fix(NetSSLeay): avoid double-invoking passwd callback in CTX_use_PrivateKey_file

fglock · devin-ai-integration[bot] · fglock · commit cefa7879fc09 · 2026-04-21T13:08:54.000+02:00
CTX_use_PrivateKey_file previously called loadPrivateKeyFile (which invokes the password callback) and then re-opened the PEM and re-invoked the callback to populate ctxState.loadedPrivateKey for buildSslContext. This broke t/local/05_passwd_cb.t, which counts callback invocations: not ok 17 - different cbs per ctx work # each cb called 2x, expected 1 not ok 21 - callback1 called 2 times # got: '3' expected: '2' Plus spurious "Bad plan: planned 36 tests but ran 40" because the extra callback calls ran their own is()/ok() assertions. Fix: loadPrivateKeyFile now takes an optional SslCtxState and populates loadedPrivateKey + clears the cached SSLContext in a single pass. The callback runs exactly once per load. use_PrivateKey_file (SSL-level) benefits too — it now also populates the underlying CTX's key so the KeyManager sees it. Test results on t/local/05_passwd_cb.t: before: Tests: 40 Failed: 6 Parse errors: planned 36 ran 40 after: Tests: 36 Failed: 0 All tests successful. Full Net-SSLeay bundled suite: 47 files, 2326 tests, all pass. ./jcpan -t Digest::SHA3: 33/33 still green. make: green. Generated with [Devin](https://cli.devin.ai/docs) Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
diff --git a/src/main/java/org/perlonjava/core/Configuration.java b/src/main/java/org/perlonjava/core/Configuration.java
@@ -33,7 +33,7 @@ public final class Configuration {
      * Automatically populated by Gradle/Maven during build.
      * DO NOT EDIT MANUALLY - this value is replaced at build time.
      */
-    public static final String gitCommitId = "2313fda82";
+    public static final String gitCommitId = "dc78c6298";
 
     /**
      * Git commit date of the build (ISO format: YYYY-MM-DD).
@@ -48,7 +48,7 @@ public final class Configuration {
      * Parsed by App::perlbrew and other tools via: perl -V | grep "Compiled at"
      * DO NOT EDIT MANUALLY - this value is replaced at build time.
      */
-    public static final String buildTimestamp = "Apr 21 2026 12:38:06";
+    public static final String buildTimestamp = "Apr 21 2026 13:06:01";
 
     // Prevent instantiation
     private Configuration() {
diff --git a/src/main/java/org/perlonjava/runtime/perlmodule/NetSSLeay.java b/src/main/java/org/perlonjava/runtime/perlmodule/NetSSLeay.java
@@ -4876,33 +4876,10 @@ public static RuntimeList CTX_use_PrivateKey_file(RuntimeArray args, int ctx) {
         String filename = args.get(1).toString();
         SslCtxState ctxState = CTX_HANDLES.get(ctxHandle);
         if (ctxState == null) return new RuntimeScalar(0).getList();
-        RuntimeList r = loadPrivateKeyFile(filename, ctxState.passwdCb, ctxState.passwdUserdata);
-        if (r.size() > 0 && r.getFirst().getLong() == 1) {
-            // Load succeeded; parse again into the CTX so the KeyManager
-            // factory has the key at buildSslContext time.
-            try {
-                byte[] fileData = Files.readAllBytes(RuntimeIO.resolvePath(filename));
-                String pem = new String(fileData, StandardCharsets.ISO_8859_1);
-                String pass = null;
-                if (ctxState.passwdCb != null && ctxState.passwdCb.type == RuntimeScalarType.CODE) {
-                    RuntimeArray cbArgs = new RuntimeArray();
-                    cbArgs.push(new RuntimeScalar(0));
-                    cbArgs.push(ctxState.passwdUserdata != null ? ctxState.passwdUserdata
-                            : new RuntimeScalar());
-                    pass = RuntimeCode.apply(ctxState.passwdCb, cbArgs,
-                            RuntimeContextType.SCALAR).getFirst().toString();
-                }
-                byte[] der = parsePemPrivateKey(pem, pass);
-                if (der != null) {
-                    PrivateKey pk = parsePrivateKeyDer(der);
-                    if (pk != null) {
-                        ctxState.loadedPrivateKey = pk;
-                        ctxState.sslContext = null; // force rebuild
-                    }
-                }
-            } catch (Exception ignored) {}
-        }
-        return r;
+        // Pass ctxState so the successful-parse path populates the KeyManager
+        // state in one pass; avoids re-invoking the password callback, which
+        // broke t/local/05_passwd_cb.t (callback counted an extra call per load).
+        return loadPrivateKeyFile(filename, ctxState.passwdCb, ctxState.passwdUserdata, ctxState);
     }
 
     // SSL-level password callback functions
@@ -4933,23 +4910,30 @@ public static RuntimeList use_PrivateKey_file(RuntimeArray args, int ctx) {
         // SSL-level callback takes precedence over CTX-level
         RuntimeScalar cb = ssl.passwdCb;
         RuntimeScalar ud = ssl.passwdUserdata;
+        SslCtxState ctxStateForKey = CTX_HANDLES.get(ssl.ctxHandle);
         if (cb == null) {
             // Fall back to CTX-level callback
-            SslCtxState ctxState = CTX_HANDLES.get(ssl.ctxHandle);
-            if (ctxState != null) {
-                cb = ctxState.passwdCb;
-                ud = ctxState.passwdUserdata;
+            if (ctxStateForKey != null) {
+                cb = ctxStateForKey.passwdCb;
+                ud = ctxStateForKey.passwdUserdata;
             }
         }
-        return loadPrivateKeyFile(filename, cb, ud);
+        return loadPrivateKeyFile(filename, cb, ud, ctxStateForKey);
     }
 
-    private static RuntimeList loadPrivateKeyFile(String filename, RuntimeScalar cb, RuntimeScalar ud) {
+    /**
+     * @param ctxStateForKey if non-null and the PEM parses successfully,
+     *        the parsed {@link PrivateKey} is stored on this context so
+     *        {@code buildSslContext} can pick it up without re-invoking
+     *        the password callback.
+     */
+    private static RuntimeList loadPrivateKeyFile(String filename, RuntimeScalar cb, RuntimeScalar ud,
+                                                  SslCtxState ctxStateForKey) {
         try {
             byte[] fileData = Files.readAllBytes(RuntimeIO.resolvePath(filename));
             String pem = new String(fileData, StandardCharsets.ISO_8859_1);
 
-            // Get password via callback
+            // Get password via callback (invoked exactly once per call)
             String password = null;
             if (cb != null && cb.type == RuntimeScalarType.CODE) {
                 RuntimeArray cbArgs = new RuntimeArray();
@@ -4969,6 +4953,11 @@ private static RuntimeList loadPrivateKeyFile(String filename, RuntimeScalar cb,
             PrivateKey privKey = parsePrivateKeyDer(derBytes);
             if (privKey == null) return new RuntimeScalar(0).getList();
 
+            if (ctxStateForKey != null) {
+                ctxStateForKey.loadedPrivateKey = privKey;
+                ctxStateForKey.sslContext = null; // force rebuild
+            }
+
             return new RuntimeScalar(1).getList(); // success
         } catch (Exception e) {
             return new RuntimeScalar(0).getList(); // failure
