fix: using io.github.hakky54:ayza-for-pem to load KeyManager for PEM

manbucy · manbucy · commit cbc7ad01b704 · 2025-10-28T23:43:06.000+08:00
diff --git a/pom.xml b/pom.xml
@@ -167,6 +167,12 @@
             <artifactId>okhttp-brotli</artifactId>
             <version>4.12.0</version>
         </dependency>
+
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>ayza-for-pem</artifactId>
+            <version>10.0.1</version>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
diff --git a/src/main/java/com/laker/postman/service/http/ssl/ClientCertificateLoader.java b/src/main/java/com/laker/postman/service/http/ssl/ClientCertificateLoader.java
@@ -1,11 +1,16 @@
 package com.laker.postman.service.http.ssl;
 
+import cn.hutool.core.io.FileUtil;
+import cn.hutool.core.util.StrUtil;
 import com.laker.postman.model.ClientCertificate;
 import lombok.extern.slf4j.Slf4j;
+import nl.altindag.ssl.pem.util.PemUtils;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509KeyManager;
+import java.io.BufferedInputStream;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.net.Socket;
@@ -70,28 +75,16 @@ private static KeyManager[] createKeyManagersFromPFX(ClientCertificate cert) thr
      * 从 PEM 文件创建 KeyManager
      */
     private static KeyManager[] createKeyManagersFromPEM(ClientCertificate cert) throws Exception {
-        // 加载证书
-        X509Certificate certificate = loadCertificateFromPEM(cert.getCertPath());
+        log.debug("Loaded PEM certificate from: {} and key from: {}", cert.getCertPath(), cert.getKeyPath());
+        try (BufferedInputStream certInputStream = FileUtil.getInputStream(cert.getCertPath());
+             BufferedInputStream keyInputStream = FileUtil.getInputStream(cert.getKeyPath())) {
 
-        // 加载私钥
-        PrivateKey privateKey = loadPrivateKeyFromPEM(cert.getKeyPath(), cert.getKeyPassword());
+            X509ExtendedKeyManager keyManager = StrUtil.isNotBlank(cert.getKeyPassword())
+                    ? PemUtils.loadIdentityMaterial(certInputStream, keyInputStream, cert.getKeyPassword().toCharArray())
+                    : PemUtils.loadIdentityMaterial(certInputStream, keyInputStream);
 
-        // 创建 KeyStore 并添加证书和私钥
-        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-        keyStore.load(null, null);
-
-        Certificate[] certChain = new Certificate[]{certificate};
-        char[] keyPassword = cert.getKeyPassword() != null ?
-            cert.getKeyPassword().toCharArray() : new char[0];
-
-        keyStore.setKeyEntry("client-cert", privateKey, keyPassword, certChain);
-
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-        kmf.init(keyStore, keyPassword);
-
-        log.debug("Loaded PEM certificate from: {} and key from: {}",
-            cert.getCertPath(), cert.getKeyPath());
-        return kmf.getKeyManagers();
+            return new KeyManager[]{keyManager};
+        }
     }
 
     /**
