Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use java.security classes in preference to string-wrappers #147

Merged

Conversation

rtyley
Copy link
Member

@rtyley rtyley commented Jun 27, 2024

This change deletes the PublicKey & PrivateKey classes in our com.gu.pandomainauth package, which were simple string-wrapper classes that held base64-encoded text representations of cryptographic keys.

The java.security classes PublicKey & PrivateKey already exist and, as they represent fully-decoded keys, don't need to be repeatedly decoded from strings the way we had to with our string-wrapper classes. Consequently, the signData() &verifySignature() methods on Crypto are now a bit simpler and more efficient.

We can also use the java.security.KeyPair class to represent the pair of public & private keys.

@rtyley rtyley changed the title Use java.security classes in preference to string-wrappers Use java.security classes in preference to string-wrappers Jun 27, 2024
@rtyley rtyley force-pushed the use-java.security-classes-in-preference-to-string-wrappers branch 4 times, most recently from c692194 to ff3b46f Compare June 28, 2024 18:05
Comment on lines -28 to +35
val privateKey = keyFactory.generatePrivate(new PKCS8EncodedKeySpec(decodeBase64(prvKey.key)))
rsa.initSign(privateKey)
rsa.initSign(prvKey)

rsa.update(data)
rsa.sign()
}

def verifySignature(data: Array[Byte], signature: Array[Byte], pubKey: PublicKey) : Boolean = {
val rsa = Signature.getInstance(signatureAlgorithm, "BC")
val publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(decodeBase64(pubKey.key)))
rsa.initVerify(publicKey)
rsa.initVerify(pubKey)
Copy link
Member Author

@rtyley rtyley Jun 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The signData() &verifySignature() methods on Crypto no longer need to repeatedly decode the base64-encoded strings, and so now are a bit simpler and more efficient.

Comment on lines -6 to +8
publicKey: PublicKey,
privateKey: PrivateKey,
signingKeyPair: KeyPair,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The signature of the PanDomainAuthSettings case class has changed here, but thankfully this won't affect consumers of this library, as they all use the companion apply() method that accepts settingMap: Map[String, String].

@rtyley rtyley marked this pull request as ready for review June 28, 2024 18:16
@rtyley rtyley requested a review from a team as a code owner June 28, 2024 18:16
This change deletes the `PublicKey` & `PrivateKey` classes in our
`com.gu.pandomainauth` package, which were simple string-wrapper classes that held
base64-encoded text representations of cryptographic keys.

The `java.security` classes `PublicKey` & `PrivateKey` already exist and, as they
represent fully-decoded keys, don't need to be _repeatedly_ decoded from strings the
way we had to with our string-wrapper classes. Consequently, the `signData()` &
`verifySignature()` methods on `Crypto` are now a bit simpler and more efficient.

We can also use the `java.security.KeyPair` class to represent the pair of public &
private keys.
@rtyley rtyley force-pushed the use-java.security-classes-in-preference-to-string-wrappers branch from ff3b46f to 72601f7 Compare July 23, 2024 15:04
Copy link
Member

@davidfurey davidfurey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me

@rtyley rtyley merged commit dffa722 into main Jul 24, 2024
4 checks passed
rtyley added a commit to guardian/login.gutools that referenced this pull request Aug 9, 2024
This is pretty minor change, but due to guardian/pan-domain-authentication#147
and guardian/pan-domain-authentication#153, there are a couple of changes required:

* imports for `PublicKey`
*
rtyley added a commit to guardian/login.gutools that referenced this pull request Aug 9, 2024
This is pretty minor change, but due to guardian/pan-domain-authentication#147
and guardian/pan-domain-authentication#153, there are a couple of changes required:

* imports for `PublicKey`
* `settings.privateKey` becomes `settings.signingKeyPair.getPrivate`
rtyley added a commit to guardian/login.gutools that referenced this pull request Aug 9, 2024
This is pretty minor change, but due to guardian/pan-domain-authentication#147
and guardian/pan-domain-authentication#153, there are a couple of changes required:

* imports for `PublicKey`
* `settings.privateKey` becomes `settings.signingKeyPair.getPrivate`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants