View Javadoc
1   /*
2    * Copyright 2016 The Netty Project
3    *
4    * The Netty Project licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  package io.netty.handler.ssl;
17  
18  import java.security.PrivateKey;
19  
20  import javax.security.auth.Destroyable;
21  
22  import io.netty.buffer.ByteBuf;
23  import io.netty.buffer.ByteBufAllocator;
24  import io.netty.buffer.Unpooled;
25  import io.netty.util.AbstractReferenceCounted;
26  import io.netty.util.CharsetUtil;
27  import io.netty.util.IllegalReferenceCountException;
28  import io.netty.util.internal.ObjectUtil;
29  
30  /**
31   * This is a special purpose implementation of a {@link PrivateKey} which allows the
32   * user to pass PEM/PKCS#8 encoded key material straight into {@link OpenSslContext}
33   * without having to parse and re-encode bytes in Java land.
34   *
35   * All methods other than what's implemented in {@link PemEncoded} and {@link Destroyable}
36   * throw {@link UnsupportedOperationException}s.
37   *
38   * @see PemEncoded
39   * @see OpenSslContext
40   * @see #valueOf(byte[])
41   * @see #valueOf(ByteBuf)
42   */
43  public final class PemPrivateKey extends AbstractReferenceCounted implements PrivateKey, PemEncoded {
44      private static final long serialVersionUID = 7978017465645018936L;
45  
46      private static final byte[] BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\n".getBytes(CharsetUtil.US_ASCII);
47      private static final byte[] END_PRIVATE_KEY = "\n-----END PRIVATE KEY-----\n".getBytes(CharsetUtil.US_ASCII);
48  
49      private static final String PKCS8_FORMAT = "PKCS#8";
50  
51      /**
52       * Creates a {@link PemEncoded} value from the {@link PrivateKey}.
53       */
54      static PemEncoded toPEM(ByteBufAllocator allocator, boolean useDirect, PrivateKey key) {
55          // We can take a shortcut if the private key happens to be already
56          // PEM/PKCS#8 encoded. This is the ideal case and reason why all
57          // this exists. It allows the user to pass pre-encoded bytes straight
58          // into OpenSSL without having to do any of the extra work.
59          if (key instanceof PemEncoded) {
60              return ((PemEncoded) key).retain();
61          }
62  
63          byte[] bytes = key.getEncoded();
64          if (bytes == null) {
65              throw new IllegalArgumentException(key.getClass().getName() + " does not support encoding");
66          }
67  
68          return toPEM(allocator, useDirect, bytes);
69      }
70  
71      static PemEncoded toPEM(ByteBufAllocator allocator, boolean useDirect, byte[] bytes) {
72          ByteBuf encoded = Unpooled.wrappedBuffer(bytes);
73          try {
74              ByteBuf base64 = SslUtils.toBase64(allocator, encoded);
75              try {
76                  int size = BEGIN_PRIVATE_KEY.length + base64.readableBytes() + END_PRIVATE_KEY.length;
77  
78                  boolean success = false;
79                  final ByteBuf pem = useDirect ? allocator.directBuffer(size) : allocator.buffer(size);
80                  try {
81                      pem.writeBytes(BEGIN_PRIVATE_KEY);
82                      pem.writeBytes(base64);
83                      pem.writeBytes(END_PRIVATE_KEY);
84  
85                      PemValue value = new PemValue(pem, true);
86                      success = true;
87                      return value;
88                  } finally {
89                      // Make sure we never leak that PEM ByteBuf if there's an Exception.
90                      if (!success) {
91                          SslUtils.zerooutAndRelease(pem);
92                      }
93                  }
94              } finally {
95                  SslUtils.zerooutAndRelease(base64);
96              }
97          } finally {
98              SslUtils.zerooutAndRelease(encoded);
99          }
100     }
101 
102     /**
103      * Creates a {@link PemPrivateKey} from raw {@code byte[]}.
104      *
105      * ATTENTION: It's assumed that the given argument is a PEM/PKCS#8 encoded value.
106      * No input validation is performed to validate it.
107      */
108     public static PemPrivateKey valueOf(byte[] key) {
109         return valueOf(Unpooled.wrappedBuffer(key));
110     }
111 
112     /**
113      * Creates a {@link PemPrivateKey} from raw {@code ByteBuf}.
114      *
115      * ATTENTION: It's assumed that the given argument is a PEM/PKCS#8 encoded value.
116      * No input validation is performed to validate it.
117      */
118     public static PemPrivateKey valueOf(ByteBuf key) {
119         return new PemPrivateKey(key);
120     }
121 
122     private final ByteBuf content;
123 
124     private PemPrivateKey(ByteBuf content) {
125         this.content = ObjectUtil.checkNotNull(content, "content");
126     }
127 
128     @Override
129     public boolean isSensitive() {
130         return true;
131     }
132 
133     @Override
134     public ByteBuf content() {
135         int count = refCnt();
136         if (count <= 0) {
137             throw new IllegalReferenceCountException(count);
138         }
139 
140         return content;
141     }
142 
143     @Override
144     public PemPrivateKey copy() {
145         return replace(content.copy());
146     }
147 
148     @Override
149     public PemPrivateKey duplicate() {
150         return replace(content.duplicate());
151     }
152 
153     @Override
154     public PemPrivateKey retainedDuplicate() {
155         return replace(content.retainedDuplicate());
156     }
157 
158     @Override
159     public PemPrivateKey replace(ByteBuf content) {
160         return new PemPrivateKey(content);
161     }
162 
163     @Override
164     public PemPrivateKey touch() {
165         content.touch();
166         return this;
167     }
168 
169     @Override
170     public PemPrivateKey touch(Object hint) {
171         content.touch(hint);
172         return this;
173     }
174 
175     @Override
176     public PemPrivateKey retain() {
177         return (PemPrivateKey) super.retain();
178     }
179 
180     @Override
181     public PemPrivateKey retain(int increment) {
182         return (PemPrivateKey) super.retain(increment);
183     }
184 
185     @Override
186     protected void deallocate() {
187         // Private Keys are sensitive. We need to zero the bytes
188         // before we're releasing the underlying ByteBuf
189         SslUtils.zerooutAndRelease(content);
190     }
191 
192     @Override
193     public byte[] getEncoded() {
194         throw new UnsupportedOperationException();
195     }
196 
197     @Override
198     public String getAlgorithm() {
199         throw new UnsupportedOperationException();
200     }
201 
202     @Override
203     public String getFormat() {
204         return PKCS8_FORMAT;
205     }
206 
207     /**
208      * NOTE: This is a JDK8 interface/method. Due to backwards compatibility
209      * reasons it's not possible to slap the {@code @Override} annotation onto
210      * this method.
211      *
212      * @see Destroyable#destroy()
213      */
214     @Override
215     public void destroy() {
216         release(refCnt());
217     }
218 
219     /**
220      * NOTE: This is a JDK8 interface/method. Due to backwards compatibility
221      * reasons it's not possible to slap the {@code @Override} annotation onto
222      * this method.
223      *
224      * @see Destroyable#isDestroyed()
225      */
226     @Override
227     public boolean isDestroyed() {
228         return refCnt() == 0;
229     }
230 }