Search in sources :

Example 16 with CryptoException

use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.

the class StaticCachedPKCS11TokenKeyStoreProtectionManager method initTokenStore.

/**
	 * {@inheritDoc}
	 */
public void initTokenStore() throws CryptoException {
    loadProvider();
    try {
        ks = KeyStore.getInstance(keyStoreType);
        ks.load(keyStoreSource, credential.getPIN());
        // preload the 2 secret keys
        keystoreProtectionKey = this.getKey(keyStorePassPhraseAlias);
        privateKeyProtectionKey = this.getKey(privateKeyPassPhraseAlias);
        // some HSMs only store references to the keys in these objects and 
        // and still have to go back to the HSM to pull the actual key data
        // create a key object from the encoded data
        keystoreProtectionKey = new SecretKeySpec(keystoreProtectionKey.getEncoded(), "");
        privateKeyProtectionKey = new SecretKeySpec(privateKeyProtectionKey.getEncoded(), "");
    } catch (Exception e) {
        throw new CryptoException("Error initializing PKCS11 token", e);
    }
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException)

Example 17 with CryptoException

use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.

the class AbstractPKCS11TokenKeyStoreProtectionManager method setPrivateKeyProtectionKeyAsBytes.

/**
	 * {@inheritDoc}
	 */
@Override
public void setPrivateKeyProtectionKeyAsBytes(byte[] key) throws CryptoException {
    try {
        final Key keySpec = new SecretKeySpec(key, "");
        safeSetKeyWithRetry(privateKeyPassPhraseAlias, keySpec);
    } catch (CryptoException e) {
        throw e;
    } catch (Exception e) {
        throw new CryptoException("Error storing key store protection into PKCS11 token", e);
    }
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException)

Example 18 with CryptoException

use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.

the class AbstractPKCS11TokenKeyStoreProtectionManager method setKeyStoreProtectionKeyAsString.

/**
	 * {@inheritDoc}
	 */
@Override
public void setKeyStoreProtectionKeyAsString(String key) throws CryptoException {
    try {
        final Key keySpec = new SecretKeySpec(key.getBytes(), "");
        safeSetKeyWithRetry(keyStorePassPhraseAlias, keySpec);
    } catch (CryptoException e) {
        throw e;
    } catch (Exception e) {
        throw new CryptoException("Error storing key store protection into PKCS11 token", e);
    }
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException) Key(java.security.Key) SecretKey(javax.crypto.SecretKey) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException)

Example 19 with CryptoException

use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.

the class PKCS11OperationTests method testImportEncryptedPrivateKeyWithWrapping.

/**
	 * This test will most likely kick out when executed, but can serve as sample code 
	 * for wrapping and unwrapping sensitive key material on a PKCS11 token.
	 * @throws Exception
	 */
@Test
public void testImportEncryptedPrivateKeyWithWrapping() throws Exception {
    /*
		 * The point of this test is to ensure encrypted private keys can be loaded 
		 * into the token without ever exposing any secret material in process memory.
		 */
    final String pkcs11ProvName = TestUtils.setupSafeNetToken();
    if (!StringUtils.isEmpty(pkcs11ProvName)) {
        final PKCS11Credential cred = new BootstrappedPKCS11Credential("1Kingpuff");
        final StaticPKCS11TokenKeyStoreProtectionManager mgr = new StaticPKCS11TokenKeyStoreProtectionManager(cred, "KeyStoreProtKey", "PrivKeyProtKey");
        /*
			 * 1. Create an AES128 secret key on the HSM that will be used to 
			 * encrypt and decrypt private key data.  Use the PrivKeyProtKey entry to store it
			 */
        final KeyGenerator keyGen = KeyGenerator.getInstance("AES", pkcs11ProvName);
        keyGen.init(128);
        final SecretKey keyStoreSecretKey = keyGen.generateKey();
        /*
			 * 2. Get an existing private key that was generated and is stored in a p12 file.  
			 * For real operations, the private key may be generated on an HSM and exported in wrapped format for
			 * storage in a database.  For this test, we'll just use an existing private key in a p12 file and 
			 * wrap it on the HSM.
			 */
        final KeyStore store = KeyStore.getInstance("pkcs12");
        store.load(FileUtils.openInputStream(new File("./src/test/resources/certs/gm2552encrypted.p12")), "1kingpuff".toCharArray());
        // there should only be on entry
        final String alias = store.aliases().nextElement();
        final PrivateKey entry = (PrivateKey) store.getKey(alias, "1kingpuff".toCharArray());
        /*
			 * 3. "Wrap" the private using secret key and AES128 encryption and write it to a file.  The encryption is done
			 * on the HSM so the secret key never leaves the HSM token.  We aren't actually "wrapping" the private key because
			 * it's not on the HSM.  Using "encrypt" instead.
			 */
        byte[] wrappedKey = null;
        try {
            wrappedKey = mgr.wrapWithSecretKey(keyStoreSecretKey, entry);
        } catch (CryptoException e) {
            // this HSM token does not support wrapping.... kick out
            return;
        }
        FileUtils.writeByteArrayToFile(new File("wrappedPrivateKey.der"), wrappedKey);
        /*
			 * 4. Now we have a wrap key in a file.  Let's install it into the token using the 
			 * secret key on the HSM.  This should return us with a private key object, but we should
			 * not be able to get access to the actual unencrypted key data.
			 */
        byte[] encryptedKey = FileUtils.readFileToByteArray(new File("wrappedPrivateKey.der"));
        final PrivateKey securedPrivateKey = (PrivateKey) mgr.unwrapWithSecretKey(keyStoreSecretKey, encryptedKey, "RSA", Cipher.PRIVATE_KEY);
        assertNotNull(securedPrivateKey);
    }
}
Also used : PKCS11Credential(org.nhindirect.common.crypto.PKCS11Credential) SecretKey(javax.crypto.SecretKey) PrivateKey(java.security.PrivateKey) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException) KeyGenerator(javax.crypto.KeyGenerator) KeyStore(java.security.KeyStore) File(java.io.File) Test(org.junit.Test)

Example 20 with CryptoException

use of org.nhindirect.common.crypto.exceptions.CryptoException in project nhin-d by DirectProject.

the class HashableBasicAuthValidator method convertPassToHash.

/**
	 * Converts the password to the appropriate hash representation.
	 * @param password The plain text password that is part of the resource request.
	 * @return The password in the appropriate hash representation.
	 * @throws CryptoException
	 */
protected String convertPassToHash(String password) throws CryptoException {
    if (hashType.compareToIgnoreCase(HASH_CLEAR) == 0)
        return password;
    final String digistAlg = DIGEST_TYPE_MAP.get(hashType);
    try {
        final MessageDigest md = MessageDigest.getInstance(digistAlg);
        md.update(password.getBytes());
        final byte[] digest = md.digest();
        return createStringRep(digest);
    } catch (NoSuchAlgorithmException e) {
        throw new CryptoException("Algorithm not supported.", e);
    }
}
Also used : NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) MessageDigest(java.security.MessageDigest) CryptoException(org.nhindirect.common.crypto.exceptions.CryptoException)

Aggregations

CryptoException (org.nhindirect.common.crypto.exceptions.CryptoException)20 SecretKey (javax.crypto.SecretKey)6 Key (java.security.Key)5 SecretKeySpec (javax.crypto.spec.SecretKeySpec)5 ByteArrayInputStream (java.io.ByteArrayInputStream)4 File (java.io.File)4 IOException (java.io.IOException)4 InputStream (java.io.InputStream)4 Cipher (javax.crypto.Cipher)4 IvParameterSpec (javax.crypto.spec.IvParameterSpec)4 Properties (java.util.Properties)3 KeyStore (java.security.KeyStore)2 PrivateKey (java.security.PrivateKey)2 MutableKeyStoreProtectionManager (org.nhindirect.common.crypto.MutableKeyStoreProtectionManager)2 Point (java.awt.Point)1 BufferedReader (java.io.BufferedReader)1 ByteArrayOutputStream (java.io.ByteArrayOutputStream)1 Console (java.io.Console)1 InputStreamReader (java.io.InputStreamReader)1 KeyFactory (java.security.KeyFactory)1