Skip to content

Add JKS keystore support to X509Authentication#374

Draft
devin-ai-integration[bot] wants to merge 6 commits into
masterfrom
devin/1758320587-add-jks-keystore-support
Draft

Add JKS keystore support to X509Authentication#374
devin-ai-integration[bot] wants to merge 6 commits into
masterfrom
devin/1758320587-add-jks-keystore-support

Conversation

@devin-ai-integration
Copy link
Copy Markdown

@devin-ai-integration devin-ai-integration Bot commented Sep 19, 2025

Add JKS keystore support to X509Authentication

Summary

This PR adds JKS keystore support to the X509Authentication class while preserving all existing PEM-based functionality. The implementation adds a new public method configureX509AuthenticationFromKeystore that takes a keystore path, password, and certificate alias, then extracts the certificate and private key to create an SSL context.

Key Changes:

  • New configureX509AuthenticationFromKeystore method for JKS keystore support
  • New createSSLContextFromKeystore helper method that handles keystore loading and certificate extraction
  • Proper error handling for missing certificates, invalid aliases, and keystore access failures
  • Reuses existing createSSLContextFromKeyAndCert method to maintain consistency with PEM implementation

Review & Testing Checklist for Human

⚠️ IMPORTANT: This code has not been compiled or tested due to build environment issues. The following items are critical to verify:

  • End-to-end testing: Create a test JKS keystore and verify the new method works correctly with real certificates
  • Error handling verification: Test scenarios with missing certificate aliases, wrong passwords, and corrupted keystores
  • Integration testing: Verify this doesn't break existing PEM-based X.509 authentication
  • Security review: Review keystore password handling and ensure no sensitive data leaks in logs
  • API integration: Consider how this will be called from the main JDBC connection flow (currently only added to the utility class)

Test Plan Recommendation

  1. Create a test JKS keystore with a known certificate and alias
  2. Call configureX509AuthenticationFromKeystore with valid parameters and verify SSL context creation
  3. Test error cases: wrong alias, wrong password, missing keystore file
  4. Verify existing PEM tests still pass

Notes

  • Link to Devin run: https://app.devin.ai/sessions/9c0cf9c618954421999c2005c0a6da38
  • Requested by: @nbagnard
  • ⚠️ Limitation: This implementation only extends the X509Authentication utility class. Integration with connection properties (to make it callable from JDBC URLs) was not implemented per user request to focus only on the utility class.
  • Architecture: The new method follows the same patterns as the existing PEM implementation and reuses the same SSL context creation logic for consistency.

@devin-ai-integration @nbagnard
Add JKS keystore support to X509Authentication
21121a8 
- Add configureX509AuthenticationFromKeystore method for JKS keystore support
- Add createSSLContextFromKeystore helper method
- Support keystore path, password, and certificate alias parameters
- Reuse existing SSL context creation logic
- Add proper error handling for missing certificates/keys

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@devin-ai-integration devin-ai-integration Bot requested a review from a team as a code owner September 19, 2025 22:26
@devin-ai-integration
Copy link
Copy Markdown
Author

devin-ai-integration Bot commented Sep 19, 2025

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration Bot and others added 5 commits September 19, 2025 22:35
@devin-ai-integration @nbagnard
Fix code formatting for createSSLContextFromKeystore method
3d554e8 
- Wrap long method signature to match project style
- Remove extra blank line
- Ensure proper indentation

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@devin-ai-integration @nbagnard
Fix Google Java Format violations in createSSLContextFromKeystore method
039e0ad 
- Break long exception messages across multiple lines
- Fix line length violations for static analysis compliance
- Maintain consistent formatting with existing codebase

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@devin-ai-integration @nbagnard
Add PemToKeystoreConverter test utility for JKS keystore testing
ed69a58 
- Converts unencrypted PEM files to JKS keystore format
- Uses filename as certificate alias (e.g., pkcs8_unencrypted, pkcs1_unencrypted)
- Supports both PKCS#1 and PKCS#8 private key formats
- Includes keystore verification and proper error handling

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@devin-ai-integration @nbagnard
Fix redundant import causing static analysis failure
f926759 
- Remove specific UnrecoverableKeyException import since it's covered by java.security.*
- Resolves static analysis violation for import redundancy

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@devin-ai-integration @nbagnard
Re-add UnrecoverableKeyException import for static analysis
d40f626 
- Add specific import for UnrecoverableKeyException used in catch block
- Resolves static analysis failure caused by ambiguous import resolution

Co-Authored-By: natacha.bagnard@mongodb.com <natacha.bagnard@mongodb.com>
@nbagnard nbagnard marked this pull request as draft October 27, 2025 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nbagnard nbagnard Awaiting requested review from nbagnard

At least 1 approving review is required to merge this pull request.

Assignees

@nbagnard nbagnard

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@nbagnard