java source code of PrivateKeyEventDecryptor

xyz-hub-master
- .github
  - CODEOWNERS
- docker-compose-dynamodb.yml
- intellij-style.xml
- xyz-psql-connector
  - src
    - main
      - resources
        xyz_ext.sql
        log4j2.properties
        h3Core.sql
      - java
        com
        here
        xyz
        psql
        ECPSTool.java
        PSQLConfig.java
        DatabaseTransactionalWriter.java
        DatabaseStreamWriter.java
        DatabaseMaintainer.java
        DatabaseHandler.java
        DatabaseWriter.java
        PSQLXyzConnector.java
        SQLQueryBuilder.java
        factory
        QuadbinSQL.java
        TweaksSQL.java
        MaintenanceSQL.java
        H3SQL.java
        SQLQuery.java
        Capabilities.java
    - test
      - resources
        events
        InsertNullGeometry.json
        InsertFeaturesEvent.json
        LoadFeaturesEvent.json
        SearchForFeaturesByPropertiesEvent.json
        DeleteSpaceEvent.json
        InsertFeaturesForSearchTestEvent.json
        CountFeaturesEvent.json
        GetFeaturesByIdEvent.json
        BasicSearchByPropertiesAndTagsEvent.json
        InsertFeaturesEventWithHash.json
        TestCreateTable.json
        DeleteFeaturesByTagEvent.json
        InsertFeaturesEventTransactional.json
        UpsertFeaturesEvent.json
        IterateMySpace.json
        SearchForFeaturesEvent.json
        HealthCheckEvent.json
      - java
        com
        here
        xyz
        psql
        GSContext.java
        PSQLXyzConnectorIT.java
  - pom.xml
  - LICENSE
- xyz-hub-test
  - src
    - test
      - resources
        auth
        ACCESS_OWNER_1_WITH_LIMITS.json
        ACCESS_OWNER_1_MANAGE_ALL_SPACES_ONLY.json
        ACCESS_OWNER_1_WITH_USE_CAPABILITIES_AND_ADMIN.json
        ACCESS_OWNER_1_WITH_PSQL.json
        ACCESS_OWNER_1_WITH_MANAGE_SPACES_PACKAGE_HERE.json
        ACCESS_OWNER_1_READ_ALL_FEATURES.json
        ACCESS_OWNER_1_MANAGE_PACKAGES_HERE_OSM.json
        ACCESS_OWNER_1_MANAGE_PACKAGES_HERE.json
        ACCESS_OWNER_1_WITH_USE_CAPABILITIES.json
        ACCESS_OWNER_1_WITH_FEATURES_MANAGE_ALL_SPACES.json
        ACCESS_OWNER_1_NO_ADMIN.json
        ACCESS_OWNER_1_ADMIN.json
        ACCESS_OWNER_1_WITH_ACCESS_CONNECTOR_RULE_TAGGER.json
        STORAGE_AUTH_TEST_PSQL_ONLY.json
        ACCESS_OWNER_3.json
        CONNECTOR_AUTH_TEST_C1_AND_C2.json
        ACCESS_OWNER_2_MANAGE_PACKAGES_HERE_OSM.json
        STORAGE_AUTH_TEST_C1_ONLY.json
        ACCESS_OWNER_3_WITH_CUSTOM_SPACE_IDS.json
        ACCESS_OWNER_1_READ_PACKAGES_HERE.json
        ACCESS_OWNER_1_MANAGE_PACKAGES_HERE_WITH_OWNER.json
        ACCESS_OWNER_1_READ_WRITE_PACKAGES_HERE.json
        ACCESS_OWNER_2.json
        ACCESS_OWNER_1_WITH_LISTENER.json
        ACCESS_ALL.json
        ACCESS_ADMIN_MESSAGING.json
        ACCESS_OWNER_1_WITH_FEATURES_ONLY.json
        NO_ACCESS.json
        ACCESS_OWNER_2_WITH_FEATURES_ADMIN_ALL_SPACES.json
        xyz
        hub
        createFeatureById.json
        createSpaceWithListener.json
        task
        FeatureSample01.json
        createSpacePsql.json
        publishSpace.json
        createSpaceWithFailingPreProcessor.json
        updateSpaceWithSearchableProperties.json
        processedData.json
        createSpaceWithUUID.json
        updateFeature.json
        updateFeatureById.json
        createSpaceWithCopyright.json
        emptyFeatureCollection.json
        createSpaceWithInvalidJson.json
        featureWithNumberId.json
        createSpaceWithoutId.json
        event
        loadFeaturesEvent.json
        createSpaceWithSearchableProperties.json
        updateSpaceWithSearchablePropertiesConnectorC1.json
        createSpaceWithSearchablePropertiesConnectorC1.json
        createSpaceWithUUIDAndParams.json
        createErrorTestSpace.json
        createSpace.json
        createSpaceWithNotAllowedStorage.json
        createSpaceWithProcessor.json
        updateSpaceWithDisabledUUID.json
        patchFeature.json
        auth
        createSpaceWithListener.json
        createSharedSpace.json
        createTestStorageSpace.json
        createCustomIdSpace.json
        createPsqlSpace.json
        createSpaceWithPackage.json
        createDefaultSpace.json
        createSpaceWithFailingAndErrorPreProcessor.json
        updateSpace.json
        createSpaceWithExceptionPreProcessor.json
      - java
        com
        here
        xyz
        hub
        task
        ModifyFeatureOpTest.java
        util
        LimitedQueueTest.java
        CompressionTest.java
        auth
        AuthTestsIT.java
        JWTPayloadTest.java
        XyzHubActionMatrixTest.java
        TestAuthenticator.java
        rest
        ReadFeatureApiIT.java
        TestWithSpaceCleanup.java
        StoreFeaturesApiIT.java
        PropertiesSearchIT.java
        AdminEventsApiIT.java
        CreateSpaceApiIT.java
        RestAssuredConfig.java
        AdminMessagesApiIT.java
        DeleteFeatureApiIT.java
        RestAssuredTest.java
        UpdateSpaceApiIT.java
        ErrorResponseTestIT.java
        ReadSpaceApiIT.java
        ModifySpaceApiIT.java
        ApiParamTest.java
        DeleteSpaceApiIT.java
        ModifyLargeDatasetsIT.java
        TestSpaceWithFeature.java
        UpdateFeatureApiIT.java
        LimitsTestIT.java
        TTLTestsIT.java
        ModifySpaceWithUUID.java
        SpecComplianceApiIT.java
        connectors
        MockedRemoteFunctionClient.java
        RFCMeasurement.java
  - pom.xml
  - LICENSE
- pom.xml
- xyz-models
  - src
    - main
      - java
        com
        here
        xyz
        Extensible.java
        LazyParsable.java
        models
        geojson
        declaration
        IBoundedCoordinates.java
        ILonLat.java
        implementation
        MultiPolygon.java
        MultiPoint.java
        Polygon.java
        LineString.java
        Geometry.java
        FeatureCollection.java
        MultiLineString.java
        GeometryCollection.java
        Point.java
        Properties.java
        Feature.java
        GeometryItem.java
        XyzNamespace.java
        coordinates
        PolygonCoordinates.java
        MultiPolygonCoordinates.java
        LineStringCoordinates.java
        JTSHelper.java
        PointCoordinates.java
        LinearRingCoordinates.java
        PositionList.java
        Position.java
        MultiPointCoordinates.java
        WKTHelper.java
        MultiLineStringCoordinates.java
        BBox.java
        HQuad.java
        exceptions
        InvalidGeometryException.java
        WebMercatorTile.java
        hub
        ConnectorSerializer.java
        Space.java
        ConnectorDeserializer.java
        XyzSerializable.java
        util
        Hasher.java
        responses
        XyzError.java
        XyzResponse.java
        ErrorResponse.java
        NotModifiedResponse.java
        ModifiedEventResponse.java
        StatisticsResponse.java
        ModifiedResponseResponse.java
        SuccessResponse.java
        HealthStatus.java
        CountResponse.java
        ModifiedPayloadResponse.java
        Typed.java
        Payload.java
        events
        QueryEvent.java
        ModifyFeaturesEvent.java
        CountFeaturesEvent.java
        IterateFeaturesEvent.java
        Event.java
        GetFeaturesByBBoxEvent.java
        PropertyQueryList.java
        GetStatisticsEvent.java
        TagsQuery.java
        PropertiesQuery.java
        ModifySpaceEvent.java
        GetFeaturesByTileEvent.java
        SearchForFeaturesEvent.java
        SpatialQueryEvent.java
        TagList.java
        LoadFeaturesEvent.java
        RelocatedEvent.java
        EventNotification.java
        TransformEvent.java
        HealthCheckEvent.java
        DeleteFeaturesByTagEvent.java
        PropertyQuery.java
        GetFeaturesByGeometryEvent.java
        GetFeaturesByIdEvent.java
    - test
      - resources
        com
        here
        xyz
        test
        SpaceWithNullListeners.json
        GetFeaturesByTileEvent.json
        one_feature.json
        nullFeature.json
        SpaceWithListenersAsMap.json
        processedData.json
        SpaceWithListenersAsList.json
        geometries.json
        SpaceWithListenersInStrangeOrder.json
        featureMissingType.json
        featureWithNumberId.json
        GetFeaturesByTileEvent3.json
        GetFeaturesByTileEvent2.json
        feature_example.json
        ErrorAsFeatureCollection.json
        feature_collection_example.json
      - java
        com
        here
        xyz
        JsonMappingTest.java
        models
        geojson
        WebMercatorTileTest.java
        implementation
        Test_NSxyz.java
        TestGeometry.java
        LazyParsedFeatureCollectionTest.java
        TestClone.java
        coordinates
        test
        JTSConverterTest.java
        BBoxTest.java
        events
        EventTest.java
  - pom.xml
  - LICENSE
- LICENSE
- CONTRIBUTING.md
- CHANGELOG.md
- .ort.yml
- .travis.yml
- README.md
- Dockerfile
- .gitignore
- xyz-hub-service
  - src
    - main
      - resources
        config.json
        build.properties
        log4j2-console-plain.json
        log4j2-docker-info.json
        log4j2.component.properties
        log4j2-docker.json
        auth
        dummyJwt.json
        jwt.key
        jwt.pub
        openapi.yaml
        connectors.json
        log4j2-docker-debug.json
        log4j2-console-json.json
      - java
        com
        here
        xyz
        hub
        Service.java
        task
        FeatureTaskHandler.java
        Task.java
        SpaceTaskHandler.java
        ModifyFeatureOp.java
        TaskPipeline.java
        ModifySpaceOp.java
        FeatureTask.java
        SpaceTask.java
        ModifyOp.java
        XYZHubRESTVerticle.java
        util
        health
        MainHealthCheck.java
        GroupedHealthCheck.java
        Config.java
        schema
        HTTPResultMapper.java
        Check.java
        Reporter.java
        Public.java
        Response.java
        ResponseSerializer.java
        Status.java
        checks
        FunctionCheck.java
        ExecutableCheck.java
        DynamoDBHealthCheck.java
        ServiceHealthCheck.java
        RedisHealthCheck.java
        RemoteFunctionHealthAggregator.java
        RemoteFunctionHealthCheck.java
        DBHealthCheck.java
        JDBCHealthCheck.java
        OpenApiTransformer.java
        ARN.java
        geo
        MapBoxVectorTileFlattenedBuilder.java
        MapBoxVectorTileBuilder.java
        GeoTools.java
        LimitedQueue.java
        diff
        Difference.java
        Patcher.java
        ConfigDecryptor.java
        Compression.java
        logging
        LogUtil.java
        AccessLog.java
        ByteSizeAware.java
        config
        InMemSpaceConfigClient.java
        InMemConnectorConfigClient.java
        Initializable.java
        JDBCConfig.java
        ConnectorConfigClient.java
        JDBCConnectorConfigClient.java
        JDBCSpaceConfigClient.java
        DynamoClient.java
        DynamoConnectorConfigClient.java
        DynamoSpaceConfigClient.java
        SpaceConfigClient.java
        cache
        RedisCacheClient.java
        CacheClient.java
        NoopCacheClient.java
        auth
        JWTURIHandler.java
        JwtGenerator.java
        Authorization.java
        XyzAuthProvider.java
        JwtDummyHandler.java
        ServiceMatrix.java
        FeatureAuthorization.java
        XYZUsageLimits.java
        JWTPayload.java
        XyzHubAttributeMap.java
        SpaceAuthorization.java
        ActionMatrix.java
        XyzHubActionMatrix.java
        AttributeMap.java
        rest
        health
        HealthApi.java
        FeatureApi.java
        admin
        Node.java
        messages
        brokers
        SnsMessageBroker.java
        RedisMessageBroker.java
        BroadcastLog.java
        RelayedMessage.java
        TestMessage.java
        AdminMessage.java
        MessageBroker.java
        ApiResponseType.java
        HttpException.java
        FeatureQueryApi.java
        Api.java
        ApiParam.java
        SpaceApi.java
        AdminApi.java
        connectors
        test
        ErrorPreProcessor.java
        ExceptionPreProcessor.java
        DummyListener.java
        DummyPreProcessor.java
        FailingPreProcessor.java
        TestStorageConnector.java
        models
        BinaryResponse.java
        Space.java
        Connector.java
        LambdaFunctionClient.java
        RemoteFunctionClient.java
        BurstAndUpdateThread.java
        HTTPFunctionClient.java
        EmbeddedFunctionClient.java
        RpcClient.java
  - pom.xml
  - LICENSE
- Dockerfile-postgres
- xyz-connectors
  - src
    - main
      - java
        com
        here
        xyz
        connectors
        SimulatedContext.java
        ListenerConnector.java
        StorageConnector.java
        ErrorResponseException.java
        ProcessorConnector.java
        NotificationParams.java
        mocks
        MockedListener.java
        MockedProcessor.java
        AbstractConnectorHandler.java
        decryptors
        PrivateKeyEventDecryptor.java
        EventDecryptor.java
        DummyDecryptor.java
        KmsEventDecryptor.java
        RelocationClient.java
    - test
      - java
        com
        here
        xyz
        connectors
        AbstractConnectorHandlerTest.java
  - pom.xml
  - LICENSE
- docker-compose.yml
- xyz.svg

/*
 * Copyright (C) 2017-2020 HERE Europe B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * License-Filename: LICENSE
 */

package com.here.xyz.connectors.decryptors;

import static java.nio.charset.StandardCharsets.UTF_8;

import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.LineNumberReader;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Iterator;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PSource.PSpecified;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class PrivateKeyEventDecryptor extends EventDecryptor {

  /**
   * Logger for the class
   */
  private static final Logger logger = LogManager.getLogger();

  /**
   * Environment variable for the file path to the private key in PKCS#8 PEM format.
   */
  public static final String ENV_PRIVATE_KEY = "PRIVATE_KEY_FILE";

  /**
   * The optional (but recommended) passphrase to decode the private key.
   */
  public static final String ENV_PRIVATE_KEY_PASSPHRASE = "PRIVATE_KEY_PASSPHRASE";

  /**
   * The algorithm used for decrypting the secrets.
   */
  public static final String ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
  /**
   * The algorithm for creating the private key.
   */
  public static final String RSA = "RSA";
  /**
   * Prefix for loading files from classpath.
   */
  private static final String CLASSPATH_PREFIX = "classpath:";
  /**
   * OAEP Padding specs for decrypting secrets.
   */
  private static final OAEPParameterSpec OAEP_PARAMS
      = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec("SHA-256"), PSpecified.DEFAULT);
  /**
   * The private key for decrypting secrets.
   */
  final private PrivateKey privateKey;

  /**
   * Default constructor to create a new EventDecryptor that takes
   * a private key for decrypting the secrets.
   *
   * For security reasons should the private key be encrypted
   * using PKCS#8 scheme.
   * This line converts an openssl private key to an usable, encrypted
   * PKCS#8 key:
   * openssl pkcs8 -topk8 -in private_key.pem  -v1 PBE-SHA1-3DES -out private_pkcs8.pem
   *
   * This is how you can encrypt a secret using openssl and the public key:
   * openssl pkeyutl -encrypt \
   *                 -inkey public_key.pem \
   *                 -pubin \
   *                 -in secret.txt \
   *                 -pkeyopt rsa_padding_mode:oaep \
   *                 -pkeyopt rsa_oaep_md:sha256 \
   *                 -pkeyopt rsa_mgf1_md:sha256
   *
   * Following environment variables need to be set to use this class:
   * - {@link com.here.xyz.connectors.AbstractConnectorHandler#ENV_DECRYPTOR}
   * - {@link #ENV_PRIVATE_KEY}
   * - {@link #ENV_PRIVATE_KEY_PASSPHRASE}
   */
  PrivateKeyEventDecryptor() {
    PrivateKey tmp;
    try {
      tmp = loadPrivateKey(System.getenv(ENV_PRIVATE_KEY), System.getenv(ENV_PRIVATE_KEY_PASSPHRASE));
    } catch (Exception e) {
      tmp = null;
      logger.error("Could not load the private key. Params will not be decrypted!", e);
    }
    privateKey = tmp;
  }

  /**
   * {@inheritDoc}
   */
  @Override
  public String decryptAsymmetric(final String encoded) {
    if (!isEncrypted(encoded)) {
      return encoded;
    }

    // we cannot decode the secret if no private key is set.
    if (privateKey == null) {
      return encoded;
    }

    String tmp = encoded.substring(2, encoded.length() - 2);

    try {
      Cipher cipher = Cipher.getInstance(ALGORITHM);
      cipher.init(Cipher.DECRYPT_MODE, privateKey, OAEP_PARAMS);

      byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(tmp));
      return new String(decryptedBytes, UTF_8);
    } catch (IllegalArgumentException e) {
      logger.warn("Could not Base64 decode value", e);
    } catch(Exception e) {
      logger.warn("Could not decrypt string.", e);
    }

    return encoded;
  }

  /**
   * Load the private key.
   *
   * @param filePath The file path to the private key in PKCS#8 PEM format
   * @param passphrase The optional passphrase to decode the private key (recommended).
   * @return Returns the {@link PrivateKey} or null if there a problem.
   */
  public static PrivateKey loadPrivateKey(final String filePath, final String passphrase) {
    if (filePath == null || filePath.isEmpty()) {
      return null;
    }

    Stream<String> lines;
    try {
      if (filePath.startsWith(CLASSPATH_PREFIX)) {
        InputStream is = PrivateKeyEventDecryptor.class.getResourceAsStream(filePath.substring(CLASSPATH_PREFIX.length()));
        lines = new LineNumberReader(new InputStreamReader(is)).lines();
      } else {
        lines = Files.newBufferedReader(Paths.get(filePath), UTF_8).lines();
      }
    } catch (NullPointerException | IOException e) {
      logger.error("Could not load private key from file path '" + filePath + "'", e);
      return null;
    }

    final StringBuilder privateKeyPEM = new StringBuilder();
    final Iterator<String> i = lines.iterator();
    if (i.hasNext()) {
      String header = i.next();
      if ("-----BEGIN PRIVATE KEY-----".equals(header)) {
        i.forEachRemaining(s -> {
          if (!"-----END PRIVATE KEY-----".equals(s)) {
            privateKeyPEM.append(s);
          }
        });
        return createPrivateKey(privateKeyPEM.toString());
      } else if("-----BEGIN ENCRYPTED PRIVATE KEY-----".equals(header)) {
        i.forEachRemaining(s -> {
          if (!"-----END ENCRYPTED PRIVATE KEY-----".equals(s)) {
            privateKeyPEM.append(s);
          }
        });
        return decryptPrivateKey(privateKeyPEM.toString(), passphrase);
      } else{
        logger.error("Unknown key format. Params will not be decrypted.");
        return null;
      }
    }
    logger.error("Empty key file. Params will not be decrypted.");
    return null;
  }

  /**
   * This method decrypts the private key that was encrypted using PKCS#8 scheme.
   *
   * @param pkcs8Data The private key in PEM format without header and footer.
   * @param passphrase The passphrase for decrypting the private key.
   * @return Returns the {@link PrivateKey} or null if there a problem.
   */
  public static PrivateKey decryptPrivateKey(final String pkcs8Data, final String passphrase) {
    if (passphrase == null || pkcs8Data == null) {
      logger.error("Could not create private key because passphrase or key is null");
      return null;
    }
    try {
      PBEKeySpec pbeSpec = new PBEKeySpec(passphrase.toCharArray());
      EncryptedPrivateKeyInfo pkinfo = new EncryptedPrivateKeyInfo(Base64.getDecoder().decode(pkcs8Data.getBytes(UTF_8)));
      SecretKeyFactory skf = SecretKeyFactory.getInstance(pkinfo.getAlgName());
      Key secret = skf.generateSecret(pbeSpec);
      PKCS8EncodedKeySpec keySpec = pkinfo.getKeySpec(secret);
      KeyFactory keyFactory = KeyFactory.getInstance(RSA);
      return keyFactory.generatePrivate(keySpec);
    } catch (Exception e) {
      logger.error("Could not create encrypted private key from environment variable", e);
      return null;
    }
  }

  /**
   * Try to create a RSA private key from a PKCS#8 PEM without header and footer.
   *
   * @param pkcs8Data The private key in PKCS#8 PEM format without header and footer.
   * @return Returns the {@link PrivateKey} or null if there was a problem.
   */
  public static PrivateKey createPrivateKey(final String pkcs8Data) {
    try {
      KeyFactory keyFactory = KeyFactory.getInstance(RSA);
      return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(pkcs8Data.getBytes(UTF_8))));
    } catch (Exception e) {
      logger.error("Could not create unencrypted private key from environment variable", e);
      return null;
    }
  }
}