GUACAMOLE-1286: Add support for providing a custom IV.

Author: necouchman

extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/CryptoService.java

@@ -73,7 +73,7 @@ public class CryptoService {
      * HMAC signature itself as the IV. For our purposes, where the encrypted
      * value becomes an authentication token, this is OK.
      */
-    private static final IvParameterSpec NULL_IV = new IvParameterSpec(new byte[] {
+    public static final IvParameterSpec NULL_IV = new IvParameterSpec(new byte[] {
         0, 0, 0, 0, 0, 0, 0, 0,
         0, 0, 0, 0, 0, 0, 0, 0
     });
@@ -125,6 +125,10 @@ public SecretKey createSignatureKey(byte[] keyBytes) {
      *
      * @param cipherText
      *     The ciphertext to decrypt.
+     * 
+     * @param ivStr
+     *     The string container the crypto IV, or null if one is not
+     *     provided and the NULL_IV should be used.
      *
      * @return
      *     The plaintext which results from decrypting the ciphertext with the
@@ -133,13 +137,20 @@ public SecretKey createSignatureKey(byte[] keyBytes) {
      * @throws GuacamoleException
      *     If any error at all occurs during decryption.
      */
-    public byte[] decrypt(Key key, byte[] cipherText) throws GuacamoleException {
+    public byte[] decrypt(Key key, byte[] cipherText, String ivStr)
+            throws GuacamoleException {
 
         try {
 
+            // Use NULL_IV by default, but, if an IV has been provided as
+            // part of the request, use that, instead.
+            IvParameterSpec iv = NULL_IV;
+            if (ivStr == null || ivStr.isEmpty())
+                iv = new IvParameterSpec(ivStr.getBytes());
+            
             // Init cipher for descryption using secret key
             Cipher cipher = Cipher.getInstance(DECRYPTION_CIPHER_NAME);
-            cipher.init(Cipher.DECRYPT_MODE, key, NULL_IV);
+            cipher.init(Cipher.DECRYPT_MODE, key, iv);
 
             // Perform decryption
             return cipher.doFinal(cipherText);

extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/user/UserDataService.java

@@ -100,6 +100,13 @@ public class UserDataService {
      * HMAC/SHA-256.
      */
     public static final String ENCRYPTED_DATA_PARAMETER = "data";
+    
+    /**
+     * The name of the HTTP parameter from which the cryptographic IV should be
+     * read, if provided with the query. If this parameter is not provided, the
+     * {@link CryptoService#NULL_IV} will be used.
+     */
+    public static final String ENCRYPTED_IV_PARAMETER = "iv";
 
     /**
      * Derives a new UserData object from the data contained within the given
@@ -129,14 +136,18 @@ public UserData fromCredentials(Credentials credentials) {
         String base64 = credentials.getParameter(ENCRYPTED_DATA_PARAMETER);
         if (base64 == null)
             return null;
+        
+        // Get the IV string from the credentials
+        String ivStr = credentials.getParameter(ENCRYPTED_IV_PARAMETER);
 
         // Decrypt base64-encoded parameter
         try {
 
             // Decrypt using defined encryption key
             byte[] decrypted = cryptoService.decrypt(
                 cryptoService.createEncryptionKey(confService.getSecretKey()),
-                BaseEncoding.base64().decode(base64)
+                BaseEncoding.base64().decode(base64),
+                ivStr
             );
 
             // Abort if decrypted value cannot possibly have a signature AND data