From 2e35a68d22f21a1a38d61225c99ea0e41447d09f Mon Sep 17 00:00:00 2001
From: Jarek Kowalski
Date: Wed, 2 Nov 2022 22:29:12 +0000
Subject: [PATCH] Do not reuse KeyFactory instance after a failure. Fixes #4509 This took a while to find the root cause: The internal SPI fallback logic inside `KeyFactory.generatePrivate()` has the weird side effect of latching onto the LAST registered provider (which in our case was Cavium) after `InvalidKeySpecException` is thrown. This choice is sticky for a single instance of KeyFactory and the fix for our issue is to get fresh `KeyFactory` instance when retrying.
---
 .../io/fabric8/kubernetes/client/internal/CertUtils.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
index f067a896abd..972faa998ff 100644
--- a/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
+++ b/kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java
@@ -167,14 +167,13 @@ public PrivateKey call() {
 private static PrivateKey handleOtherKeys(InputStream keyInputStream, String clientKeyAlgo) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
 byte[] keyBytes = decodePem(keyInputStream);
- KeyFactory keyFactory = KeyFactory.getInstance(clientKeyAlgo);
 try {
 // First let's try PKCS8
- return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
+ return KeyFactory.getInstance(clientKeyAlgo).generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
 } catch (InvalidKeySpecException e) {
 // Otherwise try PKCS8
 RSAPrivateCrtKeySpec keySpec = PKCS1Util.decodePKCS1(keyBytes);
- return keyFactory.generatePrivate(keySpec);
+ return KeyFactory.getInstance(clientKeyAlgo).generatePrivate(keySpec);
 }
 }
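Review bot: The reason `KeyFactory.getInstance(clientKeyAlgo)` is now called separately in the `try` and in the `catch` of `handleOtherKeys` is recorded only in the commit message, so a later cleanup could hoist it back into a shared local and bring back the provider latching from #4509. I would put a comment above the `try`, for example `// Use a fresh KeyFactory per attempt: after InvalidKeySpecException an instance stays bound to the provider it fell back to (#4509).` The comment in the catch branch, `// Otherwise try PKCS8`, sits above a PKCS#1 decode (`PKCS1Util.decodePKCS1`) and should read `// Otherwise try PKCS1`. The fallback also drops `e`, so when the second attempt fails the PKCS#8 failure is lost; attaching it with `addSuppressed` would keep both causes in the trace.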