Skip to content

Commit 755c3fd

Browse files
ywangdywangd
authored
Encrypt generated key with AES (#51019)
Replace DES with AES to align with modern encryption standards Resolves: #50843
1 parent 68a37f4 commit 755c3fd

File tree

2 files changed

+20
-2
lines changed

2 files changed

+20
-2
lines changed

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

+1-1
Original file line numberDiff line numberDiff line change
@@ -922,7 +922,7 @@ static Collection<CertificateInformation> parseFile(Path file) throws Exception
922922
}
923923

924924
static PEMEncryptor getEncrypter(char[] password) {
925-
return new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).build(password);
925+
return new JcePEMEncryptorBuilder("AES-128-CBC").setProvider(BC_PROV).build(password);
926926
}
927927

928928
private static <T, E extends Exception> T withPassword(String description, char[] password, Terminal terminal,

x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java

+19-1
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@
2121
import org.bouncycastle.asn1.x509.GeneralName;
2222
import org.bouncycastle.asn1.x509.GeneralNames;
2323
import org.bouncycastle.cert.X509CertificateHolder;
24+
import org.bouncycastle.openssl.PEMDecryptorProvider;
2425
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
2526
import org.bouncycastle.openssl.PEMParser;
2627
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@@ -50,6 +51,7 @@
5051
import org.hamcrest.Matchers;
5152
import org.junit.After;
5253
import org.junit.BeforeClass;
54+
import org.mockito.Mockito;
5355

5456
import javax.net.ssl.KeyManagerFactory;
5557
import javax.net.ssl.TrustManagerFactory;
@@ -349,6 +351,16 @@ public void testGeneratingSignedPemCertificates() throws Exception {
349351
PEMParser pemParser = new PEMParser(reader);
350352
Object parsed = pemParser.readObject();
351353
assertThat(parsed, instanceOf(PEMEncryptedKeyPair.class));
354+
// Verify we are using AES encryption
355+
final PEMDecryptorProvider pemDecryptorProvider = Mockito.mock(PEMDecryptorProvider.class);
356+
try {
357+
((PEMEncryptedKeyPair) parsed).decryptKeyPair(pemDecryptorProvider);
358+
} catch (Exception e) {
359+
// Catch error thrown by the empty mock, we are only interested in the argument passed in
360+
}
361+
finally {
362+
Mockito.verify(pemDecryptorProvider).get("AES-128-CBC");
363+
}
352364
char[] zeroChars = new char[caInfo.password.length];
353365
Arrays.fill(zeroChars, (char) 0);
354366
assertArrayEquals(zeroChars, caInfo.password);
@@ -368,7 +380,13 @@ public void testGeneratingSignedPemCertificates() throws Exception {
368380
assertTrue(Files.exists(zipRoot.resolve(filename)));
369381
final Path cert = zipRoot.resolve(filename + "/" + filename + ".crt");
370382
assertTrue(Files.exists(cert));
371-
assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key")));
383+
Path keyFile = zipRoot.resolve(filename + "/" + filename + ".key");
384+
assertTrue(Files.exists(keyFile));
385+
if (keyPassword != null) {
386+
assertTrue(Files.readString(keyFile).contains("DEK-Info: AES-128-CBC"));
387+
} else {
388+
assertFalse(Files.readString(keyFile).contains("DEK-Info:"));
389+
}
372390
final Path p12 = zipRoot.resolve(filename + "/" + filename + ".p12");
373391
try (InputStream input = Files.newInputStream(cert)) {
374392
X509Certificate certificate = readX509Certificate(input);

0 commit comments

Comments
 (0)