Enable PEM file format for ClientCertificateAuthentication (#225)

Co-authored-by: Matthias Kuhr <52661546+MatKuhr@users.noreply.github.com>
Co-authored-by: KavithaSiva <32287936+KavithaSiva@users.noreply.github.com>

Author: 3 people

cloudplatform/cloudplatform-connectivity/pom.xml

@@ -90,6 +90,14 @@
 			<groupId>com.auth0</groupId>
 			<artifactId>java-jwt</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcprov-jdk18on</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk18on</artifactId>
+		</dependency>
 		<!-- scope "provided" -->
 		<dependency>
 			<groupId>org.projectlombok</groupId>

cloudplatform/cloudplatform-connectivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/KeyStoreReader.java

@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2024 SAP SE or an SAP affiliate company. All rights reserved.
+ */
+
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.Reader;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
+import org.bouncycastle.operator.InputDecryptorProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+import org.bouncycastle.pkcs.PKCSException;
+import org.bouncycastle.util.io.pem.PemObject;
+
+import com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException;
+
+import io.vavr.control.Try;
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor( access = AccessLevel.PRIVATE )
+class KeyStoreReader
+{
+    private static final String MSG_CERT = "Provided certificate data did not contain any valid X.509 certificates.";
+    private static final String MSG_KEY = "Provided key data did not contain a valid PEM key";
+
+    @Nonnull
+    static KeyStore createKeyStore(
+        @Nonnull final String alias,
+        @Nonnull final char[] password,
+        @Nonnull final Reader certReader,
+        @Nonnull final Reader keyReader )
+        throws KeyStoreException,
+            CertificateException,
+            IOException,
+            NoSuchAlgorithmException
+    {
+        final Certificate[] clientCertificates =
+            Try.of(() -> loadCertificates(certReader)).getOrElseThrow(e -> new DestinationAccessException(MSG_CERT, e));
+        final PrivateKey privateKey =
+            Try.of(() -> loadKey(keyReader, password)).getOrElseThrow(e -> new DestinationAccessException(MSG_KEY, e));
+        final KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null);
+        keyStore.setKeyEntry(alias, privateKey, password, clientCertificates);
+        return keyStore;
+    }
+
+    @Nonnull
+    static Certificate[] loadCertificates( @Nonnull final Reader certReader )
+        throws CertificateException,
+            IOException
+    {
+        final List<Certificate> certs = new ArrayList<>();
+        final CertificateFactory factory = CertificateFactory.getInstance("X509");
+
+        try( PEMParser pemParser = new PEMParser(certReader) ) {
+            PemObject object;
+            while( (object = pemParser.readPemObject()) != null ) {
+                if( !object.getType().equals("CERTIFICATE") ) {
+                    continue;
+                }
+                certs.add(factory.generateCertificate(new ByteArrayInputStream(object.getContent())));
+            }
+        }
+        if( certs.isEmpty() ) {
+            throw new IllegalArgumentException(
+                "Provided certificate data did not contain any valid X.509 certificates.");
+        }
+        return certs.toArray(new Certificate[0]);
+    }
+
+    @Nonnull
+    static PrivateKey loadKey( @Nonnull final Reader keyReader, @Nullable final char[] password )
+        throws IOException,
+            OperatorCreationException,
+            PKCSException
+    {
+        try( PEMParser pemParser = new PEMParser(keyReader) ) {
+            final Object raw = pemParser.readObject();
+            if( raw instanceof PEMKeyPair ) {
+                return new JcaPEMKeyConverter().getKeyPair((PEMKeyPair) raw).getPrivate();
+            }
+            if( raw instanceof PrivateKey ) {
+                return (PrivateKey) raw;
+            }
+            if( raw instanceof PKCS8EncryptedPrivateKeyInfo ) {
+                final InputDecryptorProvider c = new JceOpenSSLPKCS8DecryptorProviderBuilder().build(password);
+                final PrivateKeyInfo privateKeyInfo = ((PKCS8EncryptedPrivateKeyInfo) raw).decryptPrivateKeyInfo(c);
+                return new JcaPEMKeyConverter().getPrivateKey(privateKeyInfo);
+            }
+            if( raw instanceof PrivateKeyInfo ) {
+                return new JcaPEMKeyConverter().getPrivateKey((PrivateKeyInfo) raw);
+            }
+            throw new IllegalArgumentException("Provided key data did not contain a valid PEM key.");
+        }
+    }
+}

cloudplatform/connectivity-apache-httpclient4/pom.xml

@@ -96,14 +96,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk18on</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk18on</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>

cloudplatform/connectivity-apache-httpclient4/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/AbstractX509SslContextProvider.java

@@ -4,29 +4,15 @@
 
 package com.sap.cloud.sdk.cloudplatform.connectivity;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
 import java.io.Reader;
 import java.io.StringReader;
-import java.security.KeyStore;
-import java.security.PrivateKey;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.util.ArrayList;
-import java.util.List;
 
 import javax.annotation.Nonnull;
 import javax.net.ssl.SSLContext;
 
 import org.apache.http.ssl.SSLContextBuilder;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.util.io.pem.PemObject;
 
 import com.sap.cloud.sdk.cloudplatform.PlatformSslContextProvider;
-import com.sap.cloud.sdk.cloudplatform.exception.CloudPlatformException;
 
 import io.vavr.control.Try;
 
@@ -35,6 +21,9 @@
  */
 abstract class AbstractX509SslContextProvider implements PlatformSslContextProvider
 {
+    private static final char[] DEFAULT_PASSWORD = "changeit".toCharArray();
+    private static final String DEFAULT_ALIAS = "instance-identity";
+
     /**
      * Convenience for {@code tryGetContext(new StringReader(cert), new StringReader(key))}
      *
@@ -65,66 +54,9 @@ Try<SSLContext> tryGetContext( @Nonnull final String cert, @Nonnull final String
     Try<SSLContext> tryGetContext( @Nonnull final Reader certReader, @Nonnull final Reader keyReader )
     {
         final SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
-
-        final Certificate[] clientCertificates;
-        final PrivateKey privateKey;
-
-        try {
-            clientCertificates = loadCertificates(certReader);
-        }
-        catch( final Exception e ) {
-            return Try.failure(new CloudPlatformException("Failed to load platform certificate", e));
-        }
-
-        try {
-            privateKey = loadPrivateKey(keyReader);
-        }
-        catch( final Exception e ) {
-            return Try.failure(new CloudPlatformException("Failed to load platform key", e));
-        }
-
         return Try
-            .of(() -> KeyStore.getInstance("JKS"))
-            .andThenTry(k -> k.load(null))
-            .andThenTry(
-                k -> k.setKeyEntry("instance-identity", privateKey, "changeit".toCharArray(), clientCertificates))
-            .mapTry(k -> sslContextBuilder.loadKeyMaterial(k, "changeit".toCharArray()))
+            .of(() -> KeyStoreReader.createKeyStore(DEFAULT_ALIAS, DEFAULT_PASSWORD, certReader, keyReader))
+            .mapTry(k -> sslContextBuilder.loadKeyMaterial(k, DEFAULT_PASSWORD))
             .mapTry(SSLContextBuilder::build);
     }
-
-    @Nonnull
-    static Certificate[] loadCertificates( @Nonnull final Reader certReader )
-        throws CertificateException,
-            IOException
-    {
-        final List<Certificate> certs = new ArrayList<>();
-        final CertificateFactory factory = CertificateFactory.getInstance("X509");
-
-        try( PEMParser pemParser = new PEMParser(certReader) ) {
-            PemObject object;
-            while( (object = pemParser.readPemObject()) != null ) {
-                if( !object.getType().equals("CERTIFICATE") ) {
-                    continue;
-                }
-                certs.add(factory.generateCertificate(new ByteArrayInputStream(object.getContent())));
-            }
-        }
-        if( certs.isEmpty() ) {
-            throw new CloudPlatformException("Provided certificate data did not contain any valid X.509 certificates.");
-        }
-        return certs.toArray(new Certificate[0]);
-    }
-
-    @Nonnull
-    static PrivateKey loadPrivateKey( @Nonnull final Reader keyReader )
-        throws IOException
-    {
-        try( PEMParser pemParser = new PEMParser(keyReader) ) {
-            final PEMKeyPair keyPair = (PEMKeyPair) pemParser.readObject();
-            if( keyPair == null ) {
-                throw new CloudPlatformException("Provided key data did not contain a valid PEM key.");
-            }
-            return new JcaPEMKeyConverter().getKeyPair(keyPair).getPrivate();
-        }
-    }
 }

cloudplatform/connectivity-apache-httpclient4/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/AbstractX509SslContextProviderTest.java

@@ -36,7 +36,7 @@ void testCertificateParsing()
             CertificateException
     {
         final FileReader cert = new FileReader(getTestFile("valid_cert.pem"));
-        final Certificate[] certificates = AbstractX509SslContextProvider.loadCertificates(cert);
+        final Certificate[] certificates = KeyStoreReader.loadCertificates(cert);
 
         assertThat(certificates).isNotEmpty();
         assertThat(certificates[0].getType()).isEqualTo("X.509");
@@ -51,16 +51,16 @@ void testCertificateParsingFailure()
         throws FileNotFoundException
     {
         final FileReader cert = new FileReader(getTestFile("invalid_cert"));
-        assertThatThrownBy(() -> AbstractX509SslContextProvider.loadCertificates(cert))
-            .isInstanceOf(CloudPlatformException.class);
+        assertThatThrownBy(() -> KeyStoreReader.loadCertificates(cert)).isInstanceOf(IllegalArgumentException.class);
     }
 
     @Test
     void testKeyParsing()
-        throws IOException
+        throws Exception
     {
         final FileReader key = new FileReader(getTestFile("valid_key.pem"));
-        final PrivateKey privateKey = AbstractX509SslContextProvider.loadPrivateKey(key);
+        final char[] pw = "changeit".toCharArray();
+        final PrivateKey privateKey = KeyStoreReader.loadKey(key, pw);
 
         assertThat(privateKey.getAlgorithm()).containsIgnoringCase("RSA");
     }
@@ -70,8 +70,8 @@ void testKeyParsingFailure()
         throws FileNotFoundException
     {
         final FileReader key = new FileReader(getTestFile("invalid_key"));
-        assertThatThrownBy(() -> AbstractX509SslContextProvider.loadPrivateKey(key))
-            .isInstanceOf(CloudPlatformException.class);
+        final char[] pw = "changeit".toCharArray();
+        assertThatThrownBy(() -> KeyStoreReader.loadKey(key, pw)).isInstanceOf(IllegalArgumentException.class);
     }
 
     @Test

cloudplatform/connectivity-apache-httpclient4/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/KeyStoreReaderTest.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2024 SAP SE or an SAP affiliate company. All rights reserved.
+ */
+
+package com.sap.cloud.sdk.cloudplatform.connectivity;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.io.FileReader;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateCrtKey;
+
+import org.junit.jupiter.api.Test;
+
+class KeyStoreReaderTest
+{
+    private static final String RES =
+        "src/test/resources/" + ClientCertificateAuthenticationLocalTest.class.getSimpleName();
+    private static final String CRT_PATH = RES + "/client-cert.crt";
+    private static final String KEY_PATH = RES + "/client-cert.key";
+
+    @Test
+    void testPem()
+        throws Exception
+    {
+        final String ALIAS = "1";
+        final FileReader certs = new FileReader(CRT_PATH), key = new FileReader(KEY_PATH);
+        final KeyStore createdKeystore = KeyStoreReader.createKeyStore(ALIAS, new char[0], certs, key);
+
+        assertThat(createdKeystore.getType()).isEqualTo("JKS");
+        assertThat(createdKeystore.getProvider()).isNotNull();
+
+        assertThat(createdKeystore.getCertificateChain(ALIAS)).hasSize(1);
+        assertThat(createdKeystore.getCertificate(ALIAS))
+            .isInstanceOf(X509Certificate.class)
+            .extracting(c -> ((X509Certificate) c).getSubjectX500Principal())
+            .hasToString("CN=localhost, EMAILADDRESS=cloudsdk@sap.com, O=Potsdam, ST=Brandenburg, C=DE");
+
+        assertThat(createdKeystore.getKey(ALIAS, new char[0])).isInstanceOf(RSAPrivateCrtKey.class); // no password
+    }
+}

cloudplatform/connectivity-apache-httpclient5/pom.xml

@@ -84,14 +84,6 @@
 			<groupId>org.apache.httpcomponents.core5</groupId>
 			<artifactId>httpcore5</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk18on</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcpkix-jdk18on</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>