Thread: Patch for supporting PEM based certs and keys
Hello Pgjdbc community,

I found that PGJDBC currently lacks support for PEM based certs and keys.

We have a use case where PEM files are auto renewed on disk and converting them to DER format requires running something that watches files on disk and auto-converts to DER.

Hence I would like to propose a patch for supporting PEM based certs, keys.

This is the approach for adding the support,

- Introduce a new PEMKeyManager which implements X509KeyManager.
- PEMKeyManager will have the logic for extracting the BASE64 encoded DER bytes to convert into private key using key algorithm specified by property PGProperty.PEM_KEY_ALGORITHM.
- PEMKeyManager will read the PEM based cert chain using CertificateFactory to get the X509Certificate chain.
- Now LibPQFactory can initialize PEMKeyManager if the SSL Keyfile ends with .key or .pem

I am attaching a patch file which also contains new test cases for PEM based certs, keys. Please take a look.

Thanks.

Regards,
Harinath
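The approach listed in the message above, as an added Java sketch that is not part of the original post or of the attached patch: it decodes a PEM key into a `PrivateKey`, reads a PEM chain with `CertificateFactory`, and checks that the key belongs to a given public key, which matters when key and certificate files are renewed separately on disk. The class and method names are hypothetical, the key is assumed to be unencrypted PKCS#8, and the `algorithm` argument stands in for the property the message names.

```java
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.*;

// Added illustration; PemSketch and its method names are hypothetical, not pgjdbc code.
public class PemSketch {
  private static final Pattern BLOCK = Pattern.compile(
      "-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \\1-----", Pattern.DOTALL);
  // Decode an unencrypted PKCS#8 block with the caller-chosen algorithm ("RSA", "EC", ...).
  static PrivateKey loadPrivateKey(String pem, String algorithm) throws GeneralSecurityException {
    Matcher m = BLOCK.matcher(pem);
    while (m.find()) {
      if (m.group(1).equals("PRIVATE KEY")) {
        byte[] der = Base64.getMimeDecoder().decode(m.group(2));
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
      }
      // PKCS#1, SEC1 and encrypted blocks are not plain PKCS#8 DER: fail loudly, do not guess.
      if (m.group(1).endsWith("PRIVATE KEY")) throw new InvalidKeyException("Unsupported PEM block: " + m.group(1));
    }
    throw new InvalidKeyException("No PRIVATE KEY block found");
  }
  // CertificateFactory accepts concatenated PEM certificates, so the chain needs no manual parsing.
  static X509Certificate[] loadChain(InputStream in) throws GeneralSecurityException {
    return CertificateFactory.getInstance("X.509").generateCertificates(in)
        .toArray(new X509Certificate[0]);
  }
  // Sign-and-verify probe: in real use pass chain[0].getPublicKey() to catch a key/cert mismatch.
  static boolean matches(PrivateKey key, PublicKey pub, String sigAlg) throws GeneralSecurityException {
    byte[] probe = "pem-key-check".getBytes();
    Signature s = Signature.getInstance(sigAlg);
    s.initSign(key);
    s.update(probe);
    byte[] sig = s.sign();
    s.initVerify(pub);
    s.update(probe);
    return s.verify(sig);
  }
  public static void main(String[] args) throws Exception {
    // Constructed sample: a throwaway RSA key, PEM-encoded here (getEncoded() yields PKCS#8 DER).
    KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    String pem = "-----BEGIN PRIVATE KEY-----\n"
        + Base64.getMimeEncoder().encodeToString(kp.getPrivate().getEncoded())
        + "\n-----END PRIVATE KEY-----\n";
    System.out.println("key matches public half: " + matches(loadPrivateKey(pem, "RSA"), kp.getPublic(), "SHA256withRSA"));
  }
}
```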
Hello,

I have raised an issue in the pgjdbc GitHub here https://github.com/pgjdbc/pgjdbc/issues/3702 and also a new PR here https://github.com/pgjdbc/pgjdbc/pull/3700

Happy to discuss further.

Thanks
- Harinath

On Thu, Jun 26, 2025 at 2:15 PM harinath kanchu <kanchuharinath@gmail.com> wrote:
>
> Hello Pgjdbc community,
>
> I found that PGJDBC currently lacks support for PEM based certs and keys.
>
> We have a use case where PEM files are auto renewed on disk and
> converting them to DER format requires running something that watches
> files on disk and auto-converts to DER.
>
> Hence I would like to propose a patch for supporting PEM based certs, keys.
>
> This is the approach for adding the support,
>
> - Introduce a new PEMKeyManager which implements X509KeyManager.
> - PEMKeyManager will have the logic for extracting the BASE64 encoded
> DER bytes to convert into private key using key algorithm specified by
> property PGProperty.PEM_KEY_ALGORITHM.
> - PEMKeyManager will read the PEM based cert chain using
> CertificateFactory to get the X509Certificate chain.
> - Now LibPQFactory can initialize PEMKeyManager if the SSL Keyfile
> ends with .key or .pem
>
> I am attaching a patch file which also contains new test cases for PEM
> based certs, keys. Please take a look.
>
> Thanks.
>
> Regards,
> Harinath
As you have surmised, we do not accept patches in this form.
Dave Cramer
www.postgres.rocks
On Fri, 27 Jun 2025 at 13:14, harinath kanchu <kanchuharinath@gmail.com> wrote:
> Hello Pgjdbc community,
>
> I found that PGJDBC currently lacks support for PEM based certs and keys.
>
> We have a use case where PEM files are auto renewed on disk and
> converting them to DER format requires running something that watches
> files on disk and auto-converts to DER.
>
> Hence I would like to propose a patch for supporting PEM based certs, keys.
>
> This is the approach for adding the support,
>
> - Introduce a new PEMKeyManager which implements X509KeyManager.
> - PEMKeyManager will have the logic for extracting the BASE64 encoded
> DER bytes to convert into private key using key algorithm specified by
> property PGProperty.PEM_KEY_ALGORITHM.
> - PEMKeyManager will read the PEM based cert chain using
> CertificateFactory to get the X509Certificate chain.
> - Now LibPQFactory can initialize PEMKeyManager if the SSL Keyfile
> ends with .key or .pem
>
> I am attaching a patch file which also contains new test cases for PEM
> based certs, keys. Please take a look.
>
> Thanks.
>
> Regards,
> Harinath