open-eid
diff --git a/‎cdoc2-cli/README.md‎
Lines changed: 15 additions & 1 deletion b/‎cdoc2-cli/README.md‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎cdoc2-cli/pom.xml‎
Lines changed: 2 additions & 2 deletions b/‎cdoc2-cli/pom.xml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/SymmetricKeyUtil.java‎
Lines changed: 48 additions & 29 deletions b/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/SymmetricKeyUtil.java‎
Lines changed: 48 additions & 29 deletions
diff --git a/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocCreateCmd.java‎
Lines changed: 32 additions & 44 deletions b/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocCreateCmd.java‎
Lines changed: 32 additions & 44 deletions
diff --git a/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocInfoCmd.java‎
Lines changed: 12 additions & 4 deletions b/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocInfoCmd.java‎
Lines changed: 12 additions & 4 deletions
diff --git a/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocReEncryptCmd.java‎
Lines changed: 4 additions & 5 deletions b/‎cdoc2-cli/src/main/java/ee/cyber/cdoc2/cli/commands/CDocReEncryptCmd.java‎
Lines changed: 4 additions & 5 deletions
@@ -119,7 +119,6 @@ java -jar target/cdoc2-cli-*.jar decrypt --secret "label_b64secret:base64,aejUgx
 Key and label can be safely stored in a password manager.
 
 
-
 ### Decryption
 To decrypt:
 - CDOC2 file `/tmp/mydoc.cdoc`
@@ -354,3 +353,18 @@ default 10.0
 
 Decrypting will be stopped if compressed file compression ratio is over compressionThreshold
 
+#### ee.cyber.cdoc2.key-label.machine-readable-format.enabled
+default true
+
+Key label format can be defined while encrypting. Machine parsable format is enabled by default 
+and free text format is allowed if the property disabled.
+Machine-readable format is following, where `<data>` is the key label value:
+```
+data:[<mediatype>][;base64],<data>
+```
+
+#### ee.cyber.cdoc2.key-label.file-name.added
+default true
+
+Key label `<data>` field contains different parameters. File name is one of them. For security 
+purpose it can be hidden in configuration. File name is added by default.
@@ -8,7 +8,7 @@
     </parent>
 
     <artifactId>cdoc2-cli</artifactId>
-    <version>1.4.1-SNAPSHOT</version>
+    <version>1.5.0-SNAPSHOT</version>
     <description>Command line utility to create/process CDOC2 files</description>
 
     <properties>
@@ -42,7 +42,7 @@
         <dependency>
             <groupId>ee.cyber.cdoc2</groupId>
             <artifactId>cdoc2-lib</artifactId>
-            <version>1.4.1-SNAPSHOT</version>
+            <version>1.5.0-SNAPSHOT</version>
         </dependency>
     </dependencies>
 
 
@@ -4,9 +4,9 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.GeneralSecurityException;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
-import java.util.LinkedList;
 import java.util.List;
 
 import ee.cyber.cdoc2.container.recipients.PBKDF2Recipient;
@@ -57,24 +57,33 @@ private SymmetricKeyUtil() { }
 
     private static final Logger log = LoggerFactory.getLogger(SymmetricKeyUtil.class);
 
-    public static List<EncryptionKeyMaterial> extractEncryptionKeyMaterialFromSecrets(
-        String[] secrets
-    ) throws CDocValidationException {
-        if (secrets == null || secrets.length == 0) {
-            return List.of();
-        }
+    public static List<FormattedOptionParts> getSecretsAndLabels(String[] secrets)
+        throws CDocValidationException {
 
-        List<EncryptionKeyMaterial> result = new LinkedList<>();
+        List<FormattedOptionParts> secretsAndLabels = new ArrayList<>();
+        if (null != secrets && secrets.length > 0) {
+            for (String secret: secrets) {
+                FormattedOptionParts splitSecret
+                    = splitFormattedOption(secret, EncryptionKeyOrigin.SECRET);
+                secretsAndLabels.add(splitSecret);
+            }
+        }
+        return secretsAndLabels;
+    }
 
-        for (String secret: secrets) {
-            FormattedOptionParts splitSecret
-                = splitFormattedOption(secret, EncryptionKeyOrigin.SECRET);
+    /**
+     * Extract symmetric key material from formatted
+     * or "label123:base64,aejUgxxSQXqiiyrxSGACfMiIRBZq5KjlCwr/xVNY/B0="
+     * @param formattedSecrets "<label>:<secret>"
+     * @return
+     */
+    public static List<EncryptionKeyMaterial> getEncryptionKeyMaterialFromFormattedSecrets(String[] formattedSecrets)
+        throws CDocValidationException {
 
-            EncryptionKeyMaterial km
-                = SymmetricKeyTools.getEncryptionKeyMaterialFromSecret(splitSecret);
-            result.add(km);
-        }
-        return result;
+        return getSecretsAndLabels(formattedSecrets).stream()
+            .map(SymmetricKeyTools::extractKeyMaterialFromSecret)
+            .map(e -> EncryptionKeyMaterial.fromSecret(e.getKey(), e.getValue()))
+            .toList();
     }
 
     public static EncryptionKeyMaterial extractEncryptionKeyMaterialFromSecret(
@@ -84,18 +93,17 @@ public static EncryptionKeyMaterial extractEncryptionKeyMaterialFromSecret(
             return null;
         }
 
-        FormattedOptionParts splitSecret
-            = splitFormattedOption(secret, EncryptionKeyOrigin.SECRET);
+        FormattedOptionParts splitSecret = splitFormattedOption(secret, EncryptionKeyOrigin.SECRET);
 
         return SymmetricKeyTools.getEncryptionKeyMaterialFromSecret(splitSecret);
     }
 
     public static EncryptionKeyMaterial extractEncryptionKeyMaterialFromPassword(
-        FormattedOptionParts passwordAndLabel
-    ) {
-        return EncryptionKeyMaterial.fromPassword(
-            passwordAndLabel.optionChars(), passwordAndLabel.label()
-        );
+        String password
+    ) throws CDocValidationException {
+        FormattedOptionParts splitPasswordAndLabel = getSplitPasswordAndLabel(password, true);
+
+        return SymmetricKeyTools.getEncryptionKeyMaterialFromPassword(splitPasswordAndLabel);
     }
 
     /**
@@ -150,9 +158,10 @@ public static FormattedOptionParts splitFormattedOption(
      * @param verifyPw if password should be asked twice to verify that they match (encryption).
      * @return FormattedOptionParts with extracted password and label
      */
-    public static FormattedOptionParts getSplitPasswordAndLabel(String formattedPassword,
-                                                                boolean verifyPw)
-        throws CDocValidationException {
+    public static FormattedOptionParts getSplitPasswordAndLabel(
+        String formattedPassword,
+        boolean verifyPw
+    ) throws CDocValidationException {
         FormattedOptionParts passwordAndLabel;
         if (formattedPassword.isEmpty()) {
             passwordAndLabel = InteractiveCommunicationUtil.readPasswordAndLabelInteractively(verifyPw);
@@ -180,9 +189,10 @@ public static FormattedOptionParts getSplitPasswordAndLabel(String formattedPass
      * @return
      * @throws CDocValidationException
      */
-    public static FormattedOptionParts getSplitPasswordAndLabel(String formattedPassword,
-                                                                List<PBKDF2Recipient> pbkdf2Recipients)
-        throws CDocValidationException {
+    public static FormattedOptionParts getSplitPasswordAndLabel(
+        String formattedPassword,
+        List<PBKDF2Recipient> pbkdf2Recipients
+    ) throws CDocValidationException {
 
         if (pbkdf2Recipients.size() == 1) {
             String label = pbkdf2Recipients.get(0).getRecipientKeyLabel();
@@ -261,4 +271,13 @@ private static void excludeSecretKeyInPlainText(EncryptionKeyOrigin keyOrigin) {
         }
     }
 
+    public static FormattedOptionParts getPasswordAndLabel(String password)
+        throws CDocValidationException {
+
+        if (null == password) {
+            return null;
+        }
+        return getSplitPasswordAndLabel(password, true);
+    }
+
 }
@@ -1,13 +1,9 @@
 package ee.cyber.cdoc2.cli.commands;
 
+import ee.cyber.cdoc2.FormattedOptionParts;
 import ee.cyber.cdoc2.cli.SymmetricKeyUtil;
 import ee.cyber.cdoc2.CDocBuilder;
-import ee.cyber.cdoc2.CDocValidationException;
-import ee.cyber.cdoc2.FormattedOptionParts;
 import ee.cyber.cdoc2.crypto.keymaterial.EncryptionKeyMaterial;
-import ee.cyber.cdoc2.crypto.EllipticCurve;
-import ee.cyber.cdoc2.crypto.PemTools;
-import ee.cyber.cdoc2.util.SkLdapUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import picocli.CommandLine;
@@ -16,16 +12,13 @@
 import picocli.CommandLine.Command;
 
 import java.io.File;
-import java.security.PublicKey;
 import java.time.Duration;
 import java.time.format.DateTimeParseException;
 import java.util.Arrays;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import java.util.concurrent.Callable;
-import java.util.stream.Collectors;
 
 import static ee.cyber.cdoc2.cli.CDocCommonHelper.getServerProperties;
 
@@ -103,46 +96,54 @@ private void setProperty(Map<String, String> props) {
     public Void call() throws Exception {
 
         if (log.isDebugEnabled()) {
-            log.debug("create --file {} --pubkey {} --cert {} {}",
+            log.debug("create --file {} --pubkey {} --cert {} --secret {} --password {} {}",
                 cdocFile,
                 Arrays.toString(recipient.pubKeys),
                 Arrays.toString(recipient.certs),
+                (recipient.secrets != null) ? "****" : null,
+                (recipient.password != null) ? "****" : null,
                 Arrays.toString(inputFiles));
         }
 
-        //Map of PublicKey, keyLabel
-        Map<PublicKey, String> recipientsMap = new LinkedHashMap<>();
-
-        recipientsMap.putAll(PemTools.loadPubKeysWithKeyLabel(this.recipient.pubKeys));
-        recipientsMap.putAll(PemTools.loadCertKeysWithLabel(this.recipient.certs));
 
-        // fetch authentication certificates' public keys for natural person identity codes
-        Map<PublicKey, String> ldapKeysWithLabels =
-            SkLdapUtil.getPublicKeysWithLabels(this.recipient.identificationCodes).entrySet()
-                .stream()
-                .filter(entry -> EllipticCurve.isSupported(entry.getKey()))
-                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
-        recipientsMap.putAll(ldapKeysWithLabels);
 
-        List<EncryptionKeyMaterial> recipients = recipientsMap.entrySet().stream()
-            .map(entry -> EncryptionKeyMaterial.fromPublicKey(entry.getKey(), entry.getValue()))
-            .collect(Collectors.toList());
-
-        addSymmetricKeysWithLabels(recipients);
 
         CDocBuilder cDocBuilder = new CDocBuilder()
-            .withRecipients(recipients)
             .withPayloadFiles(Arrays.asList(inputFiles));
 
-        if (keyCapsuleExpiryDuration != null) {
-            setExpiryDurationOrLogWarn(cDocBuilder);
-        }
-
         if (keyServerPropertiesFile != null) {
             Properties p = getServerProperties(keyServerPropertiesFile);
             cDocBuilder.withServerProperties(p);
         }
 
+
+        List<EncryptionKeyMaterial> symmetricKMs =
+            SymmetricKeyUtil.getEncryptionKeyMaterialFromFormattedSecrets(recipient.secrets);
+
+        List<EncryptionKeyMaterial> recipients = EncryptionKeyMaterial.collectionBuilder()
+            .fromPublicKey(this.recipient.pubKeys)
+            .fromX509Certificate(this.recipient.certs)
+            // fetch authentication certificates' public keys for natural person identity codes
+            .fromEId(this.recipient.identificationCodes)
+            .build();
+
+        if (recipient.password != null) {
+            FormattedOptionParts passwordAndLabel
+                = SymmetricKeyUtil.getPasswordAndLabel(recipient.password);
+
+            recipients.addAll(
+                EncryptionKeyMaterial.collectionBuilder().fromPassword(
+                    passwordAndLabel.optionChars(), passwordAndLabel.label()).build());
+        }
+
+        recipients.addAll(symmetricKMs);
+
+        cDocBuilder.withRecipients(recipients);
+
+        if (keyCapsuleExpiryDuration != null) {
+            setExpiryDurationOrLogWarn(cDocBuilder);
+        }
+
         cDocBuilder.buildToFile(cdocFile);
 
         log.info("Created {}", cdocFile.getAbsolutePath());
@@ -160,19 +161,6 @@ private void setExpiryDurationOrLogWarn(CDocBuilder cDocBuilder) {
         }
     }
 
-    private void addSymmetricKeysWithLabels(List<EncryptionKeyMaterial> recipients)
-        throws CDocValidationException {
-
-        recipients.addAll(SymmetricKeyUtil.extractEncryptionKeyMaterialFromSecrets(
-            recipient.secrets)
-        );
-        if (null != recipient.password) {
-            FormattedOptionParts password
-                = SymmetricKeyUtil.getSplitPasswordAndLabel(recipient.password, true);
-            recipients.add(SymmetricKeyUtil.extractEncryptionKeyMaterialFromPassword(password));
-        }
-    }
-
     public static class DurationConverter implements CommandLine.ITypeConverter<Duration> {
         @Override
         public Duration convert(String arg) {
 
@@ -17,6 +17,11 @@
 import java.util.Objects;
 import java.util.concurrent.Callable;
 
+import static ee.cyber.cdoc2.crypto.KeyLabelTools.extractKeyLabelParams;
+import static ee.cyber.cdoc2.crypto.KeyLabelTools.keyLabelParamsForDisplaying;
+
+
+
 //S106 Standard outputs should not be used directly to log anything
 //CLI needs to interact with standard outputs
 @SuppressWarnings("java:S106")
@@ -46,13 +51,16 @@ public Void call() throws Exception {
 
             String type = getHumanReadableType(recipient);
 
-            String label = recipient.getRecipientKeyLabel();
+            Map<String, String> keyLabelParams
+                = extractKeyLabelParams(recipient.getRecipientKeyLabel());
 
             String server = (recipient instanceof ServerRecipient)
-                    ? "(server: " + ((ServerRecipient) recipient).getKeyServerId() + ")"
-                    : "";
+                ? "(server: " + ((ServerRecipient) recipient).getKeyServerId() + ")"
+                : "";
 
-            System.out.println(type + ": " + label + " " + server);
+            System.out.println(
+                type + ": " + keyLabelParamsForDisplaying(keyLabelParams) + " " + server
+            );
         }
 
         return null;
 
@@ -15,7 +15,6 @@
 import ee.cyber.cdoc2.cli.SymmetricKeyUtil;
 import ee.cyber.cdoc2.CDocReEncrypter;
 import ee.cyber.cdoc2.CDocValidationException;
-import ee.cyber.cdoc2.FormattedOptionParts;
 import ee.cyber.cdoc2.client.KeyCapsuleClientFactory;
 import ee.cyber.cdoc2.crypto.keymaterial.DecryptionKeyMaterial;
 import ee.cyber.cdoc2.crypto.keymaterial.EncryptionKeyMaterial;
@@ -134,13 +133,13 @@ private EncryptionKeyMaterial extractSymmetricKeyEncKeyMaterial()
         throws CDocValidationException {
 
         if (null != this.reEncryptPassword) {
-            FormattedOptionParts splitPasswordAndLabel
-                = SymmetricKeyUtil.getSplitPasswordAndLabel(this.reEncryptPassword, true);
-            return SymmetricKeyUtil.extractEncryptionKeyMaterialFromPassword(splitPasswordAndLabel);
+            return SymmetricKeyUtil.extractEncryptionKeyMaterialFromPassword(this.reEncryptPassword);
         }
 
         if (null != this.reEncryptSecret) {
-            return SymmetricKeyUtil.extractEncryptionKeyMaterialFromSecret(this.reEncryptSecret);
+            return SymmetricKeyUtil.extractEncryptionKeyMaterialFromSecret(
+                this.reEncryptSecret
+            );
         }
 
         throw new IllegalArgumentException("Cannot re-create document without password");