[ipv6] On updating certificates in tests
Pavel Rappo
pavel.rappo at oracle.com
Tue Apr 23 12:22:13 UTC 2019
Arthur,
Some time ago Chris mentioned [1] that there was at least one test failing due
to missing SANs in its certificates:
test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
You then replied that you were planning to address that issue in a future
change.
I thought it might be helpful to you to get step-by-step instructions on how
to change that test security setup, so you won't waste too much of your time.
Bear in mind that this is just one way to achieve that. This should work
reasonably well for not more than a handful of such tests. If you find more
tests relying on SAN in certificates, please get back on the list and we'll try
to figure out a better way of doing this together. I would not go there just yet,
because I have a heavy suspicion it will require programmatic access to keytool
and its security friends. It might mean restructuring the test significantly.
So let's see the affected area first.
Here we go:
1. Create a directory and cd into it (so everything is clean and tidy)
mkdir my-certificates-for-tests && cd my-certificates-for-tests
2. Generate a self-signed CA certificate
keytool -genkeypair \
-keyalg RSA \
-startdate 2019/01/01 \
-validity 13000 \
-keysize 1024 \
-dname "C=XX, ST=CA-State, L=CA-City, O=CA-Org" \
-ext bc=ca:true \
-storetype PKCS12 \
-alias root \
-keystore temp.jks \
-storepass 123456
3. Generate a self-signed (for now) certificate for the server
keytool -genkeypair \
-keyalg RSA \
-keysize 1024 \
-dname "C=YY, ST=Server-State, L=Server-City, O=Server, OU=Server-Unit, CN=Server-Name" \
-alias server \
-keystore temp.jks \
-storepass 123456
4. Sign that server certificate using the previously generated CA’s certificate
keytool -certreq \
-alias server \
-keystore temp.jks \
-storepass 123456 \
| keytool -gencert \
-rfc \
-startdate 2019/01/02 \
-validity 12000 \
-ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
-alias root \
-keystore temp.jks \
-storepass 123456 \
| keytool -importcert \
-alias server \
-keystore temp.jks \
-storepass 123456
5. Repeat the process for the client certificate
keytool -genkeypair \
-keyalg RSA \
-keysize 1024 \
-dname "C=ZZ, ST=Client-State, L=Client-City, O=Client, OU=Client-Unit, CN=Client-Name" \
-alias client \
-keystore temp.jks \
-storepass 123456
then
keytool -certreq \
-alias client \
-keystore temp.jks \
-storepass 123456 \
| keytool -gencert \
-rfc \
-startdate 2019/01/02 \
-validity 12000 \
-ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
-alias root \
-keystore temp.jks \
-storepass 123456 \
| keytool -importcert \
-alias client \
-keystore temp.jks \
-storepass 123456
Now, to update the test source, you will need to print the certificates
and the keys. As far as I know, keytool cannot really do this (however, there's
an API to which we might fall back later). For now you could simply use the
openssl tool.
6. Print the certificates
keytool -list \
-rfc \
-alias root \
-keystore temp.jks \
-storepass 123456 \
| openssl x509 -inform pem -text
keytool -list \
-rfc \
-alias server \
-keystore temp.jks \
-storepass 123456 \
| openssl x509 -inform pem -text
keytool -list \
-rfc \
-alias client \
-keystore temp.jks \
-storepass 123456 \
| openssl x509 -inform pem -text
7. Export the keys from the keystore
openssl pkcs12 -in temp.jks -nodes -nocerts -out keys.pem -passin pass:123456
# (with OpenSSL 3.x, add -legacy if it rejects the RC2/3DES PBE algorithms
#  that older keytool versions use by default when writing PKCS12 stores)
8. Manually split the resulting `keys.pem` file into 2: server.pem and
client.pem, discarding the root key.
9. Print the keys
openssl rsa -in server.pem -text
openssl rsa -in client.pem -text
Now you should have all the data required to update the test.
-Pavel
--------------------------------------------------------------------------------
[1] https://mail.openjdk.java.net/pipermail/net-dev/2019-March/012311.html
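The mail mentions that the keystore API could replace the openssl steps. The following is an added example (not code from the mail, the test, or the JDK) that does steps 6 to 9 with the public KeyStore API only, and additionally verifies, before anything is pasted into the test, that the server and client certificates chain to the generated root, are currently valid, and carry both expected IP addresses in their SAN. It assumes the file name, password and aliases used in steps 1 to 5 above (temp.jks, 123456, root/server/client), and it prints the private keys in PKCS#8 PEM form, which is what PKCS8EncodedKeySpec reads back.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.List;

// Added example: dump the certificates and keys produced by steps 1-5 using the
// KeyStore API instead of openssl, checking the SAN contents on the way.
public class DumpTestCerts {

    // Assumptions taken from the steps above: file name, store password, aliases.
    static final String STORE = "temp.jks";          // PKCS12 despite the .jks name
    static final char[] PASSWORD = "123456".toCharArray();
    static final List<String> EXPECTED_IPS = List.of("127.0.0.1", "0:0:0:0:0:0:0:1");

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : STORE;
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        X509Certificate root = (X509Certificate) ks.getCertificate("root");
        System.out.println("// root: " + root.getSubjectX500Principal());
        System.out.println(toPem("CERTIFICATE", root.getEncoded()));

        for (String alias : List.of("server", "client")) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // Fail fast here: a wrong chain or validity window would otherwise
            // surface later as a much less obvious TLS handshake failure.
            cert.verify(root.getPublicKey());     // signed by our CA?
            cert.checkValidity();                 // inside the notBefore/notAfter window?
            List<String> missing = missingSanIps(cert);
            if (!missing.isEmpty()) {
                throw new IllegalStateException(alias + ": SAN lacks " + missing);
            }
            System.out.println("// " + alias + ": " + cert.getSubjectX500Principal());
            System.out.println(toPem("CERTIFICATE", cert.getEncoded()));
            // In a PKCS12 store the key password is the store password.
            // getEncoded() on the private key yields PKCS#8 DER.
            PrivateKey key = (PrivateKey) ks.getKey(alias, PASSWORD);
            System.out.println(toPem("PRIVATE KEY", key.getEncoded()));
        }
    }

    // Returns the expected IPs that are absent from the certificate's SAN.
    // Comparison goes through InetAddress so "::1" and "0:0:0:0:0:0:0:1" are
    // treated as the same address regardless of how the JDK renders them.
    static List<String> missingSanIps(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        List<InetAddress> present = new ArrayList<>();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == 7) {   // GeneralName type 7 = iPAddress
                    present.add(InetAddress.getByName((String) san.get(1)));
                }
            }
        }
        List<String> missing = new ArrayList<>();
        for (String ip : EXPECTED_IPS) {
            if (!present.contains(InetAddress.getByName(ip))) missing.add(ip);
        }
        return missing;
    }

    // PEM wrapper with 64-character lines, as the test sources embed them.
    static String toPem(String type, byte[] der) {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        return "-----BEGIN " + type + "-----\n" + body + "\n-----END " + type + "-----";
    }
}
```

Compile and run it in the directory from step 1 after step 5 (`javac DumpTestCerts.java && java DumpTestCerts`); it replaces steps 6 to 9 and exits with an exception instead of output if a certificate was signed without the SAN, which is exactly the defect the test was failing on. The private keys it prints are test-only material and must never be reused outside the test.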