
Accept SSL certificates by providing a URL to use cert from within a jar #313


Closed
pmaedel opened this issue Aug 12, 2020 · 6 comments
Labels
  • status: ideal-for-contribution (An issue that a contributor can help us with)
  • status: in-progress (An issue that is currently being worked on)
  • type: enhancement (A general enhancement)

Comments

pmaedel commented Aug 12, 2020

I have a cert.pem in my src/main/resources.
I need it when running the app jarred as well as unjarred.

Specifying it faithfully in my application.properties as spring.r2dbc.properties.sslRootCert=classpath:cert.pem fails as r2dbc does not load the file via classpath: https://github.com/pgjdbc/r2dbc-postgresql/blob/main/src/main/java/io/r2dbc/postgresql/util/Assert.java#L130

Caused by: java.lang.IllegalArgumentException: sslRootCert must not be null and must exist
	at io.r2dbc.postgresql.util.Assert.requireFileExistsOrNull(Assert.java:131) ~[r2dbc-postgresql-0.8.4.RELEASE.jar:0.8.4.RELEASE]
	at io.r2dbc.postgresql.PostgresqlConnectionConfiguration$Builder.sslRootCert(PostgresqlConnectionConfiguration.java:641) ~[r2dbc-postgresql-0.8.4.RELEASE.jar:0.8.4.RELEASE]

I see two options: either load the specified File via classloader#getResourceAsStream or accept a URL as a cert parameter instead of a String.

The issue was originally raised here: spring-projects/spring-data-r2dbc#430

@pmaedel pmaedel added the status: waiting-for-triage An issue we've not yet triaged label Aug 12, 2020
@mp911de mp911de added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 13, 2020
Collaborator

mp911de commented Aug 13, 2020

We should accept a URL to allow resolution from a class path resource for cert/root-cert/ssl key. Accepting a URL bears the risk that someone stores a remote URL like an HTTP URL, which introduces blocking I/O when resolving the certificate. I don't really see an alternative, as it doesn't make sense to introduce a fully-fledged resource abstraction.

We should adopt:

  • PostgresqlConnectionConfiguration
  • PostgresqlConnectionFactoryProvider
  • Tests

to make this work.

@mp911de mp911de added the status: ideal-for-contribution An issue that a contributor can help us with label Aug 13, 2020
@mp911de mp911de changed the title Unable to provide root cert path property when cert is within jar Accept SSL certificates by providing a URL to use cert from within a jar Aug 13, 2020
Contributor

isabek commented Aug 13, 2020

I would like to work on it. Could you assign it to me, please?

Collaborator

mp911de commented Aug 13, 2020

Sure. Feel free to submit a pull request. Let us know if there's something you need assistance with.

@mp911de mp911de added the status: in-progress An issue that is currently being worked on label Aug 13, 2020
@davecramer
Member

We found that emulating libpq worked well, putting the certs in ~/.postgres by default.
Also, what are you doing for the various levels of cert validation?

Collaborator

mp911de commented Aug 13, 2020

For VERIFY_CA we enable the trust manager, for VERIFY_FULL, we additionally verify the hostname with a HostnameVerifier. The other SSL modes enable just the encryption part according to the SSL handshake requirements.

isabek added a commit to isabek/r2dbc-postgresql that referenced this issue Aug 17, 2020
Contributor

isabek commented Aug 17, 2020

@mp911de, what kind of test should I add? Could you assist me?

isabek added a commit to isabek/r2dbc-postgresql that referenced this issue Nov 7, 2020
mp911de pushed a commit that referenced this issue Feb 18, 2021
We now try to resolve SSL certificates first from the class path and then fall back to files when providing a path as string.

[resolves #313][closes #318]

Signed-off-by: Mark Paluch <[email protected]>
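The resolution order in the commit message above (class path first, then file system) together with the validation levels mp911de describes (VERIFY_CA validates the chain against the root cert, VERIFY_FULL additionally checks the hostname), as an added example that is not the project's own code. It assumes Java 11 or later, uses JSSE endpoint identification in place of a HostnameVerifier for the hostname check, and rejects remote URL schemes up front so that a misconfigured value cannot trigger the blocking network I/O noted in the discussion; the class, enum and method names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/**
 * Illustrative helper (not r2dbc-postgresql code): resolves an sslRootCert location
 * from the class path first and the file system second, then builds the trust
 * material for VERIFY_CA / VERIFY_FULL. Requires Java 11+ (InputStream.readAllBytes).
 */
public final class RootCertResolver {

    /** Only the two modes that validate the server certificate are modelled here. */
    public enum SslMode { VERIFY_CA, VERIFY_FULL }

    private static final String CLASSPATH_PREFIX = "classpath:";

    private RootCertResolver() {}

    /** Returns the PEM bytes for {@code location}: class path first, then file system. */
    public static byte[] resolveRootCert(String location) throws IOException {
        if (location == null || location.isBlank()) {
            throw new IllegalArgumentException("sslRootCert must not be empty");
        }
        // Refuse remote schemes: resolving them would mean blocking network I/O at connect time.
        String lower = location.toLowerCase();
        if (lower.startsWith("http:") || lower.startsWith("https:") || lower.startsWith("ftp:")) {
            throw new IllegalArgumentException("remote URLs are not accepted for sslRootCert: " + location);
        }
        boolean explicitClasspath = location.startsWith(CLASSPATH_PREFIX);
        String name = explicitClasspath ? location.substring(CLASSPATH_PREFIX.length()) : location;
        String resourceName = name.startsWith("/") ? name.substring(1) : name;

        // 1. class path: the only option that works once the app is packaged as a jar
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = RootCertResolver.class.getClassLoader();
        }
        URL resource = cl.getResource(resourceName);
        if (resource != null) {
            try (InputStream in = resource.openStream()) {
                return in.readAllBytes();
            }
        }

        // 2. file system fallback, skipped when the caller explicitly asked for the class path
        if (!explicitClasspath) {
            Path path = Paths.get(name);
            if (Files.isRegularFile(path)) {
                return Files.readAllBytes(path);
            }
        }
        throw new IllegalArgumentException("sslRootCert must exist on the class path or as a file: " + location);
    }

    /** Builds a TrustManagerFactory whose trust store holds only the PEM certificates given. */
    public static TrustManagerFactory trustManagerFor(byte[] pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> roots = cf.generateCertificates(new ByteArrayInputStream(pem));
        if (roots.isEmpty()) {
            throw new IllegalArgumentException("sslRootCert contains no X.509 certificates");
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, so only the pinned roots are trusted
        int i = 0;
        for (Certificate root : roots) {
            trustStore.setCertificateEntry("root-" + i++, root);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /**
     * Client SSLEngine for the given mode. VERIFY_CA checks the chain against the pinned
     * root; VERIFY_FULL additionally requires the server certificate to match {@code host}.
     */
    public static SSLEngine clientEngine(SslMode mode, String rootCertLocation, String host, int port)
            throws Exception {
        TrustManagerFactory tmf = trustManagerFor(resolveRootCert(rootCertLocation));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (mode == SslMode.VERIFY_FULL) {
            SSLParameters params = engine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check, RFC 2818 rules
            engine.setSSLParameters(params);
        }
        return engine;
    }
}
```

With this resolver, the reporter's `classpath:cert.pem` value resolves from inside the jar, a plain path such as `/etc/ssl/cert.pem` still resolves from disk, and the lower SSL modes (which only encrypt and skip chain validation) are deliberately not modelled, since they install no trust anchors.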
4 participants