pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
From: cfredri4 (@cfredri4) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] PR #3700: Add PEMKeyManager to handle PEM based certs and keys.
Date: Thu, 03 Jul 2025 09:03:34 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

> @cfredri4 as the `getPrivateKey` method is called during the SSL Handshake, I believe the read happens during the connection establishment, and there might NOT be any reads further in the entire lifetime of connection.

Correct.

> Subsequent new connections anyways should create new objects of `LibPQFactory` and `KeyManagers` which will trigger reads again.

You're right, I missed this part.
This means that there is really no point that the existing key managers (`PKCS12KeyManager`, `LazyKeyManager`) cache the key material and only read once.

> In case if a cert expires during the lifetime of a connection, probably the connection terminates and that will lead to creation of new one.

Off topic, but in general this does _not_ happen in TLS; certificate expiry is checked only during handshake so any connection will remain active when the certificate expires.

> So, do you think reading the material from file every time (or caching the content) causes any issues?

No real issue. I only reacted to it being done differently from the existing key managers. For consistency maybe the existing key managers should be updated to always read from file; it would slightly simplify things.
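To make the "read from file every time" design discussed above concrete, here is an added illustration of a minimal client key manager that re-reads its PEM files on each JSSE callback. It is not pgjdbc's `PEMKeyManager` or any of its existing key managers; the file paths and key algorithm are assumed constructor arguments, and the key is assumed to be an unencrypted PKCS#8 PEM.

```java
import java.io.*;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.X509ExtendedKeyManager;

// Hypothetical (not pgjdbc) key manager that re-reads PEM files on every call.
// Each connection builds a fresh key manager and JSSE calls getCertificateChain /
// getPrivateKey only during the handshake, so caching would gain almost nothing.
public final class ReadOnDemandPemKeyManager extends X509ExtendedKeyManager {
    private static final String ALIAS = "client";
    private final Path certFile;       // PEM chain, leaf certificate first
    private final Path keyFile;        // unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY")
    private final String keyAlgorithm; // "RSA" or "EC", must match the key

    public ReadOnDemandPemKeyManager(Path certFile, Path keyFile, String keyAlgorithm) {
        this.certFile = certFile; this.keyFile = keyFile; this.keyAlgorithm = keyAlgorithm;
    }

    // Client-side only: a single alias and no server identities.
    @Override public String[] getClientAliases(String t, Principal[] i) { return new String[] {ALIAS}; }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return ALIAS; }
    @Override public String[] getServerAliases(String t, Principal[] i) { return null; }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }

    @Override public X509Certificate[] getCertificateChain(String alias) {
        if (!ALIAS.equals(alias)) return null;
        try (InputStream in = Files.newInputStream(certFile)) {
            // CertificateFactory parses PEM X.509 directly; a renewed certificate on disk
            // is seen by the next handshake only, never by an already established session.
            return CertificateFactory.getInstance("X.509").generateCertificates(in).toArray(new X509Certificate[0]);
        } catch (IOException | GeneralSecurityException e) { return null; } // null = no credential
    }

    @Override public PrivateKey getPrivateKey(String alias) {
        if (!ALIAS.equals(alias)) return null;
        try {
            String pem = Files.readString(keyFile, StandardCharsets.US_ASCII);
            String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                            .replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(b64);
            return KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (IOException | GeneralSecurityException e) { return null; }
    }
}
```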
