Move encryption capabilities to different service

Author: gcatanese

src/main/java/com/adyen/model/clouddevice/security/NexoDerivedKey.java

@@ -46,27 +46,27 @@ public NexoDerivedKey() {
   }
 
   public byte[] getHmacKey() {
-    return hmacKey;
+    return Arrays.copyOf(hmacKey, hmacKey.length);
   }
 
   public void setHmacKey(byte[] hmacKey) {
-    this.hmacKey = hmacKey;
+    this.hmacKey = Arrays.copyOf(hmacKey, hmacKey.length);
   }
 
   public byte[] getCipherKey() {
-    return cipherKey;
+    return Arrays.copyOf(cipherKey, cipherKey.length);
   }
 
   public void setCipherKey(byte[] cipherKey) {
-    this.cipherKey = cipherKey;
+    this.cipherKey = Arrays.copyOf(cipherKey, cipherKey.length);
   }
 
   public byte[] getIv() {
-    return iv;
+    return Arrays.copyOf(iv, iv.length);
   }
 
   public void setIv(byte[] iv) {
-    this.iv = iv;
+    this.iv = Arrays.copyOf(iv, iv.length);
   }
 
   @Override

src/main/java/com/adyen/security/clouddevice/EncryptionCredentialDetails.java

@@ -1,27 +1,20 @@
 package com.adyen.security.clouddevice;
 
-import com.adyen.model.tapi.JSON;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.core.JsonProcessingException;
 import java.util.Objects;
 
 /** Details of the encryption credential used for encrypting the request payload (nexoBlob) */
 public class EncryptionCredentialDetails {
 
   /** The passphrase used to derive the encryption key. */
-  @JsonProperty("Passphrase")
   private String passphrase;
 
   /** The unique identifier of the key. */
-  @JsonProperty("KeyIdentifier")
   private String keyIdentifier;
 
   /** The version of the key. */
-  @JsonProperty("KeyVersion")
   private Integer keyVersion;
 
   /** The version of the Adyen-specific crypto implementation. */
-  @JsonProperty("AdyenCryptoVersion")
   private Integer adyenCryptoVersion;
 
   public String getPassphrase() {
@@ -76,28 +69,6 @@ public EncryptionCredentialDetails adyenCryptoVersion(Integer adyenCryptoVersion
     return this;
   }
 
-  /**
-   * Create an instance of EncryptionCredentialDetails given an JSON string
-   *
-   * @param jsonString JSON string
-   * @return An instance of EncryptionCredentialDetails
-   * @throws JsonProcessingException if the JSON string is invalid with respect to
-   *     EncryptionCredentialDetails
-   */
-  public static EncryptionCredentialDetails fromJson(String jsonString)
-      throws JsonProcessingException {
-    return JSON.getMapper().readValue(jsonString, EncryptionCredentialDetails.class);
-  }
-
-  /**
-   * Convert an instance of EncryptionCredentialDetails to an JSON string
-   *
-   * @return JSON string
-   */
-  public String toJson() throws JsonProcessingException {
-    return JSON.getMapper().writeValueAsString(this);
-  }
-
   @Override
   public boolean equals(Object o) {
     if (this == o) {

src/main/java/com/adyen/security/clouddevice/NexoCryptoPrimitives.java

@@ -86,7 +86,7 @@ static byte[] generateRandomIvNonce() {
     SecureRandom secureRandom;
     try {
       secureRandom = SecureRandom.getInstance("NativePRNGNonBlocking");
-    } catch (Exception ignored) {
+    } catch (NoSuchAlgorithmException ignored) {
       secureRandom = new SecureRandom();
     }
     secureRandom.nextBytes(ivNonce);

src/main/java/com/adyen/security/clouddevice/NexoDerivedKeyGenerator.java

@@ -1,5 +1,3 @@
-package com.adyen.security.clouddevice;
-
 /*
  *                       ######
  *                       ######
@@ -20,6 +18,7 @@
  * This file is open source and available under the MIT license.
  * See the LICENSE file for more info.
  */
+package com.adyen.security.clouddevice;
 
 import static com.adyen.model.clouddevice.security.NexoDerivedKey.NEXO_CIPHER_KEY_LENGTH;
 import static com.adyen.model.clouddevice.security.NexoDerivedKey.NEXO_HMAC_KEY_LENGTH;
@@ -41,6 +40,7 @@ private NexoDerivedKeyGenerator() {}
   static NexoDerivedKey deriveKeyMaterial(String passphrase)
       throws NoSuchAlgorithmException, InvalidKeySpecException {
     byte[] salt = "AdyenNexoV1Salt".getBytes(StandardCharsets.UTF_8);
+    // Iteration count is fixed at 4000 as mandated by the Nexo protocol specification (AdyenNexoV1)
     int iterations = 4000;
 
     PBEKeySpec spec =

src/main/java/com/adyen/security/clouddevice/NexoSecurityException.java

@@ -44,9 +44,4 @@ public NexoSecurityException(String message, Throwable cause) {
   public NexoSecurityException(Throwable cause) {
     super(cause);
   }
-
-  @Override
-  public String toString() {
-    return "NexoSecurityException{message=" + getMessage() + '}';
-  }
 }

src/main/java/com/adyen/service/clouddevice/CloudDeviceApi.java

@@ -5,17 +5,13 @@
 import com.adyen.constants.ApiConstants;
 import com.adyen.model.clouddevice.*;
 import com.adyen.model.clouddevice.CloudDeviceApiAsyncResponse;
-import com.adyen.security.clouddevice.EncryptionCredentialDetails;
-import com.adyen.security.clouddevice.NexoSecurityException;
-import com.adyen.security.clouddevice.NexoSecurityManager;
 import com.adyen.service.exception.ApiException;
 import com.adyen.service.resource.Resource;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
+/** Service of the Cloud Device API */
 public class CloudDeviceApi extends Service {
 
   public static final String API_VERSION = "1";
@@ -216,189 +212,4 @@ public DeviceStatusResponse getDeviceStatus(String merchantAccount, String devic
 
     return DeviceStatusResponse.fromJson(response);
   }
-
-  /**
-   * Send a synchronous encrypted request.
-   *
-   * @param merchantAccount The unique identifier of the merchant account
-   * @param deviceId The unique identifier of the device that you send this request to (must match
-   *     POIID in the MessageHeader).
-   * @param cloudDeviceApiRequest The request to send.
-   * @return instance of CloudDeviceApiResponse
-   * @throws ApiException when an error occurs
-   * @throws IOException when an I/O error occurs
-   * @throws NexoSecurityException when encryption or decryption fails
-   */
-  public CloudDeviceApiResponse syncEncrypted(
-      String merchantAccount,
-      String deviceId,
-      CloudDeviceApiRequest cloudDeviceApiRequest,
-      EncryptionCredentialDetails encryptionCredentialDetails)
-      throws ApiException, IOException, NexoSecurityException {
-
-    NexoSecurityManager nexoSecurityManager = new NexoSecurityManager(encryptionCredentialDetails);
-
-    // Add path params
-    Map<String, String> pathParams = new HashMap<>();
-
-    if (merchantAccount == null) {
-      throw new IllegalArgumentException("Please provide the merchantAccount path parameter");
-    }
-    pathParams.put("merchantAccount", merchantAccount);
-
-    if (deviceId == null) {
-      throw new IllegalArgumentException("Please provide the deviceId path parameter");
-    }
-    pathParams.put("deviceId", deviceId);
-
-    if (cloudDeviceApiRequest.getSaleToPOIRequest() == null
-        || cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader() == null) {
-      throw new IllegalArgumentException(
-          "cloudDeviceApiRequest must contain a SaleToPOIRequest with a MessageHeader");
-    }
-    cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader().setPOIID(deviceId);
-
-    // encrypt payload
-    SaleToPOISecuredMessage saleToPOISecuredRequest =
-        nexoSecurityManager.encrypt(
-            cloudDeviceApiRequest.toJson(),
-            cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader());
-
-    CloudDeviceApiSecuredRequest cloudDeviceApiSecuredRequest = new CloudDeviceApiSecuredRequest();
-    cloudDeviceApiSecuredRequest.setSaleToPOIRequest(saleToPOISecuredRequest);
-
-    String encryptedJson = cloudDeviceApiSecuredRequest.toJson();
-
-    // perform API call
-    Resource resource =
-        new Resource(
-            this, this.baseURL + "/merchants/{merchantAccount}/devices/{deviceId}/sync", null);
-    String response =
-        resource.request(encryptedJson, null, ApiConstants.HttpMethod.POST, pathParams);
-
-    CloudDeviceApiSecuredResponse cloudDeviceApiSecuredResponse =
-        CloudDeviceApiSecuredResponse.fromJson(response);
-
-    String jsonDecryptedResponse =
-        nexoSecurityManager.decrypt(cloudDeviceApiSecuredResponse.getSaleToPOIResponse());
-
-    return CloudDeviceApiResponse.fromJson(jsonDecryptedResponse);
-  }
-
-  /**
-   * Send an asynchronous encrypted request.
-   *
-   * @param merchantAccount The unique identifier of the merchant account
-   * @param deviceId The unique identifier of the device that you send this request to (must match
-   *     POIID in the MessageHeader).
-   * @param cloudDeviceApiRequest The request to send.
-   * @return "ok" on success
-   * @throws ApiException when an error occurs
-   * @throws IOException when an I/O error occurs
-   * @throws NexoSecurityException when encryption or decryption fails
-   */
-  public String asyncEncrypted(
-      String merchantAccount,
-      String deviceId,
-      CloudDeviceApiRequest cloudDeviceApiRequest,
-      EncryptionCredentialDetails encryptionCredentialDetails)
-      throws ApiException, IOException, NexoSecurityException {
-
-    NexoSecurityManager nexoSecurityManager = new NexoSecurityManager(encryptionCredentialDetails);
-
-    // Add path params
-    Map<String, String> pathParams = new HashMap<>();
-
-    if (merchantAccount == null) {
-      throw new IllegalArgumentException("Please provide the merchantAccount path parameter");
-    }
-    pathParams.put("merchantAccount", merchantAccount);
-
-    if (deviceId == null) {
-      throw new IllegalArgumentException("Please provide the deviceId path parameter");
-    }
-    pathParams.put("deviceId", deviceId);
-
-    if (cloudDeviceApiRequest.getSaleToPOIRequest() == null
-        || cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader() == null) {
-      throw new IllegalArgumentException(
-          "cloudDeviceApiRequest must contain a SaleToPOIRequest with a MessageHeader");
-    }
-    cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader().setPOIID(deviceId);
-
-    // encrypt payload
-    SaleToPOISecuredMessage saleToPOISecuredRequest =
-        nexoSecurityManager.encrypt(
-            cloudDeviceApiRequest.toJson(),
-            cloudDeviceApiRequest.getSaleToPOIRequest().getMessageHeader());
-
-    CloudDeviceApiSecuredRequest cloudDeviceApiSecuredRequest = new CloudDeviceApiSecuredRequest();
-    cloudDeviceApiSecuredRequest.setSaleToPOIRequest(saleToPOISecuredRequest);
-
-    String encryptedJson = cloudDeviceApiSecuredRequest.toJson();
-
-    // perform API call
-    Resource resource =
-        new Resource(
-            this, this.baseURL + "/merchants/{merchantAccount}/devices/{deviceId}/async", null);
-
-    // async responses are decrypted
-    String response =
-        resource.request(encryptedJson, null, ApiConstants.HttpMethod.POST, pathParams);
-
-    return response;
-  }
-
-  /**
-   * Decrypt an event notification
-   *
-   * @param payload Event notification in JSON string format: it can be SaleToPOIResponse (async
-   *     response) or SaleToPOIRequest (event notification)
-   * @param encryptionCredentialDetails The details of the encryption credential used for decrypting
-   *     the payload (nexoBlob)
-   * @return the decrypted payload
-   * @throws NexoSecurityException when decryption fails
-   */
-  public String decryptNotification(
-      String payload, EncryptionCredentialDetails encryptionCredentialDetails)
-      throws NexoSecurityException {
-
-    try {
-      NexoSecurityManager nexoSecurityManager =
-          new NexoSecurityManager(encryptionCredentialDetails);
-
-      ObjectMapper objectMapper = new ObjectMapper();
-      JsonNode jsonNode;
-
-      try {
-        jsonNode = objectMapper.readTree(payload);
-      } catch (Exception e) {
-        throw new NexoSecurityException("Invalid payload");
-      }
-
-      String decryptedMessage;
-      if (jsonNode.has("SaleToPOIResponse")) {
-        // async response received
-        CloudDeviceApiSecuredResponse cloudDeviceApiSecuredResponse =
-            CloudDeviceApiSecuredResponse.fromJson(payload);
-        decryptedMessage =
-            nexoSecurityManager.decrypt(cloudDeviceApiSecuredResponse.getSaleToPOIResponse());
-      } else if (jsonNode.has("SaleToPOIRequest")) {
-        CloudDeviceApiSecuredRequest cloudDeviceApiSecuredRequest =
-            CloudDeviceApiSecuredRequest.fromJson(payload);
-        decryptedMessage =
-            nexoSecurityManager.decrypt(cloudDeviceApiSecuredRequest.getSaleToPOIRequest());
-      } else {
-        throw new NexoSecurityException(
-            "Unexpected payload without SaleToPOIResponse or SaleToPOIRequest");
-      }
-
-      return decryptedMessage;
-
-    } catch (NexoSecurityException e) {
-      throw e;
-    } catch (Exception e) {
-      throw new NexoSecurityException(e.getMessage(), e);
-    }
-  }
 }