author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-23 13:44:50 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-08-23 13:49:23 +0200 |
commit | a9861c8600f573b072cae1b0014f21934fdb293a (patch) | |
tree | 86361e678e65016c8fec147467a33a3bc35884dc | |
parent | 55b7a3da78176dfef0b0b6da7e25fa69e716611e (diff) |
Allow output of PEM private keys using PKCS#8
3 files changed, 66 insertions, 7 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyFormat.java b/security-utils/src/main/java/com/yahoo/security/KeyFormat.java
new file mode 100644
index 00000000000..a04e7951dfe
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/KeyFormat.java
@@ -0,0 +1,11 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security;
+
+/**
+ * Key format
+ *
+ * @author bjorncs
+ */
+public enum KeyFormat {
+ PKCS1, PKCS8
+}
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
index f847e78f3c5..ed3b41d6e2a 100644
--- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
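Review bot: The constant name `PKCS1` is a misnomer for half of what it selects: the `toPkcs1Pem` path in KeyUtils writes EC keys as `EC PRIVATE KEY`, which is the SEC 1 / RFC 5915 ECPrivateKey structure, whereas PKCS #1 (RFC 8017) defines only RSA key encodings. Renaming a public enum constant is an API decision, but at minimum both constants need Javadoc saying what a caller actually gets, since "Key format" on the type tells them nothing. Suggested: `/** Algorithm-specific "traditional" PEM: RSA as PKCS#1 {@code RSA PRIVATE KEY}, EC as SEC1 {@code EC PRIVATE KEY}. */` on `PKCS1`, and `/** Algorithm-agnostic, unencrypted PKCS#8 PrivateKeyInfo ({@code PRIVATE KEY}). */` on `PKCS8`. Mentioning that neither format encrypts the key is worth the extra words, as the name PKCS#8 alone can suggest password protection to readers.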
@@ -141,10 +141,36 @@ public class KeyUtils {
 }
 }
 
+ // Note: Encoding using PKCS#1 as default as this is to be read by tools only supporting PKCS#1
+ // Should ideally be PKCS#8
 public static String toPem(PrivateKey privateKey) {
+ return toPem(privateKey, KeyFormat.PKCS1);
+ }
+
+ public static String toPem(PrivateKey privateKey, KeyFormat format) {
+ switch (format) {
+ case PKCS1:
+ return toPkcs1Pem(privateKey);
+ case PKCS8:
+ return toPkcs8Pem(privateKey);
+ default:
+ throw new IllegalArgumentException("Unknown format: " + format);
+ }
+ }
+
+ public static String toPem(PublicKey publicKey) {
+ try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
+ pemWriter.writeObject(publicKey);
+ pemWriter.flush();
+ return stringWriter.toString();
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
+ private static String toPkcs1Pem(PrivateKey privateKey) {
 try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
 String algorithm = privateKey.getAlgorithm();
- // Note: Encoding using PKCS#1 as this is to be read by tools only supporting PKCS#1
 String type;
 if (algorithm.equals(RSA.getAlgorithmName())) {
 type = "RSA PRIVATE KEY";
@@ -161,9 +187,9 @@ public class KeyUtils {
 }
 }
 
- public static String toPem(PublicKey publicKey) {
+ private static String toPkcs8Pem(PrivateKey privateKey) {
 try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
- pemWriter.writeObject(publicKey);
+ pemWriter.writeObject(new PemObject("PRIVATE KEY", privateKey.getEncoded()));
 pemWriter.flush();
 return stringWriter.toString();
 } catch (IOException e) {
diff --git a/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java b/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
index dc0c0a126ea..58d72043ca5 100644
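Review bot: The new public overload `toPem(PrivateKey privateKey, KeyFormat format)` has no Javadoc, and a null `format` fails with a NullPointerException at `switch (format)` rather than the IllegalArgumentException its `default` branch implies (that branch is only reachable if a constant is added to KeyFormat later). A `Objects.requireNonNull(format, "format");` as the first statement makes the contract explicit, assuming `java.util.Objects` is imported above the hunk. The Javadoc should also state that both formats return the key unencrypted, so the returned String is secret material that must not be logged or left in temp files; the existing one-argument form keeps PKCS#1 only for the external-tool reason in the comment, and the doc is the place to steer new callers to `KeyFormat.PKCS8`.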
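Review bot: `toPkcs8Pem` labels whatever `privateKey.getEncoded()` returns as `PRIVATE KEY` without checking that it really is PKCS#8: the JCA only promises that encoding when `getFormat()` returns "PKCS#8", and keys held by non-extractable or PKCS#11-backed providers return null from `getEncoded()`, which would presumably surface as a NullPointerException inside the PEM writer instead of a clear error. Keys from this class's own generator are fine, but the method is reachable from the public `toPem(PrivateKey, KeyFormat)` with any PrivateKey, so guard on format and null before wrapping. The catch block and the method's closing braces are outside the hunk.
```java
private static String toPkcs8Pem(PrivateKey privateKey) {
    try (StringWriter stringWriter = new StringWriter(); JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
        // getEncoded() is only PKCS#8 when getFormat() says so, and may be null for
        // non-extractable (e.g. hardware-backed) keys; never label other bytes "PRIVATE KEY".
        byte[] pkcs8 = privateKey.getEncoded();
        if (pkcs8 == null || !"PKCS#8".equals(privateKey.getFormat())) {
            throw new IllegalArgumentException(
                    "Private key cannot be exported as PKCS#8 (format=" + privateKey.getFormat() + ")");
        }
        pemWriter.writeObject(new PemObject("PRIVATE KEY", pkcs8));
        // … unchanged: flush, toString, IOException handling …
```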
--- a/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
@@ -32,9 +32,9 @@ public class KeyUtilsTest {
 }
 
 @Test
- public void can_serialize_and_deserialize_rsa_privatekey_using_pem_format() {
+ public void can_serialize_and_deserialize_rsa_privatekey_using_pkcs1_pem_format() {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
- String pem = KeyUtils.toPem(keyPair.getPrivate());
+ String pem = KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS1);
 assertThat(pem, containsString("BEGIN RSA PRIVATE KEY"));
 assertThat(pem, containsString("END RSA PRIVATE KEY"));
 PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
@@ -43,9 +43,20 @@ public class KeyUtilsTest {
 }
 
 @Test
- public void can_serialize_and_deserialize_ec_privatekey_using_pem_format() {
+ public void can_serialize_and_deserialize_rsa_privatekey_using_pkcs8_pem_format() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ String pem = KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS8);
+ assertThat(pem, containsString("BEGIN PRIVATE KEY"));
+ assertThat(pem, containsString("END PRIVATE KEY"));
+ PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
+ assertEquals(keyPair.getPrivate(), deserializedKey);
+ assertEquals(KeyAlgorithm.RSA.getAlgorithmName(), deserializedKey.getAlgorithm());
+ }
+
+ @Test
+ public void can_serialize_and_deserialize_ec_privatekey_using_pkcs1_pem_format() {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
- String pem = KeyUtils.toPem(keyPair.getPrivate());
+ String pem = KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS1);
 assertThat(pem, containsString("BEGIN EC PRIVATE KEY"));
 assertThat(pem, containsString("END EC PRIVATE KEY"));
 PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
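Review bot: Renaming the PKCS#1 test to pass `KeyFormat.PKCS1` explicitly leaves the one-argument `toPem(PrivateKey)` with no test at all, although the comment added in KeyUtils says its PKCS#1 default is exactly what external tools depend on. A later change of that default would now go unnoticed by the suite. Add an assertion on the one-argument form, e.g. `assertThat(KeyUtils.toPem(keyPair.getPrivate()), containsString("BEGIN RSA PRIVATE KEY"));` in this test, or a dedicated `private_key_pem_defaults_to_pkcs1` test that asserts the one- and two-argument results are equal.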
@@ -54,6 +65,17 @@ public class KeyUtilsTest {
 }
 
 @Test
+ public void can_serialize_and_deserialize_ec_privatekey_using_pkcs8_pem_format() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+ String pem = KeyUtils.toPem(keyPair.getPrivate(), KeyFormat.PKCS8);
+ assertThat(pem, containsString("BEGIN PRIVATE KEY"));
+ assertThat(pem, containsString("END PRIVATE KEY"));
+ PrivateKey deserializedKey = KeyUtils.fromPemEncodedPrivateKey(pem);
+ assertEquals(keyPair.getPrivate(), deserializedKey);
+ assertEquals(KeyAlgorithm.EC.getAlgorithmName(), deserializedKey.getAlgorithm());
+ }
+
+ @Test
 public void can_serialize_and_deserialize_rsa_publickey_using_pem_format() {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 String pem = KeyUtils.toPem(keyPair.getPublic()); |
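Review bot: The new PKCS#8 tests only round-trip through the project's own `fromPemEncodedPrivateKey`, so they prove the two KeyUtils paths agree with each other, not that the output is PKCS#8 that an external consumer can read, which is the point of the feature. One parser-independent check is to strip the `-----BEGIN/END PRIVATE KEY-----` lines and whitespace, base64-decode the body, and feed it to `KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(der))` from the JDK, then `assertEquals(keyPair.getPrivate(), jdkParsed)`; the same three lines with "RSA" cover the RSA test above. That needs `java.security.KeyFactory`, `java.security.spec.PKCS8EncodedKeySpec` and `java.util.Base64` imported, and the test method declared `throws Exception`, none of which is visible in the hunk.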