feat: add support for other security providers#3590

robhafner · robhafner · commit 27963fb8b0ef · 2024-07-31T16:57:23.000-04:00
Dynamically load security providers using the Java Service Provider Interface.

This allows the user to pick the provider based upon the dependencies it has on
its classpath.
diff --git a/util/src/main/java/io/kubernetes/client/util/SSLUtils.java b/util/src/main/java/io/kubernetes/client/util/SSLUtils.java
@@ -24,6 +24,7 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.Security;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
@@ -32,6 +33,7 @@
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Collection;
+import java.util.ServiceLoader;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
@@ -40,55 +42,63 @@
 import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.util.io.pem.PemWriter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class SSLUtils {
+  private static final Logger log = LoggerFactory.getLogger(SSLUtils.class);
+
   static {
-    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
+    ServiceLoader<Provider> services = ServiceLoader.load(java.security.Provider.class);
+    for (Provider service : services) {
+      log.debug("Found security provider: " + service.getName());
+      Security.addProvider(service);
+    }
   }
 
   public static boolean isNotNullOrEmpty(String val) {
     return val != null && val.length() > 0;
   }
 
   public static KeyManager[] keyManagers(
-      byte[] certData,
-      byte[] keyData,
-      String algo,
-      String passphrase,
-      String keyStoreFile,
-      String keyStorePassphrase)
-      throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException,
+          byte[] certData,
+          byte[] keyData,
+          String algo,
+          String passphrase,
+          String keyStoreFile,
+          String keyStorePassphrase)
+          throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException,
           CertificateException, InvalidKeySpecException, IOException {
     KeyManager[] keyManagers = null;
     if (certData != null && keyData != null) {
       KeyStore keyStore =
-          createKeyStore(certData, keyData, algo, passphrase, keyStoreFile, keyStorePassphrase);
+              createKeyStore(certData, keyData, algo, passphrase, keyStoreFile, keyStorePassphrase);
       KeyManagerFactory kmf =
-          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+              KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
       kmf.init(keyStore, passphrase.toCharArray());
       keyManagers = kmf.getKeyManagers();
     }
     return keyManagers;
   }
 
   public static KeyStore createKeyStore(
-      byte[] clientCertData,
-      byte[] clientKeyData,
-      String clientKeyAlgo,
-      String clientKeyPassphrase,
-      String keyStoreFile,
-      String keyStorePassphrase)
-      throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException,
+          byte[] clientCertData,
+          byte[] clientKeyData,
+          String clientKeyAlgo,
+          String clientKeyPassphrase,
+          String keyStoreFile,
+          String keyStorePassphrase)
+          throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException,
           KeyStoreException {
     try (InputStream certInputStream = new ByteArrayInputStream(clientCertData);
-        InputStream keyInputStream = new ByteArrayInputStream(clientKeyData)) {
+         InputStream keyInputStream = new ByteArrayInputStream(clientKeyData)) {
       return createKeyStore(
-          certInputStream,
-          keyInputStream,
-          clientKeyAlgo,
-          clientKeyPassphrase != null ? clientKeyPassphrase.toCharArray() : null,
-          keyStoreFile,
-          getKeyStorePassphrase(keyStorePassphrase));
+              certInputStream,
+              keyInputStream,
+              clientKeyAlgo,
+              clientKeyPassphrase != null ? clientKeyPassphrase.toCharArray() : null,
+              keyStoreFile,
+              getKeyStorePassphrase(keyStorePassphrase));
     }
   }
 
@@ -113,24 +123,24 @@ public static String recognizePrivateKeyAlgo(byte[] privateKeyBytes) {
   }
 
   public static PrivateKey loadKey(byte[] privateKeyBytes)
-      throws IOException, InvalidKeySpecException {
+          throws IOException, InvalidKeySpecException {
     return loadKey(
-        new ByteArrayInputStream(privateKeyBytes), recognizePrivateKeyAlgo(privateKeyBytes));
+            new ByteArrayInputStream(privateKeyBytes), recognizePrivateKeyAlgo(privateKeyBytes));
   }
 
   public static PrivateKey loadKey(byte[] pemPrivateKeyBytes, String algo)
-      throws IOException, InvalidKeySpecException {
+          throws IOException, InvalidKeySpecException {
     return loadKey(new ByteArrayInputStream(pemPrivateKeyBytes), algo);
   }
 
   public static PrivateKey loadKey(InputStream keyInputStream, String clientKeyAlgo)
-      throws IOException, InvalidKeySpecException {
+          throws IOException, InvalidKeySpecException {
     final PrivateKey privateKey;
     try (final PEMParser pemParser = new PEMParser(new InputStreamReader(keyInputStream))) {
       final Object pemObject = pemParser.readObject();
       if (pemObject == null) {
         final String message =
-            String.format("PEM Private Key Algorithm [%s] not parsed", clientKeyAlgo);
+                String.format("PEM Private Key Algorithm [%s] not parsed", clientKeyAlgo);
         throw new InvalidKeySpecException(message);
       }
       final JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
@@ -144,23 +154,23 @@ public static PrivateKey loadKey(InputStream keyInputStream, String clientKeyAlg
       } else {
         final String pemObjectType = pemObject.getClass().getSimpleName();
         final String message =
-            String.format(
-                "PEM Private Key Algorithm [%s] Type [%s] not supported",
-                clientKeyAlgo, pemObjectType);
+                String.format(
+                        "PEM Private Key Algorithm [%s] Type [%s] not supported",
+                        clientKeyAlgo, pemObjectType);
         throw new InvalidKeySpecException(message);
       }
     }
     return privateKey;
   }
 
   public static KeyStore createKeyStore(
-      InputStream certInputStream,
-      InputStream keyInputStream,
-      String clientKeyAlgo,
-      char[] clientKeyPassphrase,
-      String keyStoreFile,
-      char[] keyStorePassphrase)
-      throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException,
+          InputStream certInputStream,
+          InputStream keyInputStream,
+          String clientKeyAlgo,
+          char[] clientKeyPassphrase,
+          String keyStoreFile,
+          char[] keyStorePassphrase)
+          throws IOException, CertificateException, NoSuchAlgorithmException, InvalidKeySpecException,
           KeyStoreException {
     CertificateFactory certFactory = CertificateFactory.getInstance("X509");
     Collection<? extends Certificate> certs = certFactory.generateCertificates(certInputStream);
@@ -184,15 +194,15 @@ public static KeyStore createKeyStore(
     }
 
     String alias =
-        ((X509Certificate) certs.stream().findFirst().get()).getSubjectX500Principal().getName();
+            ((X509Certificate) certs.stream().findFirst().get()).getSubjectX500Principal().getName();
     keyStore.setKeyEntry(
-        alias, privateKey, clientKeyPassphrase, certs.toArray(new X509Certificate[certs.size()]));
+            alias, privateKey, clientKeyPassphrase, certs.toArray(new X509Certificate[certs.size()]));
 
     return keyStore;
   }
 
   private static void loadDefaultKeyStoreFile(KeyStore keyStore, char[] keyStorePassphrase)
-      throws CertificateException, NoSuchAlgorithmException, IOException {
+          throws CertificateException, NoSuchAlgorithmException, IOException {
 
     String keyStorePath = System.getProperty("javax.net.ssl.keyStore");
     if (keyStorePath != null && keyStorePath.length() > 0) {
@@ -206,7 +216,7 @@ private static void loadDefaultKeyStoreFile(KeyStore keyStore, char[] keyStorePa
   }
 
   private static boolean loadDefaultStoreFile(KeyStore keyStore, File fileToLoad, char[] passphrase)
-      throws CertificateException, NoSuchAlgorithmException, IOException {
+          throws CertificateException, NoSuchAlgorithmException, IOException {
     if (fileToLoad.exists() && fileToLoad.isFile() && fileToLoad.length() > 0) {
       try (FileInputStream inputStream = new FileInputStream(fileToLoad)) {
         keyStore.load(inputStream, passphrase);
