From 49b039fab3e5653e549436ef8a4063a4b370e9af Mon Sep 17 00:00:00 2001
From: Raphael 'kena' Poss
Date: Tue, 24 May 2022 12:35:30 +0200
Subject: [PATCH] acceptance: comply with openssl key size restrictions

The RSA key size used by TLS certs for acceptance tests must be at least 2048 to please OpenSSL (which is used by libpq in tests). The previous PR #71134 had improved this for some cases but the chance was hidden in-between other things. This commit makes it clearer what is going on.
Release note: None
---
 pkg/acceptance/cluster/certs.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pkg/acceptance/cluster/certs.go b/pkg/acceptance/cluster/certs.go
index d8d954d1dd9d..cfdf2f357ea2 100644
--- a/pkg/acceptance/cluster/certs.go
+++ b/pkg/acceptance/cluster/certs.go
@@ -26,7 +26,11 @@ const certsDir = ".localcluster.certs"
 
 var absCertsDir string
 
-// keyLen is the length (in bits) of the generated CA and node certs.
+// keyLen is the length (in bits) of the generated TLS certs.
+//
+// This needs to be at least 2048 since the newer versions of openssl
+// (used by some tests) produce an error 'ee key too small' for
+// smaller values.
 const keyLen = 2048
 
 // AbsCertsDir returns the absolute path to the certificate directory.
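Review bot: The 2048-bit floor is stated only in the new comment on `keyLen`, so nothing stops a later edit from lowering the constant and bringing back the 'ee key too small' failure in the OpenSSL-backed tests. A compile-time guard next to the declaration would make the requirement self-enforcing, for example `const _ = uint(keyLen - 2048) // fails to compile if keyLen < 2048`. The comment could also name the affected client (the commit message says libpq) so the reason stays with the code rather than only in the commit log.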
@@ -54,12 +58,12 @@ func GenerateCerts(ctx context.Context) func() {
 // Root user.
 maybePanic(security.CreateClientPair(
 certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
- 2048, 48*time.Hour, false, username.RootUserName(), true /* generate pk8 key */))
+ keyLen, 48*time.Hour, false, username.RootUserName(), true /* generate pk8 key */))
 
 // Test user.
 maybePanic(security.CreateClientPair(
 certsDir, filepath.Join(certsDir, security.EmbeddedCAKey),
- 1024, 48*time.Hour, false, username.TestUserName(), true /* generate pk8 key */))
+ keyLen, 48*time.Hour, false, username.TestUserName(), true /* generate pk8 key */))
 
 // Certs for starting a cockroach server. Key size is from cli/cert.go:defaultKeySize.
 maybePanic(security.CreateNodePair(
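Review bot: The trailing context comment still says the node-cert key size "is from cli/cert.go:defaultKeySize", which points at a different source of truth than the `keyLen` constant the two client pairs now share. The `security.CreateNodePair(` call continues past the end of this hunk, so its size argument is not visible here; if it is a literal or a copy of another package's default, it should presumably use `keyLen` too so that all certs handed to OpenSSL-based clients obey the same floor. The comment would then read something like `// Certs for starting a cockroach server; key size is keyLen, as for the client certs.`.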