Thread: [pgjdbc/pgjdbc] d281a7: Add cert key type checking to chooseClientAlias (#...

[pgjdbc/pgjdbc] d281a7: Add cert key type checking to chooseClientAlias (#...

From

Nick Burgan

Date:

24 January 2022, 18:39:29

Branch: refs/heads/master
  Home:   https://github.com/pgjdbc/pgjdbc
  Commit: d281a788b227b73e5a5236a10f3e5f5e73d011e7
      https://github.com/pgjdbc/pgjdbc/commit/d281a788b227b73e5a5236a10f3e5f5e73d011e7
  Author: Nick Burgan <13688219+nmburgan@users.noreply.github.com>
  Date:   2022-01-24 (Mon, 24 Jan 2022)

  Changed paths:
    M pgjdbc/src/main/java/org/postgresql/ssl/LazyKeyManager.java
    M pgjdbc/src/main/java/org/postgresql/ssl/PKCS12KeyManager.java
    M pgjdbc/src/test/java/org/postgresql/test/ssl/LazyKeyManagerTest.java
    M pgjdbc/src/test/java/org/postgresql/test/ssl/PKCS12KeyTest.java

  Log Message:
  -----------
  Add cert key type checking to chooseClientAlias (#2417)

Previously, these functions ignored the keyType (or 'strings') argument to the chooseClientAlias function. Some
libraries(e.g. Bouncy Castle) expect that when chooseClientAlias is called and key types are passed in, that it will
returnnull if the cert doesn't use one of the given key types. For example, if ['EC'] was passed in for keyType and the
certcontained an RSA key, since this would return 'user' rather than null in that case, it would cause Bouncy Castle to
assumeusing an ECDSA signing algorithm was okay, and cause problems during the Certificate Verify part of the
handshake.

This modifies these functions to only return 'user' if keyType is passed in and the cert contains a key of that type.
IfkeyType is empty or null, it will ignore this and continue to check only the issuer.