[pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix

pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
help / color / mirror / Atom feed

From: reissseb (@reissseb) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix
Date: Fri, 20 Feb 2026 16:20:50 +0000
Message-ID: <[email protected]> (raw)

This is more of informational purpose for others stumbling upon this problem as well.

It would be nice to update the documentation to clearly state which file format is expected for each file ending.

**Describe the issue**

I updated our Spring Boot application from 3.5.8 to 3.5.11, which includes pgjdbc version v42.7.9.

PR [#3700](https://github.com/pgjdbc/pgjdbc/pull/3700) added PEM support and introduced file extension-based format detection in `LibPQFactory.java`:

```java
} else if (sslkeyfile.endsWith(".key") || sslkeyfile.endsWith(".pem")) {
   initPEM(sslkeyfile, defaultdir, info);
} else {
   initPk8(sslkeyfile, defaultdir, info);
}
```

This change now associates `.key` files with PEM format.

In our case, we were using DER-formatted keys with `.key` extension, which resulted in `MalformedInputException`.

**Solution**

Renaming the key file to use the `.der` extension solved the problem.

**Expected behavior**

Document that `.key` and `.pem` extensions expect PEM text format.

**Driver Version**

v42.7.10

**To Reproduce**

1. Create a DER-formatted private key file with `.key` extension
2. Set `sslkey` parameter in JDBC URL to point to this file
3. Attempt to connect

**Logs**

```
Caused by: org.postgresql.util.PSQLException: Could not load the private key
       at org.postgresql.ssl.PEMKeyManager.getPrivateKey(PEMKeyManager.java:80)
       ...
Caused by: java.nio.charset.MalformedInputException: Input length = 1
       at java.base/java.nio.charset.CoderResult.throwException(Unknown Source)
       at java.base/sun.nio.cs.StreamDecoder.implRead(Unknown Source)
       at java.base/sun.nio.cs.StreamDecoder.read(Unknown Source)
       at java.base/java.io.InputStreamReader.read(Unknown Source)
       at java.base/java.io.BufferedReader.fill(Unknown Source)
       at java.base/java.io.BufferedReader.readLine(Unknown Source)
       at java.base/java.io.BufferedReader.readLine(Unknown Source)
       at java.base/java.nio.file.Files.readAllLines(Unknown Source)
       at java.base/java.nio.file.Files.readAllLines(Unknown Source)
       at org.postgresql.ssl.PEMKeyManager.getPrivateKey(PEMKeyManager.java:50)
```

view thread (6+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: github://pgjdbc/pgjdbc
  Cc: [email protected], [email protected]
  Subject: Re: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix
  In-Reply-To: <<[email protected]>>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox