mway08 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Need a version of EncryptedProperties that extends java.util.Properties #157

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
We need an implementation of EncryptedProperties that extends from 
java.util.Properties so that it can be used with other classes/frameworks that 
require an instance of Properties. 

This should NOT be a change to DefaultEncryptedProperties since that might 
affect current users of that class. 

The getProperty() and setProperty() methods must throw a RuntimeException if 
encryption fails. 

A careful examination of the overridden methods in Properties and Hashtable 
must be made to ensure that no vulnerabilities are introduced. 

Original issue reported on code.google.com by augu...@gmail.com on 11 Oct 2010 at 7:30

GoogleCodeExporter commented 9 years ago
Clarification: setProperty() and getProperty() methods should not simply throw 
RuntimeException for failed encryption / decryption. Rather, they should throw 
some new _subclass_ of RuntimeException; e.g., EncryptionRuntimeException. 
Furthermore this unchecked exception should be declared in the method signature 
(even though it is not strictly required) as well as being described in the 
methods' javadoc. This will make it easier for developers to handle that 
exception if they should so desire.

Original comment by kevin.w.wall@gmail.com on 11 Oct 2010 at 9:09
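
A sketch of the design requested in the two comments above, added as an illustration; it is not code from this issue's attachments or from ESAPI. The class name SealedProperties, the nested exception and the use of AES-GCM from javax.crypto in place of the ESAPI Encryptor are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class and exception names; AES-GCM stands in for the ESAPI Encryptor.
public class SealedProperties extends Properties {
    public static class EncryptionRuntimeException extends RuntimeException {
        EncryptionRuntimeException(String msg, Throwable cause) { super(msg, cause); }
    }
    private final transient SecretKey key;
    public SealedProperties(SecretKey key) { this.key = key; }
    // Values are held as Base64(iv || ciphertext), so Hashtable views, list() and store() only see ciphertext.
    @Override public synchronized Object setProperty(String k, String v) throws EncryptionRuntimeException {
        try {
            byte[] iv = new byte[12];
            new SecureRandom().nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(v.getBytes(StandardCharsets.UTF_8));
            byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
            System.arraycopy(ct, 0, out, iv.length, ct.length);
            return super.put(k, Base64.getEncoder().encodeToString(out));
        } catch (GeneralSecurityException e) {
            throw new EncryptionRuntimeException("encryption failed for " + k, e);
        }
    }
    @Override public String getProperty(String k) throws EncryptionRuntimeException {
        String stored = super.getProperty(k);
        if (stored == null) return null;
        try {
            byte[] in = Base64.getDecoder().decode(stored);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new EncryptionRuntimeException("decryption failed for " + k, e);
        }
    }
    // The inherited Map entry points would store plaintext; route them through setProperty().
    @Override public synchronized Object put(Object k, Object v) {
        if (!(k instanceof String) || !(v instanceof String))
            throw new IllegalArgumentException("keys and values must be Strings");
        return setProperty((String) k, (String) v);
    }
    @Override public synchronized void putAll(Map<?, ?> m) {
        for (Map.Entry<?, ?> e : m.entrySet()) put(e.getKey(), e.getValue());
    }
}
```

Map methods added in Java 8, such as putIfAbsent(), replace(), merge() and compute(), do not go through put() and would need the same treatment. load() needs its own review too: if it adds entries through put(), a stored file would be encrypted a second time.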

GoogleCodeExporter commented 9 years ago
Three new classes attached for review. It took a while to dig through all the 
methods of Properties and Hashtable (especially put()) to come up with suitable 
replacements. 

Original comment by augu...@gmail.com on 12 Oct 2010 at 4:07


GoogleCodeExporter commented 9 years ago
Updated test case, based on the one for DefaultEncryptedProperties. All tests 
pass.

Original comment by augu...@gmail.com on 12 Oct 2010 at 4:08


GoogleCodeExporter commented 9 years ago
These changes look good to me - unless I see comments to the contrary I will 
plan on committing this to the trunk this evening at 6pm MST.

Original comment by chrisisbeef on 13 Oct 2010 at 8:34

GoogleCodeExporter commented 9 years ago
Checked in 4 files. In source: 

org/owasp/esapi/errors/EnterpriseSecurityRuntimeException.java
org/owasp/esapi/errors/EncryptionRuntimeException.jav
org/owasp/esapi/reference/crypto/ReferenceEncryptedProperties.java

In test: 

org/owasp/esapi/reference/crypto/ReferenceEncryptedPropertiesTest.java

Original comment by augu...@gmail.com on 13 Oct 2010 at 10:26

GoogleCodeExporter commented 9 years ago
Also just checked in several more tests and a command line utility class for 
creating, reading and writing encrypted properties files and converting 
plaintext to encrypted properties.  

Original comment by augu...@gmail.com on 14 Oct 2010 at 3:23