Load encrypted private keys + tests

(cherry picked from commit a2c7ae2)

Author: sgrampone

gamutils/src/main/java/com/genexus/gam/utils/keys/PrivateKeyUtil.java

@@ -6,16 +6,22 @@
 import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMKeyPair;
 import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.operator.InputDecryptorProvider;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+import org.bouncycastle.pkcs.jcajce.JcePKCSPBEInputDecryptorProviderBuilder;
 import org.bouncycastle.util.encoders.Base64;
 
+import javax.crypto.EncryptedPrivateKeyInfo;
 import java.io.FileReader;
 import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.KeyFactory;
 import java.security.KeyStore;
+import java.security.Security;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.spec.PKCS8EncodedKeySpec;
 
@@ -49,7 +55,7 @@ public static PrivateKeyUtil value(String ext) {
 
 	public static RSAPrivateKey getPrivateKey(String path, String alias, String password) {
 		String extension = FilenameUtils.getExtension(path);
-		PrivateKeyUtil ext = extension.isEmpty() ? PrivateKeyUtil.value("b64"): PrivateKeyUtil.value(extension);
+		PrivateKeyUtil ext = extension.isEmpty() ? PrivateKeyUtil.value("b64") : PrivateKeyUtil.value(extension);
 		switch (ext) {
 			case pfx:
 			case jks:
@@ -58,7 +64,7 @@ public static RSAPrivateKey getPrivateKey(String path, String alias, String pass
 				return loadFromPkcs12(path, alias, password);
 			case pem:
 			case key:
-				return loadFromPkcs8(path);
+				return loadFromPkcs8(path, password);
 			case b64:
 				return loadFromBase64(path);
 			default:
@@ -67,20 +73,18 @@ public static RSAPrivateKey getPrivateKey(String path, String alias, String pass
 		}
 	}
 
-	private static RSAPrivateKey loadFromBase64(String base64)
-	{
+	private static RSAPrivateKey loadFromBase64(String base64) {
 		logger.debug("loadFromBase64");
-		try(ASN1InputStream stream = new ASN1InputStream(Base64.decode(base64))) {
+		try (ASN1InputStream stream = new ASN1InputStream(Base64.decode(base64))) {
 			ASN1Sequence seq = (ASN1Sequence) stream.readObject();
 			return castPrivateKeyInfo(PrivateKeyInfo.getInstance(seq));
-		}catch (Exception e)
-		{
+		} catch (Exception e) {
 			logger.error("loadFromBase64", e);
 			return null;
 		}
 	}
 
-	private static RSAPrivateKey loadFromPkcs8(String path) {
+	private static RSAPrivateKey loadFromPkcs8(String path, String password) {
 		logger.debug("loadFromPkcs8");
 		try (FileReader privateKeyReader = new FileReader(path)) {
 			try (PEMParser parser = new PEMParser(privateKeyReader)) {
@@ -91,6 +95,13 @@ private static RSAPrivateKey loadFromPkcs8(String path) {
 				} else if (obj instanceof PEMKeyPair) {
 					PEMKeyPair pemKeyPair = (PEMKeyPair) obj;
 					return castPrivateKeyInfo(pemKeyPair.getPrivateKeyInfo());
+				} else if (obj instanceof EncryptedPrivateKeyInfo || obj instanceof PKCS8EncryptedPrivateKeyInfo) {
+					logger.debug("loadFromPkcs8 encrypted private key");
+					Security.addProvider(new BouncyCastleProvider());
+					PKCS8EncryptedPrivateKeyInfo encPrivKeyInfo = (PKCS8EncryptedPrivateKeyInfo) obj;
+					InputDecryptorProvider pkcs8Prov = new JcePKCSPBEInputDecryptorProviderBuilder().setProvider("BC")
+						.build(password.toCharArray());
+					return castPrivateKeyInfo(encPrivKeyInfo.decryptPrivateKeyInfo(pkcs8Prov));
 				} else {
 					logger.error("loadFromPkcs8: Could not load private key");
 					return null;

gamutils/src/test/java/com/genexus/gam/utils/test/JwtTest.java

@@ -108,6 +108,13 @@ public void testCreatePkcs8()
 		Assert.assertFalse("testCreatePkcs8", token.isEmpty());
 	}
 
+	@Test
+	public void testCreateEncryptedPkcs8()
+	{
+		String token = GamUtilsEO.createJWTWithFile(path_RSA_sha256_2048 + "sha256_key.pem", "", password, payload, header);
+		Assert.assertFalse("testCreateEncryptedPkcs8", token.isEmpty());
+	}
+
 	@Test
 	public void testVerifyDer() {
 		boolean result = GamUtilsEO.verifyJWTWithFile(path_RSA_sha256_2048 + "sha256_cert.cer", "", "", tokenFile);

gamutils/src/test/java/com/genexus/gam/utils/test/PrivateKeyTest.java

@@ -71,4 +71,11 @@ public void testLoadBase64() {
 		RSAPrivateKey key = PrivateKeyUtil.getPrivateKey(base64, "", "");
 		Assert.assertNotNull("testLoadBase64", key);
 	}
+
+	@Test
+	public void testLoadEncryptedPkcs8()
+	{
+		RSAPrivateKey key = PrivateKeyUtil.getPrivateKey(path_RSA_sha256_2048 + "sha256_key.pem", "", password);
+		Assert.assertNotNull("testLoadEncryptedPkcs8", key);
+	}
 }

gamutils/src/test/java/com/genexus/gam/utils/test/RandomTest.java

@@ -1,6 +1,7 @@
 package com.genexus.gam.utils.test;
 
 import com.genexus.gam.GamUtilsEO;
+import org.bouncycastle.util.encoders.Hex;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
@@ -52,4 +53,24 @@ public void testRandomAlphanumeric() {
 		String l256_string = GamUtilsEO.randomAlphanumeric(l256);
 		Assert.assertEquals("l256 alphanumeric: ", l256, l256_string.length());
 	}
+
+	@Test
+	public void testHexaBits() {
+		int[] lengths = new int[]{32, 64, 128, 256, 512, 1024};
+		for (int n : lengths) {
+			String hexa = GamUtilsEO.randomHexaBits(n);
+			Assert.assertFalse("TestHexaBits", hexa.isEmpty());
+			try
+			{
+				byte[] decoded = Hex.decode(hexa);
+				if(decoded.length*8 != n)
+				{
+					Assert.fail("testHexaBits wrong hexa length");
+				}
+			}catch(Exception e)
+			{
+				Assert.fail("testHexaBits not hexa characters" + e.getMessage());
+			}
+		}
+	}
 }

gamutils/src/test/resources/dummycerts/RSA_sha256_2048/sha256_key.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI5Xxbb/ckzykCAggA
+MBQGCCqGSIb3DQMHBAiLR0U2DKvbeQSCBMg5y4x5chPFsx7N081HcFhNVV2xwvIx
+vbRcBeBUhiVaJUuJfRSXzwm16oqV7bZj91IkbePXGwkhHPeBoyy0yrNgsfFJ+t05
+lQU7vKxSFCiTdijGVbp2nxntOb1yRPkc2pA0iSSED00QNHpjDgcpywAKPDmRJSyM
+mWDmrYzQYLTzyFgmcec53B27DXfHoGHBGwq1lfdKGzlphJPDxd+w+2VuAl33Zuq4
+oriu69l4CHcg64vJAa/Y9BkW3HiAytKaEBHHAuE8W2mHYfW4DwZlBur+lo+aUiNV
+4RFOH1xdej/k4feMXsOnYak93gZIbWyr/8MljbQJLNlE+NkheNzAyTT2a9P04JOv
+GUqv45EO9PIdDBemJxCiK4wmeoS/KhJ/zyictOsc1W659lzdCpCIecu0t/1La5b2
+/MWIkdDmqvE4CSNEmGNykLejKKjvGwk9hTsnpckoo44eNjSiElcItd6d0nZr8o9Q
+h8kK8GF0bRjYYqiXoCO5WCO6h6IcJEVmx58/Y07yQ504Djih5eU5TrbPfVcUNcYy
+fWbcai0/X6SSEJXOuvHtx6s+7Y8f3Uo9mh3UI2we4C7zPABvlGTDMRliamcUc4AD
+8BCahJZuOTN1mkYae+G1IpFW3E12z7+C9bQ6tuundntPuc+GJvEw/Clss6dZ5b3w
++Gf+5Kc9PlPu/UxGTUFntN5AB2GGheERtw6UFG+Wf34aHg8uYPXnOYXK1ssnhXlI
+TxbKSUBiirR/LwoXVapepQdLXfVxirW/QVB42dcH0mjtkgSy5k7teaKZV3eZQhid
+Ja9tGq6cMEngzd7BNWA+zzrjn/Jj5DbnnQhYuBr+w82qfiVqc6VYxTCcs2KJK1lU
+LuwXfygNcksvw+7w0tLqUWNsY1M1ZtmnSWiAW76G6ARugmTevYa0WXLAo/N74c96
+ORW0n8ZSQa7zhROJgefbXsuG4brTRnQMAJc+SzH09BRU8m3xeo8bygUGrN/aDyQy
+DZ37pcWwFXlLRRshYoRqCW7v8TDVnCMSM9aujGnlSyK/l/88BCJuiLziHWPiJgvk
+1x68JoEN/fxLh7O3qTYpUiyfVN8LHB6tqqJe97p12BAzo1HX5WSoq2a/oYl4Hqa2
+VfCwiI11NrUpv1EIKfa2yspRk4JVz38dT+KbxB5mz0MgEL8aq/9cJ4ISersTK2UU
+ZJQPgPvJzbnXU4Vh0ON4P7f724eZvTxzGiiJZAIWrqiR7TyEd4J65r3FbBU1xpLU
+tTgrvv38EkA9+qoAG9CjukGTn1k0T8jNC3vxkn4f2nIMn1n9YbvsiVsjzq1UKzRt
+nxHHzMOfKnt092HsO8dtXwZadrpYcoZk9qVx9xbA1RO9rv9CSqLszWThUOT6xXmG
+3F2ff9jXJjHtAog70TCrU2/bXZmZCmuHG78aLtSUSyNSgCc+Lp9CBQmc0QHrqjCS
+7qwHXhdriOElj0fDwuFOk9pXUfc4t4YDWQGxY7+YWnS7RXCye9YI90U/8TyhLBOs
+JZY2DDlOskC0NoIkqHfb2jyHMtW1BzmQIQ0tfKTxTzyg/dOZKJuIWhvpi9LTHDCI
++Er7OrZ0vf91c5FraxPaXatdw4laiNMak9fgWNsp44jIxYHi0zVQLkjQKDuKVoZo
+Vzk=
+-----END ENCRYPTED PRIVATE KEY-----