authorBjørn Christian Seime <bjorn.christian@seime.no>2018-10-30 15:40:58 +0100
committerGitHub <noreply@github.com>2018-10-30 15:40:58 +0100
commitef0b462ee638974706820a422f5fa2692ebb62f4 (patch)
tree2ae318badd05783eaaa725a3996824da1d0e26ea
parentaf146b406da7911a0e035ea3bf184680b31bac9b (diff)
parent8f1729260599ce39546c5d3835d7a63ed051eeaf (diff)
Merge pull request #7495 from vespa-engine/bjorncs/security-utils
Bjorncs/security utils
-rw-r--r--security-utils/src/main/java/com/yahoo/security/KeyUtils.java29
-rw-r--r--security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java23
-rw-r--r--security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java11
3 files changed, 46 insertions, 17 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
index 11fb0f432e4..0d45a62f193 100644
--- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
@@ -28,6 +28,8 @@ import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
+import java.util.ArrayList;
+import java.util.List;
import static com.yahoo.security.KeyAlgorithm.EC;
import static com.yahoo.security.KeyAlgorithm.RSA;
@@ -79,18 +81,23 @@ public class KeyUtils {
public static PrivateKey fromPemEncodedPrivateKey(String pem) {
try (PEMParser parser = new PEMParser(new StringReader(pem))) {
- Object pemObject = parser.readObject();
- if (pemObject instanceof PrivateKeyInfo) {
- PrivateKeyInfo keyInfo = (PrivateKeyInfo) pemObject;
- PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyInfo.getEncoded());
- return KeyFactory.getInstance(RSA.getAlgorithmName()).generatePrivate(keySpec);
- } else if (pemObject instanceof PEMKeyPair) {
- PEMKeyPair pemKeypair = (PEMKeyPair) pemObject;
- PrivateKeyInfo keyInfo = pemKeypair.getPrivateKeyInfo();
- JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter().setProvider(BouncyCastleProviderHolder.getInstance());
- return pemConverter.getPrivateKey(keyInfo);
+ List<Object> unknownObjects = new ArrayList<>();
+ Object pemObject;
+ while ((pemObject = parser.readObject()) != null) {
+ if (pemObject instanceof PrivateKeyInfo) {
+ PrivateKeyInfo keyInfo = (PrivateKeyInfo) pemObject;
+ PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyInfo.getEncoded());
+ return KeyFactory.getInstance(RSA.getAlgorithmName()).generatePrivate(keySpec);
+ } else if (pemObject instanceof PEMKeyPair) {
+ PEMKeyPair pemKeypair = (PEMKeyPair) pemObject;
+ PrivateKeyInfo keyInfo = pemKeypair.getPrivateKeyInfo();
+ JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter().setProvider(BouncyCastleProviderHolder.getInstance());
+ return pemConverter.getPrivateKey(keyInfo);
+ } else {
+ unknownObjects.add(pemObject);
+ }
}
- throw new IllegalArgumentException("Unexpected type of PEM type: " + pemObject);
+ throw new IllegalArgumentException("Expected a private key, but found " + unknownObjects.toString());
} catch (IOException e) {
throw new UncheckedIOException(e);
} catch (GeneralSecurityException e) {
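Review bot: The PrivateKeyInfo branch that the loop now reaches (`KeyFactory.getInstance(RSA.getAlgorithmName()).generatePrivate(keySpec)`) is still fixed to RSA, so a PKCS#8-encoded EC key, which this file otherwise supports via the static `EC` import, is as far as I can tell rejected by the RSA KeyFactory with an InvalidKeySpecException rather than parsed. The JcaPEMKeyConverter already used in the PEMKeyPair branch takes a PrivateKeyInfo directly and selects the algorithm from the key's own identifier, so the three lines can become `return new JcaPEMKeyConverter().setProvider(BouncyCastleProviderHolder.getInstance()).getPrivateKey((PrivateKeyInfo) pemObject);`. The new exception message also interpolates `unknownObjects.toString()`; for BouncyCastle ASN.1 objects that may print the decoded block contents, so listing only the class names (e.g. `pemObject.getClass().getSimpleName()` collected into the list) is the safer diagnostic. A one-line Javadoc stating that non-key PEM blocks (such as a leading EC PARAMETERS block) are skipped until a private key is found would document the new behaviour; fromPemEncodedPrivateKey's catch clauses continue outside the hunk.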
diff --git a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
index f0d1edd6889..67466179634 100644
--- a/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
+++ b/security-utils/src/main/java/com/yahoo/security/tls/TransportSecurityOptions.java
@@ -48,17 +48,28 @@ public class TransportSecurityOptions {
public static TransportSecurityOptions fromJsonFile(Path file) {
try {
- JsonNode root = mapper.readTree(file.toFile());
- JsonNode filesNode = getField(root, "files");
- String privateKeyFile = getField(filesNode, "private-key").asText();
- String certificatesFile = getField(filesNode, "certificates").asText();
- String caCertificatesFile = getField(filesNode, "ca-certificates").asText();
- return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile);
+ return fromJsonNode(mapper.readTree(file.toFile()));
} catch (IOException e) {
throw new UncheckedIOException(e);
}
}
+ public static TransportSecurityOptions fromJson(String json) {
+ try {
+ return fromJsonNode(mapper.readTree(json));
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private static TransportSecurityOptions fromJsonNode(JsonNode root) {
+ JsonNode filesNode = getField(root, "files");
+ String privateKeyFile = getField(filesNode, "private-key").asText();
+ String certificatesFile = getField(filesNode, "certificates").asText();
+ String caCertificatesFile = getField(filesNode, "ca-certificates").asText();
+ return new TransportSecurityOptions(privateKeyFile, certificatesFile, caCertificatesFile);
+ }
+
private static JsonNode getField(JsonNode root, String fieldName) {
return Optional.ofNullable(root.get(fieldName))
.orElseThrow(() -> new IllegalArgumentException(String.format("'%s' field missing", fieldName)));
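Review bot: fromJsonNode only checks that the three fields exist; `asText()` on a non-textual node such as `"private-key": {}` returns an empty string, so a malformed document yields empty file paths instead of an error, and the pre-existing fromJsonFile path is now routed through the same code. A small `getTextField` helper wrapping getField that throws `new IllegalArgumentException(String.format("'%s' field must be a string", fieldName))` when `!node.isTextual()` would close this; getField's body ends outside the hunk. As fromJson is the new public entry point it should carry Javadoc describing the expected shape (a `files` object with `private-key`, `certificates` and `ca-certificates` string entries) and the IllegalArgumentException thrown when a field is missing. Depending on the Jackson version, `mapper.readTree` of empty input may return null rather than a node, in which case `root.get` in getField fails with a NullPointerException; an `Objects.requireNonNull(root, "root")` at the top of fromJsonNode would give a clearer failure.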
diff --git a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
index f311651cab0..84f71cf8fc2 100644
--- a/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/tls/TransportSecurityOptionsTest.java
@@ -3,6 +3,9 @@ package com.yahoo.security.tls;
import org.junit.Test;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
@@ -22,4 +25,12 @@ public class TransportSecurityOptionsTest {
assertEquals(expectedOptions, actualOptions);
}
+ @Test
+ public void can_read_options_from_json() throws IOException {
+ String tlsJson = new String(Files.readAllBytes(TEST_CONFIG_FILE), StandardCharsets.UTF_8);
+ TransportSecurityOptions expectedOptions = new TransportSecurityOptions("myhost.key", "certs.pem", "my_cas.pem");
+ TransportSecurityOptions actualOptions = TransportSecurityOptions.fromJson(tlsJson);
+ assertEquals(expectedOptions, actualOptions);
+ }
+
}
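Review bot: The new test can_read_options_from_json only exercises the happy path of fromJson; nothing pins the IllegalArgumentException that getField throws when `files` or one of its entries is absent, which is the contract callers of the new string entry point will rely on. With the JUnit 4 `@Test` already imported, a negative case is one method: `@Test(expected = IllegalArgumentException.class) public void throws_on_missing_private_key_field() { TransportSecurityOptions.fromJson("{\"files\":{}}"); }`. The enclosing class TransportSecurityOptionsTest starts outside the hunk.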