This is an automated email from the ASF dual-hosted git repository.

eolivelli pushed a commit to branch 2.7.2_ds_rootless
in repository https://gitbox.apache.org/repos/asf/pulsar.git

commit 47ce9dee6311d0174bd1cf2c05456daa9d9c578f
Author: Lari Hotari <lhot...@users.noreply.github.com>
AuthorDate: Mon Apr 26 20:18:27 2021 +0300

    [Tests] Recreate keystores used in TLS tests with RSA key algorithm & 
SHA256 to support JDK 11 & TLS 1.3 (#10336)
    
    * Add script for creating certs for tests
    
    * RSA keys must be used, update documentation for creating keys with keytool
    
    * Update keystores used in tests
    
    (cherry picked from commit 0e4ff8a4a414f02b44a027ead01f49d8b3ab2ade)
---
 build/generate_keystores_for_tests.sh              |  61 +++++++++++++++++++++
 .../authentication/keystoretls/broker.keystore.jks | Bin 2767 -> 3723 bytes
 .../keystoretls/broker.truststore.jks              | Bin 731 -> 838 bytes
 .../authentication/keystoretls/client.keystore.jks | Bin 2767 -> 3726 bytes
 .../keystoretls/client.truststore.jks              | Bin 731 -> 838 bytes
 .../authentication/keystoretls/broker.keystore.jks | Bin 2767 -> 3723 bytes
 .../keystoretls/broker.truststore.jks              | Bin 731 -> 838 bytes
 .../authentication/keystoretls/client.keystore.jks | Bin 2767 -> 3726 bytes
 .../keystoretls/client.truststore.jks              | Bin 731 -> 838 bytes
 site2/docs/security-tls-keystore.md                |   2 +-
 .../version-2.6.0/security-tls-keystore.md         |   2 +-
 .../version-2.6.1/security-tls-keystore.md         |   2 +-
 .../version-2.6.2/security-tls-keystore.md         |   2 +-
 .../security-tls-keystore.md                       |   8 +--
 .../security-tls-keystore.md                       |   4 +-
 .../security-tls-keystore.md                       |   8 +--
 .../security-tls-keystore.md                       |   8 +--
 17 files changed, 79 insertions(+), 18 deletions(-)

diff --git a/build/generate_keystores_for_tests.sh 
b/build/generate_keystores_for_tests.sh
new file mode 100755
index 0000000..551ce8e
--- /dev/null
+++ b/build/generate_keystores_for_tests.sh
@@ -0,0 +1,61 @@
+#!/bin/bash -xe
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+cd /tmp
+mkdir keygendir$$
+cd keygendir$$
+
+# create CA key and cert
+openssl req -x509 -newkey rsa:2048 -passout pass:111111 -keyout ca-key -out 
ca-cert -days 3650 -sha256 -subj "/CN=CARoot"
+
+COMMON_PARAMS="-storetype JKS -storepass 111111 -keypass 111111 -noprompt"
+
+# create client and broker truststores and keystores
+keytool -import -keystore client.truststore.jks $COMMON_PARAMS -alias CARoot 
-file ca-cert
+keytool -import -keystore broker.truststore.jks $COMMON_PARAMS -alias CARoot 
-file ca-cert
+keytool -import -keystore client.keystore.jks $COMMON_PARAMS -alias CARoot 
-file ca-cert
+keytool -import -keystore broker.keystore.jks $COMMON_PARAMS -alias CARoot 
-file ca-cert
+
+# create broker key
+keytool -genkeypair -keystore broker.keystore.jks $COMMON_PARAMS -keyalg RSA 
-alias localhost -validity 3650 \
+  -dname 'CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown'
+keytool -certreq -keystore broker.keystore.jks $COMMON_PARAMS -alias localhost 
-file cert-file
+# sign broker key
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed 
-days 3650 -CAcreateserial -passin pass:111111
+# import broker key
+keytool -import -keystore broker.keystore.jks $COMMON_PARAMS -alias localhost 
-file cert-signed
+
+# create client key
+keytool -genkeypair -keystore client.keystore.jks $COMMON_PARAMS -keyalg RSA 
-alias clientuser -validity 3650 \
+  -dname 'CN=clientuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown'
+keytool  -certreq -keystore client.keystore.jks $COMMON_PARAMS -alias 
clientuser -file cert-file-client
+# sign client key
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file-client -out 
cert-signed-client -days 3650 -CAcreateserial -passin pass:111111
+# import client key
+keytool -import -keystore client.keystore.jks $COMMON_PARAMS -alias clientuser 
-file cert-signed-client
+
+# update keystores used in tests
+cp client.truststore.jks broker.truststore.jks client.keystore.jks 
broker.keystore.jks 
$SCRIPT_DIR/../pulsar-broker/src/test/resources/authentication/keystoretls/
+cp client.truststore.jks broker.truststore.jks client.keystore.jks 
broker.keystore.jks 
$SCRIPT_DIR/../pulsar-proxy/src/test/resources/authentication/keystoretls/
+
+cd $SCRIPT_DIR
+rm -rf /tmp/keygendir$$
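Review bot: The working directory set up by `cd /tmp` / `mkdir keygendir$$` / `cd keygendir$$` has a predictable name in a world-writable location and is removed only by the final `rm -rf`, so any step that fails under `-e` leaves the CA private key and the keystores behind in /tmp. Replacing those three lines with `workdir=$(mktemp -d)`, `trap 'rm -rf -- "$workdir"' EXIT` and `cd "$workdir"` gives an owner-only directory and cleanup on every exit path. The `-xe` options sit in the shebang and are lost when the script is started as `bash build/generate_keystores_for_tests.sh`, in which case a failed `mkdir` no longer stops the run; a `set -xe` line in the body avoids that. The two `openssl x509 -req` signing commands omit `-sha256` and so depend on the local OpenSSL default digest, which seems at odds with the SHA256 goal in the commit title. `$SCRIPT_DIR` is also unquoted in the `cp` and `cd` lines, so a checkout path containing spaces would break the copy.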
diff --git 
a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks
 
b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks
index b4fec69..8ef2c6c 100644
Binary files 
a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks
 and 
b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks
 differ
diff --git 
a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks
 
b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks
index 8ac03d8..96f12a3 100644
Binary files 
a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks
 and 
b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks
 differ
diff --git 
a/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks
 
b/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks
index 499c8be..375e2e0 100644
Binary files 
a/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks
 and 
b/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks
 differ
diff --git 
a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks
 
b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks
index 8eaa06b..210e423 100644
Binary files 
a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks
 and 
b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks
 differ
diff --git 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks
 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks
index b4fec69..8ef2c6c 100644
Binary files 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks
 and 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks
 differ
diff --git 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks
 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks
index 8ac03d8..96f12a3 100644
Binary files 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks
 and 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks
 differ
diff --git 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks
 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks
index 499c8be..375e2e0 100644
Binary files 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks
 and 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks
 differ
diff --git 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks
 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks
index 8eaa06b..210e423 100644
Binary files 
a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks
 and 
b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks
 differ
diff --git a/site2/docs/security-tls-keystore.md 
b/site2/docs/security-tls-keystore.md
index befe23c..87f1e69 100644
--- a/site2/docs/security-tls-keystore.md
+++ b/site2/docs/security-tls-keystore.md
@@ -19,7 +19,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
diff --git 
a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
index ae2fa22..e7913b2 100644
--- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
diff --git 
a/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md
index 52e1037..fa5f89f 100644
--- a/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
diff --git 
a/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md
index c70d172..3429be1 100644
--- a/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
diff --git 
a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md
similarity index 97%
copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
copy to site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md
index ae2fa22..196d330 100644
--- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md
@@ -1,5 +1,5 @@
 ---
-id: version-2.6.0-security-tls-keystore
+id: version-2.6.3-security-tls-keystore
 title: Using TLS with KeyStore configure
 sidebar_label: Using TLS with KeyStore configure
 original_id: security-tls-keystore
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
@@ -222,7 +222,7 @@ 
brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks
 brokerClientTlsTrustStorePassword=clientpw
 # internal auth config
 
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"}
 # currently websocket not support keystore type
 webSocketServiceEnabled=false
 ```
@@ -242,7 +242,7 @@ e.g.
     tlsTrustStorePath=/var/private/tls/client.truststore.jks
     tlsTrustStorePassword=clientpw
     authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-    
authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+    
authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"}
     ```
 
 1. for java client
diff --git 
a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md
similarity index 99%
copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
copy to site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md
index ae2fa22..f320a23 100644
--- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md
@@ -1,5 +1,5 @@
 ---
-id: version-2.6.0-security-tls-keystore
+id: version-2.7.0-security-tls-keystore
 title: Using TLS with KeyStore configure
 sidebar_label: Using TLS with KeyStore configure
 original_id: security-tls-keystore
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
diff --git 
a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md
similarity index 97%
copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
copy to site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md
index ae2fa22..0fd0d6b 100644
--- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md
@@ -1,5 +1,5 @@
 ---
-id: version-2.6.0-security-tls-keystore
+id: version-2.7.1-security-tls-keystore
 title: Using TLS with KeyStore configure
 sidebar_label: Using TLS with KeyStore configure
 original_id: security-tls-keystore
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
@@ -222,7 +222,7 @@ 
brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks
 brokerClientTlsTrustStorePassword=clientpw
 # internal auth config
 
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"}
 # currently websocket not support keystore type
 webSocketServiceEnabled=false
 ```
@@ -242,7 +242,7 @@ e.g.
     tlsTrustStorePath=/var/private/tls/client.truststore.jks
     tlsTrustStorePassword=clientpw
     authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-    
authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+    
authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"}
     ```
 
 1. for java client
diff --git 
a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md 
b/site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md
similarity index 97%
copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
copy to site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md
index ae2fa22..d1f1500 100644
--- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md
+++ b/site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md
@@ -1,5 +1,5 @@
 ---
-id: version-2.6.0-security-tls-keystore
+id: version-2.7.2-security-tls-keystore
 title: Using TLS with KeyStore configure
 sidebar_label: Using TLS with KeyStore configure
 original_id: security-tls-keystore
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. 
We will generate
 initially for broker, so that we can export and sign it later with CA.
 
 ```shell
-keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkey
+keytool -keystore broker.keystore.jks -alias localhost -validity {validity} 
-genkeypair -keyalg RSA
 ```
 
 You need to specify two parameters in the above command:
@@ -222,7 +222,7 @@ 
brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks
 brokerClientTlsTrustStorePassword=clientpw
 # internal auth config
 
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"}
 # currently websocket not support keystore type
 webSocketServiceEnabled=false
 ```
@@ -242,7 +242,7 @@ e.g.
     tlsTrustStorePath=/var/private/tls/client.truststore.jks
     tlsTrustStorePassword=clientpw
     authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls
-    
authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw
+    
authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"}
     ```
 
 1. for java client
