Encrypt generated key with AES (#51019)

Replace DES with AES to align with modern encryption standards Resolves: #50843
elastic · Jan 15, 2020 · 755c3fd · 755c3fd
1 parent 68a37f4
commit 755c3fd
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/...ugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java b/...ugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
@@ -922,7 +922,7 @@ static Collection<CertificateInformation> parseFile(Path file) throws Exception
     }
 
     static PEMEncryptor getEncrypter(char[] password) {
-        return new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).build(password);
+        return new JcePEMEncryptorBuilder("AES-128-CBC").setProvider(BC_PROV).build(password);
     }
 
     private static <T, E extends Exception> T withPassword(String description, char[] password, Terminal terminal,

diff --git a/...security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java b/...security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
@@ -21,6 +21,7 @@
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@@ -50,6 +51,7 @@
 import org.hamcrest.Matchers;
 import org.junit.After;
 import org.junit.BeforeClass;
+import org.mockito.Mockito;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -349,6 +351,16 @@ public void testGeneratingSignedPemCertificates() throws Exception {
                         PEMParser pemParser = new PEMParser(reader);
                         Object parsed = pemParser.readObject();
                         assertThat(parsed, instanceOf(PEMEncryptedKeyPair.class));
+                        // Verify we are using AES encryption
+                        final PEMDecryptorProvider pemDecryptorProvider = Mockito.mock(PEMDecryptorProvider.class);
+                        try {
+                            ((PEMEncryptedKeyPair) parsed).decryptKeyPair(pemDecryptorProvider);
+                        } catch (Exception e) {
+                            // Catch error thrown by the empty mock, we are only interested in the argument passed in
+                        }
+                        finally {
+                            Mockito.verify(pemDecryptorProvider).get("AES-128-CBC");
+                        }
                         char[] zeroChars = new char[caInfo.password.length];
                         Arrays.fill(zeroChars, (char) 0);
                         assertArrayEquals(zeroChars, caInfo.password);
@@ -368,7 +380,13 @@ public void testGeneratingSignedPemCertificates() throws Exception {
             assertTrue(Files.exists(zipRoot.resolve(filename)));
             final Path cert = zipRoot.resolve(filename + "/" + filename + ".crt");
             assertTrue(Files.exists(cert));
-            assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key")));
+            Path keyFile = zipRoot.resolve(filename + "/" + filename + ".key");
+            assertTrue(Files.exists(keyFile));
+            if (keyPassword != null) {
+                assertTrue(Files.readString(keyFile).contains("DEK-Info: AES-128-CBC"));
+            } else {
+                assertFalse(Files.readString(keyFile).contains("DEK-Info:"));
+            }
             final Path p12 = zipRoot.resolve(filename + "/" + filename + ".p12");
             try (InputStream input = Files.newInputStream(cert)) {
                 X509Certificate certificate = readX509Certificate(input);