Merge pull request #68 from ankitCEO2/sdk5

add multi user multi cluster sample

pom.xml

@@ -19,7 +19,7 @@
                 <activeByDefault>true</activeByDefault>
             </activation>
             <properties>
-                <cloudhsmVersion>5.5.0</cloudhsmVersion>
+                <cloudhsmVersion>5.8.0</cloudhsmVersion>
                 <cloudhsmJarPath>/opt/cloudhsm/java/cloudhsm-jce-${cloudhsmVersion}.jar</cloudhsmJarPath>
             </properties>
         </profile>
@@ -445,6 +445,32 @@
                             </filters>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>build-multi-user-multi-cluster-runner</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <outputFile>target/assembly/multi-user-multi-cluster-runner.jar</outputFile>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <mainClass>com.amazonaws.cloudhsm.examples.MultiUserMultiClusterRunner</mainClass>
+                                </transformer>
+                            </transformers>
+                            <finalName>multi-user-multi-cluster-runner</finalName>
+                            <filters>
+                                <filter>
+                                    <artifact>*:*</artifact>
+                                    <excludes>
+                                        <exclude>META-INF/*.SF</exclude>
+                                        <exclude>META-INF/*.DSA</exclude>
+                                        <exclude>META-INF/*.RSA</exclude>
+                                    </excludes>
+                                </filter>
+                            </filters>
+                        </configuration>
+                    </execution>
                 </executions>
             </plugin>
 
@@ -691,6 +717,23 @@
                             </arguments>
                         </configuration>
                     </execution>
+                    <execution>
+                        <id>verify-multi-user-multi-cluster</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>exec</goal>
+                        </goals>
+                        <configuration>
+                            <executable>java</executable>
+                            <arguments>
+                                <argument>-enableassertions</argument>
+                                <argument>-jar</argument>
+                                <argument>target/assembly/multi-user-multi-cluster-runner.jar</argument>
+                                <argument>--method</argument>
+                                <argument>environment</argument>
+                            </arguments>
+                        </configuration>
+                    </execution>
                 </executions>
             </plugin>
         </plugins>

src/main/java/com/amazonaws/cloudhsm/examples/AESWrappingRunner.java

@@ -85,20 +85,24 @@ private static void aesGcmWrapNoPadding(Key aesWrappingKey, Key payloadKey) thro
         final Cipher cipher =
                 Cipher.getInstance("AES/GCM/NoPadding", CloudHsmProvider.PROVIDER_NAME);
 
-        // Initialization Vector - this is overridden by HSM
-        byte[] IV = new byte[12];
+        final int tagLen = 128;
 
         // Create GCMParameterSpec GCMParameterSpec(int tagLen, byte[] iv)
         // Can also use GCMParameterSpec(int tagLen, byte[] iv, int offset, int byteCount)
-        final int tagLen = 128;
-        GCMParameterSpec gcmSpecWrap = new GCMParameterSpec(tagLen, IV);
+
+        // Initialization Vector - We are passing a zero-byte IV to the GCMParameterSpec because
+        // the IV will be ignored by CloudHSM. The HSM will generate its own IV during the operation
+        // and return it to the application
+        GCMParameterSpec gcmSpecWrap = new GCMParameterSpec(tagLen, new byte[0]);
 
         // Initialize the cipher in wrap mode.
         cipher.init(Cipher.WRAP_MODE, aesWrappingKey, gcmSpecWrap);
 
         // Wrap the payload key.
         byte[] wrappedKey = cipher.wrap(payloadKey);
-        // Get iv from wrap cipher to perform unwrapping
+        // Get IV from wrap cipher to perform unwrapping.
+        // Fetch the IV generated by the HSM during the wrap operation for later
+        // uses in unwrap operation in the application.
         byte[] iv = cipher.getIV();
 
         // Initialize an AesGcmWrap no padding cipher for unwrapping.

src/main/java/com/amazonaws/cloudhsm/examples/AsymmetricKeys.java

@@ -88,6 +88,23 @@ public static KeyPair generateRSAKeyPair(int keySizeInBits, String label)
                 keySizeInBits, label, new KeyAttributesMap(), new KeyAttributesMap());
     }
 
+    /**
+     * Generate an RSA key pair and the given provider.
+     *
+     * <p>The label passed will be appended with ":Public" and ":Private" for the respective keys.
+     *
+     * @return a key pair object that represents the keys on the HSM.
+     * @throws InvalidAlgorithmParameterException
+     * @throws NoSuchAlgorithmException
+     * @throws NoSuchProviderException
+     */
+    public static KeyPair generateRSAKeyPair(int keySizeInBits, String label, String providerName)
+            throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+            NoSuchProviderException, AddAttributeException {
+        return doGenerateRSAKeyPair(
+                keySizeInBits, label, new KeyAttributesMap(), new KeyAttributesMap(), providerName);
+    }
+
     /**
      * Generate an RSA key pair.
      *
@@ -105,9 +122,23 @@ public static KeyPair generateRSAKeyPair(
             KeyAttributesMap additionalPrivateKeyAttributes)
             throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
                     NoSuchProviderException, AddAttributeException {
+        return doGenerateRSAKeyPair(keySizeInBits,
+                label,
+                additionalPublicKeyAttributes,
+                additionalPrivateKeyAttributes,
+                CloudHsmProvider.PROVIDER_NAME);
+    }
+
+    private static KeyPair doGenerateRSAKeyPair(int keySizeInBits,
+                                                String label,
+                                                KeyAttributesMap additionalPublicKeyAttributes,
+                                                KeyAttributesMap additionalPrivateKeyAttributes,
+                                                String providerName)
+                                                throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+                                                NoSuchProviderException, AddAttributeException {
 
         KeyPairGenerator keyPairGen =
-                KeyPairGenerator.getInstance("RSA", CloudHsmProvider.PROVIDER_NAME);
+                KeyPairGenerator.getInstance("RSA", providerName);
 
         // Set attributes for RSA public key
         final KeyAttributesMap publicKeyAttrsMap = new KeyAttributesMap();

src/main/java/com/amazonaws/cloudhsm/examples/LoginRunner.java

@@ -22,6 +22,7 @@
 import java.security.Key;
 import java.security.Security;
 import java.security.AuthProvider;
+import java.text.MessageFormat;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.PasswordCallback;
@@ -117,8 +118,13 @@ public static void loginWithExplicitCredentials(String user, String pass) {
             System.out.println(ex);
             return;
         }
+        loginWithPinOnGivenProvider(user, pass, CloudHsmProvider.PROVIDER_NAME);
+        logout(provider);
+    }
 
-        ApplicationCallBackHandler loginHandler = new ApplicationCallBackHandler(user + ":" + pass);
+    public static void loginWithPinOnGivenProvider(String user, String password, String providerName) {
+        AuthProvider provider = (AuthProvider) Security.getProvider(providerName);
+        ApplicationCallBackHandler loginHandler = new ApplicationCallBackHandler(user + ":" + password);
         try {
             provider.login(null, loginHandler);
         } catch(AccountAlreadyLoggedInException e) {
@@ -131,13 +137,7 @@ public static void loginWithExplicitCredentials(String user, String pass) {
         } catch (LoginException e) {
             e.printStackTrace();
         }
-        System.out.printf("\nLogin successful!\n\n");
-
-        // Explicit logout is only available when you explicitly login using
-        // AuthProvider's Login method
-        logout(provider);
-
-        System.out.printf("\nLogout successful!\n\n");
+        System.out.printf(MessageFormat.format("\nLogin successful on provider {0} with user {1}!\n\n", providerName, user));
     }
 
     /**
@@ -204,11 +204,15 @@ public static void loginWithEnvVariables() throws Exception {
      * Logout will force the provider to end your session.
      */
     public static void logout(AuthProvider provider) {
+        // Explicit logout is only available when you explicitly login using
+        // AuthProvider's Login method
         try {
             provider.logout();
         } catch (Exception e) {
             e.printStackTrace();
         }
+
+        System.out.printf(MessageFormat.format("\nLogout successful on provider {0}!\n\n", provider.getName()));
     }
 
     static class ApplicationCallBackHandler implements CallbackHandler {