[
https://issues.apache.org/jira/browse/CASSANDRA-18270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693380#comment-17693380
]
Maulin Vasavada edited comment on CASSANDRA-18270 at 2/24/23 11:57 PM:
-----------------------------------------------------------------------
Okay, I think I found the issue. In 4.1 we had
[this|https://github.com/apache/cassandra/blob/cassandra-4.1/src/java/org/apache/cassandra/security/PEMBasedSslContextFactory.java#L108-L111]
code which used to default the keyPassword to keystore_password in case
keyPassword was null/empty AND that helped make sure that in the test case, for
the unencrypted PEM key the password is null. Hence it would go in the else
part of [this if statement
|https://github.com/apache/cassandra/blob/cassandra-4.1/src/java/org/apache/cassandra/security/PEMReader.java#L103]and
work correctly. Now in the latest code that equivalent logic is not present
for defaulting keyPassword to keystore_password in case of empty as per
[this|https://github.com/instaclustr/cassandra/blob/CASSANDRA-18264-trunk-followup/src/java/org/apache/cassandra/security/PEMBasedSslContextFactory.java#L108]
code.
One solution would be to check for isEmpty() in the PEMReader instead of just
non null and that should fix this.
In JKS based keystores the passwords could be empty strings vs null. However,
In case of PEM files I feel it should be safe to consider empty string as null
password. Does that make sense, then I can change the PEMReader accordingly.
was (Author: maulin.vasavada):
Okay, I think I found the issue. In 4.1 we had
[this|https://github.com/apache/cassandra/blob/cassandra-4.1/src/java/org/apache/cassandra/security/PEMBasedSslContextFactory.java#L108-L111]
code which used to default the keyPassword to keystore_password in case
keyPassword was null/empty AND that helped make sure that in the test case, for
the unencrypted PEM key the password is null. Hence it would go in the else
part of [this if statement
|https://github.com/apache/cassandra/blob/cassandra-4.1/src/java/org/apache/cassandra/security/PEMReader.java#L103]and
work correctly. Now in the latest code that equivalent logic is not present
for defaulting keyPassword to keystore_password in case of empty as per
[this|https://github.com/instaclustr/cassandra/blob/CASSANDRA-18264-trunk-followup/src/java/org/apache/cassandra/security/PEMBasedSslContextFactory.java#L108]
code.
One solution would be to check for isEmpty() in the PEMReader instead of just
non null and that should fix this.
In JKS based keystores the passwords could be empty strings vs null. In case of
PEM files I feel it should be safe to consider empty string as null password.
Does that make sense, then I can change the PEMReader accordingly.
> ssl-factory demo in examples is broken
> --------------------------------------
>
> Key: CASSANDRA-18270
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18270
> Project: Cassandra
> Issue Type: Bug
> Components: Local/Other
> Reporter: Stefan Miklosovic
> Assignee: Maulin Vasavada
> Priority: Normal
> Fix For: 4.1.x, 4.x
>
>
> this fails, it is not happening in cassandra-4.1
> {code}
> cd examples/ssl-factory
> ant build && ant test
> {code}
> My suspicion is that SSL factory related stuff was recently changed, in
> trunk, by (1) and this broke related ssl test.
> [~maulin.vasavada] do you have some time to look into that as you are the
> author of the tests? I think I fixed the most of it here (2) but one test is
> still failing and I can not wrap my head around that one. It gives:
> {code}
> [junit] Testcase:
> buildKeyManagerFactoryHappyPathForUnencryptedKey(org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactoryTest):
> Caused an ERROR
> [junit] Failed to build key manager store for secure connections
> [junit] javax.net.ssl.SSLException: Failed to build key manager store for
> secure connections
> [junit] at
> org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:267)
> [junit] at
> org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:229)
> [junit] at
> org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactory.buildKeyManagerFactory(KubernetesSecretsPEMSslContextFactory.java:169)
> [junit] at
> org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactoryTest.buildKeyManagerFactoryHappyPathForUnencryptedKey(KubernetesSecretsPEMSslContextFactoryTest.java:244)
> [junit] Caused by: java.io.IOException: overrun, bytes = 1195
> [junit] at
> javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
> [junit] at
> org.apache.cassandra.security.PEMReader.extractPrivateKey(PEMReader.java:108)
> [junit] at
> org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyStore(PEMBasedSslContextFactory.java:319)
> [junit] at
> org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:251)
> {code}
> (1)
> https://github.com/apache/cassandra/commit/ed3901823a5fe9f8838d8b592a1b7703b12e810b
> (2)
> https://github.com/instaclustr/cassandra/tree/CASSANDRA-18264-trunk-followup
> cc [~Jyothsnakonisa]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
