rahasya's Issues

getKeyMaterial guidance

Hi SasiKumar,

My name is ChariKundavarapu. Yesterday you shared a response for my query "REG: DataProvider Error while generating ECDH". When using your code snippet I am able to get the KeyPair, but both public and private key values are the same.
Please find the below code snippet.
1

DHPublicKey expiry time format issue

hi @vishwa-vyom ,
Is it mandatory to pass the DHPublicKey expiry time in "2020-09-23T10:53:28.100Z" format only?
Because we are receiving the expiry time from the other party during FI Fetch in the format "2020-09-23T10:53:28.100+0000".
As per the UTC format both are true, so are we accepting both or only Z?
We are getting the below error while passing "2020-09-23T10:53:28.100+0000".
Screenshot_2020-09-22_17-34-10

BAD_DECRYPT

Hi @vishwa-vyom and @gsasikumar

Good afternoon!

I am trying to decrypt data using key material, but am unable to do so because of the below exception:

"javax.crypto.AEADBadTagException: error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT"
While calling byte[] cipherData = cipher.doFinal(Base64.getDecoder().decode(base64EncodedData));

Please let me know any changes required.

Using algorithm "X25519" for diffie hellman instead of EC algorithm with curve "Curve25519" to comply with RFC-7748 standard

The issue with using "Curve25519" is that it generates a 64-byte key. For Diffie-Hellman key exchange, according to RFC 7748 [refer: https://tools.ietf.org/html/rfc7748#page-7], the key should be 32 bytes. If a service uses OpenSSL for generating an X25519 key, the generated key is 32 bytes. This cannot be converted into the 64-byte format that is currently accepted by the BouncyCastle implementation.
For the sake of inter-compatibility and proper standards, using "X25519" is the recommended way of creating keys. Also please refer to the bcgit/bc-java#251 issue in the BouncyCastle repo for a better explanation. This also suggests using full X25519 ECDH.
If we decide to follow X25519 (RFC 7748), I can create a PR to incorporate the changes. This should not affect the implementations used by banks and Account Aggregators.

Error while generating SharedKey - algorithm identifier 1.2.840.113549.1.1.1 in key not recognised

Getting following error while trying to generate Shared Key with a generated Public key (from this package) and my server's Private key.

    {
      "key": "",
      "errorInfo": {
        "errorCode": "java.security.spec.InvalidKeySpecException",
        "errorInfo": null,
        "errorMessage": "encoded key spec not recognized: algorithm identifier 1.2.840.113549.1.1.1 in key not recognised"
      }
    }

Steps to Reproduce

  1. Generate Key using /ecc/v1/generateKey API
  2. Take the Public Key value and use it in /ecc/v1/getSharedKey API
  3. Use Server's Private Key (in PKCS8PrivateKey format) with PEM headers added
  4. Hit the API with the values as obtained above

Expected behavior

Expected sharedkey as result.

Possible Fix

SO pointers point to upgrading org.bouncycastle library - which I upgraded from 1.64 to 1.70 - same error persists.

I am not an expert in Java but I used VSCode's ability to update my gradle config - which I am assuming did the right thing by getting the required version during the build.

Your Environment

The forwardsecrecy project is locally executed using VSCode debugger. Java version is SE 18+36-2087 mixed mode.

I am working on Windows 10 machine with the calls to forwardsecrecy coming from a .NET Core project.

Let me know if anything more is needed.

Screenshot of Swagger:
image

Log messages on Console
image

[iOS] No Support for Bouncy Castle

Hello, There is no support for bouncy castle on iOS. Apple's CryptoKit just provides method to create Curve25519 key. But there is no way in which we can encode the public key in "ASN1 X9.62" format.
Please help urgently.

Getting Exception in decryption code

Getting below exception:-
javax.crypto.AEADBadTagException: mac check in GCM failed

Encryption Code:-
    public String encrypt(PrivateKey ourPrivatekey, PublicKey remotePublicKey, String base64YourNonce,
            String base64RemoteNonce, String data)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException,
            InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
        // Derive the secret key
        byte[] cipherData = null;
        try {
            System.out.println("base 64 data "+data);
            byte[] srcBytes = data.getBytes(StandardCharsets.US_ASCII);
            String sharedSecret = dheService.getSharedSecret(ourPrivatekey, remotePublicKey);
            // XOR the nonces
            byte[] xoredNonce = xor(Base64.getDecoder().decode(base64YourNonce), Base64.getDecoder().decode(base64RemoteNonce));
            // Create a session key with the derived secret
            String key = getSessionKey(Base64.getDecoder().decode(sharedSecret), xoredNonce);
            // Create the cipher instance with the necessary encryption algorithm
            KeyAgreement ka = KeyAgreement.getInstance("ECDH");
            System.out.println(ka.getProvider().getName());
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", provider);
            // Create the spec with the given session key
            SecretKeySpec keySpec = new SecretKeySpec(Base64.getDecoder().decode(key), "AES");
            byte[] iv = generateIVBytes(cipher);
            System.out.println(iv.length+" --lenght");
            // Copy only the last 12 bytes
            System.arraycopy(xoredNonce, saltIVOffset, iv, 0, iv.length);
            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(gcmTagLength * 8, iv);
            cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmParameterSpec);
            cipherData = cipher.doFinal(srcBytes);
            System.out.println("cipher bytes "+cipherData);
        } catch (Exception e){
            e.printStackTrace();
        }
        return Base64.getEncoder().encodeToString(cipherData);
    }

Decryption Code:-
    public String decrypt(PrivateKey ourPrivatekey, PublicKey remotePublicKey, String base64YourNonce,
            String base64RemoteNonce, String base64EncodedData)
            throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, NoSuchPaddingException,
            InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {

        String sharedSecret = dheService.getSharedSecret(ourPrivatekey, remotePublicKey);
        byte[] xoredNonce = xor(Base64.getDecoder().decode(base64YourNonce), Base64.getDecoder().decode(base64RemoteNonce));
        String key = getSessionKey(Base64.getDecoder().decode(sharedSecret), xoredNonce);
        Cipher cipher = Cipher.getInstance(algorithm, provider);
        SecretKeySpec keySpec = new SecretKeySpec(Base64.getDecoder().decode(key), "AES");
        byte[] iv = new byte[12];
        System.arraycopy(xoredNonce, saltIVOffset, iv, 0, ivLength);
        GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(gcmTagLength * 8, iv);
        cipher.init(Cipher.DECRYPT_MODE, keySpec, gcmParameterSpec);
        byte[] cipherData = cipher.doFinal(Base64.getDecoder().decode(base64EncodedData));

        return Base64.getEncoder().encodeToString(cipherData);
    }

StackTrace:-
javax.crypto.AEADBadTagException: mac check in GCM failed
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source)
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Cipher.java:2222)
at com.finbit.aa.fiu.service.impl.CipherServiceImpl.decrypt(CipherServiceImpl.java:94)
at com.finbit.aa.fiu.service.impl.DecryptFIServiceImpl.decryptFI(DecryptFIServiceImpl.java:47)
at com.finbit.aa.fiu.service.impl.FIFetchRequestServiceImpl.fetchFIData(FIFetchRequestServiceImpl.java:59)
at com.finbit.aa.fiu.controller.ConsentNotificationController.fiNotification(ConsentNotificationController.java:27)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:888)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:793)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2020-03-19 12:57:52.575 ERROR 5772 --- [nio-8096-exec-1] o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException] with root cause

DataProvider Error while generating ECDH

Hi Sasikumar,

My name is Charikundavarapu. I am trying to build the forwardsecrecy code without the Springboot code. I have compiled it successfully, but while trying to generate an ECDH keypair I am getting an error like "no such provider : BC".

I want to access the utility class file. Currently I am using the provider with the static value "BC". Please can you tell me which value needs to be used in the ECCService class for the provider.
ecdh_provider

Any support for other language apart from Java?

Is there any guidance to implement this on the mobile side along with all the legal specifications? (Android/iOS/Flutter/ReactNative or any Web/Mobile front-end technology)

It would be very helpful if any guidance is available.
Also, is there any existing code available, or is this under development for user-facing languages?
Are there any future plans to develop this in other languages?

Key Material Discrepancies with ReBIT Spec

Hi Sasikumar,
I am using the ecc service v1.2 APIs via Docker. I am able to encrypt the data. While decrypting I am getting the below error:
"mac check in GCM failed". Actually we are consuming the ecc APIs in my Node.js application. I am unable to understand this Java-based error. Please help me solve this.

Environment Details:
OS: Linux
Lang: Node JS

error response:
{
errorCode: 'javax.crypto.AEADBadTagException',
errorMessage: 'mac check in GCM failed',
errorInfo: null
}

encoded key spec not recognized: algorithm identifier 1.3.101.110 in key not recognised

I'm generating x25519 keypair using crypto.generateKeyPairSync in Node.js. But on providing the generated public key in FI data request (/FI/request) api, AA is responding with Invalid DHPublic Key error message. Also following is the error, AA is encountering at their side:

java.security.spec.InvalidKeySpecException: encoded key spec not recognized: 
algorithm identifier 1.3.101.110 in key not recognised
at org.bouncycastle.jcajce.provider.asymmetric.util.BaseKeyFactorySpi.engineGeneratePublic

KeyMaterial that I'm sending:

KeyMaterial: {
    cryptoAlg: 'ECDH',
    curve: 'Curve25519',
    params: 'params',
    DHPublicKey: {
      expiry: '2023-11-20T15:47:05.451Z',
      Parameters: 'params',
      KeyValue: '-----BEGIN PUBLIC KEY-----MCowBQYDK2VuAyEAaKvrY7xCymrRWADcThoGUGmQUYP6sgfeO9lvBHoRM1Y=-----END PUBLIC KEY-----'
    },
    Nonce: 'Zjc0ZjczMjMtZmE4Zi00MDUzLThkOTQtYmE4Mzc2YzJkY2Ri'
  }

Node.js code that I'm using to generate keypair is given below and also provided in this repo here.

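import * as crypto from "crypto";

// Generates an X25519 key pair: public key as SPKI PEM,
// private key as passphrase-encrypted PKCS#8 PEM.
function generateKeyPair(password: string) {
  const x25519Keys = crypto.generateKeyPairSync("x25519", {
    publicKeyEncoding: {
      type: "spki",
      format: "pem"
    },
    privateKeyEncoding: {
      type: "pkcs8",
      format: "pem",
      cipher: "aes-256-cbc",
      passphrase: password
    }
  });
  return x25519Keys;
}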

Is there anything I'm missing or doing incorrect here?

@gsasikumar
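
The two "algorithm identifier ... in key not recognised" reports on this page (1.2.840.113549.1.1.1 and 1.3.101.110) both name the OID that the receiving key factory found inside the submitted key. The following is an added example, not code from the issues or from the rahasya project: a dependency-free Node.js check that reads the algorithm OID and raw key length out of a SubjectPublicKeyInfo PEM before it is sent. The function names and the OID label table are assumptions made for illustration; 1.3.101.110 is the X25519 identifier from RFC 8410 and 1.2.840.113549.1.1.1 is rsaEncryption.

```javascript
// Added example: minimal DER walk over a SubjectPublicKeyInfo (SPKI) to read
// the algorithm OID and the raw key length. Helper names are hypothetical.
const KNOWN_OIDS = {
  '1.3.101.110': 'X25519 (RFC 8410)',
  '1.2.840.10045.2.1': 'id-ecPublicKey (X9.62 EC key)',
  '1.2.840.113549.1.1.1': 'rsaEncryption',
};

// Read one DER TLV at `pos`; handles short-form and long-form lengths.
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new Error('truncated DER');
  const tag = buf[pos];
  let len = buf[pos + 1];
  let start = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || start + n > buf.length) throw new Error('bad DER length');
    len = buf.readUIntBE(start, n);
    start += n;
  }
  if (start + len > buf.length) throw new Error('truncated DER value');
  return { tag, start, end: start + len };
}

// Decode OBJECT IDENTIFIER content bytes into dotted notation.
function decodeOid(bytes) {
  const arcs = [];
  let value = 0;
  for (const b of bytes) {
    value = value * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(value); value = 0; }
  }
  const first = arcs.shift();
  const top = Math.min(Math.floor(first / 40), 2);
  return [top, first - top * 40, ...arcs].join('.');
}

// Accepts PEM with or without line breaks; reports what the key claims to be.
function inspectSpki(pem) {
  const b64 = pem.replace(/-----(BEGIN|END) PUBLIC KEY-----/g, '').replace(/\s+/g, '');
  const der = Buffer.from(b64, 'base64');
  const spki = readTlv(der, 0);
  const algId = readTlv(der, spki.start);
  const oidTlv = readTlv(der, algId.start);
  const bits = readTlv(der, algId.end);
  if (spki.tag !== 0x30 || algId.tag !== 0x30 || oidTlv.tag !== 0x06 || bits.tag !== 0x03) {
    throw new Error('not a SubjectPublicKeyInfo');
  }
  const oid = decodeOid(der.subarray(oidTlv.start, oidTlv.end));
  // The first BIT STRING content byte is the unused-bits count, not key data.
  return { oid, algorithm: KNOWN_OIDS[oid] || 'unknown', keyBytes: bits.end - bits.start - 1 };
}

// KeyValue exactly as quoted in the issue above.
const ISSUE_KEY = '-----BEGIN PUBLIC KEY-----MCowBQYDK2VuAyEAaKvrY7xCymrRWADcThoGUGmQUYP6sgfeO9lvBHoRM1Y=-----END PUBLIC KEY-----';
console.log(inspectSpki(ISSUE_KEY));
```

Running it on the KeyValue from the issue reports OID 1.3.101.110 with a 32-byte key, so the key is labelled X25519 inside the SPKI even though the surrounding KeyMaterial says `cryptoAlg: 'ECDH'` and `curve: 'Curve25519'`.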

Getting issue in Android 12 Version devices

Hi Team,

I am using Android 12 devices like the Google Pixel 6a and Oppo.

I am trying to decrypt the encrypted data using forward secrecy and am getting the below issue:
Error during decryption com.android.org.conscrypt.OpenSSLX509CertificateFactory$ParsingException: Error parsing private key

Can you please help with this?

ERR java.lang.NullPointerException

Hi Sasi,
While trying to decrypt data with more than two requests simultaneously, I am getting the response "internal server error". While checking the Docker logs we found that it is "java.lang.NullPointerException". Please guide me to resolve it.
Thanks in advance.

Please refer to the below screenshots.
Screenshot from 2020-08-06 20-28-40
Screenshot from 2020-08-06 20-29-25
