This is an automated email from the ASF dual-hosted git repository.
smolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git
The following commit(s) were added to refs/heads/master by this push:
new 314f7e9d8 KNOX-3118 - Use SHA256 as Knox Default Self-Signing
algorithm for SSL… (#1015)
314f7e9d8 is described below
commit 314f7e9d85006bdb6983dda21f03cb1563529642
Author: KnightChen <[email protected]>
AuthorDate: Wed Apr 9 15:32:24 2025 +0800
KNOX-3118 - Use SHA256 as Knox Default Self-Signing algorithm for SSL…
(#1015)
---
.../provider/federation/AbstractJWTFilterTest.java | 11 ++++---
.../gateway/config/impl/GatewayConfigImpl.java | 5 +++
.../security/impl/DefaultKeystoreService.java | 6 ++--
.../security/impl/DefaultKeystoreServiceTest.java | 36 +++++++++++++---------
.../impl/DefaultTokenAuthorityServiceTest.java | 12 ++++++++
.../apache/knox/gateway/websockets/BadUrlTest.java | 1 +
.../knox/gateway/websockets/JWTValidatorTest.java | 2 +-
.../gateway/websockets/WebsocketEchoTestBase.java | 1 +
.../WebsocketMultipleConnectionTest.java | 1 +
.../org/apache/knox/gateway/GatewayTestConfig.java | 5 +++
.../apache/knox/gateway/config/GatewayConfig.java | 7 +++++
.../knox/gateway/util/X509CertificateUtil.java | 2 +-
12 files changed, 65 insertions(+), 24 deletions(-)
diff --git
a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
index 6ad8b7d54..7ca72cd40 100644
---
a/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
+++
b/gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/AbstractJWTFilterTest.java
@@ -27,6 +27,7 @@ import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.apache.commons.codec.binary.Base64;
+import org.apache.knox.gateway.config.GatewayConfig;
import
org.apache.knox.gateway.provider.federation.jwt.filter.AbstractJWTFilter;
import
org.apache.knox.gateway.provider.federation.jwt.filter.SSOCookieFederationFilter;
import
org.apache.knox.gateway.provider.federation.jwt.filter.SignatureVerificationCache;
@@ -107,7 +108,7 @@ public abstract class AbstractJWTFilterTest {
kpg.initialize(2048);
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
"SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG);
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes( StandardCharsets.US_ASCII
) );
pem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
@@ -655,7 +656,7 @@ public abstract class AbstractJWTFilterTest {
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, "SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG );
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes(
StandardCharsets.US_ASCII ) );
String failingPem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
@@ -711,7 +712,7 @@ public abstract class AbstractJWTFilterTest {
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, "SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG);
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes(
StandardCharsets.US_ASCII ) );
String failingPem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
@@ -770,7 +771,7 @@ public abstract class AbstractJWTFilterTest {
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, "SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG);
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes(
StandardCharsets.US_ASCII ) );
String failingPem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
@@ -865,7 +866,7 @@ public abstract class AbstractJWTFilterTest {
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
"SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG);
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes( StandardCharsets.US_ASCII
) );
return new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
diff --git
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
index c61a8c557..2caef51d4 100644
---
a/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
+++
b/gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java
@@ -800,6 +800,11 @@ public class GatewayConfigImpl extends Configuration
implements GatewayConfig {
return get(CREDENTIAL_STORE_ALG, DEFAULT_CREDENTIAL_STORE_ALG);
}
+ @Override
+ public String getSelfSigningCertificateAlgorithm() {
+ return get(SELF_SIGNING_CERT_ALG, DEFAULT_SELF_SIGNING_CERT_ALG);
+ }
+
@Override
public String getCredentialStoreType() {
return get(CREDENTIAL_STORE_TYPE, DEFAULT_CREDENTIAL_STORE_TYPE);
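Review bot: `get(SELF_SIGNING_CERT_ALG, DEFAULT_SELF_SIGNING_CERT_ALG)` hands back the configured string untouched; if `Configuration` here is Hadoop's, `get` does not trim, so a value with stray surrounding whitespace in gateway-site.xml would only be rejected later by the JCA `Signature` lookup with an unhelpful "algorithm not found" error. `return getTrimmed(SELF_SIGNING_CERT_ALG, DEFAULT_SELF_SIGNING_CERT_ALG);` avoids that class of misconfiguration at no cost. The same applies to the sibling credential-store getters, but that is pre-existing.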
diff --git
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
index e51f904ae..e1e6a9b81 100644
---
a/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
+++
b/gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java
@@ -91,6 +91,7 @@ public class DefaultKeystoreService implements
KeystoreService {
private String credentialStoreAlgorithm;
private String credentialStoreType;
private String credentialsSuffix;
+ private String selfSigningCertificateAlgorithm;
public void setMasterService(MasterService ms) {
this.masterService = ms;
@@ -119,6 +120,7 @@ public class DefaultKeystoreService implements
KeystoreService {
this.credentialStoreAlgorithm = config.getCredentialStoreAlgorithm();
this.credentialStoreType = config.getCredentialStoreType();
this.credentialsSuffix = CREDENTIALS_SUFFIX +
this.credentialStoreType.toLowerCase(Locale.ROOT);
+ this.selfSigningCertificateAlgorithm =
config.getSelfSigningCertificateAlgorithm();
}
@Override
@@ -196,11 +198,11 @@ public class DefaultKeystoreService implements
KeystoreService {
X509Certificate cert;
if(hostname.equals(CERT_GEN_MODE_HOSTNAME)) {
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
"SHA1withRSA");
+ cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
this.selfSigningCertificateAlgorithm);
}
else {
String dn = buildDistinguishedName(hostname);
- cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
"SHA1withRSA");
+ cert = X509CertificateUtil.generateCertificate(dn, KPair, 365,
this.selfSigningCertificateAlgorithm);
}
KeyStore privateKS = getKeystoreForGateway();
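Review bot: Switching the default only affects certificates generated from now on; an existing gateway.jks holding a SHA-1-signed identity certificate is not regenerated by this change, so already-deployed gateways keep the SHA-1 cert until the keystore is recreated, which deserves a line in the release notes or the KNOX-3118 description. The configured name must also match the key type of `KPair`, which is generated before this hunk (presumably RSA); a value such as `SHA256withECDSA` would fail at signing time, so a call-site comment like `// signature algorithm must match the key type of KPair (RSA)` would spare operators a confusing failure. The enclosing method starts before this hunk.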
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
index 85841c341..d65ba802d 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java
@@ -305,6 +305,10 @@ public class DefaultKeystoreServiceTest {
Path defaultFile =
baseDir.resolve("security").resolve("keystores").resolve("gateway.jks");
String defaultAlias = "gateway-identity";
+ config.set(SIGNING_KEYSTORE_NAME, defaultFile.getFileName().toString());
+ config.set(IDENTITY_KEYSTORE_PATH,
defaultFile.toAbsolutePath().toString());
+ config.set(IDENTITY_KEY_ALIAS, defaultAlias);
+
DefaultKeystoreService keystoreService = new DefaultKeystoreService();
keystoreService.setMasterService(masterService);
@@ -314,11 +318,11 @@ public class DefaultKeystoreServiceTest {
fail("Not expecting ServiceLifecycleException due to missing signing
keystore file since a custom one is not specified");
}
- createKeystore(keystoreService, defaultFile, defaultAlias, masterPassword);
+ createKeystore(keystoreService, masterPassword, config);
keystoreService.init(config, Collections.emptyMap());
- testSigningKeystore(keystoreService, defaultFile, defaultAlias,
masterPassword);
+ testSigningKeystore(keystoreService, masterPassword, config);
/* *******************
* Test Custom Values
@@ -328,16 +332,17 @@ public class DefaultKeystoreServiceTest {
String customKeyAlias = "custom_alias";
config.set(SIGNING_KEYSTORE_NAME, customFileName);
+ config.set(IDENTITY_KEYSTORE_PATH, customFile.toAbsolutePath().toString());
config.set(SIGNING_KEY_ALIAS, customKeyAlias);
keystoreServiceAlt.setMasterService(masterService);
// Ensure the signing keystore exists before init-ing the keystore service
- createKeystore(keystoreService, customFile, customKeyAlias,
masterPassword);
+ createKeystore(keystoreService, masterPassword, config);
keystoreServiceAlt.init(config, Collections.emptyMap());
- testSigningKeystore(keystoreServiceAlt, customFile, customKeyAlias,
masterPassword);
+ testSigningKeystore(keystoreServiceAlt, masterPassword, config);
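Review bot: `createKeystore` and `testSigningKeystore` now take the alias from `config.getIdentityKeyAlias()`, but this section configures its custom alias through `SIGNING_KEY_ALIAS` (`custom_alias`) while `IDENTITY_KEY_ALIAS` still holds `gateway-identity` from the default section above, so the key entry is created and looked up under the identity alias and the custom signing alias is no longer exercised (the symlink section below has the same shape). Unless `IDENTITY_KEY_ALIAS` is reset between sections outside the hunk, the assertion is weaker than the one it replaces. Either add `config.set(IDENTITY_KEY_ALIAS, customKeyAlias);` next to the `SIGNING_KEY_ALIAS` line, or have `testSigningKeystore` look the key up with `config.getSigningKeyAlias()` so the signing alias is what gets verified.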
/* *******************
* Test Symlink Parent
@@ -365,17 +370,18 @@ public class DefaultKeystoreServiceTest {
String symlinkKeyAlias = "symlink_alias";
config.set(SIGNING_KEYSTORE_NAME, symlinkFileName);
+ config.set(IDENTITY_KEYSTORE_PATH,
symlinkFile.toAbsolutePath().toString());
config.set(SIGNING_KEY_ALIAS, symlinkKeyAlias);
config.set(GatewayConfigImpl.SECURITY_DIR, symlinkSecurityDir.toString());
keystoreServiceSymlink.setMasterService(masterService);
// Ensure the signing keystore exists before init-ing the keystore service
- createKeystore(keystoreService, symlinkFile, symlinkKeyAlias,
masterPassword);
+ createKeystore(keystoreService, masterPassword, config);
keystoreServiceSymlink.init(config, Collections.emptyMap());
- testSigningKeystore(keystoreServiceSymlink, symlinkFile, symlinkKeyAlias,
masterPassword);
+ testSigningKeystore(keystoreServiceSymlink, masterPassword, config);
// Verify the keystore passwords are set properly...
@@ -531,7 +537,7 @@ public class DefaultKeystoreServiceTest {
keystoreService.setMasterService(masterService);
keystoreService.init(config, Collections.emptyMap());
- createKeystore(keystoreService,
Paths.get(config.getIdentityKeystorePath()), config.getIdentityKeyAlias(),
masterPassword);
+ createKeystore(keystoreService, masterPassword, config);
assertNull(keystoreService.getKeyForGateway("wrongpassword".toCharArray()));
assertNotNull(keystoreService.getKeyForGateway(masterPassword));
@@ -798,12 +804,11 @@ public class DefaultKeystoreServiceTest {
}
private void testSigningKeystore(KeystoreService keystoreService,
- Path expectedKeystoreFilePath,
- String keyAlias,
- char[] masterPassword) throws Exception {
- assertTrue(Files.exists(expectedKeystoreFilePath));
+ char[] masterPassword,
+ GatewayConfig config) throws Exception {
+ assertTrue(Files.exists(Paths.get(config.getIdentityKeystorePath())));
assertNotNull(keystoreService.getSigningKeystore());
- assertNotNull(keystoreService.getSigningKey(keyAlias, masterPassword));
+ assertNotNull(keystoreService.getSigningKey(config.getIdentityKeyAlias(),
masterPassword));
}
private GatewayConfigImpl createGatewayConfig(Path baseDir) {
@@ -814,8 +819,9 @@ public class DefaultKeystoreServiceTest {
}
- private void createKeystore(DefaultKeystoreService keystoreService, Path
keystoreFilePath, String alias, char[] password)
+ private void createKeystore(DefaultKeystoreService keystoreService, char[]
password, final GatewayConfig config)
throws KeystoreServiceException, KeyStoreException,
CertificateException, NoSuchAlgorithmException, IOException {
+ Path keystoreFilePath = Paths.get(config.getIdentityKeystorePath());
KeyStore keystore = keystoreService.createKeyStore(keystoreFilePath,
"JKS", password);
KeyPairGenerator keyPairGenerator;
@@ -827,9 +833,9 @@ public class DefaultKeystoreServiceTest {
String.format(Locale.ROOT,
"CN=%s,OU=Test,O=Hadoop,L=Test,ST=Test,C=US", this.getClass().getName()),
keyPair,
365,
- "SHA1withRSA");
+ config.getSelfSigningCertificateAlgorithm());
- keystore.setKeyEntry(alias, keyPair.getPrivate(),
+ keystore.setKeyEntry(config.getIdentityKeyAlias(), keyPair.getPrivate(),
password,
new java.security.cert.Certificate[]{cert});
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
index 2efe15945..a11db4f10 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityServiceTest.java
@@ -66,6 +66,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -115,6 +116,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -165,6 +167,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -213,6 +216,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -262,6 +266,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
@@ -316,6 +321,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
@@ -371,6 +377,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -414,6 +421,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -462,6 +470,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("invalid_password".toCharArray()).atLeastOnce();
@@ -510,6 +519,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -558,6 +568,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getKeystoreCacheSizeLimit()).andReturn(0L).anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray()).atLeastOnce();
@@ -606,6 +617,7 @@ public class DefaultTokenAuthorityServiceTest {
EasyMock.expect(config.getSigningKeyAlias()).andReturn("server").anyTimes();
EasyMock.expect(config.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(config.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(config.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
MasterService ms = EasyMock.createNiceMock(MasterService.class);
EasyMock.expect(ms.getMasterSecret()).andReturn("horton".toCharArray());
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
index 360f2da81..fdc71aa59 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/BadUrlTest.java
@@ -316,6 +316,7 @@ public class BadUrlTest {
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(gatewayConfig.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
EasyMock.replay(gatewayConfig);
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/JWTValidatorTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/JWTValidatorTest.java
index f763314f9..e79bea6d7 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/JWTValidatorTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/JWTValidatorTest.java
@@ -91,7 +91,7 @@ public class JWTValidatorTest {
kpg.initialize(2048);
KeyPair KPair = kpg.generateKeyPair();
String dn =
buildDistinguishedName(InetAddress.getLocalHost().getHostName());
- Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, "SHA1withRSA");
+ Certificate cert = X509CertificateUtil.generateCertificate(dn, KPair,
365, GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG);
byte[] data = cert.getEncoded();
Base64 encoder = new Base64( 76, "\n".getBytes(
StandardCharsets.US_ASCII ) );
pem = new String(encoder.encodeToString( data ).getBytes(
StandardCharsets.US_ASCII ), StandardCharsets.US_ASCII).trim();
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
index f3d9b6b5b..3c26466bd 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketEchoTestBase.java
@@ -346,6 +346,7 @@ public class WebsocketEchoTestBase {
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(gatewayConfig.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
EasyMock.replay(gatewayConfig);
diff --git
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
index edcfeff63..00a1c2697 100644
---
a/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
+++
b/gateway-server/src/test/java/org/apache/knox/gateway/websockets/WebsocketMultipleConnectionTest.java
@@ -379,6 +379,7 @@ public class WebsocketMultipleConnectionTest {
EasyMock.expect(gatewayConfig.getCredentialStoreType()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_TYPE).anyTimes();
EasyMock.expect(gatewayConfig.getCredentialStoreAlgorithm()).andReturn(GatewayConfig.DEFAULT_CREDENTIAL_STORE_ALG).anyTimes();
+
EasyMock.expect(gatewayConfig.getSelfSigningCertificateAlgorithm()).andReturn(GatewayConfig.DEFAULT_SELF_SIGNING_CERT_ALG).anyTimes();
EasyMock.replay(gatewayConfig);
diff --git
a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
index 3711419fd..ae8c65620 100644
---
a/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
+++
b/gateway-spi-common/src/main/java/org/apache/knox/gateway/GatewayTestConfig.java
@@ -461,6 +461,11 @@ public class GatewayTestConfig extends Configuration
implements GatewayConfig {
return DEFAULT_CREDENTIAL_STORE_ALG;
}
+ @Override
+ public String getSelfSigningCertificateAlgorithm() {
+ return DEFAULT_SELF_SIGNING_CERT_ALG;
+ }
+
@Override
public String getCredentialStoreType() {
return DEFAULT_CREDENTIAL_STORE_TYPE;
diff --git
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
index 3718716cf..dd7b2441d 100644
---
a/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
+++
b/gateway-spi/src/main/java/org/apache/knox/gateway/config/GatewayConfig.java
@@ -92,6 +92,8 @@ public interface GatewayConfig {
String CREDENTIAL_STORE_ALG = "gateway.credential.store.alg";
String DEFAULT_CREDENTIAL_STORE_ALG = "AES";
+ String SELF_SIGNING_CERT_ALG = "gateway.self.signing.cert.alg";
+ String DEFAULT_SELF_SIGNING_CERT_ALG = "SHA256withRSA";
String CREDENTIAL_STORE_TYPE = "gateway.credential.store.type";
String DEFAULT_CREDENTIAL_STORE_TYPE = "JCEKS";
@@ -266,6 +268,11 @@ public interface GatewayConfig {
*/
String getCredentialStoreAlgorithm();
+ /**
+ * @return the algorithm that is used when generating a self-signing
certificate.
+ */
+ String getSelfSigningCertificateAlgorithm();
+
/**
* @return the type of the credential store used by AliasService
*/
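Review bot: The Javadoc on `getSelfSigningCertificateAlgorithm` should tell an operator what value is accepted and where it comes from: it is a JCA `Signature` algorithm name read from `gateway.self.signing.cert.alg`, defaulting to `SHA256withRSA`, and it has to be compatible with the key type of the generated key pair. Suggested text: `@return the JCA Signature algorithm name (e.g. "SHA256withRSA") used to sign the gateway's self-signed identity certificate; read from gateway.self.signing.cert.alg, defaults to SHA256withRSA, and must match the key type of the generated key pair`. "self-signing certificate" also reads better as "self-signed certificate" in both the Javadoc and the commit title.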
diff --git
a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/X509CertificateUtil.java
b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/X509CertificateUtil.java
index e0ddaa303..b66ee8406 100644
---
a/gateway-util-common/src/main/java/org/apache/knox/gateway/util/X509CertificateUtil.java
+++
b/gateway-util-common/src/main/java/org/apache/knox/gateway/util/X509CertificateUtil.java
@@ -64,7 +64,7 @@ public class X509CertificateUtil {
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
- * @param algorithm the signing algorithm, eg "SHA1withRSA"
+ * @param algorithm the signing algorithm, eg "SHA256withRSA"
* @return self-signed X.509 certificate
*/
public static X509Certificate generateCertificate(String dn, KeyPair pair,
int days, String algorithm) {