From 9dde43c37e116eb66d4c0a1e23b75750b3e86984 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Thu, 16 Jan 2020 08:43:28 +1100 Subject: [PATCH] Encrypt generated key with AES (#51019) Replace DES with AES to align with modern encryption standards Resolves: #50843 --- .../xpack/security/cli/CertificateTool.java | 2 +- .../security/cli/CertificateToolTests.java | 20 ++++++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java index 4ae1f313ce152..ad5cfd5e05b1d 100644 --- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java +++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java @@ -922,7 +922,7 @@ static Collection parseFile(Path file) throws Exception } static PEMEncryptor getEncrypter(char[] password) { - return new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).build(password); + return new JcePEMEncryptorBuilder("AES-128-CBC").setProvider(BC_PROV).build(password); } private static T withPassword(String description, char[] password, Terminal terminal, diff --git a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java index 6845edbdc6b38..21a8440a7003c 100644 --- a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java +++ b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java @@ -21,6 +21,7 @@ import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.GeneralNames; import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.openssl.PEMDecryptorProvider; import org.bouncycastle.openssl.PEMEncryptedKeyPair; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.pkcs.PKCS10CertificationRequest; @@ -50,6 +51,7 @@ import org.hamcrest.Matchers; import org.junit.After; import org.junit.BeforeClass; +import org.mockito.Mockito; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.TrustManagerFactory; @@ -349,6 +351,16 @@ public void testGeneratingSignedPemCertificates() throws Exception { PEMParser pemParser = new PEMParser(reader); Object parsed = pemParser.readObject(); assertThat(parsed, instanceOf(PEMEncryptedKeyPair.class)); + // Verify we are using AES encryption + final PEMDecryptorProvider pemDecryptorProvider = Mockito.mock(PEMDecryptorProvider.class); + try { + ((PEMEncryptedKeyPair) parsed).decryptKeyPair(pemDecryptorProvider); + } catch (Exception e) { + // Catch error thrown by the empty mock, we are only interested in the argument passed in + } + finally { + Mockito.verify(pemDecryptorProvider).get("AES-128-CBC"); + } char[] zeroChars = new char[caInfo.password.length]; Arrays.fill(zeroChars, (char) 0); assertArrayEquals(zeroChars, caInfo.password); @@ -368,7 +380,13 @@ public void testGeneratingSignedPemCertificates() throws Exception { assertTrue(Files.exists(zipRoot.resolve(filename))); final Path cert = zipRoot.resolve(filename + "/" + filename + ".crt"); assertTrue(Files.exists(cert)); - assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key"))); + Path keyFile = zipRoot.resolve(filename + "/" + filename + ".key"); + assertTrue(Files.exists(keyFile)); + if (keyPassword != null) { + assertTrue(Files.readString(keyFile).contains("DEK-Info: AES-128-CBC")); + } else { + assertFalse(Files.readString(keyFile).contains("DEK-Info:")); + } final Path p12 = zipRoot.resolve(filename + "/" + filename + ".p12"); try (InputStream input = Files.newInputStream(cert)) { X509Certificate certificate = readX509Certificate(input);