Class Obfuscator

java.lang.Object
org.jivesoftware.util.Obfuscator

public class Obfuscator extends Object
Utility class providing deterministic obfuscation using hardcoded constants. This is NOT cryptographically secure encryption - it uses fixed IV and key values to provide consistent, reversible obfuscation of data.
This class is intended for obfuscating configuration values where deterministic output is required (same input always produces same output), but where the values should not be stored in plain text.
For true encryption with security guarantees, use AesEncryptor with a randomly generated IV for each encryption operation.
Author:
Matthew Vivian
  • Constructor Details

    • Obfuscator

      public Obfuscator()
      Default constructor. Initialises the BouncyCastle security provider if not already loaded.
  • Method Details

    • obfuscate

      public String obfuscate(String value)
      Obfuscates a string value using hardcoded constants. The same input will always produce the same output (deterministic).
      WARNING: This is NOT cryptographically secure encryption. This method uses:
      - A static initialization vector (IV)
      - A hardcoded key
      - CBC mode (vulnerable to padding oracle attacks)
      This provides only obfuscation (hiding from casual viewing), not security. Anyone with access to the source code can reverse this obfuscation.
      Use cases:
      - Storing configuration values that should not be in plaintext
      - Backward compatibility with legacy AesEncryptor data
      - Situations requiring deterministic output (same input → same output)
      For cryptographically secure encryption, use AesEncryptor instead.
      Parameters:
      value - the value to obfuscate
      Returns:
      the Base64-encoded obfuscated value, or null if input is null
    • deobfuscate

      public String deobfuscate(String value)
      Deobfuscates a Base64-encoded obfuscated string.
      WARNING: This method intentionally uses a static initialization vector (IV) and a hardcoded key for backward compatibility with legacy AesEncryptor implementations. This is NOT cryptographically secure and should ONLY be used for obfuscation (hiding values from casual viewing), not for security-critical encryption.
      The use of a static IV is a known cryptographic weakness that allows pattern analysis and reduces security to "security through obscurity". This is acceptable for this use case because the method is designed for deterministic obfuscation, not secure encryption.
      Key security limitations:
      - Static IV enables pattern analysis (identical plaintexts → identical ciphertexts)
      - Hardcoded key means anyone with source code access can decrypt
      - CBC mode is vulnerable to padding oracle attacks
      - No authentication (no AEAD), making tampering undetectable
      This intentional use of weak cryptography will be flagged by static analysis tools (CodeQL). The warnings are expected and acceptable given the obfuscation-only purpose of this code.
      For cryptographically secure encryption, use AesEncryptor which provides:
      - Random IV generation for each encryption operation
      - Support for custom encryption keys
      Parameters:
      value - the Base64-encoded obfuscated value
      Returns:
      the original plaintext value, or null if input is null
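
The static-IV limitation listed above (identical plaintexts → identical ciphertexts), shown with the JDK's own `javax.crypto` as an added example that is not Openfire's code. The class name, key, IV and sample strings are constructed for the demo, and `AES/CBC/PKCS5Padding` is an assumption, since the page only states "CBC mode".

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class StaticIvDemo {
    // Constructed placeholder constants for this demo; NOT the values used by Obfuscator.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] FIXED_IV = new byte[16];

    // AES/CBC/PKCS5Padding is an assumption; the page only states "CBC mode".
    static byte[] encrypt(String plaintext, byte[] iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    static byte[] randomIv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return iv;
    }

    static String b64(byte[] data) {
        return Base64.getEncoder().encodeToString(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values that share their first 16 bytes ("jdbc:mysql://db1").
        String a = "jdbc:mysql://db1.example.test/openfire";
        String b = "jdbc:mysql://db1.example.test/archive";

        // Fixed IV: repeated input gives identical output (the deterministic property).
        System.out.println("fixed IV, same input equal:  "
                + Arrays.equals(encrypt(a, FIXED_IV), encrypt(a, FIXED_IV)));

        // Fixed IV: a shared 16-byte plaintext prefix shows up as a shared first ciphertext block.
        byte[] ca = encrypt(a, FIXED_IV), cb = encrypt(b, FIXED_IV);
        System.out.println("fixed IV, first block equal: "
                + Arrays.equals(Arrays.copyOf(ca, 16), Arrays.copyOf(cb, 16)));
        System.out.println("  " + b64(ca));
        System.out.println("  " + b64(cb));

        // Fresh random IV per call: the same input no longer produces the same ciphertext.
        System.out.println("random IV, same input equal: "
                + Arrays.equals(encrypt(a, randomIv()), encrypt(a, randomIv())));
    }
}
```

With a random IV the IV has to be stored next to the ciphertext so the value can be decrypted later, which is why that mode cannot give the same-input-same-output behaviour this class exists for.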