Allow PemPrivateKeyParser to parse multiple keys

philwebb · philwebb · commit 32e6ce210e13 · 2023-10-19T22:01:23.000-07:00
Update `PemPrivateKeyParser` so that it can parse multiple keys in a single PEM file. Closes gh-37970
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java
@@ -69,6 +69,10 @@ final class PemPrivateKeyParser {
 
 	private static final String SEC1_EC_FOOTER = "-+END\\s+EC\\s+PRIVATE\\s+KEY[^-]*-+";
 
+	private static final String PKCS1_DSA_HEADER = "-+BEGIN\\s+DSA\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+";
+
+	private static final String PKCS1_DSA_FOOTER = "-+END\\s+DSA\\s+PRIVATE\\s+KEY[^-]*-+";
+
 	private static final String BASE64_TEXT = "([a-z0-9+/=\\r\\n]+)";
 
 	public static final int BASE64_TEXT_GROUP = 1;
@@ -83,6 +87,9 @@ final class PemPrivateKeyParser {
 				"RSASSA-PSS", "EC", "DSA", "EdDSA", "XDH"));
 		parsers.add(new PemParser(PKCS8_ENCRYPTED_HEADER, PKCS8_ENCRYPTED_FOOTER,
 				PemPrivateKeyParser::createKeySpecForPkcs8Encrypted, "RSA", "RSASSA-PSS", "EC", "DSA", "EdDSA", "XDH"));
+		parsers.add(new PemParser(PKCS1_DSA_HEADER, PKCS1_DSA_FOOTER, (bytes, password) -> {
+			throw new IllegalStateException("Unsupported private key format");
+		}));
 		PEM_PARSERS = Collections.unmodifiableList(parsers);
 	}
 
@@ -172,7 +179,7 @@ private static PKCS8EncodedKeySpec createKeySpecForPkcs8Encrypted(byte[] bytes,
 	 * @param key the private key to parse
 	 * @return the parsed private key
 	 */
-	static PrivateKey parse(String key) {
+	static PrivateKey[] parse(String key) {
 		return parse(key, null);
 	}
 
@@ -183,22 +190,23 @@ static PrivateKey parse(String key) {
 	 * @param password the password used to decrypt an encrypted private key
 	 * @return the parsed private key
 	 */
-	static PrivateKey parse(String key, String password) {
+	static PrivateKey[] parse(String key, String password) {
 		if (key == null) {
 			return null;
 		}
+		List<PrivateKey> keys = new ArrayList<>();
 		try {
 			for (PemParser pemParser : PEM_PARSERS) {
 				PrivateKey privateKey = pemParser.parse(key, password);
 				if (privateKey != null) {
-					return privateKey;
+					keys.add(privateKey);
 				}
 			}
-			throw new IllegalStateException("Unrecognized private key format");
 		}
 		catch (Exception ex) {
 			throw new IllegalStateException("Error loading private key file: " + ex.getMessage(), ex);
 		}
+		return keys.toArray(PrivateKey[]::new);
 	}
 
 	/**
@@ -239,7 +247,7 @@ private PrivateKey parse(byte[] bytes, String password) {
 				catch (InvalidKeySpecException | NoSuchAlgorithmException ex) {
 				}
 			}
-			return null;
+			throw new IllegalStateException("Unrecognized private key format");
 		}
 
 	}
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemSslStoreBundle.java
@@ -27,6 +27,7 @@
 import org.springframework.boot.ssl.SslStoreBundle;
 import org.springframework.boot.ssl.pem.KeyVerifier.Result;
 import org.springframework.util.Assert;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 
 /**
@@ -150,13 +151,18 @@ private static void verifyKeys(PrivateKey privateKey, X509Certificate[] certific
 
 	private static PrivateKey loadPrivateKey(PemSslStoreDetails details) {
 		String privateKeyContent = PemContent.load(details.privateKey());
-		return PemPrivateKeyParser.parse(privateKeyContent, details.privateKeyPassword());
+		if (privateKeyContent == null) {
+			return null;
+		}
+		PrivateKey[] privateKeys = PemPrivateKeyParser.parse(privateKeyContent, details.privateKeyPassword());
+		Assert.state(!ObjectUtils.isEmpty(privateKeys), "Loaded private keys are empty");
+		return privateKeys[0];
 	}
 
 	private static X509Certificate[] loadCertificates(PemSslStoreDetails details) {
 		String certificateContent = PemContent.load(details.certificate());
 		X509Certificate[] certificates = PemCertificateParser.parse(certificateContent);
-		Assert.state(certificates != null && certificates.length > 0, "Loaded certificates are empty");
+		Assert.state(!ObjectUtils.isEmpty(certificates), "Loaded certificates are empty");
 		return certificates;
 	}
 
diff --git a/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemPrivateKeyParserTests.java b/spring-boot-project/spring-boot/src/test/java/org/springframework/boot/ssl/pem/PemPrivateKeyParserTests.java
@@ -27,6 +27,7 @@
 import org.junit.jupiter.params.provider.ValueSource;
 
 import org.springframework.core.io.ClassPathResource;
+import org.springframework.util.ObjectUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
@@ -49,7 +50,7 @@ class PemPrivateKeyParserTests {
 	})
 		// @formatter:on
 	void shouldParseTraditionalPkcs8(String file, String algorithm) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs8/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/pkcs8/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo(algorithm);
@@ -62,7 +63,7 @@ void shouldParseTraditionalPkcs8(String file, String algorithm) throws IOExcepti
 	})
 		// @formatter:on
 	void shouldParseTraditionalPkcs1(String file, String algorithm) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs1/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/pkcs1/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo(algorithm);
@@ -76,11 +77,11 @@ void shouldParseTraditionalPkcs1(String file, String algorithm) throws IOExcepti
 		// @formatter:on
 	void shouldNotParseUnsupportedTraditionalPkcs1(String file) {
 		assertThatIllegalStateException()
-			.isThrownBy(() -> PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs1/" + file)))
+			.isThrownBy(() -> parse(read("org/springframework/boot/web/server/pkcs1/" + file)))
 			.withMessageContaining("Error loading private key file")
 			.withCauseInstanceOf(IllegalStateException.class)
 			.havingCause()
-			.withMessageContaining("Unrecognized private key format");
+			.withMessageContaining("Unsupported private key format");
 	}
 
 	@ParameterizedTest
@@ -99,7 +100,7 @@ void shouldNotParseUnsupportedTraditionalPkcs1(String file) {
 	})
 		// @formatter:on
 	void shouldParseEcPkcs8(String file, String curveName, String oid) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs8/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/pkcs8/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo("EC");
@@ -134,7 +135,7 @@ void shouldNotParseUnsupportedEcPkcs8(String file) {
 	})
 		// @formatter:on
 	void shouldParseEdDsaPkcs8(String file) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs8/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/pkcs8/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo("EdDSA");
@@ -148,7 +149,7 @@ void shouldParseEdDsaPkcs8(String file) throws IOException {
 	})
 		// @formatter:on
 	void shouldParseXdhPkcs8(String file) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs8/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/pkcs8/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo("XDH");
@@ -170,7 +171,7 @@ void shouldParseXdhPkcs8(String file) throws IOException {
 	})
 		// @formatter:on
 	void shouldParseEcSec1(String file, String curveName, String oid) throws IOException {
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/sec1/" + file));
+		PrivateKey privateKey = parse(read("org/springframework/boot/web/server/sec1/" + file));
 		assertThat(privateKey).isNotNull();
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo("EC");
@@ -198,8 +199,8 @@ void shouldNotParseUnsupportedEcSec1(String file) {
 	}
 
 	@Test
-	void parseWithNonKeyTextWillThrowException() {
-		assertThatIllegalStateException().isThrownBy(() -> PemPrivateKeyParser.parse(read("test-banner.txt")));
+	void parseWithNonKeyTextWillReturnEmptyArray() throws Exception {
+		assertThat(PemPrivateKeyParser.parse(read("test-banner.txt"))).isEmpty();
 	}
 
 	@ParameterizedTest
@@ -217,9 +218,10 @@ void shouldParseEncryptedPkcs8(String file, String algorithm) throws IOException
 		// openssl pkcs8 -topk8 -in <input file> -out <output file> -v2 <algorithm>
 		// -passout pass:test
 		// where <algorithm> is aes128 or aes256
-		PrivateKey privateKey = PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs8/" + file),
-				"test");
-		assertThat(privateKey).isNotNull();
+		String content = read("org/springframework/boot/web/server/pkcs8/" + file);
+		PrivateKey[] privateKeys = PemPrivateKeyParser.parse(content, "test");
+		assertThat(privateKeys).isNotEmpty();
+		PrivateKey privateKey = privateKeys[0];
 		assertThat(privateKey.getFormat()).isEqualTo("PKCS#8");
 		assertThat(privateKey.getAlgorithm()).isEqualTo(algorithm);
 	}
@@ -248,24 +250,26 @@ void shouldNotParseEncryptedPkcs8NotUsingPbkdf2() {
 	}
 
 	@Test
-	void shouldNotParseEncryptedSec1() {
+	void shouldNotParseEncryptedSec1() throws Exception {
 		// created with:
 		// openssl ecparam -genkey -name prime256v1 | openssl ec -aes-128-cbc -out
 		// prime256v1-aes-128-cbc.key
-		assertThatIllegalStateException()
-			.isThrownBy(() -> PemPrivateKeyParser
-				.parse(read("org/springframework/boot/web/server/sec1/prime256v1-aes-128-cbc.key"), "test"))
-			.withMessageContaining("Unrecognized private key format");
+		assertThat(PemPrivateKeyParser
+			.parse(read("org/springframework/boot/web/server/sec1/prime256v1-aes-128-cbc.key"), "test")).isEmpty();
 	}
 
 	@Test
 	void shouldNotParseEncryptedPkcs1() throws Exception {
 		// created with:
 		// openssl genrsa -aes-256-cbc -out rsa-aes-256-cbc.key
-		assertThatIllegalStateException()
-			.isThrownBy(() -> PemPrivateKeyParser
-				.parse(read("org/springframework/boot/web/server/pkcs1/rsa-aes-256-cbc.key"), "test"))
-			.withMessageContaining("Unrecognized private key format");
+		assertThat(PemPrivateKeyParser.parse(read("org/springframework/boot/web/server/pkcs1/rsa-aes-256-cbc.key"),
+				"test"))
+			.isEmpty();
+	}
+
+	private PrivateKey parse(String key) {
+		PrivateKey[] keys = PemPrivateKeyParser.parse(key);
+		return (!ObjectUtils.isEmpty(keys)) ? keys[0] : null;
 	}
 
 	private String read(String path) throws IOException {

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,10 @@ final class PemPrivateKeyParser {`
`69`	`69`
`70`	`70`	`private static final String SEC1_EC_FOOTER = "-+END\\s+EC\\s+PRIVATE\\s+KEY[^-]*-+";`
`71`	`71`
	`72`	`+ private static final String PKCS1_DSA_HEADER = "-+BEGIN\\s+DSA\\s+PRIVATE\\s+KEY[^-]*-+(?:\\s\|\\r\|\\n)+";`
	`73`	`+`
	`74`	`+ private static final String PKCS1_DSA_FOOTER = "-+END\\s+DSA\\s+PRIVATE\\s+KEY[^-]*-+";`
	`75`	`+`
`72`	`76`	`private static final String BASE64_TEXT = "([a-z0-9+/=\\r\\n]+)";`
`73`	`77`
`74`	`78`	`public static final int BASE64_TEXT_GROUP = 1;`
`@@ -83,6 +87,9 @@ final class PemPrivateKeyParser {`
`83`	`87`	`"RSASSA-PSS", "EC", "DSA", "EdDSA", "XDH"));`
`84`	`88`	`parsers.add(new PemParser(PKCS8_ENCRYPTED_HEADER, PKCS8_ENCRYPTED_FOOTER,`
`85`	`89`	`PemPrivateKeyParser::createKeySpecForPkcs8Encrypted, "RSA", "RSASSA-PSS", "EC", "DSA", "EdDSA", "XDH"));`
	`90`	`+ parsers.add(new PemParser(PKCS1_DSA_HEADER, PKCS1_DSA_FOOTER, (bytes, password) -> {`
	`91`	`+ throw new IllegalStateException("Unsupported private key format");`
	`92`	`+ }));`
`86`	`93`	`PEM_PARSERS = Collections.unmodifiableList(parsers);`
`87`	`94`	`}`
`88`	`95`
`@@ -172,7 +179,7 @@ private static PKCS8EncodedKeySpec createKeySpecForPkcs8Encrypted(byte[] bytes,`
`172`	`179`	`* @param key the private key to parse`
`173`	`180`	`* @return the parsed private key`
`174`	`181`	`*/`
`175`		`- static PrivateKey parse(String key) {`
	`182`	`+ static PrivateKey[] parse(String key) {`
`176`	`183`	`return parse(key, null);`
`177`	`184`	`}`
`178`	`185`
`@@ -183,22 +190,23 @@ static PrivateKey parse(String key) {`
`183`	`190`	`* @param password the password used to decrypt an encrypted private key`
`184`	`191`	`* @return the parsed private key`
`185`	`192`	`*/`
`186`		`- static PrivateKey parse(String key, String password) {`
	`193`	`+ static PrivateKey[] parse(String key, String password) {`
`187`	`194`	`if (key == null) {`
`188`	`195`	`return null;`
`189`	`196`	`}`
	`197`	`+ List<PrivateKey> keys = new ArrayList<>();`
`190`	`198`	`try {`
`191`	`199`	`for (PemParser pemParser : PEM_PARSERS) {`
`192`	`200`	`PrivateKey privateKey = pemParser.parse(key, password);`
`193`	`201`	`if (privateKey != null) {`
`194`		`- return privateKey;`
	`202`	`+ keys.add(privateKey);`
`195`	`203`	`}`
`196`	`204`	`}`
`197`		`- throw new IllegalStateException("Unrecognized private key format");`
`198`	`205`	`}`
`199`	`206`	`catch (Exception ex) {`
`200`	`207`	`throw new IllegalStateException("Error loading private key file: " + ex.getMessage(), ex);`
`201`	`208`	`}`
	`209`	`+ return keys.toArray(PrivateKey[]::new);`
`202`	`210`	`}`
`203`	`211`
`204`	`212`	`/**`
`@@ -239,7 +247,7 @@ private PrivateKey parse(byte[] bytes, String password) {`
`239`	`247`	`catch (InvalidKeySpecException \| NoSuchAlgorithmException ex) {`
`240`	`248`	`}`
`241`	`249`	`}`
`242`		`- return null;`
	`250`	`+ throw new IllegalStateException("Unrecognized private key format");`
`243`	`251`	`}`
`244`	`252`
`245`	`253`	`}`