[fix][client] Support for PKCS#8 private key

[izumo27]

Motivation

When attempting to load an RSA private key in PKCS#8 format for message encryption, the key loading fails.

Modifications

When the RSA private key is in PKCS#1 format (begin with BEGIN RSA PRIVATE KEY), the type of pemObj is PEMKeyPair.

• pulsar/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java

  Line 238 in 200c925

  Object pemObj = pemReader.readObject();

• https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L120
• https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L153-L216
  • https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L95
  • https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L65
• https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L191

However, When the RSA private key is in PKCS#8 format (begin with BEGIN PRIVATE KEY), BouncyCastle utilizes PrivateKeyParser, resulting in the type of pemObj being PrivateKeyInfo.

• https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L567-L578
  • https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L99
  • https://github.com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L69
• https://github.com/bcgit/bc-java/blob/r1rv75/pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java#L572

Verifying this change

• Make sure that the change passes the CI checks.

This change added tests and can be verified as follows:

• Add a PKCS#8 private key for testing

If the box was checked, please highlight the changes

• Dependencies (add or upgrade a dependency)
• The public API
• The schema
• The default values of configurations
• The threading model
• The binary protocol
• The REST endpoints
• The admin CLI options
• The metrics
• Anything that affects deployment

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

Matching PR in forked repository

PR in forked repository:

• [fix][client] Support for PKCS#8 private key izumo27/pulsar#2
• [fix][client] Failed test PKCS#8 izumo27/pulsar#3 (test failure before this modification)

[Technoboy-]

We should keep the original test with x.pemkey.

[izumo27]

We should keep the original test with x.pemkey.

In testRSAEncryption, producer and producer2 use the same key, so it looks like producer2 is not needed.

pulsar/pulsar-broker/src/test/java/org/apache/pulsar/client/api/SimpleProducerConsumerTest.java

Lines 2780 to 2783 in 529e1ab

	Producer<byte[]> producer = pulsarClient.newProducer().topic("persistent://my-property/my-ns/myrsa-topic1")
	.addEncryptionKey("client-rsa.pem").cryptoKeyReader(new EncKeyReader()).create();
	Producer<byte[]> producer2 = pulsarClient.newProducer().topic("persistent://my-property/my-ns/myrsa-topic1")
	.addEncryptionKey("client-rsa.pem").cryptoKeyReader(new EncKeyReader()).create();

Actually, in ECDSA's test, there is only one producer.

pulsar/pulsar-broker/src/test/java/org/apache/pulsar/client/api/SimpleProducerConsumerTest.java

Lines 2701 to 2703 in 529e1ab

	Producer<byte[]> cryptoProducer = pulsarClient.newProducer()
	.topic(topicName).addEncryptionKey("client-ecdsa.pem")
	.cryptoKeyReader(new EncKeyReader()).create();

[izumo27]

I missed many tests using private-key.client-rsa.pem.
I modified them.

[izumo27]

PTAL, thanks. @Technoboy-