Add support for PEM files

hgeraldino · hgeraldino · commit 86d1ccd89bb8 · 2026-01-06T10:47:44.000-05:00
diff --git a/src/main/java/com/rabbitmq/client/ConnectionFactoryConfigurator.java b/src/main/java/com/rabbitmq/client/ConnectionFactoryConfigurator.java
@@ -17,17 +17,35 @@
 
 import com.rabbitmq.client.impl.AMQConnection;
 
-import javax.net.ssl.*;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.BufferedReader;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.net.URISyntaxException;
-import java.security.*;
+import java.security.GeneralSecurityException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
-import java.util.*;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Properties;
 import java.util.concurrent.ConcurrentHashMap;
 
+import static java.nio.charset.StandardCharsets.US_ASCII;
+
 /**
  * Helper class to load {@link ConnectionFactory} settings from a property file.
  * <p>
@@ -72,6 +90,7 @@ public class ConnectionFactoryConfigurator {
     public static final String SSL_ENABLED = "ssl.enabled";
     public static final String SSL_KEY_STORE = "ssl.key.store";
     public static final String SSL_KEY_STORE_PASSWORD = "ssl.key.store.password";
+    public static final String SSL_KEY_PASSWORD = "ssl.key.password";
     public static final String SSL_KEY_STORE_TYPE = "ssl.key.store.type";
     public static final String SSL_KEY_STORE_ALGORITHM = "ssl.key.store.algorithm";
     public static final String SSL_TRUST_STORE = "ssl.trust.store";
@@ -80,11 +99,13 @@ public class ConnectionFactoryConfigurator {
     public static final String SSL_TRUST_STORE_ALGORITHM = "ssl.trust.store.algorithm";
     public static final String SSL_VALIDATE_SERVER_CERTIFICATE = "ssl.validate.server.certificate";
     public static final String SSL_VERIFY_HOSTNAME = "ssl.verify.hostname";
+    public static final String PEM_TYPE = "PEM";
 
     // aliases allow to be compatible with keys from Spring Boot and still be consistent with
     // the initial naming of the keys
     private static final Map<String, List<String>> ALIASES = new ConcurrentHashMap<String, List<String>>() {{
         put(SSL_KEY_STORE, Arrays.asList("ssl.key-store"));
+        put(SSL_KEY_PASSWORD, Arrays.asList("ssl.key-password"));
         put(SSL_KEY_STORE_PASSWORD, Arrays.asList("ssl.key-store-password"));
         put(SSL_KEY_STORE_TYPE, Arrays.asList("ssl.key-store-type"));
         put(SSL_KEY_STORE_ALGORITHM, Arrays.asList("ssl.key-store-algorithm"));
@@ -228,6 +249,7 @@ private static void setUpSsl(ConnectionFactory cf, Map<String, String> propertie
         String algorithm = lookUp(SSL_ALGORITHM, properties, prefix);
         String keyStoreLocation = lookUp(SSL_KEY_STORE, properties, prefix);
         String keyStorePassword = lookUp(SSL_KEY_STORE_PASSWORD, properties, prefix);
+        String keyPassword = lookUp(SSL_KEY_PASSWORD, properties, prefix);
         String keyStoreType = lookUp(SSL_KEY_STORE_TYPE, properties, prefix, "PKCS12");
         String keyStoreAlgorithm = lookUp(SSL_KEY_STORE_ALGORITHM, properties, prefix, "SunX509");
         String trustStoreLocation = lookUp(SSL_TRUST_STORE, properties, prefix);
@@ -250,7 +272,7 @@ private static void setUpSsl(ConnectionFactory cf, Map<String, String> propertie
                         algorithm
                 );
             } else {
-                KeyManager[] keyManagers = configureKeyManagers(keyStoreLocation, keyStorePassword, keyStoreType, keyStoreAlgorithm);
+                KeyManager[] keyManagers = configureKeyManagers(keyStoreLocation, keyStorePassword, keyStoreType, keyStoreAlgorithm, keyPassword);
                 TrustManager[] trustManagers = configureTrustManagers(trustStoreLocation, trustStorePassword, trustStoreType, trustStoreAlgorithm);
 
                 // create ssl context
@@ -263,31 +285,57 @@ private static void setUpSsl(ConnectionFactory cf, Map<String, String> propertie
                     cf.enableHostnameVerification();
                 }
             }
-        } catch (NoSuchAlgorithmException | IOException | CertificateException |
-                UnrecoverableKeyException | KeyStoreException | KeyManagementException e) {
+        } catch (IOException | GeneralSecurityException e) {
             throw new IllegalStateException("Error while configuring TLS", e);
         }
     }
 
-    private static KeyManager[] configureKeyManagers(String keystore, String keystorePassword, String keystoreType, String keystoreAlgorithm) throws KeyStoreException, IOException, NoSuchAlgorithmException,
-            CertificateException, UnrecoverableKeyException {
-        char[] keyPassphrase = null;
-        if (keystorePassword != null) {
-            keyPassphrase = keystorePassword.toCharArray();
-        }
+    private static KeyManager[] configureKeyManagers(String keyStoreLocation, String keystorePassword, String keystoreType, String keystoreAlgorithm, String keyPassword) throws IOException, GeneralSecurityException {
         KeyManager[] keyManagers = null;
-        if (keystore != null) {
-            KeyStore ks = KeyStore.getInstance(keystoreType);
-            try (InputStream in = loadResource(keystore)) {
-                ks.load(in, keyPassphrase);
+        if (keyStoreLocation != null) {
+            KeyStore ks = configureKeyStore(keyStoreLocation, keystorePassword, keystoreType, keyPassword);
+
+            char[] password = "".toCharArray();
+            if (PEM_TYPE.equalsIgnoreCase(keystoreType) && keyPassword != null) {
+                password = keyPassword.toCharArray();
+            } else if (keystorePassword != null) {
+                password = keystorePassword.toCharArray();
             }
+
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(keystoreAlgorithm);
-            kmf.init(ks, keyPassphrase);
+            kmf.init(ks, password);
             keyManagers = kmf.getKeyManagers();
         }
         return keyManagers;
     }
 
+    private static KeyStore configureKeyStore(String keyStoreLocation, String keyStorePassword, String keystoreType, String keyPassword) throws GeneralSecurityException, IOException {
+        try (InputStream in = loadResource(keyStoreLocation)) {
+            if (PEM_TYPE.equalsIgnoreCase(keystoreType)) {
+                if (keyStorePassword != null && !keyStorePassword.isEmpty())
+                    throw new CertificateException("KeyStore password cannot be specified with PEM format, only key password may be specified");
+                else {
+                    StringBuilder readerBuilder = new StringBuilder();
+                    try (BufferedReader br = new BufferedReader(new InputStreamReader(in, US_ASCII))) {
+                        String inputLine;
+                        while ((inputLine = br.readLine()) != null) {
+                            readerBuilder.append(inputLine).append('\n');
+                        }
+                    }
+
+                    String pemFileContents = readerBuilder.toString();
+                    return PemReader.loadKeyStore(pemFileContents, pemFileContents, Optional.ofNullable(keyPassword));
+                }
+            } else {
+                char[] keyPassphrase = keyStorePassword == null ? null : keyStorePassword.toCharArray();
+
+                KeyStore ks = KeyStore.getInstance(keystoreType);
+                ks.load(in, keyPassphrase);
+                return ks;
+            }
+        }
+    }
+
     private static TrustManager[] configureTrustManagers(String truststore, String truststorePassword, String truststoreType, String truststoreAlgorithm)
             throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
         char[] trustPassphrase = null;
diff --git a/src/main/java/com/rabbitmq/client/PemReader.java b/src/main/java/com/rabbitmq/client/PemReader.java
@@ -0,0 +1,149 @@
+// Copyright (c) 2017-2025 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
+//
+// This software, the RabbitMQ Java client library, is triple-licensed under the
+// Mozilla Public License 2.0 ("MPL"), the GNU General Public License version 2
+// ("GPL") and the Apache License version 2 ("ASL"). For the MPL, please see
+// LICENSE-MPL-RabbitMQ. For the GPL, please see LICENSE-GPL2.  For the ASL,
+// please see LICENSE-APACHE2.
+//
+// This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND,
+// either express or implied. See the LICENSE file for specific language governing
+// rights and limitations of this software.
+//
+// If you have any questions regarding licensing, please contact us at
+// info@rabbitmq.com.
+
+package com.rabbitmq.client;
+
+import javax.crypto.Cipher;
+import javax.crypto.EncryptedPrivateKeyInfo;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static java.nio.charset.StandardCharsets.US_ASCII;
+import static java.util.Base64.getMimeDecoder;
+import static java.util.regex.Pattern.CASE_INSENSITIVE;
+import static javax.crypto.Cipher.DECRYPT_MODE;
+
+/**
+ * Note: this class is copied from org.apache.zookeeper.util.PemReader (see
+ * https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/PemReader.java)
+ * under the same Apache License 2.0 (ASL).
+ *
+ * The following modifications have been made to the original source code:
+ * <ul>
+ * <li>removed methods around loading trustStores.</li>
+ * <li>updated the regular expressions to avoid exponential backtracking.</li>
+ * </ul>
+ */
+public final class PemReader {
+
+    private static final Pattern CERT_PATTERN = Pattern.compile(
+        "-+BEGIN\\s+.*CERTIFICATE[^-]*-+\\s*"  // Header
+            + "([a-z0-9+/=\\r\\n]+)"           // Base64 text
+            + "-+END\\s+.*CERTIFICATE[^-]*-+", // Footer
+        CASE_INSENSITIVE);
+
+    private static final Pattern PRIVATE_KEY_PATTERN = Pattern.compile(
+        "-+BEGIN\\s+.*PRIVATE\\s+KEY[^-]*-+\\s*"  // Header
+            + "([a-z0-9+/=\\r\\n]+)"              // Base64 text
+            + "-+END\\s+.*PRIVATE\\s+KEY[^-]*-+", // Footer
+        CASE_INSENSITIVE);
+
+    private PemReader() {
+    }
+
+    public static KeyStore loadKeyStore(String certificateChainFile, String privateKeyFile, Optional<String> keyPassword) throws IOException, GeneralSecurityException {
+        PrivateKey key = loadPrivateKey(privateKeyFile, keyPassword);
+
+        List<X509Certificate> certificateChain = readCertificateChain(certificateChainFile);
+        if (certificateChain.isEmpty()) {
+            throw new CertificateException("Certificate file does not contain any certificates: "
+                                           + certificateChainFile);
+        }
+
+        KeyStore keyStore = KeyStore.getInstance("JKS");
+        keyStore.load(null, null);
+        keyStore.setKeyEntry("key",
+                             key,
+                             keyPassword.orElse("").toCharArray(),
+                             certificateChain.toArray(new Certificate[0]));
+        return keyStore;
+    }
+
+    public static List<X509Certificate> readCertificateChain(String certificateChain) throws CertificateException {
+        Matcher matcher = CERT_PATTERN.matcher(certificateChain);
+        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
+        List<X509Certificate> certificates = new ArrayList<>();
+
+        int start = 0;
+        while (matcher.find(start)) {
+            byte[] buffer = base64Decode(matcher.group(1));
+            certificates.add((X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(buffer)));
+            start = matcher.end();
+        }
+
+        return certificates;
+    }
+
+    public static PrivateKey loadPrivateKey(String privateKey, Optional<String> keyPassword) throws IOException, GeneralSecurityException {
+        Matcher matcher = PRIVATE_KEY_PATTERN.matcher(privateKey);
+        if (!matcher.find()) {
+            throw new KeyStoreException("did not find a private key");
+        }
+        byte[] encodedKey = base64Decode(matcher.group(1));
+
+        PKCS8EncodedKeySpec encodedKeySpec;
+        if (keyPassword.isPresent()) {
+            EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(encodedKey);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encryptedPrivateKeyInfo.getAlgName());
+            SecretKey secretKey = keyFactory.generateSecret(new PBEKeySpec(keyPassword.get().toCharArray()));
+
+            Cipher cipher = Cipher.getInstance(encryptedPrivateKeyInfo.getAlgName());
+            cipher.init(DECRYPT_MODE, secretKey, encryptedPrivateKeyInfo.getAlgParameters());
+
+            encodedKeySpec = encryptedPrivateKeyInfo.getKeySpec(cipher);
+        } else {
+            encodedKeySpec = new PKCS8EncodedKeySpec(encodedKey);
+        }
+
+        // this code requires a key in PKCS8 format which is not the default openssl format
+        // to convert to the PKCS8 format you use : openssl pkcs8 -topk8 ...
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+            return keyFactory.generatePrivate(encodedKeySpec);
+        } catch (InvalidKeySpecException ignore) {
+        }
+
+        try {
+            KeyFactory keyFactory = KeyFactory.getInstance("EC");
+            return keyFactory.generatePrivate(encodedKeySpec);
+        } catch (InvalidKeySpecException ignore) {
+        }
+
+        KeyFactory keyFactory = KeyFactory.getInstance("DSA");
+        return keyFactory.generatePrivate(encodedKeySpec);
+    }
+
+    private static byte[] base64Decode(String base64) {
+        return getMimeDecoder().decode(base64.getBytes(US_ASCII));
+    }
+
+}
diff --git a/src/test/java/com/rabbitmq/client/test/PropertyFileInitialisationTest.java b/src/test/java/com/rabbitmq/client/test/PropertyFileInitialisationTest.java
@@ -17,20 +17,31 @@
 
 import com.rabbitmq.client.ConnectionFactory;
 import com.rabbitmq.client.ConnectionFactoryConfigurator;
+import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
 
 import javax.net.ssl.SSLContext;
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.Reader;
-import java.util.*;
+import java.security.cert.CertificateException;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Stream;
 
 import static com.rabbitmq.client.impl.AMQConnection.defaultClientProperties;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 
 /**
  *
@@ -173,6 +184,48 @@ public void tlsInitialisationWithKeyManagerAndTrustManagerShouldSucceed() {
         });
     }
 
+    @Test
+    @DisplayName("TLS initialisation with PEM keystore and Key Store password should fail")
+    void tlsInitialisationWithPemAndKeyStorePasswordShouldFail() {
+        Map<String, String> configuration = new HashMap<>();
+        configuration.put(ConnectionFactoryConfigurator.SSL_ENABLED, "true");
+        configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE, "./src/test/resources/property-file-initialisation/tls/certificates.pem");
+        configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE_PASSWORD, "bunnies");
+        configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE_TYPE, "PEM");
+        configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE_ALGORITHM, "S unX509");
+
+        ConnectionFactory connectionFactory = mock(ConnectionFactory.class);
+        assertThatThrownBy(() -> ConnectionFactoryConfigurator.load(connectionFactory, configuration, ""))
+                .isInstanceOf(IllegalStateException.class)
+                .hasRootCauseInstanceOf(CertificateException.class);
+    }
+
+    @Test
+    @DisplayName("TLS initialisation with PEM certificates should succeed")
+    void tlsInitialisationWithPemCertificatesShouldSucceed() {
+        Stream.of("./src/test/resources/property-file-initialisation/tls/",
+                "classpath:/property-file-initialisation/tls/").forEach(baseDirectory -> {
+            Map<String, String> configuration = new HashMap<>();
+            configuration.put(ConnectionFactoryConfigurator.SSL_ENABLED, "true");
+            configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE, baseDirectory + "certificates.pem");
+            configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE_TYPE, "PEM");
+            configuration.put(ConnectionFactoryConfigurator.SSL_KEY_STORE_ALGORITHM, "SunX509");
+
+            configuration.put(ConnectionFactoryConfigurator.SSL_TRUST_STORE, baseDirectory + "truststore.jks");
+            configuration.put(ConnectionFactoryConfigurator.SSL_TRUST_STORE_PASSWORD, "bunnies");
+            configuration.put(ConnectionFactoryConfigurator.SSL_TRUST_STORE_TYPE, "JKS");
+            configuration.put(ConnectionFactoryConfigurator.SSL_TRUST_STORE_ALGORITHM, "SunX509");
+
+            configuration.put(ConnectionFactoryConfigurator.SSL_VERIFY_HOSTNAME, "true");
+
+            ConnectionFactory connectionFactory = mock(ConnectionFactory.class);
+            ConnectionFactoryConfigurator.load(connectionFactory, configuration, "");
+
+            verify(connectionFactory, times(1)).useSslProtocol(any(SSLContext.class));
+            verify(connectionFactory, times(1)).enableHostnameVerification();
+        });
+    }
+
     @Test
     public void tlsNotEnabledIfNotConfigured() {
         ConnectionFactory connectionFactory = mock(ConnectionFactory.class);
diff --git a/src/test/resources/property-file-initialisation/tls/certificates.pem b/src/test/resources/property-file-initialisation/tls/certificates.pem
