Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Add pkcs12 key functionality #1599

Merged
merged 2 commits into from Nov 29, 2019
Merged

fix: Add pkcs12 key functionality #1599

merged 2 commits into from Nov 29, 2019

Conversation

davecramer
Copy link
Member

WIP
PBE-MD5-DES might be inadequate in environments where high level of security is needed and the key is not protected
pkcs12 uses 3DES which also isn't completely adequate but is certainly more secure than MD5-DES
needs documentation
Also it is possible to use stronger encryption in java 12

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

New Feature Submissions:

  1. Does your submission pass tests?
  2. Does mvn checkstyle:check pass ?
  3. Have you added your new test classes to an existing test suite in alphabetical order?

Changes to Existing Features:

  • Does this break existing behaviour? If so please explain.
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

@davecramer
fix: Add pkcs12 key functionality
3482a91 
WIP
PBE-MD5-DES might be inadequate in environments where high level of security is needed and the key is not protected
pkcs12 uses 3DES which also isn't completely adequate but is certainly more secure than MD5-DES
@AppVeyorBot
Copy link

Build pgjdbc 1.0.494 completed (commit 40d7cb7a51 by @davecramer)

@codecov-io
Copy link

codecov-io commented Nov 1, 2019
edited

Codecov Report

Merging #1599 into master will decrease coverage by 0.03%.
The diff coverage is 46.15%.

@@             Coverage Diff              @@
##             master    #1599      +/-   ##
============================================
- Coverage     68.87%   68.83%   -0.04%     
- Complexity     3983     4005      +22     
============================================
  Files           179      180       +1     
  Lines         16624    16699      +75     
  Branches       2708     2720      +12     
============================================
+ Hits          11450    11495      +45     
- Misses         3911     3945      +34     
+ Partials       1263     1259       -4

@AppVeyorBot
Copy link

Build pgjdbc 1.0.495 completed (commit 56e9b20a39 by @davecramer)

@davecramer davecramer merged commit 82c2008 into pgjdbc:master Nov 29, 2019
@davecramer davecramer deleted the encrypt branch November 29, 2019 15:01
vlsi
vlsi reviewed Feb 13, 2020
View reviewed changes
pgjdbc/src/main/java/org/postgresql/ssl/PKCS12KeyManager.java
// Sending a wrong certificate makes the connection rejected, even, if clientcert=0 in
// pg_hba.conf.
// therefore we only send our certificate, if the issuer is listed in issuers
X509Certificate[] certchain = getCertificateChain("user");
Copy link
Member

@vlsi vlsi Feb 13, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a good reason to hard-code this literal?
I think it must be moved to a static final constant with a comment then.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no good reason

vlsi
vlsi reviewed Feb 13, 2020
View reviewed changes
pgjdbc/src/test/java/org/postgresql/test/ssl/LazyKeyManagerTest.java
@Test
public void testLoadP12Key() throws Exception {
String certdir = "../certdir/";
PKCS12KeyManager pkcs12KeyManager = new PKCS12KeyManager(certdir + "goodclient.p12", new TestCallbackHandler("sslpwd"));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it is better to take sslpwd from the properties file.
Otherwise, the failures would be hard to analyze.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed

vlsi
vlsi reviewed Feb 13, 2020
View reviewed changes
pgjdbc/src/test/java/org/postgresql/test/ssl/LazyKeyManagerTest.java
public void testLoadP12Key() throws Exception {
String certdir = "../certdir/";
PKCS12KeyManager pkcs12KeyManager = new PKCS12KeyManager(certdir + "goodclient.p12", new TestCallbackHandler("sslpwd"));
PrivateKey pk = pkcs12KeyManager.getPrivateKey("user");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is unfortunate that getPrivateKey does not throw exceptions.
In other words, this method silently returns null, and the exception is not visible to the caller :(

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ya, very hard to debug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vlsi vlsi vlsi left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@davecramer @AppVeyorBot @codecov-io @vlsi