authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-03 14:37:22 +0200
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-05-03 15:19:17 +0200
commitbcd18d57c73f4d3f04cf794e9e1e684a39d49218 (patch)
tree910b19dbdae361dfdbe62f9d748ba2085d52d59b /security-utils
parent1715733a1242d073a354947d3a5013e8c961790d (diff)
Ensure parsed keys uses 'EC' as algorithm
Remove use of JcaPEMKeyConverter as it generated keys with 'ECDSA' as algorithm.
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/KeyUtils.java25
-rw-r--r--security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java9
2 files changed, 26 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
index 307be34d0b7..783afb7ac1d 100644
--- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
@@ -3,8 +3,11 @@ package com.yahoo.security;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.jce.spec.ECPublicKeySpec;
@@ -12,7 +15,6 @@ import org.bouncycastle.math.ec.ECPoint;
import org.bouncycastle.math.ec.FixedPointCombMultiplier;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.util.io.pem.PemObject;
@@ -30,6 +32,7 @@ import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
+import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
@@ -97,8 +100,8 @@ public class KeyUtils {
} else if (pemObject instanceof PEMKeyPair) {
PEMKeyPair pemKeypair = (PEMKeyPair) pemObject;
PrivateKeyInfo keyInfo = pemKeypair.getPrivateKeyInfo();
- JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter().setProvider(BouncyCastleProviderHolder.getInstance());
- return pemConverter.getPrivateKey(keyInfo);
+ return createKeyFactory(keyInfo.getPrivateKeyAlgorithm())
+ .generatePrivate(new PKCS8EncodedKeySpec(keyInfo.getEncoded()));
} else {
unknownObjects.add(pemObject);
}
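Review bot: The replacement call chain at the two added lines now throws checked `NoSuchAlgorithmException` (from `createKeyFactory`) and `InvalidKeySpecException` (from `generatePrivate`), but no matching catch is visible in this hunk; the enclosing `fromPemEncodedPrivateKey` starts and ends outside it. The sibling public-key method in the next hunk needed a `catch (GeneralSecurityException e)` added in this same commit, so it is worth confirming the private-key method's existing catch already covers `GeneralSecurityException` rather than a narrower type, and that it wraps the cause the same way. Note also that an unsupported key OID now surfaces as `IllegalArgumentException` from `createKeyFactory` instead of whatever `JcaPEMKeyConverter` produced, which callers catching the old exception type will no longer see.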
@@ -126,12 +129,14 @@ public class KeyUtils {
unknownObjects.add(pemObject);
continue;
}
- JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter().setProvider(BouncyCastleProviderHolder.getInstance());
- return pemConverter.getPublicKey(keyInfo);
+ return createKeyFactory(keyInfo.getAlgorithm())
+ .generatePublic(new X509EncodedKeySpec(keyInfo.getEncoded()));
}
throw new IllegalArgumentException("Expected a public key, but found " + unknownObjects.toString());
} catch (IOException e) {
throw new UncheckedIOException(e);
+ } catch (GeneralSecurityException e) {
+ throw new RuntimeException(e);
}
}
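Review bot: The added `throw new RuntimeException(e)` wraps the failure in a bare `RuntimeException`, which tells callers nothing about what went wrong, while the neighbouring `IOException` branch uses the specific `UncheckedIOException`. A `GeneralSecurityException` here means the PEM carried key material the selected `KeyFactory` could not reconstruct (or an algorithm BC has no factory for), i.e. bad input, so it belongs in the same category as the `IllegalArgumentException` thrown a few lines above for unrecognised PEM objects: `throw new IllegalArgumentException("Failed to parse key from PEM", e);`. The same applies to the private-key method's handling if it was changed alongside this hunk.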
@@ -163,6 +168,16 @@ public class KeyUtils {
return primitive.getEncoded();
}
+ private static KeyFactory createKeyFactory(AlgorithmIdentifier algorithm) throws NoSuchAlgorithmException {
+ if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm.getAlgorithm())) {
+ return createKeyFactory(KeyAlgorithm.EC);
+ } else if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm.getAlgorithm())) {
+ return createKeyFactory(KeyAlgorithm.RSA);
+ } else {
+ throw new IllegalArgumentException("Unknown key algorithm: " + algorithm);
+ }
+ }
+
private static KeyFactory createKeyFactory(KeyAlgorithm algorithm) throws NoSuchAlgorithmException {
return KeyFactory.getInstance(algorithm.getAlgorithmName(), BouncyCastleProviderHolder.getInstance());
}
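Review bot: The message at `"Unknown key algorithm: " + algorithm` stringifies the whole `AlgorithmIdentifier`; unless that BC class overrides `toString`, this prints a class name and identity hash rather than the OID a reader needs to diagnose a rejected key, so prefer `throw new IllegalArgumentException("Unknown key algorithm: " + algorithm.getAlgorithm().getId());`. The new helper also lacks a comment explaining why the dispatch is by OID at all; since the reason is the commit's motivation, a one-liner above the method such as `// Dispatch on the PKCS#8/SPKI algorithm OID so parsed keys report "EC"/"RSA" as algorithm; JcaPEMKeyConverter yielded "ECDSA"` would stop a future maintainer from reintroducing the converter. The explicit two-entry OID allowlist is a good property — keep that shape rather than falling back to `KeyFactory.getInstance` with a name derived from the PEM — and `algorithm.getAlgorithm()` could be hoisted into a local since it is evaluated twice.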
diff --git a/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java b/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
index 3a7480dfc63..eba6fad9bd8 100644
--- a/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
+++ b/security-utils/src/test/java/com/yahoo/security/KeyUtilsTest.java
@@ -81,13 +81,16 @@ public class KeyUtilsTest {
@Test
public void can_deserialize_rsa_publickey_in_pem_format() {
- KeyUtils.fromPemEncodedPublicKey(rsaPemPublicKey);
+ PublicKey publicKey = KeyUtils.fromPemEncodedPublicKey(rsaPemPublicKey);
+ assertEquals(KeyAlgorithm.RSA.getAlgorithmName(), publicKey.getAlgorithm());
}
@Test
public void can_deserialize_ec_keys_in_pem_format() {
- KeyUtils.fromPemEncodedPublicKey(ecPemPublicKey);
- KeyUtils.fromPemEncodedPrivateKey(ecPemPrivateKey);
+ PublicKey publicKey = KeyUtils.fromPemEncodedPublicKey(ecPemPublicKey);
+ PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(ecPemPrivateKey);
+ assertEquals(KeyAlgorithm.EC.getAlgorithmName(), publicKey.getAlgorithm());
+ assertEquals(KeyAlgorithm.EC.getAlgorithmName(), privateKey.getAlgorithm());
}
}
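Review bot: The rejection path added in `KeyUtils.createKeyFactory(AlgorithmIdentifier)` — `IllegalArgumentException` for any key OID other than EC or RSA — is not exercised by these tests, which cover only the two accepted algorithms. A test feeding `fromPemEncodedPublicKey` a PEM of a third key type (a DSA public key, for instance) and asserting the `IllegalArgumentException` would pin that allowlist and catch a later accidental widening. The new asserts compare only `getAlgorithm()`; additionally asserting `publicKey instanceof java.security.interfaces.ECPublicKey` (and the RSA counterpart) would verify the parsed keys are usable through the standard JCA interfaces, which is presumably the practical goal of dropping `JcaPEMKeyConverter`.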