KAFKA-20440: PEM certificate support should not depend on PKCS12 #22182
Open
daguimu wants to merge 1 commit into apache:trunk from
DefaultSslEngineFactory.PemStore hardcoded "PKCS12" when constructing the in-memory key/trust store backing PEM-format certificates. That prevents using PEM in JVMs where the PKCS12 keystore type is disabled (for example FIPS-mode container images built on BouncyCastle), even though the in-memory KeyStore itself works with any default type. Use KeyStore.getDefaultType() in createKeyStoreFromPem and createTrustStoreFromPem so the keystore type follows the JVM configuration (still PKCS12 by default since JDK 9). Add tests asserting the resulting KeyStore reports the JVM-default type for both PEM key stores and PEM trust stores.
A label of 'needs-attention' was automatically added to this PR in order to raise the
Problem
DefaultSslEngineFactory.PemStore hardcodes "PKCS12" when creating the in-memory KeyStore that backs PEM-formatted key and trust material:
clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java:463 (createKeyStoreFromPem)
clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java:476 (createTrustStoreFromPem)
In JVMs where the PKCS12 keystore type is disabled (for example Chainguard FIPS container images that use BouncyCastle and disable PKCS12), this prevents PEM-format certificates from being used at all even though the in-memory keystore itself does not depend on PKCS12 specifically.
Root Cause
KeyStore.getInstance("PKCS12") is a hard-coded literal. There is no reason to pin the in-memory store type — the rest of the code only relies on the KeyStore API and works with any default keystore type the JVM provides.
Fix
Replace the two hard-coded "PKCS12" literals with KeyStore.getDefaultType(). On a default JVM the security property keystore.type is pkcs12 (since JDK 9), so existing users see no behavioural change. On a JVM where the operator has selected a different default type, PEM material now uses that type instead of failing.
Tests Added
createKeyStoreFromPem no longer hard-codes PKCS12: testPemKeyStoreUsesDefaultKeyStoreType() — asserts the keystore returned by factory.keystore() reports KeyStore.getDefaultType() as its type
createTrustStoreFromPem no longer hard-codes PKCS12: testPemTrustStoreUsesDefaultKeyStoreType() — asserts the truststore returned by factory.truststore() reports KeyStore.getDefaultType() as its type
testPemTrustStoreConfig*, testPemKeyStoreConfig*, testPemKeyStoreFile* tests continue to load aliases, certificates and private keys
Impact
SslConfigs.SSL_KEYSTORE_TYPE_CONFIG ≠ PEM): unaffected — this code path only handles PEM_TYPE.
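A diagnostic for the condition the description refers to, added here as an example and not taken from the PR or from Kafka: it reports which KeyStore types the running JVM offers and whether an empty in-memory store can be created from the literal "PKCS12" versus from KeyStore.getDefaultType(). The class name KeyStoreTypeCheck and its helper methods are hypothetical.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;

// Hypothetical helper class; run it inside the target image (for example a FIPS build).
public class KeyStoreTypeCheck {

    /** Every KeyStore type advertised by the security providers registered in this JVM. */
    static Set<String> availableTypes() {
        Set<String> types = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    types.add(s.getAlgorithm());
                }
            }
        }
        return types;
    }

    /** Creates an empty in-memory store of the given type, the way a PEM-backed store starts out. */
    static String tryEmptyStore(String type) {
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(null, null); // null stream: initialise an empty store, nothing is read from disk
            return "ok (provider " + ks.getProvider().getName() + ", type " + ks.getType() + ")";
        } catch (Exception e) {
            // KeyStoreException here means no registered provider supplies this type
            return "FAILED: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println("keystore.type property    : " + Security.getProperty("keystore.type"));
        System.out.println("KeyStore.getDefaultType() : " + KeyStore.getDefaultType());
        System.out.println("available KeyStore types  : " + availableTypes());
        System.out.println("hard-coded \"PKCS12\"       : " + tryEmptyStore("PKCS12"));
        System.out.println("JVM default type          : " + tryEmptyStore(KeyStore.getDefaultType()));
    }
}
```

If the "PKCS12" line fails while the default-type line succeeds, the JVM is in the configuration the description says blocks PEM material.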