1 /*
2  *  Make.org Core API
3  *  Copyright (C) 2018 Make.org
4  *
5  * This program is free software: you can redistribute it and/or modify
6  *  it under the terms of the GNU Affero General Public License as
7  *  published by the Free Software Foundation, either version 3 of the
8  *  License, or (at your option) any later version.
9  *
10  *  This program is distributed in the hope that it will be useful,
11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  *  GNU Affero General Public License for more details.
14  *
15  *  You should have received a copy of the GNU Affero General Public License
16  *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
17  *
18  */
19 
20 package org.make.api.technical.security
21 
22 import grizzled.slf4j.Logging
23 import org.make.api.technical.Base64Encoding
24 
25 import java.nio.ByteBuffer
26 import java.nio.charset.StandardCharsets
27 import java.security.SecureRandom
28 import javax.crypto.spec.{GCMParameterSpec, SecretKeySpec}
29 import javax.crypto.Cipher
30 import scala.util.{Failure, Success, Try}
31 
32 trait AESEncryptionComponent {
33   def aesEncryption: AESEncryption
34 }
35 
36 trait AESEncryption {
37   def encryptToken(token: Array[Byte]): Array[Byte]
38   def decryptToken(buffer: Array[Byte]): Array[Byte]
39   def encryptAndEncode(token: String): String
40   def decodeAndDecrypt(token: String): Try[String]
41 }
42 
43 trait DefaultAESEncryptionComponent extends AESEncryptionComponent {
44   this: SecurityConfigurationComponent with Logging =>
45 
46   override lazy val aesEncryption: DefaultAESEncryption = new DefaultAESEncryption
47   val random = new SecureRandom()
48 
49   class DefaultAESEncryption extends AESEncryption {
50     private val EncryptionAlgorithm: String = "AES/GCM/NoPadding"
51     private val TagLengthBit: Int = 128
52     private val IvSize = 16
53 
54     @SuppressWarnings(Array("org.wartremover.warts.Throw"))
55     val secretKey: SecretKeySpec = {
56       Base64Encoding.decode(securityConfiguration.aesSecretKey) match {
57         case Success(key) => new SecretKeySpec(key, "AES")
58         case Failure(exception) =>
59           logger.error("Cannot decode aes secret key. Key might contain an invalid Base64 format.")
60           throw exception
61       }
62     }
63 
64     override def encryptToken(token: Array[Byte]): Array[Byte] = {
65       val cipher: Cipher = Cipher.getInstance(EncryptionAlgorithm)
66       val iv = newIV()
67       cipher.init(Cipher.ENCRYPT_MODE, secretKey, new GCMParameterSpec(TagLengthBit, iv))
68       val encryptedText = cipher.doFinal(token)
69       ByteBuffer.allocate(iv.length + encryptedText.length).put(iv).put(encryptedText).array()
70     }
71 
72     override def decryptToken(token: Array[Byte]): Array[Byte] = {
73       val buffer = ByteBuffer.wrap(token)
74       val iv = Array.ofDim[Byte](IvSize)
75       buffer.get(iv)
76       val encryptedText = Array.ofDim[Byte](buffer.remaining())
77       buffer.get(encryptedText)
78       val cipher: Cipher = Cipher.getInstance(EncryptionAlgorithm)
79       cipher.init(Cipher.DECRYPT_MODE, secretKey, new GCMParameterSpec(TagLengthBit, iv))
80       cipher.doFinal(encryptedText)
81     }
82 
83     private def newIV(): Array[Byte] = {
84       val buffer = Array.ofDim[Byte](IvSize)
85       random.nextBytes(buffer)
86       buffer
87     }
88 
89     override def encryptAndEncode(token: String): String = {
90       val encryptedToken = encryptToken(token.getBytes(StandardCharsets.UTF_8))
91       Base64Encoding.encode(encryptedToken)
92     }
93 
94     override def decodeAndDecrypt(token: String): Try[String] = {
95       Base64Encoding
96         .decode(token)
97         .map(tokenDecoded => new String(decryptToken(tokenDecoded), StandardCharsets.UTF_8))
98     }
99   }
100 }