Diffstat (limited to 'eaaf_core_utils/src/main')
-rw-r--r-- | eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java | 203 |
1 files changed, 102 insertions, 101 deletions
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
index 743a7318..bd2b3cab 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/credential/EaafKeyStoreFactory.java
@@ -27,11 +27,6 @@ import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
 
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.core.io.Resource;
-import org.springframework.core.io.ResourceLoader;
-
 import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
 import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException;
 import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException;
@@ -42,6 +37,12 @@ import at.gv.egiz.eaaf.core.impl.credential.SymmetricKeyConfiguration.SymmetricK
 import at.gv.egiz.eaaf.core.impl.data.Pair;
 import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
 import at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.ResourceLoader;
+
 import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
@@ -62,16 +63,16 @@ public class EaafKeyStoreFactory {
 public static final String ERRORCODE_06 = "internal.keystore.06";
 public static final String ERRORCODE_07 = "internal.keystore.07";
 public static final String ERRORCODE_10 = "internal.keystore.10";
-
+
 public static final String ERRORCODE_KEY_00 = "internal.key.00";
 
 private static final String HSM_FACADE_PROVIDER_CLASS = "at.asitplus.hsmfacade.provider.HsmFacadeProvider";
- private static final String HSM_FACADE_KEYSTORELOADPARAMETERS_CLASS
+ private static final String HSM_FACADE_KEYSTORELOADPARAMETERS_CLASS
 = "at.asitplus.hsmfacade.provider.RemoteKeyStoreLoadParameter";
 private static final String HSM_FACADE_PROVIDER_METHOD_CONSTRUCT = "getInstance";
 private static final String HSM_FACADE_PROVIDER_METHOD_INIT = "init";
 private static final String HSM_FACADE_PROVIDER_METHOD_ISINITIALIZED = "isInitialized";
- private static final String HSM_FACADE_PROVIDER_INIT_ERROR_MSG
+ private static final String HSM_FACADE_PROVIDER_INIT_ERROR_MSG
 = "Has HSM-Facade class supported '{}' method: {}";
 private static final String HSM_FACADE_PROVIDER = "HsmFacade";
 private static final String HSM_FACADE_KEYSTORE_TYPE = "RemoteKeyStore";
@@ -94,10 +95,10 @@ public class EaafKeyStoreFactory {
 */
 @Nonnull
 public Pair<SecretKey, Provider> buildNewSymmetricKey(SymmetricKeyConfiguration config) throws EaafException {
- log.trace("Starting symmetric-key generation based on configuration object ... ");
+ log.trace("Starting symmetric-key generation based on configuration object ... ");
 if (SymmetricKeyType.PASSPHRASE.equals(config.getKeyType())) {
 return generatePassPhraseBasedSymmetricKey(config);
-
+
 } else if (SymmetricKeyType.HSMFACADE.equals(config.getKeyType())) {
 if (isHsmFacadeInitialized) {
 return getSymmetricKeyFromHsmFacade(config);
@@ -109,17 +110,17 @@ public class EaafKeyStoreFactory {
 new Object[] { config.getFriendlyName() });
 }
-
+
 } else {
 log.warn("Symmetric KeyType: {} is unrecognized", config.getKeyType());
 throw new EaafConfigurationException(ERRORCODE_01,
 new Object[] { config.getFriendlyName() });
 }
-
-
+
+
 }
-
+
 /**
 * Get a new KeyStore based on a KeyStore configuration-object.
 *
@@ -172,46 +173,46 @@ public class EaafKeyStoreFactory {
 }
 
 @PostConstruct
- private void initialize() throws EaafException {
- Class<?> hsmProviderClazz = getHsmProviderClass();
- if (hsmProviderClazz != null) {
+ private void initialize() throws EaafException {
+ final Class<?> hsmProviderClazz = getHsmProviderClass();
+ if (hsmProviderClazz != null) {
 final String hsmFacadeHost = basicConfig.getBasicConfiguration(CONFIG_PROP_HSM_FACADE_HOST);
- Provider alreadyLoadedProvider = Security.getProvider(HSM_FACADE_PROVIDER);
- if (alreadyLoadedProvider != null
- && alreadyLoadedProvider.getClass().isAssignableFrom(hsmProviderClazz)) {
+ final Provider alreadyLoadedProvider = Security.getProvider(HSM_FACADE_PROVIDER);
+ if (alreadyLoadedProvider != null
+ && alreadyLoadedProvider.getClass().isAssignableFrom(hsmProviderClazz)) {
 log.info("Find already initialized Java SecurityProvider: {}", alreadyLoadedProvider.getName());
- //mark it as initialized if the state can not be determined
+ //mark it as initialized if the state can not be determined
 boolean isAlreadyInitialized = true;
 try {
- Method initializeCheck =
+ final Method initializeCheck =
 alreadyLoadedProvider.getClass().getMethod(HSM_FACADE_PROVIDER_METHOD_ISINITIALIZED, new Class[]{});
 isAlreadyInitialized = (boolean) initializeCheck.invoke(alreadyLoadedProvider);
-
- } catch (Exception e) {
+
+ } catch (final Exception e) {
 log.warn("Can not determine state of alreay loaded HSM Facade. Mark it as 'initialized'");
 log.debug("HSM Facade check error: {}", e.getMessage());
-
+
 }
 isHsmFacadeInitialized = isAlreadyInitialized;
-
+
 if (isHsmFacadeInitialized) {
 log.info("HSM Facade is already initialized. {} can provide KeyStores based on remote HSM", EaafKeyStoreFactory.class.getSimpleName());
-
+
 } else {
 log.info("HSM Facade is already loaded but not initialized. {} can NOT provide KeyStores based on remote HSM", EaafKeyStoreFactory.class.getSimpleName());
-
+
 }
-
- } else if (StringUtils.isNotEmpty(hsmFacadeHost)) {
+
+ } else if (StringUtils.isNotEmpty(hsmFacadeHost)) {
 log.debug("Find host for HSMFacade. Starting crypto provider initialization ... ");
 initializeHsmFacadeSecurityProvider(hsmProviderClazz, hsmFacadeHost);
-
+
 } else {
 log.info("HSM Facade is on ClassPath but not configurated. {} can only provide software keystores", EaafKeyStoreFactory.class.getSimpleName());
-
+
 }
 } else {
@@ -222,7 +223,7 @@ public class EaafKeyStoreFactory {
 }
 
- private void initializeHsmFacadeSecurityProvider(Class<?> hsmProviderClazz, String hsmFacadeHost)
+ private void initializeHsmFacadeSecurityProvider(Class<?> hsmProviderClazz, String hsmFacadeHost)
 throws EaafException {
 try {
 final int port = Integer.parseUnsignedInt(
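Review bot: The catch in initialize() that decides isHsmFacadeInitialized logs only `e.getMessage()` at debug level, and a failure of the reflective `isInitialized` probe typically surfaces as an InvocationTargetException whose message is null, so the reason the probe failed is lost while the provider is then optimistically treated as initialized. Pass the exception as the last argument so the stack trace is kept: `log.debug("HSM Facade check error", e);`. If the optimistic default is deliberate (a later key access fails at use time rather than at startup), the existing `//mark it as initialized` comment should say so, since a reader would otherwise expect fail-closed. The check `alreadyLoadedProvider.getClass().isAssignableFrom(hsmProviderClazz)` also reads reversed for "is the loaded provider an HsmFacadeProvider" and is only equivalent when both are the exact same class; a one-line comment stating that assumption would help. initialize() continues past this hunk.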
@@ -231,40 +232,40 @@ public class EaafKeyStoreFactory {
 getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_USERNAME);
 final String clientPassword = getConfigurationParameter(CONFIG_PROP_HSM_FACADE_CLIENT_PASSWORD);
-
- //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade
+
+ //initialize HSM-Facade by using JAVA Reflection, because in that case HSM-Facade
 //has not be in ClassPath on every project
- Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{});
- Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
+ final Method constructor = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, new Class[]{});
+ final Method initMethod = hsmProviderClazz.getMethod(HSM_FACADE_PROVIDER_METHOD_INIT,
 X509Certificate.class, String.class, String.class, String.class, int.class);
- if (initMethod != null && constructor != null) {
- Object rawProvider = constructor.invoke(hsmProviderClazz);
+ if (initMethod != null && constructor != null) {
+ final Object rawProvider = constructor.invoke(hsmProviderClazz);
 initMethod.invoke(
- rawProvider, getHsmFacadeTrustSslCertificate(),
+ rawProvider, getHsmFacadeTrustSslCertificate(),
 clientUsername, clientPassword, hsmFacadeHost, port);
-
- if (rawProvider instanceof Provider) {
+
+ if (rawProvider instanceof Provider) {
 Security.insertProviderAt((Provider) rawProvider, 0);
 isHsmFacadeInitialized = true;
 log.info("HSM Facade is initialized. {} can provide KeyStores based on remote HSM", EaafKeyStoreFactory.class.getSimpleName());
-
+
 } else {
- log.warn("Is HSM-Facade class type of 'java.security.Provider': {}",
- rawProvider instanceof Provider);
+ log.warn("Is HSM-Facade class type of 'java.security.Provider': {}",
+ rawProvider instanceof Provider);
 throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS});
-
+
 }
-
- } else {
- log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
+
+ } else {
+ log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
 HSM_FACADE_PROVIDER_METHOD_CONSTRUCT, constructor != null);
- log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
+ log.warn(HSM_FACADE_PROVIDER_INIT_ERROR_MSG,
 HSM_FACADE_PROVIDER_METHOD_INIT, initMethod != null);
 throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS});
-
+
 }
-
+
 //final HsmFacadeProvider provider = HsmFacadeProvider.Companion.getInstance();
 //provider.init(getHsmFacadeTrustSslCertificate(), clientUsername, clientPassword, hsmFacadeHost, port);
@@ -274,19 +275,19 @@ public class EaafKeyStoreFactory {
 } catch (final Exception e) {
 log.error("HSM Facade initialization FAILED with an generic error.", e);
 throw new EaafConfigurationException(ERRORCODE_03, new Object[] { e.getMessage() }, e);
-
+
 }
-
+
 }
 
 private Class<?> getHsmProviderClass() {
 try {
 return Class.forName(HSM_FACADE_PROVIDER_CLASS);
-
- } catch (ClassNotFoundException e1) {
+
+ } catch (final ClassNotFoundException e1) {
 log.debug("No HSM-Facade implemenation in ClassPath. HSM-Facade will not be available");
 return null;
-
+
 }
 }
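Review bot: The `if (initMethod != null && constructor != null)` branch in initializeHsmFacadeSecurityProvider can never take its else path, because `Class.getMethod` throws NoSuchMethodException instead of returning null, so the two `HSM_FACADE_PROVIDER_INIT_ERROR_MSG` warnings and the ERRORCODE_10 there are dead code and a missing method lands in the generic `catch (final Exception e)` as ERRORCODE_03 with only `e.getMessage()` in the payload. Catching `NoSuchMethodException` explicitly ahead of the generic catch and emitting those two warnings there would restore the intended diagnostics. Separately, `Security.insertProviderAt((Provider) rawProvider, 0)` passes position 0 to an API whose positions are 1-based; as far as I know the JDK treats an out-of-range position as "append at the end", so the provider gets no precedence — `Security.addProvider((Provider) rawProvider)` states that intent directly, and position 1 would be the choice if the HSM provider is meant to win algorithm lookups. The return value, which is -1 when a provider of that name is already installed, is also ignored. The enclosing try begins before this hunk.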
@@ -304,16 +305,16 @@ public class EaafKeyStoreFactory {
 if (config.isSkipMakeAbsolutPaths()) {
 log.debug("Use filepath from config: {}", keyStorePath);
 ressource = resourceLoader.getResource(keyStorePath);
-
+
 } else {
 final String absKeyStorePath = FileUtils.makeAbsoluteUrl(keyStorePath, basicConfig
- .getConfigurationRootDirectory());
+ .getConfigurationRootDirectory());
 log.debug("Use filepath from config: {}", absKeyStorePath);
-
+
 ressource = resourceLoader.getResource(absKeyStorePath);
-
+
 }
-
+
 if (!ressource.exists()) {
 throw new EaafConfigurationException(ERRORCODE_05, new Object[] { config.getFriendlyName(),
@@ -326,15 +327,15 @@ public class EaafKeyStoreFactory {
 is.close();
 return Pair.newInstance(keyStore, null);
-
- } catch (EaafException e) {
+
+ } catch (final EaafException e) {
 throw e;
-
- } catch (IOException e) {
+
+ } catch (final IOException e) {
 throw new EaafFactoryException(ERRORCODE_06, new Object[] { config.getFriendlyName(),
 "KeyStore not valid or password wrong" });
-
- } catch (Exception e) {
+
+ } catch (final Exception e) {
 log.error("Software KeyStore initialization FAILED with an generic error.", e);
 throw new EaafConfigurationException(ERRORCODE_03, new Object[] { e.getMessage() }, e);
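Review bot: `is.close()` in the second hunk is reached only on the success path, so when the KeyStore load preceding it (outside the hunk) throws, the stream opened for the software KeyStore is never closed; opening `is` in a try-with-resources would fix this, and the line that opens it lies before the hunk. The `catch (final IOException e)` also discards `e`: the EaafFactoryException carries "KeyStore not valid or password wrong" but no cause, so an unreadable or truncated file is indistinguishable from a wrong password in the logs. If EaafFactoryException has a cause-taking constructor (the sibling EaafConfigurationException call in the same catch chain passes `e`), pass it there; otherwise at least `log.debug("Software KeyStore load failed", e);` before rethrowing.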
@@ -345,14 +346,14 @@ public class EaafKeyStoreFactory {
 private Pair<KeyStore, Provider> getKeyStoreFromHsmFacade(KeyStoreConfiguration config)
 throws EaafFactoryException, EaafConfigurationException {
 return getKeyStoreFromHsmFacade(config.getKeyStoreName(), config.getFriendlyName());
-
+
 }
 
 @Nonnull
 private Pair<KeyStore, Provider> getKeyStoreFromHsmFacade(String keyStoreName, String friendlyName)
 throws EaafFactoryException, EaafConfigurationException {
 final String validatedKeyStoreName = checkConfigurationParameter(keyStoreName,
- ERRORCODE_06, friendlyName, "KeyStoreName missing for HSM Facade");
+ ERRORCODE_06, friendlyName, "KeyStoreName missing for HSM Facade");
 try {
 final KeyStore keyStore = KeyStore.getInstance(HSM_FACADE_KEYSTORE_TYPE, HSM_FACADE_PROVIDER);
@@ -368,35 +369,35 @@ public class EaafKeyStoreFactory {
 }
 }
-
+
 private KeyStore.LoadStoreParameter getHsmFacadeKeyStoreParameter(String keyStoreName) throws EaafException {
 try {
- Class<?> clazz = Class.forName(HSM_FACADE_KEYSTORELOADPARAMETERS_CLASS);
- Constructor<?> constructor = clazz.getConstructor(String.class);
- Object keyStoreParams = constructor.newInstance(keyStoreName);
+ final Class<?> clazz = Class.forName(HSM_FACADE_KEYSTORELOADPARAMETERS_CLASS);
+ final Constructor<?> constructor = clazz.getConstructor(String.class);
+ final Object keyStoreParams = constructor.newInstance(keyStoreName);
 return (LoadStoreParameter) keyStoreParams;
-
- } catch (Exception e) {
+
+ } catch (final Exception e) {
 log.error("Can NOT build class: {} for HSM-Facade provider", HSM_FACADE_KEYSTORELOADPARAMETERS_CLASS, e);
 throw new EaafException(ERRORCODE_10, new Object[] {HSM_FACADE_PROVIDER_CLASS}, e);
-
+
 }
-
+
 }
-
+
 @Nonnull
- private Pair<SecretKey, Provider> generatePassPhraseBasedSymmetricKey(SymmetricKeyConfiguration config)
+ private Pair<SecretKey, Provider> generatePassPhraseBasedSymmetricKey(SymmetricKeyConfiguration config)
 throws EaafConfigurationException {
 checkConfigurationParameter(config.getSoftKeyPassphrase(), ERRORCODE_KEY_00, config.getFriendlyName(), "passphrase missing");
 checkConfigurationParameter(config.getSoftKeySalt(), ERRORCODE_KEY_00, config.getFriendlyName(), "salt missing");
-
+
 try {
 final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WITHHMACSHA256");
 final KeySpec spec = new PBEKeySpec(
- config.getSoftKeyPassphrase().toCharArray(),
- config.getSoftKeySalt().getBytes("UTF-8"),
+ config.getSoftKeyPassphrase().toCharArray(),
+ config.getSoftKeySalt().getBytes("UTF-8"),
 10000, 128);
 return Pair.newInstance(keyFactory.generateSecret(spec), null);
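Review bot: `config.getSoftKeySalt().getBytes("UTF-8")` in generatePassPhraseBasedSymmetricKey uses the charset-name overload, which drags a checked UnsupportedEncodingException into the surrounding catch; `config.getSoftKeySalt().getBytes(StandardCharsets.UTF_8)` (java.nio.charset, needs an import) is equivalent and throws nothing. The PBKDF2 parameters `10000, 128` are unexplained magic numbers; lifting them into private static final constants named for what they are (iteration count, key length in bits) with a one-line comment on why those values were chosen would document the key-derivation contract next to the "PBKDF2WITHHMACSHA256" choice. The method's catch block lies past the end of this hunk.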
@@ -408,38 +409,38 @@ public class EaafKeyStoreFactory {
 }
 }
-
+
 @Nonnull
- private Pair<SecretKey, Provider> getSymmetricKeyFromHsmFacade(SymmetricKeyConfiguration config)
+ private Pair<SecretKey, Provider> getSymmetricKeyFromHsmFacade(SymmetricKeyConfiguration config)
 throws EaafFactoryException, EaafConfigurationException, EaafKeyAccessException {
- Pair<KeyStore, Provider> keyStore = getKeyStoreFromHsmFacade(
+ final Pair<KeyStore, Provider> keyStore = getKeyStoreFromHsmFacade(
 config.getKeyStoreName(), config.getFriendlyName());
-
+
 checkConfigurationParameter(config.getKeyAlias(), ERRORCODE_KEY_00, config.getFriendlyName(), "keyAlias missing");
-
+
 try {
- SecretKey secretKey = (SecretKey) keyStore.getFirst().getKey(config.getKeyAlias(), null);
+ final SecretKey secretKey = (SecretKey) keyStore.getFirst().getKey(config.getKeyAlias(), null);
 if (secretKey == null) {
- throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09,
+ throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09,
 config.getFriendlyName(), config.getKeyAlias(), "No SecretKey with Alias ");
-
- }
-
+
+ }
+
 return Pair.newInstance(secretKey, keyStore.getSecond());
-
+
 } catch (UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException e) {
- throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09, e,
+ throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09, e,
 config.getFriendlyName(), config.getKeyAlias(), e.getMessage());
-
- } catch (ClassCastException e) {
- throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09,
+
+ } catch (final ClassCastException e) {
+ throw new EaafKeyAccessException(EaafKeyAccessException.ERROR_CODE_09,
 config.getFriendlyName(), config.getKeyAlias(), "Wrong SecretKey type ");
-
+
 }
-
+
 }
-
+
 private X509Certificate getHsmFacadeTrustSslCertificate() throws EaafConfigurationException {
 try {
 final String certFilePath = getConfigurationParameter(CONFIG_PROP_HSM_FACADE_SSLTRUST);
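Review bot: getSymmetricKeyFromHsmFacade relies on `catch (final ClassCastException e)` in place of a type check; binding the lookup to `java.security.Key` and testing `if (!(key instanceof SecretKey))` right after the existing null check, throwing the same "Wrong SecretKey type " EaafKeyAccessException there, keeps the wrong-type path explicit and lets the CCE catch be dropped. The commit also adds `final` to every other catch parameter but leaves `catch (UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException e)` untouched — harmless, since multi-catch parameters are implicitly final, but inconsistent with the style being applied across the file.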