[ipv6] On updating certificates in tests

Arthur Eubanks aeubanks at google.com
Wed Apr 24 03:56:18 UTC 2019


Thanks, I'll try it out. This seems very complicated for updating a cert
though.

On Tue, Apr 23, 2019, 5:22 AM Pavel Rappo <pavel.rappo at oracle.com> wrote:

> Arthur,
>
> Some time ago Chris mentioned [1] that there was at least one test failing
> due
> to missing SANs in its certificates:
>
>
> test/jdk/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java
>
> You then replied that you were planning to address that issue in a future
> change.
>
> I thought it might be helpful to you to get step-by-step instructions on
> how
> to change that test security setup, so you won't waste too much of your
> time.
>
> Bear in mind that this is just one way to achieve that. This should work
> reasonably well for not more than a handful of such tests. If you find more
> tests relying on SAN in certificates, please get back on the list and
> we'll try to
> figure out a better way of doing this together. I would not go there just
> yet,
> because I have a heavy suspicion it will require programmatic access to
> keytool
> and its security friends. It might cause restructuring the test
> significantly.
> So let's see the affected area first.
>
> Here we go:
>
> 1. Create a directory and cd into it (so everything is clean and tidy)
>
>         mkdir my-certificates-for-tests && cd my-certificates-for-tests
>
> 2. Generate a self-signed CA certificate
>
>         keytool -genkeypair \
>         -keyalg RSA \
>         -startdate 2019/01/01 \
>         -validity 13000 \
>         -keysize 1024 \
>         -dname "C=XX, ST=CA-State, L=CA-City, O=CA-Org" \
>         -ext bc=ca:true \
>         -storetype PKCS12 \
>         -alias root \
>         -keystore temp.jks \
>         -storepass 123456
>
> 3. Generate a self-signed (for now) certificate for the server
>
>         keytool -genkeypair \
>         -keyalg RSA \
>         -keysize 1024 \
>         -dname "C=YY, ST=Server-State, L=Server-City, O=Server,
> OU=Server-Unit, CN=Server-Name" \
>         -alias server \
>         -keystore temp.jks \
>         -storepass 123456
>
> 4. Sign that server certificate using the previously generated CA’s
> certificate
>
>         keytool -certreq \
>         -alias server \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | keytool -gencert \
>         -rfc \
>         -startdate 2019/01/02 \
>         -validity 12000 \
>         -ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
>         -alias root \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | keytool -importcert \
>         -alias server \
>         -keystore temp.jks \
>         -storepass 123456
>
> 5. Repeat the process for the client certificate
>
>         keytool -genkeypair \
>         -keyalg RSA \
>         -keysize 1024 \
>         -dname "C=ZZ, ST=Client-State, L=Client-City, O=Client,
> OU=Client-Unit, CN=Client-Name" \
>         -alias client \
>         -keystore temp.jks \
>         -storepass 123456
>
>    then
>
>         keytool -certreq \
>         -alias client \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | keytool -gencert \
>         -rfc \
>         -startdate 2019/01/02 \
>         -validity 12000 \
>         -ext san:critical=ip:127.0.0.1,ip:0:0:0:0:0:0:0:1 \
>         -alias root \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | keytool -importcert \
>         -alias client \
>         -keystore temp.jks \
>         -storepass 123456
>
> Now, so as to update the test source, you will need to print the
> certificates
> and the keys. As far as I know, keytool cannot really do this (however,
> there's
> an API to which we might fall back later). For now you could simply use the
> openssl tool.
>
> 6. Print the certificates
>
>         keytool -list \
>         -rfc \
>         -alias root \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | openssl x509 -inform pem -text
>
>         keytool -list \
>         -rfc \
>         -alias server \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | openssl x509 -inform pem -text
>
>         keytool -list \
>         -rfc \
>         -alias client \
>         -keystore temp.jks \
>         -storepass 123456 \
>         | openssl x509 -inform pem -text
>
> 7. Export the keys from the keystore
>
>         openssl pkcs12 -in temp.jks -nodes -nocerts -out keys.pem -passin
> pass:123456
>
> 8. Manually split the resulting `keys.pem` file into 2: server.pem and
>    client.pem, discarding the root key.
>
> 9. Print the keys
>
>         openssl rsa -in server.pem -text
>
>         openssl rsa -in client.pem -text
>
> Now you should have all the data required to update the test.
>
> -Pavel
>
>
> --------------------------------------------------------------------------------
> [1] https://mail.openjdk.java.net/pipermail/net-dev/2019-March/012311.html
>
>
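Once the keystore from the steps above exists, the thing worth confirming before pasting the PEM blobs into the test is that the server and client certificates really carry both loopback IP identities (127.0.0.1 and ::1) as a critical SAN and chain to the root. The following check is an added example, not code from the thread or the JDK test; it assumes the file name `temp.jks`, the password `123456` and the aliases `root`, `server` and `client` from the instructions, and the class name `CheckTestCerts` is hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Verifies the keystore produced by the keytool steps above.
 * Usage: java CheckTestCerts temp.jks 123456   (file name and password as in the thread)
 */
public class CheckTestCerts {
    // IP identities the test needs. Java reports an IPv6 SAN as eight
    // colon-separated groups, so ::1 comes back as "0:0:0:0:0:0:0:1".
    static final Set<String> EXPECTED_IPS = Set.of("127.0.0.1", "0:0:0:0:0:0:0:1");
    static final String SAN_OID = "2.5.29.17";   // subjectAltName extension
    static final int IP_ADDRESS = 7;             // GeneralName type for iPAddress

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");   // created with -storetype PKCS12
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate root = (X509Certificate) ks.getCertificate("root");
        root.verify(root.getPublicKey());               // self-signed, as generated in step 2
        if (root.getBasicConstraints() < 0) {           // -ext bc=ca:true must have taken effect
            throw new IllegalStateException("root is not a CA certificate");
        }
        boolean allOk = true;
        for (String alias : List.of("server", "client")) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.verify(root.getPublicKey());           // signed by root, i.e. the -gencert step worked
            cert.checkValidity();                       // -startdate/-validity still cover today
            Set<String> ips = new HashSet<>();
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if ((Integer) san.get(0) == IP_ADDRESS) ips.add((String) san.get(1));
                }
            }
            Set<String> critical = cert.getCriticalExtensionOIDs();
            boolean sanCritical = critical != null && critical.contains(SAN_OID);
            boolean hasBothIps = ips.containsAll(EXPECTED_IPS);
            System.out.printf("%s: ip SANs=%s critical=%b ok=%b%n",
                    alias, ips, sanCritical, hasBothIps);
            allOk &= sanCritical && hasBothIps;
        }
        if (!allOk) System.exit(1);   // non-zero exit makes the check usable from a script
    }
}
```

If either certificate lacks the IPv6 entry, the SAN line in step 4 or 5 was mis-typed and the test would still fail its IPv6 identity check after the update.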