add rekey feature and REKEY CLI

jpos · Oct 2, 2024 · af22124 · af22124
1 parent 2303600
commit af22124
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 5 deletions.
diff --git a/modules/cryptoservice/src/main/java/org/jpos/crypto/CryptoService.java b/modules/cryptoservice/src/main/java/org/jpos/crypto/CryptoService.java
@@ -192,6 +192,17 @@ public boolean unlock (Supplier<String> passwordSupplier) {
         }
     }
 
+    public void rekey(UUID keyId) throws Exception {
+        if (isLocked())
+            throw new SecurityException("CryptoService is locked");
+        registerKey(
+          keyId.toString(),
+          new String(pgpEncrypt(keyId.toString(),
+          getKey(keyId, unlock.get().toCharArray()).getEncoded())),
+          true
+        );
+    }
+
     /**
      * Lock the CryptoService
      */
@@ -257,7 +268,7 @@ private byte[] pgpEncrypt(String id, byte[] clearText)
     private void renewKey () throws Exception {
         UUID id = UUID.randomUUID();
         SecretKey sk = generateKey();
-        registerKey(id.toString(), new String(pgpEncrypt(id.toString(), sk.getEncoded())));
+        registerKey(id.toString(), new String(pgpEncrypt(id.toString(), sk.getEncoded())), false);
         sem.acquire();
         this.id = id;
         this.sk = sk;
@@ -267,8 +278,8 @@ private void renewKey () throws Exception {
         sem.release();
     }
 
-    private void registerKey(String k, String v) throws Exception {
-        ksProvider.put(k, v);
+    private void registerKey(String k, String v, boolean override) throws Exception {
+        ksProvider.put(k, v, override);
         LogEvent evt = getLog().createLogEvent("security");
         evt.addMessage("<id>" + k + "</id>");
         evt.addMessage(System.lineSeparator() + v);
@@ -290,7 +301,6 @@ private SecretKey getKey (UUID keyId, char[] passPhrase) throws Exception {
           passPhrase
         );
         return new SecretKeySpec(key, 0, key.length, "AES");
-
     }
 
     private byte[] decrypt (SecretKey sk, IvParameterSpec iv, byte[] cryptogram)
@@ -318,7 +328,6 @@ private UUID xor (UUID a, UUID b) {
           a.getLeastSignificantBits() ^ b.getLeastSignificantBits());
     }
 
-
     @Override
     public void setConfiguration(Element e) throws ConfigurationException {
         Element kse = e.getChild("ks-provider");

diff --git a/modules/cryptoservice/src/main/java/org/jpos/q2/cli/crypto/REKEY.java b/modules/cryptoservice/src/main/java/org/jpos/q2/cli/crypto/REKEY.java
@@ -0,0 +1,58 @@
+/*
+ * jPOS Project [http://jpos.org]
+ * Copyright (C) 2000-2021 jPOS Software SRL
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.jpos.q2.cli.crypto;
+
+import java.util.Base64;
+import java.util.UUID;
+
+import org.jpos.crypto.CryptoService;
+import org.jpos.crypto.SecureData;
+import org.jpos.q2.CLICommand;
+import org.jpos.q2.CLIContext;
+import org.jpos.util.NameRegistrar;
+
+@SuppressWarnings("unused")
+public class REKEY implements CLICommand {
+    private CryptoService cs;
+
+    @Override
+    public void exec(CLIContext cli, String[] args) throws Exception {
+        cs = NameRegistrar.get("crypto-service", 5000L);
+        if (args.length < 2) {
+            usage(cli);
+            return;
+        }
+        if (cs == null) {
+            cli.println("'crypto-service' not registered");
+            return;
+        }
+        for (int i=1; i<args.length; i++) {
+            cs.rekey(UUID.fromString(args[i]));
+        }
+    }
+
+    private void usage (CLIContext cli) {
+        cli.println ("Usage: REKEY uuid(s)");
+    }
+
+    private void encrypt (CLIContext cli, String clear) throws Exception {
+        SecureData sd = cs.aesEncrypt(clear.getBytes());
+        cli.println (sd.getId() + " " + Base64.getEncoder().encodeToString(sd.getEncoded()));
+    }
+}