Click / CLK-608

Add ClickUtils.encode(Object, byte[] key16) and ClickUtils.decode(String, byte[] key16)

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: core
    • Labels:
      None

      Description

      ClickUtils has handy methods encode(Object) and decode(String), but it is possible for a client to corrupt our internal state in saved objects.

      If you also add encode(Object, byte[] key16) and ClickUtils.decode(String, byte[] key16), which will encipher the serialized, gzipped object before base64 encoding and decipher it after base64 decoding, then objects will be safe and we can store all sensitive information on the client side.

      Encipher/decipher are easy in Java:
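      import java.security.GeneralSecurityException;
      import java.security.Key;
      import javax.crypto.Cipher;
      import javax.crypto.spec.SecretKeySpec;

      // With the JRE's bundled providers the bare "AES" transformation resolves to
      // AES/ECB/PKCS5Padding: encryption only, with no integrity check on the ciphertext.
      private static final String DEFAULT_CRYPT_ALGORITHM = "AES";

      // @NotNull comes from an annotations library; the issue does not name its package.
      public static byte[] encrypt (@NotNull final byte[] src, @NotNull final byte[] key16) throws IllegalArgumentException {
        final Key sks = new SecretKeySpec(key16, DEFAULT_CRYPT_ALGORITHM); // throws IAE on a null or empty key
        try {
          final Cipher cf = Cipher.getInstance(DEFAULT_CRYPT_ALGORITHM);
          cf.init(Cipher.ENCRYPT_MODE, sks);
          //byte[] out = cf.update(buf, 0, n);
          return cf.doFinal(src);
        } catch (GeneralSecurityException e) {
          // Key bytes are kept out of the message so they cannot end up in logs.
          throw new IllegalArgumentException("encrypt failed", e);
        }
      }//encrypt

      public static byte[] decrypt (@NotNull final byte[] src, @NotNull final byte[] key16) throws IllegalArgumentException {
        final Key sks = new SecretKeySpec(key16, DEFAULT_CRYPT_ALGORITHM); // throws IAE on a null or empty key
        try {
          final Cipher cf = Cipher.getInstance(DEFAULT_CRYPT_ALGORITHM);
          cf.init(Cipher.DECRYPT_MODE, sks);
          //byte[] out = cf.update(buf, 0, n);
          return cf.doFinal(src);
        } catch (GeneralSecurityException e) {
          // Key bytes are kept out of the message so they cannot end up in logs.
          throw new IllegalArgumentException("decrypt failed", e);
        }
      }//decrypt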

        Activity

        Andrei Ionescu added a comment -

        Why not a better solution like:
        http://www.jcryption.org/

        Andrew Fink added a comment -

        Unnecessary dependency.

        All classes above are standard JRE (bundled) classes.


          People

          • Assignee: Unassigned
          • Reporter: Andrew Fink
          • Votes: 1
          • Watchers: 0
