Re: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix

pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
help / color / mirror / Atom feed

From: sehrope (@sehrope) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix
Date: Sun, 22 Feb 2026 16:40:46 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

Yes this is a regression. Thanks for the report.

I believe the intention of LibPQFactory is to match the default behavior of libpq whenever possible. It's a bit different here (even before the PEM support PR) as historically we support Java's native key stores for certs. In libpq they try loading the key twice and only report the second error: https://github.com/postgres/postgres/blob/412f78c66eedbe9cf41a657f4566d86a69ab7af2/src/interfaces/li...

That works fine for the happy path where the key can be read correctly in some manner. But might give a not so great error if it's really the first type that's tried. Probably fine though as it does not stop you from being able to connect when you otherwise could (just the error message is not that helpful).

I think we need to do something similar here as well. Maybe we also offer a separate driver option to instruct how to pick (e.g, default of "auto" that tries all options, but explicit "PEM" etc to force only one attempt at the known type).

I don't like any of the file extension based checks. I think we might be able to remove them with the "auto" option as the change would only be in the possible not-so-great error message if it fails. Be simpler than trying to handle file extensions and an entire separate code path.

@davecramer @vlsi Thoughts?

view thread (6+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: github://pgjdbc/pgjdbc
  Cc: [email protected], [email protected]
  Subject: Re: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix
  In-Reply-To: <<[email protected]>>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox