
/*
 * GovWay - A customizable API Gateway 
 * https://govway.org
 * 
 * Copyright (c) 2005-2024 Link.it srl (https://link.it). 
 * 
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3, as published by
 * the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */

package org.openspcoop2.security.keystore;

import java.io.Serializable;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Properties;

import org.openspcoop2.security.SecurityException;
import org.openspcoop2.utils.certificate.byok.BYOKRequestParams;
import org.openspcoop2.utils.certificate.hsm.HSMManager;

/**
 * MerlinKeystore: a serializable keystore wrapper that can be loaded from a property file,
 * a Properties object, a file path or raw keystore bytes.
 *
 * @author Andrea Poli (apoli@link.it)
 * @author $Author$
 * @version $Rev$, $Date$
 */
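public class MerlinKeystore implements Serializable {

	private static final long serialVersionUID = 1L;

	/**
	 * The loaded keystore. Transient: it is rebuilt from the fields below by
	 * {@link #initKS()} when needed (see {@link #checkInit()}). Declared volatile
	 * because {@link #checkInit()} reads it outside the lock held by {@link #initKS()}.
	 */
	private transient volatile org.openspcoop2.utils.certificate.KeyStore ks = null;

	// NOTE: none of the fields below is transient, so the serialized form of this
	// object carries the keystore bytes (after BYOK unwrapping these are the unwrapped
	// bytes, see initKsBytes) together with the store password and the private-key
	// password. Serialized instances must be handled as sensitive material.
	private byte[] ksBytes;
	private String tipoStore = null;
	private String pathStore = null;
	private String passwordStore = null;
	private String passwordPrivateKey = null;

	/** True when the store type is registered with the {@link HSMManager} (set in {@link #init}). */
	private boolean hsm;

	/**
	 * Returns a short description of the store (type and path).
	 * Passwords and keystore bytes are deliberately not included.
	 */
	@Override
	public String toString() {
		return "KeyStore (" + this.tipoStore + ") " + this.pathStore;
	}

	/*
	 * Constructors reading the store configuration from a property file.
	 * The variants taking a private-key password require it to be non-null.
	 */

	/**
	 * Loads the store described by the given property file; no private-key password.
	 *
	 * @param propertyFilePath path of the property file
	 * @throws SecurityException if the file cannot be read or the store cannot be loaded
	 */
	public MerlinKeystore(String propertyFilePath) throws SecurityException{
		this.initMerlinKeystoreEngine(propertyFilePath, null, false,
				null);
	}
	/**
	 * Loads the store described by the given property file, unwrapping the keystore
	 * material through BYOK when {@code requestParams} is not null.
	 *
	 * @param propertyFilePath path of the property file
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if the file cannot be read or the store cannot be loaded
	 */
	public MerlinKeystore(String propertyFilePath, 
			BYOKRequestParams requestParams) throws SecurityException{
		this.initMerlinKeystoreEngine(propertyFilePath, null, false, 
				requestParams);
	}
	/**
	 * Loads the store described by the given property file; the private-key password is mandatory.
	 *
	 * @param propertyFilePath path of the property file
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @throws SecurityException if the password is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String propertyFilePath,String passwordPrivateKey) throws SecurityException{
		this.initMerlinKeystoreEngine(propertyFilePath, passwordPrivateKey, true,
				null);
	}
	/**
	 * Loads the store described by the given property file with a mandatory private-key
	 * password and optional BYOK unwrapping.
	 *
	 * @param propertyFilePath path of the property file
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if the password is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String propertyFilePath,String passwordPrivateKey, 
			BYOKRequestParams requestParams) throws SecurityException{
		this.initMerlinKeystoreEngine(propertyFilePath, passwordPrivateKey, true,
				requestParams);
	}
	/**
	 * Reads the property file and delegates to the {@link Properties}-based engine.
	 */
	private void initMerlinKeystoreEngine(String propertyFilePath,String passwordPrivateKey, boolean privatePasswordRequired, 
			BYOKRequestParams requestParams) throws SecurityException{
		Properties propStore = StoreUtils.readProperties("PropertyFilePath", propertyFilePath);
		this.initMerlinKeystoreEngine(propStore,passwordPrivateKey, privatePasswordRequired,
				requestParams);
	}

	/*
	 * Constructors reading the store configuration from a Properties object
	 * (keys: KeystoreConstants.PROPERTY_KEYSTORE_TYPE / _PATH / _PASSWORD).
	 */

	/**
	 * Loads the store described by the given properties; no private-key password.
	 *
	 * @param propStore store configuration
	 * @throws SecurityException if {@code propStore} is null or the store cannot be loaded
	 */
	public MerlinKeystore(Properties propStore) throws SecurityException{
		this.initMerlinKeystoreEngine(propStore,null, false,
				null);
	}
	/**
	 * Loads the store described by the given properties with optional BYOK unwrapping.
	 *
	 * @param propStore store configuration
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if {@code propStore} is null or the store cannot be loaded
	 */
	public MerlinKeystore(Properties propStore,
			BYOKRequestParams requestParams) throws SecurityException{
		this.initMerlinKeystoreEngine(propStore,null, false,
				requestParams);
	}
	/**
	 * Loads the store described by the given properties; the private-key password is mandatory.
	 *
	 * @param propStore store configuration
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @throws SecurityException if the password is missing or the store cannot be loaded
	 */
	public MerlinKeystore(Properties propStore,String passwordPrivateKey) throws SecurityException{
		this.initMerlinKeystoreEngine(propStore,passwordPrivateKey, true,
				null);
	}
	/**
	 * Loads the store described by the given properties with a mandatory private-key
	 * password and optional BYOK unwrapping.
	 *
	 * @param propStore store configuration
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if the password is missing or the store cannot be loaded
	 */
	public MerlinKeystore(Properties propStore,String passwordPrivateKey,
			BYOKRequestParams requestParams) throws SecurityException{
		this.initMerlinKeystoreEngine(propStore,passwordPrivateKey, true,
				requestParams);
	}
	/**
	 * Reads type, path and password from {@code propStore} and loads the store.
	 * A missing type falls back to {@link KeyStore#getDefaultType()}.
	 * Any failure (including a SecurityException raised while loading) is re-thrown
	 * wrapped in a SecurityException carrying the original message and cause.
	 */
	private void initMerlinKeystoreEngine(Properties propStore,String passwordPrivateKey, boolean privatePasswordRequired,
			BYOKRequestParams requestParams) throws SecurityException{
		try{
			if(propStore==null){
				throw new SecurityException("Properties per lo Store non indicato");
			}

			String type = propStore.getProperty(KeystoreConstants.PROPERTY_KEYSTORE_TYPE);
			this.tipoStore = (type!=null) ? type.trim() : KeyStore.getDefaultType();

			this.pathStore = propStore.getProperty(KeystoreConstants.PROPERTY_KEYSTORE_PATH);
			this.passwordStore = propStore.getProperty(KeystoreConstants.PROPERTY_KEYSTORE_PASSWORD);

			init(passwordPrivateKey, privatePasswordRequired,
					requestParams);
		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
	}

	/*
	 * Constructors taking the store location explicitly (path on disk).
	 */

	/**
	 * Loads the store found at {@code pathStore}; no private-key password.
	 *
	 * @param pathStore keystore file path
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String pathStore,String tipoStore,String passwordStore) throws SecurityException{
		initMerlinKeystoreEngine(pathStore,tipoStore,passwordStore,null, false,
				null);
	}
	/**
	 * Loads the store found at {@code pathStore} with optional BYOK unwrapping.
	 *
	 * @param pathStore keystore file path
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String pathStore,String tipoStore,String passwordStore,
			BYOKRequestParams requestParams) throws SecurityException{
		initMerlinKeystoreEngine(pathStore,tipoStore,passwordStore,null, false,
				requestParams);
	}
	/**
	 * Loads the store found at {@code pathStore}; the private-key password is mandatory.
	 *
	 * @param pathStore keystore file path
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String pathStore,String tipoStore,String passwordStore,String passwordPrivateKey) throws SecurityException{
		initMerlinKeystoreEngine(pathStore,tipoStore,passwordStore,passwordPrivateKey, true,
				null);
	}
	/**
	 * Loads the store found at {@code pathStore} with a mandatory private-key password
	 * and optional BYOK unwrapping.
	 *
	 * @param pathStore keystore file path
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(String pathStore,String tipoStore,String passwordStore,String passwordPrivateKey,
			BYOKRequestParams requestParams) throws SecurityException{
		initMerlinKeystoreEngine(pathStore,tipoStore,passwordStore,passwordPrivateKey, true,
				requestParams);
	}
	/**
	 * Stores the path-based configuration and loads the store.
	 * <p>
	 * Only sets {@code pathStore}, {@code tipoStore} and {@code passwordStore}: it does
	 * not clear {@code ksBytes} or {@code ks}, so calling it on an instance that was
	 * already loaded does not reload the keystore (see {@link #initKsBytes} and {@link #initKS}).
	 *
	 * @param pathStore keystore file path
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey private-key password, may be null unless {@code privatePasswordRequired}
	 * @param privatePasswordRequired whether a null {@code passwordPrivateKey} is an error
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public void initMerlinKeystoreEngine(String pathStore,String tipoStore,String passwordStore,String passwordPrivateKey, boolean privatePasswordRequired,
			BYOKRequestParams requestParams) throws SecurityException{
		this.pathStore = pathStore;
		this.tipoStore = tipoStore;
		this.passwordStore = passwordStore;

		init(passwordPrivateKey, privatePasswordRequired,
				requestParams);
	}

	/*
	 * Constructors taking the keystore content as raw bytes.
	 */

	/**
	 * Loads the store from {@code bytesKeystore}; no private-key password.
	 *
	 * @param bytesKeystore keystore content
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(byte[]bytesKeystore,String tipoStore,String passwordStore) throws SecurityException{
		initMerlinKeystoreEngine(bytesKeystore,tipoStore,passwordStore,null, false,
				null);
	}
	/**
	 * Loads the store from {@code bytesKeystore} with optional BYOK unwrapping.
	 *
	 * @param bytesKeystore keystore content
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(byte[]bytesKeystore,String tipoStore,String passwordStore,
			BYOKRequestParams requestParams) throws SecurityException{
		initMerlinKeystoreEngine(bytesKeystore,tipoStore,passwordStore,null, false,
				requestParams);
	}
	/**
	 * Loads the store from {@code bytesKeystore}; the private-key password is mandatory.
	 *
	 * @param bytesKeystore keystore content
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(byte[]bytesKeystore,String tipoStore,String passwordStore,String passwordPrivateKey) throws SecurityException{
		initMerlinKeystoreEngine(bytesKeystore,tipoStore,passwordStore,passwordPrivateKey, true,
				null);
	}
	/**
	 * Loads the store from {@code bytesKeystore} with a mandatory private-key password
	 * and optional BYOK unwrapping.
	 *
	 * @param bytesKeystore keystore content
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey password used by {@link #getKey(String)}; must not be null
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public MerlinKeystore(byte[]bytesKeystore,String tipoStore,String passwordStore,String passwordPrivateKey,
			BYOKRequestParams requestParams) throws SecurityException{
		initMerlinKeystoreEngine(bytesKeystore,tipoStore,passwordStore,passwordPrivateKey, true,
				requestParams);
	}
	/**
	 * Stores the byte-based configuration and loads the store.
	 * <p>
	 * The byte array is kept by reference (not copied) and is serialized with this object.
	 * As with the path-based variant, {@code ks} is not reset, so an already-loaded
	 * instance is not reloaded.
	 *
	 * @param bytesKeystore keystore content
	 * @param tipoStore keystore type
	 * @param passwordStore keystore password
	 * @param passwordPrivateKey private-key password, may be null unless {@code privatePasswordRequired}
	 * @param privatePasswordRequired whether a null {@code passwordPrivateKey} is an error
	 * @param requestParams BYOK unwrap parameters, may be null
	 * @throws SecurityException if a parameter is missing or the store cannot be loaded
	 */
	public void initMerlinKeystoreEngine(byte[]bytesKeystore,String tipoStore,String passwordStore,String passwordPrivateKey, boolean privatePasswordRequired,
			BYOKRequestParams requestParams) throws SecurityException{
		this.ksBytes = bytesKeystore;
		this.tipoStore = tipoStore;
		this.passwordStore = passwordStore;

		init(passwordPrivateKey, privatePasswordRequired,
				requestParams);
	}

	/**
	 * Common initialisation: validates type and password, detects HSM-backed store
	 * types, resolves the keystore bytes (non-HSM only), loads the keystore and finally
	 * records the private-key password.
	 * <p>
	 * Note the order: the keystore is loaded before the private-key password is checked,
	 * so a loading failure is reported ahead of a missing password.
	 *
	 * @throws SecurityException if configuration is incomplete or loading fails; any
	 *         exception raised inside is wrapped with its message and cause
	 */
	private void init(String passwordPrivateKey, boolean privatePasswordRequired,
			BYOKRequestParams requestParams) throws SecurityException{
		try{
			if(this.tipoStore==null){
				throw new SecurityException("Tipo dello Store non indicato");
			}
			if(this.passwordStore==null){
				throw new SecurityException("Password dello Store non indicata");
			}

			// hsm stays false when no HSMManager instance is available
			HSMManager hsmManager = HSMManager.getInstance();
			if(hsmManager!=null) {
				this.hsm = hsmManager.existsKeystoreType(this.tipoStore);
			}

			// an HSM-backed store has no bytes to read; the token is opened in initKS
			if(!this.hsm) {
				initKsBytes(requestParams);
			}

			this.initKS();

			if(passwordPrivateKey==null && privatePasswordRequired){
				if(this.pathStore!=null) {
					throw new SecurityException("Password chiave privata non indicata per lo Store ["+this.pathStore+"] ");
				}
				else {
					throw new SecurityException("Password chiave privata non indicata per lo Store ");
				}
			}
			this.passwordPrivateKey = passwordPrivateKey;

		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
	}

	/**
	 * Resolves {@code ksBytes}: reads them from {@code pathStore} when not already set,
	 * then, if BYOK parameters are given, replaces them with the unwrapped content.
	 * Bytes already present (e.g. from the byte-based constructors) are never re-read
	 * from the path.
	 *
	 * @throws SecurityException if neither bytes nor a path is available, or reading/unwrapping fails
	 */
	private void initKsBytes(BYOKRequestParams requestParams) throws SecurityException {
		if(this.ksBytes==null && this.pathStore==null){
			throw new SecurityException("Path per lo Store non indicato");
		}

		if(this.ksBytes==null) {
			this.ksBytes = StoreUtils.readContent("Path", this.pathStore);
		}

		// the unwrapped bytes overwrite the wrapped ones and are what gets serialized
		if(requestParams!=null) {
			this.ksBytes = StoreUtils.unwrapBYOK(this.ksBytes, requestParams);
		}
	}

	/** @return true if the store type is handled by an HSM. */
	public boolean isHsm() {
		return this.hsm;
	}

	/**
	 * Rebuilds the transient keystore if it is missing (typically after deserialization).
	 * The unsynchronized read of {@code ks} is safe because the field is volatile;
	 * {@link #initKS()} re-checks under its lock.
	 */
	private void checkInit() throws SecurityException{
		if(this.ks==null) {
			this.initKS();
		}
	}
	/**
	 * Loads the keystore: from the HSM token for HSM-backed types, otherwise from
	 * {@code ksBytes}. No-op when {@code ks} is already set.
	 *
	 * @throws SecurityException if the HSM manager is unavailable or loading fails
	 */
	private synchronized void initKS() throws SecurityException{
		if(this.ks!=null) {
			return;
		}
		try{
			if(this.hsm) {
				// hsm may be true on a deserialized instance even if no manager is
				// configured in this JVM: report that explicitly instead of a NullPointerException
				HSMManager hsmManager = HSMManager.getInstance();
				if(hsmManager==null) {
					throw new SecurityException("HSMManager non disponibile per lo Store di tipo ["+this.tipoStore+"]");
				}
				this.ks = hsmManager.getKeystore(this.tipoStore);
			}
			else {
				org.openspcoop2.utils.certificate.KeyStore loaded =
						new org.openspcoop2.utils.certificate.KeyStore(this.ksBytes, this.tipoStore, this.passwordStore);

				// Not applicable to an HSM: it fails with
				// java.lang.UnsupportedOperationException: trusted certificates may only be set by token initialization application
				// at jdk.crypto.cryptoki/sun.security.pkcs11.P11KeyStore.engineSetEntry(P11KeyStore.java:1022)
				FixTrustAnchorsNotEmpty.addCertificate(loaded.getKeystore());

				// publish only once fully prepared (the field is volatile)
				this.ks = loaded;
			}
		}
		catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
	}


	/**
	 * Returns the private key for {@code alias} using the private-key password given at
	 * construction. If none was given, fails with "Password della chiave non fornita".
	 *
	 * @param alias key alias, must not be null
	 * @throws SecurityException if alias or password is missing, or the key cannot be read
	 */
	public Key getKey(String alias) throws SecurityException {
		return this.getKey(alias, this.passwordPrivateKey);
	}
	/**
	 * Returns the private key for {@code alias} protected by {@code password}.
	 *
	 * @param alias key alias, must not be null
	 * @param password private-key password, must not be null
	 * @throws SecurityException if alias or password is missing, or the key cannot be read
	 */
	public Key getKey(String alias, String password) throws SecurityException {
		if(alias==null) {
			throw new SecurityException("Alias della chiave non fornita");
		}
		if(password==null) {
			throw new SecurityException("Password della chiave non fornita");
		}
		this.checkInit(); // rebuilds the transient keystore after deserialization
		try {
			return this.ks.getPrivateKey(alias, password);
		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
	}

	/**
	 * Returns the certificate stored under {@code alias}.
	 *
	 * @param alias certificate alias, must not be null
	 * @throws SecurityException if alias is missing or the certificate cannot be read
	 */
	public Certificate getCertificate(String alias) throws SecurityException {
		if(alias==null) {
			throw new SecurityException("Alias non fornito");
		}
		this.checkInit(); // rebuilds the transient keystore after deserialization
		try{
			return this.ks.getCertificate(alias);
		}catch(Exception e){
			throw new SecurityException(e.getMessage(),e);
		}
	}

	/**
	 * Returns the underlying keystore wrapper, loading it first if necessary.
	 *
	 * @throws SecurityException if the keystore cannot be (re)loaded
	 */
	public org.openspcoop2.utils.certificate.KeyStore getKeyStore() throws SecurityException {
		this.checkInit(); // rebuilds the transient keystore after deserialization
		return this.ks;
	}

}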