Merge branch 'RM-3354_key-capsule-expiry-cli' into 'master'

RM-3354: Added Key capsule expiry option to CLI

See merge request cdoc2/cdoc2-java-ref-impl!19

Author: OlesjaAarma

cdoc2-cli/README.md

@@ -58,6 +58,14 @@ Certificate (`-c` option):
 java -jar target/cdoc2-cli-*.jar create --server=config/localhost/localhost.properties -f /tmp/localhost.cdoc -c keys/cdoc2client-certificate.pem README.md
 ```
 
+Key capsule expiration date can be requested when adding expiry duration:
+```
+-ex P365D
+```
+Default expiration duration will be used if it is not requested by the client. Default and max 
+expiration durations are configurable values in put-server and get-server.
+
+
 ### Encryption with symmetric key
 
 Generate key with openssl (minimum length 32 bytes):

cdoc2-cli/pom.xml

@@ -8,7 +8,7 @@
     </parent>
 
     <artifactId>cdoc2-cli</artifactId>
-    <version>1.2.0</version>
+    <version>1.3.0-SNAPSHOT</version>
     <description>Command line utility to create/process CDOC2 files</description>
 
     <properties>

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/CDocCli.java

@@ -47,6 +47,7 @@ public static void main(String... args) {
             CommandLine.usage(new CDocInfoCmd(), System.out);
         }
         int exitCode = new CommandLine(new CDocCli()).execute(args);
+
         System.exit(exitCode);
     }
 

cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocCreateCmd.java

@@ -1,6 +1,5 @@
 package ee.cyber.cdoc2.cli.commands;
 
-
 import ee.cyber.cdoc2.cli.SymmetricKeyUtil;
 import ee.cyber.cdoc2.CDocBuilder;
 import ee.cyber.cdoc2.CDocValidationException;
@@ -18,6 +17,8 @@
 
 import java.io.File;
 import java.security.PublicKey;
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -28,13 +29,17 @@
 
 import static ee.cyber.cdoc2.cli.CDocCommonHelper.getServerProperties;
 
+
 //S106 - Standard outputs should not be used directly to log anything
 //CLI needs to interact with standard outputs
 @SuppressWarnings("java:S106")
 @Command(name = "create", aliases = {"c", "encrypt"}, showAtFileInUsageHelp = true)
 public class CDocCreateCmd implements Callable<Void> {
+
     private static final Logger log = LoggerFactory.getLogger(CDocCreateCmd.class);
 
+    private static final String DURATION_FORMAT = "P(n)DT(n)H(n)M(n)S";
+
     // default server configuration disabled, until public key server is up and running
     //private static final String DEFAULT_SERVER_PROPERTIES = "classpath:localhost.properties";
 
@@ -75,7 +80,7 @@ private void setProperty(Map<String, String> props) {
 
     @Option(names = {"-S", "--server"},
         paramLabel = "FILE.properties",
-        description = "Key server connection properties file"
+        description = "key server connection properties file"
         // default server configuration disabled, until public key server is up and running
         //, arity = "0..1"
         //, fallbackValue = DEFAULT_SERVER_PROPERTIES
@@ -85,6 +90,12 @@ private void setProperty(Map<String, String> props) {
     @Parameters(paramLabel = "FILE", description = "one or more files to encrypt", arity = "1..*")
     private File[] inputFiles;
 
+    @Option(names = { "-exp", "--expiry" }, paramLabel = DURATION_FORMAT,
+        description = "Key capsule expiry duration",
+        converter = DurationConverter.class
+    )
+    private Duration keyCapsuleExpiryDuration;
+
     @Option(names = { "-h", "--help" }, usageHelp = true, description = "display a help message")
     private boolean helpRequested = false;
 
@@ -123,6 +134,10 @@ public Void call() throws Exception {
             .withRecipients(recipients)
             .withPayloadFiles(Arrays.asList(inputFiles));
 
+        if (keyCapsuleExpiryDuration != null) {
+            setExpiryDurationOrLogWarn(cDocBuilder);
+        }
+
         if (keyServerPropertiesFile != null) {
             Properties p = getServerProperties(keyServerPropertiesFile);
             cDocBuilder.withServerProperties(p);
@@ -135,6 +150,16 @@ public Void call() throws Exception {
         return null;
     }
 
+    private void setExpiryDurationOrLogWarn(CDocBuilder cDocBuilder) {
+        if (null != this.recipient.secrets || null != recipient.password) {
+            String warnMsg = "Key capsule expiry duration cannot be requested for symmetric key "
+                + "encryption";
+            log.warn("WARNING: {}", warnMsg);
+        } else {
+            cDocBuilder.withCapsuleExpiryDuration(keyCapsuleExpiryDuration);
+        }
+    }
+
     private void addSymmetricKeysWithLabels(List<EncryptionKeyMaterial> recipients)
         throws CDocValidationException {
 
@@ -148,4 +173,17 @@ private void addSymmetricKeysWithLabels(List<EncryptionKeyMaterial> recipients)
         }
     }
 
+    public static class DurationConverter implements CommandLine.ITypeConverter<Duration> {
+        @Override
+        public Duration convert(String arg) {
+            try {
+                return Duration.parse(arg);
+            } catch (DateTimeParseException e) {
+                throw new CommandLine.TypeConversionException(
+                    "Expiry duration format should be " + DURATION_FORMAT
+                );
+            }
+        }
+    }
+
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/CDocBuilder.java

@@ -1,6 +1,7 @@
 package ee.cyber.cdoc2;
 
 import ee.cyber.cdoc2.client.ExtApiException;
+import ee.cyber.cdoc2.client.KeyCapsuleClient;
 import ee.cyber.cdoc2.client.KeyCapsuleClientImpl;
 import ee.cyber.cdoc2.container.Envelope;
 import ee.cyber.cdoc2.crypto.Crypto;
@@ -29,6 +30,7 @@
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.time.Duration;
 import java.util.Base64;
 import java.util.LinkedList;
 import java.util.List;
@@ -43,6 +45,7 @@ public class CDocBuilder {
 
     private List<File> payloadFiles;
     private final List<EncryptionKeyMaterial> recipients = new LinkedList<>();
+    private Duration keyCapsuleExpiryDuration;
     private Properties serverProperties;
 
     public CDocBuilder withPayloadFiles(List<File> files) {
@@ -60,12 +63,19 @@ public CDocBuilder withRecipients(List<EncryptionKeyMaterial> recipientsEncKM) {
         return this;
     }
 
+    public CDocBuilder withCapsuleExpiryDuration(Duration xExpiryDuration) {
+        this.keyCapsuleExpiryDuration = xExpiryDuration;
+        return this;
+    }
+
     public CDocBuilder withServerProperties(Properties p) {
         this.serverProperties = p;
         return this;
     }
 
-    public void buildToFile(File outputCDocFile) throws CDocException, IOException, CDocValidationException {
+    public void buildToFile(File outputCDocFile)
+        throws CDocException, IOException, CDocValidationException {
+
         if (outputCDocFile == null) {
             throw new CDocValidationException("Must provide CDOC output filename ");
         }
@@ -108,11 +118,19 @@ private OpenOption getOpenOption() {
 
     private Envelope prepareEnvelope()
         throws ExtApiException, GeneralSecurityException, IOException {
+
         if (serverProperties == null) {
             return Envelope.prepare(recipients, null);
         } else {
             // for encryption, do not init mTLS client as this might require smart-card
-            return Envelope.prepare(recipients, KeyCapsuleClientImpl.create(serverProperties, false));
+           KeyCapsuleClient client = KeyCapsuleClientImpl.create(serverProperties, false);
+           if (null != keyCapsuleExpiryDuration) {
+               client.setExpiryDuration(keyCapsuleExpiryDuration);
+           }
+            return Envelope.prepare(
+                recipients,
+                client
+            );
         }
     }
 
@@ -238,4 +256,5 @@ void validatePayloadFiles() throws CDocValidationException {
             }
         }
     }
+
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/EcCapsuleClient.java

@@ -11,7 +11,10 @@ public interface EcCapsuleClient extends ServerClient {
      * @return transactionId to retrieve senderKey from the server
      * @throws ExtApiException if error happens
      */
-    String storeSenderKey(ECPublicKey receiverKey, ECPublicKey senderKey) throws ExtApiException;
+    String storeSenderKey(
+        ECPublicKey receiverKey,
+        ECPublicKey senderKey
+    ) throws ExtApiException;
 
     /**
      * Retrieve previously stored sender key using transaction id

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/EcCapsuleClientImpl.java

@@ -22,7 +22,10 @@ public EcCapsuleClientImpl(KeyCapsuleClient keyCapsulesClient) {
     }
 
     @Override
-    public String storeSenderKey(ECPublicKey receiverKey, ECPublicKey senderKey) throws ExtApiException {
+    public String storeSenderKey(
+        ECPublicKey receiverKey,
+        ECPublicKey senderKey
+    ) throws ExtApiException {
 
         EllipticCurve curve;
         try {
@@ -47,7 +50,7 @@ public String storeSenderKey(ECPublicKey receiverKey, ECPublicKey senderKey) thr
                 .recipientId(ECKeys.encodeEcPubKeyForTls(curve, receiverKey))
                 .ephemeralKeyMaterial(ECKeys.encodeEcPubKeyForTls(curve, senderKey));
 
-        return keyCapsulesClient.storeCapsule(capsule, null);
+        return keyCapsulesClient.storeCapsule(capsule);
     }
 
     @Override
@@ -79,4 +82,5 @@ public Optional<ECPublicKey> getSenderKey(String transactionId) throws ExtApiExc
     public String getServerIdentifier() {
         return keyCapsulesClient.getServerIdentifier();
     }
+
 }

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/KeyCapsuleClient.java

@@ -1,10 +1,8 @@
 package ee.cyber.cdoc2.client;
 
-import jakarta.annotation.Nullable;
-
 import ee.cyber.cdoc2.client.model.Capsule;
 
-import java.time.OffsetDateTime;
+import java.time.Duration;
 import java.util.Optional;
 
 
@@ -13,9 +11,14 @@
  */
 public interface KeyCapsuleClient extends ServerClient {
 
-    String storeCapsule(Capsule capsule) throws ExtApiException;
+    /**
+     * When set, then client sends X-ExpiryTime header
+     * @param duration Duration is converted into exact dateTime
+     *                 when {@link #storeCapsule(Capsule)} is called
+     */
+    void setExpiryDuration(Duration duration);
 
-    String storeCapsule(Capsule capsule, @Nullable OffsetDateTime xExpiryTime) throws ExtApiException;
+    String storeCapsule(Capsule capsule) throws ExtApiException;
 
     Optional<Capsule> getCapsule(String id) throws ExtApiException;
 

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/KeyCapsuleClientImpl.java

@@ -1,5 +1,6 @@
 package ee.cyber.cdoc2.client;
 
+import ee.cyber.cdoc2.client.api.ApiException;
 import ee.cyber.cdoc2.crypto.Pkcs11Tools;
 import ee.cyber.cdoc2.CDocConfiguration;
 import ee.cyber.cdoc2.CDocUserException;
@@ -13,6 +14,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
+import java.time.Duration;
 import java.time.OffsetDateTime;
 import java.util.Objects;
 import java.util.Optional;
@@ -21,6 +23,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static ee.cyber.cdoc2.util.DurationUtil.getExpiryTime;
+
 
 /**
  * KeyCapsuleClient initialization from properties file.
@@ -33,6 +37,8 @@ public final class KeyCapsuleClientImpl implements KeyCapsuleClient, KeyCapsuleC
     private final Cdoc2KeyCapsuleApiClient getClient; // mTLS client
     @Nullable
     private KeyStore clientKeyStore; //initialised only from #create(Properties)
+    @Nullable
+    private Duration capsuleExpiryDuration; //initialised only when #setExpiryDuration() was called
 
     private KeyCapsuleClientImpl(
         String serverIdentifier,
@@ -222,24 +228,33 @@ private static KeyStore loadTrustKeyStore(Properties p) throws KeyStoreException
     }
 
     @Override
-    public String storeCapsule(Capsule capsule) throws ExtApiException {
-        return storeCapsule(capsule, null);
+    public void setExpiryDuration(Duration duration) {
+        this.capsuleExpiryDuration = duration;
     }
 
     @Override
-    public String storeCapsule(Capsule capsule, @Nullable OffsetDateTime xExpiryTime) throws ExtApiException {
+    public String storeCapsule(Capsule capsule) throws ExtApiException {
         Objects.requireNonNull(postClient);
 
         String result = null;
         try {
-            result = postClient.createCapsule(capsule, xExpiryTime);
+            result = createCapsule(capsule);
         } catch (Exception e) {
             log.error("Failed to create capsule", e);
             handleOpenApiException(e);
         }
         return result;
     }
 
+    private String createCapsule(Capsule capsule) throws ApiException {
+        if (null != capsuleExpiryDuration) {
+            OffsetDateTime expiryTime = getExpiryTime(capsuleExpiryDuration);
+            return postClient.createCapsule(capsule, expiryTime);
+        } else {
+            return postClient.createCapsule(capsule);
+        }
+    }
+
     @Override
     public Optional<Capsule> getCapsule(String id) throws ExtApiException {
         if (getClient == null) {

cdoc2-lib/src/main/java/ee/cyber/cdoc2/client/RsaCapsuleClient.java

@@ -4,7 +4,12 @@
 import java.util.Optional;
 
 public interface RsaCapsuleClient extends ServerClient {
-    String storeRsaCapsule(RSAPublicKey recipient, byte[] encryptedKek) throws ExtApiException;
+
+    String storeRsaCapsule(
+        RSAPublicKey recipient,
+        byte[] encryptedKek
+    ) throws ExtApiException;
 
     Optional<byte[]> getEncryptedKek(String transactionId) throws ExtApiException;
+
 }