[feat] support reading DSA (public key) in full DER

Author: kares

src/main/java/org/jruby/ext/openssl/impl/PKey.java

@@ -239,13 +239,27 @@ public static PublicKey readDSAPublicKey(final byte[] input)
 
     public static PublicKey readDSAPublicKey(final KeyFactory dsaFactory, final byte[] input)
         throws IOException, InvalidKeySpecException {
-        ASN1Sequence seq = (ASN1Sequence) new ASN1InputStream(input).readObject();
-        if ( seq.size() == 4 ) {
-            BigInteger y = ((ASN1Integer) seq.getObjectAt(0)).getValue();
-            BigInteger p = ((ASN1Integer) seq.getObjectAt(1)).getValue();
-            BigInteger q = ((ASN1Integer) seq.getObjectAt(2)).getValue();
-            BigInteger g = ((ASN1Integer) seq.getObjectAt(3)).getValue();
-            return dsaFactory.generatePublic(new DSAPublicKeySpec(y, p, q, g));
+        ASN1Sequence seq;
+        ASN1Primitive obj = new ASN1InputStream(input).readObject();
+        if (obj instanceof ASN1Sequence) {
+            seq = (ASN1Sequence) obj;
+            if (seq.size() == 4) {
+                BigInteger y = ((ASN1Integer) seq.getObjectAt(0)).getValue();
+                BigInteger p = ((ASN1Integer) seq.getObjectAt(1)).getValue();
+                BigInteger q = ((ASN1Integer) seq.getObjectAt(2)).getValue();
+                BigInteger g = ((ASN1Integer) seq.getObjectAt(3)).getValue();
+                return dsaFactory.generatePublic(new DSAPublicKeySpec(y, p, q, g));
+            } else if (seq.size() == 2 && seq.getObjectAt(1) instanceof DERBitString) {
+                ASN1Integer y = (ASN1Integer)
+                        new ASN1InputStream(((DERBitString) seq.getObjectAt(1)).getBytes()).readObject();
+                seq = (ASN1Sequence) ((ASN1Sequence) seq.getObjectAt(0)).getObjectAt(1);
+                BigInteger p = ((ASN1Integer) seq.getObjectAt(0)).getValue();
+                BigInteger q = ((ASN1Integer) seq.getObjectAt(1)).getValue();
+                BigInteger g = ((ASN1Integer) seq.getObjectAt(2)).getValue();
+                //System.out.println(y);
+                //System.out.println(p);
+                return dsaFactory.generatePublic(new DSAPublicKeySpec(y.getPositiveValue(), p, q, g));
+            }
         }
         return null;
     }

src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java

@@ -56,6 +56,7 @@
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.security.interfaces.RSAPrivateCrtKey;
+import java.security.spec.DSAPublicKeySpec;
 import java.security.spec.ECParameterSpec;
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.KeySpec;
@@ -64,6 +65,7 @@
 import java.security.spec.X509EncodedKeySpec;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.Enumeration;
 import java.util.List;
 
 import java.util.StringTokenizer;
@@ -466,9 +468,17 @@ public static DSAPublicKey readDSAPubKey(Reader in) throws IOException {
         final String BEG_STRING_DSA_PUBLIC = BEF_G + PEM_STRING_DSA_PUBLIC;
         final BufferedReader reader = makeBuffered(in); String line;
         while ( ( line = reader.readLine() ) != null ) {
-            if ( line.indexOf(BEG_STRING_DSA_PUBLIC) != -1 ) {
+            if ( line.indexOf(BEG_STRING_PUBLIC) != -1 ) {
                 try {
-                    return (DSAPublicKey) readPublicKey(reader, "DSA", BEF_E + PEM_STRING_DSA_PUBLIC);
+                    return readDSAPublicKey(reader, BEF_E + PEM_STRING_PUBLIC);
+                }
+                catch (Exception e) {
+                    throw mapReadException("problem creating DSA public key: ", e);
+                }
+            }
+            else if ( line.indexOf(BEG_STRING_DSA_PUBLIC) != -1 ) {
+                try {
+                    return readDSAPublicKey(reader, BEF_E + PEM_STRING_DSA_PUBLIC);
                 }
                 catch (Exception e) {
                     throw mapReadException("problem creating DSA public key: ", e);
@@ -558,7 +568,7 @@ public static RSAPublicKey readRSAPublicKey(Reader in, char[] f)
                     throw mapReadException("problem creating RSA public key: ", e);
                 }
             }
-            else if ( line.indexOf(BEF_G+PEM_STRING_RSA_PUBLIC) != -1 ) {
+            else if ( line.indexOf(BEF_G + PEM_STRING_RSA_PUBLIC) != -1 ) {
                 try {
                     return (RSAPublicKey) readPublicKey(reader, "RSA", BEF_E + PEM_STRING_RSA_PUBLIC);
                 }
@@ -1170,9 +1180,7 @@ private static RSAPublicKey readRSAPublicKey(BufferedReader in, String endMarker
         Object asnObject = new ASN1InputStream(readBase64Bytes(in, endMarker)).readObject();
         ASN1Sequence sequence = (ASN1Sequence) asnObject;
         org.bouncycastle.asn1.pkcs.RSAPublicKey rsaPubStructure = org.bouncycastle.asn1.pkcs.RSAPublicKey.getInstance(sequence);
-        RSAPublicKeySpec keySpec = new RSAPublicKeySpec(
-                    rsaPubStructure.getModulus(),
-                    rsaPubStructure.getPublicExponent());
+        RSAPublicKeySpec keySpec = new RSAPublicKeySpec(rsaPubStructure.getModulus(), rsaPubStructure.getPublicExponent());
 
         try {
             return (RSAPublicKey) SecurityHelper.getKeyFactory("RSA").generatePublic(keySpec);
@@ -1182,6 +1190,26 @@ private static RSAPublicKey readRSAPublicKey(BufferedReader in, String endMarker
         return null;
     }
 
+    private static DSAPublicKey readDSAPublicKey(BufferedReader in, String endMarker) throws IOException {
+        Object asnObject = new ASN1InputStream(readBase64Bytes(in, endMarker)).readObject();
+        Enumeration seq = ((ASN1Sequence) asnObject).getObjects();
+        ASN1Integer y = ASN1Integer.getInstance(seq.nextElement());
+        ASN1Integer p = ASN1Integer.getInstance(seq.nextElement());
+        ASN1Integer q = ASN1Integer.getInstance(seq.nextElement());
+        ASN1Integer g = ASN1Integer.getInstance(seq.nextElement());
+
+        DSAPublicKeySpec keySpec = new DSAPublicKeySpec(
+                y.getPositiveValue(), p.getPositiveValue(), q.getPositiveValue(), g.getPositiveValue()
+        );
+
+        try {
+            return (DSAPublicKey) SecurityHelper.getKeyFactory("DSA").generatePublic(keySpec);
+        }
+        catch (NoSuchAlgorithmException e) { /* ignore */ }
+        catch (InvalidKeySpecException e) { /* ignore */ }
+        return null;
+    }
+
     private static PublicKey readPublicKey(byte[] input, String alg, String endMarker) throws IOException {
         KeySpec keySpec = new X509EncodedKeySpec(input);
         try {

src/test/ruby/dsa/test_dsa.rb

@@ -71,4 +71,165 @@ def test_dsa_sys_sign_verify
     assert dsa.sysverify(digest, sig).eql?(true)
   end
 
+  def test_DSAPrivateKey
+    # OpenSSL DSAPrivateKey format; similar to RSAPrivateKey
+    dsa512 = Fixtures.pkey("dsa512")
+    asn1 = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Integer(0),
+      OpenSSL::ASN1::Integer(dsa512.p),
+      OpenSSL::ASN1::Integer(dsa512.q),
+      OpenSSL::ASN1::Integer(dsa512.g),
+      OpenSSL::ASN1::Integer(dsa512.pub_key),
+      OpenSSL::ASN1::Integer(dsa512.priv_key)
+    ])
+    key = OpenSSL::PKey::DSA.new(asn1.to_der)
+    assert_predicate key, :private?
+    assert_same_dsa dsa512, key
+
+    pem = <<~EOF
+-----BEGIN DSA PRIVATE KEY-----
+MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
+RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
+AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
+S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
+Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
+55jreJD3Se3slps=
+-----END DSA PRIVATE KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem)
+    assert_same_dsa dsa512, key
+
+    assert_equal asn1.to_der, dsa512.to_der
+    assert_equal pem, dsa512.export
+  end
+
+  def test_DSAPrivateKey_encrypted
+    # key = abcdef
+    dsa512 = Fixtures.pkey("dsa512")
+    pem = <<~EOF
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,F8BB7BFC7EAB9118AC2E3DA16C8DB1D9
+
+D2sIzsM9MLXBtlF4RW42u2GB9gX3HQ3prtVIjWPLaKBYoToRUiv8WKsjptfZuLSB
+74ZPdMS7VITM+W1HIxo/tjS80348Cwc9ou8H/E6WGat8ZUk/igLOUEII+coQS6qw
+QpuLMcCIavevX0gjdjEIkojBB81TYDofA1Bp1z1zDI/2Zhw822xapI79ZF7Rmywt
+OSyWzFaGipgDpdFsGzvT6//z0jMr0AuJVcZ0VJ5lyPGQZAeVBlbYEI4T72cC5Cz7
+XvLiaUtum6/sASD2PQqdDNpgx/WA6Vs1Po2kIUQIM5TIwyJI0GdykZcYm6xIK/ta
+Wgx6c8K+qBAIVrilw3EWxw==
+-----END DSA PRIVATE KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem, "abcdef")
+    assert_same_dsa dsa512, key
+    key = OpenSSL::PKey::DSA.new(pem) { "abcdef" }
+    assert_same_dsa dsa512, key
+
+    cipher = OpenSSL::Cipher.new("aes-128-cbc")
+    exported = dsa512.to_pem(cipher, "abcdef\0\1")
+    assert_same_dsa dsa512, OpenSSL::PKey::DSA.new(exported, "abcdef\0\1")
+    assert_raise(OpenSSL::PKey::DSAError) {
+      OpenSSL::PKey::DSA.new(exported, "abcdef")
+    }
+  end
+
+  def test_PUBKEY
+    dsa512 = Fixtures.pkey("dsa512")
+    asn1 = OpenSSL::ASN1::Sequence([
+      OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::ObjectId("DSA"),
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(dsa512.p),
+          OpenSSL::ASN1::Integer(dsa512.q),
+          OpenSSL::ASN1::Integer(dsa512.g)
+        ])
+      ]),
+      OpenSSL::ASN1::BitString(OpenSSL::ASN1::Integer(dsa512.pub_key).to_der)
+    ])
+    key = OpenSSL::PKey::DSA.new(asn1.to_der)
+    assert_not_predicate key, :private?
+    assert_same_dsa dup_public(dsa512), key
+
+    ##
+    der = "0\x81\xF10\x81\xA8\x06\a*\x86H\xCE8\x04\x010\x81\x9C\x02A\x00\xE6Px\x1A\xF10\x8E\xBB\f\x94`\xEA\x1A\xCCkn\xA7\x85F\x1E\xA8\xF4\xE5\xAD\xE8X\x13b!\x04\x1D\xA3\x98\x86B1\xBFC\xA4E\x93\xC37\x03\x86\xF7\xDE\xE6\x0E0g\xBC2u\x8B\x9E\x8E\x99-\xCCm9\xE8\xBF\x02\x15\x00\x98.o\xF6\x83\xAD \xC1\xE06F\x1F\xB52j\xB7\x1A\e.\x83\x02@}\x1D\xD1p\xFF{]\xF0\xAE%\xD4VG\xBF\xB4\xC2e\xE2wd\xB6\xFBt]\xD3Z\x81\x94?M7D*\xA8\x8E-\xFF\x94wJ\xA1WS@\xDB\x91K\xF9\xBA\x0EP\xB0\x864c\x89\x0F\xE5\x05\x18\x02,'\x1A\x03D\x00\x02A\x00\x8C\xDF=\xD4\x90c\xCE\x93#\xE1\xB5\xA0\xB0\x00\xA62\b\x05\x7F\x9E\xC3KD\xE2\xFB\x9F\xBECUA\xF2\xA9\t7\xBA\xC0\xEF\xFD\x87\xAC$w\x81;\x165\xBDX\x84\v'\x16\xCA\x1EF\xC7\x02\xF8\xBCW\xA1x\xBD8"
+    pp OpenSSL::ASN1.decode(key.to_der) if $DEBUG
+    assert_equal der, key.to_der
+
+    pem = <<~EOF
+-----BEGIN PUBLIC KEY-----
+MIHxMIGoBgcqhkjOOAQBMIGcAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgT
+YiEEHaOYhkIxv0OkRZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB
+4DZGH7UyarcaGy6DAkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqo
+ji3/lHdKoVdTQNuRS/m6DlCwhjRjiQ/lBRgCLCcaA0QAAkEAjN891JBjzpMj4bWg
+sACmMggFf57DS0Ti+5++Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxX
+oXi9OA==
+-----END PUBLIC KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem)
+    assert_same_dsa dup_public(dsa512), key
+
+    ##
+    assert_equal der, key.to_der
+
+    dup_der = dup_public(dsa512).to_der
+    # pp OpenSSL::ASN1.decode(dup_der)
+    assert_equal asn1.to_der.size, dup_der.size
+    assert_equal asn1.to_der.encoding, dup_der.encoding
+    # TODO smt slightly weird with to_der:
+    #assert_equal asn1.to_der, dup_der
+    assert_equal asn1.value[1].value, OpenSSL::ASN1.decode(dup_der).value[1].value
+    assert_equal asn1.value[0].value[0].value, OpenSSL::ASN1.decode(dup_der).value[0].value[0].value
+    assert_equal asn1.value[0].value[1].value[0].value, OpenSSL::ASN1.decode(dup_der).value[0].value[1].value[0].value
+    assert_equal asn1.value[0].value[1].value[1].value, OpenSSL::ASN1.decode(dup_der).value[0].value[1].value[1].value
+    assert_equal asn1.value[0].value[1].value[2].value, OpenSSL::ASN1.decode(dup_der).value[0].value[1].value[2].value
+
+    assert_equal pem, dup_public(dsa512).export
+  end
+
+  def test_read_DSAPublicKey_pem
+    # NOTE: where is the standard? PKey::DSA.new can read only PEM
+    p = 12260055936871293565827712385212529106400444521449663325576634579961635627321079536132296996623400607469624537382977152381984332395192110731059176842635699
+    q = 979494906553787301107832405790107343409973851677
+    g = 3731695366899846297271147240305742456317979984190506040697507048095553842519347835107669437969086119948785140453492839427038591924536131566350847469993845
+    y = 10505239074982761504240823422422813362721498896040719759460296306305851824586095328615844661273887569281276387605297130014564808567159023649684010036304695
+    pem = <<-EOF
+-----BEGIN DSA PUBLIC KEY-----
+MIHfAkEAyJSJ+g+P/knVcgDwwTzC7Pwg/pWs2EMd/r+lYlXhNfzg0biuXRul8VR4
+VUC/phySExY0PdcqItkR/xYAYNMbNwJBAOoV57X0FxKO/PrNa/MkoWzkCKV/hzhE
+p0zbFdsicw+hIjJ7S6Sd/FlDlo89HQZ2FuvWJ6wGLM1j00r39+F2qbMCFQCrkhIX
+SG+is37hz1IaBeEudjB2HQJAR0AloavBvtsng8obsjLb7EKnB+pSeHr/BdIQ3VH7
+fWLOqqkzFeRrYMDzUpl36XktY6Yq8EJYlW9pCMmBVNy/dQ==
+-----END DSA PUBLIC KEY-----
+    EOF
+    key = OpenSSL::PKey::DSA.new(pem)
+    assert(key.public?)
+    assert(!key.private?)
+    assert_equal(p, key.p)
+    assert_equal(q, key.q)
+    assert_equal(g, key.g)
+    assert_equal(y, key.pub_key)
+    assert_equal(nil, key.priv_key)
+  end
+
+  private
+
+  def assert_same_dsa(expected, key)
+    check_component(expected, key, [:p, :q, :g, :pub_key, :priv_key])
+  end
+
+  def check_component(base, test, keys)
+    keys.each { |comp| assert_equal base.send(comp), test.send(comp) }
+  end
+
+  def dup_public(key)
+    case key
+    when OpenSSL::PKey::DSA
+      dsa = OpenSSL::PKey::DSA.new
+      dsa.set_pqg(key.p, key.q, key.g)
+      dsa.set_key(key.pub_key, nil)
+      dsa
+    else
+      raise "unknown key type: #{key.class}"
+    end
+  end
+
 end

src/test/ruby/fixtures/pkey/dsa512

@@ -0,0 +1,8 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIH4AgEAAkEA5lB4GvEwjrsMlGDqGsxrbqeFRh6o9OWt6FgTYiEEHaOYhkIxv0Ok
+RZPDNwOG997mDjBnvDJ1i56OmS3MbTnovwIVAJgub/aDrSDB4DZGH7UyarcaGy6D
+AkB9HdFw/3td8K4l1FZHv7TCZeJ3ZLb7dF3TWoGUP003RCqoji3/lHdKoVdTQNuR
+S/m6DlCwhjRjiQ/lBRgCLCcaAkEAjN891JBjzpMj4bWgsACmMggFf57DS0Ti+5++
+Q1VB8qkJN7rA7/2HrCR3gTsWNb1YhAsnFsoeRscC+LxXoXi9OAIUBG98h4tilg6S
+55jreJD3Se3slps=
+-----END DSA PRIVATE KEY-----