Refactored api key verifier

Author: geiralund

build.gradle.kts

@@ -103,7 +103,7 @@ subprojects {
 
     spotless {
         kotlin {
-            ktlint()
+            ktlint("com.github.shyiko:ktlint:0.31.0")
         }
         kotlinGradle {
             target("*.gradle.kts", "additionalScripts/*.gradle.kts")

ktor-utils/build.gradle.kts

@@ -3,5 +3,6 @@ val ktorVersion = "1.2.0"
 dependencies {
     implementation("io.ktor:ktor-server:$ktorVersion")
     implementation("io.ktor:ktor-auth:$ktorVersion")
+    implementation("commons-codec:commons-codec:1.12")
     testImplementation("io.ktor:ktor-server-test-host:$ktorVersion")
 }

ktor-utils/src/main/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyVerifier.kt

@@ -1,31 +1,27 @@
 package no.nav.dagpenger.ktor.auth
 
+import org.apache.commons.codec.binary.Hex
+import java.nio.charset.StandardCharsets
 import javax.crypto.Mac
 import javax.crypto.spec.SecretKeySpec
 
-class ApiKeyVerifier(private val secret: ByteArray) {
+class ApiKeyVerifier(private val secret: String) {
 
     private val algorithm = "HmacSHA256"
 
-    fun verify(apiKey: ByteArray, expectedApiKey: ByteArray): Boolean {
-
-        val hmac = generate(apiKey)
-
-        if (hmac.size != expectedApiKey.size) return false
-        var result = 0
-        for (i in 0 until hmac.size) {
-            result = result.or(hmac[i].toInt().xor(expectedApiKey[i].toInt()))
-        }
+    fun verify(apiKey: String, expectedApiKey: String): Boolean {
+        return apiKey == generate(expectedApiKey)
+    }
 
-        return result == 0
+    fun generate(apiKey: String): String {
+        return String(Hex.encodeHex(generateDigest(apiKey.toByteArray(StandardCharsets.UTF_8))))
     }
 
-    fun generate(apiKey: ByteArray): ByteArray {
-        val keySpec = SecretKeySpec(secret, algorithm)
+    private fun generateDigest(apiKey: ByteArray): ByteArray {
+        val secret = SecretKeySpec(secret.toByteArray(StandardCharsets.UTF_8), algorithm)
         val mac = Mac.getInstance(algorithm)
-        mac.init(keySpec)
-
-        val hmac = mac.doFinal(apiKey)
-        return hmac
+        mac.init(secret)
+        return mac.doFinal(apiKey)
     }
-}
+}
+

ktor-utils/src/test/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyVerifierTest.kt

@@ -8,23 +8,23 @@ internal class ApiKeyVerifierTest {
 
     @Test
     fun `Should be able to verify api key with same secret`() {
-        val verifier = ApiKeyVerifier("secret".toByteArray())
-        val enc = verifier.generate("apikey".toByteArray())
-        assertTrue { verifier.verify("apikey".toByteArray(), enc) }
+        val verifier = ApiKeyVerifier("secret")
+        val enc = verifier.generate("apikey")
+        assertTrue { verifier.verify( enc, "apikey") }
     }
 
     @Test
     fun `Should not be able to verify api if key has changed key with same secret`() {
-        val verifier = ApiKeyVerifier("secret".toByteArray())
-        val enc = verifier.generate("apikey".toByteArray())
-        assertFalse { verifier.verify("Apikey".toByteArray(), enc) }
+        val verifier = ApiKeyVerifier("secret")
+        val enc = verifier.generate("apikey")
+        assertFalse { verifier.verify( enc, "Apikey") }
     }
 
     @Test
     fun `Should not be able to verify api if with secret changed`() {
-        val generator = ApiKeyVerifier("another secret".toByteArray())
-        val enc = generator.generate("apikey".toByteArray())
-        val verifier = ApiKeyVerifier("secret".toByteArray())
-        assertFalse { verifier.verify("apikey".toByteArray(), enc) }
+        val generator = ApiKeyVerifier("another secret")
+        val enc = generator.generate("apikey")
+        val verifier = ApiKeyVerifier("secret")
+        assertFalse { verifier.verify(enc, "apikey") }
     }
 }