Merge pull request #1275 from zhicwu/main

Fix incorrect algorithm extracted from PEM

Author: zhicwu

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### Bug Fixes
 * error while converting Nested values to Java maps.
+* incorrect algorithm extracted from PEM. [#1274](https://github.com/ClickHouse/clickhouse-java/issues/1274)
 
 ## 0.4.1, 2023-02-19
 ### Breaking Changes

clickhouse-client/src/main/java/com/clickhouse/client/config/ClickHouseDefaultSslContextProvider.java

@@ -9,6 +9,7 @@
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
 import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
@@ -32,8 +33,9 @@
 import com.clickhouse.data.ClickHouseUtils;
 
 public class ClickHouseDefaultSslContextProvider implements ClickHouseSslContextProvider {
-    static final String PEM_BEGIN_PART1 = "---BEGIN ";
-    static final String PEM_BEGIN_PART2 = " PRIVATE KEY---";
+    static final String PEM_HEADER_PREFIX = "---BEGIN ";
+    static final String PEM_HEADER_SUFFIX = " PRIVATE KEY---";
+    static final String PEM_FOOTER_PREFIX = "---END ";
 
     /**
      * An insecure {@link javax.net.ssl.TrustManager}, that don't validate the
@@ -58,10 +60,41 @@ public void checkServerTrusted(X509Certificate[] certs, String authType) {
         }
     }
 
-    protected KeyStore getKeyStore(String cert, String key)
-            throws NoSuchAlgorithmException, InvalidKeySpecException, IOException, CertificateException,
-            KeyStoreException {
-        KeyStore ks;
+    static String getAlgorithm(String header, String defaultAlg) {
+        int startIndex = header.indexOf(PEM_HEADER_PREFIX);
+        int endIndex = startIndex < 0 ? startIndex
+                : header.indexOf(PEM_HEADER_SUFFIX, (startIndex += PEM_HEADER_PREFIX.length()));
+        return startIndex < endIndex ? header.substring(startIndex, endIndex) : defaultAlg;
+    }
+
+    static PrivateKey getPrivateKey(String keyFile)
+            throws NoSuchAlgorithmException, InvalidKeySpecException, IOException {
+        String algorithm = (String) ClickHouseDefaults.SSL_KEY_ALGORITHM.getEffectiveDefaultValue();
+        StringBuilder builder = new StringBuilder();
+        try (BufferedReader reader = new BufferedReader(
+                new InputStreamReader(ClickHouseUtils.getFileInputStream(keyFile)))) {
+            String line = reader.readLine();
+            if (line != null) {
+                algorithm = getAlgorithm(line, algorithm);
+
+                while ((line = reader.readLine()) != null) {
+                    if (line.indexOf(PEM_FOOTER_PREFIX) >= 0) {
+                        break;
+                    }
+
+                    builder.append(line);
+                }
+            }
+        }
+        byte[] encoded = Base64.getDecoder().decode(builder.toString());
+        KeyFactory kf = KeyFactory.getInstance(algorithm);
+        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
+        return kf.generatePrivate(keySpec);
+    }
+
+    protected KeyStore getKeyStore(String cert, String key) throws NoSuchAlgorithmException, InvalidKeySpecException,
+            IOException, CertificateException, KeyStoreException {
+        final KeyStore ks;
         try {
             ks = KeyStore.getInstance(KeyStore.getDefaultType());
             ks.load(null, null); // needed to initialize the key store
@@ -79,33 +112,8 @@ protected KeyStore getKeyStore(String cert, String key)
                     ks.setCertificateEntry("cert" + (index++), c);
                 }
             } else {
-                String algorithm = (String) ClickHouseDefaults.SSL_KEY_ALGORITHM.getEffectiveDefaultValue();
-                StringBuilder builder = new StringBuilder();
-                try (BufferedReader reader = new BufferedReader(
-                        new InputStreamReader(ClickHouseUtils.getFileInputStream(key)))) {
-                    String str;
-                    boolean started = false;
-                    while ((str = reader.readLine()) != null) {
-                        if (!started) {
-                            int startIndex = str.indexOf(PEM_BEGIN_PART1);
-                            int endIndex = startIndex < 0 ? -1
-                                    : str.indexOf(PEM_BEGIN_PART2, (startIndex += PEM_BEGIN_PART1.length() - 1));
-                            if (startIndex < endIndex) {
-                                algorithm = str.substring(startIndex, endIndex);
-                            }
-                            started = true;
-                        } else if (str.indexOf("---END ") < 0) {
-                            builder.append(str);
-                        } else {
-                            break;
-                        }
-                    }
-                }
-                byte[] encoded = Base64.getDecoder().decode(builder.toString());
-                KeyFactory kf = KeyFactory.getInstance(algorithm);
-                PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encoded);
                 Certificate[] certChain = factory.generateCertificates(in).toArray(new Certificate[0]);
-                ks.setKeyEntry("key", kf.generatePrivate(keySpec), null, certChain);
+                ks.setKeyEntry("key", getPrivateKey(key), null, certChain);
             }
         }
         return ks;

clickhouse-client/src/test/java/com/clickhouse/client/config/ClickHouseDefaultSslContextProviderTest.java

@@ -0,0 +1,22 @@
+package com.clickhouse.client.config;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+public class ClickHouseDefaultSslContextProviderTest {
+    @Test(groups = { "unit" })
+    public void testGetAlgorithm() {
+        Assert.assertEquals(ClickHouseDefaultSslContextProvider.getAlgorithm("", null), null);
+        Assert.assertEquals(ClickHouseDefaultSslContextProvider.getAlgorithm("---BEGIN ", "x"), "x");
+        Assert.assertEquals(ClickHouseDefaultSslContextProvider.getAlgorithm("---BEGIN PRIVATE KEY---", "x"), "x");
+        Assert.assertEquals(ClickHouseDefaultSslContextProvider.getAlgorithm("---BEGIN  PRIVATE KEY---", "x"), "x");
+        Assert.assertEquals(ClickHouseDefaultSslContextProvider.getAlgorithm("-----BEGIN RSA PRIVATE KEY-----", ""),
+                "RSA");
+    }
+
+    @Test(groups = { "unit" })
+    public void testGetPrivateKey() throws Exception {
+        // openssl genpkey -out pkey4test.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048
+        Assert.assertNotNull(ClickHouseDefaultSslContextProvider.getPrivateKey("pkey4test.pem"));
+    }
+}

clickhouse-client/src/test/resources/pkey4test.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFmoBf9QrRl8Hs
+9i3CBxkg+nqc56S7/zK1tCNBma8/DVzMnZlSBRNxrR2xydRp76Yq3ZWcsjZs/UNv
+RTWQDnTrzbJgyOLixTwOWHcGBRI1YmZmg1PtCfzMW7dE3het5ayBuv8chtfkF/cZ
+II0uSm55C9txDBkGLCnRtxN25GFbS+1kgBQIAUBWUWRjij7xY/J8Kdl1j8SVRp3D
+x8kBRp1Obdt2m33j3bw9kX5D5b0GYI1e2t4E5EZcjaMgd0fuXuCYvdYciGCXBXh5
+hVVDIj+OUSqT3hLIsLx+4Y2g5geMvg7RPWv+lJava4EHdx1loQTxSQjqm2Oyt7Zw
+sxkxOfI/AgMBAAECggEBALj899tdQoCOiqy0lofDL2IxO6IyNYUN1sJGXo8mOepU
+LyEbFRK0z8wm3dq38NQv1ybgBBUKvWrw+jVr3EX9UrYB/lEfH1BehueDKAIJs08o
+zGaB4YrSQ8howDyHkjFpB0L39aYWEnxldx0d3S2N3rgRQqElSzP9GjVLJ7yw9veI
+iNkopo5+iJS5481EJfn4qcseD86nejmU197wLVEvqSI24vXlLp00Ycb6q1FefLb3
+Naa2q4meETO0EdkDocluOcqCxg3W6mDUiIINB646KK0H+rEh9SzpJgiMRSZJNJlv
+KK0tSrQz1zHFsJpLEBikSQ3YDoIWVQ32FBCtxOGlGBkCgYEA+Wozm8Ci0RzuBGac
+/BI523sTOT3OOAVsSwQjCS7DvrIQmbxO8PeHVpYSoMVSWcvFCJ5ypICtvI47pmWN
+gJoObHOoGNotiJkzYrbmetZ9KlRp9L+nZ+Iyp+/cjyw+Z5nIEQFF9bD8c4YZJvSj
+DReC/fe6CNco7dRcz1hdfmxbzusCgYEAytIbPBFjTbV+y393TS+TW0fwdrsnRuaJ
+rH9YDmpY3foibUgv1StynLOZLR2H4itXIbQNALbIOXn6lyCo0Q89zSWhEUvlzVTk
+8ZGtmrmLzCnhxTgStQCx5lYN4xGZvSvODiaZCHdicFbHOE4SbfbIoOAkmjKhIl61
+BZoNVl/mXP0CgYB+kvnr4h/+tYrJKvYiKnG4Q8Zmt0nvPjlN/KR3JYdrQFySWHFL
+cqL5OyHq+ximv3WXwSl2+GKzHQ+Ci2j7SbNmMG+vZRHUj8L3JtDip/VPRRWcgqLH
+YpDIjz7EXfSxiOZyUs4ZOJ91VSlwjpgsrbDpiA2eLOr1f182Tqbr4LvazwKBgBXx
+GQUslGOpyOfXCF8PUI/Ffpw5rwwakLZaqHoWwzpwfxz3fEVBiAqv21hoI3UyXyDE
+S8vR+mNNcPC8lcbYMUVqVrx6S4glMQd5TSC6Bge2WDhv0oZGZviWQrZYBxvSC164
+ikHCOKISoUbUG2ZOFnJhDVSpOYlwWYEbo2m+wjs5AoGBAOZVvkBTE8276EyZl6K/
+x589Cs2y2o6PHpWlyJtrDdK5mE8D3c6ptu40/QTwPhclGi/r7C+FWRR2y/uV3DEa
+OVXWxSC3+auv/ZeprB3Gy0U+B0DdZFBVgDWo4KvHc3d+kNLvYyovZi9Hz+qE6qRW
+g/eCnIZBYF2ujc0yjK/lGhyC
+-----END PRIVATE KEY-----