Enhanced PKCS8 parsing to support PEM ASN.1 Private Keys

src/main/java/net/schmizz/sshj/userauth/keyprovider/PKCS8KeyFile.java

@@ -18,7 +18,10 @@
 import com.hierynomus.sshj.common.KeyDecryptionFailedException;
 import net.schmizz.sshj.common.IOUtils;
 import net.schmizz.sshj.common.SecurityUtils;
+import net.schmizz.sshj.userauth.keyprovider.pkcs.KeyPairConverter;
+import net.schmizz.sshj.userauth.keyprovider.pkcs.PrivateKeyInfoKeyPairConverter;
 import net.schmizz.sshj.userauth.password.PasswordUtils;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.openssl.EncryptionException;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMKeyPair;
@@ -52,6 +55,7 @@ public String getName() {
 
     protected char[] passphrase; // for blanking out
 
+    protected KeyPairConverter<PrivateKeyInfo> privateKeyInfoKeyPairConverter = new PrivateKeyInfoKeyPairConverter();
 
     protected KeyPair readKeyPair()
             throws IOException {
@@ -82,8 +86,12 @@ protected KeyPair readKeyPair()
                     }
                 } else if (o instanceof PEMKeyPair) {
                     kp = pemConverter.getKeyPair((PEMKeyPair) o);
+                } else if (o instanceof PrivateKeyInfo) {
+                    final PrivateKeyInfo privateKeyInfo = (PrivateKeyInfo) o;
+                    final PEMKeyPair pemKeyPair = privateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
+                    kp = pemConverter.getKeyPair(pemKeyPair);
                 } else {
-                    log.debug("Expected PEMEncryptedKeyPair or PEMKeyPair, got: {}", o);
+                    log.warn("Unexpected PKCS8 PEM Object [{}]", o);
                 }
 
             } catch (EncryptionException e) {

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/DSAPrivateKeyInfoKeyPairConverter.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright (C)2021 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider.pkcs;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+import org.bouncycastle.crypto.params.DSAParameters;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.util.Objects;
+
+/**
+ * Key Pair Converter from DSA Private Key Information to PEM Key Pair
+ */
+class DSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
+    private static final Logger logger = LoggerFactory.getLogger(DSAPrivateKeyInfoKeyPairConverter.class);
+
+    private static final int P_INDEX = 0;
+
+    private static final int Q_INDEX = 1;
+
+    private static final int G_INDEX = 2;
+
+    /**
+     * Get PEM Key Pair calculating DSA Public Key from DSA Private Key Information
+     *
+     * @param privateKeyInfo DSA Private Key Information
+     * @return PEM Key Pair
+     * @throws IOException Thrown on Public Key parsing failures
+     */
+    @Override
+    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
+        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
+        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
+        if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
+            logger.debug("DSA Algorithm Found [{}]", algorithm);
+        } else {
+            throw new IllegalArgumentException(String.format("DSA Algorithm OID required [%s]", algorithm));
+        }
+        final ASN1Integer encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
+        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
+        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
+    }
+
+    /**
+     * Get ASN.1 Encoded Public Key calculated according to RFC 6979 Section 2.2
+     *
+     * @param privateKeyInfo DSA Private Key Information
+     * @return ASN.1 Encoded DSA Public Key
+     * @throws IOException Thrown on failures parsing private key
+     */
+    private ASN1Integer getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        final ASN1Integer privateKey = ASN1Integer.getInstance(privateKeyInfo.parsePrivateKey());
+        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
+        final DSAParameters dsaParameters = getDsaParameters(algorithmIdentifier);
+        final BigInteger publicKey = dsaParameters.getG().modPow(privateKey.getValue(), dsaParameters.getP());
+        return new ASN1Integer(publicKey);
+    }
+
+    private DSAParameters getDsaParameters(final AlgorithmIdentifier algorithmIdentifier) {
+        final ASN1Sequence sequence = ASN1Sequence.getInstance(algorithmIdentifier.getParameters());
+        final ASN1Integer p = ASN1Integer.getInstance(sequence.getObjectAt(P_INDEX));
+        final ASN1Integer q = ASN1Integer.getInstance(sequence.getObjectAt(Q_INDEX));
+        final ASN1Integer g = ASN1Integer.getInstance(sequence.getObjectAt(G_INDEX));
+        return new DSAParameters(p.getValue(), q.getValue(), g.getValue());
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/ECDSAPrivateKeyInfoKeyPairConverter.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright (C)2021 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider.pkcs;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.sec.ECPrivateKey;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x9.X9ECParameters;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
+import org.bouncycastle.math.ec.ECMultiplier;
+import org.bouncycastle.math.ec.ECPoint;
+import org.bouncycastle.math.ec.FixedPointCombMultiplier;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.util.Objects;
+
+/**
+ * Key Pair Converter from ECDSA Private Key Information to PEM Key Pair
+ */
+class ECDSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
+    private static final Logger logger = LoggerFactory.getLogger(ECDSAPrivateKeyInfoKeyPairConverter.class);
+
+    private static final boolean POINT_COMPRESSED = false;
+
+    /**
+     * Get PEM Key Pair calculating ECDSA Public Key from ECDSA Private Key Information
+     *
+     * @param privateKeyInfo ECDSA Private Key Information
+     * @return PEM Key Pair
+     * @throws IOException Thrown on Public Key parsing failures
+     */
+    @Override
+    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
+        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
+        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
+        if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
+            logger.debug("ECDSA Algorithm Found [{}]", algorithm);
+        } else {
+            throw new IllegalArgumentException(String.format("ECDSA Algorithm OID required [%s]", algorithm));
+        }
+        final byte[] encodedPublicKey = getEncodedPublicKey(privateKeyInfo);
+        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, encodedPublicKey);
+        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
+    }
+
+    /**
+     * Get Encoded Elliptic Curve Public Key calculated according to RFC 6979 Section 2.2
+     *
+     * @param privateKeyInfo ECDSA Private Key Information
+     * @return Encoded Elliptic Curve Public Key
+     * @throws IOException Thrown on failures parsing private key
+     */
+    private byte[] getEncodedPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        final X9ECParameters parameters = getParameters(privateKeyInfo.getPrivateKeyAlgorithm());
+        final ECPrivateKey ecPrivateKey = ECPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
+        final ECPoint publicKey = getPublicKey(parameters, ecPrivateKey.getKey());
+        return publicKey.getEncoded(POINT_COMPRESSED);
+    }
+
+    private X9ECParameters getParameters(final AlgorithmIdentifier algorithmIdentifier) {
+        final ASN1ObjectIdentifier encodedParameters = ASN1ObjectIdentifier.getInstance(algorithmIdentifier.getParameters());
+        return ECUtil.getNamedCurveByOid(encodedParameters);
+    }
+
+    private ECPoint getPublicKey(final X9ECParameters parameters, final BigInteger privateKey) {
+        final ECMultiplier multiplier = new FixedPointCombMultiplier();
+        return multiplier.multiply(parameters.getG(), privateKey);
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/KeyPairConverter.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C)2021 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider.pkcs;
+
+import org.bouncycastle.openssl.PEMKeyPair;
+
+import java.io.IOException;
+
+/**
+ * Converter from typed object to PEM Key Pair
+ * @param <T> Object Type
+ */
+public interface KeyPairConverter<T> {
+    /**
+     * Get PEM Key Pair from typed object
+     *
+     * @param object Typed Object
+     * @return PEM Key Pair
+     * @throws IOException Thrown on conversion failures
+     */
+    PEMKeyPair getKeyPair(T object) throws IOException;
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/PrivateKeyInfoKeyPairConverter.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright (C)2021 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider.pkcs;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
+import org.bouncycastle.openssl.PEMKeyPair;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * Key Pair Converter for Private Key Information using known Algorithm Object Identifiers
+ */
+public class PrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
+    private DSAPrivateKeyInfoKeyPairConverter dsaPrivateKeyInfoKeyPairConverter = new DSAPrivateKeyInfoKeyPairConverter();
+
+    private ECDSAPrivateKeyInfoKeyPairConverter ecdsaPrivateKeyInfoKeyPairConverter = new ECDSAPrivateKeyInfoKeyPairConverter();
+
+    private RSAPrivateKeyInfoKeyPairConverter rsaPrivateKeyInfoKeyPairConverter = new RSAPrivateKeyInfoKeyPairConverter();
+
+    /**
+     * Get PEM Key Pair delegating to configured converters based on Algorithm Object Identifier
+     *
+     * @param privateKeyInfo Private Key Information
+     * @return PEM Key Pair
+     * @throws IOException Thrown on conversion failures
+     */
+    @Override
+    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
+        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
+        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
+
+        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
+            return rsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
+        } else if (X9ObjectIdentifiers.id_ecPublicKey.equals(algorithm)) {
+            return ecdsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
+        } else if (X9ObjectIdentifiers.id_dsa.equals(algorithm)) {
+            return dsaPrivateKeyInfoKeyPairConverter.getKeyPair(privateKeyInfo);
+        } else {
+            throw new IllegalArgumentException(String.format("Unsupported Algorithm [%s]", algorithm));
+        }
+    }
+}

src/main/java/net/schmizz/sshj/userauth/keyprovider/pkcs/RSAPrivateKeyInfoKeyPairConverter.java

@@ -0,0 +1,65 @@
+/*
+ * Copyright (C)2021 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.userauth.keyprovider.pkcs;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.pkcs.RSAPrivateKey;
+import org.bouncycastle.asn1.pkcs.RSAPublicKey;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * Key Pair Converter from RSA Private Key Information to PEM Key Pair
+ */
+class RSAPrivateKeyInfoKeyPairConverter implements KeyPairConverter<PrivateKeyInfo> {
+    private static final Logger logger = LoggerFactory.getLogger(RSAPrivateKeyInfoKeyPairConverter.class);
+
+    /**
+     * Get PEM Key Pair parsing RSA Public Key attributes from RSA Private Key Information
+     *
+     * @param privateKeyInfo RSA Private Key Information
+     * @return PEM Key Pair
+     * @throws IOException Thrown on Public Key parsing failures
+     */
+    @Override
+    public PEMKeyPair getKeyPair(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        Objects.requireNonNull(privateKeyInfo, "Private Key Info required");
+        final AlgorithmIdentifier algorithmIdentifier = privateKeyInfo.getPrivateKeyAlgorithm();
+        final ASN1ObjectIdentifier algorithm = algorithmIdentifier.getAlgorithm();
+        if (PKCSObjectIdentifiers.rsaEncryption.equals(algorithm)) {
+            logger.debug("RSA Algorithm Found [{}]", algorithm);
+        } else {
+            throw new IllegalArgumentException(String.format("RSA Algorithm OID required [%s]", algorithm));
+        }
+
+        final RSAPublicKey rsaPublicKey = getRsaPublicKey(privateKeyInfo);
+        final SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(algorithmIdentifier, rsaPublicKey);
+        return new PEMKeyPair(subjectPublicKeyInfo, privateKeyInfo);
+    }
+
+    private RSAPublicKey getRsaPublicKey(final PrivateKeyInfo privateKeyInfo) throws IOException {
+        final RSAPrivateKey rsaPrivateKey = RSAPrivateKey.getInstance(privateKeyInfo.parsePrivateKey());
+        return new RSAPublicKey(rsaPrivateKey.getModulus(), rsaPrivateKey.getPublicExponent());
+    }
+}