use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.
the class StaticCachedPKCS11TokenKeyStoreProtectionManager method initTokenStore.
/**
* {@inheritDoc}
*/
public void initTokenStore() throws CryptoException {
loadProvider();
try {
ks = KeyStore.getInstance(keyStoreType);
ks.load(keyStoreSource, credential.getPIN());
// preload the 2 secret keys
keystoreProtectionKey = this.getKey(keyStorePassPhraseAlias);
privateKeyProtectionKey = this.getKey(privateKeyPassPhraseAlias);
// some HSMs only store references to the keys in these objects and
// and still have to go back to the HSM to pull the actual key data
// create a key object from the encoded data
keystoreProtectionKey = new SecretKeySpec(keystoreProtectionKey.getEncoded(), "");
privateKeyProtectionKey = new SecretKeySpec(privateKeyProtectionKey.getEncoded(), "");
} catch (Exception e) {
throw new CryptoException("Error initializing PKCS11 token", e);
}
}
use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.
the class AbstractPKCS11TokenKeyStoreProtectionManager method setPrivateKeyProtectionKeyAsBytes.
/**
* {@inheritDoc}
*/
@Override
public void setPrivateKeyProtectionKeyAsBytes(byte[] key) throws CryptoException {
try {
final Key keySpec = new SecretKeySpec(key, "");
safeSetKeyWithRetry(privateKeyPassPhraseAlias, keySpec);
} catch (CryptoException e) {
throw e;
} catch (Exception e) {
throw new CryptoException("Error storing key store protection into PKCS11 token", e);
}
}
use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.
the class AbstractPKCS11TokenKeyStoreProtectionManager method setKeyStoreProtectionKeyAsString.
/**
* {@inheritDoc}
*/
@Override
public void setKeyStoreProtectionKeyAsString(String key) throws CryptoException {
try {
final Key keySpec = new SecretKeySpec(key.getBytes(), "");
safeSetKeyWithRetry(keyStorePassPhraseAlias, keySpec);
} catch (CryptoException e) {
throw e;
} catch (Exception e) {
throw new CryptoException("Error storing key store protection into PKCS11 token", e);
}
}
use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.
the class PKCS11OperationTests method testImportEncryptedPrivateKeyWithWrapping.
/**
* This test will most likely kick out when executed, but can serve as sample code
* for wrapping and unwrapping sensitive key material on a PKCS11 token.
* @throws Exception
*/
@Test
public void testImportEncryptedPrivateKeyWithWrapping() throws Exception {
/*
* The point of this test is to ensure encrypted private keys can be loaded
* into the token without ever exposing any secret material in process memory.
*/
final String pkcs11ProvName = TestUtils.setupSafeNetToken();
if (!StringUtils.isEmpty(pkcs11ProvName)) {
final PKCS11Credential cred = new BootstrappedPKCS11Credential("1Kingpuff");
final StaticPKCS11TokenKeyStoreProtectionManager mgr = new StaticPKCS11TokenKeyStoreProtectionManager(cred, "KeyStoreProtKey", "PrivKeyProtKey");
/*
* 1. Create an AES128 secret key on the HSM that will be used to
* encrypt and decrypt private key data. Use the PrivKeyProtKey entry to store it
*/
final KeyGenerator keyGen = KeyGenerator.getInstance("AES", pkcs11ProvName);
keyGen.init(128);
final SecretKey keyStoreSecretKey = keyGen.generateKey();
/*
* 2. Get an existing private key that was generated and is stored in a p12 file.
* For real operations, the private key may be generated on an HSM and exported in wrapped format for
* storage in a database. For this test, we'll just use an existing private key in a p12 file and
* wrap it on the HSM.
*/
final KeyStore store = KeyStore.getInstance("pkcs12");
store.load(FileUtils.openInputStream(new File("./src/test/resources/certs/gm2552encrypted.p12")), "1kingpuff".toCharArray());
// there should only be on entry
final String alias = store.aliases().nextElement();
final PrivateKey entry = (PrivateKey) store.getKey(alias, "1kingpuff".toCharArray());
/*
* 3. "Wrap" the private using secret key and AES128 encryption and write it to a file. The encryption is done
* on the HSM so the secret key never leaves the HSM token. We aren't actually "wrapping" the private key because
* it's not on the HSM. Using "encrypt" instead.
*/
byte[] wrappedKey = null;
try {
wrappedKey = mgr.wrapWithSecretKey(keyStoreSecretKey, entry);
} catch (CryptoException e) {
// this HSM token does not support wrapping.... kick out
return;
}
FileUtils.writeByteArrayToFile(new File("wrappedPrivateKey.der"), wrappedKey);
/*
* 4. Now we have a wrap key in a file. Let's install it into the token using the
* secret key on the HSM. This should return us with a private key object, but we should
* not be able to get access to the actual unencrypted key data.
*/
byte[] encryptedKey = FileUtils.readFileToByteArray(new File("wrappedPrivateKey.der"));
final PrivateKey securedPrivateKey = (PrivateKey) mgr.unwrapWithSecretKey(keyStoreSecretKey, encryptedKey, "RSA", Cipher.PRIVATE_KEY);
assertNotNull(securedPrivateKey);
}
}
use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.
the class HashableBasicAuthValidator method convertPassToHash.
/**
* Converts the password to the appropriate hash representation.
* @param password The plain text password that is part of the resource request.
* @return The password in the appropriate hash representation.
* @throws CryptoException
*/
protected String convertPassToHash(String password) throws CryptoException {
if (hashType.compareToIgnoreCase(HASH_CLEAR) == 0)
return password;
final String digistAlg = DIGEST_TYPE_MAP.get(hashType);
try {
final MessageDigest md = MessageDigest.getInstance(digistAlg);
md.update(password.getBytes());
final byte[] digest = md.digest();
return createStringRep(digest);
} catch (NoSuchAlgorithmException e) {
throw new CryptoException("Algorithm not supported.", e);
}
}
Aggregations