Introduce Support for Reading RSA Keys

[jzheaux]

Fixes: gh-6494

[rwinch]

I have provided feedback inline.

Also, we might consider how this is integrated with Spring's ApplicationContext. Should we provide support to ensure that it is automatically included? Should we also support conversion from a Resource to a key? For example:

@Value("classpath:key.private")
RSAPrivateKey key;

[jzheaux]

@rwinch, I've added to more commits to this PR which address integrating with the application context.

I'm partial to actually having that in a separate PR, but if you feel like the changes are largely obvious/non-controversial, then I'm fine reviewing it all here.

[rwinch]

As discussed offline I will give you some time to polish this (i.e. move addConverters to be private within the post processor)

[jzheaux]

@rwinch, I've applied some polish. First, I moved the converter registration into the post-processor. Also, the post-processor has been simplified a bit, to implement BeanFactoryPostProcessor instead of BeanDefinitionRegistryPostProcessor.

Second, I consolidated and simplified the ApplicationContext-integration tests.

I think this looks much better now, and I'm okay with having everything reviewed together.

[rwinch]

Thanks for the updates! I have provided feedback/questions inline

[rwinch]

I wonder if there is a reason this is so generic given it adds RSA converts. I also wonder if it makes sense in the current package since RSA is applicable to non web apps and to reactive applications.

[jzheaux]

A quick search across the code base shows a handful of classes that extend BeanFactoryPostProcessor. For example, there is one for ldap, one for debug, and one for websocket, among others.

Each of these is in spring-security-config and follows the pattern org.springframework.security.config.{module}.

So, it seems natural to rename this as org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor since it is post processing the ConversionService to support RSA keys.

[rwinch]

Can you help me understand what the conditional logic is for? It looks like this might be to handle things like classpath:foo.pem. However, my concern is that it should not interfere with existing String to InputStream conversions.

[rwinch]

Does this work if a variable (i.e. ${some.path} is used)? I cannot recall if anything special is necessary, but it has bitten me before.

[jzheaux]

Regarding your first question, the actual registered converter is String -> RSAPublicKey so it will only be invoked when the target type is RSAPublicKey. Yes, the conditional logic is to differentiate between a raw key and one referred to via classpath:foo.pem.

I didn't test your second case, but I will double-check this.

[jzheaux]

I changed the sample to use ${some.property.name} to confirm that works.

[rwinch]

I think we should make the ResourceLoader a member variable and allow it to be injected.

[rwinch]

Does Spring always register a ConversionService (XML, Java Config, and Boot)?

[jzheaux]

No, XML and Java Config do not register a ConversionService. If the user (or Boot) does not supply one then Spring will fall back to the PropertyEditor conversion style.

I didn't look into property editors - would you recommend that in order to provide more in-depth support?

[jzheaux]

@rwinch, I've responded to your comments. Let me know what you think.

[rwinch]

Perhaps I'm missing something, but shouldn't we close the InputStream after reading it? If not, we should make it clear we don't close the InputStream in the Javadoc and explain why.

[rwinch]

Perhaps I'm missing something, but shouldn't we close the InputStream after reading it? If not, we should make it clear we don't close the InputStream in the Javadoc and explain why.

[jzheaux]

Good catch. My intent was to not make an assumption about the nature of the stream being passed in. So, I'll add a Javadoc to both methods.

That said, I think it makes sense to close it in the post processor since it's the post processor that opens it, so I'll change that, too.

[rwinch]

Perhaps add details about the X509_PEM_HEADER is missing to the error message?

[rwinch]

Perhaps add details about PKCS8_PEM_HEADER missing to the error message?

[rwinch]

Thanks. I provided feedback inline

[rwinch]

Sorry for not realizing this till late in the game...I'm realizing we have a tangle here. The core includes crypto and now we have optional dependency on core. I think we need to move the crypo classes that use core into core.

[jzheaux]

@rwinch I moved RsaKeyConverters and RsaKeyConvertersTest over to core. Otherwise, I simply cleaned up the commits a bit so now we just have two: One for the new feature and one for the change in one of the resource server samples.

Note that I placed these in org.springframework.security.converter, which is a new package. I chose it because converter is the tail of the package name for Converter itself, which aligns nicely, I think. Let me know, though, if there is a better spot for it.

[jzheaux]

This is now merged into master. (And I'm super excited about this feature!)