change certAndKey from string to inputstream

google-http-client/src/main/java/com/google/api/client/util/SecurityUtils.java

@@ -263,51 +263,48 @@ public static void loadKeyStoreFromCertificates(
   /**
    * Create a keystore for mutual TLS with the certificate and private key provided.
    *
-   * <p>certAndKey should have the following format:
-   *
-   * <pre>
-   * -----BEGIN CERTIFICATE-----
-   * ......
-   * -----END CERTIFICATE------
-   * ----BEGIN PRIVATE KEY-----
-   * ......
-   * -----END PRIVATE KEY-----
-   * </pre>
-   *
-   * @param certAndKey Concatenation of a x509 certificate PEM string and a PKCS#8 unencrypted
-   *     private key PEM string.
+   * @param certAndKey Certificate and private key input stream. The stream should contain one
+   *     certificate and one unencrypted private key. If there are multiple certificates, only the
+   *     first certificate will be used.
    * @return keystore for mutual TLS.
    */
-  public static KeyStore createMtlsKeyStore(String certAndKey)
+  public static KeyStore createMtlsKeyStore(InputStream certAndKey)
       throws GeneralSecurityException, IOException {
     KeyStore keystore = KeyStore.getInstance("JKS");
-    try {
-      keystore.load(null);
-    } catch (IOException ignored) {
-      // shouldn't throw any exception to load a null keystore.
-    }
+    keystore.load(null);
+
+    PemReader.Section certSection = null;
+    PemReader.Section keySection = null;
+    PemReader reader = new PemReader(new InputStreamReader(certAndKey));
+
+    while (certSection == null || keySection == null) {
+      // Read the certificate and private key.
+      PemReader.Section section = reader.readNextSection();
+      if (section == null) {
+        break;
+      }
 
-    byte[] certAndKeyBytes = certAndKey.getBytes();
+      if ("CERTIFICATE".equals(section.getTitle())) {
+        certSection = section;
+      } else if ("PRIVATE KEY".equals(section.getTitle())) {
+        keySection = section;
+      }
+    }
 
-    // Read the certificate.
-    InputStreamReader reader = new InputStreamReader(new ByteArrayInputStream(certAndKeyBytes));
-    PemReader.Section section = PemReader.readFirstSectionAndClose(reader, "CERTIFICATE");
-    if (section == null) {
+    if (certSection == null) {
       throw new IllegalArgumentException("certificate is missing from certAndKey string");
     }
+    if (keySection == null) {
+      throw new IllegalArgumentException("private key is missing from certAndKey string");
+    }
+
     CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
     X509Certificate cert =
         (X509Certificate)
             certFactory.generateCertificate(
-                new ByteArrayInputStream(section.getBase64DecodedBytes()));
+                new ByteArrayInputStream(certSection.getBase64DecodedBytes()));
 
-    // Read the private key.
-    reader = new InputStreamReader(new ByteArrayInputStream(certAndKeyBytes));
-    section = PemReader.readFirstSectionAndClose(reader, "PRIVATE KEY");
-    if (section == null) {
-      throw new IllegalArgumentException("private key is missing from certAndKey string");
-    }
-    PKCS8EncodedKeySpec keySpecPKCS8 = new PKCS8EncodedKeySpec(section.getBase64DecodedBytes());
+    PKCS8EncodedKeySpec keySpecPKCS8 = new PKCS8EncodedKeySpec(keySection.getBase64DecodedBytes());
     PrivateKey key =
         KeyFactory.getInstance(cert.getPublicKey().getAlgorithm()).generatePrivate(keySpecPKCS8);
 

google-http-client/src/test/java/com/google/api/client/util/SecurityUtilsTest.java

@@ -21,6 +21,7 @@
 import com.google.api.client.testing.util.SecurityTestUtils;
 import com.google.common.io.Resources;
 import java.io.ByteArrayInputStream;
+import java.io.InputStream;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
@@ -170,8 +171,10 @@ public void testVerifyX509WrongCa() throws Exception {
   }
 
   public void testCreateMtlsKeyStoreNoCert() throws Exception {
-    URL url = getClass().getClassLoader().getResource("com/google/api/client/util/privateKey.pem");
-    final String certMissing = Resources.toString(url, StandardCharsets.UTF_8);
+    final InputStream certMissing =
+        getClass()
+            .getClassLoader()
+            .getResourceAsStream("com/google/api/client/util/privateKey.pem");
     IllegalArgumentException exception =
         assertThrows(
             IllegalArgumentException.class,
@@ -187,8 +190,8 @@ public void run() throws Throwable {
   }
 
   public void testCreateMtlsKeyStoreNoPrivateKey() throws Exception {
-    URL url = getClass().getClassLoader().getResource("com/google/api/client/util/cert.pem");
-    final String privateKeyMissing = Resources.toString(url, StandardCharsets.UTF_8);
+    final InputStream privateKeyMissing =
+        getClass().getClassLoader().getResourceAsStream("com/google/api/client/util/cert.pem");
     IllegalArgumentException exception =
         assertThrows(
             IllegalArgumentException.class,
@@ -210,7 +213,9 @@ public void testCreateMtlsKeyStoreSuccess() throws Exception {
     url = getClass().getClassLoader().getResource("com/google/api/client/util/privateKey.pem");
     String privateKey = Resources.toString(url, StandardCharsets.UTF_8);
 
-    String certAndKey = cert + "\n" + privateKey;
+    String certAndKeyString = privateKey + "\n" + cert;
+    ByteArrayInputStream certAndKey = new ByteArrayInputStream(certAndKeyString.getBytes());
+
     KeyStore mtlsKeyStore = SecurityUtils.createMtlsKeyStore(certAndKey);
 
     assertEquals(mtlsKeyStore.size(), 1);