Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/04/08 01:56:30 UTC
[GitHub] [pulsar] schahal opened a new issue #6690: Pulsar proxy with TLS enabled not ignoring attribute fields in private key (loadPrivateKeyFromPemFile())
URL: https://github.com/apache/pulsar/issues/6690
**Describe the bug**
There are cases when a private key pem file (e.g., when [converting a pkcs#12 pair to pem](https://security.stackexchange.com/a/191120)) may be of the format:
```
Bag Attributes
friendlyName: *.example.com
localKeyID: <redacted>
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
<redacted>
-----END PRIVATE KEY-----
```
As a result, the client can't complete the TLS connection... from client:
```
ERROR ClientConnection:388 | ... Handshake failed: Connection reset by peer
```
**To Reproduce**
1. Enable pulsar-proxy with TLS enabled
2. Import your tls.crt and tls.key k8s secrets (import the cert), with the key in the format shown in the description above
3. Try to connect via `pulsar+ssl` with your client
4. See the error:
From client
```
2020-04-07 07:15:22.782 INFO ConnectionPool:85 | Created connection for pulsar+ssl://<redacted>:6651
2020-04-07 07:15:23.051 INFO ClientConnection:330 | ... Connected to broker
2020-04-07 07:15:23.256 ERROR ClientConnection:388 | ... Handshake failed: Connection reset by peer
2020-04-07 07:15:23.256 INFO ClientConnection:1349 | ... Connection closed
```
From server:
```
13:45:03.437 [pulsar-proxy-io-2-1] WARN io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x488d7794, L:/<redacted>]
java.lang.IllegalArgumentException: Illegal base64 character 20
    at java.util.Base64$Decoder.decode0(Base64.java:714) ~[?:1.8.0_232]
    at java.util.Base64$Decoder.decode(Base64.java:526) ~[?:1.8.0_232]
    at java.util.Base64$Decoder.decode(Base64.java:549) ~[?:1.8.0_232]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:206) ~[org.apache.pulsar-pulsar-common-2.4.2.jar:2.4.2]
```
**Expected behavior**
As with other servers such as nginx, it should be able to load the key appropriately even in this format. After applying the workaround (see "Workaround" below), it works:
```
2020-04-07 16:59:41.336 INFO ConnectionPool:85 | Created connection for pulsar+ssl://<redacted>:6651
2020-04-07 16:59:41.536 INFO ClientConnection:330 | [<redacted>:<redacted> -> <redacted?:6651] Connected to broker
2020-04-07 16:59:42.358 INFO HandlerBase:53 | [persistent://<tenant>/<ns>/<topic>, ] Getting connection from pool
2020-04-07 16:59:42.572 INFO ConnectionPool:85 | Created connection for pulsar://<redacted>:6650
2020-04-07 16:59:42.765 INFO ClientConnection:332 | [<redacted>:<redacted> -> <redacted>:6651] Connected to broker through proxy. Logical broker: pulsar://<redacted>:6650
```
**Desktop (Environment):**
- OS: Ubuntu 18.04
- Kubernetes 1.15
- Pulsar v2.4.2
### Workaround
Make sure the private key begins and ends with `-----BEGIN` and `-----END`, respectively, and restart the pulsar-proxy
### Proposed Solution
In https://github.com/apache/pulsar/blob/master/pulsar-common/src/main/java/org/apache/pulsar/common/util/SecurityUtility.java#L251-279, change:
```
// Skip the first line (-----BEGIN RSA PRIVATE KEY-----)
reader.readLine();
while ((currentLine = reader.readLine()) != null) {
    sb.append(previousLine);
    previousLine = currentLine;
}
// Skip the last line (-----END RSA PRIVATE KEY-----)
```
... to something like:
```
// Jump to the first line, eg: "-----BEGIN RSA PRIVATE KEY-----",
// skipping any preamble such as "Bag Attributes" / "Key Attributes"
String currentLine;
while ((currentLine = reader.readLine()) != null && !currentLine.startsWith("-----BEGIN")) {
    // attribute line, ignore it
}
// Stop once we see the last line (-----END RSA PRIVATE KEY-----)
while ((currentLine = reader.readLine()) != null && !currentLine.startsWith("-----END")) {
    sb.append(currentLine);
}
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
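A Python illustration of the parsing change proposed in the issue, added here as an example (it is not Pulsar's Java code): it runs the pre-fix "drop first and last line" logic and the marker-based logic over a constructed key file with a `Bag Attributes` preamble, and shows why a strict base64 decoder rejects the first. The key bytes are a dummy payload, not a real key.

```python
import base64
import binascii
from typing import List, Optional

# Constructed sample, not a real key: the "Bag Attributes" preamble that
# `openssl pkcs12` writes in front of the PEM block, followed by a 16-byte
# dummy payload standing in for a real PKCS#8 key.
SAMPLE_PEM = """Bag Attributes
    friendlyName: *.example.com
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
AAECAwQFBgcICQoLDA0ODw==
-----END PRIVATE KEY-----
"""


def naive_pem_body(pem: str) -> str:
    """The pre-fix logic: drop the first and last line, join everything else."""
    lines = pem.strip().splitlines()
    return "".join(lines[1:-1])


def marker_pem_body(pem: str) -> str:
    """The proposed logic: keep only the lines between -----BEGIN and -----END.

    A missing marker raises a clear error instead of failing at end of file,
    which is the edge case the sketched `reader.readLine().startsWith(...)`
    loop would not handle.
    """
    chunks: List[str] = []
    inside = False
    for raw in pem.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN"):
            inside = True
            continue
        if line.startswith("-----END"):
            if not inside:
                raise ValueError("END marker before BEGIN marker")
            return "".join(chunks)
        if inside:
            chunks.append(line)
    raise ValueError("PEM file has no complete BEGIN/END block")


def decode_body(body: str) -> Optional[bytes]:
    """Strict base64 decode; None mirrors Java's 'Illegal base64 character'."""
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
```

The naive body contains the attribute text, so the space in "Bag Attributes" is the first non-alphabet character the decoder sees, matching the `Illegal base64 character 20` in the proxy log.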
[GitHub] [pulsar] merlimat closed issue #6690: Pulsar proxy with TLS enabled not ignoring attribute fields in private key (loadPrivateKeyFromPemFile())
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/pulsar/issues/6690
[GitHub] [pulsar] sijie commented on issue #6690: Pulsar proxy with TLS enabled not ignoring attribute fields in private key (loadPrivateKeyFromPemFile())
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/pulsar/issues/6690#issuecomment-610711381
@schahal thank you for reporting this issue. since you already figured out the solution, do you want to submit a pull request?