Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Polish RsaKeyConverters 

- Remove potential for returning null
- Remove potential for parsing more than one header

Issue gh-9736
This commit is contained in:
Josh Cummings 2021-07-12 14:11:52 -06:00
parent 5f7d871258
commit 01af7877ea
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
1 changed files with 71 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
core/src/main/java/org/springframework/security/converter/RsaKeyConverters.java
View File

@ -35,6 +35,7 @@ import java.util.List;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
import org.springframework.lang.NonNull;
import org.springframework.util.Assert; import org.springframework.util.Assert;
/** /**
@ -110,41 +111,18 @@ public final class RsaKeyConverters {
* return a {@link RSAPublicKey}. * return a {@link RSAPublicKey}.
*/ */
public static Converter<InputStream, RSAPublicKey> x509() { public static Converter<InputStream, RSAPublicKey> x509() {
KeyFactory keyFactory = rsaFactory(); X509PemDecoder pemDecoder = new X509PemDecoder(rsaFactory());
CertificateFactory certificateFactory = x509CertificateFactory(); X509CertificateDecoder certDecoder = new X509CertificateDecoder(x509CertificateFactory());
return (source) -> { return (source) -> {
List<String> lines = readAllLines(source); List<String> lines = readAllLines(source);
Assert.isTrue( Assert.notEmpty(lines, "Input stream is empty");
!lines.isEmpty() String encodingHint = lines.get(0);
&& (lines.get(0).startsWith(X509_PEM_HEADER) || lines.get(0).startsWith(X509_CERT_HEADER)), Converter<List<String>, RSAPublicKey> decoder = encodingHint.startsWith(X509_PEM_HEADER) ? pemDecoder
: encodingHint.startsWith(X509_CERT_HEADER) ? certDecoder : null;
Assert.notNull(decoder,
"Key is not in PEM-encoded X.509 format or a valid X.509 certificate, please check that the header begins with " "Key is not in PEM-encoded X.509 format or a valid X.509 certificate, please check that the header begins with "
+ X509_PEM_HEADER + " or " + X509_CERT_HEADER); + X509_PEM_HEADER + " or " + X509_CERT_HEADER);
StringBuilder base64Encoded = new StringBuilder(); return decoder.convert(lines);
for (String line : lines) {
if (RsaKeyConverters.isNotX509PemWrapper(line) && isNotX509CertificateWrapper(line)) {
base64Encoded.append(line);
}
}
byte[] x509 = Base64.getDecoder().decode(base64Encoded.toString());
if (lines.get(0).startsWith(X509_PEM_HEADER)) {
try {
return (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(x509));
}
catch (Exception ex) {
throw new IllegalArgumentException(ex);
}
}
if (lines.get(0).startsWith(X509_CERT_HEADER)) {
try (InputStream x509CertStream = new ByteArrayInputStream(x509)) {
X509Certificate certificate = (X509Certificate) certificateFactory
.generateCertificate(x509CertStream);
return (RSAPublicKey) certificate.getPublicKey();
}
catch (CertificateException | IOException ex) {
throw new IllegalArgumentException(ex);
}
}
return null;
}; };
} }
@ -175,12 +153,70 @@ public final class RsaKeyConverters {
return !PKCS8_PEM_HEADER.equals(line) && !PKCS8_PEM_FOOTER.equals(line); return !PKCS8_PEM_HEADER.equals(line) && !PKCS8_PEM_FOOTER.equals(line);
} }
private static boolean isNotX509PemWrapper(String line) { private static class X509PemDecoder implements Converter<List<String>, RSAPublicKey> {
private final KeyFactory keyFactory;
X509PemDecoder(KeyFactory keyFactory) {
this.keyFactory = keyFactory;
}
@Override
@NonNull
public RSAPublicKey convert(List<String> lines) {
StringBuilder base64Encoded = new StringBuilder();
for (String line : lines) {
if (isNotX509PemWrapper(line)) {
base64Encoded.append(line);
}
}
byte[] x509 = Base64.getDecoder().decode(base64Encoded.toString());
try {
return (RSAPublicKey) this.keyFactory.generatePublic(new X509EncodedKeySpec(x509));
}
catch (Exception ex) {
throw new IllegalArgumentException(ex);
}
}
private boolean isNotX509PemWrapper(String line) {
return !X509_PEM_HEADER.equals(line) && !X509_PEM_FOOTER.equals(line); return !X509_PEM_HEADER.equals(line) && !X509_PEM_FOOTER.equals(line);
} }
private static boolean isNotX509CertificateWrapper(String line) { }
private static class X509CertificateDecoder implements Converter<List<String>, RSAPublicKey> {
private final CertificateFactory certificateFactory;
X509CertificateDecoder(CertificateFactory certificateFactory) {
this.certificateFactory = certificateFactory;
}
@Override
@NonNull
public RSAPublicKey convert(List<String> lines) {
StringBuilder base64Encoded = new StringBuilder();
for (String line : lines) {
if (isNotX509CertificateWrapper(line)) {
base64Encoded.append(line);
}
}
byte[] x509 = Base64.getDecoder().decode(base64Encoded.toString());
try (InputStream x509CertStream = new ByteArrayInputStream(x509)) {
X509Certificate certificate = (X509Certificate) this.certificateFactory
.generateCertificate(x509CertStream);
return (RSAPublicKey) certificate.getPublicKey();
}
catch (CertificateException | IOException ex) {
throw new IllegalArgumentException(ex);
}
}
private boolean isNotX509CertificateWrapper(String line) {
return !X509_CERT_HEADER.equals(line) && !X509_CERT_FOOTER.equals(line); return !X509_CERT_HEADER.equals(line) && !X509_CERT_FOOTER.equals(line);
} }
}
} }