feat(jans-auth-server): introduced key_ops for granular map of crypto…

… service to rotation profile #3415

jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java

@@ -6,46 +6,27 @@
 
 package io.jans.as.client.util;
 
-import io.jans.as.model.crypto.AbstractCryptoProvider;
 import io.jans.as.model.crypto.AuthCryptoProvider;
 import io.jans.as.model.crypto.ElevenCryptoProvider;
 import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
 import io.jans.as.model.crypto.signature.SignatureAlgorithm;
 import io.jans.as.model.exception.CryptoProviderException;
-import io.jans.as.model.jwk.Algorithm;
-import io.jans.as.model.jwk.JSONWebKey;
-import io.jans.as.model.jwk.JSONWebKeySet;
-import io.jans.as.model.jwk.Use;
+import io.jans.as.model.jwk.*;
 import io.jans.as.model.util.SecurityProviderUtility;
 import io.jans.as.model.util.StringUtils;
 import io.jans.util.StringHelper;
-import org.apache.commons.cli.BasicParser;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.*;
 import org.apache.log4j.Logger;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.status.StatusLogger;
 import org.json.JSONArray;
 import org.json.JSONObject;
 
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.GregorianCalendar;
 import java.util.List;
 
-import static io.jans.as.model.jwk.JWKParameter.CERTIFICATE_CHAIN;
-import static io.jans.as.model.jwk.JWKParameter.EXPIRATION_TIME;
-import static io.jans.as.model.jwk.JWKParameter.EXPONENT;
-import static io.jans.as.model.jwk.JWKParameter.KEY_ID;
-import static io.jans.as.model.jwk.JWKParameter.MODULUS;
-import static io.jans.as.model.jwk.JWKParameter.X;
-import static io.jans.as.model.jwk.JWKParameter.Y;
+import static io.jans.as.model.jwk.JWKParameter.*;
 
 /**
  * Command example:
@@ -85,7 +66,7 @@ public class KeyGenerator {
         log = Logger.getLogger(KeyGenerator.class);
     }
 
-    public static void main(String[] args) throws Exception {
+    public static void main(String[] args) {
         new Cli(args).parse();
     }
 
@@ -118,6 +99,7 @@ public Cli(String[] args) {
             options.addOption(HELP, false, "Show help.");
         }
 
+        @SuppressWarnings("java:S1874")
         public void parse() {
             CommandLineParser parser = new BasicParser();
 
@@ -136,51 +118,25 @@ public void parse() {
 
                 String[] sigAlgorithms = cmd.getOptionValues(SIGNING_KEYS);
                 String[] encAlgorithms = cmd.getOptionValues(ENCRYPTION_KEYS);
-                List<Algorithm> signatureAlgorithms = cmd.hasOption(SIGNING_KEYS) ? Algorithm.fromString(sigAlgorithms, Use.SIGNATURE) : new ArrayList<Algorithm>();
-                List<Algorithm> encryptionAlgorithms = cmd.hasOption(ENCRYPTION_KEYS) ? Algorithm.fromString(encAlgorithms, Use.ENCRYPTION) : new ArrayList<Algorithm>();
+                List<Algorithm> signatureAlgorithms = cmd.hasOption(SIGNING_KEYS) ? Algorithm.fromString(sigAlgorithms, Use.SIGNATURE) : new ArrayList<>();
+                List<Algorithm> encryptionAlgorithms = cmd.hasOption(ENCRYPTION_KEYS) ? Algorithm.fromString(encAlgorithms, Use.ENCRYPTION) : new ArrayList<>();
                 if (signatureAlgorithms.isEmpty() && encryptionAlgorithms.isEmpty()) {
                     help();
                 }
 
-                int keyLength = StringHelper.toInt(cmd.getOptionValue(KEY_LENGTH), 2048);
-                int expiration = StringHelper.toInt(cmd.getOptionValue(EXPIRATION), 0);
-                int expirationHours = StringHelper.toInt(cmd.getOptionValue(EXPIRATION_HOURS), 0);
-
-                String testPropFile = null;
-                if (cmd.hasOption(TEST_PROP_FILE)) {
-                    testPropFile = cmd.getOptionValue(TEST_PROP_FILE);
-                }
+                KeyGeneratorContext context = new KeyGeneratorContext();
+                context.setKeyLength(StringHelper.toInt(cmd.getOptionValue(KEY_LENGTH), 2048));
+                context.setExpirationDays(StringHelper.toInt(cmd.getOptionValue(EXPIRATION), 0));
+                context.setExpirationHours(StringHelper.toInt(cmd.getOptionValue(EXPIRATION_HOURS), 0));
+                context.calculateExpiration();
+                context.setTestPropFile(TestPropFile.create(cmd));
 
                 if (cmd.hasOption(OXELEVEN_ACCESS_TOKEN) && cmd.hasOption(OXELEVEN_GENERATE_KEY_ENDPOINT)) {
-                    String accessToken = cmd.getOptionValue(OXELEVEN_ACCESS_TOKEN);
-                    String generateKeyEndpoint = cmd.getOptionValue(OXELEVEN_GENERATE_KEY_ENDPOINT);
-
-                    try {
-                        ElevenCryptoProvider cryptoProvider = new ElevenCryptoProvider(generateKeyEndpoint,
-                                null, null, null, accessToken);
-
-                        generateKeys(cryptoProvider, signatureAlgorithms, encryptionAlgorithms, expiration, expirationHours, testPropFile, keyLength);
-                    } catch (Exception e) {
-                        log.error("Failed to generate keys", e);
-                        help();
-                    }
+                    generateKeysWithEleven(cmd, signatureAlgorithms, encryptionAlgorithms, context);
                 } else if (cmd.hasOption(KEY_STORE_FILE)
                         && cmd.hasOption(KEY_STORE_PASSWORD)
                         && cmd.hasOption(DN_NAME)) {
-                    String keystore = cmd.getOptionValue(KEY_STORE_FILE);
-                    String keypasswd = cmd.getOptionValue(KEY_STORE_PASSWORD);
-                    String dnName = cmd.getOptionValue(DN_NAME);
-
-                    try {
-                        SecurityProviderUtility.installBCProvider(true);
-
-                        AuthCryptoProvider cryptoProvider = new AuthCryptoProvider(keystore, keypasswd, dnName);
-                        generateKeys(cryptoProvider, signatureAlgorithms, encryptionAlgorithms, expiration, expirationHours, testPropFile, keyLength);
-                    } catch (Exception e) {
-                        e.printStackTrace();
-                        log.error("Failed to generate keys", e);
-                        help();
-                    }
+                    generateKeysWithJansAuth(cmd, signatureAlgorithms, encryptionAlgorithms, context);
                 } else {
                     help();
                 }
@@ -190,87 +146,114 @@ public void parse() {
             }
         }
 
-        private void generateKeys(AbstractCryptoProvider cryptoProvider, List<Algorithm> signatureAlgorithms,
-                                  List<Algorithm> encryptionAlgorithms, int expiration, int expirationHours, String testPropFile, int keyLength) throws CryptoProviderException, IOException {
-            JSONWebKeySet jwks = new JSONWebKeySet();
+        private void generateKeysWithJansAuth(CommandLine cmd, List<Algorithm> signatureAlgorithms, List<Algorithm> encryptionAlgorithms, KeyGeneratorContext context) {
+            String keystore = cmd.getOptionValue(KEY_STORE_FILE);
+            String keypasswd = cmd.getOptionValue(KEY_STORE_PASSWORD);
+            String dnName = cmd.getOptionValue(DN_NAME);
 
-            Calendar calendar = new GregorianCalendar();
-            calendar.add(Calendar.DATE, expiration);
-            calendar.add(Calendar.HOUR, expirationHours);
+            try {
+                SecurityProviderUtility.installBCProvider(true);
+
+                context.setCryptoProvider(new AuthCryptoProvider(keystore, keypasswd, dnName));
+                generateKeys(context, signatureAlgorithms, encryptionAlgorithms);
+            } catch (Exception e) {
+                e.printStackTrace();
+                log.error("Failed to generate keys with `jans-auth` crypto", e);
+                help();
+            }
+        }
 
-            boolean genTestPropFile = (testPropFile != null && testPropFile.length() > 0);
+        private void generateKeysWithEleven(CommandLine cmd, List<Algorithm> signatureAlgorithms, List<Algorithm> encryptionAlgorithms, KeyGeneratorContext context) {
+            String accessToken = cmd.getOptionValue(OXELEVEN_ACCESS_TOKEN);
+            String generateKeyEndpoint = cmd.getOptionValue(OXELEVEN_GENERATE_KEY_ENDPOINT);
 
-            List<String> recs = genTestPropFile ? (new ArrayList<>()) : null;
+            try {
+                context.setCryptoProvider(new ElevenCryptoProvider(generateKeyEndpoint,
+                        null, null, null, accessToken));
 
-            for (Algorithm algorithm : signatureAlgorithms) {
-                SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(algorithm.getParamName());
-                JSONObject result = cryptoProvider.generateKey(algorithm, calendar.getTimeInMillis(), keyLength);
+                generateKeys(context, signatureAlgorithms, encryptionAlgorithms);
+            } catch (Exception e) {
+                log.error("Failed to generate keys with 'eleven' crypto", e);
+                help();
+            }
+        }
+
+        @SuppressWarnings("java:S106")
+        private void generateKeys(KeyGeneratorContext context, List<Algorithm> signatureAlgorithms,
+                                  List<Algorithm> encryptionAlgorithms) throws CryptoProviderException, IOException {
+            JSONWebKeySet jwks = new JSONWebKeySet();
+
+            generateSignatureKeys(context, signatureAlgorithms, jwks, KeyOps.CONNECT);
+            generateSignatureKeys(context, signatureAlgorithms, jwks, KeyOps.SSA);
+            generateEncryptionKeys(context, encryptionAlgorithms, jwks, KeyOps.CONNECT);
+            generateEncryptionKeys(context, encryptionAlgorithms, jwks, KeyOps.SSA);
+
+            context.getTestPropFile().generate();
+            System.out.println(jwks);
+        }
+
+        private void generateEncryptionKeys(KeyGeneratorContext context, List<Algorithm> encryptionAlgorithms, JSONWebKeySet jwks, KeyOps keyOps) throws CryptoProviderException {
+            for (Algorithm algorithm : encryptionAlgorithms) {
+                KeyEncryptionAlgorithm encryptionAlgorithm = KeyEncryptionAlgorithm.fromName(algorithm.getParamName());
+                JSONObject result = context.getCryptoProvider().generateKey(algorithm, context.calculateExpiration().getTimeInMillis(), context.getKeyLength(), keyOps);
 
                 JSONWebKey key = new JSONWebKey();
 
                 key.setName(algorithm.getOutName());
                 key.setDescr(algorithm.getDescription());
                 key.setKid(result.getString(KEY_ID));
-                key.setUse(Use.SIGNATURE);
+                key.setUse(Use.ENCRYPTION);
                 key.setAlg(algorithm);
-                key.setKty(signatureAlgorithm.getFamily().getKeyType());
+                key.setKty(encryptionAlgorithm.getFamily().getKeyType());
                 key.setExp(result.optLong(EXPIRATION_TIME));
-                key.setCrv(signatureAlgorithm.getCurve());
+                key.setCrv(encryptionAlgorithm.getCurve());
                 key.setN(result.optString(MODULUS));
                 key.setE(result.optString(EXPONENT));
                 key.setX(result.optString(X));
                 key.setY(result.optString(Y));
+                key.setKeyOps(keyOps);
 
                 JSONArray x5c = result.optJSONArray(CERTIFICATE_CHAIN);
                 key.setX5c(StringUtils.toList(x5c));
 
                 jwks.getKeys().add(key);
 
-                if (genTestPropFile) {
-                    recs.add(getKeyNameFromAlgorithm(algorithm) + "=" + result.getString(KEY_ID));
-                }
+                context.getTestPropFile().add(getKeyNameFromAlgorithm(algorithm) + "=" + result.getString(KEY_ID));
             }
-            for (Algorithm algorithm : encryptionAlgorithms) {
-                KeyEncryptionAlgorithm encryptionAlgorithm = KeyEncryptionAlgorithm.fromName(algorithm.getParamName());
-                JSONObject result = cryptoProvider.generateKey(algorithm, calendar.getTimeInMillis(), keyLength);
+        }
+
+        private void generateSignatureKeys(KeyGeneratorContext context, List<Algorithm> signatureAlgorithms, JSONWebKeySet jwks, KeyOps keyOps) throws CryptoProviderException {
+            for (Algorithm algorithm : signatureAlgorithms) {
+                SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(algorithm.getParamName());
+                JSONObject result = context.getCryptoProvider().generateKey(algorithm, context.calculateExpiration().getTimeInMillis(), context.getKeyLength(), keyOps);
 
                 JSONWebKey key = new JSONWebKey();
 
                 key.setName(algorithm.getOutName());
                 key.setDescr(algorithm.getDescription());
                 key.setKid(result.getString(KEY_ID));
-                key.setUse(Use.ENCRYPTION);
+                key.setUse(Use.SIGNATURE);
                 key.setAlg(algorithm);
-                key.setKty(encryptionAlgorithm.getFamily().getKeyType());
+                key.setKty(signatureAlgorithm.getFamily().getKeyType());
                 key.setExp(result.optLong(EXPIRATION_TIME));
-                key.setCrv(encryptionAlgorithm.getCurve());
+                key.setCrv(signatureAlgorithm.getCurve());
                 key.setN(result.optString(MODULUS));
                 key.setE(result.optString(EXPONENT));
                 key.setX(result.optString(X));
                 key.setY(result.optString(Y));
+                key.setKeyOps(keyOps);
 
                 JSONArray x5c = result.optJSONArray(CERTIFICATE_CHAIN);
                 key.setX5c(StringUtils.toList(x5c));
 
                 jwks.getKeys().add(key);
 
-                if (genTestPropFile) {
-                    recs.add(getKeyNameFromAlgorithm(algorithm) + "=" + result.getString(KEY_ID));
-                }
+                context.getTestPropFile().add(getKeyNameFromAlgorithm(algorithm) + "=" + result.getString(KEY_ID));
             }
-            if (genTestPropFile) {
-                try (FileOutputStream fosTestPropFile = new FileOutputStream(testPropFile)) {
-                    for (String rec : recs) {
-                        fosTestPropFile.write(rec.getBytes());
-                        fosTestPropFile.write("\n".getBytes());
-                    }
-                }
-            }
-            System.out.println(jwks);
         }
 
         private static String getKeyNameFromAlgorithm(Algorithm algorithm) {
-            String keyNamePrefix = null;
+            final String keyNamePrefix;
             if (Algorithm.RSA_OAEP.equals(algorithm) || Algorithm.RSA_OAEP_256.equals(algorithm)
                     || Algorithm.ECDH_ES.equals(algorithm) || Algorithm.ECDH_ES_PLUS_A128KW.equals(algorithm)
                     || Algorithm.ECDH_ES_PLUS_A192KW.equals(algorithm)

jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGeneratorContext.java

@@ -0,0 +1,76 @@
+package io.jans.as.client.util;
+
+import io.jans.as.model.crypto.AbstractCryptoProvider;
+
+import java.util.Calendar;
+import java.util.GregorianCalendar;
+
+/**
+ * @author Yuriy Z
+ */
+public class KeyGeneratorContext {
+
+    private TestPropFile testPropFile;
+    private AbstractCryptoProvider cryptoProvider;
+    private int keyLength;
+
+    private int expirationDays;
+    private int expirationHours;
+    private Calendar expiration;
+
+    public Calendar calculateExpiration() {
+        Calendar calendar = new GregorianCalendar();
+        calendar.add(Calendar.DATE, getExpirationDays());
+        calendar.add(Calendar.HOUR, getExpirationHours());
+        this.expiration = calendar;
+        return calendar;
+    }
+
+    public Calendar getExpiration() {
+        return expiration;
+    }
+
+    public void setExpiration(Calendar expiration) {
+        this.expiration = expiration;
+    }
+
+    public int getKeyLength() {
+        return keyLength;
+    }
+
+    public void setKeyLength(int keyLength) {
+        this.keyLength = keyLength;
+    }
+
+    public TestPropFile getTestPropFile() {
+        return testPropFile;
+    }
+
+    public void setTestPropFile(TestPropFile testPropFile) {
+        this.testPropFile = testPropFile;
+    }
+
+    public AbstractCryptoProvider getCryptoProvider() {
+        return cryptoProvider;
+    }
+
+    public void setCryptoProvider(AbstractCryptoProvider cryptoProvider) {
+        this.cryptoProvider = cryptoProvider;
+    }
+
+    public int getExpirationDays() {
+        return expirationDays;
+    }
+
+    public void setExpirationDays(int expirationDays) {
+        this.expirationDays = expirationDays;
+    }
+
+    public int getExpirationHours() {
+        return expirationHours;
+    }
+
+    public void setExpirationHours(int expirationHours) {
+        this.expirationHours = expirationHours;
+    }
+}