diff options
author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-01-23 15:30:06 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-01-23 16:33:56 +0100 |
commit | ee53aae6d9ddc47a6d0b98780e7003fb4450b72d (patch) | |
tree | af78b977ea3cfac3db53314e0b4e815825028084 | |
parent | bf0c364db7d2e31272786c3bc59eea4f26f8ac71 (diff) |
Use 'prime256v1' curve for EC keys
This allows the TLS test in jrt to use elliptic curves crypto in unit
tests (fixes issue where JSSE cannot find matching cipher).
4 files changed, 23 insertions, 14 deletions
diff --git a/jrt/tests/com/yahoo/jrt/CryptoUtils.java b/jrt/tests/com/yahoo/jrt/CryptoUtils.java index 1112234e04e..6890fe88da5 100644 --- a/jrt/tests/com/yahoo/jrt/CryptoUtils.java +++ b/jrt/tests/com/yahoo/jrt/CryptoUtils.java @@ -17,10 +17,9 @@ import javax.security.auth.x500.X500Principal; import java.security.KeyPair; import java.security.cert.X509Certificate; import java.time.Instant; -import java.util.List; -import static com.yahoo.security.KeyAlgorithm.RSA; -import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.KeyAlgorithm.EC; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static com.yahoo.security.X509CertificateBuilder.generateRandomSerialNumber; import static java.time.Instant.EPOCH; import static java.time.temporal.ChronoUnit.DAYS; @@ -30,13 +29,12 @@ import static java.util.Collections.singletonList; /** * @author bjorncs */ -// TODO Use EC. Java/JSSE is currently unable to find compatible ciphers when using elliptic curve crypto from BouncyCastle class CryptoUtils { - static final KeyPair keyPair = KeyUtils.generateKeypair(RSA); + static final KeyPair keyPair = KeyUtils.generateKeypair(EC); static final X509Certificate certificate = X509CertificateBuilder - .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_RSA, generateRandomSerialNumber()) + .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_ECDSA, generateRandomSerialNumber()) .build(); static final AuthorizedPeers authorizedPeers = new AuthorizedPeers( @@ -50,7 +48,7 @@ class CryptoUtils { Field.CN, new HostGlobPattern("dummy")))))); static TlsContext createTestTlsContext() { - return new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, List.of()); + return new DefaultTlsContext(singletonList(certificate), keyPair.getPrivate(), singletonList(certificate), authorizedPeers, AuthorizationMode.ENFORCE, DefaultTlsContext.ALLOWED_CIPHER_SUITES); } } diff --git a/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java b/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java index 3218f81f0d6..732ac2bb12c 100644 --- a/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyAlgorithm.java @@ -1,20 +1,28 @@ // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.security; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.ECGenParameterSpec; +import java.util.Optional; + /** * @author bjorncs */ public enum KeyAlgorithm { - RSA("RSA"), - EC("EC"); + RSA("RSA", null), + EC("EC", new ECGenParameterSpec("prime256v1")); // TODO Make curve configurable final String algorithmName; + private final AlgorithmParameterSpec spec; - KeyAlgorithm(String algorithmName) { + KeyAlgorithm(String algorithmName, AlgorithmParameterSpec spec) { this.algorithmName = algorithmName; + this.spec = spec; } String getAlgorithmName() { return algorithmName; } + + Optional<AlgorithmParameterSpec> getSpec() { return Optional.ofNullable(spec); } } diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java index 0d45a62f193..76e0f5419a3 100644 --- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java +++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java @@ -46,6 +46,9 @@ public class KeyUtils { if (keySize != -1) { keyGen.initialize(keySize); } + if (algorithm.getSpec().isPresent()) { + keyGen.initialize(algorithm.getSpec().get()); + } return keyGen.genKeyPair(); } catch (GeneralSecurityException e) { throw new RuntimeException(e); diff --git a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java index 659cf06dd6d..cfaa7ba06df 100644 --- a/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java +++ b/security-utils/src/test/java/com/yahoo/security/tls/DefaultTlsContextTest.java @@ -17,8 +17,8 @@ import java.security.cert.X509Certificate; import java.time.Instant; import java.util.List; -import static com.yahoo.security.KeyAlgorithm.RSA; -import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_RSA; +import static com.yahoo.security.KeyAlgorithm.EC; +import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA; import static com.yahoo.security.X509CertificateBuilder.generateRandomSerialNumber; import static java.time.Instant.EPOCH; import static java.time.temporal.ChronoUnit.DAYS; @@ -33,10 +33,10 @@ public class DefaultTlsContextTest { @Test public void can_create_sslcontext_from_credentials() { - KeyPair keyPair = KeyUtils.generateKeypair(RSA); + KeyPair keyPair = KeyUtils.generateKeypair(EC); X509Certificate certificate = X509CertificateBuilder - .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_RSA, generateRandomSerialNumber()) + .fromKeypair(keyPair, new X500Principal("CN=dummy"), EPOCH, Instant.now().plus(1, DAYS), SHA256_WITH_ECDSA, generateRandomSerialNumber()) .build(); AuthorizedPeers authorizedPeers = new AuthorizedPeers( |