Merge pull request #31 from ebics-java/nonce-key-split

use different values for nonce and transaction key

Author: uwemaurer

src/main/java/org/kopi/ebics/certificate/KeyUtil.java

@@ -31,6 +31,7 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 import org.kopi.ebics.exception.EbicsException;
+import org.kopi.ebics.utils.Utils;
 
 /**
  * Some key utilities
@@ -50,15 +51,13 @@ private KeyUtil() {
    * @return KeyPair the key pair
    * @throws NoSuchAlgorithmException
    */
-  public static KeyPair makeKeyPair(int keyLen) throws NoSuchAlgorithmException{
+  public static KeyPair makeKeyPair(int keyLen) throws NoSuchAlgorithmException {
     KeyPairGenerator 		keyGen;
 
     keyGen = KeyPairGenerator.getInstance("RSA");
-    keyGen.initialize(keyLen, new SecureRandom());
+    keyGen.initialize(keyLen, Utils.secureRandom);
 
-    KeyPair keypair = keyGen.generateKeyPair();
-
-    return keypair;
+    return keyGen.generateKeyPair();
 
   }
 
@@ -68,16 +67,8 @@ public static KeyPair makeKeyPair(int keyLen) throws NoSuchAlgorithmException{
    * @return the password
    */
   public static String generatePassword() {
-    SecureRandom 		random;
-
-    try {
-      random = SecureRandom.getInstance("SHA1PRNG");
-      String pwd = Base64.encodeBase64String(random.generateSeed(5));
-
+      String pwd = Base64.encodeBase64String(Utils.secureRandom.generateSeed(5));
       return pwd.substring(0, pwd.length() - 2);
-    } catch (NoSuchAlgorithmException e) {
-      throw new RuntimeException(e);
-    }
   }
 
   /**

src/main/java/org/kopi/ebics/certificate/X509Generator.java

@@ -26,7 +26,6 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.PublicKey;
-import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -49,6 +48,7 @@
 import org.bouncycastle.asn1.x509.X509Name;
 import org.bouncycastle.jce.X509Principal;
 import org.bouncycastle.x509.X509V3CertificateGenerator;
+import org.kopi.ebics.utils.Utils;
 
 /**
  * An X509 certificate generator for EBICS protocol.
@@ -194,7 +194,7 @@ public X509Certificate generate(KeyPair keypair,
       break;
     }
 
-    certificate = generator.generate(keypair.getPrivate(), "BC", new SecureRandom());
+    certificate = generator.generate(keypair.getPrivate(), "BC", Utils.secureRandom);
     certificate.checkValidity(new Date());
     certificate.verify(keypair.getPublic());
 

src/main/java/org/kopi/ebics/security/EbicsSocketFactory.java

@@ -26,13 +26,14 @@
 import java.net.UnknownHostException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
-import java.security.SecureRandom;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManagerFactory;
 
+import org.kopi.ebics.utils.Utils;
+
 /**
  * A simple SSL socket factory for EBICS client.
  *
@@ -81,7 +82,7 @@ public EbicsSocketFactory(byte[] keystore,
    * Returns the <code>SSLContext</code> from key store information.
    * @param keystore the key store
    * @param keystoreType the key store type
-   * @param keystrorePass the key store password
+   * @param keystorePass the key store password
    * @param truststore the trust store
    * @param truststoreType the trust store type
    * @param truststorePass the trust store password
@@ -91,7 +92,7 @@ public EbicsSocketFactory(byte[] keystore,
    */
   public SSLContext getSSLContext(byte[] keystore,
                                   String keystoreType,
-                                  char[] keystrorePass,
+                                  char[] keystorePass,
                                   byte[] truststore,
                                   String truststoreType,
                                   char[] truststorePass)
@@ -103,15 +104,15 @@ public SSLContext getSSLContext(byte[] keystore,
     TrustManagerFactory 	tmf;
     SSLContext			context;
 
-    kstore = initKeyStore(keystore, keystrorePass, keystoreType);
+    kstore = initKeyStore(keystore, keystorePass, keystoreType);
     kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-    kmf.init(kstore, keystrorePass);
+    kmf.init(kstore, keystorePass);
 
     tstore = initKeyStore(truststore, truststorePass, truststoreType);
     tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     tmf.init(tstore);
     context = SSLContext.getInstance("TLS");
-    context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+    context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), Utils.secureRandom);
 
     return context;
   }

src/main/java/org/kopi/ebics/utils/Utils.java

@@ -60,6 +60,8 @@ public final class Utils {
     org.apache.xml.security.Init.init();
   }
 
+  public static final SecureRandom secureRandom = new SecureRandom();
+
   private Utils() {
   }
 
@@ -119,23 +121,19 @@ public static byte[] zip(byte[] toZip) throws EbicsException {
    * be at least 100 bits.
    * 
    * @return a random nonce.
-   * @throws EbicsException nonce generation fails.
    */
-  public static byte[] generateNonce() throws EbicsException {
-    SecureRandom 		secureRandom;
+  public static byte[] generateNonce() {
+    return secureRandom.generateSeed(16);
+  }
 
-    try {
-      secureRandom = SecureRandom.getInstance("SHA1PRNG");
-      return secureRandom.generateSeed(16);
-    } catch (NoSuchAlgorithmException e) {
-      throw new EbicsException(e.getMessage());
-    }
+  public static byte[] generateKey() {
+    return secureRandom.generateSeed(16);
   }
 
   /**
    * Uncompresses a given byte array input.
    * 
-   * <p>The Decompression is ensured via Universal compression 
+   * The Decompression is ensured via Universal compression
    * algorithm (RFC 1950, RFC 1951) As specified in the EBICS 
    * specification (16 Appendix: Standards and references)
    * 

src/main/java/org/kopi/ebics/xml/DefaultEbicsRootElement.java

@@ -26,7 +26,6 @@
 import java.io.OutputStream;
 import java.io.PrintStream;
 import java.math.BigInteger;
-import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -47,6 +46,7 @@
 import org.kopi.ebics.interfaces.EbicsOrderType;
 import org.kopi.ebics.interfaces.EbicsRootElement;
 import org.kopi.ebics.session.EbicsSession;
+import org.kopi.ebics.utils.Utils;
 
 public abstract class DefaultEbicsRootElement implements EbicsRootElement {
 
@@ -134,7 +134,7 @@ public void insertSchemaLocation(String namespaceURI,
    * @return the generated file name.
    */
   public static String generateName(EbicsOrderType type) {
-    return type.getCode() + new BigInteger(130, new SecureRandom()).toString(32);
+    return type.getCode() + new BigInteger(130, Utils.secureRandom).toString(32);
   }
 
   /**
@@ -143,7 +143,7 @@ public static String generateName(EbicsOrderType type) {
    * @return the generated file name.
    */
   public static String generateName(String prefix) {
-    return prefix + new BigInteger(130, new SecureRandom()).toString(32);
+    return prefix + new BigInteger(130, Utils.secureRandom).toString(32);
   }
 
   @Override

src/main/java/org/kopi/ebics/xml/InitializationRequestElement.java

@@ -24,6 +24,7 @@
 import java.security.NoSuchProviderException;
 
 import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.commons.codec.DecoderException;
 import org.apache.commons.codec.binary.Hex;
@@ -61,6 +62,8 @@ public InitializationRequestElement(EbicsSession session,
     this.type = type;
     this.name = name;
     nonce = Utils.generateNonce();
+    key = Utils.generateKey();
+    keySpec = new SecretKeySpec(key, "EAS");
   }
 
   @Override
@@ -96,9 +99,7 @@ public byte[] getDigest() throws EbicsException {
 
     try {
       return MessageDigest.getInstance("SHA-256", "BC").digest(Utils.canonize(toByteArray()));
-    } catch (NoSuchAlgorithmException e) {
-      throw new EbicsException(e.getMessage());
-    } catch (NoSuchProviderException e) {
+    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
       throw new EbicsException(e.getMessage());
     }
   }
@@ -135,12 +136,10 @@ protected byte[] decodeHex(byte[] hex) throws EbicsException {
    */
   protected byte[] generateTransactionKey() throws EbicsException {
     try {
-      Cipher			cipher;
-
-      cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", BouncyCastleProvider.PROVIDER_NAME);
+      Cipher cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding", BouncyCastleProvider.PROVIDER_NAME);
       cipher.init(Cipher.ENCRYPT_MODE, session.getBankE002Key());
 
-      return cipher.doFinal(nonce);
+      return cipher.doFinal(key);
     } catch (Exception e) {
       throw new EbicsException(e.getMessage());
     }
@@ -157,8 +156,10 @@ protected byte[] generateTransactionKey() throws EbicsException {
   // DATA MEMBERS
   // --------------------------------------------------------------------
 
-  private String			name;
+  private final String name;
   protected EbicsOrderType type;
-  protected byte[]			nonce;
-  private static final long 		serialVersionUID = 8983807819242699280L;
+  protected final byte[] nonce;
+  private final byte[] key;
+  protected final SecretKeySpec keySpec;
+  private static final long serialVersionUID = 8983807819242699280L;
 }

src/main/java/org/kopi/ebics/xml/SPRRequestElement.java

@@ -21,8 +21,6 @@
 
 import java.util.Calendar;
 
-import javax.crypto.spec.SecretKeySpec;
-
 import org.kopi.ebics.exception.EbicsException;
 import org.kopi.ebics.schema.h003.DataEncryptionInfoType.EncryptionPubKeyDigest;
 import org.kopi.ebics.schema.h003.DataTransferRequestType;
@@ -60,7 +58,6 @@ public class SPRRequestElement extends InitializationRequestElement {
    */
   public SPRRequestElement(EbicsSession session) throws EbicsException {
     super(session, org.kopi.ebics.session.OrderType.SPR, "SPRRequest.xml");
-    keySpec = new SecretKeySpec(nonce, "EAS");
   }
 
   @Override
@@ -136,6 +133,5 @@ public void buildInitialization() throws EbicsException {
   // DATA MEMBERS
   // --------------------------------------------------------------------
 
-  private SecretKeySpec			keySpec;
   private static final long 		serialVersionUID = -6742241777786111337L;
 }

src/main/java/org/kopi/ebics/xml/UploadInitializationRequestElement.java

@@ -23,8 +23,6 @@
 import java.util.Calendar;
 import java.util.List;
 
-import javax.crypto.spec.SecretKeySpec;
-
 import org.kopi.ebics.exception.EbicsException;
 import org.kopi.ebics.interfaces.ContentFactory;
 import org.kopi.ebics.interfaces.EbicsOrderType;
@@ -78,7 +76,6 @@ public UploadInitializationRequestElement(EbicsSession session,
   {
     super(session, orderType, generateName(orderType));
     this.userData = userData;
-    keySpec = new SecretKeySpec(nonce, "EAS");
     splitter = new Splitter(userData);
     this.orderAttribute = orderAttribute;
   }
@@ -130,13 +127,13 @@ public void buildInitialization() throws EbicsException {
         FULOrderParamsType fULOrderParams = EbicsXmlFactory.createFULOrderParamsType(fileFormat);
 
         List<Parameter> parameters = new ArrayList<>();
-        if (Boolean.valueOf(session.getSessionParam("TEST")).booleanValue()) {
+        if (Boolean.parseBoolean(session.getSessionParam("TEST"))) {
           Value value = EbicsXmlFactory.createValue("String", "TRUE");
           Parameter parameter = EbicsXmlFactory.createParameter("TEST", value);
           parameters.add(parameter);
         }
 
-        if (Boolean.valueOf(session.getSessionParam("EBCDIC")).booleanValue()) {
+        if (Boolean.parseBoolean(session.getSessionParam("EBCDIC"))) {
           Value value = EbicsXmlFactory.createValue("String", "TRUE");
           Parameter parameter = EbicsXmlFactory.createParameter("EBCDIC", value);
           parameters.add(parameter);
@@ -221,9 +218,8 @@ public int getSegmentNumber() {
   // --------------------------------------------------------------------
 
   private final OrderAttributeType.Enum orderAttribute;
-  private byte[]			userData;
+  private final byte[] userData;
   private UserSignature			userSignature;
-  private SecretKeySpec			keySpec;
-  private Splitter			splitter;
+  private final Splitter splitter;
   private static final long 		serialVersionUID = -8083183483311283608L;
 }