Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 2.x] Use boucycastle PEM reader instead of reg expression (#2864) #2877

Merged
merged 1 commit into from
Jun 20, 2023
Merged

[Backport 2.x] Use boucycastle PEM reader instead of reg expression (#2864) #2877

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 22 additions & 69 deletions src/main/java/org/opensearch/security/support/PemKeyReader.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,11 @@
package org.opensearch.security.support;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
Expand All @@ -53,8 +51,6 @@
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
Expand All @@ -65,89 +61,46 @@

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

import org.opensearch.OpenSearchException;
import org.opensearch.common.settings.Settings;
import org.opensearch.env.Environment;

public final class PemKeyReader {

//private static final String[] EMPTY_STRING_ARRAY = new String[0];
protected static final Logger log = LogManager.getLogger(PemKeyReader.class);
private static final Logger log = LogManager.getLogger(PemKeyReader.class);
static final String JKS = "JKS";
static final String PKCS12 = "PKCS12";

private static final Pattern KEY_PATTERN = Pattern.compile(
"-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+(?:\\s|\\r|\\n)+" + // Header
"([a-z0-9+/=\\r\\n]+)" + // Base64 text
"-+END\\s+.*PRIVATE\\s+KEY[^-]*-+", // Footer
Pattern.CASE_INSENSITIVE);

private static byte[] readPrivateKey(File file) throws KeyException {
try {
InputStream in = new FileInputStream(file);

try {
return readPrivateKey(in);
} finally {
safeClose(in);
}
} catch (FileNotFoundException e) {
try (final InputStream in = new FileInputStream(file)) {
return readPrivateKey(in);
} catch (final IOException e) {
throw new KeyException("could not fine key file: " + file);
}
}

private static byte[] readPrivateKey(InputStream in) throws KeyException {
String content;
try {
content = readContent(in);
} catch (IOException e) {
throw new KeyException("failed to read key input stream", e);
}

Matcher m = KEY_PATTERN.matcher(content);
if (!m.find()) {
throw new KeyException("could not find a PKCS #8 private key in input stream" +
" (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)");
}

return Base64.decode(m.group(1));
}

private static String readContent(InputStream in) throws IOException {
ByteArrayOutputStream out = new ByteArrayOutputStream();
try {
byte[] buf = new byte[8192];
for (;;) {
int ret = in.read(buf);
if (ret < 0) {
break;
}
out.write(buf, 0, ret);
private static byte[] readPrivateKey(final InputStream in) throws KeyException {
try (final PemReader pemReader = new PemReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
final PemObject pemObject = pemReader.readPemObject();
if (pemObject == null) {
throw new KeyException(
"could not find a PKCS #8 private key in input stream"
+ " (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)"
);
}
return out.toString(StandardCharsets.US_ASCII.name());
} finally {
safeClose(out);
return pemObject.getContent();
} catch (final IOException ioe) {
throw new KeyException(
"could not find a PKCS #8 private key in input stream"
+ " (see http://netty.io/wiki/sslcontextbuilder-and-private-key.html for more information)",
ioe
);
}
}

private static void safeClose(InputStream in) {
try {
in.close();
} catch (IOException e) {
//ignore
}
}

private static void safeClose(OutputStream out) {
try {
out.close();
} catch (IOException e) {
//ignore
}
}

public static PrivateKey toPrivateKey(File keyFile, String keyPassword) throws NoSuchAlgorithmException, NoSuchPaddingException,
InvalidKeySpecException, InvalidAlgorithmParameterException, KeyException, IOException {
if (keyFile == null) {
Expand Down
26 changes: 14 additions & 12 deletions src/test/java/com/amazon/dlic/auth/http/saml/HTTPSamlAuthenticatorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,8 @@ public class HTTPSamlAuthenticatorTest {
+ "XXIa8gT/MdNT0+W3NHKcbE31pDhOI92COZWlhOyp1cLhyo1ytayjxPTl/2RM/Vtj\n" + "T9IKkp7810LOKhrCDQ==\n"
+ "-----END ENCRYPTED PRIVATE KEY-----";

private final static String PRIVATE_KEY_PATTERN = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----";

private static X509Certificate spSigningCertificate;
private static PrivateKey spSigningPrivateKey;

Expand Down Expand Up @@ -159,8 +161,8 @@ public void decryptAssertionsTest() throws Exception {

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down Expand Up @@ -198,8 +200,8 @@ public void shouldUnescapeSamlEntitiesTest() throws Exception {

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down Expand Up @@ -240,8 +242,8 @@ public void shouldUnescapeSamlEntitiesTest2() throws Exception {

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down Expand Up @@ -282,8 +284,8 @@ public void shouldNotEscapeSamlEntities() throws Exception {

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down Expand Up @@ -324,8 +326,8 @@ public void shouldNotTrimWhitespaceInJwtRoles() throws Exception {

Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("exchange_key", "abc").put("roles_key", "roles").put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down Expand Up @@ -663,8 +665,8 @@ public void basicLogoutTest() throws Exception {
Settings settings = Settings.builder().put(IDP_METADATA_URL, mockSamlIdpServer.getMetadataUri())
.put("kibana_url", "http://wherever").put("idp.entity_id", mockSamlIdpServer.getIdpEntityId())
.put("exchange_key", "abc").put("roles_key", "roles")
.put("sp.signature_private_key", "-BEGIN PRIVATE KEY-\n"
+ Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded()) + "-END PRIVATE KEY-")
.put("sp.signature_private_key",
String.format(PRIVATE_KEY_PATTERN, Base64.getEncoder().encodeToString(spSigningPrivateKey.getEncoded())))
.put("path.home", ".").build();

HTTPSamlAuthenticator samlAuthenticator = new HTTPSamlAuthenticator(settings, null);
Expand Down