This is an automated email from the ASF dual-hosted git repository.

ctubbsii pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/main by this push:
     new 51e18e2  Use stronger crypto settings for test certificates (#1960)
51e18e2 is described below

commit 51e18e20ff7e4bdd8d164c99ec8551136d31dc37
Author: Christopher Tubbs <ctubb...@apache.org>
AuthorDate: Sat Mar 6 10:59:49 2021 -0500

    Use stronger crypto settings for test certificates (#1960)
    
    * Use 4096 bit RSA keys and SHA512withRSA instead of SHA1withRSA for the
      certificate signing algorithm for certificates generated for testing
      Accumulo's TLS support
    * This avoids problems with test breakages in environments, such as
      Fedora 33, with strong default crypto policies for Java that restrict
      weak crypto, or if the user has restricted their Java security
      policies themselves
---
 .../main/java/org/apache/accumulo/harness/MiniClusterHarness.java  | 7 +++----
 .../org/apache/accumulo/test/functional/ConfigurableMacBase.java   | 2 +-
 test/src/main/java/org/apache/accumulo/test/util/CertUtils.java    | 4 ++--
 .../src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java | 2 +-
 4 files changed, 7 insertions(+), 8 deletions(-)

diff --git 
a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java 
b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
index 4d3d41f..7172255 100644
--- a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
+++ b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
@@ -156,10 +156,9 @@ public class MiniClusterHarness {
         truststorePassword = "truststore_password";
     try {
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, 
"sha1WithRSAEncryption")
-              .createAll(rootKeystoreFile, localKeystoreFile, 
publicTruststoreFile,
-                  cfg.getInstanceName(), rootKeystorePassword, 
cfg.getRootPassword(),
-                  truststorePassword);
+          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 4096, 
"SHA512WITHRSA").createAll(
+              rootKeystoreFile, localKeystoreFile, publicTruststoreFile, 
cfg.getInstanceName(),
+              rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
       throw new RuntimeException("error creating MAC keystore", e);
     }
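Review bot: The key algorithm, key size and signature algorithm are still passed as literals in this call (`"RSA", 4096, "SHA512WITHRSA"`), and the same triple is repeated in the ConfigurableMacBase and CertUtilsTest hunks. The removed lines show how that drifts: these callers were still on `sha1WithRSAEncryption` while the CertUtils option default was already `SHA256WITHRSA`. Consider declaring the values once in CertUtils, for example `public static final int DEFAULT_KEYSIZE = 4096;` and `public static final String DEFAULT_SIGNING_ALG = "SHA512WITHRSA";` (names are only a suggestion), and referencing them at all three call sites. The enclosing method starts and ends outside the hunk.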
diff --git 
a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
 
b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
index 18bffd6..0ec931c 100644
--- 
a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
+++ 
b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
@@ -100,7 +100,7 @@ public class ConfigurableMacBase extends AccumuloITBase {
     try {
       String hostname = InetAddress.getLocalHost().getHostName();
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=" + hostname, "RSA", 2048, 
"sha1WithRSAEncryption").createAll(
+          "o=Apache Accumulo,cn=" + hostname, "RSA", 4096, 
"SHA512WITHRSA").createAll(
               rootKeystoreFile, localKeystoreFile, publicTruststoreFile, 
cfg.getInstanceName(),
               rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
diff --git a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java 
b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
index b200436..79b4f87 100644
--- a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
+++ b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
@@ -117,14 +117,14 @@ public class CertUtils {
     public String accumuloPropsFile = null;
 
     @Parameter(names = "--signing-algorithm", description = "Algorithm used to 
sign certificates")
-    public String signingAlg = "SHA256WITHRSA";
+    public String signingAlg = "SHA512WITHRSA";
 
     @Parameter(names = "--encryption-algorithm",
         description = "Algorithm used to encrypt private keys")
     public String encryptionAlg = "RSA";
 
     @Parameter(names = "--keysize", description = "Key size used by encryption 
algorithm")
-    public int keysize = 2048;
+    public int keysize = 4096;
 
     @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path 
provided by test")
     public SiteConfiguration getSiteConfiguration() {
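Review bot: The option descriptions beside the changed defaults do not match how the values appear to be used. `--encryption-algorithm` is described as "Algorithm used to encrypt private keys", but the callers in this commit pass `"RSA"` together with the key size, so it appears to name the key-pair algorithm. Suggested wording is `description = "Algorithm of the generated key pair"` and, for `--keysize`, `description = "Key size in bits of the generated key pair"`. A short comment that both options accept any value would also help, since settings weaker than the defaults can presumably still be chosen on the command line; no validation is visible in this hunk. The body of getSiteConfiguration continues outside the hunk.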
diff --git 
a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java 
b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
index e4a8ca6..b98beff 100644
--- a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
+++ b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
@@ -45,7 +45,7 @@ public class CertUtilsTest {
       new TemporaryFolder(new File(System.getProperty("user.dir") + 
"/target"));
 
   private CertUtils getUtils() {
-    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 2048, 
"sha1WithRSAEncryption");
+    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 4096, 
"SHA512WITHRSA");
   }
 
   @SuppressFBWarnings(value = "HARD_CODE_PASSWORD", justification = "test 
password is okay")
