This is an automated email from the ASF dual-hosted git repository. ctubbsii pushed a commit to branch 1.10 in repository https://gitbox.apache.org/repos/asf/accumulo.git
The following commit(s) were added to refs/heads/1.10 by this push: new 05a4fc0 Use stronger crypto settings for test certificates (#1960) 05a4fc0 is described below commit 05a4fc0faba94b0cc8dd335aafb1e282f5f22f35 Author: Christopher Tubbs <ctubb...@apache.org> AuthorDate: Sat Mar 6 10:59:49 2021 -0500 Use stronger crypto settings for test certificates (#1960) Backport of 51e18e20ff7e4bdd8d164c99ec8551136d31dc37 for 1.10 * Use 4096 bit RSA keys and SHA512withRSA instead of SHA1withRSA for the certificate signing algorithm for certificates generated for testing Accumulo's TLS support * This avoids problems with test breakages in environments, such as Fedora 33, with strong default crypto policies for Java that restrict weak crypto, or if the user has restricted their Java security policies themselves --- .../java/org/apache/accumulo/harness/MiniClusterHarness.java | 7 +++---- .../org/apache/accumulo/test/functional/ConfigurableMacBase.java | 9 +++++---- test/src/main/java/org/apache/accumulo/test/util/CertUtils.java | 4 ++-- .../test/java/org/apache/accumulo/test/util/CertUtilsTest.java | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
index 7ddf114..3084921 100644
--- a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
+++ b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
@@ -210,10 +210,9 @@ public class MiniClusterHarness {
 truststorePassword = "truststore_password";
 try {
 new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
- "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, "sha1WithRSAEncryption")
- .createAll(rootKeystoreFile, localKeystoreFile, publicTruststoreFile,
- cfg.getInstanceName(), rootKeystorePassword, cfg.getRootPassword(),
- truststorePassword);
+ "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 4096, "SHA512WITHRSA").createAll(
+ rootKeystoreFile, localKeystoreFile, publicTruststoreFile, cfg.getInstanceName(),
+ rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
 } catch (Exception e) {
 throw new RuntimeException("error creating MAC keystore", e);
 }
diff --git a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
index 0ac5af7..c380838 100644
--- a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
+++ b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
@@ -23,6 +23,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.net.InetAddress;
 import java.util.Map;
 import org.apache.accumulo.core.client.AccumuloException;
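Review bot: The key settings `"RSA", 4096, "SHA512WITHRSA"` in the `new CertUtils(...)` call in MiniClusterHarness are written out as literals, and the same values are repeated in the ConfigurableMacBase and CertUtilsTest hunks, with a fourth copy in the CertUtils option defaults. The removed lines show how such copies drift: the harnesses still asked for `sha1WithRSAEncryption` while the CertUtils default was already `SHA256WITHRSA`. Consider defining the values once in CertUtils, for example `public static final int DEFAULT_KEY_SIZE = 4096;` and `public static final String DEFAULT_SIGNING_ALG = "SHA512WITHRSA";`, and referencing them from all four places. The enclosing method starts and ends outside this hunk.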
@@ -99,11 +100,11 @@ public class ConfigurableMacBase extends AccumuloITBase {
 final String rootKeystorePassword = "root_keystore_password",
 truststorePassword = "truststore_password";
 try {
+ String hostname = InetAddress.getLocalHost().getHostName();
 new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
- "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, "sha1WithRSAEncryption")
- .createAll(rootKeystoreFile, localKeystoreFile, publicTruststoreFile,
- cfg.getInstanceName(), rootKeystorePassword, cfg.getRootPassword(),
- truststorePassword);
+ "o=Apache Accumulo,cn=" + hostname, "RSA", 4096, "SHA512WITHRSA").createAll(
+ rootKeystoreFile, localKeystoreFile, publicTruststoreFile, cfg.getInstanceName(),
+ rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
 } catch (Exception e) {
 throw new RuntimeException("error creating MAC keystore", e);
 }
diff --git a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
index 3ce0d02..12c33d8 100644
--- a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
+++ b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
@@ -123,14 +123,14 @@ public class CertUtils {
 public String siteFile = null;
 @Parameter(names = "--signing-algorithm", description = "Algorithm used to sign certificates")
- public String signingAlg = "SHA256WITHRSA";
+ public String signingAlg = "SHA512WITHRSA";
 @Parameter(names = "--encryption-algorithm", description = "Algorithm used to encrypt private keys")
 public String encryptionAlg = "RSA";
 @Parameter(names = "--keysize", description = "Key size used by encryption algorithm")
- public int keysize = 2048;
+ public int keysize = 4096;
 public AccumuloConfiguration getConfiguration() {
 if (siteFile == null) {
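Review bot: The subject passed to `new CertUtils(...)` in ConfigurableMacBase changes from the fixed `cn=MiniAccumuloCluster` to `"cn=" + hostname`, but neither the commit description nor the code says why, and MiniClusterHarness keeps the fixed name. `InetAddress.getLocalHost()` throws `UnknownHostException` on machines whose own name does not resolve, which the surrounding `catch (Exception e)` reports only as "error creating MAC keystore", and `getHostName()` can return a short name or an address literal rather than the name peers connect with. If the aim is to satisfy host name verification, verifiers prefer subjectAltName over CN, and whether CertUtils emits one is not visible in this diff. I would add a comment above the new line, e.g. `// CN is the local host name so that <reason>; fails if the local name cannot be resolved`, with the reason supplied by the author; the enclosing method starts and ends outside the hunk.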
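Review bot: The new defaults `signingAlg = "SHA512WITHRSA"` and `keysize = 4096` in CertUtils carry no comment saying they were raised to pass restrictive JVM crypto policies, so a later edit could lower them again without anyone connecting it to the test breakage described in the commit message. A short comment above each field would do, for example `// Must stay acceptable to restrictive java.security policies (e.g. Fedora 33); see #1960`. The `--keysize` and `--signing-algorithm` options still accept any value, so a caller can request settings that such policies reject; a lower bound in the option handling may be worth considering, though that code is outside this hunk.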
diff --git a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
index 582910b..3b3ddbe 100644
--- a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
+++ b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
@@ -41,7 +41,7 @@ public class CertUtilsTest {
 new TemporaryFolder(new File(System.getProperty("user.dir") + "/target"));
 private CertUtils getUtils() {
- return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 2048, "sha1WithRSAEncryption");
+ return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 4096, "SHA512WITHRSA");
 }
 @Test
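Review bot: `getUtils()` now requests 4096-bit keys and `SHA512WITHRSA`, but nothing visible in this hunk asserts that the generated certificates actually use them, so a regression inside CertUtils would go unnoticed unless a test elsewhere in the file covers it. An assertion on a generated certificate would pin the setting, e.g. `assertTrue("SHA512withRSA".equalsIgnoreCase(((X509Certificate) cert).getSigAlgName()));`, where `cert` stands for a certificate read back from the keystore. Key generation at 4096 bits is also slower than at 2048, which adds up if each test method builds its own key pairs through `getUtils()`; the test methods lie outside this hunk.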