• Home
• com.github.nagyesta.lowkey-vault
• lowkey-vault-app
• 2.5.0
• source code
• AesKeyVaultKeyEntity.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.github.nagyesta.lowkeyvault.service.key.impl.AesKeyVaultKeyEntity Maven / Gradle / Ivy

package com.github.nagyesta.lowkeyvault.service.key.impl;

import com.github.nagyesta.lowkeyvault.model.v7_2.key.constants.EncryptionAlgorithm;
import com.github.nagyesta.lowkeyvault.model.v7_2.key.constants.KeyOperation;
import com.github.nagyesta.lowkeyvault.model.v7_2.key.constants.KeyType;
import com.github.nagyesta.lowkeyvault.model.v7_2.key.constants.SignatureAlgorithm;
import com.github.nagyesta.lowkeyvault.service.key.ReadOnlyAesKeyVaultKeyEntity;
import com.github.nagyesta.lowkeyvault.service.key.id.VersionedKeyEntityId;
import com.github.nagyesta.lowkeyvault.service.key.util.KeyGenUtil;
import com.github.nagyesta.lowkeyvault.service.vault.VaultFake;
import lombok.extern.slf4j.Slf4j;
import org.springframework.lang.NonNull;
import org.springframework.util.Assert;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.util.List;

import static com.github.nagyesta.lowkeyvault.service.key.util.KeyGenUtil.generateAes;

@Slf4j
public class AesKeyVaultKeyEntity extends KeyVaultKeyEntity implements ReadOnlyAesKeyVaultKeyEntity {

    public AesKeyVaultKeyEntity(@NonNull final VersionedKeyEntityId id,
                                @NonNull final VaultFake vault,
                                final Integer keyParam,
                                final boolean hsm) {
        super(id, vault, generateAes(keyParam), KeyType.OCT_HSM.validateOrDefault(keyParam, Integer.class), hsm);
    }

    public AesKeyVaultKeyEntity(@NonNull final VersionedKeyEntityId id,
                                @NonNull final VaultFake vault,
                                @NonNull final SecretKey key,
                                final Integer keySize,
                                final boolean hsm) {
        super(id, vault, key, KeyType.OCT_HSM.validateOrDefault(keySize, Integer.class), hsm);
    }

    @Override
    public KeyType getKeyType() {
        return KeyType.OCT_HSM;
    }

    @Override
    public KeyCreationInput keyCreationInput() {
        return new OctKeyCreationInput(getKeyType(), getKeySize());
    }

    @Override
    public byte[] getK() {
        return getKey().getEncoded();
    }

    @Override
    public int getKeySize() {
        return getKeyParam();
    }

    @Override
    protected List disallowedOperations() {
        return List.of(KeyOperation.SIGN, KeyOperation.VERIFY);
    }

    @Override
    public byte[] encryptBytes(
            @NonNull final byte[] clear, @NonNull final EncryptionAlgorithm encryptionAlgorithm,
            final byte[] iv) {
        Assert.state(getOperations().contains(KeyOperation.ENCRYPT), getId() + " does not have ENCRYPT operation assigned.");
        Assert.state(getOperations().contains(KeyOperation.WRAP_KEY), getId() + " does not have WRAP_KEY operation assigned.");
        Assert.state(isEnabled(), getId() + " is not enabled.");
        Assert.isTrue(this.getKeySize() == encryptionAlgorithm.getMaxKeySize(),
                "Key size (" + getKeySize() + ") is not matching the size required by the selected algorithm: "
                        + encryptionAlgorithm.getValue());
        Assert.isTrue(iv != null, "IV must not be null.");
        return doCrypto(() -> {
            final Cipher cipher = Cipher.getInstance(encryptionAlgorithm.getAlg(), KeyGenUtil.BOUNCY_CASTLE_PROVIDER);
            cipher.init(Cipher.ENCRYPT_MODE, this.getKey(), new IvParameterSpec(iv));
            return cipher.doFinal(clear);
        }, "Cannot encrypt message.", log);
    }

    @Override
    public byte[] decryptToBytes(@NonNull final byte[] encrypted, @NonNull final EncryptionAlgorithm encryptionAlgorithm,
                                 final byte[] iv) {
        Assert.state(getOperations().contains(KeyOperation.DECRYPT), getId() + " does not have DECRYPT operation assigned.");
        Assert.state(getOperations().contains(KeyOperation.UNWRAP_KEY), getId() + " does not have UNWRAP_KEY operation assigned.");
        Assert.state(isEnabled(), getId() + " is not enabled.");
        Assert.isTrue(this.getKeySize() == encryptionAlgorithm.getMaxKeySize(),
                "Key size (" + getKeySize() + ") is not matching the size required by the selected algorithm: "
                        + encryptionAlgorithm.getValue());
        Assert.isTrue(iv != null, "IV must not be null.");
        return doCrypto(() -> {
            final Cipher cipher = Cipher.getInstance(encryptionAlgorithm.getAlg(), KeyGenUtil.BOUNCY_CASTLE_PROVIDER);
            cipher.init(Cipher.DECRYPT_MODE, this.getKey(), new IvParameterSpec(iv));
            return cipher.doFinal(encrypted);
        }, "Cannot decrypt message.", log);
    }

    @Override
    public byte[] signBytes(final byte[] digest, final SignatureAlgorithm encryptionAlgorithm) {
        throw new UnsupportedOperationException("Sign is not supported for OCT keys.");
    }

    @Override
    public boolean verifySignedBytes(final byte[] digest,
                                     final SignatureAlgorithm encryptionAlgorithm,
                                     final byte[] signature) {
        throw new UnsupportedOperationException("Verify is not supported for OCT keys.");
    }
}