This is an automated email from the ASF dual-hosted git repository.

ctubbsii pushed a commit to branch 1.10
in repository https://gitbox.apache.org/repos/asf/accumulo.git


The following commit(s) were added to refs/heads/1.10 by this push:
     new 05a4fc0  Use stronger crypto settings for test certificates (#1960)
05a4fc0 is described below

commit 05a4fc0faba94b0cc8dd335aafb1e282f5f22f35
Author: Christopher Tubbs <ctubb...@apache.org>
AuthorDate: Sat Mar 6 10:59:49 2021 -0500

    Use stronger crypto settings for test certificates (#1960)
    
    Backport of 51e18e20ff7e4bdd8d164c99ec8551136d31dc37 for 1.10
    
    * Use 4096 bit RSA keys and SHA512withRSA instead of SHA1withRSA for the
      certificate signing algorithm for certificates generated for testing
      Accumulo's TLS support
    * This avoids problems with test breakages in environments, such as
      Fedora 33, with strong default crypto policies for Java that restrict
      weak crypto, or if the user has restricted their Java security
      policies themselves
---
 .../java/org/apache/accumulo/harness/MiniClusterHarness.java     | 7 +++----
 .../org/apache/accumulo/test/functional/ConfigurableMacBase.java | 9 +++++----
 test/src/main/java/org/apache/accumulo/test/util/CertUtils.java  | 4 ++--
 .../test/java/org/apache/accumulo/test/util/CertUtilsTest.java   | 2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git 
a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java 
b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
index 7ddf114..3084921 100644
--- a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
+++ b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
@@ -210,10 +210,9 @@ public class MiniClusterHarness {
         truststorePassword = "truststore_password";
     try {
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, 
"sha1WithRSAEncryption")
-              .createAll(rootKeystoreFile, localKeystoreFile, 
publicTruststoreFile,
-                  cfg.getInstanceName(), rootKeystorePassword, 
cfg.getRootPassword(),
-                  truststorePassword);
+          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 4096, 
"SHA512WITHRSA").createAll(
+              rootKeystoreFile, localKeystoreFile, publicTruststoreFile, 
cfg.getInstanceName(),
+              rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
       throw new RuntimeException("error creating MAC keystore", e);
     }
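Review bot: The key size `4096` and the signing algorithm `"SHA512WITHRSA"` are written as literals in this `new CertUtils(...)` call, and the same pair is repeated in ConfigurableMacBase, in CertUtilsTest and in the CertUtils option defaults. The removed lines show the values had already drifted apart: the callers used `sha1WithRSAEncryption` while the option default was `SHA256WITHRSA`. A shared pair of constants on CertUtils (suggested names: `DEFAULT_KEY_SIZE` and `DEFAULT_SIGNING_ALG`) would keep the next crypto-policy change in one place. The enclosing method starts and ends outside the hunk.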
diff --git 
a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
 
b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
index 0ac5af7..c380838 100644
--- 
a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
+++ 
b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
@@ -23,6 +23,7 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.net.InetAddress;
 import java.util.Map;
 
 import org.apache.accumulo.core.client.AccumuloException;
@@ -99,11 +100,11 @@ public class ConfigurableMacBase extends AccumuloITBase {
     final String rootKeystorePassword = "root_keystore_password",
         truststorePassword = "truststore_password";
     try {
+      String hostname = InetAddress.getLocalHost().getHostName();
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, 
"sha1WithRSAEncryption")
-              .createAll(rootKeystoreFile, localKeystoreFile, 
publicTruststoreFile,
-                  cfg.getInstanceName(), rootKeystorePassword, 
cfg.getRootPassword(),
-                  truststorePassword);
+          "o=Apache Accumulo,cn=" + hostname, "RSA", 4096, 
"SHA512WITHRSA").createAll(
+              rootKeystoreFile, localKeystoreFile, publicTruststoreFile, 
cfg.getInstanceName(),
+              rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
       throw new RuntimeException("error creating MAC keystore", e);
     }
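Review bot: The subject CN in `"o=Apache Accumulo,cn=" + hostname` now comes from `InetAddress.getLocalHost().getHostName()`, a change the commit description does not mention and MiniClusterHarness does not share (it keeps `cn=MiniAccumuloCluster`). A short comment above the `String hostname = ...` line should state why the CN must be the local host name here and whether the difference from MiniClusterHarness is intended. `getHostName()` can return a short name or an address literal depending on resolver configuration, so the comment should also say which name form the tests expect. A failed lookup is reported as "error creating MAC keystore" by the existing catch block, with the cause chained. The enclosing method continues outside the hunk.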
diff --git a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java 
b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
index 3ce0d02..12c33d8 100644
--- a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
+++ b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
@@ -123,14 +123,14 @@ public class CertUtils {
     public String siteFile = null;
 
     @Parameter(names = "--signing-algorithm", description = "Algorithm used to 
sign certificates")
-    public String signingAlg = "SHA256WITHRSA";
+    public String signingAlg = "SHA512WITHRSA";
 
     @Parameter(names = "--encryption-algorithm",
         description = "Algorithm used to encrypt private keys")
     public String encryptionAlg = "RSA";
 
     @Parameter(names = "--keysize", description = "Key size used by encryption 
algorithm")
-    public int keysize = 2048;
+    public int keysize = 4096;
 
     public AccumuloConfiguration getConfiguration() {
       if (siteFile == null) {
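Review bot: The new defaults `signingAlg = "SHA512WITHRSA"` and `keysize = 4096` are coherent only while `encryptionAlg` stays `"RSA"`, and nothing visible in this hunk ties the three options together. Overriding `--encryption-algorithm` alone would presumably pair a non-RSA key with an RSA signature algorithm. The option text could say so, e.g. `description = "Algorithm used to sign certificates; must be compatible with --encryption-algorithm"`. The `--encryption-algorithm` description, "Algorithm used to encrypt private keys", also reads as if it named a cipher, whereas the callers pass this value next to a key size, which suggests it is the key-pair algorithm. The options class continues outside the hunk.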
diff --git 
a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java 
b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
index 582910b..3b3ddbe 100644
--- a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
+++ b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
@@ -41,7 +41,7 @@ public class CertUtilsTest {
       new TemporaryFolder(new File(System.getProperty("user.dir") + 
"/target"));
 
   private CertUtils getUtils() {
-    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 2048, 
"sha1WithRSAEncryption");
+    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 4096, 
"SHA512WITHRSA");
   }
 
   @Test
