When reading PrivateKey from a PEM file, add support for stronger encryption variants

[dalvizu]

Problem

The Java SDK only supports reading encrypted PEM keys that use the aes-128-CBC cipher and hmac sha256 algorithm.

I circulated this internally with then Hedera employees -

@nathanklick : "We should support both AES_128 and AES-256, and permit stronger variants like SHA-384, SHA-512, SHA3-224, or any of the other Variants. We should support decrypting a supplied key as longa s we have the algorithms available to do so. We gain no protection by disallowing decryption of a insecurely encrypted private key that is already exposed on disk."

@lbaird : "I agree that we should be able to read weakly-encrypted keys. And we should be creating strongly-encrypted keys.

"For CNSA compliance (which the platform itself follows), you need AES-256 (not 128) and SHA-384 (not 256)."

Solution

It looks like simply removing these checks doesn't solve the problem - they are defensive checks as the algorithm and cipher itself are hard coded e.g:

https://github.com/hashgraph/hedera-sdk-java/blob/main/sdk/src/main/java/com/hedera/hashgraph/sdk/Pem.java#L172

As we are already delegating to Bouncy Castle, can we simply delegate this like to PEMParser like we do in hedera-services:

https://github.com/hashgraph/hedera-services/blob/49b2e6bd844166a16ac6ca02358bd42f084f3e7c/hapi-utils/src/main/java/com/hedera/services/keys/Ed25519Utils.java#L74

Alternatives

When working with the SDK I have to decrypt my certificates password myself. This works but it is definitely not a pleasant experience and these are things I'd love to see the SDK support.