Skip to content

Commit

Permalink
Enhanced PKCS8 parsing to support PEM ASN.1 Private Keys
Browse files Browse the repository at this point in the history
  • Loading branch information
exceptionfactory committed Aug 16, 2021
1 parent 4d9665b commit 59de189
Show file tree
Hide file tree
Showing 10 changed files with 427 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,10 @@
import com.hierynomus.sshj.common.KeyDecryptionFailedException;
import net.schmizz.sshj.common.IOUtils;
import net.schmizz.sshj.common.SecurityUtils;
import net.schmizz.sshj.userauth.keyprovider.pkcs.KeyPairConverter;
import net.schmizz.sshj.userauth.keyprovider.pkcs.PrivateKeyInfoKeyPairConverter;
import net.schmizz.sshj.userauth.password.PasswordUtils;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.openssl.EncryptionException;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMKeyPair;
Expand Down Expand Up @@ -52,6 +55,7 @@ public String getName() {

protected char[] passphrase; // for blanking out

protected KeyPairConverter<PrivateKeyInfo> privateKeyInfoKeyPairConverter = new PrivateKeyInfoKeyPairConverter();

protected KeyPair readKeyPair()
throws IOException {
Expand Down Expand Up @@ -82,8 +86,12 @@ protected KeyPair readKeyPair()
}
} else if (o instanceof PEMKeyPair) {
kp = pemConverter.getKeyPair((PEMKeyPair) o);
} else if (o instanceof PrivateKeyInfo) {
final PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) o;
final PEMKeyPair pemKeyPair = privateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
kp = pemConverter.getKeyPair(pemKeyPair);
} else {
log.debug("Expected PEMEncryptedKeyPair or PEMKeyPair, got: {}", o);
log.warn("Unexpected PKCS8 PEM Object [{}]", o);
}

} catch (EncryptionException e) {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
/*
* Copyright (C)2021 - SSHJ Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.schmizz.sshj.userauth.keyprovider.pkcs;

import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.crypto.params.DSAParameters;
import org.bouncycastle.openssl.PEMKeyPair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.math.BigInteger;
import java.util.Objects;

/**
* Key Pair Converter from DSA Private Key Information to PEM Key Pair
*/
class DSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
private static final Logger LOGGER = LoggerFactory.getLogger(DSAPrivateKeyInfoKeyPairConverter.class);

private static final int P_INDEX = 0;

private static final int Q_INDEX = 1;

private static final int G_INDEX = 2;

/**
* Get PEM Key Pair calculating DSA Public Key from DSA Private Key Information
*
* @param privateKeyInfo DSA Private Key Information
* @return PEM Key Pair
* @throws IOException Thrown on Public Key parsing failures
*/
@Override
public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
LOGGER.debug("DSA Algorithm Found [{}]", algorithm);
} else {
throw new IllegalArgumentException(String.format("DSA Algorithm OID required [%s]", algorithm));
}
final ASN1Integer encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
}

/**
* Get ASN.1 Encoded Public Key calculated according to RFC 6979 Section 2.2
*
* @param privateKeyInfo DSA Private Key Information
* @return ASN.1 Encoded DSA Public Key
* @throws IOException Thrown on failures parsing private key
*/
private ASN1Integer getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
final ASN1Integer privateKey = ASN1Integer.getInstance(privateKeyInfo.parsePrivateKey());
final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
final DSAParameters dsaParameters = getDsaParameters(algorithmIdentifier);
final BigInteger publicKey = dsaParameters.getG().modPow(privateKey.getValue(), dsaParameters.getP());
return new ASN1Integer(publicKey);
}

private DSAParameters getDsaParameters(final AlgorithmIdentifier algorithmIdentifier) {
final ASN1Sequence sequence = ASN1Sequence.getInstance(algorithmIdentifier.getParameters());
final ASN1Integer p = ASN1Integer.getInstance(sequence.getObjectAt(P_INDEX));
final ASN1Integer q = ASN1Integer.getInstance(sequence.getObjectAt(Q_INDEX));
final ASN1Integer g = ASN1Integer.getInstance(sequence.getObjectAt(G_INDEX));
return new DSAParameters(p.getValue(), q.getValue(), g.getValue());
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
/*
* Copyright (C)2021 - SSHJ Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.schmizz.sshj.userauth.keyprovider.pkcs;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.sec.ECPrivateKey;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ECParameters;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
import org.bouncycastle.math.ec.ECMultiplier;
import org.bouncycastle.math.ec.ECPoint;
import org.bouncycastle.math.ec.FixedPointCombMultiplier;
import org.bouncycastle.openssl.PEMKeyPair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.math.BigInteger;
import java.util.Objects;

/**
* Key Pair Converter from ECDSA Private Key Information to PEM Key Pair
*/
class ECDSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
private static final Logger LOGGER = LoggerFactory.getLogger(ECDSAPrivateKeyInfoKeyPairConverter.class);

private static final boolean POINT_COMPRESSED = false;

/**
* Get PEM Key Pair calculating ECDSA Public Key from ECDSA Private Key Information
*
* @param privateKeyInfo ECDSA Private Key Information
* @return PEM Key Pair
* @throws IOException Thrown on Public Key parsing failures
*/
@Override
public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
LOGGER.debug("ECDSA Algorithm Found [{}]", algorithm);
} else {
throw new IllegalArgumentException(String.format("ECDSA Algorithm OID required [%s]", algorithm));
}
final byte[] encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
}

/**
* Get Encoded Elliptic Curve Public Key calculated according to RFC 6979 Section 2.2
*
* @param privateKeyInfo ECDSA Private Key Information
* @return Encoded Elliptic Curve Public Key
* @throws IOException Thrown on failures parsing private key
*/
private byte[] getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
final X9ECParameters parameters = getParameters(privateKeyInfo.getPrivateKeyAlgorithm());
final ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
final ECPoint publicKey = getPublicKey(parameters, ecPrivateKey.getKey());
return publicKey.getEncoded(POINT_COMPRESSED);
}

private X9ECParameters getParameters(final AlgorithmIdentifier algorithmIdentifier) {
final ASN1ObjectIdentifier encodedParameters = ASN1ObjectIdentifier.getInstance(algorithmIdentifier.getParameters());
return ECUtil.getNamedCurveByOid(encodedParameters);
}

private ECPoint getPublicKey(final X9ECParameters parameters, final BigInteger privateKey) {
final ECMultiplier multiplier = new FixedPointCombMultiplier();
return multiplier.multiply(parameters.getG(), privateKey);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
/*
* Copyright (C)2021 - SSHJ Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.schmizz.sshj.userauth.keyprovider.pkcs;

import org.bouncycastle.openssl.PEMKeyPair;

import java.io.IOException;

/**
* Converter from typed object to PEM Key Pair
* @param <T> Object Type
*/
public interface KeyPairConverter<T> {
/**
* Get PEM Key Pair from typed object
*
* @param object Typed Object
* @return PEM Key Pair
* @throws IOException Thrown on conversion failures
*/
PEMKeyPair getKeyPair(T object) throws IOException;
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
/*
* Copyright (C)2021 - SSHJ Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.schmizz.sshj.userauth.keyprovider.pkcs;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.openssl.PEMKeyPair;

import java.io.IOException;
import java.util.Objects;

/**
* Key Pair Converter for Private Key Information using known Algorithm Object Identifiers
*/
public class PrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
private DSAPrivateKeyInfoKeyPairConverter dsaPrivateKeyInfoKeyPairConverter = new DSAPrivateKeyInfoKeyPairConverter();

private ECDSAPrivateKeyInfoKeyPairConverter ecdsaPrivateKeyInfoKeyPairConverter = new ECDSAPrivateKeyInfoKeyPairConverter();

private RSAPrivateKeyInfoKeyPairConverter rsaPrivateKeyInfoKeyPairConverter = new RSAPrivateKeyInfoKeyPairConverter();

/**
* Get PEM Key Pair delegating to configured converters based on Algorithm Object Identifier
*
* @param privateKeyInfo Private Key Information
* @return PEM Key Pair
* @throws IOException Thrown on conversion failures
*/
@Override
public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();

if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
return rsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
} else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
return ecdsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
} else if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
return dsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
} else {
throw new IllegalArgumentException(String.format("Unsupported Algorithm [%s]", algorithm));
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
/*
* Copyright (C)2021 - SSHJ Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package net.schmizz.sshj.userauth.keyprovider.pkcs;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
import org.bouncycastle.asn1.pkcs.RSAPublicKey;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMKeyPair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.util.Objects;

/**
* Key Pair Converter from RSA Private Key Information to PEM Key Pair
*/
class RSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
private static final Logger LOGGER = LoggerFactory.getLogger(RSAPrivateKeyInfoKeyPairConverter.class);

/**
* Get PEM Key Pair parsing RSA Public Key attributes from RSA Private Key Information
*
* @param privateKeyInfo RSA Private Key Information
* @return PEM Key Pair
* @throws IOException Thrown on Public Key parsing failures
*/
@Override
public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
LOGGER.debug("RSA Algorithm Found [{}]", algorithm);
} else {
throw new IllegalArgumentException(String.format("RSA Algorithm OID required [%s]", algorithm));
}

final RSAPublicKey rsaPublicKey = getRsaPublicKey(privateKeyInfo);
final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, rsaPublicKey);
return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
}

private RSAPublicKey getRsaPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
final RSAPrivateKey rsaPrivateKey = RSAPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
return new RSAPublicKey(rsaPrivateKey.getModulus(), rsaPrivateKey.getPublicExponent());
}
}
Loading

0 comments on commit 59de189

Please sign in to comment.