sshd-common/src/main/java/org/apache/sshd/common/config/keys/PrivateKeyEntryDecoder.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.sshd.common.config.keys;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StreamCorruptedException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.Objects;

import org.apache.sshd.common.config.keys.loader.KeyPairResourceLoader;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.NumberUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.io.SecureByteArrayOutputStream;

/**
 * @param  <PUB> Type of {@link PublicKey}
 * @param  <PRV> Type of {@link PrivateKey}
 * @author       <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
 */
public interface PrivateKeyEntryDecoder<PUB extends PublicKey, PRV extends PrivateKey>
        extends KeyEntryResolver<PUB, PRV>, PrivateKeyEntryResolver {

    @Override
    default PrivateKey resolve(
            SessionContext session, String keyType, byte[] keyData)
            throws IOException, GeneralSecurityException {
        ValidateUtils.checkNotNullAndNotEmpty(keyType, "No key type provided");
        Collection<String> supported = getSupportedKeyTypes();
        if ((GenericUtils.size(supported) > 0) && supported.contains(keyType)) {
            return decodePrivateKey(session, FilePasswordProvider.EMPTY, keyData);
        }

        throw new InvalidKeySpecException("resolve(" + keyType + ") not in listed supported types: " + supported);
    }

    /**
     * @param  session                  The {@link SessionContext} for invoking this load command - may be {@code null}
     *                                  if not invoked within a session context (e.g., offline tool or session unknown).
     * @param  passwordProvider         The {@link FilePasswordProvider} to use in case the data is encrypted - may be
     *                                  {@code null} if no encrypted data is expected
     * @param  keyData                  The key data bytes in {@code OpenSSH} format (after BASE64 decoding) - ignored
     *                                  if {@code null}/empty
     * @return                          The decoded {@link PrivateKey} - or {@code null} if no data
     * @throws IOException              If failed to decode the key
     * @throws GeneralSecurityException If failed to generate the key
     */
    default PRV decodePrivateKey(
            SessionContext session, FilePasswordProvider passwordProvider, byte... keyData)
            throws IOException, GeneralSecurityException {
        return decodePrivateKey(session, passwordProvider, keyData, 0, NumberUtils.length(keyData));
    }

    default PRV decodePrivateKey(
            SessionContext session, FilePasswordProvider passwordProvider, byte[] keyData, int offset, int length)
            throws IOException, GeneralSecurityException {
        if (length <= 0) {
            return null;
        }

        try (InputStream stream = new ByteArrayInputStream(keyData, offset, length)) {
            return decodePrivateKey(session, passwordProvider, stream);
        }
    }

    default PRV decodePrivateKey(
            SessionContext session, FilePasswordProvider passwordProvider, InputStream keyData)
            throws IOException, GeneralSecurityException {
        // the actual data is preceded by a string that repeats the key type
        String type = KeyEntryResolver.decodeString(keyData, KeyPairResourceLoader.MAX_KEY_TYPE_NAME_LENGTH);
        if (GenericUtils.isEmpty(type)) {
            throw new StreamCorruptedException("Missing key type string");
        }

        Collection<String> supported = getSupportedKeyTypes();
        if (GenericUtils.isEmpty(supported) || (!supported.contains(type))) {
            throw new InvalidKeySpecException("Reported key type (" + type + ") not in supported list: " + supported);
        }

        return decodePrivateKey(session, type, passwordProvider, keyData);
    }

    /**
     * @param  session                  The {@link SessionContext} for invoking this load command - may be {@code null}
     *                                  if not invoked within a session context (e.g., offline tool or session unknown).
     * @param  keyType                  The reported / encode key type
     * @param  passwordProvider         The {@link FilePasswordProvider} to use in case the data is encrypted - may be
     *                                  {@code null} if no encrypted data is expected
     * @param  keyData                  The key data bytes stream positioned after the key type decoding and making sure
     *                                  it is one of the supported types
     * @return                          The decoded {@link PrivateKey}
     * @throws IOException              If failed to read from the data stream
     * @throws GeneralSecurityException If failed to generate the key
     */
    PRV decodePrivateKey(
            SessionContext session, String keyType, FilePasswordProvider passwordProvider, InputStream keyData)
            throws IOException, GeneralSecurityException;

    /**
     * Encodes the {@link PrivateKey} using the {@code OpenSSH} format - same one used by the {@code decodePublicKey}
     * method(s)
     *
     * @param  s           The {@link SecureByteArrayOutputStream} to write the data to.
     * @param  key         The {@link PrivateKey} - may not be {@code null}
     * @param  pubKey      The {@link PublicKey} belonging to the private key - must be non-{@code null} if
     *                     {@link #isPublicKeyRecoverySupported() public key recovery} is not supported
     * @return             The key type value - one of the {@link #getSupportedKeyTypes()} or {@code null} if encoding
     *                     not supported
     * @throws IOException If failed to generate the encoding
     */
    default String encodePrivateKey(SecureByteArrayOutputStream s, PRV key, PUB pubKey) throws IOException {
        Objects.requireNonNull(key, "No private key provided");
        return null;
    }

    default boolean isPublicKeyRecoverySupported() {
        return false;
    }

    /**
     * Attempts to recover the public key given the private one
     *
     * @param  prvKey                   The {@link PrivateKey}
     * @return                          The recovered {@link PublicKey} - {@code null} if cannot recover it
     * @throws GeneralSecurityException If failed to generate the public key
     */
    default PUB recoverPublicKey(PRV prvKey) throws GeneralSecurityException {
        return null;
    }
}