From 5b5ce421d5f4840ae47dc5b08d8af17047348f03 Mon Sep 17 00:00:00 2001
From: Radek Davidek <rdavidek@trask.cz>
Date: Tue, 21 Oct 2025 16:48:27 +0200
Subject: [PATCH] decode APIM3.2 credentials - clientSecret

---
 .../migration/mapper/ApiDefinitionMapper.java |  3 +-
 .../migration/util/CredentialsDecoder.java    | 55 +++++++++++--------
 2 files changed, 35 insertions(+), 23 deletions(-)

diff --git a/src/main/java/cz/trask/migration/mapper/ApiDefinitionMapper.java b/src/main/java/cz/trask/migration/mapper/ApiDefinitionMapper.java
index 8fd7d57..e2aa681 100644
--- a/src/main/java/cz/trask/migration/mapper/ApiDefinitionMapper.java
+++ b/src/main/java/cz/trask/migration/mapper/ApiDefinitionMapper.java
@@ -14,6 +14,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import cz.trask.migration.model.ApiDefinition32;
 import cz.trask.migration.model.ApiDefinition45;
 import cz.trask.migration.model.ApiDefinition45.ApiPolicies;
+import cz.trask.migration.util.CredentialsDecoder;
 
 public class ApiDefinitionMapper {
 
@@ -216,7 +217,7 @@ public class ApiDefinitionMapper {
 		newSec.setType(oldSec.getType());
 		newSec.setTokenUrl(oldSec.getTokenUrl());
 		newSec.setClientId(oldSec.getClientId());
-		newSec.setClientSecret(oldSec.getClientSecret());
+		newSec.setClientSecret(CredentialsDecoder.decodeCredentials(oldSec.getClientSecret(), "wso2apim32-pk.pem"));
 		newSec.setUsername(oldSec.getUsername());
 		newSec.setPassword(oldSec.getPassword());
 		newSec.setGrantType(oldSec.getGrantType());
diff --git a/src/main/java/cz/trask/migration/util/CredentialsDecoder.java b/src/main/java/cz/trask/migration/util/CredentialsDecoder.java
index 9be5e3c..e54579f 100644
--- a/src/main/java/cz/trask/migration/util/CredentialsDecoder.java
+++ b/src/main/java/cz/trask/migration/util/CredentialsDecoder.java
@@ -16,34 +16,45 @@ import lombok.extern.log4j.Log4j2;
 
 @Log4j2
 public class CredentialsDecoder {
-	
-	public static void decodeCredentials(String credentials, String pkFile) throws Exception {
-		String decodedJson = new String(Base64.getDecoder().decode(credentials));
-		log.debug("Decoded JSON: {}", decodedJson);
 
-		ObjectMapper mapper = new ObjectMapper();
-		Map<String, String> jsonMap = mapper.readValue(decodedJson, Map.class);
+	public static String decodeCredentials(String credentials, String pkFile) {
+		if (credentials == null || credentials.isEmpty()) {
+			log.warn("No credentials provided to decode.");
+			return null;
+		}
+		try {
+			String decodedJson = new String(Base64.getDecoder().decode(credentials));
+			log.debug("Decoded JSON: {}", decodedJson);
 
-		String cipherBase64 = jsonMap.get("c");
-		String transformation = jsonMap.get("t");
-		log.debug("Used algorithm: {}", transformation);
+			ObjectMapper mapper = new ObjectMapper();
+			Map<String, String> jsonMap = mapper.readValue(decodedJson, Map.class);
 
-		String privateKeyPEM = new String(Files.readAllBytes(Paths.get(pkFile)))
-				.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "")
-				.replaceAll("\\s+", "");
-		byte[] privateKeyBytes = Base64.getDecoder().decode(privateKeyPEM);
+			String cipherBase64 = jsonMap.get("c");
+			String transformation = jsonMap.get("t");
+			log.debug("Used algorithm: {}", transformation);
 
-		PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
-		KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-		PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
+			String privateKeyPEM = new String(Files.readAllBytes(Paths.get(pkFile)))
+					.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "")
+					.replaceAll("\\s+", "");
+			byte[] privateKeyBytes = Base64.getDecoder().decode(privateKeyPEM);
 
-		byte[] encryptedBytes = Base64.getDecoder().decode(cipherBase64);
-		Cipher cipher = Cipher.getInstance(transformation);
-		cipher.init(Cipher.DECRYPT_MODE, privateKey);
+			PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
+			KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+			PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
 
-		byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
-		String decryptedText = new String(decryptedBytes, "UTF-8");
+			byte[] encryptedBytes = Base64.getDecoder().decode(cipherBase64);
+			Cipher cipher = Cipher.getInstance(transformation);
+			cipher.init(Cipher.DECRYPT_MODE, privateKey);
 
-		log.debug("Decoded credential: {}", decryptedText);
+			byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
+			String decryptedText = new String(decryptedBytes, "UTF-8");
+
+			log.debug("Decoded credential: {}", decryptedText);
+
+			return decryptedText;
+		} catch (Exception e) {
+			log.error("Error decoding credentials: ", e);
+			return null;
+		}
 	}
 }