Do not reuse KeyFactory instance after a failure.

Fixes fabric8io#4509 This took a while to find the root cause: The internal SPI fallback logic inside `KeyFactory.generatePrivate()` has the weird side effect of latching onto the LAST registered provider (which in our case was Cavium) after `InvalidKeySpecException` is thrown. This choice is sticky for a single instance of KeyFactory and the fix for our issue is to get fresh `KeyFactory` instance when retrying.
sfc-gh-jkowalski · Nov 2, 2022 · 2e35a68 · 2e35a68
1 parent 43af167
commit 2e35a68
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
@@ -167,14 +167,13 @@ public PrivateKey call() {
 
   private static PrivateKey handleOtherKeys(InputStream keyInputStream, String clientKeyAlgo) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
     byte[] keyBytes = decodePem(keyInputStream);
-    KeyFactory keyFactory = KeyFactory.getInstance(clientKeyAlgo);
     try {
       // First let's try PKCS8
-      return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
+      return KeyFactory.getInstance(clientKeyAlgo).generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
     } catch (InvalidKeySpecException e) {
       // Otherwise try PKCS8
       RSAPrivateCrtKeySpec keySpec = PKCS1Util.decodePKCS1(keyBytes);
-      return keyFactory.generatePrivate(keySpec);
+      return KeyFactory.getInstance(clientKeyAlgo).generatePrivate(keySpec);
     }
   }