Use Base64 to validate string instead of regexp

.github/workflows/actions.yml

@@ -22,5 +22,10 @@ jobs:
       - name: Build with Maven
         run: mvn -B clean install
 
+      - name: Generate JaCoCo Badge
+        uses: cicirello/jacoco-badge-generator@v2
+        with:
+          generate-branches-badge: true
+
       - name: Codecov
         uses: codecov/codecov-action@v1.3.1

README.md

@@ -1,5 +1,7 @@
 ## openconext-crypt-java
 
+[![Coverage](.github/badges/jacoco.svg)](https://github.com/OpenConext/openconext-crypt-java/actions/workflows/actions.yml)
+
 Create private / public keypair
 ```
 openssl genrsa -traditional -out private_key.pem 2048

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>org.openconext</groupId>
     <artifactId>java-crypto</artifactId>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <packaging>jar</packaging>
 
     <name>java-crypto</name>

src/main/java/crypto/RSAKeyStore.java

@@ -10,15 +10,12 @@
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
-import java.util.regex.Pattern;
 
 /**
  * Utility class for encrypting and decrypting secrets with RSA private / public keys
  */
 public class RSAKeyStore implements KeyStore {
 
-    private final Pattern base64Pattern = Pattern.compile("(([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?){1}");
-
     private final PublicKey publicKey;
     private final PrivateKey privateKey;
 
@@ -96,7 +93,16 @@ public String decodeAndDecrypt(String encodedEncryptedSecret) {
 
     @Override
     public boolean isEncryptedSecret(String input) {
-        return input.length() == 344 && base64Pattern.matcher(input).matches();
+        return input.length() == 344 && this.validBase64(input);
+    }
+
+    private boolean validBase64(String input) {
+        try {
+            Base64.getDecoder().decode(input);
+            return true;
+        } catch (IllegalArgumentException e) {
+            return false;
+        }
     }
 
     private String stripPublicKey(String publicKey) {

src/test/java/crypto/KeyStoreTest.java

@@ -7,6 +7,9 @@
 
 import java.io.InputStream;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.text.Normalizer;
+import java.util.Base64;
 import java.util.UUID;
 
 import static org.junit.jupiter.api.Assertions.*;
@@ -32,13 +35,34 @@ void encryptAndDecryptDevMode() {
         this.doEncryptAndDecrypt(keyStore, keyStore);
     }
 
+    @Test
+    void isEncryptedSecret() {
+        KeyStore keyStore = new RSAKeyStore();
+        String secret = "secret";
+        String encryptedSecret = keyStore.encryptAndEncode(secret);
+
+        assertTrue(keyStore.isEncryptedSecret(encryptedSecret));
+
+        assertFalse(keyStore.isEncryptedSecret("!"));
+        assertFalse(keyStore.isEncryptedSecret("!".repeat(344)));
+        //Corner case - waiting for a smart tester to pick this up
+        assertTrue(keyStore.isEncryptedSecret("a".repeat(344)));
+    }
+
+
     private void doEncryptAndDecrypt(KeyStore encryptionKeyStore, KeyStore decryptionKeyStore) {
         String secret = UUID.randomUUID().toString();
         String encryptedSecret = encryptionKeyStore.encryptAndEncode(secret);
+        String encryptedSecretDuplicate = encryptionKeyStore.encryptAndEncode(secret);
+        //Rainbow attacks are not possible
+        assertNotEquals(encryptedSecret, encryptedSecretDuplicate);
         assertTrue(decryptionKeyStore.isEncryptedSecret(encryptedSecret));
 
         String decodedSecret = decryptionKeyStore.decodeAndDecrypt(encryptedSecret);
         assertEquals(secret, decodedSecret);
+
+        String decodedSecretDuplicate = decryptionKeyStore.decodeAndDecrypt(encryptedSecretDuplicate);
+        assertEquals(secret, decodedSecretDuplicate);
     }
 
     @SneakyThrows