Merge pull request #39162 from Wzy19930507

philwebb · philwebb · commit 8147b7a288b8 · 2024-01-17T15:57:48.000-08:00
* pr/39162: Polish 'Reactor PemPrivateKeyParser to use DerElement' Reactor PemPrivateKeyParser to use DerElement Closes gh-39162
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/ssl/pem/PemPrivateKeyParser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,9 +27,13 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.HexFormat;
 import java.util.List;
+import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -73,6 +77,26 @@ final class PemPrivateKeyParser {
 
 	public static final int BASE64_TEXT_GROUP = 1;
 
+	private static final EncodedOid RSA_ALGORITHM = EncodedOid.OID_1_2_840_113549_1_1_1;
+
+	private static final EncodedOid ELLIPTIC_CURVE_ALGORITHM = EncodedOid.OID_1_2_840_10045_2_1;
+
+	private static final EncodedOid ELLIPTIC_CURVE_384_BIT = EncodedOid.OID_1_3_132_0_34;
+
+	private static final Map<EncodedOid, String> ALGORITHMS;
+	static {
+		Map<EncodedOid, String> algorithms = new HashMap<>();
+		algorithms.put(EncodedOid.OID_1_2_840_113549_1_1_1, "RSA");
+		algorithms.put(EncodedOid.OID_1_2_840_113549_1_1_10, "RSA");
+		algorithms.put(EncodedOid.OID_1_2_840_10040_4_1, "DSA");
+		algorithms.put(EncodedOid.OID_1_3_101_110, "XDH");
+		algorithms.put(EncodedOid.OID_1_3_101_111, "XDH");
+		algorithms.put(EncodedOid.OID_1_3_101_112, "EdDSA");
+		algorithms.put(EncodedOid.OID_1_3_101_113, "EdDSA");
+		algorithms.put(EncodedOid.OID_1_2_840_10045_2_1, "EC");
+		ALGORITHMS = Collections.unmodifiableMap(algorithms);
+	}
+
 	private static final List<PemParser> PEM_PARSERS;
 	static {
 		List<PemParser> parsers = new ArrayList<>();
@@ -86,21 +110,6 @@ final class PemPrivateKeyParser {
 		PEM_PARSERS = Collections.unmodifiableList(parsers);
 	}
 
-	/**
-	 * ASN.1 encoded object identifier {@literal 1.2.840.113549.1.1.1}.
-	 */
-	private static final int[] RSA_ALGORITHM = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
-
-	/**
-	 * ASN.1 encoded object identifier {@literal 1.2.840.10045.2.1}.
-	 */
-	private static final int[] EC_ALGORITHM = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01 };
-
-	/**
-	 * ASN.1 encoded object identifier {@literal 1.3.132.0.34}.
-	 */
-	private static final int[] EC_PARAMETERS = { 0x2b, 0x81, 0x04, 0x00, 0x22 };
-
 	private PemPrivateKeyParser() {
 	}
 
@@ -121,29 +130,22 @@ private static PKCS8EncodedKeySpec createKeySpecForSec1Ec(byte[] bytes, String p
 		Assert.state(privateKey != null && privateKey.isType(ValueType.PRIMITIVE, TagType.OCTET_STRING),
 				"Key spec should contain private key");
 		DerElement parameters = DerElement.of(ecPrivateKey.getContents());
-		return createKeySpecForAlgorithm(bytes, EC_ALGORITHM, getEcParameters(parameters));
+		return createKeySpecForAlgorithm(bytes, ELLIPTIC_CURVE_ALGORITHM, getEcParameters(parameters));
 	}
 
-	private static int[] getEcParameters(DerElement parameters) {
+	private static EncodedOid getEcParameters(DerElement parameters) {
 		if (parameters == null) {
-			return EC_PARAMETERS;
+			return ELLIPTIC_CURVE_384_BIT;
 		}
 		Assert.state(parameters.isType(ValueType.ENCODED), "Key spec should contain encoded parameters");
 		DerElement contents = DerElement.of(parameters.getContents());
 		Assert.state(contents.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER),
 				"Key spec parameters should contain object identifier");
-		return getEcParameters(contents.getContents());
+		return EncodedOid.of(contents);
 	}
 
-	private static int[] getEcParameters(ByteBuffer bytes) {
-		int[] result = new int[bytes.remaining()];
-		for (int i = 0; i < result.length; i++) {
-			result[i] = bytes.get() & 0xFF;
-		}
-		return result;
-	}
-
-	private static PKCS8EncodedKeySpec createKeySpecForAlgorithm(byte[] bytes, int[] algorithm, int[] parameters) {
+	private static PKCS8EncodedKeySpec createKeySpecForAlgorithm(byte[] bytes, EncodedOid algorithm,
+			EncodedOid parameters) {
 		try {
 			DerEncoder encoder = new DerEncoder();
 			encoder.integer(0x00); // Version 0
@@ -160,7 +162,20 @@ private static PKCS8EncodedKeySpec createKeySpecForAlgorithm(byte[] bytes, int[]
 	}
 
 	private static PKCS8EncodedKeySpec createKeySpecForPkcs8(byte[] bytes, String password) {
-		return new PKCS8EncodedKeySpec(bytes);
+		DerElement ecPrivateKey = DerElement.of(bytes);
+		Assert.state(ecPrivateKey.isType(ValueType.ENCODED, TagType.SEQUENCE),
+				"Key spec should be an ASN.1 encoded sequence");
+		DerElement version = DerElement.of(ecPrivateKey.getContents());
+		Assert.state(version != null && version.isType(ValueType.PRIMITIVE, TagType.INTEGER),
+				"Key spec should start with version");
+		DerElement sequence = DerElement.of(ecPrivateKey.getContents());
+		Assert.state(sequence != null && sequence.isType(ValueType.ENCODED, TagType.SEQUENCE),
+				"Key spec should contain private key");
+		DerElement algorithmId = DerElement.of(sequence.getContents());
+		Assert.state(algorithmId != null && algorithmId.isType(ValueType.PRIMITIVE, TagType.OBJECT_IDENTIFIER),
+				"Key spec container object identifier");
+		String algorithmName = ALGORITHMS.get(EncodedOid.of(algorithmId));
+		return (algorithmName != null) ? new PKCS8EncodedKeySpec(bytes, algorithmName) : new PKCS8EncodedKeySpec(bytes);
 	}
 
 	private static PKCS8EncodedKeySpec createKeySpecForPkcs8Encrypted(byte[] bytes, String password) {
@@ -231,6 +246,15 @@ private static byte[] decodeBase64(String content) {
 
 		private PrivateKey parse(byte[] bytes, String password) {
 			PKCS8EncodedKeySpec keySpec = this.keySpecFactory.apply(bytes, password);
+			if (keySpec.getAlgorithm() != null) {
+				try {
+					KeyFactory keyFactory = KeyFactory.getInstance(keySpec.getAlgorithm());
+					return keyFactory.generatePrivate(keySpec);
+				}
+				catch (InvalidKeySpecException | NoSuchAlgorithmException ex) {
+					// Ignore
+				}
+			}
 			for (String algorithm : this.algorithms) {
 				try {
 					KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
@@ -251,9 +275,9 @@ static class DerEncoder {
 
 		private final ByteArrayOutputStream stream = new ByteArrayOutputStream();
 
-		void objectIdentifier(int... encodedObjectIdentifier) throws IOException {
-			int code = (encodedObjectIdentifier != null) ? 0x06 : 0x05;
-			codeLengthBytes(code, bytes(encodedObjectIdentifier));
+		void objectIdentifier(EncodedOid encodedOid) throws IOException {
+			int code = (encodedOid != null) ? 0x06 : 0x05;
+			codeLengthBytes(code, (encodedOid != null) ? encodedOid.toByteArray() : null);
 		}
 
 		void integer(int... encodedInteger) throws IOException {
@@ -449,4 +473,69 @@ private static String getEncryptionAlgorithm(AlgorithmParameters algParameters,
 
 	}
 
+	/**
+	 * ANS.1 encoded object identifier.
+	 */
+	static final class EncodedOid {
+
+		static final EncodedOid OID_1_2_840_10040_4_1 = EncodedOid.of("2a8648ce380401");
+		static final EncodedOid OID_1_2_840_113549_1_1_1 = EncodedOid.of("2A864886F70D010101");
+		static final EncodedOid OID_1_2_840_113549_1_1_10 = EncodedOid.of("2a864886f70d01010a");
+		static final EncodedOid OID_1_3_101_110 = EncodedOid.of("2b656e");
+		static final EncodedOid OID_1_3_101_111 = EncodedOid.of("2b656f");
+		static final EncodedOid OID_1_3_101_112 = EncodedOid.of("2b6570");
+		static final EncodedOid OID_1_3_101_113 = EncodedOid.of("2b6571");
+		static final EncodedOid OID_1_2_840_10045_2_1 = EncodedOid.of("2a8648ce3d0201");
+		static final EncodedOid OID_1_3_132_0_34 = EncodedOid.of("2b81040022");
+
+		private final byte[] value;
+
+		private EncodedOid(byte[] value) {
+			this.value = value;
+		}
+
+		byte[] toByteArray() {
+			return this.value.clone();
+		}
+
+		@Override
+		public boolean equals(Object obj) {
+			if (this == obj) {
+				return true;
+			}
+			if (obj == null || getClass() != obj.getClass()) {
+				return false;
+			}
+			return Arrays.equals(this.value, ((EncodedOid) obj).value);
+		}
+
+		@Override
+		public int hashCode() {
+			return Arrays.hashCode(this.value);
+		}
+
+		static EncodedOid of(String hexString) {
+			return of(HexFormat.of().parseHex(hexString));
+		}
+
+		static EncodedOid of(DerElement derElement) {
+			return of(derElement.getContents());
+		}
+
+		static EncodedOid of(ByteBuffer byteBuffer) {
+			return of(byteBuffer.array(), byteBuffer.arrayOffset() + byteBuffer.position(), byteBuffer.remaining());
+		}
+
+		static EncodedOid of(byte[] bytes) {
+			return of(bytes, 0, bytes.length);
+		}
+
+		static EncodedOid of(byte[] bytes, int off, int len) {
+			byte[] value = new byte[len];
+			System.arraycopy(bytes, off, value, 0, len);
+			return new EncodedOid(value);
+		}
+
+	}
+
 }
