Clean up p12 loading.

atholbro · atholbro · commit 4063c1ab643c · 2026-03-08T21:34:00.000-04:00
diff --git a/README.md b/README.md
@@ -241,7 +241,7 @@ Key Pairs:
 
 | Method                              | Description                                |
 |-------------------------------------|--------------------------------------------|
-| `KeyPair.ofPkcs12()`                | Load private/public key from a .p12 file   |
+| `KeyPair.ofPkcs12()`                | Load private/public key from a .p12 stream |
 
 ### Key Rings
 The key loading lambda (keyProvider() function) receives the token's tainted
diff --git a/paseto/.api-validation/paseto.api b/paseto/.api-validation/paseto.api
@@ -580,7 +580,6 @@ public final class net/aholbrook/paseto/exception/Pkcs12LoadException : net/ahol
 public final class net/aholbrook/paseto/exception/Pkcs12LoadException$Reason : java/lang/Enum {
 	public static final field ALGORITHM_NOT_FOUND Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
 	public static final field CERTIFICATE_ERROR Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
-	public static final field FILE_NOT_FOUND Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
 	public static final field INCORRECT_PASSWORD Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
 	public static final field IO_EXCEPTION Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
 	public static final field PRIVATE_KEY_NOT_FOUND Lnet/aholbrook/paseto/exception/Pkcs12LoadException$Reason;
@@ -717,16 +716,16 @@ public final class net/aholbrook/paseto/protocol/key/KeyPair {
 	public final fun getSecretKey ()Lnet/aholbrook/paseto/protocol/key/AsymmetricSecretKey;
 	public final fun getVersion ()Lnet/aholbrook/paseto/protocol/Version;
 	public fun hashCode ()I
-	public static final fun ofPkcs12 (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
-	public static final fun ofPkcs12 (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
+	public static final fun ofPkcs12 (Ljava/io/InputStream;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
+	public static final fun ofPkcs12 (Ljava/io/InputStream;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
 }
 
 public final class net/aholbrook/paseto/protocol/key/KeyPair$Companion {
 	public final fun generate (Lnet/aholbrook/paseto/protocol/Version;Lnet/aholbrook/paseto/protocol/key/KeyLifecycle;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
 	public static synthetic fun generate$default (Lnet/aholbrook/paseto/protocol/key/KeyPair$Companion;Lnet/aholbrook/paseto/protocol/Version;Lnet/aholbrook/paseto/protocol/key/KeyLifecycle;ILjava/lang/Object;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
-	public final fun ofPkcs12 (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
-	public final fun ofPkcs12 (Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
-	public static synthetic fun ofPkcs12$default (Lnet/aholbrook/paseto/protocol/key/KeyPair$Companion;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ILjava/lang/Object;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
+	public final fun ofPkcs12 (Ljava/io/InputStream;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
+	public final fun ofPkcs12 (Ljava/io/InputStream;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
+	public static synthetic fun ofPkcs12$default (Lnet/aholbrook/paseto/protocol/key/KeyPair$Companion;Ljava/io/InputStream;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ILjava/lang/Object;)Lnet/aholbrook/paseto/protocol/key/KeyPair;
 }
 
 public final class net/aholbrook/paseto/protocol/key/SymmetricKey {
diff --git a/paseto/src/main/kotlin/net/aholbrook/paseto/exception/KeyExceptions.kt b/paseto/src/main/kotlin/net/aholbrook/paseto/exception/KeyExceptions.kt
@@ -2,7 +2,6 @@ package net.aholbrook.paseto.exception
 
 import net.aholbrook.paseto.InternalApi
 import net.aholbrook.paseto.protocol.Version
-import java.io.FileNotFoundException
 import java.io.IOException
 import java.security.NoSuchAlgorithmException
 import java.security.UnrecoverableKeyException
@@ -75,7 +74,6 @@ class EcKeyException @InternalApi constructor(msg: String, cause: Throwable? = n
 class Pkcs12LoadException @InternalApi constructor(val reason: Reason, cause: Throwable? = null) :
     KeyException(
         when (reason) {
-            Reason.FILE_NOT_FOUND -> "File not found."
             Reason.ALGORITHM_NOT_FOUND -> "Key algorithm not found - $cause"
             Reason.UNRECOVERABLE_KEY -> "Unrecoverable key - $cause"
             Reason.IO_EXCEPTION -> "IO exception - $cause"
@@ -87,9 +85,6 @@ class Pkcs12LoadException @InternalApi constructor(val reason: Reason, cause: Th
         cause,
     ) {
 
-    /** @param e Wrapped [FileNotFoundException]. */
-    @InternalApi constructor(e: FileNotFoundException) : this(Reason.FILE_NOT_FOUND, e)
-
     /** @param e Wrapped [NoSuchAlgorithmException]. */
     @InternalApi constructor(e: NoSuchAlgorithmException) : this(Reason.ALGORITHM_NOT_FOUND, e)
 
@@ -113,9 +108,6 @@ class Pkcs12LoadException @InternalApi constructor(val reason: Reason, cause: Th
 
     /** Categorical failure reason when loading a PKCS#12 keystore. */
     enum class Reason {
-        /** Keystore path does not exist. */
-        FILE_NOT_FOUND,
-
         /** Required crypto algorithm is unavailable. */
         ALGORITHM_NOT_FOUND,
 
diff --git a/paseto/src/main/kotlin/net/aholbrook/paseto/protocol/key/KeyPair.kt b/paseto/src/main/kotlin/net/aholbrook/paseto/protocol/key/KeyPair.kt
@@ -8,9 +8,8 @@ import net.aholbrook.paseto.exception.KeyVersionException
 import net.aholbrook.paseto.exception.Pkcs12LoadException
 import net.aholbrook.paseto.protocol.Purpose
 import net.aholbrook.paseto.protocol.Version
-import java.io.FileInputStream
-import java.io.FileNotFoundException
 import java.io.IOException
+import java.io.InputStream
 import java.security.KeyStore
 import java.security.KeyStoreException
 import java.security.NoSuchAlgorithmException
@@ -105,11 +104,11 @@ class KeyPair(val secretKey: AsymmetricSecretKey?, val publicKey: AsymmetricPubl
         }
 
         /**
-         * Load an RSA key pair from a PKCS#12 keystore.
+         * Load an RSA key pair from a PKCS#12 keystore stream.
          *
          * This helper is intended for `v1.public` key material.
          *
-         * @param keystoreFile Path to `.p12`/`.pfx` file.
+         * @param input Stream providing the `.p12`/`.pfx` keystore data.
          * @param keystorePass Keystore password.
          * @param alias Alias containing key/certificate entries.
          * @param keyPass Private key password (defaults to [keystorePass]).
@@ -118,14 +117,14 @@ class KeyPair(val secretKey: AsymmetricSecretKey?, val publicKey: AsymmetricPubl
         @JvmStatic
         @JvmOverloads
         fun ofPkcs12(
-            keystoreFile: String,
+            input: InputStream,
             keystorePass: String,
             alias: String,
             keyPass: String = keystorePass,
         ): KeyPair {
             try {
                 val p12 = KeyStore.getInstance("PKCS12")
-                p12.load(FileInputStream(keystoreFile), keystorePass.toCharArray())
+                p12.load(input, keystorePass.toCharArray())
 
                 val privateKey = p12.getKey(alias, keyPass.toCharArray()) as? PrivateKey
                     ?: throw Pkcs12LoadException(Pkcs12LoadException.Reason.PRIVATE_KEY_NOT_FOUND)
@@ -137,8 +136,6 @@ class KeyPair(val secretKey: AsymmetricSecretKey?, val publicKey: AsymmetricPubl
                     AsymmetricSecretKey.ofRawBytes(privateKey.encoded, Version.V1),
                     AsymmetricPublicKey.ofRawBytes(publicKey.encoded, Version.V1),
                 )
-            } catch (e: FileNotFoundException) {
-                throw Pkcs12LoadException(e)
             } catch (e: CertificateException) {
                 throw Pkcs12LoadException(e) // Unlikely to ever throw.
             } catch (e: NoSuchAlgorithmException) {
diff --git a/paseto/src/test/kotlin/net/aholbrook/paseto/TestHelpers.kt b/paseto/src/test/kotlin/net/aholbrook/paseto/TestHelpers.kt
@@ -3,7 +3,7 @@ package net.aholbrook.paseto
 import net.aholbrook.paseto.protocol.Version
 import net.aholbrook.paseto.protocol.key.KeyPair
 import net.aholbrook.paseto.protocol.key.SymmetricKey
-import java.io.File
+import java.io.InputStream
 
 val keyV1Local by lazy { SymmetricKey.generate(Version.V1) }
 val keyV1Public by lazy { KeyPair.generate(Version.V1) }
@@ -15,18 +15,6 @@ val keyV4Local by lazy { SymmetricKey.generate(Version.V4) }
 val keyV4Public by lazy { KeyPair.generate(Version.V4) }
 
 object TestFiles {
-    fun p12ResourcePath(name: String): String {
-        val stream = TestFiles::class.java.getResourceAsStream("/p12/$name")
-            ?: error("Unable to find /p12/$name in test resources")
-        val temp = File.createTempFile(name.removeSuffix(".p12"), ".p12")
-        temp.deleteOnExit()
-
-        stream.use { input ->
-            temp.outputStream().use { output ->
-                input.copyTo(output)
-            }
-        }
-
-        return temp.path
-    }
+    fun p12ResourceStream(name: String): InputStream = TestFiles::class.java.getResourceAsStream("/p12/$name")
+        ?: error("Unable to find /p12/$name in test resources")
 }
diff --git a/paseto/src/test/kotlin/net/aholbrook/paseto/protocol/key/Pkcs12Tests.kt b/paseto/src/test/kotlin/net/aholbrook/paseto/protocol/key/Pkcs12Tests.kt
@@ -17,9 +17,8 @@ import org.junit.jupiter.api.Test
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.Arguments
 import org.junit.jupiter.params.provider.MethodSource
-import java.io.File
-import java.io.FileNotFoundException
 import java.io.IOException
+import java.io.InputStream
 import java.security.KeyStore
 import java.security.KeyStoreException
 import java.security.NoSuchAlgorithmException
@@ -31,7 +30,7 @@ class Pkcs12Tests {
     @Test
     fun pkcs12Load_withDefaultKeyPassword() {
         val keys = KeyPair.ofPkcs12(
-            keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+            input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
             keystorePass = "testtest",
             alias = "test",
         )
@@ -43,7 +42,7 @@ class Pkcs12Tests {
     @Test
     fun pkcs12Load_withExplicitKeyPassword() {
         val keys = KeyPair.ofPkcs12(
-            keystoreFile = TestFiles.p12ResourcePath("test_v1_rsa.p12"),
+            input = TestFiles.p12ResourceStream("test_v1_rsa.p12"),
             keystorePass = "password",
             alias = "test",
             keyPass = "password",
@@ -53,27 +52,11 @@ class Pkcs12Tests {
         keys.publicKey.version shouldBe Version.V1
     }
 
-    @Test
-    fun pkcs12Load_notFound() {
-        val missingFile = File.createTempFile("missing-p12", ".p12").apply { delete() }
-
-        val ex = shouldThrow<Pkcs12LoadException> {
-            KeyPair.ofPkcs12(
-                keystoreFile = missingFile.path,
-                keystorePass = "testtest",
-                alias = "test",
-                keyPass = "testtest",
-            )
-        }
-
-        ex.reason shouldBe Pkcs12LoadException.Reason.FILE_NOT_FOUND
-    }
-
     @Test
     fun pkcs12Load_wrongPassword() {
         val ex = shouldThrow<Pkcs12LoadException> {
             KeyPair.ofPkcs12(
-                keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+                input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
                 keystorePass = "wrong",
                 alias = "test",
                 keyPass = "testtest",
@@ -87,7 +70,7 @@ class Pkcs12Tests {
     fun pkcs12Load_wrongAlias() {
         val ex = shouldThrow<Pkcs12LoadException> {
             KeyPair.ofPkcs12(
-                keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+                input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
                 keystorePass = "testtest",
                 alias = "wrong",
                 keyPass = "testtest",
@@ -101,7 +84,7 @@ class Pkcs12Tests {
     fun pkcs12Load_wrongKeyPassword() {
         val ex = shouldThrow<Pkcs12LoadException> {
             KeyPair.ofPkcs12(
-                keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+                input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
                 keystorePass = "testtest",
                 alias = "test",
                 keyPass = "wrong",
@@ -115,7 +98,7 @@ class Pkcs12Tests {
     fun pkcs12Load_noCertificate() {
         val ex = shouldThrow<Pkcs12LoadException> {
             KeyPair.ofPkcs12(
-                keystoreFile = TestFiles.p12ResourcePath("test_v1_rsa_nopub.p12"),
+                input = TestFiles.p12ResourceStream("test_v1_rsa_nopub.p12"),
                 keystorePass = "password",
                 alias = "test",
                 keyPass = "password",
@@ -129,7 +112,7 @@ class Pkcs12Tests {
     fun pkcs12Load_corruptFile() {
         val ex = shouldThrow<Pkcs12LoadException> {
             KeyPair.ofPkcs12(
-                keystoreFile = TestFiles.p12ResourcePath("test_v1_rsa_corrupt.p12"),
+                input = TestFiles.p12ResourceStream("test_v1_rsa_corrupt.p12"),
                 keystorePass = "password",
                 alias = "test",
                 keyPass = "password",
@@ -147,7 +130,6 @@ class Pkcs12Tests {
         expected: Pkcs12LoadException.Reason,
     ) {
         val actual = when (cause) {
-            is FileNotFoundException -> Pkcs12LoadException(cause)
             is NoSuchAlgorithmException -> Pkcs12LoadException(cause)
             is UnrecoverableKeyException -> Pkcs12LoadException(cause)
             is CertificateException -> Pkcs12LoadException(cause)
@@ -175,7 +157,7 @@ class Pkcs12Tests {
             every { KeyStore.getInstance(any()) } throws KeyStoreException()
 
             val ex = shouldThrow<RuntimeException> {
-                KeyPair.ofPkcs12("", "", "", "")
+                KeyPair.ofPkcs12(InputStream.nullInputStream(), "", "", "")
             }
             withClue("check type KeyStoreException") {
                 (ex.cause is KeyStoreException) shouldBe true
@@ -190,7 +172,7 @@ class Pkcs12Tests {
 
             val ex = shouldThrow<Pkcs12LoadException> {
                 KeyPair.ofPkcs12(
-                    keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+                    input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
                     keystorePass = "testtest",
                     alias = "test",
                 )
@@ -208,7 +190,7 @@ class Pkcs12Tests {
 
             val ex = shouldThrow<Pkcs12LoadException> {
                 KeyPair.ofPkcs12(
-                    keystoreFile = TestFiles.p12ResourcePath("rfc_v1_rsa.p12"),
+                    input = TestFiles.p12ResourceStream("rfc_v1_rsa.p12"),
                     keystorePass = "testtest",
                     alias = "test",
                 )
@@ -222,11 +204,6 @@ class Pkcs12Tests {
     companion object {
         @JvmStatic
         fun reasonMappings(): Stream<Arguments> = Stream.of(
-            Arguments.of(
-                "FileNotFoundException -> FILE_NOT_FOUND",
-                FileNotFoundException(),
-                Pkcs12LoadException.Reason.FILE_NOT_FOUND,
-            ),
             Arguments.of(
                 "NoSuchAlgorithmException -> ALGORITHM_NOT_FOUND",
                 NoSuchAlgorithmException(),
