Use stronger crypto settings for test certificates (#1960) Backport of 51e18e20ff7e4bdd8d164c99ec8551136d31dc37 for 1.10 * Use 4096 bit RSA keys and SHA512withRSA instead of SHA1withRSA for the certificate signing algorithm for certificates generated for testing Accumulo's TLS support * This avoids problems with test breakages in environments, such as Fedora 33, with strong default crypto policies for Java that restrict weak crypto, or if the user has restricted their Java security policies themselves

commit: 05a4fc0faba94b0cc8dd335aafb1e282f5f22f35 [log] [tgz]
author: Christopher Tubbs <ctubbsii@apache.org> Sat Mar 06 10:59:49 2021 -0500
committer: Christopher Tubbs <ctubbsii@apache.org> Mon Mar 08 07:50:25 2021 -0500
tree: b9f343a068310656dfed0a924dfdf030965d49f6
parent: 4b3a3b98d8916dc49f0ce54f6b8dca7b9473dc29 [diff]
diff --git a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
index 7ddf114..3084921 100644
--- a/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java
+++ b/test/src/main/java/org/apache/accumulo/harness/MiniClusterHarness.java

@@ -210,10 +210,9 @@
         truststorePassword = "truststore_password";
     try {
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, "sha1WithRSAEncryption")
-              .createAll(rootKeystoreFile, localKeystoreFile, publicTruststoreFile,
-                  cfg.getInstanceName(), rootKeystorePassword, cfg.getRootPassword(),
-                  truststorePassword);
+          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 4096, "SHA512WITHRSA").createAll(
+              rootKeystoreFile, localKeystoreFile, publicTruststoreFile, cfg.getInstanceName(),
+              rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
       throw new RuntimeException("error creating MAC keystore", e);
     }

diff --git a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
index 0ac5af7..c380838 100644
--- a/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java
+++ b/test/src/main/java/org/apache/accumulo/test/functional/ConfigurableMacBase.java

@@ -23,6 +23,7 @@
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.net.InetAddress;
 import java.util.Map;
 
 import org.apache.accumulo.core.client.AccumuloException;
@@ -99,11 +100,11 @@
     final String rootKeystorePassword = "root_keystore_password",
         truststorePassword = "truststore_password";
     try {
+      String hostname = InetAddress.getLocalHost().getHostName();
       new CertUtils(Property.RPC_SSL_KEYSTORE_TYPE.getDefaultValue(),
-          "o=Apache Accumulo,cn=MiniAccumuloCluster", "RSA", 2048, "sha1WithRSAEncryption")
-              .createAll(rootKeystoreFile, localKeystoreFile, publicTruststoreFile,
-                  cfg.getInstanceName(), rootKeystorePassword, cfg.getRootPassword(),
-                  truststorePassword);
+          "o=Apache Accumulo,cn=" + hostname, "RSA", 4096, "SHA512WITHRSA").createAll(
+              rootKeystoreFile, localKeystoreFile, publicTruststoreFile, cfg.getInstanceName(),
+              rootKeystorePassword, cfg.getRootPassword(), truststorePassword);
     } catch (Exception e) {
       throw new RuntimeException("error creating MAC keystore", e);
     }

diff --git a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
index 3ce0d02..12c33d8 100644
--- a/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java
+++ b/test/src/main/java/org/apache/accumulo/test/util/CertUtils.java

@@ -123,14 +123,14 @@
     public String siteFile = null;
 
     @Parameter(names = "--signing-algorithm", description = "Algorithm used to sign certificates")
-    public String signingAlg = "SHA256WITHRSA";
+    public String signingAlg = "SHA512WITHRSA";
 
     @Parameter(names = "--encryption-algorithm",
         description = "Algorithm used to encrypt private keys")
     public String encryptionAlg = "RSA";
 
     @Parameter(names = "--keysize", description = "Key size used by encryption algorithm")
-    public int keysize = 2048;
+    public int keysize = 4096;
 
     public AccumuloConfiguration getConfiguration() {
       if (siteFile == null) {

diff --git a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
index 582910b..3b3ddbe 100644
--- a/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java
+++ b/test/src/test/java/org/apache/accumulo/test/util/CertUtilsTest.java

@@ -41,7 +41,7 @@
       new TemporaryFolder(new File(System.getProperty("user.dir") + "/target"));
 
   private CertUtils getUtils() {
-    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 2048, "sha1WithRSAEncryption");
+    return new CertUtils(KEYSTORE_TYPE, RDN_STRING, "RSA", 4096, "SHA512WITHRSA");
   }
 
   @Test
commit	05a4fc0faba94b0cc8dd335aafb1e282f5f22f35	[log] [tgz]
author	Christopher Tubbs <ctubbsii@apache.org>	Sat Mar 06 10:59:49 2021 -0500
committer	Christopher Tubbs <ctubbsii@apache.org>	Mon Mar 08 07:50:25 2021 -0500
tree	b9f343a068310656dfed0a924dfdf030965d49f6
parent	4b3a3b98d8916dc49f0ce54f6b8dca7b9473dc29 [diff]