This is an automated email from the ASF dual-hosted git repository. eolivelli pushed a commit to branch 2.7.2_ds_rootless in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 47ce9dee6311d0174bd1cf2c05456daa9d9c578f
Author: Lari Hotari <lhot...@users.noreply.github.com>
AuthorDate: Mon Apr 26 20:18:27 2021 +0300
[Tests] Recreate keystores used in TLS tests with RSA key algorithm & SHA256 to support JDK 11 & TLS 1.3 (#10336)
* Add script for creating certs for tests
* RSA keys must be used, update documentation for creating keys with keytool
* Update keystores used in tests
(cherry picked from commit 0e4ff8a4a414f02b44a027ead01f49d8b3ab2ade)
---
 build/generate_keystores_for_tests.sh | 61 +++++++++++++++++++++
 .../authentication/keystoretls/broker.keystore.jks | Bin 2767 -> 3723 bytes
 .../keystoretls/broker.truststore.jks | Bin 731 -> 838 bytes
 .../authentication/keystoretls/client.keystore.jks | Bin 2767 -> 3726 bytes
 .../keystoretls/client.truststore.jks | Bin 731 -> 838 bytes
 .../authentication/keystoretls/broker.keystore.jks | Bin 2767 -> 3723 bytes
 .../keystoretls/broker.truststore.jks | Bin 731 -> 838 bytes
 .../authentication/keystoretls/client.keystore.jks | Bin 2767 -> 3726 bytes
 .../keystoretls/client.truststore.jks | Bin 731 -> 838 bytes
 site2/docs/security-tls-keystore.md | 2 +-
 .../version-2.6.0/security-tls-keystore.md | 2 +-
 .../version-2.6.1/security-tls-keystore.md | 2 +-
 .../version-2.6.2/security-tls-keystore.md | 2 +-
 .../security-tls-keystore.md | 8 +--
 .../security-tls-keystore.md | 4 +-
 .../security-tls-keystore.md | 8 +--
 .../security-tls-keystore.md | 8 +--
 17 files changed, 79 insertions(+), 18 deletions(-)
diff --git a/build/generate_keystores_for_tests.sh b/build/generate_keystores_for_tests.sh
new file mode 100755
index 0000000..551ce8e
--- /dev/null
+++ b/build/generate_keystores_for_tests.sh
@@ -0,0 +1,61 @@
+#!/bin/bash -xe
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+cd /tmp
+mkdir keygendir$$
+cd keygendir$$
+
+# create CA key and cert
+openssl req -x509 -newkey rsa:2048 -passout pass:111111 -keyout ca-key -out ca-cert -days 3650 -sha256 -subj "/CN=CARoot"
+
+COMMON_PARAMS="-storetype JKS -storepass 111111 -keypass 111111 -noprompt"
+
+# create client and broker truststores and keystores
+keytool -import -keystore client.truststore.jks $COMMON_PARAMS -alias CARoot -file ca-cert
+keytool -import -keystore broker.truststore.jks $COMMON_PARAMS -alias CARoot -file ca-cert
+keytool -import -keystore client.keystore.jks $COMMON_PARAMS -alias CARoot -file ca-cert
+keytool -import -keystore broker.keystore.jks $COMMON_PARAMS -alias CARoot -file ca-cert
+
+# create broker key
+keytool -genkeypair -keystore broker.keystore.jks $COMMON_PARAMS -keyalg RSA -alias localhost -validity 3650 \
+ -dname 'CN=localhost,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown'
+keytool -certreq -keystore broker.keystore.jks $COMMON_PARAMS -alias localhost -file cert-file
+# sign broker key
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 3650 -CAcreateserial -passin pass:111111
+# import broker key
+keytool -import -keystore broker.keystore.jks $COMMON_PARAMS -alias localhost -file cert-signed
+
+# create client key
+keytool -genkeypair -keystore client.keystore.jks $COMMON_PARAMS -keyalg RSA -alias clientuser -validity 3650 \
+ -dname 'CN=clientuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown'
+keytool -certreq -keystore client.keystore.jks $COMMON_PARAMS -alias clientuser -file cert-file-client
+# sign client key
+openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file-client -out cert-signed-client -days 3650 -CAcreateserial -passin pass:111111
+# import client key
+keytool -import -keystore client.keystore.jks $COMMON_PARAMS -alias clientuser -file cert-signed-client
+
+# update keystores used in tests
+cp client.truststore.jks broker.truststore.jks client.keystore.jks broker.keystore.jks $SCRIPT_DIR/../pulsar-broker/src/test/resources/authentication/keystoretls/
+cp client.truststore.jks broker.truststore.jks client.keystore.jks broker.keystore.jks $SCRIPT_DIR/../pulsar-proxy/src/test/resources/authentication/keystoretls/
+
+cd $SCRIPT_DIR
+rm -rf /tmp/keygendir$$
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks
index b4fec69..8ef2c6c 100644
Binary files a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks and b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.keystore.jks differ
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks
index 8ac03d8..96f12a3 100644
Binary files a/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks and b/pulsar-broker/src/test/resources/authentication/keystoretls/broker.truststore.jks differ
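Review bot: The script stages the CA private key and the freshly generated keystores in a predictable, PID-named directory (`cd /tmp` / `mkdir keygendir$$`) and removes it only on the very last line, so any earlier failure under `-e` (a keytool alias clash, openssl missing) leaves that material behind in /tmp, and a pre-existing entry of the same name makes the `mkdir` abort; `tmpdir="$(mktemp -d)"`, `trap 'rm -rf -- "$tmpdir"' EXIT` and `cd "$tmpdir"` give an unpredictable directory that is cleaned up on every exit path and make the trailing `rm -rf` unnecessary. The broker certificate is signed from the CSR with no extensions, so it carries only `CN=localhost` and no subjectAltName; if any test enables hostname verification this works only through the deprecated CN fallback, and adding `-extfile <(printf 'subjectAltName=DNS:localhost,IP:127.0.0.1')` to the `openssl x509 -req` call would make the fixture match what current TLS stacks expect. A header comment noting that the checked-in fixtures expire after the 3650-day validity and must be regenerated with this script would spare the next maintainer a puzzling test failure. The `-x` in the shebang also echoes the fixed `111111` passwords into the trace, which is fine for test-only fixtures but deserves a one-line comment so the script is not reused for real key material.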
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks
index 499c8be..375e2e0 100644
Binary files a/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks and b/pulsar-broker/src/test/resources/authentication/keystoretls/client.keystore.jks differ
diff --git a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks
index 8eaa06b..210e423 100644
Binary files a/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks and b/pulsar-broker/src/test/resources/authentication/keystoretls/client.truststore.jks differ
diff --git a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks
index b4fec69..8ef2c6c 100644
Binary files a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks and b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.keystore.jks differ
diff --git a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks
index 8ac03d8..96f12a3 100644
Binary files a/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks and b/pulsar-proxy/src/test/resources/authentication/keystoretls/broker.truststore.jks differ
diff --git a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks
index 499c8be..375e2e0 100644
Binary files a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks and b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.keystore.jks differ
diff --git a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks index 8eaa06b..210e423 100644 Binary files a/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks and b/pulsar-proxy/src/test/resources/authentication/keystoretls/client.truststore.jks differ diff --git a/site2/docs/security-tls-keystore.md b/site2/docs/security-tls-keystore.md index befe23c..87f1e69 100644 --- a/site2/docs/security-tls-keystore.md +++ b/site2/docs/security-tls-keystore.md @@ -19,7 +19,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: diff --git a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md b/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md index ae2fa22..e7913b2 100644 --- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: diff --git a/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md b/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md index 52e1037..fa5f89f 100644 
--- a/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.6.1/security-tls-keystore.md @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: diff --git a/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md b/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md index c70d172..3429be1 100644 --- a/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.6.2/security-tls-keystore.md @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: diff --git a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md b/site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md similarity index 97% copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md copy to site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md index ae2fa22..196d330 100644 --- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.6.3/security-tls-keystore.md 
@@ -1,5 +1,5 @@ --- -id: version-2.6.0-security-tls-keystore +id: version-2.6.3-security-tls-keystore title: Using TLS with KeyStore configure sidebar_label: Using TLS with KeyStore configure original_id: security-tls-keystore @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: @@ -222,7 +222,7 @@ brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks brokerClientTlsTrustStorePassword=clientpw # internal auth config brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls -brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw +brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"} # currently websocket not support keystore type webSocketServiceEnabled=false ``` @@ -242,7 +242,7 @@ e.g. tlsTrustStorePath=/var/private/tls/client.truststore.jks tlsTrustStorePassword=clientpw authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls - authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw + authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"} ``` 1. for java client 
diff --git a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md b/site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md similarity index 99% copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md copy to site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md index ae2fa22..f320a23 100644 --- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.7.0/security-tls-keystore.md @@ -1,5 +1,5 @@ --- -id: version-2.6.0-security-tls-keystore +id: version-2.7.0-security-tls-keystore title: Using TLS with KeyStore configure sidebar_label: Using TLS with KeyStore configure original_id: security-tls-keystore @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: diff --git a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md b/site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md similarity index 97% copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md copy to site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md index ae2fa22..0fd0d6b 100644 --- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.7.1/security-tls-keystore.md @@ -1,5 +1,5 @@ --- -id: version-2.6.0-security-tls-keystore +id: version-2.7.1-security-tls-keystore title: Using TLS with KeyStore configure sidebar_label: Using TLS with KeyStore configure original_id: security-tls-keystore 
@@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: @@ -222,7 +222,7 @@ brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks brokerClientTlsTrustStorePassword=clientpw # internal auth config brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls -brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw +brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"} # currently websocket not support keystore type webSocketServiceEnabled=false ``` @@ -242,7 +242,7 @@ e.g. tlsTrustStorePath=/var/private/tls/client.truststore.jks tlsTrustStorePassword=clientpw authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls - authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw + authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"} ``` 1. for java client diff --git a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md b/site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md similarity index 97% copy from site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md copy to site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md index ae2fa22..d1f1500 100644 --- a/site2/website/versioned_docs/version-2.6.0/security-tls-keystore.md +++ b/site2/website/versioned_docs/version-2.7.2/security-tls-keystore.md 
@@ -1,5 +1,5 @@ --- -id: version-2.6.0-security-tls-keystore +id: version-2.7.2-security-tls-keystore title: Using TLS with KeyStore configure sidebar_label: Using TLS with KeyStore configure original_id: security-tls-keystore @@ -20,7 +20,7 @@ You can use Java’s `keytool` utility to accomplish this task. We will generate initially for broker, so that we can export and sign it later with CA. ```shell -keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkey +keytool -keystore broker.keystore.jks -alias localhost -validity {validity} -genkeypair -keyalg RSA ``` You need to specify two parameters in the above command: @@ -222,7 +222,7 @@ brokerClientTlsTrustStore=/var/private/tls/client.truststore.jks brokerClientTlsTrustStorePassword=clientpw # internal auth config brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls -brokerClientAuthenticationParameters=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw +brokerClientAuthenticationParameters={"keyStoreType":"JKS","keyStorePath":"/var/private/tls/client.keystore.jks","keyStorePassword":"clientpw"} # currently websocket not support keystore type webSocketServiceEnabled=false ``` @@ -242,7 +242,7 @@ e.g. tlsTrustStorePath=/var/private/tls/client.truststore.jks tlsTrustStorePassword=clientpw authPlugin=org.apache.pulsar.client.impl.auth.AuthenticationKeyStoreTls - authParams=keyStoreType:JKS,keyStorePath:/var/private/tls/client.keystore.jks,keyStorePassword:clientpw + authParams={"keyStoreType":"JKS","keyStorePath":"/path/to/keystorefile","keyStorePassword":"keystorepw"} ``` 1. for java client