- Push-based key exchange in ASYM_ENCRYPT

- Design document for push-based key exchange (https://issues.jboss.org/browse/JGRP-2297) - Removed ChallengeResponseToken
belaban · Mar 14, 2019 · 29c255d · 29c255d
1 parent 0d9a430
commit 29c255d
Show file tree

Hide file tree

Showing 43 changed files with 1,406 additions and 1,324 deletions.
diff --git a/bin/gen-keys.sh b/bin/gen-keys.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# Creates a good (signed by a CA) and a bad certificate. Can be used by SSL_KEY_EXCHANGE to test whether rogue
+# members can join a cluster, send messages to it etc.
+# Author: Tristan Tarrant
+
+
+KEYSTORE_DIR=`dirname $0`/../keystore
+CA_KS=$KEYSTORE_DIR/ca.jks
+ROGUE_CA_KS=$KEYSTORE_DIR/rogue-ca.jks
+GOOD_SERVER_KS=$KEYSTORE_DIR/good-server.jks
+ROGUE_SERVER_KS=$KEYSTORE_DIR/rogue-server.jks
+CA_CERT=$KEYSTORE_DIR/ca.cer
+ROGUE_CA_CERT=$KEYSTORE_DIR/rogue-ca.cer
+SERVER_CSR=$KEYSTORE_DIR/server.csr
+SERVER_CER=$KEYSTORE_DIR/server.cer
+ROGUE_CSR=$KEYSTORE_DIR/rogue.csr
+ROGUE_CER=$KEYSTORE_DIR/rogue.cer
+REAL_DIR=`realpath $KEYSTORE_DIR`
+
+
+mkdir -p $KEYSTORE_DIR
+
+# generate CA
+keytool -genkeypair -alias ca -dname cn=ca -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore $CA_KS -keypass password -storepass password
+
+# generate rogue CA
+keytool -genkeypair -alias rogue_ca -dname cn=rogue_ca -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore $ROGUE_CA_KS -keypass password -storepass password
+
+
+# export CA certificate
+keytool -exportcert -keystore $CA_KS -alias ca -storepass password -keypass password -file $CA_CERT
+
+# export rogue CA certificate
+keytool -exportcert -keystore $ROGUE_CA_KS -alias rogue_ca -storepass password -keypass password -file $ROGUE_CA_CERT
+
+# generate a trusted key for the server and sign it with the CA
+keytool -genkeypair -alias server -dname cn=server -validity 10000 -keyalg RSA -keysize 2048 -keystore $GOOD_SERVER_KS -keypass password -storepass password
+keytool -certreq -alias server -dname cn=server -keystore $GOOD_SERVER_KS -file $SERVER_CSR -keypass password -storepass password
+keytool -gencert -alias ca -keystore $CA_KS -infile $SERVER_CSR -outfile $SERVER_CER -keypass password -storepass password
+
+# import the server cert chain into $GOOD_SERVER_KS (CA and server cert)
+keytool -importcert -alias ca -keystore $GOOD_SERVER_KS -file $CA_CERT -keypass password -storepass password -noprompt
+keytool -importcert -alias server -keystore $GOOD_SERVER_KS -file $SERVER_CER -keypass password -storepass password
+
+# generate an untrusted key for another server (don't sign it)
+# keytool -genkeypair -alias rogue -dname cn=rogue -validity 10000 -keyalg RSA -keysize 2048 -keystore $ROGUE_SERVER_KS -keypass password -storepass password
+
+
+# generate a untrusted key for the rogue and sign it with the rogue CA
+keytool -genkeypair -alias rogue -dname cn=rogue -validity 10000 -keyalg RSA -keysize 2048 -keystore $ROGUE_SERVER_KS -keypass password -storepass password
+keytool -certreq -alias rogue -dname cn=rogue -keystore $ROGUE_SERVER_KS -file $ROGUE_CSR -keypass password -storepass password
+keytool -gencert -alias rogue_ca -keystore $ROGUE_CA_KS -infile $ROGUE_CSR -outfile $ROGUE_CER -keypass password -storepass password
+
+# import the rogue cert chain into $ROGUE_SERVER_KS (CA and rogue cert)
+keytool -importcert -alias rogue_ca -keystore $ROGUE_SERVER_KS -file $ROGUE_CA_CERT -keypass password -storepass password -noprompt
+keytool -importcert -alias rogue -keystore $ROGUE_SERVER_KS -file $ROGUE_CER -keypass password -storepass password
+
+
+echo "Generated $GOOD_SERVER_KS and $ROGUE_SERVER_KS in $REAL_DIR"
+echo "Cleaning up"
+rm -f $KEYSTORE_DIR/*.csr $KEYSTORE_DIR/*.cer $KEYSTORE_DIR/*ca.jks
diff --git a/build.xml b/build.xml
@@ -40,7 +40,7 @@
     <property name="asciidoc.executable"   value="asciidoctor"/>
     <!-- Also available: colony.css, github.css etc -->
     <property name="asciidoctor-style"     value="./asciidoctor.css"/>
-    <property name="ivy.version"           value="2.4.0" />
+    <property name="ivy.version"           value="2.5.0-rc1" />
     <property name="pom.template"          value="${conf.dir}/pom.template.xml"/>
 
 
@@ -720,7 +720,16 @@
         <runtest suitename="time-sensitive"
                  groups="time-sensitive"
                  parallel="${parallel.classes}"
-                 threadcount="1" />
+                 threadcount="10" />
+    </target>
+
+
+    <target name="encrypt" depends="postcompile,define-testng-task" description="Runs encryption tests">
+        <mkdir dir="${tmp.dir}/test-results/xml/encrypt"/>
+        <runtest suitename="encrypt"
+                 groups="encrypt"
+                 parallel="${parallel.classes}"
+                 threadcount="10" />
     </target>
 
 

diff --git a/conf/asym-encrypt.xml b/conf/asym-encrypt.xml
@@ -8,21 +8,17 @@
     <FD_ALL timeout="8000" interval="3000"/>
     <FD_SOCK/>
     <VERIFY_SUSPECT/>
-
+    <!-- Possibly use a second FRAG2 if the public/private keys added in ASYM_ENCRYPT to the payload make the message too big -->
+    <!--FRAG2 id="1234"/-->
     <!-- Asymmetric encryption using public/private encryption to fetch the shared secret key -->
     <ASYM_ENCRYPT
             sym_keylength="128"
             sym_algorithm="AES/ECB/PKCS5Padding"
             asym_keylength="512"
             asym_algorithm="RSA"/>
-
     <pbcast.NAKACK2/>
     <UNICAST3/>
     <pbcast.STABLE/>
     <FRAG2/>
-    <!-- AUTH below is required by ASYM_ENCRYPT -->
-    <AUTH auth_class="org.jgroups.auth.MD5Token"
-          auth_value="chris"
-          token_hash="MD5"/>
     <pbcast.GMS join_timeout="2000" />
 </config>
diff --git a/conf/asym-ssl.xml b/conf/asym-ssl.xml
@@ -14,17 +14,17 @@
         port_range="10"
     />
     <ASYM_ENCRYPT
-            change_key_on_leave="true"
+            change_key_on_leave="false"
+            change_key_on_coord_leave="true"
             use_external_key_exchange="true"
             sym_keylength="128"
-            sym_algorithm="AES" 
+            sym_algorithm="AES"
             asym_keylength="512"
             asym_algorithm="RSA"/>
-
     <pbcast.NAKACK2 use_mcast_xmit="false"/>
     <UNICAST3/>
     <pbcast.STABLE/>
-    <pbcast.GMS join_timeout="1000"/>
+    <pbcast.GMS join_timeout="2000"/>
     <UFC/>
     <MFC/>
     <FRAG2/>

diff --git a/conf/encrypt.xml b/conf/encrypt.xml
@@ -15,20 +15,17 @@
         sym_algorithm="AES"
         keystore_name="/home/bela/JGroups/keystore/defaultStore.keystore"
         store_password="changeit" alias="myKey"/-->
+    <!-- Possibly use a second FRAG2 if the public/private keys added in ASYM_ENCRYPT to the payload make the message too big -->
+    <!--FRAG2 id="1234"/-->
     <!-- Asymmetric encryption using public/private encryption to fetch the shared secret key -->
     <ASYM_ENCRYPT
             sym_keylength="128"
             sym_algorithm="AES/ECB/PKCS5Padding"
             asym_keylength="512"
             asym_algorithm="RSA"/>
-
     <pbcast.NAKACK2/>
     <UNICAST3/>
     <pbcast.STABLE/>
     <FRAG2/>
-
-    <AUTH auth_class="org.jgroups.auth.MD5Token"
-          auth_value="chris"
-          token_hash="MD5"/>
     <pbcast.GMS join_timeout="2000" />
 </config>
diff --git a/conf/jg-magic-map.xml b/conf/jg-magic-map.xml
@@ -69,7 +69,6 @@
     <class id="87"  name="org.jgroups.protocols.ABP$ABPHeader"/>
     <class id="88"  name="org.jgroups.protocols.EncryptHeader"/>
     <class id="89"  name="org.jgroups.protocols.NAMING$Header"/>
-    <class id="90"  name="org.jgroups.auth.ChallengeResponseHeader"/>
     <class id="91"  name="org.jgroups.protocols.Frag3Header"/>
     <class id="92"  name="org.jgroups.protocols.DH_KEY_EXCHANGE$DhHeader"/>
 </magic-number-class-mapping>