Ryan Skraba created AVRO-3629:
---------------------------------
Summary: [Java] Increase the key size for netty SSL tests
Key: AVRO-3629
URL: https://issues.apache.org/jira/browse/AVRO-3629
Project: Apache Avro
Issue Type: Bug
Reporter: Ryan Skraba
Currently using *openjdk version "11.0.16" 2022-07-19* on *Fedora 36*,
building Avro causes exceptions:
{code:java}
[ERROR] org.apache.avro.ipc.netty.TestNettyServerWithSSL.testOneway Time elapsed: 0.031 s <<< ERROR!
org.apache.avro.AvroRuntimeException: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
    at org.apache.avro.ipc.Requestor.request(Requestor.java:170)
    at org.apache.avro.ipc.Requestor.request(Requestor.java:101)
    at org.apache.avro.ipc.specific.SpecificRequestor.invoke(SpecificRequestor.java:108)
    at com.sun.proxy.$Proxy13.fireandforget(Unknown Source)
    at org.apache.avro.ipc.netty.TestNettyServer.testOneway(TestNettyServer.java:127)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
{code}
This is due to the keysize of the test certificate:
{code:java}
keytool -list -v -keystore ./lang/java/ipc-jetty/src/test/resources/org/apache/avro/ipc/servercert.p12
{code}
{code:java}
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: signedcert
Creation date: Sep 13, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=SignedCert, O=Snake Oil Inc., ST=Madrid, C=ES
Issuer: CN=TrustedCA, O=Snake Oil Inc., ST=Madrid, C=ES
Serial number: 2
Valid from: Wed Jun 20 16:17:00 CEST 2012 until: Thu Jun 20 16:13:00 CEST 2013
Certificate fingerprints:
  SHA1: AA:E8:93:51:5E:5E:AF:FE:C0:15:67:96:59:27:41:0F:D2:18:C3:12
  SHA256: 48:31:0B:A2:5F:25:DB:64:BA:7B:4C:72:5E:02:10:3F:89:4C:AD:0F:57:53:93:2C:27:05:42:DA:87:46:2B:50
Signature algorithm name: SHA1withRSA (disabled)
Subject Public Key Algorithm: 1024-bit RSA key (disabled)
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  timeStamping
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
]

*******************************************
*******************************************

Warning:
<signedcert> uses the SHA1withRSA signature algorithm which is considered a security risk and is disabled.
<signedcert> uses a 1024-bit RSA key which is considered a security risk and is disabled.
{code}
This doesn't happen in the ubertool docker image, and it can be worked around
by fiddling with {{/etc/crypto-policies/back-ends/java.config}} (notably
setting the acceptable key size to 1024).
Fixing this would permit Java developers to run the Java unit test suite with
modern SSL constraints.
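
Added example, not part of the original issue and not Avro project code: a shell check that parses `keytool -list -v` output like the listing above and reports the entries a strict JDK or crypto policy would reject. The function names, the 2048-bit default threshold and the second sample entry are assumptions.

```shell
#!/bin/sh
# Added example (not Avro project code). Function names, the 2048-bit default
# and the second sample entry are assumptions made for illustration.

# Reads `keytool -list -v` text on stdin and prints "alias<TAB>finding" for
# each weak signature algorithm or RSA key shorter than $1 bits.
weak_entries() {
    awk -v min="${1:-2048}" '
        { sub(/^[ \t]+/, "") }                     # tolerate indented output
        /^Alias name: / { alias = substr($0, 13) }
        /^Signature algorithm name: / {
            if (toupper($4) ~ /^(SHA1|MD5|MD2)WITH/)
                printf "%s\tweak signature algorithm %s\n", alias, $4
        }
        /^Subject Public Key Algorithm: / {        # e.g. "1024-bit RSA key"
            split($5, size, "-")
            if ($6 == "RSA" && size[1] + 0 < min)
                printf "%s\t%d-bit RSA key below %d\n", alias, size[1], min
        }'
}

# Constructed sample: the first entry mirrors the listing in the issue, the
# second is a made-up entry that should pass.
sample_listing() {
    cat <<'EOF'
Alias name: signedcert
Entry type: PrivateKeyEntry
Signature algorithm name: SHA1withRSA (disabled)
Subject Public Key Algorithm: 1024-bit RSA key (disabled)

Alias name: goodcert
Entry type: PrivateKeyEntry
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

sample_listing | weak_entries 2048
```

Against a real keystore, pipe the `keytool -list -v -keystore <file>` output into `weak_entries`; the parser assumes keytool's English output.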