add VaultTemplate to SigningServiceImpl

pom.xml

@@ -31,12 +31,13 @@
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
     <!-- dependencies -->
     <dgclib.version>1.3.1</dgclib.version>
-    <owasp.version>6.5.3</owasp.version>
-    <spring.boot.version>2.6.8</spring.boot.version>
-    <spring.test.version>5.3.19</spring.test.version>
+    <owasp.version>7.1.1</owasp.version>
+    <spring.boot.version>2.7.1</spring.boot.version>
+    <spring.cloud.version>2021.0.3</spring.cloud.version>
+    <spring.test.version>5.3.22</spring.test.version>
     <spring.security.version>5.7.1</spring.security.version>
     <hibernate.version>5.6.5.Final</hibernate.version>
-   <lombok.version>1.18.22</lombok.version>
+    <lombok.version>1.18.24</lombok.version>
     <liquibase.version>4.9.1</liquibase.version>
     <hcert-kotlin.version>1.2.0</hcert-kotlin.version>
     <kotlin.version>1.6.21</kotlin.version>
@@ -106,6 +107,13 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+      <dependency>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-dependencies</artifactId>
+        <version>${spring.cloud.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.projectlombok</groupId>
         <artifactId>lombok</artifactId>
@@ -185,6 +193,14 @@
       <groupId>org.liquibase</groupId>
       <artifactId>liquibase-core</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-bootstrap</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-vault-config</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.junit.jupiter</groupId>
       <artifactId>junit-jupiter-api</artifactId>

src/main/java/eu/europa/ec/dgc/issuance/service/impl/SigningServiceImpl.java

@@ -15,9 +15,12 @@
 import org.bouncycastle.crypto.signers.PSSSigner;
 import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util;
 import org.bouncycastle.jce.spec.ECParameterSpec;
-import org.springframework.stereotype.Component;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Service;
 
-@Component
+
+@Service
+@Profile("!vault")
 public class SigningServiceImpl implements SigningService {
     @Override
     public byte[] signHash(byte[] hashBytes, PrivateKey privateKey) {

src/main/java/eu/europa/ec/dgc/issuance/service/impl/VaultSigningServiceImpl.java

@@ -0,0 +1,48 @@
+package eu.europa.ec.dgc.issuance.service.impl;
+
+import eu.europa.ec.dgc.issuance.service.SigningService;
+import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateCrtKey;
+import java.util.Base64;
+import lombok.RequiredArgsConstructor;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.engines.RSABlindedEngine;
+import org.bouncycastle.crypto.params.ECDomainParameters;
+import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
+import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
+import org.bouncycastle.crypto.signers.ECDSASigner;
+import org.bouncycastle.crypto.signers.PSSSigner;
+import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util;
+import org.bouncycastle.jce.spec.ECParameterSpec;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Profile;
+import org.springframework.stereotype.Service;
+import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.support.Plaintext;
+
+
+@Service
+@RequiredArgsConstructor
+@Profile("vault")
+public class VaultSigningServiceImpl implements SigningService {
+
+    private final VaultTemplate vaultTemplate;
+
+    @Value("${dgc.signKey:issuer-key}")
+    private String signKey;
+
+    @Override
+    public byte[] signHash(byte[] hash, PrivateKey privateKey) {
+        String hashBase64 = Base64.getEncoder().encodeToString(hash);
+
+        String signature = vaultTemplate.opsForTransit().sign(signKey, Plaintext.of(hashBase64)).getSignature();
+        if (signature.startsWith("vault:v1:")) {
+            signature = signature.substring(9);
+        }
+        return Base64.getDecoder().decode(signature);
+    }
+}

src/main/resources/bootstrap-cloud.yaml

@@ -0,0 +1,23 @@
+---
+spring:
+  application:
+    name: cwa-dcc-rules
+  cloud:
+    vault:
+      ssl:
+        trust-store: file:${SSL_VAULT_TRUSTSTORE_PATH}
+        trust-store-password: ${SSL_VAULT_TRUSTSTORE_PASSWORD}
+      enabled: true
+      generic:
+        enabled: false
+      fail-fast: true
+      authentication: KUBERNETES
+      kubernetes:
+        role: ${VAULT_ROLE}
+        kubernetes-path: kubernetes
+        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      uri: ${VAULT_URI}
+      connection-timeout: 5000
+      read-timeout: 15000
+      config:
+        order: -10

src/main/resources/bootstrap-vaultlocal.yaml

@@ -0,0 +1,14 @@
+spring:
+  cloud:
+    vault:
+      enabled: true
+      # use for local vault transit test (change the access token)
+      token: hvs.s4nIVAiASHG6FNETWBFevasa
+      scheme: http
+      fail-fast: true
+      # use for local vault transit test (change the uri)
+      uri: http://127.0.0.1:8200
+      connection-timeout: 5000
+      read-timeout: 15000
+      config:
+        order: -10

src/main/resources/bootstrap.yaml

@@ -0,0 +1,5 @@
+---
+spring:
+  cloud:
+    vault:
+      enabled: false

src/test/java/eu/europa/ec/dgc/issuance/service/impl/VaultSigningServiceImplTest.java

@@ -0,0 +1,56 @@
+package eu.europa.ec.dgc.issuance.service.impl;
+
+import java.util.Base64;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.context.annotation.Profile;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.core.VaultTransitOperations;
+import org.springframework.vault.support.Plaintext;
+import org.springframework.vault.support.Signature;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+@SpringBootTest
+@ActiveProfiles("vault")
+class VaultSigningServiceImplTest {
+
+    @Autowired
+    private VaultSigningServiceImpl vaultSigningService;
+    @MockBean
+    private VaultTemplate vaultTemplate;
+
+    @Test
+    void signHash() {
+        byte[] hash = Base64.getDecoder().decode("dGVzdA==");
+
+        VaultTransitOperations vaultTransitOperation = mock(VaultTransitOperations.class);
+        when(vaultTemplate.opsForTransit()).thenReturn(vaultTransitOperation);
+        when(vaultTransitOperation.sign("issuer-key", Plaintext.of("dGVzdA==")))
+            .thenReturn(Signature.of("vault:v1:dGVzdA=="));
+
+        byte[] result = vaultSigningService.signHash(hash, null);
+        assertNotNull(result);
+    }
+
+    @Test
+    void signHash_noVaultPrefix() {
+        byte[] hash = Base64.getDecoder().decode("dGVzdA==");
+
+        VaultTransitOperations vaultTransitOperation = mock(VaultTransitOperations.class);
+        when(vaultTemplate.opsForTransit()).thenReturn(vaultTransitOperation);
+        when(vaultTransitOperation.sign("issuer-key", Plaintext.of("dGVzdA==")))
+            .thenReturn(Signature.of("dGVzdA=="));
+
+        byte[] result = vaultSigningService.signHash(hash, null);
+        assertNotNull(result);
+    }
+
+}