SNOW-896818 Limited support for encrypted private keys

sfc-gh-wfateem · sfc-gh-wfateem · commit 8caf4a325b75 · 2024-03-18T21:16:11.000-05:00
diff --git a/src/main/java/net/snowflake/client/core/SFSession.java b/src/main/java/net/snowflake/client/core/SFSession.java
@@ -87,6 +87,8 @@ public class SFSession extends SFBaseSession {
 
   private SFClientConfig sfClientConfig;
 
+  private SecurityUtil securityUtil;
+
   /**
    * Amount of seconds a user is willing to tolerate for establishing the connection with database.
    * In our case, it means the first login request to get authorization token.
@@ -145,6 +147,7 @@ public SFSession() {
 
   public SFSession(DefaultSFConnectionHandler sfConnectionHandler) {
     super(sfConnectionHandler);
+    securityUtil = new SecurityUtil();
   }
 
   /**
@@ -613,6 +616,7 @@ public synchronized void open() throws SFException, SnowflakeSQLException {
       TelemetryService.disable();
     }
 
+    securityUtil.addBouncyCastleProvider();
     // propagate OCSP mode to SFTrustManager. Note OCSP setting is global on JVM.
     HttpUtil.initHttpClient(httpClientSettingsKey, null);
     SFLoginOutput loginOutput =
diff --git a/src/main/java/net/snowflake/client/core/SFSessionProperty.java b/src/main/java/net/snowflake/client/core/SFSessionProperty.java
@@ -80,7 +80,9 @@ public enum SFSessionProperty {
 
   ENABLE_PATTERN_SEARCH("enablePatternSearch", false, Boolean.class),
 
-  DISABLE_GCS_DEFAULT_CREDENTIALS("disableGcsDefaultCredentials", false, Boolean.class);
+  DISABLE_GCS_DEFAULT_CREDENTIALS("disableGcsDefaultCredentials", false, Boolean.class),
+
+  ENABLE_BOUNCY_CASTLE("enableBouncyCastle", false, Boolean.class);
 
   // property key in string
   private String propertyKey;
diff --git a/src/main/java/net/snowflake/client/core/SFTrustManager.java b/src/main/java/net/snowflake/client/core/SFTrustManager.java
@@ -19,7 +19,6 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.OutputStream;
-import java.lang.reflect.InvocationTargetException;
 import java.math.BigInteger;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -29,8 +28,6 @@
 import java.security.KeyStoreException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.Security;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
@@ -155,9 +152,6 @@ public class SFTrustManager extends X509ExtendedTrustManager {
   private static final ASN1ObjectIdentifier SHA512RSA =
       new ASN1ObjectIdentifier("1.2.840.113549.1.1.13").intern();
 
-  private static final String DEFAULT_SECURITY_PROVIDER_NAME =
-      "org.bouncycastle.jce.provider.BouncyCastleProvider";
-
   private static final String ALGORITHM_SHA1_NAME = "SHA-1";
   /** Object mapper for JSON encoding and decoding */
   private static final ObjectMapper OBJECT_MAPPER = ObjectMapperFactory.getObjectMapper();
@@ -175,10 +169,7 @@ public class SFTrustManager extends X509ExtendedTrustManager {
   private static final int DEFAULT_OCSP_RESPONDER_CONNECTION_TIMEOUT = 10000;
   /** Default OCSP Cache server host name */
   private static final String DEFAULT_OCSP_CACHE_HOST = "http://ocsp.snowflakecomputing.com";
-  /** provider name */
-  private static final String BOUNCY_CASTLE_PROVIDER = "BC";
-  /** provider name for FIPS */
-  private static final String BOUNCY_CASTLE_FIPS_PROVIDER = "BCFIPS";
+
   /** OCSP response file cache directory */
   private static final FileCacheManager fileCacheManager;
   /** Tolerable validity date range ratio. */
@@ -253,37 +244,6 @@ public class SFTrustManager extends X509ExtendedTrustManager {
     OCSP_RESPONSE_CODE_TO_STRING.put(OCSPResp.UNAUTHORIZED, "unauthorized");
   }
 
-  static {
-    // Add Bouncy Castle to the security provider. This is required to
-    // verify the signature on OCSP response and attached certificates.
-    if (Security.getProvider(BOUNCY_CASTLE_PROVIDER) == null
-        && Security.getProvider(BOUNCY_CASTLE_FIPS_PROVIDER) == null) {
-      Security.addProvider(instantiateSecurityProvider());
-    }
-  }
-
-  private static Provider instantiateSecurityProvider() {
-    try {
-      Class klass = Class.forName(DEFAULT_SECURITY_PROVIDER_NAME);
-      return (Provider) klass.getDeclaredConstructor().newInstance();
-    } catch (ExceptionInInitializerError
-        | ClassNotFoundException
-        | NoSuchMethodException
-        | InstantiationException
-        | IllegalAccessException
-        | IllegalArgumentException
-        | InvocationTargetException
-        | SecurityException ex) {
-      String errMsg =
-          String.format(
-              "Failed to load %s, err=%s. If you use Snowflake JDBC for FIPS jar, "
-                  + "import BouncyCastleFipsProvider in the application.",
-              DEFAULT_SECURITY_PROVIDER_NAME, ex.getMessage());
-      LOGGER.error(errMsg, true);
-      throw new RuntimeException(errMsg);
-    }
-  }
-
   static {
     DATE_FORMAT_UTC.setTimeZone(TimeZone.getTimeZone("UTC"));
   }
diff --git a/src/main/java/net/snowflake/client/core/SecurityUtil.java b/src/main/java/net/snowflake/client/core/SecurityUtil.java
@@ -0,0 +1,56 @@
+package net.snowflake.client.core;
+
+import java.lang.reflect.InvocationTargetException;
+import java.security.Provider;
+import java.security.Security;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+
+public class SecurityUtil {
+
+  private static final SFLogger LOGGER = SFLoggerFactory.getLogger(SecurityUtil.class);
+
+  /** provider name */
+  private final String BOUNCY_CASTLE_PROVIDER = "BC";
+
+  /** provider name for FIPS */
+  private final String BOUNCY_CASTLE_FIPS_PROVIDER = "BCFIPS";
+
+  private static final String DEFAULT_SECURITY_PROVIDER_NAME =
+      "org.bouncycastle.jce.provider.BouncyCastleProvider";
+
+  public void addBouncyCastleProvider() {
+    // Add Bouncy Castle to the list of security providers. This is required to
+    // verify the signature on OCSP response and attached certificates.
+    // It is also required to decrypt password protected private keys.
+    // Check to see if the BouncyCastleFipsProvider has already been added.
+    // If so, then we don't want to add the provider BouncyCastleProvider.
+    // The addProvider() method won't add the provider if it already exists.
+    if (Security.getProvider(BOUNCY_CASTLE_FIPS_PROVIDER) == null) {
+      Security.addProvider(instantiateSecurityProvider());
+    }
+  }
+
+  public Provider instantiateSecurityProvider() {
+
+    try {
+      Class klass = Class.forName(DEFAULT_SECURITY_PROVIDER_NAME);
+      return (Provider) klass.getDeclaredConstructor().newInstance();
+    } catch (ExceptionInInitializerError
+        | ClassNotFoundException
+        | NoSuchMethodException
+        | InstantiationException
+        | IllegalAccessException
+        | IllegalArgumentException
+        | InvocationTargetException
+        | SecurityException ex) {
+      String errMsg =
+          String.format(
+              "Failed to load %s, err=%s. If you use Snowflake JDBC for FIPS jar, "
+                  + "import BouncyCastleFipsProvider in the application.",
+              DEFAULT_SECURITY_PROVIDER_NAME, ex.getMessage());
+      LOGGER.error(errMsg, true);
+      throw new RuntimeException(errMsg);
+    }
+  }
+}
diff --git a/src/main/java/net/snowflake/client/core/SessionUtilKeyPair.java b/src/main/java/net/snowflake/client/core/SessionUtilKeyPair.java
@@ -13,6 +13,7 @@
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
+import java.io.FileReader;
 import java.io.IOException;
 import java.io.StringReader;
 import java.nio.file.Files;
@@ -37,6 +38,14 @@
 import net.snowflake.client.log.SFLogger;
 import net.snowflake.client.log.SFLoggerFactory;
 import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
+import org.bouncycastle.operator.InputDecryptorProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+import org.bouncycastle.pkcs.PKCSException;
 import org.bouncycastle.util.io.pem.PemReader;
 
 /** Class used to compute jwt token for key pair authentication Created by hyu on 1/16/18. */
@@ -66,6 +75,14 @@ class SessionUtilKeyPair {
 
   private static final int JWT_DEFAULT_AUTH_TIMEOUT = 10;
 
+  /** provider name */
+  private static final String BOUNCY_CASTLE_PROVIDER = "BC";
+
+  /** provider name for FIPS */
+  private static final String BOUNCY_CASTLE_FIPS_PROVIDER = "BCFIPS";
+
+  private boolean ENABLE_BOUNCYCASTLE_PROVIDER = true;
+
   SessionUtilKeyPair(
       PrivateKey privateKey,
       String privateKeyFile,
@@ -78,7 +95,7 @@ class SessionUtilKeyPair {
 
     // check if in FIPS mode
     for (Provider p : Security.getProviders()) {
-      if ("BCFIPS".equals(p.getName())) {
+      if (BOUNCY_CASTLE_FIPS_PROVIDER.equals(p.getName())) {
         this.isFipsMode = true;
         this.SecurityProvider = p;
         break;
@@ -133,37 +150,30 @@ private SecretKeyFactory getSecretKeyFactory(String algorithm) throws NoSuchAlgo
 
   private PrivateKey extractPrivateKeyFromFile(String privateKeyFile, String privateKeyFilePwd)
       throws SFException {
-    try {
-      String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyFile)));
-      if (Strings.isNullOrEmpty(privateKeyFilePwd)) {
-        // unencrypted private key file
-        PemReader pr = new PemReader(new StringReader(privateKeyContent));
-        byte[] decoded = pr.readPemObject().getContent();
-        pr.close();
-        PKCS8EncodedKeySpec encodedKeySpec = new PKCS8EncodedKeySpec(decoded);
-        KeyFactory keyFactory = getKeyFactoryInstance();
-        return keyFactory.generatePrivate(encodedKeySpec);
-      } else {
-        // encrypted private key file
-        PemReader pr = new PemReader(new StringReader(privateKeyContent));
-        byte[] decoded = pr.readPemObject().getContent();
-        pr.close();
-        EncryptedPrivateKeyInfo pkInfo = new EncryptedPrivateKeyInfo(decoded);
-        PBEKeySpec keySpec = new PBEKeySpec(privateKeyFilePwd.toCharArray());
-        SecretKeyFactory pbeKeyFactory = this.getSecretKeyFactory(pkInfo.getAlgName());
-        PKCS8EncodedKeySpec encodedKeySpec =
-            pkInfo.getKeySpec(pbeKeyFactory.generateSecret(keySpec));
-        KeyFactory keyFactory = getKeyFactoryInstance();
-        return keyFactory.generatePrivate(encodedKeySpec);
+
+    if (ENABLE_BOUNCYCASTLE_PROVIDER) {
+      try {
+        return extractPrivateKeyWithBouncyCastle(privateKeyFile, privateKeyFilePwd);
+      } catch (IOException | PKCSException | OperatorCreationException e) {
+        logger.error("Could not extract private key using Bouncy Castle provider");
+        throw new SFException(e, ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, e.getCause());
+      }
+    } else {
+      try {
+        return extractPrivateKeyWithJdk(privateKeyFile, privateKeyFilePwd);
+      } catch (NoSuchAlgorithmException
+          | InvalidKeySpecException
+          | IOException
+          | IllegalArgumentException
+          | NullPointerException
+          | InvalidKeyException e) {
+        logger.error(
+            "Could not extract private key. Try setting " + ENABLE_BOUNCYCASTLE_PROVIDER + "=TRUE");
+        throw new SFException(
+            e,
+            ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY,
+            privateKeyFile + ": " + e.getMessage());
       }
-    } catch (NoSuchAlgorithmException
-        | InvalidKeySpecException
-        | IOException
-        | IllegalArgumentException
-        | NullPointerException
-        | InvalidKeyException e) {
-      throw new SFException(
-          e, ErrorCode.INVALID_OR_UNSUPPORTED_PRIVATE_KEY, privateKeyFile + ": " + e.getMessage());
     }
   }
 
@@ -222,4 +232,51 @@ public static int getTimeout() {
     }
     return jwtAuthTimeout;
   }
+
+  private PrivateKey extractPrivateKeyWithBouncyCastle(
+      String privateKeyFile, String privateKeyFilePwd)
+      throws IOException, PKCSException, OperatorCreationException {
+    PrivateKeyInfo privateKeyInfo = null;
+    PEMParser pemParser = new PEMParser(new FileReader(Paths.get(privateKeyFile).toFile()));
+    Object pemObject = pemParser.readObject();
+    if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {
+      // Handle the case where the private key is encrypted.
+      PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo =
+          (PKCS8EncryptedPrivateKeyInfo) pemObject;
+      InputDecryptorProvider pkcs8Prov =
+          new JceOpenSSLPKCS8DecryptorProviderBuilder().build(privateKeyFilePwd.toCharArray());
+      privateKeyInfo = encryptedPrivateKeyInfo.decryptPrivateKeyInfo(pkcs8Prov);
+    } else if (pemObject instanceof PrivateKeyInfo) {
+      // Handle the case where the private key is unencrypted.
+      privateKeyInfo = (PrivateKeyInfo) pemObject;
+    }
+    pemParser.close();
+    JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BOUNCY_CASTLE_PROVIDER);
+    return converter.getPrivateKey(privateKeyInfo);
+  }
+
+  private PrivateKey extractPrivateKeyWithJdk(String privateKeyFile, String privateKeyFilePwd)
+      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException {
+    String privateKeyContent = new String(Files.readAllBytes(Paths.get(privateKeyFile)));
+    if (Strings.isNullOrEmpty(privateKeyFilePwd)) {
+      // unencrypted private key file
+      PemReader pr = new PemReader(new StringReader(privateKeyContent));
+      byte[] decoded = pr.readPemObject().getContent();
+      pr.close();
+      PKCS8EncodedKeySpec encodedKeySpec = new PKCS8EncodedKeySpec(decoded);
+      KeyFactory keyFactory = getKeyFactoryInstance();
+      return keyFactory.generatePrivate(encodedKeySpec);
+    } else {
+      // encrypted private key file
+      PemReader pr = new PemReader(new StringReader(privateKeyContent));
+      byte[] decoded = pr.readPemObject().getContent();
+      pr.close();
+      EncryptedPrivateKeyInfo pkInfo = new EncryptedPrivateKeyInfo(decoded);
+      PBEKeySpec keySpec = new PBEKeySpec(privateKeyFilePwd.toCharArray());
+      SecretKeyFactory pbeKeyFactory = this.getSecretKeyFactory(pkInfo.getAlgName());
+      PKCS8EncodedKeySpec encodedKeySpec = pkInfo.getKeySpec(pbeKeyFactory.generateSecret(keySpec));
+      KeyFactory keyFactory = getKeyFactoryInstance();
+      return keyFactory.generatePrivate(encodedKeySpec);
+    }
+  }
 }
