Sending push notifications with encrypted data payload from appengine (java, standard environment)


Marco Pöhler

Jul 29, 2016, 9:37:47 AM
to Google App Engine
Hi,

I want to send web push notifications with an encrypted data payload from App Engine (Java, Standard Environment - I'm sure it will work in the Flexible Environment, but it's still beta, not recommended for production use, only hosted in the US, and I reside in Germany/Europe, where we have strict laws when it comes to storage of customer data).

My current approach was to adopt the web-push library. I backported it to Java7 (here), and I'm still able to send encrypted push notifications to my browser from the testcase. The URLFetchService must be used instead of org.apache.http.client, of course.

Sadly, web-push uses javax.crypto.spec.GCMParameterSpec which is not whitelisted and I get the following error: 

java.lang.NoClassDefFoundError: javax.crypto.spec.GCMParameterSpec is a restricted class. Please see the Google  App Engine developer's guide for more details.
at com.google.appengine.tools.development.agent.runtime.Runtime.reject(Runtime.java:52)
        at nl.martijndwars.webpush.HttpEce.encrypt(HttpEce.java:176)

The encryption to use for Web Push is "AES/GCM/NoPadding" as described in detail here, so I think this class, which describes the parameters for the GCM algorithm, is mandatory to get this working.

The following snippet shows how GCMParameterSpec is used in web-push:

Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key_, "AES"), new GCMParameterSpec(16 * 8, nonce_));
cipher.update(new byte[padSize]);

Is there another way to encode data on appengine in a web-push compatible way?

cheers,

Marco


 


Nick (Cloud Platform Support)

Aug 2, 2016, 4:29:23 PM
to Google App Engine
Hey Marco,

I'm not enough of an expert on Java crypto to say how to substitute GCMParameterSpec for another class, and it seems from a cursory examination of the Cipher class and the AlgorithmParameterSpec interface that this isn't possible, but I can recommend that if you need access to functionality that's outside the Standard Runtime security whitelist and you can't use a beta product, Compute Engine is a great place to host the process which needs access to the full JRE.

You could either host your server as a Compute Engine VM cluster behind an HTTP(S) Load Balancer and AutoScaler or use App Engine for the front-ends with Cloud Pub/Sub handling the issue of sending messages, through the Compute Engine instance which can run the crypto code, on to the recipient of the encrypted message.

Let me know if you have any further questions I can do my best to answer. 

Cheers,

Nick
Cloud Platform Community Support

lukas sekerak

Oct 14, 2016, 4:53:32 PM
to Google App Engine
Hello,

is there any other solution?

For example, I don't want to use a Compute Engine VM, because it does not support Objectify.

Lukas Sekerak
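
Added example, not part of the thread or of the web-push library: the snippet in the first post goes through javax.crypto, while Bouncy Castle's lightweight API (org.bouncycastle.crypto) computes the same AES/GCM/NoPadding output without Cipher or GCMParameterSpec. Assumptions: the Bouncy Castle jar is bundled with the app and its lightweight classes are not restricted by the runtime; the class name, key, nonce and padSize of 2 are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

/** Hypothetical helper: AES-GCM through Bouncy Castle's lightweight API only. */
public final class LightweightGcm {
    private static final int TAG_BITS = 16 * 8; // same tag length as the thread's snippet

    /** One GCM pass; the 16-byte tag is appended (encrypt) or verified (decrypt). */
    private static byte[] run(boolean encrypt, byte[] key, byte[] nonce, byte[] in)
            throws InvalidCipherTextException {
        // Constructor form of 2016-era BC releases; newer releases also offer newInstance().
        GCMBlockCipher gcm = new GCMBlockCipher(new AESEngine());
        gcm.init(encrypt, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce));
        byte[] out = new byte[gcm.getOutputSize(in.length)];
        int n = gcm.processBytes(in, 0, in.length, out, 0);
        n += gcm.doFinal(out, n); // throws InvalidCipherTextException on a bad tag
        return Arrays.copyOf(out, n);
    }

    /** Encrypts padSize zero bytes followed by the payload, like cipher.update(new byte[padSize]). */
    public static byte[] encrypt(byte[] key, byte[] nonce, int padSize, byte[] payload)
            throws InvalidCipherTextException {
        byte[] plain = new byte[padSize + payload.length]; // leading bytes stay zero
        System.arraycopy(payload, 0, plain, padSize, payload.length);
        return run(true, key, nonce, plain);
    }

    /** Verifies the tag, then strips the padSize leading bytes. */
    public static byte[] decrypt(byte[] key, byte[] nonce, int padSize, byte[] record)
            throws InvalidCipherTextException {
        byte[] plain = run(false, key, nonce, record);
        return Arrays.copyOfRange(plain, padSize, plain.length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a (key, nonce) pair must never be reused for real messages.
        byte[] key = new byte[16];
        byte[] nonce = new byte[12];
        Arrays.fill(key, (byte) 0x11);
        Arrays.fill(nonce, (byte) 0x22);
        byte[] msg = "hello push".getBytes(StandardCharsets.UTF_8);
        byte[] record = encrypt(key, nonce, 2, msg);
        System.out.println(record.length == 2 + msg.length + 16);
        System.out.println(Arrays.equals(msg, decrypt(key, nonce, 2, record)));
    }
}
```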