schahal opened a new issue #6690: Pulsar proxy with TLS enabled not ignoring 
attribute fields in private key (loadPrivateKeyFromPemFile()) 
URL: https://github.com/apache/pulsar/issues/6690
 
 
   **Describe the bug**
   
   There are cases when a private key pem file (e.g., when [converting a 
pkcs#12 pair to pem](https://security.stackexchange.com/a/191120)) may be of 
the format:
   ```
   Bag Attributes
       friendlyName: *.example.com
       localKeyID: <redacted>
   Key Attributes: <No Attributes>
   -----BEGIN PRIVATE KEY-----
   <redacted>
   -----END PRIVATE KEY-----
   ```
   
   As a result, the client can't complete the TLS connection... from client:
   ```
   ERROR ClientConnection:388 | ... Handshake failed: Connection reset by peer
   ```
   **To Reproduce**
   
   1. Enable pulsar-proxy with TLS enabled
   2. Import your tls.crt and tls.key k8s secrets (import the cert), with the key 
being in the format described above
   3. Try to connect via `pulsar+ssl` with your client
   4. See the error:
   
   From client
   ```
   2020-04-07 07:15:22.782 INFO  ConnectionPool:85 | Created connection for pulsar+ssl://<redacted>:6651
   2020-04-07 07:15:23.051 INFO  ClientConnection:330 | ... Connected to broker
   2020-04-07 07:15:23.256 ERROR ClientConnection:388 | ... Handshake failed: Connection reset by peer
   2020-04-07 07:15:23.256 INFO  ClientConnection:1349 | ... Connection closed
   ```
   
   From server:
   ```
   13:45:03.437 [pulsar-proxy-io-2-1] WARN  io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x488d7794, L:/<redacted>]
   java.lang.IllegalArgumentException: Illegal base64 character 20
       at java.util.Base64$Decoder.decode0(Base64.java:714) ~[?:1.8.0_232]
       at java.util.Base64$Decoder.decode(Base64.java:526) ~[?:1.8.0_232]
       at java.util.Base64$Decoder.decode(Base64.java:549) ~[?:1.8.0_232]
       at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:206) ~[org.apache.pulsar-pulsar-common-2.4.2.jar:2.4.2]
   ```
   
   **Expected behavior**
   
   As with other servers such as nginx, it should be able to load the key 
appropriately even in this format. After applying the workaround (see "Workaround" 
below), it works:
   ```
   2020-04-07 16:59:41.336 INFO  ConnectionPool:85 | Created connection for pulsar+ssl://<redacted>:6651
   2020-04-07 16:59:41.536 INFO  ClientConnection:330 | [<redacted>:<redacted> -> <redacted>:6651] Connected to broker
   2020-04-07 16:59:42.358 INFO  HandlerBase:53 | [persistent://<tenant>/<ns>/<topic>, ] Getting connection from pool
   2020-04-07 16:59:42.572 INFO  ConnectionPool:85 | Created connection for pulsar://<redacted>:6650
   2020-04-07 16:59:42.765 INFO  ClientConnection:332 | [<redacted>:<redacted> -> <redacted>:6651] Connected to broker through proxy. Logical broker: pulsar://<redacted>:6650
   ```
   
   **Desktop (Environment):**
    - OS: Ubuntu 18.04
    - Kubernetes 1.15
    - Pulsar v2.4.2
   
   ### Workaround
   
   Make sure the private key begins and ends with `-----BEGIN` and `-----END`, 
respectively, and restart the pulsar-proxy.
   
   ### Proposed Solution
   
   In https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java#L251-279, change:
   ```
               // Skip the first line (-----BEGIN RSA PRIVATE KEY-----)
               reader.readLine();
               while ((currentLine = reader.readLine()) != null) {
                   sb.append(previousLine);
                   previousLine = currentLine;
               }
               // Skip the last line (-----END RSA PRIVATE KEY-----)
   
   ```
   ... to something like:
   ```
               // Skip any leading text (e.g. "Bag Attributes", "Key Attributes")
               // up to and including the BEGIN line, eg: "-----BEGIN RSA PRIVATE KEY-----"
               while ((currentLine = reader.readLine()) != null
                       && !currentLine.startsWith("-----BEGIN")) {
                   // attribute line, ignore it
               }

               // Collect body lines, stopping at the END line (-----END RSA PRIVATE KEY-----)
               // so anything after it is ignored as well
               while ((currentLine = reader.readLine()) != null
                       && !currentLine.startsWith("-----END")) {
                   sb.append(currentLine);
               }
   ```
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

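The following is an added example, not code from the issue or from the Pulsar code base. It is a plain-Java PEM reader that skips the `Bag Attributes` / `Key Attributes` header `openssl pkcs12` emits before the `-----BEGIN` marker and stops at the `-----END` marker, alongside a naive "skip first line, take the rest" reader that reproduces the failure the issue reports. The class name `PemBagAttributes`, the method names, and the `friendlyName` / `localKeyID` values in the sample are assumptions; the key is generated at run time rather than taken from the page, and the sample PEM text is constructed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example (not Pulsar code): tolerant PEM block extraction.
public class PemBagAttributes {

    // Returns the DER bytes of the first PEM block in `pem`, ignoring any
    // text before "-----BEGIN" and after "-----END". Throws if either
    // marker is missing, instead of feeding garbage to the base64 decoder.
    static byte[] readFirstPemBlock(String pem) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new StringReader(pem))) {
            String line;
            // Skip attribute lines (Bag Attributes, friendlyName, localKeyID, ...)
            // up to and including the BEGIN marker.
            do {
                line = reader.readLine();
                if (line == null) {
                    throw new IOException("no -----BEGIN marker found");
                }
            } while (!line.trim().startsWith("-----BEGIN"));

            // Collect base64 lines until the END marker.
            boolean terminated = false;
            while ((line = reader.readLine()) != null) {
                line = line.trim();
                if (line.startsWith("-----END")) {
                    terminated = true;
                    break;
                }
                if (!line.isEmpty()) {
                    sb.append(line);
                }
            }
            if (!terminated) {
                throw new IOException("no -----END marker found");
            }
        }
        return Base64.getDecoder().decode(sb.toString());
    }

    // Loads an unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----").
    static PrivateKey loadPkcs8PrivateKey(String pem, String algorithm) throws Exception {
        byte[] der = readFirstPemBlock(pem);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway RSA key wrapped the way
        // `openssl pkcs12 -nocerts -nodes` prints it (assumed attribute values).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(kp.getPrivate().getEncoded());
        String pemWithBag = "Bag Attributes\n"
                + "    friendlyName: *.example.com\n"
                + "    localKeyID: 01 02 03 04\n"
                + "Key Attributes: <No Attributes>\n"
                + "-----BEGIN PRIVATE KEY-----\n"
                + body + "\n"
                + "-----END PRIVATE KEY-----\n";

        // Naive reader in the spirit of the issue: drop the first and last line,
        // decode the rest. The indented attribute lines are not base64.
        try {
            String[] lines = pemWithBag.split("\n");
            StringBuilder naive = new StringBuilder();
            for (int i = 1; i < lines.length - 1; i++) {
                naive.append(lines[i]);
            }
            Base64.getDecoder().decode(naive.toString());
            System.out.println("naive: unexpectedly decoded");
        } catch (IllegalArgumentException e) {
            System.out.println("naive: " + e.getMessage());
        }

        // Tolerant reader: locates the block and round-trips the key.
        PrivateKey key = loadPkcs8PrivateKey(pemWithBag, "RSA");
        System.out.println("tolerant: loaded " + key.getAlgorithm() + " key, matches generated: "
                + Arrays.equals(key.getEncoded(), kp.getPrivate().getEncoded()));
    }
}
```

The example only covers unencrypted PKCS#8 blocks; PKCS#1 (`-----BEGIN RSA PRIVATE KEY-----`) and encrypted keys need a different key spec and are left out here. The point the issue makes survives either way: locate the block by its markers rather than by line position, and fail loudly when a marker is absent instead of letting the base64 decoder produce a confusing "Illegal base64 character" error.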