summaryrefslogtreecommitdiff
path: root/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
diff options
context:
space:
mode:
Diffstat (limited to 'eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java')
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java57
1 files changed, 38 insertions, 19 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
index bc770a8c..ad6471d5 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
@@ -1,19 +1,14 @@
package at.gv.egiz.eaaf.core.impl.utils;
import java.io.UnsupportedEncodingException;
-import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.annotation.PostConstruct;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
@@ -32,6 +27,9 @@ import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.exceptions.EaafIllegalStateException;
import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;
+import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory;
+import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration.SymmetricKeyType;
/**
* PendingRequestId generation strategy based on signed tokens that facilitates
@@ -45,11 +43,22 @@ public class SecurePendingRequestIdGenerationStrategy
private static final Logger log =
LoggerFactory.getLogger(SecurePendingRequestIdGenerationStrategy.class);
- @Autowired(required = true)
- IConfiguration baseConfig;
+ @Autowired(required = true) IConfiguration baseConfig;
+ @Autowired EaafKeyStoreFactory keyStoreFactory;
+ private static final String FRIENDLYNAME = "pendingRequestId key";
+
+ public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_TYPE =
+ "core.pendingrequestid.digist.type";
public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET =
"core.pendingrequestid.digist.secret";
+
+ public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_HSM_KEYSTORE =
+ "core.pendingrequestid.digist.keystore.name";
+ public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_HSM_ALIAS =
+ "core.pendingrequestid.digist.key.alias";
+
+
public static final String CONFIG_PROP_PENDINGREQUESTID_DIGIST_ALGORITHM =
"core.pendingrequestid.digist.algorithm";
public static final String CONFIG_PROP_PENDINGREQUESTID_MAX_LIFETIME =
@@ -67,7 +76,7 @@ public class SecurePendingRequestIdGenerationStrategy
private final int maxPendingReqIdSize = 1024;
private String digistAlgorithm = null;
private SecretKey key = null;
- private final byte[] salt = "notRequiredInThisScenario".getBytes(Charset.defaultCharset());
+ private final String salt = "notRequiredInThisScenario";
@Override
public String generateExternalPendingRequestId() throws EaafException {
@@ -183,13 +192,6 @@ public class SecurePendingRequestIdGenerationStrategy
private void initialize() throws EaafConfigurationException {
log.debug("Initializing " + this.getClass().getName() + " ... ");
- final String pendingReqIdDigistSecret =
- baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET);
- if (StringUtils.isEmpty(pendingReqIdDigistSecret)) {
- throw new EaafConfigurationException("config.08",
- new Object[] { CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET });
- }
-
digistAlgorithm = baseConfig.getBasicConfiguration(
CONFIG_PROP_PENDINGREQUESTID_DIGIST_ALGORITHM, DEFAULT_PENDINGREQUESTID_DIGIST_ALGORITHM);
@@ -197,12 +199,29 @@ public class SecurePendingRequestIdGenerationStrategy
Integer.parseInt(baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_MAX_LIFETIME,
DEFAULT_PENDINGREQUESTID_MAX_LIFETIME));
+
+ SymmetricKeyConfiguration secretKeyConfig = new SymmetricKeyConfiguration();
+ secretKeyConfig.setFriendlyName(FRIENDLYNAME);
+ secretKeyConfig.setKeyType(
+ baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_TYPE,
+ SymmetricKeyType.PASSPHRASE.name()));
+
+ secretKeyConfig.setSoftKeyPassphrase(
+ baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET));
+ secretKeyConfig.setSoftKeySalt(salt);
+
+ secretKeyConfig.setKeyStoreName(
+ baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_HSM_KEYSTORE));
+ secretKeyConfig.setKeyAlias(
+ baseConfig.getBasicConfiguration(CONFIG_PROP_PENDINGREQUESTID_DIGIST_HSM_ALIAS));
+
+ //validate symmetric-key configuration
+ secretKeyConfig.validate();
+
try {
- final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WITHHMACSHA256");
- final KeySpec spec = new PBEKeySpec(pendingReqIdDigistSecret.toCharArray(), salt, 10000, 128);
- key = keyFactory.generateSecret(spec);
+ key = keyStoreFactory.buildNewSymmetricKey(secretKeyConfig).getFirst();
- } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
+ } catch (EaafException e) {
log.error("Can NOT initialize TokenService with configuration object", e);
throw new EaafConfigurationException("config.09",
new Object[] { CONFIG_PROP_PENDINGREQUESTID_DIGIST_SECRET, "Can NOT generate HMAC key" },
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-02 20:01:44 +0000