[
https://issues.apache.org/jira/browse/KAFKA-20440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mickael Maison reassigned KAFKA-20440:
--------------------------------------
Assignee: Jakub Scholz
> PEM certificate support should not depend on PKCS12
> ---------------------------------------------------
>
> Key: KAFKA-20440
> URL: https://issues.apache.org/jira/browse/KAFKA-20440
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 4.2.0
> Reporter: Jakub Scholz
> Assignee: Jakub Scholz
> Priority: Major
>
> Currently, when using PEM certificates with Kafka, the {{PemStore}} class
> will create an in-memory PKCS12 store and add the PEM
> certificates/private/public keys to it. And then it will use the PKCS12
> in-memory store. The PKCS12 keystore type is hardcoded in the code.
> Because the store type is hardcoded, it means that PEM format cannot be used
> in Java virtual machines where PKCS12 stores are disabled. An example of such
> an environment is when running Kafka / Kafka clients with the Chainguard FIPS
> container images that are built on top of the BouncyCastle library, and where
> the PKCS12 store support is disabled.
> There does not seem to be any reason why the PKCS12 store type should be
> hardcoded. Kafka relies on the Java Keystore API to create the in-memory
> keystore and is able to use it with different store types as well. The
> {{PemStore}} class can use the default store type instead
> ({{KeyStore.getDefaultType()}}). That way, it would provide more
> flexibility and independence from the exact JVM configuration it is being used
> with. At the same time, it should continue to work for the existing users the
> same way as before.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
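To illustrate the change the issue proposes, here is an added example (not Kafka's own PemStore code) that loads PEM certificates into an in-memory trust store using KeyStore.getDefaultType() rather than a hardcoded "PKCS12", and lists the KeyStore types the running JVM actually offers so the PKCS12 availability in a given (e.g. FIPS) environment can be checked. The class name, method names and the file-path argument are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Set;

/** Added example, not Kafka's PemStore: PEM certificates into a default-type in-memory store. */
public class PemTrustStoreExample {

    /** KeyStore types the JVM's installed providers offer; "PKCS12" is absent where it is disabled. */
    static Set<String> availableKeyStoreTypes() {
        return Security.getAlgorithms("KeyStore");
    }

    /**
     * Builds an in-memory trust store from PEM text. The store type comes from
     * KeyStore.getDefaultType() instead of a hardcoded "PKCS12", so the same code
     * also runs on JVMs whose PKCS12 implementation has been removed.
     */
    static KeyStore trustStoreFromPem(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates() accepts one or more concatenated PEM CERTIFICATE blocks.
        Collection<? extends Certificate> certs = cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        if (certs.isEmpty()) {
            throw new IllegalArgumentException("no CERTIFICATE blocks found in PEM input");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // initialise an empty in-memory store
        int i = 0;
        for (Certificate c : certs) {
            ks.setCertificateEntry("ca-" + i++, c);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default KeyStore type:    " + KeyStore.getDefaultType());
        System.out.println("available KeyStore types: " + availableKeyStoreTypes());
        if (args.length == 1) { // optional: path to a PEM file with CA certificate(s)
            KeyStore ks = trustStoreFromPem(Files.readString(Path.of(args[0])));
            System.out.println("loaded " + ks.size() + " certificate(s) into a " + ks.getType() + " store");
        }
    }
}
```

Running it without arguments on a JVM where PKCS12 is disabled shows that type missing from the available list while the default-type store still works; ks.getType() reports which type was actually used.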