HSM 암복화 테스트 중 추가 기능 수정
This commit is contained in:
+1
-1
Submodule elink-online-common updated: fef16d1b99...a923ff3f9f
+1
-1
Submodule elink-online-core updated: 52b968e8f8...2929fc753f
+1
-1
Submodule elink-online-transformer updated: 05e887f7f1...a1d822c2d7
+18
-1
@@ -2,8 +2,12 @@ package com.eactive.eai.custom.adapter.http.client.impl.filter;
|
|||||||
|
|
||||||
import java.util.Properties;
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import com.eactive.eai.adapter.http.client.impl.HttpClient5AdapterServiceRest;
|
||||||
import com.eactive.eai.adapter.http.client.impl.filter.HttpClientAdapterFilter;
|
import com.eactive.eai.adapter.http.client.impl.filter.HttpClientAdapterFilter;
|
||||||
import com.eactive.eai.adapter.http.client.impl.filter.OutCryptoFilter;
|
import com.eactive.eai.adapter.http.client.impl.filter.OutCryptoFilter;
|
||||||
|
import com.eactive.eai.util.JsonPathUtil;
|
||||||
|
import com.fasterxml.jackson.databind.JsonNode;
|
||||||
|
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||||
/**
|
/**
|
||||||
* 제주은행 Open API 기본 암복호화 필더
|
* 제주은행 Open API 기본 암복호화 필더
|
||||||
*/
|
*/
|
||||||
@@ -20,7 +24,20 @@ public class EncFieldOutCryptoFilter implements HttpClientAdapterFilter {
|
|||||||
@Override
|
@Override
|
||||||
public Object doPreFilter(String adptGrpName, String adptName, Properties prop, Object message, Properties tempProp)
|
public Object doPreFilter(String adptGrpName, String adptName, Properties prop, Object message, Properties tempProp)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
return filter.doPreFilter(adptGrpName, adptName, prop, message, setProp(tempProp));
|
String headerGroupName = prop.getProperty(HttpClient5AdapterServiceRest.HEADER_GROUP);
|
||||||
|
|
||||||
|
JsonNode root = JsonPathUtil.toTree(message);
|
||||||
|
ObjectNode rootObjectNode = (ObjectNode) root;
|
||||||
|
JsonNode header = rootObjectNode.get(headerGroupName);
|
||||||
|
rootObjectNode.remove(headerGroupName);
|
||||||
|
|
||||||
|
Object enc = filter.doPreFilter(adptGrpName, adptName, prop, rootObjectNode, setProp(tempProp));
|
||||||
|
|
||||||
|
ObjectNode encJson = (ObjectNode)JsonPathUtil.toTree(enc);
|
||||||
|
encJson.set(headerGroupName, header);
|
||||||
|
|
||||||
|
return encJson;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|||||||
+88
@@ -0,0 +1,88 @@
|
|||||||
|
package com.eactive.eai.custom.adapter.http.dynamic.filter;
|
||||||
|
|
||||||
|
import java.util.Base64;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.json.simple.JSONObject;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.FilterException;
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.HttpAdapterFilter;
|
||||||
|
import com.eactive.eai.common.security.AESCryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.security.ARIACryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.security.CryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.util.Logger;
|
||||||
|
import com.eactive.eai.util.HexaConverter;
|
||||||
|
import com.fasterxml.jackson.databind.JsonNode;
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
|
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||||
|
|
||||||
|
public class DecrytTestFilter implements HttpAdapterFilter {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(Logger.LOGGER_ADAPTER);
|
||||||
|
|
||||||
|
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPreFilter(String adptGrpName, String adptName, Object message, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
try {
|
||||||
|
ObjectNode rootNode = null;
|
||||||
|
String jsonStr = null;
|
||||||
|
if (message instanceof String) {
|
||||||
|
jsonStr = (String) message;
|
||||||
|
} else if (message instanceof JSONObject) {
|
||||||
|
jsonStr = ((JSONObject) message).toJSONString();
|
||||||
|
} else {
|
||||||
|
return message;
|
||||||
|
}
|
||||||
|
rootNode = (ObjectNode) OBJECT_MAPPER.readTree(jsonStr);
|
||||||
|
|
||||||
|
JsonNode alg = rootNode.get("alg");
|
||||||
|
JsonNode mode = rootNode.get("mode");
|
||||||
|
JsonNode padding = rootNode.get("padding");
|
||||||
|
JsonNode aadNode = rootNode.get("aad");
|
||||||
|
JsonNode iv = rootNode.get("iv");
|
||||||
|
byte[] binIv = null;
|
||||||
|
if(iv != null) {
|
||||||
|
String strIv = iv.asText();
|
||||||
|
binIv = HexaConverter.hexToBin(strIv);
|
||||||
|
}
|
||||||
|
JsonNode encKey = rootNode.get("encKey");
|
||||||
|
String strEncKey = encKey.asText();
|
||||||
|
byte[] binEncKey = HexaConverter.hexToBin(strEncKey);
|
||||||
|
|
||||||
|
CryptoModuleExtension ext = "ARIA".equalsIgnoreCase(alg.asText()) ? new ARIACryptoModuleExtension()
|
||||||
|
: new AESCryptoModuleExtension();
|
||||||
|
ext.init(alg.asText(), mode.asText(), padding.asText(), binIv, binEncKey, binEncKey);
|
||||||
|
|
||||||
|
JsonNode encryptedData = rootNode.get("encryptedData");
|
||||||
|
byte[] cipherBytes = Base64.getDecoder().decode(encryptedData.asText().trim());
|
||||||
|
|
||||||
|
byte[] decryptedBytes = null;
|
||||||
|
if(rootNode.has("aad"))
|
||||||
|
decryptedBytes = ext.decrypt(cipherBytes, HexaConverter.hexToBin(aadNode.asText()));
|
||||||
|
else
|
||||||
|
decryptedBytes = ext.decrypt(cipherBytes);
|
||||||
|
|
||||||
|
rootNode.put("hsmKeyRaw", new String(decryptedBytes));
|
||||||
|
|
||||||
|
String jsonString = OBJECT_MAPPER.writeValueAsString(rootNode);
|
||||||
|
return jsonString;
|
||||||
|
|
||||||
|
} catch (Exception e) {
|
||||||
|
logger.error("복호화 실패", e);
|
||||||
|
throw new FilterException("복호화 실패", ERROR_PRE_FAIL, HttpStatus.INTERNAL_SERVER_ERROR.value(), e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPostFilter(String adptGrpName, String adptName, Object resultMessage, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
return resultMessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
+147
@@ -0,0 +1,147 @@
|
|||||||
|
package com.eactive.eai.custom.adapter.http.dynamic.filter;
|
||||||
|
|
||||||
|
import java.security.KeyStore;
|
||||||
|
import java.util.Base64;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.json.simple.JSONObject;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.FilterException;
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.HttpAdapterFilter;
|
||||||
|
import com.eactive.eai.common.hsm.HsmManager;
|
||||||
|
import com.eactive.eai.common.security.AESCryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.security.ARIACryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.security.CryptoModuleExtension;
|
||||||
|
import com.eactive.eai.common.util.Logger;
|
||||||
|
import com.eactive.eai.util.HexaConverter;
|
||||||
|
import com.fasterxml.jackson.databind.JsonNode;
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
|
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||||
|
|
||||||
|
public class EncrytTestFilter implements HttpAdapterFilter {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(Logger.LOGGER_ADAPTER);
|
||||||
|
|
||||||
|
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPreFilter(String adptGrpName, String adptName, Object message, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
try {
|
||||||
|
ObjectNode rootNode = null;
|
||||||
|
String jsonStr = null;
|
||||||
|
if (message instanceof String) {
|
||||||
|
jsonStr = (String) message;
|
||||||
|
} else if (message instanceof JSONObject) {
|
||||||
|
jsonStr = ((JSONObject) message).toJSONString();
|
||||||
|
} else {
|
||||||
|
return message;
|
||||||
|
}
|
||||||
|
rootNode = (ObjectNode) OBJECT_MAPPER.readTree(jsonStr);
|
||||||
|
|
||||||
|
// 1. HSM에서 키 가져오기
|
||||||
|
byte[] hsmKeyBytes = null;
|
||||||
|
JsonNode hsmKeyAlias = rootNode.get("hsmKeyAlias");
|
||||||
|
if (hsmKeyAlias != null) {
|
||||||
|
String hsmKeyAliasValue = hsmKeyAlias.textValue();
|
||||||
|
KeyStore keyStore = HsmManager.getInstance().getKeyStore();
|
||||||
|
|
||||||
|
java.security.Key key = keyStore.getKey(hsmKeyAliasValue, null);
|
||||||
|
if (key instanceof SecretKey) {
|
||||||
|
SecretKey secretKey = (SecretKey) key;
|
||||||
|
hsmKeyBytes = secretKey.getEncoded();
|
||||||
|
if (hsmKeyBytes != null) {
|
||||||
|
String hsmKeyBase64 = Base64.getEncoder().encodeToString(hsmKeyBytes);
|
||||||
|
String hsmKeyHex = HexaConverter.binToHex(hsmKeyBytes);
|
||||||
|
logger.debug("HsmManager] HSM - {} : [{}]", hsmKeyAliasValue, hsmKeyHex);
|
||||||
|
rootNode.put("hsmKeyBase64", hsmKeyBase64);
|
||||||
|
rootNode.put("hsmKeyHex", hsmKeyHex);
|
||||||
|
rootNode.put("hsmKeyRaw", new String(hsmKeyBytes));
|
||||||
|
} else {
|
||||||
|
logger.debug("HsmManager] HSM - secretKey null {} : [{}]", hsmKeyAliasValue, secretKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// 2. 암호화 파라미터가 있으면 암호화 후 복호화 검증
|
||||||
|
JsonNode alg = rootNode.get("alg");
|
||||||
|
JsonNode mode = rootNode.get("mode");
|
||||||
|
JsonNode padding = rootNode.get("padding");
|
||||||
|
|
||||||
|
JsonNode enc = rootNode.get("enc");
|
||||||
|
String strEnc = "BASE64";
|
||||||
|
if(enc != null)
|
||||||
|
strEnc = enc.asText();
|
||||||
|
|
||||||
|
JsonNode ivNode = rootNode.get("iv");
|
||||||
|
JsonNode aadNode = rootNode.get("aad");
|
||||||
|
JsonNode encKeyNode = rootNode.get("encKey");
|
||||||
|
JsonNode dataNode = rootNode.get("data");
|
||||||
|
|
||||||
|
if (alg != null && mode != null && padding != null && encKeyNode != null
|
||||||
|
&& dataNode != null) {
|
||||||
|
byte[] binIv = null;
|
||||||
|
if(ivNode != null) {
|
||||||
|
String strIvValue = ivNode.asText();
|
||||||
|
if(strIvValue.length() == 32||strEnc.equalsIgnoreCase("HEX"))
|
||||||
|
binIv = HexaConverter.hexToBin(strIvValue);
|
||||||
|
else
|
||||||
|
binIv = Base64.getDecoder().decode(strIvValue.trim());
|
||||||
|
}
|
||||||
|
|
||||||
|
String strEncKeyValue = encKeyNode.asText();
|
||||||
|
byte[] binEncKey = null;
|
||||||
|
if(strEnc.equalsIgnoreCase("BASE64"))
|
||||||
|
binEncKey = Base64.getDecoder().decode(strEncKeyValue.trim());
|
||||||
|
else
|
||||||
|
binEncKey = HexaConverter.hexToBin(strEncKeyValue);
|
||||||
|
|
||||||
|
CryptoModuleExtension ext = "ARIA".equalsIgnoreCase(alg.asText()) ? new ARIACryptoModuleExtension()
|
||||||
|
: new AESCryptoModuleExtension();
|
||||||
|
ext.init(alg.asText(), mode.asText(), padding.asText(), binIv, binEncKey, binEncKey);
|
||||||
|
|
||||||
|
byte[] plainBytes = dataNode.asText().getBytes();
|
||||||
|
|
||||||
|
// 암호화
|
||||||
|
byte[] encryptedBytes = null;
|
||||||
|
if(rootNode.has("aad"))
|
||||||
|
encryptedBytes = ext.encrypt(plainBytes, HexaConverter.hexToBin(aadNode.asText()));
|
||||||
|
else
|
||||||
|
encryptedBytes = ext.encrypt(plainBytes);
|
||||||
|
|
||||||
|
String encryptedBase64 = Base64.getEncoder().encodeToString(encryptedBytes);
|
||||||
|
rootNode.put("encryptedData", encryptedBase64);
|
||||||
|
logger.debug("암호화 결과: [{}]", encryptedBase64);
|
||||||
|
|
||||||
|
// 복호화 검증
|
||||||
|
byte[] decryptedBytes = null;
|
||||||
|
if(rootNode.has("aad"))
|
||||||
|
decryptedBytes = ext.decrypt(encryptedBytes, HexaConverter.hexToBin(aadNode.asText()));
|
||||||
|
else
|
||||||
|
decryptedBytes = ext.decrypt(encryptedBytes);
|
||||||
|
|
||||||
|
rootNode.put("decryptedVerify", new String(decryptedBytes));
|
||||||
|
logger.debug("복호화 검증: [{}]", new String(decryptedBytes));
|
||||||
|
}
|
||||||
|
|
||||||
|
String jsonString = OBJECT_MAPPER.writeValueAsString(rootNode);
|
||||||
|
return jsonString;
|
||||||
|
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new FilterException("HSM key 암호화/복호화 검증 실패", ERROR_PRE_FAIL, HttpStatus.INTERNAL_SERVER_ERROR.value(), e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPostFilter(String adptGrpName, String adptName, Object resultMessage, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
return resultMessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,117 @@
|
|||||||
|
package com.eactive.eai.custom.adapter.http.dynamic.filter;
|
||||||
|
|
||||||
|
import java.util.Base64;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Properties;
|
||||||
|
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.json.simple.JSONObject;
|
||||||
|
import org.springframework.http.HttpStatus;
|
||||||
|
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.FilterException;
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.HttpAdapterFilter;
|
||||||
|
import com.eactive.eai.common.security.keyderiv.DerivedKey;
|
||||||
|
import com.eactive.eai.common.util.Logger;
|
||||||
|
import com.eactive.eai.custom.common.security.keyderiv.HsmContextSha256KeyDerivationStrategy;
|
||||||
|
import com.eactive.eai.custom.common.security.keyderiv.HsmKeyAndIvSliceDerivationStrategy;
|
||||||
|
import com.eactive.eai.util.HexaConverter;
|
||||||
|
import com.fasterxml.jackson.databind.JsonNode;
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
|
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||||
|
|
||||||
|
public class GenKeyFilter implements HttpAdapterFilter {
|
||||||
|
|
||||||
|
private static final Logger logger = Logger.getLogger(Logger.LOGGER_ADAPTER);
|
||||||
|
|
||||||
|
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPreFilter(String adptGrpName, String adptName, Object message, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
try {
|
||||||
|
ObjectNode rootNode = null;
|
||||||
|
String jsonStr = null;
|
||||||
|
if (message instanceof String) {
|
||||||
|
jsonStr = (String) message;
|
||||||
|
} else if (message instanceof JSONObject) {
|
||||||
|
jsonStr = ((JSONObject) message).toJSONString();
|
||||||
|
} else {
|
||||||
|
return message;
|
||||||
|
}
|
||||||
|
rootNode = (ObjectNode) OBJECT_MAPPER.readTree(jsonStr);
|
||||||
|
|
||||||
|
JsonNode hsmKey = rootNode.get("hsmKey");
|
||||||
|
JsonNode hsmIv = rootNode.get("hsmIv");
|
||||||
|
JsonNode contextKey = rootNode.get("contextKey");
|
||||||
|
JsonNode type = rootNode.get("type");
|
||||||
|
|
||||||
|
JsonNode enc = rootNode.get("enc");
|
||||||
|
String strEnc = "BASE64";
|
||||||
|
if(enc != null)
|
||||||
|
strEnc = enc.asText();
|
||||||
|
|
||||||
|
byte[] binIv = null;
|
||||||
|
if(hsmIv != null) {
|
||||||
|
String strIvValue = hsmIv.asText();
|
||||||
|
if(strIvValue.length() == 32||strEnc.equalsIgnoreCase("HEX"))
|
||||||
|
binIv = HexaConverter.hexToBin(strIvValue);
|
||||||
|
else
|
||||||
|
binIv = Base64.getDecoder().decode(strIvValue.trim());
|
||||||
|
}
|
||||||
|
|
||||||
|
String strEncKeyValue = hsmKey.asText();
|
||||||
|
byte[] binEncKey = null;
|
||||||
|
if(strEnc.equalsIgnoreCase("BASE64"))
|
||||||
|
binEncKey = Base64.getDecoder().decode(strEncKeyValue.trim());
|
||||||
|
else
|
||||||
|
binEncKey = HexaConverter.hexToBin(strEncKeyValue);
|
||||||
|
|
||||||
|
DerivedKey derivedKey = null;
|
||||||
|
if(type.asText().equals("douzone")) {
|
||||||
|
Map<String, String> params = new HashMap<>();
|
||||||
|
Map<String, String> runtimeContext = new HashMap<>();
|
||||||
|
params.put("contextKey", "contextKey");
|
||||||
|
runtimeContext.put("contextKey", contextKey.asText());
|
||||||
|
HsmContextSha256KeyDerivationStrategy douzoneStrategy = new HsmContextSha256KeyDerivationStrategy();
|
||||||
|
derivedKey = douzoneStrategy.deriveKey(params, runtimeContext, binEncKey);
|
||||||
|
} else if(type.asText().equals("kakaobank")) {
|
||||||
|
HsmKeyAndIvSliceDerivationStrategy kakaobank = new HsmKeyAndIvSliceDerivationStrategy();
|
||||||
|
derivedKey = kakaobank.deriveKey(binEncKey, binIv);
|
||||||
|
}
|
||||||
|
|
||||||
|
JsonNode aad = rootNode.get("aad");
|
||||||
|
if (aad != null) {
|
||||||
|
rootNode.put("generatedAdd", HexaConverter.binToHex(aad.asText().getBytes()));
|
||||||
|
}
|
||||||
|
|
||||||
|
String encBase64 = Base64.getEncoder().encodeToString(derivedKey.getDecKey());
|
||||||
|
logger.debug("generated KEY {} : [{}]", type.asText(), encBase64);
|
||||||
|
rootNode.put("generatedKeyBase64", encBase64);
|
||||||
|
rootNode.put("generatedKeyHex", HexaConverter.binToHex(derivedKey.getDecKey()));
|
||||||
|
rootNode.put("generatedKeyRaw", new String(derivedKey.getDecKey()));
|
||||||
|
|
||||||
|
if(derivedKey.getIv() != null) {
|
||||||
|
String encBase64Iv = Base64.getEncoder().encodeToString(derivedKey.getIv());
|
||||||
|
logger.debug("generated IV {} : [{}]", type.asText(), encBase64Iv);
|
||||||
|
rootNode.put("generatedIvBase64", encBase64Iv);
|
||||||
|
rootNode.put("generatedIvHex", HexaConverter.binToHex(derivedKey.getIv()));
|
||||||
|
rootNode.put("generatedIvRaw", new String(derivedKey.getIv()));
|
||||||
|
}
|
||||||
|
String jsonString = OBJECT_MAPPER.writeValueAsString(rootNode);
|
||||||
|
return jsonString;
|
||||||
|
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new FilterException("HSM key 암호화/복호화 검증 실패", ERROR_PRE_FAIL, HttpStatus.INTERNAL_SERVER_ERROR.value(), e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object doPostFilter(String adptGrpName, String adptName, Object resultMessage, Properties prop,
|
||||||
|
HttpServletRequest request, HttpServletResponse response) throws Exception {
|
||||||
|
return resultMessage;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
+2
-1
@@ -15,6 +15,7 @@ import com.eactive.eai.adapter.http.dynamic.filter.FilterException;
|
|||||||
import com.eactive.eai.adapter.http.dynamic.filter.HttpAdapterFilter;
|
import com.eactive.eai.adapter.http.dynamic.filter.HttpAdapterFilter;
|
||||||
import com.eactive.eai.common.hsm.HsmManager;
|
import com.eactive.eai.common.hsm.HsmManager;
|
||||||
import com.eactive.eai.common.util.Logger;
|
import com.eactive.eai.common.util.Logger;
|
||||||
|
import com.eactive.eai.util.HexaConverter;
|
||||||
import com.fasterxml.jackson.databind.JsonNode;
|
import com.fasterxml.jackson.databind.JsonNode;
|
||||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
import com.fasterxml.jackson.databind.node.ObjectNode;
|
import com.fasterxml.jackson.databind.node.ObjectNode;
|
||||||
@@ -53,7 +54,7 @@ public class HSMKeyCryptoFilter implements HttpAdapterFilter {
|
|||||||
String encBase64 = Base64.getEncoder().encodeToString(encoded);
|
String encBase64 = Base64.getEncoder().encodeToString(encoded);
|
||||||
logger.debug("HsmManager] HSM - {} : [{}]", hsmKeyAliasValue, encBase64);
|
logger.debug("HsmManager] HSM - {} : [{}]", hsmKeyAliasValue, encBase64);
|
||||||
rootNode.put("hsmKeyBase64", encBase64);
|
rootNode.put("hsmKeyBase64", encBase64);
|
||||||
rootNode.put("hsmKeyRaw", new String(encoded));
|
rootNode.put("hsmKeyRaw", HexaConverter.binToHex(encoded));
|
||||||
} else {
|
} else {
|
||||||
logger.debug("HsmManager] HSM - secretKey null {} : [{}]", hsmKeyAliasValue, secretKey);
|
logger.debug("HsmManager] HSM - secretKey null {} : [{}]", hsmKeyAliasValue, secretKey);
|
||||||
}
|
}
|
||||||
|
|||||||
+10
-14
@@ -2,14 +2,11 @@ package com.eactive.eai.custom.common.security.keyderiv;
|
|||||||
|
|
||||||
import java.nio.charset.StandardCharsets;
|
import java.nio.charset.StandardCharsets;
|
||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import javax.crypto.SecretKey;
|
|
||||||
|
|
||||||
import com.eactive.eai.common.hsm.HsmCryptoService;
|
|
||||||
import com.eactive.eai.common.security.keyderiv.DerivedKey;
|
import com.eactive.eai.common.security.keyderiv.DerivedKey;
|
||||||
import com.eactive.eai.common.security.keyderiv.KeyDerivationStrategy;
|
import com.eactive.eai.common.security.keyderiv.strategy.BaseHsmKeyDerivationStrategy;
|
||||||
import com.eactive.eai.common.util.ApplicationContextProvider;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* HSM 마스터키 + 런타임 컨텍스트값을 연결(concatenate)한 뒤 SHA-256 해싱으로 키를 도출하는 전략.
|
* HSM 마스터키 + 런타임 컨텍스트값을 연결(concatenate)한 뒤 SHA-256 해싱으로 키를 도출하는 전략.
|
||||||
@@ -21,15 +18,18 @@ import com.eactive.eai.common.util.ApplicationContextProvider;
|
|||||||
* "contextKey" : "X-Api-Group-Seq" -- runtimeContext에서 꺼낼 키 이름
|
* "contextKey" : "X-Api-Group-Seq" -- runtimeContext에서 꺼낼 키 이름
|
||||||
* }
|
* }
|
||||||
*/
|
*/
|
||||||
public class HsmContextSha256KeyDerivationStrategy implements KeyDerivationStrategy {
|
public class HsmContextSha256KeyDerivationStrategy extends BaseHsmKeyDerivationStrategy {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public DerivedKey deriveKey(Map<String, String> params, Map<String, String> runtimeContext) throws Exception {
|
public DerivedKey deriveKey(Map<String, String> params, Map<String, String> runtimeContext) throws Exception {
|
||||||
String hsmKeyAlias = required(params, PARAM_HSM_KEY_ALIAS);
|
byte[] masterKeyBytes = super.getHsmKey(params);
|
||||||
String contextKey = required(params, PARAM_CONTEXT_KEY);
|
|
||||||
|
return deriveKey(params, runtimeContext, masterKeyBytes);
|
||||||
|
}
|
||||||
|
|
||||||
SecretKey masterKey = hsmCryptoService().getSecretKey(hsmKeyAlias);
|
public DerivedKey deriveKey(Map<String, String> params, Map<String, String> runtimeContext, byte[] masterKeyBytes)
|
||||||
byte[] masterKeyBytes = masterKey.getEncoded();
|
throws NoSuchAlgorithmException {
|
||||||
|
String contextKey = required(params, PARAM_CONTEXT_KEY);
|
||||||
byte[] contextBytes = runtimeContext.getOrDefault(contextKey, "")
|
byte[] contextBytes = runtimeContext.getOrDefault(contextKey, "")
|
||||||
.getBytes(StandardCharsets.UTF_8);
|
.getBytes(StandardCharsets.UTF_8);
|
||||||
|
|
||||||
@@ -55,8 +55,4 @@ public class HsmContextSha256KeyDerivationStrategy implements KeyDerivationStrat
|
|||||||
}
|
}
|
||||||
return value;
|
return value;
|
||||||
}
|
}
|
||||||
|
|
||||||
private HsmCryptoService hsmCryptoService() {
|
|
||||||
return ApplicationContextProvider.getContext().getBean(HsmCryptoService.class);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|||||||
+6
-2
@@ -24,7 +24,11 @@ public class HsmKeyAndIvSliceDerivationStrategy extends BaseHsmKeyDerivationStra
|
|||||||
public DerivedKey deriveKey(Map<String, String> params, Map<String, String> runtimeContext) throws Exception {
|
public DerivedKey deriveKey(Map<String, String> params, Map<String, String> runtimeContext) throws Exception {
|
||||||
byte[] keyBytes = super.getHsmKey(params);
|
byte[] keyBytes = super.getHsmKey(params);
|
||||||
byte[] rawIv = super.getHsmIv(params);
|
byte[] rawIv = super.getHsmIv(params);
|
||||||
String ivHex = DatatypeConverter.printHexBinary(rawIv);
|
return deriveKey(keyBytes, rawIv);
|
||||||
|
}
|
||||||
|
|
||||||
|
public DerivedKey deriveKey(byte[] keyBytes, byte[] rawIv) {
|
||||||
|
String ivHex = DatatypeConverter.printHexBinary(rawIv);
|
||||||
if (ivHex.length() < IV_HEX_END) {
|
if (ivHex.length() < IV_HEX_END) {
|
||||||
throw new IllegalArgumentException(
|
throw new IllegalArgumentException(
|
||||||
"hsmIvAlias hex 길이 부족: 최소 " + IV_HEX_END + "자 필요, 실제=" + ivHex.length()
|
"hsmIvAlias hex 길이 부족: 최소 " + IV_HEX_END + "자 필요, 실제=" + ivHex.length()
|
||||||
@@ -32,7 +36,7 @@ public class HsmKeyAndIvSliceDerivationStrategy extends BaseHsmKeyDerivationStra
|
|||||||
}
|
}
|
||||||
byte[] iv = DatatypeConverter.parseHexBinary(ivHex.substring(IV_HEX_OFFSET, IV_HEX_END));
|
byte[] iv = DatatypeConverter.parseHexBinary(ivHex.substring(IV_HEX_OFFSET, IV_HEX_END));
|
||||||
return new DerivedKey(keyBytes, keyBytes, iv);
|
return new DerivedKey(keyBytes, keyBytes, iv);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String buildCacheKey(String cryptoName, Map<String, String> params, Map<String, String> runtimeContext) {
|
public String buildCacheKey(String cryptoName, Map<String, String> params, Map<String, String> runtimeContext) {
|
||||||
|
|||||||
+470
@@ -0,0 +1,470 @@
|
|||||||
|
package com.eactive.eai.custom.adapter.http.dynamic.filter;
|
||||||
|
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertEquals;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertNotEquals;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||||
|
import static org.junit.jupiter.api.Assertions.assertTrue;
|
||||||
|
import static org.junit.jupiter.api.Assumptions.assumeTrue;
|
||||||
|
import static org.mockito.ArgumentMatchers.anyString;
|
||||||
|
import static org.mockito.ArgumentMatchers.eq;
|
||||||
|
import static org.mockito.Mockito.mock;
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.lang.reflect.Constructor;
|
||||||
|
import java.nio.charset.StandardCharsets;
|
||||||
|
import java.nio.file.Files;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Properties;
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.concurrent.TimeUnit;
|
||||||
|
|
||||||
|
import javax.crypto.SecretKey;
|
||||||
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.junit.jupiter.api.AfterAll;
|
||||||
|
import org.junit.jupiter.api.BeforeAll;
|
||||||
|
import org.junit.jupiter.api.BeforeEach;
|
||||||
|
import org.junit.jupiter.api.DisplayName;
|
||||||
|
import org.junit.jupiter.api.MethodOrderer;
|
||||||
|
import org.junit.jupiter.api.Test;
|
||||||
|
import org.junit.jupiter.api.TestMethodOrder;
|
||||||
|
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
|
||||||
|
import org.springframework.context.support.GenericApplicationContext;
|
||||||
|
|
||||||
|
import com.eactive.eai.adapter.http.dynamic.filter.InCryptoFilter;
|
||||||
|
import com.eactive.eai.adapter.http.filter.AbstractCryptoFilter;
|
||||||
|
import com.eactive.eai.common.hsm.HsmCryptoService;
|
||||||
|
import com.eactive.eai.common.hsm.HsmManager;
|
||||||
|
import com.eactive.eai.common.property.PropManager;
|
||||||
|
import com.eactive.eai.common.security.CryptoModuleConfigVO;
|
||||||
|
import com.eactive.eai.common.security.CryptoModuleManager;
|
||||||
|
import com.eactive.eai.common.security.CryptoModuleService;
|
||||||
|
import com.eactive.eai.common.security.keyderiv.strategy.HsmKeyDerivationStrategy;
|
||||||
|
import com.eactive.eai.common.security.loader.CryptoModuleConfigLoader;
|
||||||
|
import com.eactive.eai.common.security.mapper.CryptoModuleConfigMapper;
|
||||||
|
import com.eactive.eai.common.util.ApplicationContextProvider;
|
||||||
|
import com.eactive.eai.custom.common.security.keyderiv.HsmContextSha256KeyDerivationStrategy;
|
||||||
|
import com.eactive.eai.data.entity.onl.security.CryptoModuleConfig;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* CryptoFilter HSM 연동 통합 테스트 (SoftHSM2 / SunPKCS11)
|
||||||
|
*
|
||||||
|
* SoftHSM2에서 MASTER_KEY를 조회하여 키를 도출한 뒤
|
||||||
|
* InCryptoFilter 의 암복호화 전체 흐름을 검증한다.
|
||||||
|
*
|
||||||
|
* 사전 조건:
|
||||||
|
* C:\SoftHSM2 에 SoftHSM2 설치 (미설치 시 자동 건너뜀)
|
||||||
|
* MASTER_KEY alias는 없으면 자동 생성됨
|
||||||
|
*
|
||||||
|
* 검증 전략:
|
||||||
|
* HSM → 키 도출 → CryptoModuleExtension → InCryptoFilter doPostFilter(암호화) → doPreFilter(복호화) → 원문 일치
|
||||||
|
*/
|
||||||
|
@TestMethodOrder(MethodOrderer.DisplayName.class)
|
||||||
|
public class CryptoFilterHsmIntegrationTest {
|
||||||
|
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
// 상수
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
private static final String SOFTHSM2_DLL = "C:/SoftHSM2/lib/softhsm2-x64.dll";
|
||||||
|
private static final String SOFTHSM2_UTIL = "C:/SoftHSM2/bin/softhsm2-util.exe";
|
||||||
|
private static final String TOKEN_LABEL = "eapim-test";
|
||||||
|
private static final String PIN = "1234";
|
||||||
|
private static final String MASTER_KEY_ALIAS = "MASTER_KEY";
|
||||||
|
|
||||||
|
/** HsmKeyDerivationStrategy: HSM 마스터키를 파생 없이 직접 사용 */
|
||||||
|
private static final String MOD_HSM_GCM = "HSM_GCM";
|
||||||
|
/** HsmContextSha256KeyDerivationStrategy: HSM 마스터키 + 컨텍스트값 SHA-256 파생 */
|
||||||
|
private static final String MOD_CTX_SHA_GCM = "CTX_SHA256_GCM";
|
||||||
|
|
||||||
|
private static final String CTX_KEY = "X-Api-Group-Seq";
|
||||||
|
private static final String CTX_VAL_A = "GROUP-A";
|
||||||
|
private static final String CTX_VAL_B = "GROUP-B";
|
||||||
|
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
// 정적 필드
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
private static GenericApplicationContext springCtx;
|
||||||
|
private static HsmManager hsmManager;
|
||||||
|
private static File tempCfgFile;
|
||||||
|
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
// 내부 클래스: runtimeContext를 고정값으로 반환하는 필터
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
static class ContextAwareCryptoFilter extends InCryptoFilter {
|
||||||
|
private final String key;
|
||||||
|
private final String value;
|
||||||
|
|
||||||
|
ContextAwareCryptoFilter(String key, String value) {
|
||||||
|
this.key = key;
|
||||||
|
this.value = value;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Map<String, String> buildRuntimeContext(Properties prop, HttpServletRequest request) {
|
||||||
|
Map<String, String> ctx = new HashMap<>();
|
||||||
|
ctx.put(key, value);
|
||||||
|
return ctx;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
// 인스턴스 필드
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
private HttpServletRequest mockReq;
|
||||||
|
private HttpServletResponse mockRes;
|
||||||
|
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
// 전체 설정 / 해제
|
||||||
|
// -------------------------------------------------------------------------
|
||||||
|
|
||||||
|
@BeforeAll
|
||||||
|
static void setUpAll() throws Exception {
|
||||||
|
assumeTrue(new File(SOFTHSM2_DLL).exists(),
|
||||||
|
"SoftHSM2 미설치 (C:/SoftHSM2) - 테스트 건너뜀");
|
||||||
|
System.setProperty("SOFTHSM2_CONF", "C:\\SoftHSM2\\etc\\softhsm2.conf");
|
||||||
|
|
||||||
|
// 1. 토큰 초기화
|
||||||
|
ensureTokenInitialized();
|
||||||
|
|
||||||
|
// 2. PKCS11 설정 문자열
|
||||||
|
// attributes(*,...): generate/import 모두 CKA_SENSITIVE=false → getEncoded() 사용 가능
|
||||||
|
String cfgContent = "name = SoftHSM\n"
|
||||||
|
+ "library = " + SOFTHSM2_DLL + "\n"
|
||||||
|
+ "slotListIndex = 0\n"
|
||||||
|
+ "attributes(*, CKO_SECRET_KEY, CKK_AES) = {\n"
|
||||||
|
+ " CKA_SENSITIVE = false\n"
|
||||||
|
+ " CKA_EXTRACTABLE = true\n"
|
||||||
|
+ "}\n";
|
||||||
|
tempCfgFile = File.createTempFile("pkcs11-filter-it-", ".cfg");
|
||||||
|
Files.write(tempCfgFile.toPath(), cfgContent.getBytes("UTF-8"));
|
||||||
|
|
||||||
|
// 3. Mock PropManager (DB 없이 HSM 설정값 제공)
|
||||||
|
PropManager mockPropManager = mock(PropManager.class);
|
||||||
|
when(mockPropManager.getProperty("HSM", "PKCS11_CONFIG")).thenReturn(cfgContent);
|
||||||
|
when(mockPropManager.getProperty("HSM", "PIN")).thenReturn(PIN);
|
||||||
|
when(mockPropManager.getProperty(eq("HSM"), eq("CACHE_RELOAD_YN"), anyString())).thenReturn("N");
|
||||||
|
|
||||||
|
// 4. HsmManager (private 생성자 → 리플렉션)
|
||||||
|
Constructor<HsmManager> hsmCtor = HsmManager.class.getDeclaredConstructor();
|
||||||
|
hsmCtor.setAccessible(true);
|
||||||
|
hsmManager = hsmCtor.newInstance();
|
||||||
|
|
||||||
|
// 5. CryptoModuleManager (private 생성자 → 리플렉션)
|
||||||
|
CryptoModuleConfigLoader mockLoader = mock(CryptoModuleConfigLoader.class);
|
||||||
|
when(mockLoader.findAll()).thenReturn(buildModuleConfigs());
|
||||||
|
|
||||||
|
Constructor<CryptoModuleManager> managerCtor = CryptoModuleManager.class.getDeclaredConstructor();
|
||||||
|
managerCtor.setAccessible(true);
|
||||||
|
CryptoModuleManager manager = managerCtor.newInstance();
|
||||||
|
|
||||||
|
CryptoModuleService cryptoService = new CryptoModuleService();
|
||||||
|
HsmCryptoService hsmCryptoService = new HsmCryptoService();
|
||||||
|
|
||||||
|
// 6. Spring ApplicationContext 구성
|
||||||
|
springCtx = new GenericApplicationContext();
|
||||||
|
springCtx.getBeanFactory().registerSingleton("propManager", mockPropManager);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("hsmManager", hsmManager);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("hsmCryptoService", hsmCryptoService);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("cryptoModuleConfigLoader", mockLoader);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("cryptoModuleManager", manager);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("cryptoModuleService", cryptoService);
|
||||||
|
springCtx.getBeanFactory().registerSingleton("cryptoModuleConfigMapper", testMapper());
|
||||||
|
springCtx.registerBeanDefinition("applicationContextProvider",
|
||||||
|
BeanDefinitionBuilder.genericBeanDefinition(ApplicationContextProvider.class)
|
||||||
|
.getBeanDefinition());
|
||||||
|
springCtx.refresh();
|
||||||
|
|
||||||
|
// 7. HsmManager 시작 (SunPKCS11 Provider 초기화 + KeyStore 오픈)
|
||||||
|
hsmManager.start();
|
||||||
|
assertTrue(hsmManager.isReady(), "HsmManager 초기화 실패");
|
||||||
|
System.out.println("[HSM] Provider: " + hsmManager.getPkcs11Provider().getName());
|
||||||
|
|
||||||
|
// 8. MASTER_KEY 등록 (없으면 자동 생성)
|
||||||
|
ensureMasterKey();
|
||||||
|
|
||||||
|
// 9. CryptoModuleManager 시작 (모듈 설정 로드)
|
||||||
|
manager.start();
|
||||||
|
System.out.println("[Crypto] 모듈 로드 완료");
|
||||||
|
}
|
||||||
|
|
||||||
|
@AfterAll
|
||||||
|
static void tearDownAll() throws Exception {
|
||||||
|
if (hsmManager != null && hsmManager.isStarted()) hsmManager.stop();
|
||||||
|
if (springCtx != null) springCtx.close();
|
||||||
|
if (tempCfgFile != null) tempCfgFile.delete();
|
||||||
|
}
|
||||||
|
|
||||||
|
@BeforeEach
|
||||||
|
void setUp() {
|
||||||
|
mockReq = mock(HttpServletRequest.class);
|
||||||
|
mockRes = mock(HttpServletResponse.class);
|
||||||
|
}
|
||||||
|
|
||||||
|
// =========================================================================
|
||||||
|
// 1. HsmKeyDerivationStrategy — HSM 마스터키 직접 사용 (InCryptoFilter)
|
||||||
|
// =========================================================================
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("1-1. FIELD/GCM HsmKey — doPostFilter 암호화 → doPreFilter 복호화 라운드트립")
|
||||||
|
void testHsmGcm_field_roundTrip() throws Exception {
|
||||||
|
InCryptoFilter filter = new InCryptoFilter();
|
||||||
|
String original = "{\"acno\":\"1234567890\",\"amount\":\"100000\"}";
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_HSM_GCM);
|
||||||
|
// SCOPE 기본값 FIELD, 경로 기본값 사용
|
||||||
|
|
||||||
|
// 암호화: body 전체 → /encrypted_data 필드
|
||||||
|
String encrypted = (String) filter.doPostFilter("G", "A", original, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[1-1] encrypted: " + encrypted);
|
||||||
|
assertTrue(encrypted.contains("encrypted_data"), "/encrypted_data 필드가 있어야 한다");
|
||||||
|
|
||||||
|
// 복호화: /encrypted_data 필드 → body 전체 교체
|
||||||
|
String decrypted = (String) filter.doPreFilter("G", "A", encrypted, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[1-1] decrypted: " + decrypted);
|
||||||
|
assertEquals(original, decrypted);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("1-2. BODY/GCM HsmKey — doPostFilter 암호화 → doPreFilter 복호화 라운드트립")
|
||||||
|
void testHsmGcm_body_roundTrip() throws Exception {
|
||||||
|
InCryptoFilter filter = new InCryptoFilter();
|
||||||
|
String original = "{\"acno\":\"1234567890\",\"amount\":\"100000\"}";
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_HSM_GCM);
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_SCOPE, "BODY");
|
||||||
|
|
||||||
|
// 암호화: body 전체 → Base64 암호문
|
||||||
|
String encrypted = (String) filter.doPostFilter("G", "A", original, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[1-2] encrypted(Base64): " + encrypted);
|
||||||
|
assertNotEquals(original, encrypted, "암호문은 평문과 달라야 한다");
|
||||||
|
|
||||||
|
// 복호화: Base64 암호문 → 원문
|
||||||
|
String decrypted = (String) filter.doPreFilter("G", "A", encrypted, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[1-2] decrypted: " + decrypted);
|
||||||
|
assertEquals(original, decrypted);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("1-3. FIELD/GCM HsmKey + AAD 헤더 — 동일 요청 ID로 암복호화 성공")
|
||||||
|
void testHsmGcm_field_withAad_success() throws Exception {
|
||||||
|
InCryptoFilter filter = new InCryptoFilter();
|
||||||
|
String original = "{\"amount\":\"500000\"}";
|
||||||
|
String requestId = "REQ-20240101-001";
|
||||||
|
|
||||||
|
when(mockReq.getHeader("X-Request-Id")).thenReturn(requestId);
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_HSM_GCM);
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_AAD_HEADER, "X-Request-Id");
|
||||||
|
|
||||||
|
String encrypted = (String) filter.doPostFilter("G", "A", original, prop, mockReq, mockRes);
|
||||||
|
String decrypted = (String) filter.doPreFilter( "G", "A", encrypted, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[1-3] decrypted: " + decrypted);
|
||||||
|
assertEquals(original, decrypted);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("1-4. FIELD/GCM HsmKey + AAD 헤더 — 다른 요청 ID로 복호화 시 GCM 인증 실패")
|
||||||
|
void testHsmGcm_field_withAad_wrongAad_fails() throws Exception {
|
||||||
|
InCryptoFilter filter = new InCryptoFilter();
|
||||||
|
String original = "{\"amount\":\"500000\"}";
|
||||||
|
|
||||||
|
// 암호화 시 요청 ID
|
||||||
|
HttpServletRequest encReq = mock(HttpServletRequest.class);
|
||||||
|
when(encReq.getHeader("X-Request-Id")).thenReturn("REQ-CORRECT");
|
||||||
|
|
||||||
|
// 복호화 시 다른 요청 ID
|
||||||
|
HttpServletRequest decReq = mock(HttpServletRequest.class);
|
||||||
|
when(decReq.getHeader("X-Request-Id")).thenReturn("REQ-WRONG");
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_HSM_GCM);
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_AAD_HEADER, "X-Request-Id");
|
||||||
|
|
||||||
|
String encrypted = (String) filter.doPostFilter("G", "A", original, prop, encReq, mockRes);
|
||||||
|
|
||||||
|
assertThrows(Exception.class,
|
||||||
|
() -> filter.doPreFilter("G", "A", encrypted, prop, decReq, mockRes),
|
||||||
|
"잘못된 AAD로 GCM 복호화 시 예외가 발생해야 한다");
|
||||||
|
System.out.println("[1-4] 다른 AAD 복호화 예외 확인 완료");
|
||||||
|
}
|
||||||
|
|
||||||
|
// =========================================================================
|
||||||
|
// 2. HsmContextSha256KeyDerivationStrategy — 컨텍스트 기반 SHA-256 파생 키
|
||||||
|
// =========================================================================
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("2-1. FIELD/GCM ContextSha256 — 동일 컨텍스트로 암복호화 라운드트립")
|
||||||
|
void testCtxSha256Gcm_field_roundTrip() throws Exception {
|
||||||
|
InCryptoFilter filter = new ContextAwareCryptoFilter(CTX_KEY, CTX_VAL_A);
|
||||||
|
String original = "{\"accNo\":\"0011234567890\",\"amount\":\"50000\"}";
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_CTX_SHA_GCM);
|
||||||
|
|
||||||
|
String encrypted = (String) filter.doPostFilter("G", "A", original, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[2-1] encrypted: " + encrypted);
|
||||||
|
assertTrue(encrypted.contains("encrypted_data"));
|
||||||
|
|
||||||
|
String decrypted = (String) filter.doPreFilter("G", "A", encrypted, prop, mockReq, mockRes);
|
||||||
|
System.out.println("[2-1] decrypted: " + decrypted);
|
||||||
|
assertEquals(original, decrypted);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("2-2. FIELD/GCM ContextSha256 — 암호화와 다른 컨텍스트로 복호화 시 GCM 인증 실패")
|
||||||
|
void testCtxSha256Gcm_differentContext_throwsException() throws Exception {
|
||||||
|
InCryptoFilter encFilter = new ContextAwareCryptoFilter(CTX_KEY, CTX_VAL_A);
|
||||||
|
InCryptoFilter decFilter = new ContextAwareCryptoFilter(CTX_KEY, CTX_VAL_B);
|
||||||
|
String original = "{\"data\":\"sensitive\"}";
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_CTX_SHA_GCM);
|
||||||
|
|
||||||
|
String encrypted = (String) encFilter.doPostFilter("G", "A", original, prop, mockReq, mockRes);
|
||||||
|
|
||||||
|
assertThrows(Exception.class,
|
||||||
|
() -> decFilter.doPreFilter("G", "A", encrypted, prop, mockReq, mockRes),
|
||||||
|
"다른 컨텍스트 키로 파생된 키는 복호화에 실패해야 한다");
|
||||||
|
System.out.println("[2-2] 다른 컨텍스트 복호화 예외 확인 완료");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@DisplayName("2-3. FIELD/GCM ContextSha256 — 컨텍스트별 독립 암복호화 (GROUP-A, GROUP-B 각각 성공)")
|
||||||
|
void testCtxSha256Gcm_perGroupRoundTrip() throws Exception {
|
||||||
|
InCryptoFilter filterA = new ContextAwareCryptoFilter(CTX_KEY, CTX_VAL_A);
|
||||||
|
InCryptoFilter filterB = new ContextAwareCryptoFilter(CTX_KEY, CTX_VAL_B);
|
||||||
|
String plainA = "{\"group\":\"A\",\"amount\":\"1000\"}";
|
||||||
|
String plainB = "{\"group\":\"B\",\"amount\":\"2000\"}";
|
||||||
|
|
||||||
|
Properties prop = new Properties();
|
||||||
|
prop.setProperty(AbstractCryptoFilter.PROP_MODULE_NAME, MOD_CTX_SHA_GCM);
|
||||||
|
|
||||||
|
String encA = (String) filterA.doPostFilter("G", "A", plainA, prop, mockReq, mockRes);
|
||||||
|
String encB = (String) filterB.doPostFilter("G", "B", plainB, prop, mockReq, mockRes);
|
||||||
|
|
||||||
|
assertEquals(plainA, (String) filterA.doPreFilter("G", "A", encA, prop, mockReq, mockRes));
|
||||||
|
assertEquals(plainB, (String) filterB.doPreFilter("G", "B", encB, prop, mockReq, mockRes));
|
||||||
|
System.out.println("[2-3] GROUP-A, GROUP-B 각각 독립 암복호화 성공");
|
||||||
|
}
|
||||||
|
|
||||||
|
// =========================================================================
|
||||||
|
// 헬퍼
|
||||||
|
// =========================================================================
|
||||||
|
|
||||||
|
private static List<CryptoModuleConfig> buildModuleConfigs() {
|
||||||
|
return Arrays.asList(
|
||||||
|
buildDynamic(MOD_HSM_GCM, "AES", "GCM", "NoPadding",
|
||||||
|
HsmKeyDerivationStrategy.class.getName(),
|
||||||
|
"{\"hsmKeyAlias\":\"" + MASTER_KEY_ALIAS + "\"}"),
|
||||||
|
buildDynamic(MOD_CTX_SHA_GCM, "AES", "GCM", "NoPadding",
|
||||||
|
HsmContextSha256KeyDerivationStrategy.class.getName(),
|
||||||
|
"{\"hsmKeyAlias\":\"" + MASTER_KEY_ALIAS + "\",\"contextKey\":\"" + CTX_KEY + "\"}")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static CryptoModuleConfig buildDynamic(String name, String alg, String mode, String padding,
|
||||||
|
String strategy, String params) {
|
||||||
|
CryptoModuleConfig c = new CryptoModuleConfig();
|
||||||
|
c.setCryptoId(UUID.randomUUID().toString());
|
||||||
|
c.setCryptoName(name);
|
||||||
|
c.setAlgType(alg);
|
||||||
|
c.setCipherMode(mode);
|
||||||
|
c.setPadding(padding);
|
||||||
|
c.setKeySourceType("DYNAMIC");
|
||||||
|
c.setKeyDerivStrategy(strategy);
|
||||||
|
c.setKeyDerivParams(params);
|
||||||
|
c.setCacheYn("Y");
|
||||||
|
c.setCacheTtlSec(60);
|
||||||
|
c.setUseYn("Y");
|
||||||
|
// ivHex = null: GCM에서 IV를 AAD 대체값으로 사용하지 않도록 의도적으로 미설정
|
||||||
|
return c;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void ensureMasterKey() throws Exception {
|
||||||
|
java.security.KeyStore ks = hsmManager.getKeyStore();
|
||||||
|
|
||||||
|
// 이전 실행 키 삭제 (sensitive 여부 무관하게 항상 고정키로 재등록)
|
||||||
|
if (ks.containsAlias(MASTER_KEY_ALIAS)) {
|
||||||
|
ks.deleteEntry(MASTER_KEY_ALIAS);
|
||||||
|
System.out.println("[HSM] 기존 MASTER_KEY 삭제");
|
||||||
|
}
|
||||||
|
|
||||||
|
// CryptoModuleServiceTest.KEY_128 과 동일한 고정 키 → 두 테스트 간 암호문 비교 가능
|
||||||
|
// attributes(*, CKO_SECRET_KEY, CKK_AES) 지시어로 임포트 시 CKA_SENSITIVE=false 적용
|
||||||
|
byte[] keyBytes = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
|
||||||
|
SecretKey fixedKey = new SecretKeySpec(keyBytes, "AES");
|
||||||
|
ks.setKeyEntry(MASTER_KEY_ALIAS, fixedKey, null, null);
|
||||||
|
|
||||||
|
// 임포트 후 getEncoded() 검증
|
||||||
|
SecretKey stored = (SecretKey) ks.getKey(MASTER_KEY_ALIAS, null);
|
||||||
|
byte[] encoded = stored.getEncoded();
|
||||||
|
System.out.println("[HSM] MASTER_KEY 등록 완료: alias=" + MASTER_KEY_ALIAS
|
||||||
|
+ " / getEncoded()=" + (encoded != null ? encoded.length + "bytes, " + new String(encoded) : "null (추출 불가!)"));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void ensureTokenInitialized() throws Exception {
|
||||||
|
ProcessBuilder pb = new ProcessBuilder(
|
||||||
|
SOFTHSM2_UTIL, "--init-token", "--free",
|
||||||
|
"--label", TOKEN_LABEL, "--pin", PIN, "--so-pin", PIN);
|
||||||
|
pb.redirectErrorStream(true);
|
||||||
|
Process p = pb.start();
|
||||||
|
String out = readOutput(p);
|
||||||
|
p.waitFor(10, TimeUnit.SECONDS);
|
||||||
|
System.out.println("[SoftHSM2] init-token: " + out.trim());
|
||||||
|
}
|
||||||
|
|
||||||
|
private static CryptoModuleConfigMapper testMapper() {
|
||||||
|
return new CryptoModuleConfigMapper() {
|
||||||
|
@Override
|
||||||
|
public CryptoModuleConfigVO toVo(CryptoModuleConfig e) {
|
||||||
|
CryptoModuleConfigVO vo = new CryptoModuleConfigVO();
|
||||||
|
vo.setCryptoId(e.getCryptoId());
|
||||||
|
vo.setCryptoName(e.getCryptoName());
|
||||||
|
vo.setCryptoDesc(e.getCryptoDesc());
|
||||||
|
vo.setAlgType(e.getAlgType());
|
||||||
|
vo.setCipherMode(e.getCipherMode());
|
||||||
|
vo.setPadding(e.getPadding());
|
||||||
|
vo.setIvHex(e.getIvHex());
|
||||||
|
vo.setKeySourceType(e.getKeySourceType());
|
||||||
|
vo.setEncKeyHex(e.getEncKeyHex());
|
||||||
|
vo.setDecKeyHex(e.getDecKeyHex());
|
||||||
|
vo.setKeyDerivStrategy(e.getKeyDerivStrategy());
|
||||||
|
vo.setKeyDerivParams(e.getKeyDerivParams());
|
||||||
|
vo.setCacheYn(e.getCacheYn());
|
||||||
|
vo.setCacheTtlSec(e.getCacheTtlSec());
|
||||||
|
vo.setUseYn(e.getUseYn());
|
||||||
|
return vo;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public CryptoModuleConfig toEntity(CryptoModuleConfigVO vo) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String readOutput(Process p) throws Exception {
|
||||||
|
InputStream is = p.getInputStream();
|
||||||
|
byte[] buf = new byte[4096];
|
||||||
|
StringBuilder sb = new StringBuilder();
|
||||||
|
int len;
|
||||||
|
while ((len = is.read(buf)) != -1) {
|
||||||
|
sb.append(new String(buf, 0, len, "UTF-8"));
|
||||||
|
}
|
||||||
|
return sb.toString();
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user