MIME-Version: 1.0
References: 
 <CAO7WNRRhJst=iT2C6kBjg+bYsQTBvN5ksXrNS5m+vkYGa+wGGw@mail.gmail.com>
In-Reply-To: 
 <CAO7WNRRhJst=iT2C6kBjg+bYsQTBvN5ksXrNS5m+vkYGa+wGGw@mail.gmail.com>
From: Dave Cramer <davecramer@postgres.rocks>
Date: Tue, 1 Jul 2025 14:49:37 -0400
Message-ID: 
 <CADK3HHL0iyWCCpq2R6N1-JGyjczjtJmk9krFU=5gtTfT8GEaMA@mail.gmail.com>
Subject: Re: Patch for supporting PEM based certs and keys
To: harinath kanchu <kanchuharinath@gmail.com>
Cc: pgsql-jdbc@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000307edb0638e29ce0"
Archived-At: 
 <https://www.postgresql.org/message-id/CADK3HHL0iyWCCpq2R6N1-JGyjczjtJmk9krFU%3D5gtTfT8GEaMA%40mail.gmail.com>
Precedence: bulk

--000000000000307edb0638e29ce0
Content-Type: text/plain; charset="UTF-8"

As you have surmised, we do not accept patches in this form.

Dave Cramer
www.postgres.rocks


On Fri, 27 Jun 2025 at 13:14, harinath kanchu <kanchuharinath@gmail.com>
wrote:

> Hello Pgjdbc community,
>
> I found that PGJDBC currently lacks support for PEM based certs and keys.
>
> We have a use case where PEM files are auto renewed on disk and
> converting them to DER format requires running something that watches
> files on disk and auto-converts to DER.
>
> Hence I would like to propose a patch for supporting PEM based certs, keys.
>
> This is the approach for adding the support,
>
> - Introduce a new PEMKeyManager which implements X509KeyManager.
> - PEMKeyManager will have the logic for extracting the BASE64 encoded
> DER bytes to convert into private key using key algorithm specified by
> property PGProperty.PEM_KEY_ALGORITHM.
> - PEMKeyManager will read the PEM based cert chain using
> CertificateFactory to get the X509Certificate chain.
> - Now LibPQFactory can initialize PEMKeyManager if the SSL Keyfile
> ends with .key or .pem
>
> I am attaching a patch file which also contains new test cases for PEM
> based certs, keys. Please take a look.
>
> Thanks.
>
> Regards,
> Harinath
>

--000000000000307edb0638e29ce0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>As you have surmised, we do not accept patches in thi=
s form.</div><div><br></div><div><div dir=3D"ltr" class=3D"gmail_signature"=
 data-smartmail=3D"gmail_signature"><div dir=3D"ltr">Dave Cramer<div>www.po=
stgres.rocks</div></div></div></div><br></div><br><div class=3D"gmail_quote=
 gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, 27 Ju=
n 2025 at 13:14, harinath kanchu &lt;<a href=3D"mailto:kanchuharinath@gmail=
.com">kanchuharinath@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex">Hello Pgjdbc community,<br>
<br>
I found that PGJDBC currently lacks support for PEM based certs and keys.<b=
r>
<br>
We have a use case where PEM files are auto renewed on disk and<br>
converting them to DER format requires running something that watches<br>
files on disk and auto-converts to DER.<br>
<br>
Hence I would like to propose a patch for supporting PEM based certs, keys.=
<br>
<br>
This is the approach for adding the support,<br>
<br>
- Introduce a new PEMKeyManager which implements X509KeyManager.<br>
- PEMKeyManager will have the logic for extracting the BASE64 encoded<br>
DER bytes to convert into private key using key algorithm specified by<br>
property PGProperty.PEM_KEY_ALGORITHM.<br>
- PEMKeyManager will read the PEM based cert chain using<br>
CertificateFactory to get the X509Certificate chain.<br>
- Now LibPQFactory can initialize PEMKeyManager if the SSL Keyfile<br>
ends with .key or .pem<br>
<br>
I am attaching a patch file which also contains new test cases for PEM<br>
based certs, keys. Please take a look.<br>
<br>
Thanks.<br>
<br>
Regards,<br>
Harinath<br>
</blockquote></div>

--000000000000307edb0638e29ce0--