[ https://issues.apache.org/jira/browse/CASSANDRA-18270?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693394#comment-17693394 ]
Maulin Vasavada edited comment on CASSANDRA-18270 at 2/25/23 1:25 AM:
----------------------------------------------------------------------
Based on my research so far into PEM key generation: it fails to output the
public key from the encrypted PEM if the password is less than 4 characters,
hence I feel it should be safe to make the change to check for !isEmpty()
instead of non-null in the PEMReader to determine if the PEM is encrypted or not.
So what should be the next step, [~smiklosovic]? I made the change locally and
all the tests are passing now. Do you want to just make it on your branch at
[this
line|https://github.com/instaclustr/cassandra/blob/CASSANDRA-18264-trunk-followup/src/java/org/apache/cassandra/security/PEMReader.java#L103]
to check for the below condition, or do you want me to raise a PR?
{code:java}
if (!StringUtils.isEmpty(keyPassword))
{code}
And just for reference, when I try to output the public key from an encrypted
PEM with a password of 2 characters, I get the following error. It is
interesting that it doesn't prevent me from generating the encrypted PEM with a
password of less than 4 characters but fails later.
{noformat}
command: openssl rsa -in encrypted-keypair2.pem -pubout -out public-key.pem
libressl/libressl-3.3/crypto/ui/ui_lib.c:782:You must type in 4 to 1023 characters
{noformat}
> ssl-factory demo in examples is broken
> --------------------------------------
>
> Key: CASSANDRA-18270
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18270
> Project: Cassandra
> Issue Type: Bug
> Components: Local/Other
> Reporter: Stefan Miklosovic
> Assignee: Maulin Vasavada
> Priority: Normal
> Fix For: 4.1.x, 4.x
>
>
> this fails, it is not happening in cassandra-4.1
> {code}
> cd examples/ssl-factory
> ant build && ant test
> {code}
> My suspicion is that SSL factory related stuff was recently changed, in
> trunk, by (1) and this broke the related SSL test.
> [~maulin.vasavada] do you have some time to look into that as you are the
> author of the tests? I think I fixed most of it here (2) but one test is
> still failing and I cannot wrap my head around that one. It gives:
> {code}
> [junit] Testcase: buildKeyManagerFactoryHappyPathForUnencryptedKey(org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactoryTest): Caused an ERROR
> [junit] Failed to build key manager store for secure connections
> [junit] javax.net.ssl.SSLException: Failed to build key manager store for secure connections
> [junit] at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:267)
> [junit] at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:229)
> [junit] at org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactory.buildKeyManagerFactory(KubernetesSecretsPEMSslContextFactory.java:169)
> [junit] at org.apache.cassandra.security.KubernetesSecretsPEMSslContextFactoryTest.buildKeyManagerFactoryHappyPathForUnencryptedKey(KubernetesSecretsPEMSslContextFactoryTest.java:244)
> [junit] Caused by: java.io.IOException: overrun, bytes = 1195
> [junit] at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95)
> [junit] at org.apache.cassandra.security.PEMReader.extractPrivateKey(PEMReader.java:108)
> [junit] at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyStore(PEMBasedSslContextFactory.java:319)
> [junit] at org.apache.cassandra.security.PEMBasedSslContextFactory.buildKeyManagerFactory(PEMBasedSslContextFactory.java:251)
> {code}
> (1) https://github.com/apache/cassandra/commit/ed3901823a5fe9f8838d8b592a1b7703b12e810b
> (2) https://github.com/instaclustr/cassandra/tree/CASSANDRA-18264-trunk-followup
> cc [~Jyothsnakonisa]