Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/chonton/vault-jca
Java Cryptography Provider using Vault
https://github.com/chonton/vault-jca
hashicorp-vault java-cryptography-implementation jca
Last synced: 3 months ago
JSON representation
Java Cryptography Provider using Vault
- Host: GitHub
- URL: https://github.com/chonton/vault-jca
- Owner: chonton
- License: apache-2.0
- Created: 2023-02-19T00:46:19.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-11-20T21:25:47.000Z (about 1 year ago)
- Last Synced: 2023-11-20T22:28:40.656Z (about 1 year ago)
- Topics: hashicorp-vault, java-cryptography-implementation, jca
- Language: Java
- Homepage:
- Size: 109 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# JCA for VAULT
[Java Cryptography Architecture](https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html)
provides a way to plug a cryptography provider without modifying the client code. The client needs
to register the provider for it to be available through the Security apis.
This provider leverages
[Vault's transit secrets](https://developer.hashicorp.com/vault/docs/v1.11.x/secrets/transit)
for implementing KeyStore, KeyPairGenerator, and Signature algorithms.
# Requirements
- Java 11
- Maven 3.5.4
# Maven Coordinates
```xml
org.honton.chas
vault-jca
1.1.0
```
[Build details](https://chonton.github.io/vault-jca/index.html)
# Use Cases
## Register Provider
```java
// Explicity specify vault address and token supplier
VaultApi.setVaultInstance(vaultAddress, () -> vaultToken);
private static final String providerName = VaultProvider.register().getName();
// Otherwise, defaul to using VAULT_ADDR and VAULT_TOKEN environment variables
private static final String NAME = VaultProvider.register().getName();
```
## KeyStore
The KeyStore can fetch existing PublicKey from Vault.
```java
// initialize KeyStore
KeyStore keyStore = KeyStore.getInstance(NAME, NAME);
keyStore.load(null, null);
// get an existing Vault public key
PublicKey publicKey = (PublicKey) keyStore.getCertificate(keyName).getPublicKey();
// get an existing Vault private key. Just a reference for use with signature.sign
PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyName, null);
// list keys
Collections.list(keyStore.aliases());
```
## KeyPairGenerator
The KeyPairGenerator can create a new KeyPair in Vault with the name specified in the
VaultParameterSpec.
```java
// keyAlgorithmName is from KeyPairGenerator Algorithms table below
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(keyAlgorithmName, NAME);
VaultParameterSpec keySpec;
if ("EC".equals(keyAlgorithmName)) {
// use appropriate VaultRsaKeyType
keySpec = new VaultRsaParameterSpec(keyName, VaultRsaKeyType.RSA_3072);
} else {
// use appropriate VaultEcdsaKeyAlgorithm
keySpec = new VaultEcdsaParameterSpec(keyName, VaultEcdsaKeyAlgorithm.ECDSA_P521);
}
keyPairGenerator.initialize(keySpec);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// PublicKey is exported from vault and can be transfered out of process
PublicKey publicKey = keyPair.getPublic();
// PrivateKey remains in vault. This is a reference that can be used by signature,initSign
PrivateKey privateKey = keyPair.getPrivate();
```
## Signature
The Signature can sign (with the PrivateKey) or verify (with the PublicKey) a message using a
Vault key. The keys are obtained from the KeyStore.
```java
// algorithm is from Signature Algorithms table below
Signature signature = Signature.getInstance(signatureAlgorithmName, NAME);
// sign
signature.initSign(privateKey);
signature.update(MESSAGE);
byte[] signatureBytes = signature.sign();
// verify
signature.initVerify(publicKey);
signature.update(MESSAGE);
if (!signature.verify(signatureBytes)) {
throw new VerificationException("");
}
```
The security provider leverages
[Vault's transit secrets](https://developer.hashicorp.com/vault/docs/v1.11.x/secrets/transit)
for implementing the following algorithms.
## [KeyPairGenerator Algorithms](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#keypairgenerator-algorithms)
| Algorithm Name | Description |
|----------------|-------------------------------------------------|
| RSA | keypairs for the RSA algorithm |
| RSASSA-PSS | keypairs for the RSASSA-PSS signature algorithm |
| EC | keypairs for the Elliptic Curve algorithm |
## KeyStore Algorithms
| Algorithm Name | Description |
|----------------|--------------------------|
| Vault | keypairs stored in Vault |
## [Signature Algorithms](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms)
| Algorithm Name | Description |
|----------------------|----------------------------------------|
| ___Deterministic___ | RSA signatures using RSASSA-PKCS1-v1_5 |
| SHA256withRSA | 2048 bit RSA |
| SHA384withRSA | 3072 bit RSA |
| SHA512withRSA | 4096 bit RSA |
| ___Randomized___ | RSA signatures using RSASSA-PSS |
| SHA256withRSAandMGF1 | 2048 bit RSA, MGF1 salt 256 bits |
| SHA384withRSAandMGF1 | 3072 bit RSA, MGF1 salt 384 bits |
| SHA512withRSAandMGF1 | 4096 bit RSA, MGF1 salt 512 bits |
| ___Elliptic Curve___ | EC signatures |
| SHA256withECDSA | 256 bit EC |
| SHA384withECDSA | 384 bit EC |
| SHA512withECDSA | 512 bit EC |
# Keys Security
All private keys remain in Vault. The public key is available through the KeyStore interface. A new
KeyPair is generated using the KeyPairGenerator interface.