Jakub Scholz created KAFKA-20440:
------------------------------------
Summary: PEM certificate support should not depend on PKCS12
Key: KAFKA-20440
URL: https://issues.apache.org/jira/browse/KAFKA-20440
Project: Kafka
Issue Type: Bug
Reporter: Jakub Scholz
Currently, when using PEM certificates with Kafka, the {{PemStore}} class will
create an in-memory PKCS12 store and add the PEM certificates/private/public
keys to it. And then it will use the PKCS12 in-memory store. The PKCS12
keystore type is hardcoded in the code.
Because the store type is hardcoded, it means that PEM format cannot be used in
Java virtual machines where PKCS12 stores are disabled. An example of such an
environment is when running Kafka / Kafka clients with the Chainguard FIPS
container images that are built on top of the BouncyCastle library, and where
the PKCS12 store support is disabled.
There does not seem to be any reason why the PKCS12 store type should be
hardcoded. Kafka relies on the Java Keystore API to create the in-memory
keystore and is able to use it with different store types as well. The
{{PemStore}} class can use the default store type instead
({{KeyStore.getDefaultType()}}). That way, it would provide more
flexibility and independence from the exact JVM configuration it is being used
with. At the same time, it should continue to work for the existing users the
same way as before.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
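The following is an added, illustrative example and not Kafka's own PemStore code. It shows the pattern the report proposes: build an in-memory keystore from PEM material using KeyStore.getDefaultType() rather than a hardcoded "PKCS12", then feed it to the JSSE key/trust managers. It assumes an unencrypted PKCS#8 private key ("BEGIN PRIVATE KEY"), an RSA or EC key, and PEM files passed on the command line (the file names, the alias "kafka" and the throwaway password are assumptions of this example).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Illustrative example (not Kafka's PemStore): in-memory keystore from PEM with no hardcoded type. */
public class PemKeyStoreExample {

    private static final String KEY_BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String KEY_END = "-----END PRIVATE KEY-----";

    /** CertificateFactory accepts PEM directly, so one call parses a whole chain/bundle. */
    static List<Certificate> parseCertificates(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return new ArrayList<>(cf.generateCertificates(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))));
    }

    /** Unencrypted PKCS#8 key only (assumption); RSA is tried first, then EC. */
    static PrivateKey parsePrivateKey(String pem) throws Exception {
        int start = pem.indexOf(KEY_BEGIN);
        int end = pem.indexOf(KEY_END);
        if (start < 0 || end < 0) {
            throw new IllegalArgumentException("expected an unencrypted PKCS#8 PEM private key");
        }
        String b64 = pem.substring(start + KEY_BEGIN.length(), end).replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm; try the next one
            }
        }
        throw new IllegalArgumentException("unsupported private key algorithm");
    }

    /** 'Before': storeType = "PKCS12". Proposed: storeType = KeyStore.getDefaultType(). */
    static KeyStore buildKeyStore(String storeType, PrivateKey key, List<Certificate> chain,
                                  char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, null); // null stream => fresh, empty in-memory store
        ks.setKeyEntry("kafka", key, password, chain.toArray(new Certificate[0]));
        return ks;
    }

    static KeyStore buildTrustStore(String storeType, List<Certificate> cas) throws Exception {
        KeyStore ts = KeyStore.getInstance(storeType);
        ts.load(null, null);
        for (int i = 0; i < cas.size(); i++) {
            ts.setCertificateEntry("ca-" + i, cas.get(i));
        }
        return ts;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PemKeyStoreExample <cert.pem> <key.pem> <ca.pem>");
            System.exit(2);
        }
        String storeType = KeyStore.getDefaultType(); // from the keystore.type security property
        System.out.println("default keystore type on this JVM: " + storeType);

        char[] pw = "in-memory".toCharArray(); // throwaway; the store never reaches disk
        KeyStore ks = buildKeyStore(storeType, parsePrivateKey(Files.readString(Path.of(args[1]))),
                                    parseCertificates(Files.readString(Path.of(args[0]))), pw);
        KeyStore ts = buildTrustStore(storeType, parseCertificates(Files.readString(Path.of(args[2]))));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        System.out.println("SSLContext initialised from PEM via a " + ks.getType() + " keystore");

        // Check: the hardcoded path breaks wherever no provider offers PKCS12 (e.g. a FIPS
        // JVM with PKCS12 disabled); the default-type path above does not depend on it.
        try {
            KeyStore.getInstance("PKCS12");
            System.out.println("PKCS12 is available here, so the hardcoded path would also work");
        } catch (KeyStoreException e) {
            System.out.println("PKCS12 unavailable: " + e.getMessage());
        }
    }
}
```

Two practical caveats when switching to the default type. First, KeyStore.getDefaultType() is whatever the keystore.type property in java.security says (pkcs12 on current JDKs, jks on older ones, and typically the provider's own FIPS store type on a BouncyCastle FIPS JVM), so the choice is made by the JVM configuration rather than the application, which is exactly the point of the report. Second, a store type that cannot hold a private key plus certificate chain would make setKeyEntry fail; the common defaults all support that entry kind, and it is worth keeping a test that builds the store under the deployed JVM's configuration rather than assuming the type.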