException: Cannot decrypt

	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:160)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:113)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:102)
	at com.test.encryptorTest(EncryptorTest.java:199)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:74)
	at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:84)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75)
	at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86)
	at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61)
	at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
	at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33)
	at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:230)
	at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:58)
Caused by: javax.crypto.BadPaddingException: Decryption error
	at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:383)
	at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:294)
	at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:363)
	at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:389)
	at javax.crypto.Cipher.doFinal(Cipher.java:2047)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.decrypt(RsaRawEncryptor.java:151)
	... 34 more

Shouldn't both work well with the same keypair?

Enhancement: Configurable keystore type

I found the keystore.type "jks" hard coded in the KeyStoreKeyFactory.getKeyPair(..) method. Is it possible to make the keystore.type configurable?
For example via the existing:
encrypt:
__keyStore:
____type: "jceks"

CVE-2023-33201 - bcprov-jdk15on

At the moment if we look into spring-cloud-sleuth dependency tree we would have something like this.

A CVE was created related to the bcprov-jdk15on version.
I reached out to their team and this dependency was split.

I would love it if you guys took this into consideration since bcprov-jdk15on is no longer supported.

Thank you!

Critical vulnerabilities brought by Bouncycastle 1.64

hi,
I'm using spring-cloud-starter which brings spring-security-rsa-1.0.9.RELEASE component
which in turns depends on bcprov-jdk15on-1.64

Unfortunately, the bouncycastle dependency is bring 2 critical security vulnerabilities

Any chance to have those fixed in near future ?
Thank you.

Move to spring related org/project

Since this is a required dependency of spring-cloud-commons.

Upgrade Bouncy Castle due to CVE-2015-7940

There is an open vulnerability on bouncycastle versions before 1.51.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940

Base64 exception

I am using openssl:

openssl genrsa -out private.pem 1024

to generate rsa private key. And then read the file to create RsaRawEncryptor object, but it throw a exception:

Exception in thread "main" java.lang.IllegalArgumentException: Illegal base64 character a
	at java.util.Base64$Decoder.decode0(Base64.java:714)
	at java.util.Base64$Decoder.decode(Base64.java:526)
	at org.springframework.util.Base64Utils.decode(Base64Utils.java:59)
	at org.springframework.security.rsa.crypto.RsaKeyHelper.base64Decode(RsaKeyHelper.java:133)
	at org.springframework.security.rsa.crypto.RsaKeyHelper.parseKeyPair(RsaKeyHelper.java:78)
	at org.springframework.security.rsa.crypto.RsaRawEncryptor.<init>(RsaRawEncryptor.java:67)
	at com.mofeng.admin.util.RsaUtils.<init>(RsaUtils.java:29)
	at com.mofeng.admin.util.RsaUtils.main(RsaUtils.java:48)

With the help of search engine, i find the reason:

java.util.Base64 can not support the content contain newline.

But the format of private key file seen like:

-----BEGIN RSA PRIVATE KEY-----
something......\n
something......\n
......
-----END RSA PRIVATE KEY-----

if the developer did not modify the file content, it will contain newline.

I solve this problem by:

pemData = pemData.replaceAll("[\n|\r]", "");

But i think load the native file is a common usage. It is best to handle this situation.

Add support for AES/GCM (via Spring Security Crypto)

See https://jira.spring.io/browse/SEC-3002

Using "bcpkix" dependency is more than needed

All the usages of bouncycastle classes are in the "bcprov" lib, so using "bcpkix" is more than needed.

Update to Bouncycastle 1.78

Background

spring-security-rsa 1.1.2

Compile dependency bcprov-jdk18on 1.77 has a recently published CVE.

Please upgrade dependency bcprov-jdk18on to 1.78 or above in spring-security-rsa.

Related tickets:

Is this going to be an official project?

Hi
Do you have a plan to promote spring-security-rsa to spring-security's project?
This project is used by spring-cloud-common.
I wonder why this is not under the spring-security.

I would like to use official RsaSecretEncryptor.
I hope this project to be managed by Spring IO Platform.

Update bouncycastle version to 1.59

Please update bouncycastle version to 1.59