FakeKS restored to self-signed. Add FakeChainedKS. #125
Conversation
| val SignatureAlgorithmName = "SHA256withRSA" | ||
| val KeyPairAlgorithmName = "RSA" | ||
| val KeyPairKeyLength = 2048 // 2048 is the NIST acceptable key length until 2030 | ||
| val KeystoreType = "PKCS12" |
There was a problem hiding this comment.
Yes. kyetool keeps alerting jks is proprietary and recommending a migration:
$ keytool -keystore generated.keystore -list
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: jks
Keystore provider: SUN
Your keystore contains 4 entries
playgeneratedtrusted, Sep 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): F3:7E:F7:12:BC:73:EB:A7:CF:AF:C7:49:CD:3A:B1:C1:F0:1B:75:98
playgenerated, Sep 20, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): F3:7E:F7:12:BC:73:EB:A7:CF:AF:C7:49:CD:3A:B1:C1:F0:1B:75:98
playgeneratedcatrusted, Sep 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 4C:F3:C9:5E:D8:F1:83:46:BD:89:7C:1F:7D:BD:24:EB:94:9C:E8:8E
playgeneratedca, Sep 20, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 4C:F3:C9:5E:D8:F1:83:46:BD:89:7C:1F:7D:BD:24:EB:94:9C:E8:8E
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore generated.keystore -destkeystore generated.keystore -deststoretype pkcs12".
vs
$ keytool -keystore selfsigned.keystore -list
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
sslconfig-selfsigned, Oct 5, 2018, PrivateKeyEntry,
There was a problem hiding this comment.
Hmm, the trust entry on the selfsigned.keystore isn't listed. Is it really added?
|
|
||
| val DistinguishedName = "CN=localhost, OU=Unit Testing, O=Mavericks, L=SSL Config Base 1, ST=Cyberspace, C=CY" | ||
| val keyPassword: Array[Char] = EMPTY_PASSWORD | ||
| } |
There was a problem hiding this comment.
The above two objects keep the certificate-specific constants. Below are the Keystore-specific constants. Future refactors could extract this data structures into case classes, etc... and extract duplicate code from FakeKeyStore+FakeChainedKeyStore.
| val KeystoreType = "PKCS12" | ||
| val SignatureAlgorithmOID: ObjectIdentifier = AlgorithmId.sha256WithRSAEncryption_oid | ||
| val keystorePassword: Array[Char] = EMPTY_PASSWORD | ||
| } |
There was a problem hiding this comment.
This set of constants is duplicate in FakeKeyStore.
There was a problem hiding this comment.
Can we make them reference each other? Or even remove the duplication at all?
| certInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, actualAlgorithm) | ||
| val newCert = new X509CertImpl(certInfo) | ||
| newCert.sign(keyPair.getPrivate, KeystoreSettings.SignatureAlgorithmName) | ||
| newCert |
There was a problem hiding this comment.
The two methods above have a lot of duplication amongst themselves and with some other code in FakeKeyStore
| val KeyPairKeyLength = 2048 // 2048 is the NIST acceptable key length until 2030 | ||
| val KeystoreType = "PKCS12" | ||
| val SignatureAlgorithmOID: ObjectIdentifier = AlgorithmId.sha256WithRSAEncryption_oid | ||
| val keystorePassword: Array[Char] = EMPTY_PASSWORD |
| val SignatureAlgorithmName = "SHA256withRSA" | ||
| val KeyPairAlgorithmName = "RSA" | ||
| val KeyPairKeyLength = 2048 // 2048 is the NIST acceptable key length until 2030 | ||
| val KeystoreType = "PKCS12" |
There was a problem hiding this comment.
KeyStore's no longer default to JKS. Instead the default is PKCS12
|
With this change the naming conventions change slightly:
|
| val KeystoreType = "PKCS12" | ||
| val SignatureAlgorithmOID: ObjectIdentifier = AlgorithmId.sha256WithRSAEncryption_oid | ||
| val keystorePassword: Array[Char] = EMPTY_PASSWORD | ||
| } |
There was a problem hiding this comment.
Can we make them reference each other? Or even remove the duplication at all?
|
I added the duplication to focus on having something we can uses ASAP. IMHO all FakeXyz tools shohhuld be moved out of Need to log off now, but will be back tonight to improve the code. |
## Purpose Update ssl-config to version 0.3.5 ## References * lightbend/ssl-config#125 * lagom/lagom#1610
https://github.com/tersesystems/securitybuilder#x509certificatecreator :-) |
Using a keyStore with multiple
privateKeyPairentries to create anSSLContextwith a defaultKeyManagerFactoryhas the consequence that you can't set what key should be used. There are mechanisms to setup SNI or to allow connection-specific key selection. Until those are necessary and implemented, using a single-keyKeyStoreis the simplest option.Note: we could create a collection of tools to create several
KeyStore's (one for the CA, another for the server, a third one for client-side SSL auth) but that's not the purpose of this PR.Fixes #115