List: openjdk-net-dev
Subject: Re: [ipv6] On updating certificates in tests
From: Arthur Eubanks <aeubanks () google ! com>
Date: 2019-04-24 3:56:18
Message-ID: CAPW48sr-MeeDnfkVdJJAVuN71P+YQnZbwfF67p9o8pBBPG6gDA () mail ! gmail ! com
Thanks, I'll try it out. This seems very complicated for updating a cert
though.
On Tue, Apr 23, 2019, 5:22 AM Pavel Rappo <pavel.rappo@oracle.com> wrote:
> Arthur,
>
> Some time ago Chris mentioned [1] that there was at least one test failing due
> to missing SANs in its certificates:
>
>
> test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
>
> You then replied that you were planning to address that issue in a future
> change.
>
> I thought it might be helpful to you to get step-by-step instructions on how
> to change that test security setup, so you won't waste too much of your time.
>
> Bear in mind that this is just one way to achieve that. This should work
> reasonably well for not more than a handful of such tests. If you find more
> tests relying on SAN in certificates, please get back on the list and we'll
> try to figure out a better way of doing this together. I would not go there
> just yet, because I have a heavy suspicion it will require programmatic access
> to keytool and its security friends. It might cause restructuring the test
> significantly. So let's see the affected area first.
>
> Here we go:
>
> 1. Create a directory and cd into it (so everything is clean and tidy)
>
> mkdir my-certificates-for-tests && cd my-certificates-for-tests
>
> 2. Generate a self-signed CA certificate
>
> keytool -genkeypair \
> -keyalg RSA \
> -startdate 2019/01/01 \
> -validity 13000 \
> -keysize 1024 \
> -dname "C=XX, ST=CA-State, L=CA-City, O=CA-Org" \
> -ext bc=ca:true \
> -storetype PKCS12 \
> -alias root \
> -keystore temp.jks \
> -storepass 123456
>
> 3. Generate a self-signed (for now) certificate for the server
>
> keytool -genkeypair \
> -keyalg RSA \
> -keysize 1024 \
> -dname "C=YY, ST=Server-State, L=Server-City, O=Server, OU=Server-Unit, CN=Server-Name" \
> -alias server \
> -keystore temp.jks \
> -storepass 123456
>
> 4. Sign that server certificate using the previously generated CA's
> certificate
>
> keytool -certreq \
> -alias server \
> -keystore temp.jks \
> -storepass 123456 \
> | keytool -gencert \
> -rfc \
> -startdate 2019/01/02 \
> -validity 12000 \
> -ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
> -alias root \
> -keystore temp.jks \
> -storepass 123456 \
> | keytool -importcert \
> -alias server \
> -keystore temp.jks \
> -storepass 123456
>
> 5. Repeat the process for the client certificate
>
> keytool -genkeypair \
> -keyalg RSA \
> -keysize 1024 \
> -dname "C=ZZ, ST=Client-State, L=Client-City, O=Client, OU=Client-Unit, CN=Client-Name" \
> -alias client \
> -keystore temp.jks \
> -storepass 123456
>
> then
>
> keytool -certreq \
> -alias client \
> -keystore temp.jks \
> -storepass 123456 \
> | keytool -gencert \
> -rfc \
> -startdate 2019/01/02 \
> -validity 12000 \
> -ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
> -alias root \
> -keystore temp.jks \
> -storepass 123456 \
> | keytool -importcert \
> -alias client \
> -keystore temp.jks \
> -storepass 123456
>
> Now, so as to update the test source, you will need to print the certificates
> and the keys. As far as I know, keytool cannot really do this (however, there's
> an API to which we might fall back later). For now you could simply use the
> openssl tool.
>
> 6. Print the certificates
>
> keytool -list \
> -rfc \
> -alias root \
> -keystore temp.jks \
> -storepass 123456 \
> | openssl x509 -inform pem -text
>
> keytool -list \
> -rfc \
> -alias server \
> -keystore temp.jks \
> -storepass 123456 \
> | openssl x509 -inform pem -text
>
> keytool -list \
> -rfc \
> -alias client \
> -keystore temp.jks \
> -storepass 123456 \
> | openssl x509 -inform pem -text
>
> 7. Export the keys from the keystore
>
> openssl pkcs12 -in temp.jks -nodes -nocerts -out keys.pem -passin pass:123456
>
> 8. Manually split the resulting `keys.pem` file into 2: server.pem and
> client.pem, discarding the root key.
>
> 9. Print the keys
>
> openssl rsa -in server.pem -text
>
> openssl rsa -in client.pem -text
>
> Now you should have all the data required to update the test.
>
> -Pavel
>
>
> --------------------------------------------------------------------------------
> [1] https://mail.openjdk.java.net/pipermail/net-dev/2019-March/012311.html
>
>
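Steps 6 to 9 of the quoted procedure use openssl to dump the certificates and keys. The following Java program is an added example, not code from the thread or from the OpenJDK test, showing the "programmatic" route Pavel alludes to: it opens the PKCS12 store the steps produce (assumed to be `temp.jks` with password `123456` and aliases `root`, `server`, `client`), prints each certificate and the server/client private keys as PEM, and fails if a leaf certificate lacks the two IP SANs the test needs. The key output is PKCS#8 ("PRIVATE KEY"), not the RSA component dump `openssl rsa -text` prints.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.*;

public class DumpTestCerts {
    // Assumed values: the store, password and aliases used in the keytool steps.
    static final String STORE = "temp.jks";
    static final char[] PASS = "123456".toCharArray();
    static final List<String> ALIASES = List.of("root", "server", "client");
    // The SAN entries IPAddressIPIdentities expects: IPv4 and IPv6 loopback.
    static final List<String> WANTED_IPS = List.of("127.0.0.1", "0:0:0:0:0:0:0:1");

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(STORE)) {
            ks.load(in, PASS);
        }
        for (String alias : ALIASES) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println("// " + alias + ": " + cert.getSubjectX500Principal());
            System.out.println(pem("CERTIFICATE", cert.getEncoded()));
            if (!alias.equals("root")) {           // root key is discarded (step 8)
                PrivateKey key = (PrivateKey) ks.getKey(alias, PASS);
                System.out.println(pem("PRIVATE KEY", key.getEncoded()));
                checkIpSans(alias, cert);
            }
        }
    }

    // Collect the iPAddress (GeneralName tag 7) SAN entries, normalised through
    // InetAddress so IPv6 spelling differences do not cause false failures.
    static void checkIpSans(String alias, X509Certificate cert) throws Exception {
        Set<String> ips = new HashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == 7) {
                    ips.add(InetAddress.getByName((String) san.get(1)).getHostAddress());
                }
            }
        }
        for (String want : WANTED_IPS) {
            String norm = InetAddress.getByName(want).getHostAddress();
            if (!ips.contains(norm)) {
                throw new IllegalStateException(alias + " lacks SAN ip:" + want + ", has " + ips);
            }
        }
    }

    static String pem(String type, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + body + "\n-----END " + type + "-----";
    }
}
```

Run it from the directory created in step 1 after step 5; the SAN check catches the exact omission that made the test fail before anything is pasted into the test source.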