
KeytoolCertificateGenerator: Improve API and implementation #131

Open
k-wall opened this issue Jun 20, 2023 · 4 comments

Comments

@k-wall
Contributor

k-wall commented Jun 20, 2023

KeytoolCertificateGenerator was a great start that has allowed us to quickly get testing TLS use-cases. However, its API is a bit weird and it relies on shelling out to command line tools.

We should think about:

  • Do we value the integration tests having the ability to generate TLS certificates on the fly? Maybe static key material would be good enough.
  • Shelling out to command line tools makes the test suite slower, introduces fragility and erects barriers to participation. Developers need to keep their environments in sync with the same version of the command line tools. This isn't really reasonable for open source development.
  • Self-signed certificate generation in Java isn't possible using the public APIs. We could adopt Bouncy Castle as a test dependency. We could then take an approach similar to Strimzi https://github.com/strimzi/strimzi-kafka-operator/blob/main/systemtest/src/main/java/io/strimzi/systemtest/security/SystemTestCertAndKeyBuilder.java

Also, as originally discussed on #120, it would be desirable if the generator supported other keystore formats, and the generated key material was available over an API to support the testing of richer TLS use-cases. It would also be good if it supported things like generating expired certificates, and certificate chains.

@k-wall
Contributor Author

k-wall commented Jun 20, 2023

@SamBarker @franvila what do you think?

@franvila
Contributor

I totally agree. This wasn't the best approach, but it was the only one I found to generate the certs. I didn't know Bouncy Castle, but we could follow the same approach as Strimzi if it fits our goals.

@k-wall
Contributor Author

k-wall commented Jun 21, 2023

> I totally agree. This wasn't the best approach, but it was the only one I found to generate the certs. I didn't know Bouncy Castle, but we could follow the same approach as Strimzi if it fits our goals.

Like I say, this isn't meant as a criticism of existing work. It is just a realisation that we need something better.

@robobario
Contributor

robobario commented Jan 25, 2024

Just bumping this as I'm looking at Vault TLS testing. Vault wants a private key in PEM form, which it looks like we'd have to use a separate tool to extract if we start with a keystore as the source of keys.

For this case we might want to generate the private key in PEM form and the self-signed cert in PEM with Bouncy Castle, and import the cert into a Java store.
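A sketch of the Bouncy Castle approach the thread converges on (a self-signed cert and its PKCS#8 private key as PEM, plus the same material loaded into a Java KeyStore), added here as an example; it is not code from the project or from any commenter. The class name TestCertFixture and its method names are assumptions, and it needs the bcpkix artifact on the test classpath.

```java
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public final class TestCertFixture {
    public final PrivateKey key;
    public final X509Certificate cert;
    /** Hypothetical helper, not project code. Validity is passed in so a test can mint an expired cert. */
    public TestCertFixture(String dnsName, Instant notBefore, Instant notAfter) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=" + dnsName);
        // Self-signed: issuer == subject, and the cert is signed with its own private key.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(name,
                new BigInteger(63, new SecureRandom()), Date.from(notBefore), Date.from(notAfter), name, kp.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // end-entity, not a CA
        builder.addExtension(Extension.subjectAlternativeName, false,                       // for hostname checks
                new GeneralNames(new GeneralName(GeneralName.dNSName, dnsName)));
        X509CertificateHolder holder = builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        this.key = kp.getPrivate();
        this.cert = new JcaX509CertificateConverter().getCertificate(holder);
    }

    /** Unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY"), the form a tool such as Vault can consume directly. */
    public String privateKeyPem() throws Exception {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) { w.writeObject(new JcaPKCS8Generator(key, null)); }
        return sw.toString();
    }
    /** The same material as an in-memory PKCS12 KeyStore for the JSSE side of a test. */
    public KeyStore toKeyStore(char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("server", key, password, new Certificate[] { cert });
        return ks;
    }
}
```

Passing a notAfter in the past yields the expired certificate the opening comment asks for; a chain would need a second builder whose issuer is this subject, signed with this key.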
