From 01e4e36345da1f8fe0fe58e1613ae2ab26685ad9 Mon Sep 17 00:00:00 2001 From: curry772 Date: Thu, 28 May 2026 13:29:26 +0900 Subject: [PATCH] =?UTF-8?q?HsmContextSha256KeyDerivationStrategy=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- ...HsmContextSha256KeyDerivationStrategy.java | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 src/main/java/com/eactive/eai/custom/common/security/keyderiv/HsmContextSha256KeyDerivationStrategy.java diff --git a/src/main/java/com/eactive/eai/custom/common/security/keyderiv/HsmContextSha256KeyDerivationStrategy.java b/src/main/java/com/eactive/eai/custom/common/security/keyderiv/HsmContextSha256KeyDerivationStrategy.java new file mode 100644 index 0000000..c564d54 --- /dev/null +++ b/src/main/java/com/eactive/eai/custom/common/security/keyderiv/HsmContextSha256KeyDerivationStrategy.java @@ -0,0 +1,62 @@ +package com.eactive.eai.custom.common.security.keyderiv; + +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.util.Map; + +import javax.crypto.SecretKey; + +import com.eactive.eai.common.hsm.HsmCryptoService; +import com.eactive.eai.common.security.keyderiv.DerivedKey; +import com.eactive.eai.common.security.keyderiv.KeyDerivationStrategy; +import com.eactive.eai.common.util.ApplicationContextProvider; + +/** + * HSM 마스터키 + 런타임 컨텍스트값을 연결(concatenate)한 뒤 SHA-256 해싱으로 키를 도출하는 전략. + * SHA-256 출력은 항상 32바이트(AES-256)이므로 별도 keyLength 파라미터가 불필요하다. + * + * key_deriv_params (JSON) 예시: + * { + * "hsmKeyAlias" : "MASTER_KEY_AES", + * "contextKey" : "X-Api-Group-Seq" -- runtimeContext에서 꺼낼 키 이름 + * } + */ +public class HsmContextSha256KeyDerivationStrategy implements KeyDerivationStrategy { + + @Override + public DerivedKey deriveKey(Map params, Map runtimeContext) throws Exception { + String hsmKeyAlias = required(params, PARAM_HSM_KEY_ALIAS); + String contextKey = required(params, PARAM_CONTEXT_KEY); + + SecretKey masterKey = hsmCryptoService().getSecretKey(hsmKeyAlias); + byte[] masterKeyBytes = masterKey.getEncoded(); + byte[] contextBytes = runtimeContext.getOrDefault(contextKey, "") + .getBytes(StandardCharsets.UTF_8); + + byte[] combined = new byte[masterKeyBytes.length + contextBytes.length]; + System.arraycopy(masterKeyBytes, 0, combined, 0, masterKeyBytes.length); + System.arraycopy(contextBytes, 0, combined, masterKeyBytes.length, contextBytes.length); + + byte[] derived = MessageDigest.getInstance("SHA-256").digest(combined); + return new DerivedKey(derived, derived); + } + + @Override + public String buildCacheKey(String cryptoName, Map params, Map runtimeContext) { + String contextKey = params.getOrDefault(PARAM_CONTEXT_KEY, ""); + String contextValue = runtimeContext.getOrDefault(contextKey, ""); + return cryptoName + ":" + contextValue; + } + + private String required(Map params, String key) { + String value = params.get(key); + if (value == null || value.trim().isEmpty()) { + throw new IllegalArgumentException("key_deriv_params 필수값 누락: " + key); + } + return value; + } + + private HsmCryptoService hsmCryptoService() { + return ApplicationContextProvider.getContext().getBean(HsmCryptoService.class); + } +}