[FAB-8606] Parse non-PKCS8 encoded TLS keys

mastersingh24 · cr22rc · commit dc2b94f4ca61 · 2018-03-01T16:18:36.000Z
CryptoPrimitives.bytesToPrivateKey was only
parsing PKCS8 encoded keys which being with
a "BEGIN EC PRIVATE KEY" header.  This change
addes support for parsing keys with a
"BEGIN PRIVATE KEY" header.

Change-Id: I5c9ba740a1f88be56df373cd206f117e005b3bde
Signed-off-by: Gari Singh &lt;gari.r.singh@gmail.com&gt;
diff --git a/src/main/java/org/hyperledger/fabric/sdk/Endpoint.java b/src/main/java/org/hyperledger/fabric/sdk/Endpoint.java
@@ -40,6 +40,7 @@
 import io.grpc.netty.NegotiationType;
 import io.grpc.netty.NettyChannelBuilder;
 import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 import io.netty.handler.ssl.SslProvider;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.logging.Log;
@@ -76,7 +77,7 @@ class Endpoint {
         String sslp = null;
         String nt = null;
         byte[] pemBytes = null;
-        X509Certificate[] clientCert = new X509Certificate[] {};
+        X509Certificate[] clientCert = null;
         PrivateKey clientKey = null;
         Properties purl = parseGrpcUrl(url);
         String protocol = purl.getProperty("protocol");
@@ -200,10 +201,17 @@ class Endpoint {
                         NegotiationType ntype = nt.equals("TLS") ? NegotiationType.TLS : NegotiationType.PLAINTEXT;
 
                         InputStream myInputStream = new ByteArrayInputStream(pemBytes);
-                        SslContext sslContext = GrpcSslContexts.forClient().trustManager(myInputStream)
-                                .sslProvider(sslprovider).keyManager(clientKey, clientCert).build();
-                        this.channelBuilder = NettyChannelBuilder.forAddress(addr, port).sslContext(sslContext)
-                                .negotiationType(ntype);
+                        SslContextBuilder clientContextBuilder = GrpcSslContexts.configure(SslContextBuilder.forClient(), sslprovider);
+                        if (clientKey != null && clientCert != null) {
+                            clientContextBuilder = clientContextBuilder.keyManager(clientKey, clientCert);
+                        }
+                        SslContext sslContext = clientContextBuilder
+                            .trustManager(myInputStream)
+                            .build();
+                        this.channelBuilder = NettyChannelBuilder
+                            .forAddress(addr, port)
+                            .sslContext(sslContext)
+                            .negotiationType(ntype);
                         if (cn != null) {
                             channelBuilder.overrideAuthority(cn);
                         }
diff --git a/src/main/java/org/hyperledger/fabric/sdk/security/CryptoPrimitives.java b/src/main/java/org/hyperledger/fabric/sdk/security/CryptoPrimitives.java
@@ -67,6 +67,7 @@
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DERSequenceGenerator;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.asn1.x9.ECNamedCurveTable;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.crypto.Digest;
@@ -272,13 +273,19 @@ public PrivateKey bytesToPrivateKey(byte[] pemKey) throws CryptoException {
         CryptoException ce = null;
 
         try {
+            PemReader pr = new PemReader(new StringReader(new String(pemKey)));
+            PemObject po = pr.readPemObject();
             PEMParser pem = new PEMParser(new StringReader(new String(pemKey)));
-            PEMKeyPair kp = (PEMKeyPair) pem.readObject();
-            pk = new JcaPEMKeyConverter().getPrivateKey(kp.getPrivateKeyInfo());
+            logger.debug("found private key with type " + po.getType());
+            if (po.getType().equals("PRIVATE KEY")) {
+                pk = new JcaPEMKeyConverter().getPrivateKey((PrivateKeyInfo) pem.readObject());
+            } else {
+                PEMKeyPair kp = (PEMKeyPair) pem.readObject();
+                pk = new JcaPEMKeyConverter().getPrivateKey(kp.getPrivateKeyInfo());
+            }
         } catch (Exception e) {
             throw new CryptoException("Failed to convert private key bytes", e);
         }
-
         return pk;
     }
 
diff --git a/src/test/java/org/hyperledger/fabric/sdk/security/CryptoPrimitivesTest.java b/src/test/java/org/hyperledger/fabric/sdk/security/CryptoPrimitivesTest.java
@@ -481,6 +481,16 @@ public void testBytesToPrivateKey() {
         }
     }
 
+    @Test
+    public void testBytesToPrivateKeyPKCS8() {
+        try {
+            byte[] bytes = Files.readAllBytes(Paths.get(System.getProperty("user.dir") + "/src/test/resources/tls-client-pk8.key"));
+            PrivateKey pk = crypto.bytesToPrivateKey(bytes);
+        } catch (Exception e) {
+            Assert.fail("failed to parse private key bytes: " + e.toString());
+        }
+    }
+
     @Test
     public void testValidateNotSignedCertificate() {
         try {
diff --git a/src/test/resources/tls-client-pk8.key b/src/test/resources/tls-client-pk8.key
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDeqhgW+fezuKdH/rZyvfHcDLP16olZ6Ny+eotH30UODoAoGCCqGSM49
+AwEHoUQDQgAEU5E1z3PD12Q/tB6+vAfEcnD8NFhIaPe3DMP6KosNQurERxCme92u
+jeJyu7wh4CNAjWaXXCEv3NKez32S1DSZzw==
+-----END EC PRIVATE KEY-----
diff --git a/src/test/resources/tls-client.crt b/src/test/resources/tls-client.crt
@@ -1,13 +1,14 @@
 -----BEGIN CERTIFICATE-----
-MIIB9DCCAZqgAwIBAgIRANRocgthhzNb+AG+Kor1a9swCgYIKoZIzj0EAwIwWDEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBG
-cmFuY2lzY28xDTALBgNVBAoTBE9yZzExDTALBgNVBAMTBE9yZzEwHhcNMTYxMjMw
-MTQwOTAxWhcNMjYxMjI4MTQwOTAxWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
-Q2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMT3Jn
-MS1jbGllbnQxMRUwEwYDVQQDEwxPcmcxLWNsaWVudDEwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAARn1VE6aKXiOUOb8nnIKjXuw3iqbbDlPRyyEJE3jiN4xejPd33z
-vqUOoYZzc0i4O8naEQ+wji3uiPHRbhxsiGKJozUwMzAOBgNVHQ8BAf8EBAMCBaAw
-EwYDVR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAKBggqhkjOPQQDAgNI
-ADBFAiEAvO4Q7FQQjSIaGZ9ErlVMggwjCclTjHuoD+OTGPKq2kUCIBaJcSBDvnpe
-B+kwGPDFlQEiUJqClG5xr6e70Nun9YT2
+MIICKjCCAdKgAwIBAgIQHdoThVFH8Cpj80yagaC1ZjAKBggqhkjOPQQDAjBsMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzEUMBIGA1UEChMLZXhhbXBsZS5jb20xGjAYBgNVBAMTEXRsc2NhLmV4
+YW1wbGUuY29tMB4XDTE4MDIwODIxMzg0M1oXDTI4MDIwNjIxMzg0M1owVjELMAkG
+A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFu
+Y2lzY28xGjAYBgNVBAMMEUFkbWluQGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEATwC+h2CHiRKb1sWBixaXfvCZl+DCcfVo7mZ68KEVlyb8i3v
+ra7UYDwDP5UAiVEf475rfzv6i+nFKo7s5rYyL6NsMGowDgYDVR0PAQH/BAQDAgWg
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMCsG
+A1UdIwQkMCKAIKA2x8Bl5f6FZjCqbLr63fJWsGCt5I2dxda99KYVnk3CMAoGCCqG
+SM49BAMCA0YAMEMCIBKLO/U8TR73b+C23oUL7E78ksrAiOzfA73QcDNex8Y2Ah9E
+XEhzrEuw9aPwDpQ3gr3p9JHy21NQrKMtAByYs5Pg
 -----END CERTIFICATE-----
diff --git a/src/test/resources/tls-client.key b/src/test/resources/tls-client.key
@@ -1,5 +1,5 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEILEK9gVnh8MFQ/haNGYxE3jpOGes/KWxPBB772JzEXXhoAoGCCqGSM49
-AwEHoUQDQgAEZ9VROmil4jlDm/J5yCo17sN4qm2w5T0cshCRN44jeMXoz3d9876l
-DqGGc3NIuDvJ2hEPsI4t7ojx0W4cbIhiiQ==
------END EC PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgteCY4ZUmq6WcPcsG
+DP210VN9IJi7Q/iF9s3NyViWkDyhRANCAAQBPAL6HYIeJEpvWxYGLFpd+8JmX4MJ
+x9WjuZnrwoRWXJvyLe+trtRgPAM/lQCJUR/jvmt/O/qL6cUqjuzmtjIv
+-----END PRIVATE KEY-----
