prabhashkr commented on code in PR #21483:
URL: https://github.com/apache/kafka/pull/21483#discussion_r2853023355
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/assertion/AssertionUtils.java:
##########
@@ -67,7 +67,8 @@ public static PrivateKey privateKey(byte[] privateKeyContents,
PKCS8EncodedKeySpec keySpec;
if (passphrase.isPresent()) {
- EncryptedPrivateKeyInfo keyInfo = new
EncryptedPrivateKeyInfo(privateKeyContents);
+ byte[] derEncoded = Base64.getDecoder().decode(privateKeyContents);
+ EncryptedPrivateKeyInfo keyInfo = new
EncryptedPrivateKeyInfo(derEncoded);
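Review bot: In the added line `byte[] derEncoded = Base64.getDecoder().decode(privateKeyContents);`, the basic decoder throws IllegalArgumentException on any character outside the Base64 alphabet, including line breaks. The call therefore only works if `privateKeyContents` has already had its PEM header and footer lines and its newlines stripped by the caller, which this hunk does not show. Please confirm that precondition or state it in the Javadoc of `privateKey(...)`, since in this branch the parameter now holds Base64 text rather than DER bytes. A test that loads a passphrase-protected key would also make sure the `EncryptedPrivateKeyInfo(derEncoded)` path is exercised.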
Review Comment:
I looked at `DefaultSslEngineFactory.PemStore`.
You can see that there too, Base64 decoding is done first. Not very sure if
there was a bug, but encrypted private keys with a passphrase require this.
And since this decoding is required in both the encrypted and non-encrypted
situations, we can have it only once in
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/assertion/DefaultAssertionCreator.java#L90
Ref:
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L515
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L580