fix bc fips issue

Author: binglihub

pom.xml

@@ -310,6 +310,7 @@
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcpkix-fips</artifactId>
             <version>1.0.3</version>
+            <scope>provided</scope>
         </dependency>
         <!-- https://mvnrepository.com/artifact/org.apache.kafka/connect-api -->
         <dependency>

src/main/java/com/snowflake/kafka/connector/internal/EncryptionUtils.java

@@ -0,0 +1,54 @@
+package com.snowflake.kafka.connector.internal;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
+import org.bouncycastle.operator.InputDecryptorProvider;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
+
+import java.io.StringReader;
+import java.security.PrivateKey;
+import java.security.Security;
+
+public class EncryptionUtils
+{
+  static PrivateKey parseEncryptedPrivateKey(String key, String passphrase)
+  {
+    //remove header, footer, and line breaks
+    key = key.replaceAll("-+[A-Za-z ]+-+", "");
+    key = key.replaceAll("\\s", "");
+
+    StringBuilder builder = new StringBuilder();
+    builder.append("-----BEGIN ENCRYPTED PRIVATE KEY-----");
+    for (int i = 0; i < key.length(); i++)
+    {
+      if (i % 64 == 0)
+      {
+        builder.append("\n");
+      }
+      builder.append(key.charAt(i));
+    }
+    builder.append("\n-----END ENCRYPTED PRIVATE KEY-----");
+    key = builder.toString();
+    Security.addProvider(new BouncyCastleFipsProvider());
+    try
+    {
+      PEMParser pemParser = new PEMParser(new StringReader(key));
+      PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo =
+        (PKCS8EncryptedPrivateKeyInfo) pemParser.readObject();
+      pemParser.close();
+      InputDecryptorProvider pkcs8Prov =
+        new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passphrase.toCharArray());
+      JcaPEMKeyConverter converter =
+        new JcaPEMKeyConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME);
+      PrivateKeyInfo decryptedPrivateKeyInfo =
+        encryptedPrivateKeyInfo.decryptPrivateKeyInfo(pkcs8Prov);
+      return converter.getPrivateKey(decryptedPrivateKeyInfo);
+    } catch (Exception e)
+    {
+      throw SnowflakeErrors.ERROR_0018.getException(e);
+    }
+  }
+}

src/main/java/com/snowflake/kafka/connector/internal/InternalUtils.java

@@ -1,22 +1,14 @@
 package com.snowflake.kafka.connector.internal;
 
 import com.snowflake.kafka.connector.Utils;
+import net.snowflake.client.jdbc.internal.apache.commons.codec.binary.Base64;
+import net.snowflake.client.jdbc.internal.org.bouncycastle.jce.provider.BouncyCastleProvider;
 import net.snowflake.ingest.connection.IngestStatus;
-import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
-import org.bouncycastle.openssl.PEMKeyPair;
-import org.bouncycastle.openssl.PEMParser;
-import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
-import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
-import org.bouncycastle.operator.InputDecryptorProvider;
-import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.StringReader;
 import java.security.KeyFactory;
 import java.security.PrivateKey;
-import java.security.Security;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -82,70 +74,19 @@ static void assertNotEmpty(String name, Object value)
     }
   }
 
-  static PrivateKey parseEncryptedPrivateKey(String key, String passphrase)
-  {
-    //remove header, footer, and line breaks
-    key = key.replaceAll("-+[A-Za-z ]+-+", "");
-    key = key.replaceAll("\\s", "");
-
-    StringBuilder builder = new StringBuilder();
-    builder.append("-----BEGIN ENCRYPTED PRIVATE KEY-----");
-    for (int i = 0; i < key.length(); i++)
-    {
-      if (i % 64 == 0)
-      {
-        builder.append("\n");
-      }
-      builder.append(key.charAt(i));
-    }
-    builder.append("\n-----END ENCRYPTED PRIVATE KEY-----");
-    key = builder.toString();
-    Security.addProvider(new BouncyCastleFipsProvider());
-    try
-    {
-      PEMParser pemParser = new PEMParser(new StringReader(key));
-      PKCS8EncryptedPrivateKeyInfo encryptedPrivateKeyInfo =
-        (PKCS8EncryptedPrivateKeyInfo) pemParser.readObject();
-      pemParser.close();
-      InputDecryptorProvider pkcs8Prov =
-        new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passphrase.toCharArray());
-      JcaPEMKeyConverter converter =
-        new JcaPEMKeyConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME);
-      PrivateKeyInfo decryptedPrivateKeyInfo =
-        encryptedPrivateKeyInfo.decryptPrivateKeyInfo(pkcs8Prov);
-      return converter.getPrivateKey(decryptedPrivateKeyInfo);
-    } catch (Exception e)
-    {
-      throw SnowflakeErrors.ERROR_0018.getException(e);
-    }
-  }
-
   static PrivateKey parsePrivateKey(String key)
   {
     //remove header, footer, and line breaks
     key = key.replaceAll("-+[A-Za-z ]+-+", "");
     key = key.replaceAll("\\s", "");
 
-    StringBuilder builder = new StringBuilder();
-    builder.append("-----BEGIN RSA PRIVATE KEY-----");
-    for (int i = 0; i < key.length(); i++)
-    {
-      if (i % 64 == 0)
-      {
-        builder.append("\n");
-      }
-      builder.append(key.charAt(i));
-    }
-    builder.append("\n-----END RSA PRIVATE KEY-----");
-    key = builder.toString();
+    java.security.Security.addProvider(new BouncyCastleProvider());
+    byte[] encoded = Base64.decodeBase64(key);
     try
     {
-      PEMParser pemParser = new PEMParser(new StringReader(key));
-      PEMKeyPair pemKeyPair = (PEMKeyPair) pemParser.readObject();
-      PKCS8EncodedKeySpec keySpec =
-        new PKCS8EncodedKeySpec(pemKeyPair.getPrivateKeyInfo().getEncoded());
-      KeyFactory keyFactory = KeyFactory.getInstance("RSA");
-      return keyFactory.generatePrivate(keySpec);
+      KeyFactory kf = KeyFactory.getInstance("RSA");
+      PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
+      return kf.generatePrivate(keySpec);
     } catch (Exception e)
     {
       throw SnowflakeErrors.ERROR_0002.getException(e);
@@ -217,8 +158,9 @@ static Properties createProperties(Map<String, String> conf)
 
     if (!privateKeyPassphrase.isEmpty())
     {
-      properties.put(JDBC_PRIVATE_KEY, parseEncryptedPrivateKey(privateKey,
-        privateKeyPassphrase));
+      properties.put(JDBC_PRIVATE_KEY,
+        EncryptionUtils.parseEncryptedPrivateKey(privateKey,
+          privateKeyPassphrase));
     }
     else if (!privateKey.isEmpty())
     {

src/main/java/com/snowflake/kafka/connector/internal/SnowflakeErrors.java

@@ -118,7 +118,7 @@ public enum SnowflakeErrors
   ERROR_0018(
     "0018",
     "Invalid encrypted private key or passphrase",
-    "failed to decrypt private key. Please verify input private key and passphrase. Currently, Snowflake Kafka Connector only supports 'PBE-MD5-DES' encryption algorithm."
+    "failed to decrypt private key. Please verify input private key and passphrase. Snowflake Kafka Connector only supports encryption algorithms in FIPS 140-2"
   ),
   ERROR_0019(
     "0019",

src/test/java/com/snowflake/kafka/connector/internal/InternalUtilsTest.java

@@ -42,7 +42,7 @@ public void testPrivateKey()
   public void testEncryptedPrivateKey()
   {
     assert InternalUtils.parsePrivateKey(TestUtils.getKeyString()).equals(
-      InternalUtils.parseEncryptedPrivateKey(TestUtils.getEncryptedPrivateKey(),
+      EncryptionUtils.parseEncryptedPrivateKey(TestUtils.getEncryptedPrivateKey(),
         TestUtils.getPrivateKeyPassphrase())
     );
   }