From 637a05e9b3334916b0d3cd18a78eba7785f3a6c1 Mon Sep 17 00:00:00 2001 From: AssahBismarkabah Date: Mon, 15 Jul 2024 16:01:47 +0100 Subject: [PATCH 1/3] update security whitepaper --- SECURITY.WHITEPAPER.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/SECURITY.WHITEPAPER.md b/SECURITY.WHITEPAPER.md index 81b319f6d..8c8af109e 100644 --- a/SECURITY.WHITEPAPER.md +++ b/SECURITY.WHITEPAPER.md @@ -23,6 +23,40 @@ CMS Encryption: * [RSAES-PKCS1-v1_5](#RSAES-PKCS1-v1_5) - key derivation algorithm for shared files (use public key); * [SHA256withRSA](#SHA256withRSA) - for public keys. +## ECC Update + +With the latest release, Datasafe has transitioned from RSA to Elliptic Curve Cryptography (ECC) to enhance security and performance. This section details the new ECC implementation: + +### Encryption and Signing + +- **Encryption Algorithm**: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`. +- **Signing Algorithm**: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`. + +### Benefits of ECC + +- **Security**: ECC offers stronger security per bit compared to RSA, making it more resistant to cryptographic attacks. +- **Performance**: ECC algorithms generally require less computational power and are faster. +- **Key Size**: ECC achieves comparable security to RSA with much smaller key sizes (256 bits for ECC vs. 2048 bits for RSA), resulting in reduced storage and transmission requirements. + +### Implementation Details +
+Dynamically choosing between RSA and ECC + +```java +private RecipientInfoGenerator getRecipientInfoGenerator(PublicKeyIDWithPublicKey keyWithId, KeyPair senderKeyPair) { + if ("RSA".equals(keyWithId.getPublicKey().getAlgorithm())) { + return new JceKeyTransRecipientInfoGenerator(keyWithId.getKeyID().getValue().getBytes(), keyWithId.getPublicKey()); + } + if (Set.of("ECDH", "EC").contains(keyWithId.getPublicKey().getAlgorithm())) { + return getJceKeyAgreeRecipientInfoGenerator(senderKeyPair, keyWithId); + } + return null; +} +``` +in the updated implementation, the getRecipientInfoGenerator method dynamically chooses between RSA and ECC based on the algorithm associated with the public key. For ECC, it uses ECDH for encryption and SHA256withECDSA for signing. + +
+ ## General information Datasafe is a flexible encryption library. It uses different encryption algorithms. They can be configured by client application. Under the hood Datasafe uses BouncyCastle library to perform encryption. From 94d034b820f0c1d4357d13e93145c4d4ba182b20 Mon Sep 17 00:00:00 2001 From: AssahBismarkabah Date: Mon, 15 Jul 2024 16:40:27 +0100 Subject: [PATCH 2/3] update security whitepaper with release note --- SECURITY.WHITEPAPER.md | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/SECURITY.WHITEPAPER.md b/SECURITY.WHITEPAPER.md index 8c8af109e..4de1f62d1 100644 --- a/SECURITY.WHITEPAPER.md +++ b/SECURITY.WHITEPAPER.md @@ -27,18 +27,18 @@ CMS Encryption: With the latest release, Datasafe has transitioned from RSA to Elliptic Curve Cryptography (ECC) to enhance security and performance. This section details the new ECC implementation: -### Encryption and Signing +#### Encryption and Signing - **Encryption Algorithm**: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`. - **Signing Algorithm**: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`. -### Benefits of ECC +#### Benefits of ECC - **Security**: ECC offers stronger security per bit compared to RSA, making it more resistant to cryptographic attacks. - **Performance**: ECC algorithms generally require less computational power and are faster. - **Key Size**: ECC achieves comparable security to RSA with much smaller key sizes (256 bits for ECC vs. 2048 bits for RSA), resulting in reduced storage and transmission requirements. -### Implementation Details +#### Implementation Details
Dynamically choosing between RSA and ECC @@ -57,6 +57,25 @@ in the updated implementation, the getRecipientInfoGenerator method dynamically
+## Release Notes + +##### ECC Integration + +#### Added +- **Elliptic Curve Cryptography (ECC)**: + - Implemented ECC for improved security and performance. + - Encryption Algorithm: ECDH (Elliptic Curve Diffie-Hellman) with curve `secp256r1`. + - Signing Algorithm: SHA256withECDSA (Elliptic Curve Digital Signature Algorithm) with curve `secp256r1`. + +#### Changed +- **Encryption and Signing**: + - Transitioned from RSA to ECC, enhancing security and reducing key sizes. + +#### Improved +- **Security**: + - ECC offers stronger security per bit compared to RSA. +- **Key Size Reduction**: + - ECC achieves comparable security to RSA with much smaller key sizes, reducing storage and transmission requirements. ## General information Datasafe is a flexible encryption library. It uses different encryption algorithms. They can be configured by client application. Under the hood Datasafe uses BouncyCastle library to perform encryption. From 89da57d55fe921f6d88fbdaeb66c7d95b623037e Mon Sep 17 00:00:00 2001 From: Maxim Grischenko Date: Tue, 16 Jul 2024 14:48:06 +0200 Subject: [PATCH 3/3] #268 bump up spring and spring-boot versions (#333) * #268 bump up spring and spring-boot versions * #268 add jackson dependency * #268 fix "No target Validator set" after upgrade spring-boot * #268 add jackson dependency for tests * #268 fix tests --- .../datasafe-examples-multidfs/pom.xml | 12 +++++++++ .../datasafe-examples-versioned-s3/pom.xml | 12 +++++++++ datasafe-rest-impl/pom.xml | 18 ++++++++----- .../rest/impl/DatasafeRestApplication.java | 3 +-- .../datasafe/rest/impl/config/MvcConfig.java | 4 +-- .../rest/impl/controller/InboxController.java | 2 -- .../datasafe-simple-adapter-spring/pom.xml | 13 ++++++++- .../datasafe-storage-impl-db/pom.xml | 5 ++++ .../datasafe-storage-impl-s3/pom.xml | 12 +++++++++ datasafe-test-storages/pom.xml | 12 +++++++++ pom.xml | 27 ++++++++++++------- 11 files changed, 98 insertions(+), 22 deletions(-) diff --git a/datasafe-examples/datasafe-examples-multidfs/pom.xml b/datasafe-examples/datasafe-examples-multidfs/pom.xml index c6b349de3..ed631312a 100644 --- a/datasafe-examples/datasafe-examples-multidfs/pom.xml +++ b/datasafe-examples/datasafe-examples-multidfs/pom.xml @@ -27,6 +27,18 @@ testcontainers test + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + test + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + test + org.junit.jupiter junit-jupiter-api diff --git a/datasafe-examples/datasafe-examples-versioned-s3/pom.xml b/datasafe-examples/datasafe-examples-versioned-s3/pom.xml index a9944fdbb..1a4322bf1 100644 --- a/datasafe-examples/datasafe-examples-versioned-s3/pom.xml +++ b/datasafe-examples/datasafe-examples-versioned-s3/pom.xml @@ -27,6 +27,18 @@ testcontainers test + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + test + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + test + org.junit.jupiter junit-jupiter-api diff --git a/datasafe-rest-impl/pom.xml b/datasafe-rest-impl/pom.xml index 33dd14c4b..6c63ebf53 100644 --- a/datasafe-rest-impl/pom.xml +++ b/datasafe-rest-impl/pom.xml @@ -13,14 +13,14 @@ Spring Boot DataSafe Application - 3.1.2 + 3.3.1 2.9.2 0.12.4 3.0.0 2.2.4 1.6.0 - 3.0.2 2.3.0 + true @@ -82,12 +82,12 @@ ${spring-boot.version} true - - jakarta.validation - jakarta.validation-api - ${jakarta.validation-api.version} + org.springframework.boot + spring-boot-starter-validation + ${spring-boot.version} + io.jsonwebtoken jjwt-api @@ -103,6 +103,12 @@ io.jsonwebtoken jjwt-jackson ${jjwt.version} + + + com.fasterxml.jackson.core + jackson-databind + + runtime diff --git a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/DatasafeRestApplication.java b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/DatasafeRestApplication.java index bdb527dc8..3212355da 100644 --- a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/DatasafeRestApplication.java +++ b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/DatasafeRestApplication.java @@ -3,10 +3,9 @@ import org.springframework.boot.SpringApplication; import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration; -import org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration; import org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration; -@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class, DataSourceTransactionManagerAutoConfiguration.class, HibernateJpaAutoConfiguration.class}) +@SpringBootApplication(exclude = {DataSourceAutoConfiguration.class, HibernateJpaAutoConfiguration.class}) public class DatasafeRestApplication { public static void main(String[] args) { diff --git a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/config/MvcConfig.java b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/config/MvcConfig.java index a0696d97a..c88c09d56 100644 --- a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/config/MvcConfig.java +++ b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/config/MvcConfig.java @@ -6,12 +6,12 @@ import org.springframework.lang.NonNull; import org.springframework.util.StringUtils; import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; -import org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport; +import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; @Slf4j @Configuration @RequiredArgsConstructor -public class MvcConfig extends WebMvcConfigurationSupport { +public class MvcConfig implements WebMvcConfigurer { private final DatasafeProperties datasafeProperties; diff --git a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java index 42ed50988..bdaf2bc07 100644 --- a/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java +++ b/datasafe-rest-impl/src/main/java/de/adorsys/datasafe/rest/impl/controller/InboxController.java @@ -13,7 +13,6 @@ import de.adorsys.datasafe.types.api.resource.PrivateResource; import jakarta.servlet.http.HttpServletResponse; import jakarta.validation.constraints.NotBlank; -import jakarta.validation.constraints.NotNull; import lombok.RequiredArgsConstructor; import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; @@ -30,7 +29,6 @@ import java.io.InputStream; import java.io.OutputStream; import java.util.List; -import java.util.Optional; import java.util.Set; import java.util.stream.Collectors; diff --git a/datasafe-simple-adapter/datasafe-simple-adapter-spring/pom.xml b/datasafe-simple-adapter/datasafe-simple-adapter-spring/pom.xml index 853af91b2..bef17150f 100644 --- a/datasafe-simple-adapter/datasafe-simple-adapter-spring/pom.xml +++ b/datasafe-simple-adapter/datasafe-simple-adapter-spring/pom.xml @@ -11,6 +11,12 @@ datasafe-simple-adapter-spring + + 6.1.10 + 3.3.1 + 2.2 + + org.springframework.boot @@ -85,7 +91,7 @@ org.yaml snakeyaml - 2.1 + ${snakeyaml.version} org.junit.jupiter @@ -129,6 +135,11 @@ test-jar test + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + jakarta.annotation jakarta.annotation-api diff --git a/datasafe-storage/datasafe-storage-impl-db/pom.xml b/datasafe-storage/datasafe-storage-impl-db/pom.xml index e408805e0..db5401c52 100644 --- a/datasafe-storage/datasafe-storage-impl-db/pom.xml +++ b/datasafe-storage/datasafe-storage-impl-db/pom.xml @@ -11,6 +11,10 @@ datasafe-storage-impl-db + + 6.1.10 + + de.adorsys @@ -26,6 +30,7 @@ org.springframework spring-jdbc + ${spring.framework.version} com.zaxxer diff --git a/datasafe-storage/datasafe-storage-impl-s3/pom.xml b/datasafe-storage/datasafe-storage-impl-s3/pom.xml index 4f16cd52d..8fd486be2 100644 --- a/datasafe-storage/datasafe-storage-impl-s3/pom.xml +++ b/datasafe-storage/datasafe-storage-impl-s3/pom.xml @@ -55,6 +55,18 @@ testcontainers test + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + test + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + test + org.junit.jupiter junit-jupiter-api diff --git a/datasafe-test-storages/pom.xml b/datasafe-test-storages/pom.xml index 5b3956ce8..5dc5a6d33 100644 --- a/datasafe-test-storages/pom.xml +++ b/datasafe-test-storages/pom.xml @@ -28,6 +28,18 @@ testcontainers compile + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + compile + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + compile + de.adorsys datasafe-storage-api diff --git a/pom.xml b/pom.xml index daf7f6932..929b355c6 100644 --- a/pom.xml +++ b/pom.xml @@ -83,14 +83,14 @@ 2.50 32.1.1-jre 4.0.3 - 5.10.0 + 5.11.0-M2 3.12.2 5.5.0 3.1.2 1.26.0 UTF-8 false - 1.18.3 + 1.19.8 0.8.11 2.5 2.0.7 @@ -109,8 +109,6 @@ 2.2.220 8.4.0 4.23.1 - 6.0.11 - 3.1.2 1.4.4 2.16.1 0.0.11 @@ -224,11 +222,27 @@ com.amazonaws aws-java-sdk-s3 ${amazon.aws.version} + + + com.fasterxml.jackson.core + jackson-databind + + com.amazonaws aws-java-sdk-core ${amazon.aws.version} + + + com.fasterxml.jackson.core + jackson-databind + + + com.fasterxml.jackson.core + jackson-core + +