First of all, it's my first post, sorry if this post is not well described and designed.
My problem is that I need to connect to a DB in GCP over an SSL connection using Spring Boot. Inside GCP I'm generating the three needed certs (client-cert.pem, client-key.pem, server-ca.pem). Unfortunately Spring cannot connect to the DB with the client key stored in a PEM file, so I have to keep the client key, for example, inside a .DER cert.
To connect to the DB I use this piece of code.
// method header assumed; the post shows only the body
@Bean
public DataSource dataSource() {
    return DataSourceBuilder
            .create()
            .url("jdbc:postgresql://XXX:5432/XXX?"
                    + "ssl=true&sslmode=verify-ca&"
                    + "sslrootcert=server-ca.pem&"
                    + "sslcert=client-cert.pem&"
                    + "sslkey=client-key.der")
            .build();
}
To generate the .DER file from the .PEM file I used this command:
openssl pkcs8 -topk8 -inform PEM -in client-key.pem -outform DER -nocrypt -out client-key.der
Locally it's working, but I have to keep the certs inside Secret Manager (SM) at GCP. SM can store only values, so I keep the binary values from the .DER file
![Take a look at image](https://i.stack.imgur.com/dAjLU.png).
I'm using the GCP Java libraries to connect to SM:
import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import java.io.IOException;

private String getKey(String projectId, String secretCertName, boolean isPEM) {
    try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
        // always reads the "latest" enabled version of the secret
        SecretVersionName secretVersionName = SecretVersionName.of(projectId, secretCertName, "latest");
        AccessSecretVersionResponse response = client.accessSecretVersion(secretVersionName);
        // the payload is decoded as UTF-8 text and returned as a String
        return response.getPayload().getData().toStringUtf8();
    } catch (IOException e) {
        System.out.println("gcp cant connect !");
    }
    return null;
}
It's working with PEM and string values, but if I want to save this key inside a .DER file, then my client-key.der file does not match the cert generated by openssl and Spring can't connect to the DB with this stack:
org.postgresql.util.PSQLException: Could not read SSL key file client-key.der.
    at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:284) ~[postgresql-42.3.2.jar:42.3.2]
    at java.base/sun.security.ssl.AbstractKeyManagerWrapper.getPrivateKey(SSLContextImpl.java:1696) ~[na:na]
    ...
Caused by: java.io.IOException: Invalid lenByte
    at java.base/sun.security.util.DerValue.<init>(DerValue.java:374) ~[na:na]
    at java.base/sun.security.util.DerValue.<init>(DerValue.java:312) ~[na:na]
    at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:86) ~[na:na]
    at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:236) ~[postgresql-42.3.2.jar:42.3.2]
    ... 73 common frames omitted
Any idea how I should read binary files (like the .DER cert) from GCP SM? I read that it should be encoded, but I have had no success until now.
Thanks in advance and please be gentle, it's my first post :)
CodePudding user response:
Based on John's comment, I saved the encoded .DER file inside Secret Manager. Next I decoded the value from the Secret Manager API. Important thing in this case: save byte[] instead of String to the file!
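The following is an added example written for this page, not code from the asker or the answerer, showing the full round trip the answer describes: read the secret payload as bytes, base64-decode it back to DER, sanity-check the DER framing and PKCS#8 parse, and write byte[] to the key file with owner-only permissions. The reason the original approach broke is that ByteString.toStringUtf8() replaces every byte sequence that is not valid UTF-8 with U+FFFD, so the length prefixes inside the DER no longer match the data that follows, which is exactly the "Invalid lenByte" the driver reports. Project id "my-project", secret name "client-key-der" and the output path are placeholders; the secret is assumed to hold the output of `base64 client-key.der` as text.

```java
import com.google.cloud.secretmanager.v1.AccessSecretVersionResponse;
import com.google.cloud.secretmanager.v1.SecretManagerServiceClient;
import com.google.cloud.secretmanager.v1.SecretVersionName;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public final class DerSecretLoader {

    private DerSecretLoader() {}

    /** Returns the raw payload bytes; no UTF-8 decoding, so nothing is replaced or dropped. */
    static byte[] readSecretBytes(String projectId, String secretName) throws IOException {
        try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
            SecretVersionName name = SecretVersionName.of(projectId, secretName, "latest");
            AccessSecretVersionResponse response = client.accessSecretVersion(name);
            return response.getPayload().getData().toByteArray();
        }
    }

    /** The stored text is the base64 form of the DER key (assumption); decode it back to bytes. */
    static byte[] decodeBase64Der(byte[] payload) {
        String text = new String(payload, StandardCharsets.US_ASCII).trim();
        // the MIME decoder tolerates the line breaks that a plain 'base64' invocation inserts
        return Base64.getMimeDecoder().decode(text);
    }

    /** Cheap framing check: outer SEQUENCE tag, and the encoded length must cover the buffer exactly. */
    static boolean looksLikeDer(byte[] der) {
        if (der.length < 2 || der[0] != 0x30) return false;
        int first = der[1] & 0xFF;
        int headerLen;
        long contentLen;
        if (first < 0x80) {            // short-form length
            headerLen = 2;
            contentLen = first;
        } else {                       // long-form length: low 7 bits = number of length bytes
            int n = first & 0x7F;
            if (n == 0 || n > 4 || der.length < 2 + n) return false;
            contentLen = 0;
            for (int i = 0; i < n; i++) contentLen = (contentLen << 8) | (der[2 + i] & 0xFF);
            headerLen = 2 + n;
        }
        return headerLen + contentLen == der.length;
    }

    /** Confirms the bytes really parse as an unencrypted PKCS#8 key (the openssl -topk8 -nocrypt output). */
    static PrivateKey parsePkcs8(byte[] der) throws GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        GeneralSecurityException last = null;
        for (String alg : new String[] {"RSA", "EC"}) {   // Cloud SQL client keys are RSA; EC kept as fallback
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (GeneralSecurityException e) {
                last = e;
            }
        }
        throw last;
    }

    /** Writes the key as bytes (never via a String) and restricts it to the owner where the FS allows. */
    static Path writeKeyFile(byte[] der, Path target) throws IOException {
        Files.write(target, der);
        try {
            Files.setPosixFilePermissions(target, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // non-POSIX filesystem (e.g. Windows): platform default permissions apply
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        byte[] der = decodeBase64Der(readSecretBytes("my-project", "client-key-der"));
        if (!looksLikeDer(der)) {
            throw new IllegalStateException("payload is not a DER SEQUENCE; was the file base64-encoded before upload?");
        }
        parsePkcs8(der);   // fail fast here rather than at the first JDBC connection
        Path written = writeKeyFile(der, Path.of("client-key.der"));
        System.out.println("wrote " + der.length + " bytes to " + written);
    }
}
```

To produce the text for the secret, `base64 -w0 client-key.der` (GNU coreutils) yields a single line; if the secret was instead uploaded as the raw file (for example with `gcloud secrets versions add NAME --data-file=client-key.der`), skip decodeBase64Der and pass the bytes from readSecretBytes straight to looksLikeDer and writeKeyFile. The key point either way is the one the answer makes: keep the payload as byte[] from the API call to the file write.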