KeyPairStore.java

/*
 * GovWay - A customizable API Gateway 
 * https://govway.org
 * 
 * Copyright (c) 2005-2024 Link.it srl (https://link.it). 
 * 
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3, as published by
 * the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package org.openspcoop2.security.keystore;

import java.io.Serializable;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.UUID;

import org.openspcoop2.security.SecurityException;
import org.openspcoop2.utils.certificate.JWKPrivateKeyConverter;
import org.openspcoop2.utils.certificate.JWKSet;
import org.openspcoop2.utils.certificate.KeyUtils;
import org.openspcoop2.utils.certificate.byok.BYOKRequestParams;

/**
 * KeyPairStore
 *
 * @author Andrea Poli (apoli@link.it)
 * @author $Author$
 * @version $Rev$, $Date$
 */
public class KeyPairStore implements Serializable {

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;
	
	private String privateKeyPath;
	private String publicKeyPath;
	
	private byte[] privateKeyContent;
	private byte[] publicKeyContent;
	private transient PrivateKey privateKey;
	private transient PublicKey publicKey;
	
	private String privateKeyPassword;
	private String algorithm;
	
	private String jwkSetContent;
	private String jwkSetKid;
	private transient JWKSet jwkSet;

	@Override
	public String toString() {
		StringBuilder bf = new StringBuilder();
		bf.append("KeyPairStore (private:").append(this.privateKeyPath).append(" public:").append(this.publicKeyPath).append(")");
		return bf.toString();
	}
	
	public KeyPairStore(String privateKeyPath, String publicKeyPath, String privateKeyPassword, String algorithm) throws SecurityException{
		this(privateKeyPath, publicKeyPath, privateKeyPassword, algorithm, null);
	}
	public KeyPairStore(String privateKeyPath, String publicKeyPath, String privateKeyPassword, String algorithm, BYOKRequestParams requestParams) throws SecurityException{

		this.privateKeyPath = privateKeyPath;
		this.publicKeyPath = publicKeyPath;
				
		this.privateKeyPassword = privateKeyPassword;
		this.algorithm = algorithm==null ? KeyUtils.ALGO_RSA : algorithm;
		
		this.privateKeyContent = StoreUtils.readContent("PrivateKey", this.privateKeyPath);
		this.privateKeyContent = StoreUtils.unwrapBYOK(this.privateKeyContent, requestParams);
		
		this.publicKeyContent = StoreUtils.readContent("PublicKey", this.publicKeyPath);
		
	}
	
	public KeyPairStore(String privateKeyPath, byte[] publicKey, String privateKeyPassword, String algorithm) throws SecurityException{
		this(privateKeyPath, publicKey, privateKeyPassword, algorithm, null);
	}
	public KeyPairStore(String privateKeyPath, byte[] publicKey, String privateKeyPassword, String algorithm, BYOKRequestParams requestParams) throws SecurityException{

		this.privateKeyPath = privateKeyPath;
		
		if(publicKey==null){
			throw new SecurityException("Store publicKey non indicato");
		}
		this.publicKeyContent = publicKey;
				
		this.privateKeyPassword = privateKeyPassword;
		this.algorithm = algorithm==null ? KeyUtils.ALGO_RSA : algorithm;
		
		this.privateKeyContent = StoreUtils.readContent("PrivateKey", this.privateKeyPath);
		this.privateKeyContent = StoreUtils.unwrapBYOK(this.privateKeyContent, requestParams);
				
	}
	
	public KeyPairStore(byte[] privateKey, byte[] publicKey, String privateKeyPassword, String algorithm) throws SecurityException{
		this(privateKey, publicKey, privateKeyPassword, algorithm, null);
	}
	public KeyPairStore(byte[] privateKey, byte[] publicKey, String privateKeyPassword, String algorithm, BYOKRequestParams requestParams) throws SecurityException{

		try{
			if(privateKey==null){
				throw new SecurityException("Store privateKey non indicato");
			}
			this.privateKeyContent = privateKey;
			this.privateKeyContent = StoreUtils.unwrapBYOK(this.privateKeyContent, requestParams);
			
			if(publicKey==null){
				throw new SecurityException("Store publicKey non indicato");
			}
			this.publicKeyContent = publicKey;
			
			this.privateKeyPassword = privateKeyPassword;
			this.algorithm = algorithm==null ? KeyUtils.ALGO_RSA : algorithm;
			
		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
		
	}
	
	public KeyPairStore(byte[] privateKey, String publicKeyPath, String privateKeyPassword, String algorithm) throws SecurityException{
		this(privateKey, publicKeyPath, privateKeyPassword, algorithm, null);
	}
	public KeyPairStore(byte[] privateKey, String publicKeyPath, String privateKeyPassword, String algorithm, BYOKRequestParams requestParams) throws SecurityException{

		try{
			if(privateKey==null){
				throw new SecurityException("Store privateKey non indicato");
			}
			this.privateKeyContent = privateKey;
			this.privateKeyContent = StoreUtils.unwrapBYOK(this.privateKeyContent, requestParams);
			
			this.publicKeyPath = publicKeyPath;
			
			this.privateKeyPassword = privateKeyPassword;
			this.algorithm = algorithm==null ? KeyUtils.ALGO_RSA : algorithm;
	
			this.publicKeyContent = StoreUtils.readContent("PublicKey", this.publicKeyPath);
			
		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
		
	}

	
	public PrivateKey getPrivateKey() throws SecurityException {
		if(this.privateKey==null) {
			initializePrivateKey();
		}
		return this.privateKey;
	}
	private synchronized void initializePrivateKey() throws SecurityException {
		if(this.privateKey==null) {
			try {
				if(this.privateKeyPassword==null) {
					this.privateKey = KeyUtils.getInstance(this.algorithm).getPrivateKey(this.privateKeyContent);
				}
				else {
					this.privateKey = KeyUtils.getInstance(this.algorithm).getPrivateKey(this.privateKeyContent, this.privateKeyPassword);
				}
			}catch(Exception e){
				if(this.privateKeyPassword==null && e.getMessage().contains("org.bouncycastle.openssl.PEMEncryptedKeyPair cannot be cast to class org.bouncycastle.openssl.PEMKeyPair")) {
					throw new SecurityException("Load private key failed: encrypted key require key password",e);
				}
				else {
					throw new SecurityException("Load private key failed: "+e.getMessage(),e);
				}
			}
		}
	}
	
	
	public PublicKey getPublicKey() throws SecurityException {
		if(this.publicKey==null) {
			initializePublicKey();
		}
		return this.publicKey;
	}
	private synchronized void initializePublicKey() throws SecurityException {
		if(this.publicKey==null) {
			try {
				this.publicKey = KeyUtils.getInstance(this.algorithm).getPublicKey(this.publicKeyContent);
			}catch(Exception e){
				throw new SecurityException("Load public key failed: "+e.getMessage(),e);
			}
		}
	}
	
	
	public JWKSet getJwkSet() throws SecurityException {
		if(this.jwkSet==null) {
			initializeJwkSet();
		}
		return this.jwkSet;
	}
	private synchronized void initializeJwkSet() throws SecurityException {
		if(this.jwkSet==null) {
			if(this.jwkSetContent==null) {
				this.jwkSetKid = UUID.randomUUID().toString();
				try {
					this.jwkSetContent = JWKPrivateKeyConverter.convert(this.getPublicKey(), this.getPrivateKey(), this.jwkSetKid, true, false);
				}catch(Exception e){
					throw new SecurityException(e.getMessage(),e);
				}
			}
						
			this.jwkSet = new JWKSet(this.jwkSetContent);
		}
	}
	
	public String getJwkSetKid() {
		return this.jwkSetKid;
	}
}