feat: Allow injecting private key decryptor for JWT (box/box-codegen#754) (#355)

box-sdk-build · web-flow · commit 31f3a2a6bcb2 · 2025-07-11T13:23:54.000+02:00
diff --git a/.codegen.json b/.codegen.json
@@ -1 +1 @@
-{ "engineHash": "ac49877", "specHash": "8402463", "version": "0.7.0" }
+{ "engineHash": "b8e7dbb", "specHash": "8402463", "version": "0.7.0" }
diff --git a/src/main/java/com/box/sdkgen/box/jwtauth/BoxJWTAuth.java b/src/main/java/com/box/sdkgen/box/jwtauth/BoxJWTAuth.java
@@ -63,7 +63,8 @@ public AccessToken refreshToken(NetworkSession networkSession) {
             this.config.getClientId(),
             this.subjectId,
             getUuid(),
-            this.config.getJwtKeyId());
+            this.config.getJwtKeyId(),
+            this.config.getPrivateKeyDecryptor());
     JwtKey jwtKey = new JwtKey(this.config.getPrivateKey(), this.config.getPrivateKeyPassphrase());
     String assertion = createJwtAssertion(claims, jwtKey, jwtOptions);
     AuthorizationManager authManager =
diff --git a/src/main/java/com/box/sdkgen/box/jwtauth/JWTConfig.java b/src/main/java/com/box/sdkgen/box/jwtauth/JWTConfig.java
@@ -5,7 +5,9 @@
 
 import com.box.sdkgen.box.tokenstorage.InMemoryTokenStorage;
 import com.box.sdkgen.box.tokenstorage.TokenStorage;
+import com.box.sdkgen.internal.utils.DefaultPrivateKeyDecryptor;
 import com.box.sdkgen.internal.utils.JwtAlgorithm;
+import com.box.sdkgen.internal.utils.PrivateKeyDecryptor;
 import com.box.sdkgen.serialization.json.EnumWrapper;
 import com.box.sdkgen.serialization.json.JsonManager;
 
@@ -29,6 +31,8 @@ public class JWTConfig {
 
   public TokenStorage tokenStorage;
 
+  public PrivateKeyDecryptor privateKeyDecryptor;
+
   public JWTConfig(
       String clientId,
       String clientSecret,
@@ -42,6 +46,7 @@ public JWTConfig(
     this.privateKeyPassphrase = privateKeyPassphrase;
     this.algorithm = new EnumWrapper<JwtAlgorithm>(JwtAlgorithm.RS256);
     this.tokenStorage = new InMemoryTokenStorage();
+    this.privateKeyDecryptor = new DefaultPrivateKeyDecryptor();
   }
 
   protected JWTConfig(Builder builder) {
@@ -54,46 +59,62 @@ protected JWTConfig(Builder builder) {
     this.userId = builder.userId;
     this.algorithm = builder.algorithm;
     this.tokenStorage = builder.tokenStorage;
+    this.privateKeyDecryptor = builder.privateKeyDecryptor;
   }
 
   public static JWTConfig fromConfigJsonString(String configJsonString) {
-    return fromConfigJsonString(configJsonString, null);
+    return fromConfigJsonString(configJsonString, null, null);
   }
 
   public static JWTConfig fromConfigJsonString(String configJsonString, TokenStorage tokenStorage) {
+    return fromConfigJsonString(configJsonString, tokenStorage, null);
+  }
+
+  public static JWTConfig fromConfigJsonString(
+      String configJsonString, PrivateKeyDecryptor privateKeyDecryptor) {
+    return fromConfigJsonString(configJsonString, null, privateKeyDecryptor);
+  }
+
+  public static JWTConfig fromConfigJsonString(
+      String configJsonString, TokenStorage tokenStorage, PrivateKeyDecryptor privateKeyDecryptor) {
     JwtConfigFile configJson =
         JsonManager.deserialize(jsonToSerializedData(configJsonString), JwtConfigFile.class);
+    TokenStorage tokenStorageToUse =
+        (tokenStorage == null ? new InMemoryTokenStorage() : tokenStorage);
+    PrivateKeyDecryptor privateKeyDecryptorToUse =
+        (privateKeyDecryptor == null ? new DefaultPrivateKeyDecryptor() : privateKeyDecryptor);
     JWTConfig newConfig =
-        (!(tokenStorage == null)
-            ? new JWTConfig.Builder(
-                    configJson.getBoxAppSettings().getClientId(),
-                    configJson.getBoxAppSettings().getClientSecret(),
-                    configJson.getBoxAppSettings().getAppAuth().getPublicKeyId(),
-                    configJson.getBoxAppSettings().getAppAuth().getPrivateKey(),
-                    configJson.getBoxAppSettings().getAppAuth().getPassphrase())
-                .enterpriseId(configJson.getEnterpriseId())
-                .userId(configJson.getUserId())
-                .tokenStorage(tokenStorage)
-                .build()
-            : new JWTConfig.Builder(
-                    configJson.getBoxAppSettings().getClientId(),
-                    configJson.getBoxAppSettings().getClientSecret(),
-                    configJson.getBoxAppSettings().getAppAuth().getPublicKeyId(),
-                    configJson.getBoxAppSettings().getAppAuth().getPrivateKey(),
-                    configJson.getBoxAppSettings().getAppAuth().getPassphrase())
-                .enterpriseId(configJson.getEnterpriseId())
-                .userId(configJson.getUserId())
-                .build());
+        new JWTConfig.Builder(
+                configJson.getBoxAppSettings().getClientId(),
+                configJson.getBoxAppSettings().getClientSecret(),
+                configJson.getBoxAppSettings().getAppAuth().getPublicKeyId(),
+                configJson.getBoxAppSettings().getAppAuth().getPrivateKey(),
+                configJson.getBoxAppSettings().getAppAuth().getPassphrase())
+            .enterpriseId(configJson.getEnterpriseId())
+            .userId(configJson.getUserId())
+            .tokenStorage(tokenStorageToUse)
+            .privateKeyDecryptor(privateKeyDecryptorToUse)
+            .build();
     return newConfig;
   }
 
   public static JWTConfig fromConfigFile(String configFilePath) {
-    return fromConfigFile(configFilePath, null);
+    return fromConfigFile(configFilePath, null, null);
   }
 
   public static JWTConfig fromConfigFile(String configFilePath, TokenStorage tokenStorage) {
+    return fromConfigFile(configFilePath, tokenStorage, null);
+  }
+
+  public static JWTConfig fromConfigFile(
+      String configFilePath, PrivateKeyDecryptor privateKeyDecryptor) {
+    return fromConfigFile(configFilePath, null, privateKeyDecryptor);
+  }
+
+  public static JWTConfig fromConfigFile(
+      String configFilePath, TokenStorage tokenStorage, PrivateKeyDecryptor privateKeyDecryptor) {
     String configJsonString = readTextFromFile(configFilePath);
-    return JWTConfig.fromConfigJsonString(configJsonString, tokenStorage);
+    return JWTConfig.fromConfigJsonString(configJsonString, tokenStorage, privateKeyDecryptor);
   }
 
   public String getClientId() {
@@ -132,6 +153,10 @@ public TokenStorage getTokenStorage() {
     return tokenStorage;
   }
 
+  public PrivateKeyDecryptor getPrivateKeyDecryptor() {
+    return privateKeyDecryptor;
+  }
+
   public static class Builder {
 
     protected final String clientId;
@@ -152,6 +177,8 @@ public static class Builder {
 
     protected TokenStorage tokenStorage;
 
+    protected PrivateKeyDecryptor privateKeyDecryptor;
+
     public Builder(
         String clientId,
         String clientSecret,
@@ -165,6 +192,7 @@ public Builder(
       this.privateKeyPassphrase = privateKeyPassphrase;
       this.algorithm = new EnumWrapper<JwtAlgorithm>(JwtAlgorithm.RS256);
       this.tokenStorage = new InMemoryTokenStorage();
+      this.privateKeyDecryptor = new DefaultPrivateKeyDecryptor();
     }
 
     public Builder enterpriseId(String enterpriseId) {
@@ -192,6 +220,11 @@ public Builder tokenStorage(TokenStorage tokenStorage) {
       return this;
     }
 
+    public Builder privateKeyDecryptor(PrivateKeyDecryptor privateKeyDecryptor) {
+      this.privateKeyDecryptor = privateKeyDecryptor;
+      return this;
+    }
+
     public JWTConfig build() {
       return new JWTConfig(this);
     }
diff --git a/src/main/java/com/box/sdkgen/internal/utils/DefaultPrivateKeyDecryptor.java b/src/main/java/com/box/sdkgen/internal/utils/DefaultPrivateKeyDecryptor.java
@@ -0,0 +1,61 @@
+package com.box.sdkgen.internal.utils;
+
+import com.box.sdkgen.box.errors.BoxSDKError;
+import java.io.IOException;
+import java.io.StringReader;
+import java.security.PrivateKey;
+import java.security.Security;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.bouncycastle.operator.InputDecryptorProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+import org.bouncycastle.pkcs.PKCSException;
+
+public class DefaultPrivateKeyDecryptor implements PrivateKeyDecryptor {
+  public PrivateKey decryptPrivateKey(String encryptedPrivateKey, String passphrase) {
+    Security.addProvider(new BouncyCastleProvider());
+    PrivateKey decryptedPrivateKey;
+    try {
+      PEMParser keyReader = new PEMParser(new StringReader(encryptedPrivateKey));
+      Object keyPair = keyReader.readObject();
+      keyReader.close();
+
+      if (keyPair instanceof PrivateKeyInfo) {
+        PrivateKeyInfo keyInfo = (PrivateKeyInfo) keyPair;
+        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
+      } else if (keyPair instanceof PEMEncryptedKeyPair) {
+        JcePEMDecryptorProviderBuilder builder = new JcePEMDecryptorProviderBuilder();
+        PEMDecryptorProvider decryptionProvider = builder.build(passphrase.toCharArray());
+        keyPair = ((PEMEncryptedKeyPair) keyPair).decryptKeyPair(decryptionProvider);
+        PrivateKeyInfo keyInfo = ((PEMKeyPair) keyPair).getPrivateKeyInfo();
+        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
+      } else if (keyPair instanceof PKCS8EncryptedPrivateKeyInfo) {
+        InputDecryptorProvider pkcs8Prov =
+            new JceOpenSSLPKCS8DecryptorProviderBuilder()
+                .setProvider("BC")
+                .build(passphrase.toCharArray());
+        PrivateKeyInfo keyInfo =
+            ((PKCS8EncryptedPrivateKeyInfo) keyPair).decryptPrivateKeyInfo(pkcs8Prov);
+        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
+      } else {
+        PrivateKeyInfo keyInfo = ((PEMKeyPair) keyPair).getPrivateKeyInfo();
+        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
+      }
+    } catch (IOException e) {
+      throw new BoxSDKError("Error parsing private key for Box Developer Edition.", e);
+    } catch (OperatorCreationException e) {
+      throw new BoxSDKError("Error parsing PKCS#8 private key for Box Developer Edition.", e);
+    } catch (PKCSException e) {
+      throw new BoxSDKError("Error parsing PKCS private key for Box Developer Edition.", e);
+    }
+    return decryptedPrivateKey;
+  }
+}
diff --git a/src/main/java/com/box/sdkgen/internal/utils/JwtSignOptions.java b/src/main/java/com/box/sdkgen/internal/utils/JwtSignOptions.java
@@ -9,6 +9,7 @@ public class JwtSignOptions {
   protected String subject;
   protected String jwtid;
   protected String keyid;
+  protected PrivateKeyDecryptor privateKeyDecryptor;
 
   public JwtSignOptions(
       JwtAlgorithm algorithm,
@@ -17,12 +18,34 @@ public JwtSignOptions(
       String subject,
       String jwtid,
       String keyid) {
+    this(algorithm, audience, issuer, subject, jwtid, keyid, new DefaultPrivateKeyDecryptor());
+  }
+
+  public JwtSignOptions(
+      EnumWrapper<JwtAlgorithm> algorithm,
+      String audience,
+      String issuer,
+      String subject,
+      String jwtid,
+      String keyid) {
+    this(algorithm, audience, issuer, subject, jwtid, keyid, new DefaultPrivateKeyDecryptor());
+  }
+
+  public JwtSignOptions(
+      JwtAlgorithm algorithm,
+      String audience,
+      String issuer,
+      String subject,
+      String jwtid,
+      String keyid,
+      PrivateKeyDecryptor privateKeyDecryptor) {
     this.algorithm = algorithm;
     this.audience = audience;
     this.issuer = issuer;
     this.subject = subject;
     this.jwtid = jwtid;
     this.keyid = keyid;
+    this.privateKeyDecryptor = privateKeyDecryptor;
   }
 
   public JwtSignOptions(
@@ -31,13 +54,15 @@ public JwtSignOptions(
       String issuer,
       String subject,
       String jwtid,
-      String keyid) {
+      String keyid,
+      PrivateKeyDecryptor privateKeyDecryptor) {
     this.algorithm = algorithm.getEnumValue();
     this.audience = audience;
     this.issuer = issuer;
     this.subject = subject;
     this.jwtid = jwtid;
     this.keyid = keyid;
+    this.privateKeyDecryptor = privateKeyDecryptor;
   }
 
   public JwtAlgorithm getAlgorithm() {
@@ -63,4 +88,8 @@ public String getJwtid() {
   public String getKeyid() {
     return keyid;
   }
+
+  public PrivateKeyDecryptor getPrivateKeyDecryptor() {
+    return privateKeyDecryptor;
+  }
 }
diff --git a/src/main/java/com/box/sdkgen/internal/utils/PrivateKeyDecryptor.java b/src/main/java/com/box/sdkgen/internal/utils/PrivateKeyDecryptor.java
@@ -0,0 +1,9 @@
+package com.box.sdkgen.internal.utils;
+
+import java.security.PrivateKey;
+
+/** Decrypts private key with provided passphrase */
+public interface PrivateKeyDecryptor {
+  /** Decrypts private key using a passphrase. */
+  PrivateKey decryptPrivateKey(String encryptedPrivateKey, String passphrase);
+}
diff --git a/src/main/java/com/box/sdkgen/internal/utils/UtilsManager.java b/src/main/java/com/box/sdkgen/internal/utils/UtilsManager.java
@@ -15,14 +15,11 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
-import java.io.StringReader;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.MessageDigest;
-import java.security.PrivateKey;
-import java.security.Security;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.Base64;
@@ -40,19 +37,6 @@
 import java.util.stream.Collectors;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.bouncycastle.openssl.PEMDecryptorProvider;
-import org.bouncycastle.openssl.PEMEncryptedKeyPair;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
-import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
-import org.bouncycastle.operator.InputDecryptorProvider;
-import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
-import org.bouncycastle.pkcs.PKCSException;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.NumericDate;
@@ -264,45 +248,6 @@ public static long getEpochTimeInSeconds() {
     return System.currentTimeMillis() / 1000;
   }
 
-  public static PrivateKey decryptPrivateKey(String encryptedPrivateKey, String passphrase) {
-    Security.addProvider(new BouncyCastleProvider());
-    PrivateKey decryptedPrivateKey;
-    try {
-      PEMParser keyReader = new PEMParser(new StringReader(encryptedPrivateKey));
-      Object keyPair = keyReader.readObject();
-      keyReader.close();
-
-      if (keyPair instanceof PrivateKeyInfo) {
-        PrivateKeyInfo keyInfo = (PrivateKeyInfo) keyPair;
-        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
-      } else if (keyPair instanceof PEMEncryptedKeyPair) {
-        JcePEMDecryptorProviderBuilder builder = new JcePEMDecryptorProviderBuilder();
-        PEMDecryptorProvider decryptionProvider = builder.build(passphrase.toCharArray());
-        keyPair = ((PEMEncryptedKeyPair) keyPair).decryptKeyPair(decryptionProvider);
-        PrivateKeyInfo keyInfo = ((PEMKeyPair) keyPair).getPrivateKeyInfo();
-        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
-      } else if (keyPair instanceof PKCS8EncryptedPrivateKeyInfo) {
-        InputDecryptorProvider pkcs8Prov =
-            new JceOpenSSLPKCS8DecryptorProviderBuilder()
-                .setProvider("BC")
-                .build(passphrase.toCharArray());
-        PrivateKeyInfo keyInfo =
-            ((PKCS8EncryptedPrivateKeyInfo) keyPair).decryptPrivateKeyInfo(pkcs8Prov);
-        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
-      } else {
-        PrivateKeyInfo keyInfo = ((PEMKeyPair) keyPair).getPrivateKeyInfo();
-        decryptedPrivateKey = (new JcaPEMKeyConverter()).getPrivateKey(keyInfo);
-      }
-    } catch (IOException e) {
-      throw new BoxSDKError("Error parsing private key for Box Developer Edition.", e);
-    } catch (OperatorCreationException e) {
-      throw new BoxSDKError("Error parsing PKCS#8 private key for Box Developer Edition.", e);
-    } catch (PKCSException e) {
-      throw new BoxSDKError("Error parsing PKCS private key for Box Developer Edition.", e);
-    }
-    return decryptedPrivateKey;
-  }
-
   public static String createJwtAssertion(
       Map<String, Object> claims, JwtKey jwtKey, JwtSignOptions jwtOptions) {
     JwtClaims jwtClaims = new JwtClaims();
@@ -316,7 +261,8 @@ public static String createJwtAssertion(
 
     JsonWebSignature jws = new JsonWebSignature();
     jws.setPayload(jwtClaims.toJson());
-    jws.setKey(decryptPrivateKey(jwtKey.getKey(), jwtKey.getPassphrase()));
+    jws.setKey(
+        jwtOptions.privateKeyDecryptor.decryptPrivateKey(jwtKey.getKey(), jwtKey.getPassphrase()));
     jws.setAlgorithmHeaderValue(jwtOptions.getAlgorithm().getValue());
     jws.setHeader("typ", "JWT");
     if ((jwtOptions.getKeyid() != null) && !jwtOptions.getKeyid().isEmpty()) {

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{ "engineHash": "ac49877", "specHash": "8402463", "version": "0.7.0" }`
	`1`	`+{ "engineHash": "b8e7dbb", "specHash": "8402463", "version": "0.7.0" }`