feat(core): Implement named key support for AES-256-GCM encryption

- Renamed prefix from crypto:: to enc:: for consistency
- Added SystemKeyManager class to manage encryption keys derived from
SystemSeed
- Implemented named key support (enc::<keyname>::) for multiple
encryption contexts
- Updated CryptoEnvironmentProvider to use SystemKeyManager for key
retrieval
- Added CRYPTO CLI command with generate and encrypt subcommands
- Added comprehensive tests for named key functionality
- Updated documentation in CRYPTO_IMPLEMENTATION.md
- Replaced ISOUtil import with direct SystemSeed usage
- All tests passing (18 CryptoEnvironmentProviderTest, 4 CRYPTOTest, 13
SystemKeyManagerTest, 1 DeployWithEncryptedPropsTest)

Author: chhil

jpos/src/main/java/org/jpos/core/CryptoEnvironmentProvider.java

@@ -18,10 +18,10 @@
 
 package org.jpos.core;
 
-import org.jpos.iso.ISOUtil;
 import org.jpos.security.SystemSeed;
 
 import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.ByteBuffer;
@@ -32,7 +32,7 @@
  * EnvironmentProvider that encrypts/decrypts values using AES256.
  * 
  * <p>
- * Format: {@code crypto::<base64-encoded-ciphertext>}
+ * Format: {@code enc::<base64-encoded-ciphertext>}
  * <ul>
  * <li>Algorithm: AES-256-GCM with authenticated encryption</li>
  * <li>Key: 32 bytes derived from SystemSeed using SHA-256</li>
@@ -49,16 +49,25 @@ public class CryptoEnvironmentProvider implements EnvironmentProvider {
 
     @Override
     public String prefix() {
-        return "crypto::";
+        return "enc::";
     }
 
     @Override
     public String get(String config) {
         try {
-            // Remove the crypto:: prefix if present
+            String keyName = null;
             String encoded = config;
-            if (config.startsWith("crypto::")) {
-                encoded = config.substring(8);
+            
+            // Check for key name prefix: enc::keyname::encoded_data
+            if (config.startsWith("enc::")) {
+                String[] parts = config.substring(5).split("::", 2);
+                if (parts.length == 2) {
+                    keyName = parts[0];
+                    encoded = parts[1];
+                } else {
+                    // Default key
+                    encoded = config.substring(5);
+                }
             }
 
             byte[] decoded = Base64.getDecoder().decode(encoded);
@@ -72,9 +81,12 @@ public String get(String config) {
             byte[] ciphertext = new byte[buf.remaining()];
             buf.get(ciphertext);
 
-            // Use first 32 bytes of SystemSeed as the 256-bit AES key
-            byte[] seed = SystemSeed.getSeed(0, 32);
-            SecretKeySpec keySpec = new SecretKeySpec(seed, ALGORITHM);
+            // Use SystemKeyManager to get the derived key
+            SecretKey key = SystemKeyManager.getInstance().getKey(keyName);
+            if (key == null) {
+                throw new RuntimeException("Key not found: " + keyName);
+            }
+            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), ALGORITHM);
 
             // Decrypt with GCM authentication
             Cipher cipher = Cipher.getInstance(TRANSFORMATION);
@@ -92,13 +104,29 @@ public String get(String config) {
      * Helper method to encrypt a value (for generating encrypted config).
      * 
      * @param value the plaintext value to encrypt
-     * @return base64-encoded ciphertext with crypto:: prefix
+     * @return base64-encoded ciphertext with enc:: prefix
      */
     public static String encrypt(String value) {
+        return encrypt(value, null);
+    }
+    
+    /**
+     * Helper method to encrypt a value with a named key.
+     * 
+     * @param value the plaintext value to encrypt
+     * @param keyName the name of the key to use (null for default)
+     * @return base64-encoded ciphertext with enc::keyname:: prefix
+     */
+    public static String encrypt(String value, String keyName) {
         try {
-            // Use first 32 bytes of SystemSeed as the 256-bit AES key
-            byte[] seed = SystemSeed.getSeed(0, 32);
-            SecretKeySpec keySpec = new SecretKeySpec(seed, ALGORITHM);
+            // Use SystemKeyManager to get the key, generating it if it doesn't exist
+            SecretKey key = SystemKeyManager.getInstance().getKey(keyName);
+            if (key == null) {
+                // Key doesn't exist, generate it
+                SystemKeyManager.getInstance().generateKey(keyName);
+                key = SystemKeyManager.getInstance().getKey(keyName);
+            }
+            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), ALGORITHM);
 
             // Generate secure random 12-byte IV
             byte[] iv = new byte[IV_SIZE_BYTES];
@@ -115,7 +143,14 @@ public static String encrypt(String value) {
             buf.put(iv);
             buf.put(ciphertext);
 
-            return "crypto::" + Base64.getEncoder().encodeToString(buf.array());
+            String base64 = Base64.getEncoder().encodeToString(buf.array());
+            
+            // If keyName is provided, include it in the prefix
+            if (keyName != null && !keyName.isEmpty()) {
+                return "enc::" + keyName + "::" + base64;
+            } else {
+                return "enc::" + base64;
+            }
         } catch (Exception e) {
             throw new RuntimeException("Failed to encrypt value", e);
         }

jpos/src/main/java/org/jpos/core/SystemKeyManager.java

@@ -0,0 +1,237 @@
+/*
+ * jPOS Project [http://jpos.org]
+ * Copyright (C) 2000-2026 jPOS Software SRL
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.jpos.core;
+
+import org.jpos.security.SystemSeed;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import java.security.SecureRandom;
+import java.util.Base64;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+/**
+ * Manages encryption keys derived from SystemSeed.
+ * 
+ * <p>
+ * This class:
+ * <ul>
+ * <li>Derives a consistent key from SystemSeed (32 bytes = 256 bits)</li>
+ * <li>Supports multiple named keys for different encryption contexts</li>
+ * <li>Provides methods to encrypt/decrypt data using these keys</li>
+ * </ul>
+ */
+public class SystemKeyManager {
+    private static final String DEFAULT_KEY_NAME = "default";
+    private static final String DEFAULT_ENV_VAR = "JPOS_ENCRYPTION_KEY";
+    private static final int KEY_SIZE_BITS = 256;
+
+    private static final SystemKeyManager instance;
+    private static final ConcurrentMap<String, SecretKey> keys = new ConcurrentHashMap<>();
+
+    static {
+        try {
+            instance = new SystemKeyManager();
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to initialize SystemKeyManager", e);
+        }
+    }
+
+    private SystemKeyManager() {
+    }
+
+    /**
+     * Returns the singleton SystemKeyManager instance.
+     *
+     * @return the SystemKeyManager instance
+     */
+    public static SystemKeyManager getInstance() {
+        return instance;
+    }
+
+    /**
+     * Gets a key by name. Returns null if key doesn't exist.
+     *
+     * @param keyName the name of the key to get
+     * @return the SecretKey, or null if not found
+     */
+    public SecretKey getKey(String keyName) {
+        if (keyName == null || keyName.isEmpty()) {
+            keyName = DEFAULT_KEY_NAME;
+        }
+
+        return keys.get(keyName);
+    }
+
+    /**
+     * Gets the default key. Returns null if key doesn't exist.
+     *
+     * @return the default SecretKey, or null if not found
+     */
+    public SecretKey getDefaultKey() {
+        return getKey(DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Gets the Base64-encoded key by name.
+     *
+     * @param keyName the name of the key
+     * @return Base64-encoded key, or null if not found
+     */
+    public String getKeyBase64(String keyName) {
+        SecretKey key = getKey(keyName);
+        return key != null ? Base64.getEncoder().encodeToString(key.getEncoded()) : null;
+    }
+
+    /**
+     * Generates a new key from SystemSeed and stores it with the given name.
+     * The user is responsible for setting the environment variable manually.
+     *
+     * @param keyName the name to give the key
+     * @return the environment variable name where the key should be stored
+     */
+    public String generateKey(String keyName) {
+        if (keyName == null || keyName.isEmpty()) {
+            keyName = DEFAULT_KEY_NAME;
+        }
+
+        keys.computeIfAbsent(keyName, k -> {
+            try {
+                byte[] seed = SystemSeed.getSeed(0, 32);
+                KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+                keyGen.init(KEY_SIZE_BITS, new SecureRandom(seed));
+                return keyGen.generateKey();
+            } catch (Exception e) {
+                throw new RuntimeException("Failed to generate key from SystemSeed", e);
+            }
+        });
+
+        return getEnvVarName(keyName);
+    }
+
+    /**
+     * Generates a new default key from SystemSeed.
+     *
+     * @return the environment variable name where the key is stored
+     */
+    public String generateDefaultKey() {
+        return generateKey(DEFAULT_KEY_NAME);
+    }
+
+    private static final int IV_SIZE_BYTES = 12;
+    private static final int TAG_LENGTH_BITS = 128;
+
+    /**
+     * Encrypts data using the default key.
+     *
+     * @param data the data to encrypt
+     * @return encrypted data (with IV prepended)
+     */
+    public byte[] encrypt(byte[] data) {
+        return encrypt(data, DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Encrypts data using a named key.
+     *
+     * @param data    the data to encrypt
+     * @param keyName the name of the key to use
+     * @return encrypted data (with IV prepended)
+     */
+    public byte[] encrypt(byte[] data, String keyName) {
+        try {
+            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+            SecretKey key = getKey(keyName);
+
+            byte[] iv = new byte[IV_SIZE_BYTES];
+            new SecureRandom().nextBytes(iv);
+
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, iv);
+            cipher.init(Cipher.ENCRYPT_MODE, key, gcmParameterSpec);
+            byte[] ciphertext = cipher.doFinal(data);
+
+            byte[] result = new byte[iv.length + ciphertext.length];
+            System.arraycopy(iv, 0, result, 0, iv.length);
+            System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length);
+
+            return result;
+        } catch (Exception e) {
+            throw new RuntimeException("Encryption failed", e);
+        }
+    }
+
+    /**
+     * Decrypts data using the default key.
+     *
+     * @param encryptedData the encrypted data (with IV prepended)
+     * @return decrypted data
+     */
+    public byte[] decrypt(byte[] encryptedData) {
+        return decrypt(encryptedData, DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Decrypts data using a named key.
+     *
+     * @param encryptedData the encrypted data (with IV prepended)
+     * @param keyName       the name of the key to use
+     * @return decrypted data
+     */
+    public byte[] decrypt(byte[] encryptedData, String keyName) {
+        try {
+            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+            SecretKey key = getKey(keyName);
+
+            byte[] iv = new byte[IV_SIZE_BYTES];
+            System.arraycopy(encryptedData, 0, iv, 0, iv.length);
+
+            byte[] ciphertext = new byte[encryptedData.length - iv.length];
+            System.arraycopy(encryptedData, iv.length, ciphertext, 0, ciphertext.length);
+
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, iv);
+            cipher.init(Cipher.DECRYPT_MODE, key, gcmParameterSpec);
+            return cipher.doFinal(ciphertext);
+        } catch (Exception e) {
+            throw new RuntimeException("Decryption failed", e);
+        }
+    }
+
+    /**
+     * Gets the environment variable name for a key.
+     *
+     * @param keyName the name of the key
+     * @return the environment variable name
+     */
+    public String getEnvVarName(String keyName) {
+        if (keyName == null || keyName.isEmpty()) {
+            keyName = DEFAULT_KEY_NAME;
+        }
+        return DEFAULT_ENV_VAR + (DEFAULT_KEY_NAME.equals(keyName) ? "" : "_" + keyName.toUpperCase());
+    }
+
+    /**
+     * Clears all keys (for testing purposes).
+     */
+    public void clearKeys() {
+        keys.clear();
+    }
+}