authorBjørn Christian Seime <bjorncs@oath.com>2018-08-30 17:54:17 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-08-30 17:54:17 +0200
commita000c375c91bb1b244ef34f6a483d8833a4643de (patch)
tree6bc3191ef6dddac0bc12f4c2e916b7039b6ebd18 /vespajlib
parenta6cf9aa6529fe441532278d9da8317e101b462ee (diff)
Use elliptic curve crypto to speed up unit tests
- Fix generating a CSR with an EC keypair - Add unit test of extracting an EC public key from a private key - Test X509CertificateBuilder using both RSA and EC keys
Diffstat (limited to 'vespajlib')
-rw-r--r--vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java3
-rw-r--r--vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java4
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java2
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java9
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java4
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java12
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java4
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java2
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/TestUtils.java4
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java39
-rw-r--r--vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java8
11 files changed, 62 insertions, 29 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java b/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
index 552d964bf51..b1e4934b128 100644
--- a/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
+++ b/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
@@ -6,7 +6,8 @@ package com.yahoo.security;
*/
public enum SignatureAlgorithm {
SHA256_WITH_RSA("SHA256withRSA"),
- SHA512_WITH_RSA("SHA512withRSA");
+ SHA512_WITH_RSA("SHA512withRSA"),
+ SHA512_WITH_ECDSA("SHA512withECDSA");
private final String algorithmName;
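Review bot: `SHA512_WITH_ECDSA` is the only ECDSA option added, and every EC test in this commit pairs it with a 256-bit key, where the 512-bit digest is truncated to the curve order before signing; the conventional pairing for P-256 is SHA-256, so consider adding `SHA256_WITH_ECDSA("SHA256withECDSA"),` alongside it so callers can match digest size to curve size. The constant is also chosen independently of the key (see the `fromKeypair(..., keypair, SignatureAlgorithm...)` calls in the test hunks), so an RSA key combined with the ECDSA constant is expected to fail only inside the signer at runtime. A short javadoc on the enum would make that contract explicit, e.g. `/** JCA signature algorithm names. The RSA variants require an RSA key; the ECDSA variant requires an EC key. */`.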
diff --git a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
index 5b2cc1127a9..a5b79c9a9f9 100644
--- a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
+++ b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
@@ -73,7 +73,9 @@ public class X509CertificateBuilder {
long serialNumber) {
try {
PKCS10CertificationRequest bcCsr = csr.getBcCsr();
- PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr).getPublicKey();
+ PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr)
+ .setProvider(BouncyCastleProviderHolder.getInstance())
+ .getPublicKey();
return new X509CertificateBuilder(caIssuer,
new X500Principal(bcCsr.getSubject().getEncoded()),
notBefore,
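Review bot: Nothing in this hunk checks the CSR's self-signature before its public key is lifted into the certificate, so unless `Pkcs10Csr` verifies it on construction (not visible here), `fromCsr` will issue a certificate for a public key the requester never proved possession of. A proof-of-possession check belongs next to the key extraction: `JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(bcCsr).setProvider(BouncyCastleProviderHolder.getInstance());` followed by `if (!jcaCsr.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(BouncyCastleProviderHolder.getInstance()).build(jcaCsr.getPublicKey()))) throw new IllegalArgumentException("CSR signature is invalid");`. The explicit provider is the fix the commit message describes but the code does not say why; a comment such as `// Pin Bouncy Castle: the default JCA provider did not resolve the EC public key from a BC-built CSR` (adjust if the actual failure mode differs) would keep the next maintainer from "simplifying" it away. The enclosing method begins and ends outside this hunk.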
diff --git a/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
index 500c7cb23e1..06ea5d963a3 100644
--- a/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
@@ -25,7 +25,7 @@ public class KeyStoreBuilderTest {
@Test
public void can_create_jks_keystore_from_privatekey_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X509Certificate certificate = createCertificate(keyPair);
KeyStoreBuilder.withType(KeyStoreType.JKS)
.withKeyEntry("key", keyPair.getPrivate(), certificate)
diff --git a/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
index f414bf8ba84..825f4446d94 100644
--- a/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
@@ -18,13 +18,20 @@ import static org.junit.Assert.assertThat;
public class KeyUtilsTest {
@Test
- public void can_extract_public_key_from_private() {
+ public void can_extract_public_key_from_rsa_private() {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
PublicKey publicKey = KeyUtils.extractPublicKey(keyPair.getPrivate());
assertNotNull(publicKey);
}
@Test
+ public void can_extract_public_key_from_ecdsa_private() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+ PublicKey publicKey = KeyUtils.extractPublicKey(keyPair.getPrivate());
+ assertNotNull(publicKey);
+ }
+
+ @Test
public void can_serialize_deserialize_pem() {
KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
String pem = KeyUtils.toPem(keyPair.getPrivate());
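Review bot: `can_extract_public_key_from_ecdsa_private` only asserts the result is non-null, which would also pass if `extractPublicKey` returned a point on the wrong curve or an unrelated key; since the test already holds the generated pair, pin the value with `assertArrayEquals(keyPair.getPublic().getEncoded(), publicKey.getEncoded());` (comparing encodings avoids provider-specific `equals` implementations), adding `assertArrayEquals` to the static imports. The RSA sibling test above has the same weakness and would benefit from the same assertion. Naming nit: the key type is EC and ECDSA is the signature scheme, so `can_extract_public_key_from_ec_private` matches `KeyAlgorithm.EC`.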
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
index 812e26360a4..d51203a5cb2 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
@@ -16,8 +16,8 @@ public class Pkcs10CsrBuilderTest {
@Test
public void can_build_csr_with_sans() {
X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
.addSubjectAlternativeName("san1.com")
.addSubjectAlternativeName("san2.com")
.build();
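Review bot: After this change no test in `Pkcs10CsrBuilderTest` builds a CSR from an RSA keypair, so the `SHA256_WITH_RSA` CSR path is now covered only indirectly through `X509CertificateBuilderTest`. One 2048-bit RSA generation per class is cheap enough to keep, so either parameterize this class the same way `X509CertificateBuilderTest` is in this commit, or keep `can_build_csr_with_sans` on RSA and add a separate EC variant so both signature families stay exercised here.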
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
index b3141eeca5a..b7dc627b86e 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
@@ -20,10 +20,10 @@ public class Pkcs10CsrTest {
@Test
public void can_read_subject_alternative_names() {
X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com");
SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com");
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
.addSubjectAlternativeName(san1)
.addSubjectAlternativeName(san2)
.build();
@@ -33,8 +33,8 @@ public class Pkcs10CsrTest {
@Test
public void can_read_basic_constraints() {
X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
.setBasicConstraints(true, true)
.build();
assertTrue(csr.getBasicConstraints().isPresent());
@@ -44,8 +44,8 @@ public class Pkcs10CsrTest {
@Test
public void can_read_extensions() {
X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
.addSubjectAlternativeName("san")
.setBasicConstraints(true, true)
.build();
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
index a0457b26f8b..04d35a537bb 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
@@ -18,8 +18,8 @@ public class Pkcs10CsrUtilsTest {
@Test
public void can_deserialize_serialized_pem_csr() {
X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA).build();
String pem = Pkcs10CsrUtils.toPem(csr);
Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(pem);
assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
diff --git a/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
index 6b17520ffe0..cc269a4ef43 100644
--- a/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
@@ -47,7 +47,7 @@ public class SslContextBuilderTest {
@Test
public void can_build_sslcontext_with_keystore_from_private_key_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X509Certificate certificate = createCertificate(keyPair);
new SslContextBuilder()
.withKeyStore(keyPair.getPrivate(), certificate)
diff --git a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
index 17c9cb99f0e..dcf75e26aec 100644
--- a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
+++ b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
@@ -18,7 +18,7 @@ import static com.yahoo.security.KeyStoreUtils.writeKeyStoreToFile;
class TestUtils {
static KeyStore createKeystore(KeyStoreType type, char[] password) {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
return KeyStoreBuilder.withType(type)
.withKeyEntry("entry-name", keyPair.getPrivate(), password, createCertificate(keyPair))
.build();
@@ -31,7 +31,7 @@ class TestUtils {
static X509Certificate createCertificate(KeyPair keyPair, X500Principal subject) {
return X509CertificateBuilder
.fromKeypair(
- keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA256_WITH_RSA, 1)
+ keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, 1)
.build();
}
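Review bot: `createCertificate(KeyPair, X500Principal)` now hard-codes `SHA512_WITH_ECDSA` regardless of the keypair it is given, so a caller that passes an RSA keypair to this shared helper is expected to fail inside the signer rather than at the call site. Derive the algorithm from the key instead, e.g. `SignatureAlgorithm alg = "RSA".equals(keyPair.getPrivate().getAlgorithm()) ? SignatureAlgorithm.SHA512_WITH_RSA : SignatureAlgorithm.SHA512_WITH_ECDSA;` and pass `alg` in place of the constant; if the helper is meant to be EC-only, state that in a comment above it: `// Expects an EC keypair; RSA keys need SHA512_WITH_RSA.`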
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
index 36ef9d759a8..469d4887858 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
@@ -2,24 +2,47 @@
package com.yahoo.security;
import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
import javax.security.auth.x500.X500Principal;
import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.Collection;
import static org.junit.Assert.assertEquals;
/**
* @author bjorncs
*/
+@RunWith(Parameterized.class)
public class X509CertificateBuilderTest {
+ @Parameterized.Parameters(name = "{0}")
+ public static Collection<Object[]> data() {
+ return Arrays.asList(new Object[][] {
+ {KeyAlgorithm.RSA, 2048, SignatureAlgorithm.SHA512_WITH_RSA},
+ {KeyAlgorithm.EC, 256, SignatureAlgorithm.SHA512_WITH_ECDSA}});
+ }
+
+ private final KeyAlgorithm keyAlgorithm;
+ private final int keySize;
+ private final SignatureAlgorithm signatureAlgorithm;
+
+ public X509CertificateBuilderTest(KeyAlgorithm keyAlgorithm,
+ int keySize,
+ SignatureAlgorithm signatureAlgorithm) {
+ this.keyAlgorithm = keyAlgorithm;
+ this.keySize = keySize;
+ this.signatureAlgorithm = signatureAlgorithm;
+ }
+
@Test
- public void can_build_self_signed_certificate() throws NoSuchAlgorithmException {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ public void can_build_self_signed_certificate() {
+ KeyPair keyPair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
X500Principal subject = new X500Principal("CN=myservice");
X509Certificate cert =
X509CertificateBuilder.fromKeypair(
@@ -27,7 +50,7 @@ public class X509CertificateBuilderTest {
subject,
Instant.now(),
Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ signatureAlgorithm,
1)
.setBasicConstraints(true, true)
.build();
@@ -38,9 +61,9 @@ public class X509CertificateBuilderTest {
public void can_build_certificate_from_csr() {
X500Principal subject = new X500Principal("CN=subject");
X500Principal issuer = new X500Principal("CN=issuer");
- KeyPair csrKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, csrKeypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
- KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair csrKeypair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, csrKeypair, signatureAlgorithm).build();
+ KeyPair caKeypair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
X509Certificate cert = X509CertificateBuilder
.fromCsr(
csr,
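Review bot: Both keypairs in `can_build_certificate_from_csr` are generated with the same `keyAlgorithm`, so the mixed case — an EC CSR issued by an RSA CA, or the reverse — is never exercised, even though that is the path where the public-key extraction changed in `X509CertificateBuilder.fromCsr` and the CA signature use different algorithms. Add a parameter set or a dedicated test with `KeyPair csrKeypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);` and `KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);`, signing the certificate with `SignatureAlgorithm.SHA512_WITH_RSA` while the CSR itself still uses the ECDSA algorithm matching `csrKeypair`. The test method continues past the end of this hunk.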
@@ -48,7 +71,7 @@ public class X509CertificateBuilderTest {
Instant.now(),
Instant.now().plus(1, ChronoUnit.DAYS),
caKeypair.getPrivate(),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ signatureAlgorithm,
1)
.addSubjectAlternativeName("subject1.alt")
.addSubjectAlternativeName("subject2.alt")
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
index e5605e93e55..d4cd76d6040 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
@@ -24,7 +24,7 @@ import static org.junit.Assert.assertThat;
public class X509CertificateUtilsTest {
@Test
public void can_deserialize_serialized_pem_certificate() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X500Principal subject = new X500Principal("CN=myservice");
X509Certificate cert = TestUtils.createCertificate(keypair, subject);
assertEquals(subject, cert.getSubjectX500Principal());
@@ -37,7 +37,7 @@ public class X509CertificateUtilsTest {
@Test
public void can_deserialize_serialized_pem_certificate_list() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X500Principal subject1 = new X500Principal("CN=myservice");
X509Certificate cert1 = TestUtils.createCertificate(keypair, subject1);
X500Principal subject2 = new X500Principal("CN=myservice");
@@ -52,7 +52,7 @@ public class X509CertificateUtilsTest {
@Test
public void can_list_subject_alternative_names() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
X500Principal subject = new X500Principal("CN=myservice");
SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
X509Certificate cert = X509CertificateBuilder
@@ -61,7 +61,7 @@ public class X509CertificateUtilsTest {
subject,
Instant.now(),
Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ SignatureAlgorithm.SHA512_WITH_ECDSA,
1)
.addSubjectAlternativeName(san)
.build();