Examples with WrappableKeyProtectionManager - org.nhindirect.common.crypto.WrappableKeyProtectionManager

Example 1 with WrappableKeyProtectionManager

use of org.nhindirect.common.crypto.WrappableKeyProtectionManager in project nhin-d by DirectProject.

the class PKCS11Commands method importPrivateKeyFile.

//@Command(name = "ImportP12FileForTempKey", usage = IMPORT_P12_FILE_FOR_TEMP_KEY)
public void importPrivateKeyFile(String[] args) {
    if (!(mgr instanceof WrappableKeyProtectionManager)) {
        System.out.println("Key store manager does not support wrapping.");
        return;
    }
    final WrappableKeyProtectionManager wrapMgr = (WrappableKeyProtectionManager) mgr;
    final String fileName = StringArrayUtil.getRequiredValue(args, 0);
    final String keyStorePass = StringArrayUtil.getOptionalValue(args, 1, "");
    final String privKeyPass = StringArrayUtil.getOptionalValue(args, 2, "");
    try {
        final KeyStore pkcs11Store = mgr.getKS();
        final String providerName = pkcs11Store.getProvider().getName();
        System.out.println("Provider Name: " + providerName);
        /*
			 * 1. Create an AES128 secret key on the HSM that will be used to 
			 * encrypt and decrypt private key data.  Use the PrivKeyProtKey entry to store it
			 */
        final KeyGenerator keyGen = KeyGenerator.getInstance("AES", providerName);
        keyGen.init(128);
        final SecretKey keyStoreSecretKey = keyGen.generateKey();
        /*
			 * 2. Get an existing private key that was generated and is stored in a p12 file.  
			 * For real operations, the private key may be generated on an HSM and exported in wrapped format for
			 * storage in a database.  For this test, we'll just use an existing private key in a p12 file and 
			 * wrap it on the HSM.
			 */
        final KeyStore store = KeyStore.getInstance("pkcs12");
        store.load(FileUtils.openInputStream(new File(fileName)), keyStorePass.toCharArray());
        // there should only be on entry
        final String alias = store.aliases().nextElement();
        final PrivateKey entry = (PrivateKey) store.getKey(alias, privKeyPass.toCharArray());
        /*
			 * 3. "Wrap" the private using secret key and AES128 encryption and write it to a file.  The encryption is done
			 * on the HSM so the secret key never leaves the HSM token.  We aren't actually "wrapping" the private key because
			 * it's not on the HSM.  Using "encrypt" instead.
			 */
        /*
			final Cipher wrapCipher = Cipher.getInstance("AES/CBC/PKCS5Padding", providerName);
			wrapCipher.init(Cipher.WRAP_MODE, keyStoreSecretKey, iv);
			byte[] wrappedKey = wrapCipher.wrap(entry);
			*/
        byte[] wrappedKey = wrapMgr.wrapWithSecretKey(keyStoreSecretKey, entry);
        /*
			 * 4. Now we have a wrap key in a file.  Let's install it into the token using the 
			 * secret key on the HSM.  This should return us with a private key object, but we should
			 * not be able to get access to the actual unencrypted key data.
			 */
        byte[] encryptedKey = wrappedKey;
        /*
			final Cipher unwrapCipher = Cipher.getInstance("AES/CBC/PKCS5Padding", providerName);
			unwrapCipher.init(Cipher.UNWRAP_MODE, keyStoreSecretKey, iv);
			@SuppressWarnings("unused")
			final PrivateKey securedPrivateKey = (PrivateKey)unwrapCipher.unwrap(encryptedKey, "RSA", Cipher.PRIVATE_KEY);
			*/
        @SuppressWarnings("unused") final PrivateKey securedPrivateKey = (PrivateKey) wrapMgr.unwrapWithSecretKey(keyStoreSecretKey, encryptedKey, "RSA", Cipher.PRIVATE_KEY);
        System.out.println("Successfully created an unwrapped private key");
    } catch (Exception e) {
        e.printStackTrace();
    }
}

Also used : WrappableKeyProtectionManager(org.nhindirect.common.crypto.WrappableKeyProtectionManager) SecretKey(javax.crypto.SecretKey) PrivateKey(java.security.PrivateKey) KeyStore(java.security.KeyStore) KeyGenerator(javax.crypto.KeyGenerator) File(java.io.File)

Example 2 with WrappableKeyProtectionManager

use of org.nhindirect.common.crypto.WrappableKeyProtectionManager in project nhin-d by DirectProject.

the class WrappedOnDemandX509CertificateEx method getPrivateKey.

/**
     * {@inheritDoc}}
     */
public synchronized PrivateKey getPrivateKey() {
    if (wrappedKey != null)
        return wrappedKey;
    final WrappableKeyProtectionManager wrapManager = (WrappableKeyProtectionManager) mgr;
    // get the key algorithm from the public key... this will be needed
    // as a parameter to the unwrap method
    final String keyAlg = this.internalCert.getPublicKey().getAlgorithm();
    try {
        wrappedKey = (PrivateKey) wrapManager.unwrapWithSecretKey((SecretKey) mgr.getPrivateKeyProtectionKey(), wrappedData, keyAlg, Cipher.PRIVATE_KEY);
    } catch (CryptoException e) {
        throw new NHINDException(AgentError.Unexpected, "Failed to access wrapped private key.", e);
    }
    return wrappedKey;
}

Also used : WrappableKeyProtectionManager(org.nhindirect.common.crypto.WrappableKeyProtectionManager) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException) NHINDException(org.nhindirect.stagent.NHINDException)

Aggregations

WrappableKeyProtectionManager (org.nhindirect.common.crypto.WrappableKeyProtectionManager)2 File (java.io.File)1 KeyStore (java.security.KeyStore)1 PrivateKey (java.security.PrivateKey)1 KeyGenerator (javax.crypto.KeyGenerator)1 SecretKey (javax.crypto.SecretKey)1 CryptoException (org.nhindirect.common.crypto.exceptions.CryptoException)1 NHINDException (org.nhindirect.stagent.NHINDException)1