centralize PEM parsing logic

mkleene · mkleene · commit 21fd9fbb0e7d · 2026-05-11T16:05:34.000-04:00
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java b/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
@@ -6,6 +6,7 @@
 import java.math.BigInteger;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
+import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
@@ -16,6 +17,8 @@
 import java.security.spec.ECGenParameterSpec;
 import java.security.spec.ECParameterSpec;
 import java.security.spec.ECPoint;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 import java.util.Objects;
 
@@ -48,6 +51,13 @@ public ECKeyPair(ECCurve curve) {
         }
     }
 
+    static ECPublicKey publicKeyFromPem(String pem) throws InvalidKeySpecException, NoSuchAlgorithmException {
+        String pemData = pem.replaceAll("-----(BEGIN|END) [A-Z ]+-----", "").replaceAll("\\s", "");
+        byte[] der = Base64.getDecoder().decode(pemData);
+        KeyFactory keyFactory = KeyFactory.getInstance("EC");
+        return (ECPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(der));
+    }
+
     public ECPublicKey getPublicKey() {
         return (ECPublicKey) this.keyPair.getPublic();
     }
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java b/sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java
@@ -183,11 +183,7 @@ public byte[] unwrap(Manifest.KeyAccess keyAccess, String policy,  KeyType sessi
             var kasEphemeralPublicKey = response.getSessionPublicKey();
             ECPublicKey publicKey;
             try {
-                byte[] der = Base64.getDecoder().decode(kasEphemeralPublicKey
-                        .replaceAll("-----[^-]+-----", "")
-                        .replaceAll("\\s+", ""));
-                publicKey = (ECPublicKey) KeyFactory.getInstance("EC")
-                        .generatePublic(new X509EncodedKeySpec(der));
+                publicKey = ECKeyPair.publicKeyFromPem(kasEphemeralPublicKey);
             } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                 throw new SDKException("error decoding KAS session public key", e);
             }
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/TDF.java b/sdk/src/main/java/io/opentdf/platform/sdk/TDF.java
@@ -249,11 +249,7 @@ private ECKeyWrappedKeyInfo createECWrappedKey(Config.KASInfo kasInfo,
 
             ECPublicKey kasPubKey;
             try {
-                byte[] der = Base64.getDecoder().decode(kasInfo.PublicKey
-                        .replaceAll("-----[^-]+-----", "")
-                        .replaceAll("\\s+", ""));
-                kasPubKey = (ECPublicKey) KeyFactory.getInstance("EC")
-                        .generatePublic(new X509EncodedKeySpec(der));
+                kasPubKey = ECKeyPair.publicKeyFromPem(kasInfo.PublicKey);
             } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                 throw new SDKException("error decoding KAS EC public key", e);
             }
