Issue/206 crypto services

dsf-bpe/dsf-bpe-process-api-v2-impl/pom.xml

@@ -57,6 +57,12 @@
 			<groupId>com.auth0</groupId>
 			<artifactId>java-jwt</artifactId>
 		</dependency>
+
+		<dependency>
+			<groupId>de.hs-heilbronn.mi</groupId>
+			<artifactId>crypto-utils</artifactId>
+			<version>${crypto-utils.version.v2}</version>
+		</dependency>
 
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
@@ -93,6 +99,11 @@
 									<groupId>dev.dsf</groupId>
 									<artifactId>dsf-bpe-process-api-v2-impl</artifactId>
 								</artifactItem>
+								<artifactItem>
+									<groupId>de.hs-heilbronn.mi</groupId>
+									<artifactId>crypto-utils</artifactId>
+									<version>${crypto-utils.version.v2}</version>
+								</artifactItem>
 								<artifactItem>
 									<groupId>ca.uhn.hapi.fhir</groupId>
 									<artifactId>hapi-fhir-structures-r4</artifactId>

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/ProcessPluginApiImpl.java

@@ -8,6 +8,7 @@
 
 import ca.uhn.fhir.context.FhirContext;
 import dev.dsf.bpe.v2.config.ProxyConfig;
+import dev.dsf.bpe.v2.service.CryptoService;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.EndpointProvider;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
@@ -34,13 +35,14 @@ public class ProcessPluginApiImpl implements ProcessPluginApi, InitializingBean
 	private final QuestionnaireResponseHelper questionnaireResponseHelper;
 	private final ReadAccessHelper readAccessHelper;
 	private final TaskHelper taskHelper;
+	private final CryptoService cryptoService;
 
 	public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointProvider, FhirContext fhirContext,
 			DsfClientProvider dsfClientProvider, FhirClientProvider fhirClientProvider,
 			OidcClientProvider oidcClientProvider, MailService mailService, ObjectMapper objectMapper,
 			OrganizationProvider organizationProvider, ProcessAuthorizationHelper processAuthorizationHelper,
 			QuestionnaireResponseHelper questionnaireResponseHelper, ReadAccessHelper readAccessHelper,
-			TaskHelper taskHelper)
+			TaskHelper taskHelper, CryptoService cryptoService)
 	{
 		this.proxyConfig = proxyConfig;
 		this.endpointProvider = endpointProvider;
@@ -55,6 +57,7 @@ public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointPr
 		this.questionnaireResponseHelper = questionnaireResponseHelper;
 		this.readAccessHelper = readAccessHelper;
 		this.taskHelper = taskHelper;
+		this.cryptoService = cryptoService;
 	}
 
 	@Override
@@ -73,6 +76,7 @@ public void afterPropertiesSet() throws Exception
 		Objects.requireNonNull(questionnaireResponseHelper, "questionnaireResponseHelper");
 		Objects.requireNonNull(readAccessHelper, "readAccessHelper");
 		Objects.requireNonNull(taskHelper, "taskHelper");
+		Objects.requireNonNull(cryptoService, "cryptoService");
 	}
 
 	@Override
@@ -152,4 +156,10 @@ public TaskHelper getTaskHelper()
 	{
 		return taskHelper;
 	}
+
+	@Override
+	public CryptoService getCryptoService()
+	{
+		return cryptoService;
+	}
 }

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/CryptoServiceImpl.java

@@ -0,0 +1,217 @@
+package dev.dsf.bpe.v2.service;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyManagementException;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+
+import javax.crypto.DecapsulateException;
+import javax.crypto.NoSuchPaddingException;
+import javax.net.ssl.SSLContext;
+
+import de.hsheilbronn.mi.utils.crypto.cert.CertificateValidator;
+import de.hsheilbronn.mi.utils.crypto.context.SSLContextFactory;
+import de.hsheilbronn.mi.utils.crypto.io.KeyStoreReader;
+import de.hsheilbronn.mi.utils.crypto.io.PemReader;
+import de.hsheilbronn.mi.utils.crypto.kem.AbstractKemAesGcm;
+import de.hsheilbronn.mi.utils.crypto.kem.EcDhKemAesGcm;
+import de.hsheilbronn.mi.utils.crypto.kem.RsaKemAesGcm;
+import de.hsheilbronn.mi.utils.crypto.keypair.KeyPairGeneratorFactory;
+import de.hsheilbronn.mi.utils.crypto.keypair.KeyPairValidator;
+import de.hsheilbronn.mi.utils.crypto.keystore.KeyStoreCreator;
+
+public class CryptoServiceImpl implements CryptoService
+{
+	public static final class KemDelegate implements Kem
+	{
+		private final AbstractKemAesGcm delegate;
+
+		public KemDelegate(AbstractKemAesGcm delegate)
+		{
+			this.delegate = delegate;
+		}
+
+		@Override
+		public InputStream encrypt(InputStream data, PublicKey publicKey) throws NoSuchAlgorithmException,
+				InvalidKeyException, NoSuchPaddingException, InvalidAlgorithmParameterException
+		{
+			return delegate.encrypt(data, publicKey);
+		}
+
+		@Override
+		public InputStream decrypt(InputStream encrypted, PrivateKey privateKey)
+				throws IOException, NoSuchAlgorithmException, InvalidKeyException, DecapsulateException,
+				NoSuchPaddingException, InvalidAlgorithmParameterException
+		{
+			return delegate.decrypt(encrypted, privateKey);
+		}
+	}
+
+	@Override
+	public Kem createRsaKem()
+	{
+		return new KemDelegate(new RsaKemAesGcm());
+	}
+
+	@Override
+	public Kem createEcDhKem()
+	{
+		return new KemDelegate(new EcDhKemAesGcm());
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorRsa4096AndInitialize()
+	{
+		return KeyPairGeneratorFactory.rsa4096().initialize();
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorSecp256r1AndInitialize()
+	{
+		return KeyPairGeneratorFactory.secp256r1().initialize();
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorSecp384r1AndInitialize()
+	{
+		return KeyPairGeneratorFactory.secp384r1().initialize();
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorSecp521r1AndInitialize()
+	{
+		return KeyPairGeneratorFactory.secp521r1().initialize();
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorX25519AndInitialize()
+	{
+		return KeyPairGeneratorFactory.x25519().initialize();
+	}
+
+	@Override
+	public KeyPairGenerator createKeyPairGeneratorX448AndInitialize()
+	{
+		return KeyPairGeneratorFactory.x448().initialize();
+	}
+
+	@Override
+	public X509Certificate readCertificate(InputStream pem) throws IOException
+	{
+		return PemReader.readCertificate(pem);
+	}
+
+	@Override
+	public List<X509Certificate> readCertificates(InputStream pem) throws IOException
+	{
+		return PemReader.readCertificates(pem);
+	}
+
+	@Override
+	public PrivateKey readPrivateKey(InputStream pem, char[] password) throws IOException
+	{
+		return PemReader.readPrivateKey(pem, password);
+	}
+
+	@Override
+	public boolean isKeyPair(PrivateKey privateKey, PublicKey publicKey)
+	{
+		return KeyPairValidator.matches(privateKey, publicKey);
+	}
+
+	@Override
+	public boolean isCertificateExpired(X509Certificate certificate)
+	{
+		return CertificateValidator.isCertificateExpired(certificate);
+	}
+
+	@Override
+	public boolean isClientCertificate(X509Certificate certificate)
+	{
+		return CertificateValidator.isClientCertificate(certificate);
+	}
+
+	@Override
+	public boolean isServerCertificate(X509Certificate certificate)
+	{
+		return CertificateValidator.isServerCertificate(certificate);
+	}
+
+	@Override
+	public void validateClientCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)
+			throws CertificateException
+	{
+		Objects.requireNonNull(trustStore, "trustStore");
+		Objects.requireNonNull(certificateChain, "certificateChain");
+
+		CertificateValidator.vaildateClientCertificate(trustStore, certificateChain);
+	}
+
+	@Override
+	public void validateServerCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)
+			throws CertificateException
+	{
+		Objects.requireNonNull(trustStore, "trustStore");
+		Objects.requireNonNull(certificateChain, "certificateChain");
+
+		CertificateValidator.vaildateServerCertificate(trustStore, certificateChain);
+	}
+
+	@Override
+	public KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password,
+			Collection<? extends X509Certificate> chain)
+	{
+		return KeyStoreCreator.jksForPrivateKeyAndCertificateChain(key, password, chain);
+	}
+
+	@Override
+	public KeyStore createKeyStoreForTrustedCertificates(Collection<? extends X509Certificate> certificates)
+	{
+		return KeyStoreCreator.jksForTrustedCertificates(certificates);
+	}
+
+	@Override
+	public KeyStore readKeyStoreJks(InputStream stream, char[] password) throws IOException
+	{
+		return KeyStoreReader.readJks(stream, password);
+	}
+
+	@Override
+	public KeyStore readKeyStorePkcs12(InputStream stream, char[] password) throws IOException
+	{
+		return KeyStoreReader.readPkcs12(stream, password);
+	}
+
+	@Override
+	public SSLContext createSSLContext(KeyStore trustStore)
+			throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException
+	{
+		Objects.requireNonNull(trustStore, "trustStore");
+
+		return SSLContextFactory.createSSLContext(trustStore);
+	}
+
+	@Override
+	public SSLContext createSSLContext(KeyStore trustStore, KeyStore keyStore, char[] keyStorePassword)
+			throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException
+	{
+		Objects.requireNonNull(trustStore, "trustStore");
+		Objects.requireNonNull(keyStore, "keyStore");
+		Objects.requireNonNull(keyStorePassword, "keyStorePassword");
+
+		return SSLContextFactory.createSSLContext(trustStore, keyStore, keyStorePassword);
+	}
+}

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/spring/ApiServiceConfig.java

@@ -33,6 +33,8 @@
 import dev.dsf.bpe.v2.listener.EndListener;
 import dev.dsf.bpe.v2.listener.StartListener;
 import dev.dsf.bpe.v2.plugin.ProcessPluginFactoryImpl;
+import dev.dsf.bpe.v2.service.CryptoService;
+import dev.dsf.bpe.v2.service.CryptoServiceImpl;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.DsfClientProviderImpl;
 import dev.dsf.bpe.v2.service.EndpointProvider;
@@ -88,7 +90,8 @@ public ProcessPluginApi processPluginApiV2()
 	{
 		return new ProcessPluginApiImpl(proxyConfigDelegate(), endpointProvider(), fhirContext(), dsfClientProvider(),
 				fhirClientProvider(), oidcClientProvider(), mailService(), objectMapper(), organizationProvider(),
-				processAuthorizationHelper(), questionnaireResponseHelper(), readAccessHelper(), taskHelper());
+				processAuthorizationHelper(), questionnaireResponseHelper(), readAccessHelper(), taskHelper(),
+				cryptoService());
 	}
 
 	@Bean
@@ -255,4 +258,10 @@ public ListenerFactory listenerFactory()
 		return new ListenerFactoryImpl(ProcessPluginFactoryImpl.API_VERSION, startListener(), endListener(),
 				continueListener());
 	}
+
+	@Bean
+	public CryptoService cryptoService()
+	{
+		return new CryptoServiceImpl();
+	}
 }

dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/ProcessPluginApi.java

@@ -7,6 +7,7 @@
 
 import ca.uhn.fhir.context.FhirContext;
 import dev.dsf.bpe.v2.config.ProxyConfig;
+import dev.dsf.bpe.v2.service.CryptoService;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.EndpointProvider;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
@@ -52,4 +53,6 @@ public interface ProcessPluginApi
 	ReadAccessHelper getReadAccessHelper();
 
 	TaskHelper getTaskHelper();
+
+	CryptoService getCryptoService();
 }