Replaced openssl with Java security to add key/cert into keystore #11224
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Paolo Patierno <[email protected]>
|
I am opening this PR to discuss it because we are not going to have exactly the same result as described. |
Signed-off-by: Paolo Patierno <[email protected]>
Signed-off-by: Paolo Patierno <[email protected]>
see-quick
reviewed
Mar 4, 2025
| .optArg("-keypbe", "aes-128-cbc") | ||
| .optArg("-macalg", "sha256") | ||
| .exec(); | ||
| public void addKeyAndCertToKeyStore(File keyFile, File certFile, String alias, File keyStoreFile, String keyStorePassword) |
There was a problem hiding this comment.
Just curious...Shouldn't this method be moved to the CertManager class instead of being in OpenSslCertManager as it does not use any OpenSSL invocation method?
There was a problem hiding this comment.
That's a good point, however there are other methods not using openssl anymore already (i.e. addCertToTrustStore, deleteFromTrustStore, ...). At some point we could think about renaming it to not be strictly tight to OpenSsl.
Signed-off-by: Paolo Patierno <[email protected]>
|
/azp run regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is going to replace the usage of OpenSSL tooling for adding a key/cert pair to the keystore with Java security framework.
While running tests I compared what we get by using openssl and what we get with Java.
I was able to tune the algorithm being used to encrypt the private key when it's stored, in order to have AES-128-CBC with 2048 iterations (which are the parameters with current openssl tooling vs the default Java which uses AES-256-CBC and 10000 iterations instead).
PKCS7 Data Shrouded Keybag: PBES2, PBKDF2, AES-128-CBC, Iteration 2048, PRF hmacWithSHA256 Bag Attributes friendlyName: ca localKeyID: 54 69 6D 65 20 31 37 34 31 30 38 38 31 39 35 36 32 39 Key Attributes: <No Attributes>The only difference is about the HMAC used for the keystore integrity.
The openssl tool uses 2048 iterations and salt length 8 bytes.
Java defaults to use 10000 iterations and salt length 10 bytes.
I couldn't find any way to tune them both. Java doesn't expose anything to do so. It's only possible to tune the iterations but by setting a global Java properties like this:
Tbh I am not keen to have such addition because it would be a global setting on the JVM.
So compared to openssl with have more secure HMAC which should not be a problem (the opposite I would say).