author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-30 17:54:17 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-08-30 17:54:17 +0200 |
commit | a000c375c91bb1b244ef34f6a483d8833a4643de (patch) | |
tree | 6bc3191ef6dddac0bc12f4c2e916b7039b6ebd18 /vespajlib | |
parent | a6cf9aa6529fe441532278d9da8317e101b462ee (diff) |
Use elliptic curve crypto to speed up unit tests
- Fix generating csr with EC
- Add unit test of extracting EC public key from private key
- Test X509CertificateBuilder using both RSA and EC
Diffstat (limited to 'vespajlib')
11 files changed, 62 insertions, 29 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java b/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
index 552d964bf51..b1e4934b128 100644
--- a/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
+++ b/vespajlib/src/main/java/com/yahoo/security/SignatureAlgorithm.java
@@ -6,7 +6,8 @@ package com.yahoo.security;
 */
 public enum SignatureAlgorithm {
 SHA256_WITH_RSA("SHA256withRSA"),
- SHA512_WITH_RSA("SHA512withRSA");
+ SHA512_WITH_RSA("SHA512withRSA"),
+ SHA512_WITH_ECDSA("SHA512withECDSA");
 private final String algorithmName;
diff --git a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
index 5b2cc1127a9..a5b79c9a9f9 100644
--- a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
+++ b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
@@ -73,7 +73,9 @@ public class X509CertificateBuilder {
 long serialNumber) {
 try {
 PKCS10CertificationRequest bcCsr = csr.getBcCsr();
- PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr).getPublicKey();
+ PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr)
+ .setProvider(BouncyCastleProviderHolder.getInstance())
+ .getPublicKey();
 return new X509CertificateBuilder(caIssuer,
 new X500Principal(bcCsr.getSubject().getEncoded()),
 notBefore,
diff --git a/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
index 500c7cb23e1..06ea5d963a3 100644
--- a/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/KeyStoreBuilderTest.java
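Review bot: The added `.setProvider(BouncyCastleProviderHolder.getInstance())` on the JcaPKCS10CertificationRequest carries no comment, so the next reader cannot tell that removing it breaks EC CSRs rather than being a harmless simplification; add `// Pin BouncyCastle: the default JCA lookup could not rebuild the EC public key carried in the CSR` above the statement (the reason is inferred from the commit message, so adjust the wording if the actual failure was different). Separately, nothing visible in this hunk checks the CSR's self-signature before its public key is carried over into the certificate; unless `csr.getBcCsr()` or the constructor called below already runs `bcCsr.isSignatureValid(...)`, the builder issues a certificate for a key the requester never proved possession of. That is worth confirming, since the enclosing method (fromCsr, judging by the tests) starts and ends outside the hunk, including its catch block.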
@@ -25,7 +25,7 @@ public class KeyStoreBuilderTest {
 @Test
 public void can_create_jks_keystore_from_privatekey_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X509Certificate certificate = createCertificate(keyPair);
 KeyStoreBuilder.withType(KeyStoreType.JKS)
 .withKeyEntry("key", keyPair.getPrivate(), certificate)
diff --git a/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
index f414bf8ba84..825f4446d94 100644
--- a/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/KeyUtilsTest.java
@@ -18,13 +18,20 @@ import static org.junit.Assert.assertThat;
 public class KeyUtilsTest {
 @Test
- public void can_extract_public_key_from_private() {
+ public void can_extract_public_key_from_rsa_private() {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 PublicKey publicKey = KeyUtils.extractPublicKey(keyPair.getPrivate());
 assertNotNull(publicKey);
 }
 @Test
+ public void can_extract_public_key_from_ecdsa_private() {
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
+ PublicKey publicKey = KeyUtils.extractPublicKey(keyPair.getPrivate());
+ assertNotNull(publicKey);
+ }
+
+ @Test
 public void can_serialize_deserialize_pem() {
 KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
 String pem = KeyUtils.toPem(keyPair.getPrivate());
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
index 812e26360a4..d51203a5cb2 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrBuilderTest.java
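Review bot: Replacing `KeyAlgorithm.RSA, 4096` with `KeyAlgorithm.EC, 256` here drops the only RSA run of the JKS key-entry path rather than adding an EC one, and the same one-for-one swap is made in Pkcs10CsrBuilderTest, Pkcs10CsrTest, Pkcs10CsrUtilsTest, SslContextBuilderTest, TestUtils and X509CertificateUtilsTest. Only X509CertificateBuilderTest is parameterised over both algorithms in this commit; unless RSA coverage of these builders exists elsewhere, an RSA-specific regression in key-store, SSL-context or CSR handling would now go unnoticed. A cheap fix is to keep one RSA case per file (`KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048)`), which in turn requires TestUtils.createCertificate to pick the signature algorithm from the key type instead of the hard-wired SHA512_WITH_ECDSA, or to apply the same Parameterized runner used in X509CertificateBuilderTest.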
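Review bot: The new `can_extract_public_key_from_ecdsa_private` only asserts that the result is non-null, which would still pass if extractPublicKey returned a point on the wrong curve or an unrelated key; the renamed RSA sibling has the same weakness. Compare it with the generated public key instead, e.g. `assertArrayEquals(keyPair.getPublic().getEncoded(), publicKey.getEncoded());` (importing `org.junit.Assert.assertArrayEquals`), or, if the two providers turn out to encode the curve parameters differently, sign with the private key and verify with the extracted public key.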
@@ -16,8 +16,8 @@ public class Pkcs10CsrBuilderTest {
 @Test
 public void can_build_csr_with_sans() {
 X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
 .addSubjectAlternativeName("san1.com")
 .addSubjectAlternativeName("san2.com")
 .build();
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
index b3141eeca5a..b7dc627b86e 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrTest.java
@@ -20,10 +20,10 @@ public class Pkcs10CsrTest {
 @Test
 public void can_read_subject_alternative_names() {
 X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com");
 SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com");
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
 .addSubjectAlternativeName(san1)
 .addSubjectAlternativeName(san2)
 .build();
@@ -33,8 +33,8 @@ public class Pkcs10CsrTest {
 @Test
 public void can_read_basic_constraints() {
 X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
 .setBasicConstraints(true, true)
 .build();
 assertTrue(csr.getBasicConstraints().isPresent());
@@ -44,8 +44,8 @@ public class Pkcs10CsrTest {
 @Test
 public void can_read_extensions() {
 X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA)
 .addSubjectAlternativeName("san")
 .setBasicConstraints(true, true)
 .build();
diff --git a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
index a0457b26f8b..04d35a537bb 100644
--- a/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/Pkcs10CsrUtilsTest.java
@@ -18,8 +18,8 @@ public class Pkcs10CsrUtilsTest {
 @Test
 public void can_deserialize_serialized_pem_csr() {
 X500Principal subject = new X500Principal("CN=subject");
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA512_WITH_ECDSA).build();
 String pem = Pkcs10CsrUtils.toPem(csr);
 Pkcs10Csr deserializedCsr = Pkcs10CsrUtils.fromPem(pem);
 assertThat(pem, containsString("BEGIN CERTIFICATE REQUEST"));
diff --git a/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
index 6b17520ffe0..cc269a4ef43 100644
--- a/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/SslContextBuilderTest.java
@@ -47,7 +47,7 @@ public class SslContextBuilderTest {
 @Test
 public void can_build_sslcontext_with_keystore_from_private_key_and_certificate() throws Exception {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X509Certificate certificate = createCertificate(keyPair);
 new SslContextBuilder()
 .withKeyStore(keyPair.getPrivate(), certificate)
diff --git a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
index 17c9cb99f0e..dcf75e26aec 100644
--- a/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
+++ b/vespajlib/src/test/java/com/yahoo/security/TestUtils.java
@@ -18,7 +18,7 @@ import static com.yahoo.security.KeyStoreUtils.writeKeyStoreToFile;
 class TestUtils {
 static KeyStore createKeystore(KeyStoreType type, char[] password) {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 4096);
+ KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 return KeyStoreBuilder.withType(type)
 .withKeyEntry("entry-name", keyPair.getPrivate(), password, createCertificate(keyPair))
 .build();
@@ -31,7 +31,7 @@ class TestUtils {
 static X509Certificate createCertificate(KeyPair keyPair, X500Principal subject) {
 return X509CertificateBuilder
 .fromKeypair(
- keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA256_WITH_RSA, 1)
+ keyPair, subject, Instant.now(), Instant.now().plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, 1)
 .build();
 }
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
index 36ef9d759a8..469d4887858 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateBuilderTest.java
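Review bot: `createCertificate(KeyPair, X500Principal)` now hard-codes `SignatureAlgorithm.SHA512_WITH_ECDSA`, so any test that still hands an RSA key pair to createKeystore or createCertificate fails at signing time instead of getting a usable fixture; the helper has silently become EC-only without saying so. Derive the algorithm from the key rather than a constant, e.g. `SignatureAlgorithm sigAlg = "RSA".equals(keyPair.getPublic().getAlgorithm()) ? SignatureAlgorithm.SHA512_WITH_RSA : SignatureAlgorithm.SHA512_WITH_ECDSA;` and pass `sigAlg` to fromKeypair, or at least document the restriction in a comment on the method. The other createCertificate overloads that presumably delegate here are outside the hunk.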
@@ -2,24 +2,47 @@ package com.yahoo.security;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.Collection;
 import static org.junit.Assert.assertEquals;
 /**
 * @author bjorncs
 */
+@RunWith(Parameterized.class)
 public class X509CertificateBuilderTest {
+ @Parameterized.Parameters(name = "{0}")
+ public static Collection<Object[]> data() {
+ return Arrays.asList(new Object[][] {
+ {KeyAlgorithm.RSA, 2048, SignatureAlgorithm.SHA512_WITH_RSA},
+ {KeyAlgorithm.EC, 256, SignatureAlgorithm.SHA512_WITH_ECDSA}});
+ }
+
+ private final KeyAlgorithm keyAlgorithm;
+ private final int keySize;
+ private final SignatureAlgorithm signatureAlgorithm;
+
+ public X509CertificateBuilderTest(KeyAlgorithm keyAlgorithm,
+ int keySize,
+ SignatureAlgorithm signatureAlgorithm) {
+ this.keyAlgorithm = keyAlgorithm;
+ this.keySize = keySize;
+ this.signatureAlgorithm = signatureAlgorithm;
+ }
+
 @Test
- public void can_build_self_signed_certificate() throws NoSuchAlgorithmException {
- KeyPair keyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ public void can_build_self_signed_certificate() {
+ KeyPair keyPair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
 X500Principal subject = new X500Principal("CN=myservice");
 X509Certificate cert = X509CertificateBuilder.fromKeypair(
@@ -27,7 +50,7 @@ public class X509CertificateBuilderTest {
 subject,
 Instant.now(),
 Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ signatureAlgorithm,
 1)
 .setBasicConstraints(true, true)
 .build();
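Review bot: `@Parameterized.Parameters(name = "{0}")` labels each run by the KeyAlgorithm alone, so reports show only `[RSA]` and `[EC]` and hide the key size and signature algorithm that the rows also vary; a failing third row (say EC with another size, or a SHA256 variant) would be indistinguishable by name from the existing one. Use `name = "{0}-{1}-{2}"` so every row is self-describing. The rest of the class body continues in the next hunk.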
@@ -38,9 +61,9 @@ public class X509CertificateBuilderTest {
 public void can_build_certificate_from_csr() {
 X500Principal subject = new X500Principal("CN=subject");
 X500Principal issuer = new X500Principal("CN=issuer");
- KeyPair csrKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, csrKeypair, SignatureAlgorithm.SHA256_WITH_RSA).build();
- KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair csrKeypair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
+ Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, csrKeypair, signatureAlgorithm).build();
+ KeyPair caKeypair = KeyUtils.generateKeypair(keyAlgorithm, keySize);
 X509Certificate cert = X509CertificateBuilder
 .fromCsr(
 csr,
@@ -48,7 +71,7 @@ public class X509CertificateBuilderTest {
 Instant.now(),
 Instant.now().plus(1, ChronoUnit.DAYS),
 caKeypair.getPrivate(),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ signatureAlgorithm,
 1)
 .addSubjectAlternativeName("subject1.alt")
 .addSubjectAlternativeName("subject2.alt")
diff --git a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
index e5605e93e55..d4cd76d6040 100644
--- a/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
+++ b/vespajlib/src/test/java/com/yahoo/security/X509CertificateUtilsTest.java
@@ -24,7 +24,7 @@ import static org.junit.Assert.assertThat;
 public class X509CertificateUtilsTest {
 @Test
 public void can_deserialize_serialized_pem_certificate() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X500Principal subject = new X500Principal("CN=myservice");
 X509Certificate cert = TestUtils.createCertificate(keypair, subject);
 assertEquals(subject, cert.getSubjectX500Principal());
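Review bot: In `can_build_certificate_from_csr` the CSR key pair and the CA key pair are now both generated from the same `keyAlgorithm`/`keySize` and both signatures use the same `signatureAlgorithm`, so the realistic mixed case — an EC-keyed CSR issued by an RSA CA, or the reverse — is never exercised, and that is precisely the path where decoding the CSR's public key (the production fix in this commit) and signing with the CA key involve different algorithms. Consider a dedicated test that fixes the CA side, e.g. `KeyPair caKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);` with `SignatureAlgorithm.SHA512_WITH_RSA` for the issuing call, while the CSR keeps following the parameters. The assertions after `.build()` lie outside this hunk; if they do not already, they should compare `cert.getPublicKey()` with `csrKeypair.getPublic()` and call `cert.verify(caKeypair.getPublic())`, which is what actually proves the CSR key was decoded and certified correctly.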
@@ -37,7 +37,7 @@ public class X509CertificateUtilsTest {
 @Test
 public void can_deserialize_serialized_pem_certificate_list() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X500Principal subject1 = new X500Principal("CN=myservice");
 X509Certificate cert1 = TestUtils.createCertificate(keypair, subject1);
 X500Principal subject2 = new X500Principal("CN=myservice");
@@ -52,7 +52,7 @@ public class X509CertificateUtilsTest {
 @Test
 public void can_list_subject_alternative_names() {
- KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 X500Principal subject = new X500Principal("CN=myservice");
 SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
 X509Certificate cert = X509CertificateBuilder
@@ -61,7 +61,7 @@ public class X509CertificateUtilsTest {
 subject,
 Instant.now(),
 Instant.now().plus(1, ChronoUnit.DAYS),
- SignatureAlgorithm.SHA256_WITH_RSA,
+ SignatureAlgorithm.SHA512_WITH_ECDSA,
 1)
 .addSubjectAlternativeName(san)
 .build();
|