replace KeyToolCertificateGenerator by CertificateBuilder from netty (kroxylicious#544)

franvila · web-flow · commit 981eb9c1acc0 · 2025-11-07T10:12:15.000Z
* replace KeyToolCertificateGenerator by CertificateBuilder from netty

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* remove useless variable

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* sort imports

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* added suggested keystore manager

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* sort imports

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* reformat

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* add copyright header

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* refactor

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* remove password creation

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* throw exceptions

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* deleted interface, add new method to generate the certificate file and password

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* sort imports

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* update method doc

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* comments addressed

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* fix format

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* remove addDnsNames method

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

* remove commented code

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;

---------

Signed-off-by: Francisco Vila &lt;fvila@redhat.com&gt;
diff --git a/impl/pom.xml b/impl/pom.xml
@@ -131,6 +131,10 @@
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcutil-jdk18on</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-pkitesting</artifactId>
+        </dependency>
     </dependencies>
 
     
diff --git a/impl/src/main/java/io/kroxylicious/testing/kafka/common/KeystoreManager.java b/impl/src/main/java/io/kroxylicious/testing/kafka/common/KeystoreManager.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+package io.kroxylicious.testing.kafka.common;
+
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.attribute.FileAttribute;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+import io.netty.pkitesting.CertificateBuilder;
+import io.netty.pkitesting.X509Bundle;
+
+public class KeystoreManager {
+    private final ConcurrentMap<Path, String> passwords = new ConcurrentHashMap<>();
+
+    /**
+     * Creates a CertificateBuilder with the appropriate default values for kroxylicious test usage.
+     * @param distinguishedName the distinguished name. See {@link KeystoreManager#buildDistinguishedName(String, String, String, String, String, String, String)}
+     *                          for generating a distinguished name
+     * @return  The partially populated certificate builder.
+     */
+    public CertificateBuilder newCertificateBuilder(String distinguishedName) {
+        return new CertificateBuilder()
+                .rsa2048()
+                .subject(distinguishedName);
+    }
+
+    /**
+     * Builds and adds provided certificate builder as a self-signed certificate
+     * @param certificateBuilder the builder configuring the certificate
+     * @return the self-signed certificate.
+     */
+    public X509Bundle createSelfSignedCertificate(CertificateBuilder certificateBuilder) throws Exception {
+        return certificateBuilder.copy()
+                .setIsCertificateAuthority(true)
+                .buildSelfSigned();
+    }
+
+    /**
+     * Optional we don't need this today!
+     * Builds and adds provided certificate builder as a certificate signed by the provided issuer.
+     * @param certificateBuilder the builder configuring the certificate
+     * @return the signed certificate.
+     */
+    public X509Bundle createSignedCertificate(X509Bundle issuer, CertificateBuilder certificateBuilder) throws Exception {
+        return certificateBuilder.copy()
+                .buildIssuedBy(issuer);
+    }
+
+    /**
+     * Formats the provided fields into a RFC5280 compliant form
+     * @param email the email
+     * @param domain the domain
+     * @param organizationUnit the organization unit
+     * @param organization the organization
+     * @param city the city
+     * @param state the state
+     * @param country the country
+     * @return the distinguished name
+     */
+    public String buildDistinguishedName(String email, String domain, String organizationUnit, String organization, String city, String state, String country) {
+        return "CN=" + domain + ", OU=" + organizationUnit + ", O=" + organization + ", L=" + city + ", ST=" + state + ", C=" + country + ", EMAILADDRESS=" + email;
+    }
+
+    /**
+     * Gets password.
+     *
+     * @return  the password
+     */
+    public String getPassword(Path keystorePath) {
+        // hyphen is removed to make our debugging easier: copy-pasting with hyphens not always copy the whole password
+        return this.passwords.computeIfAbsent(keystorePath, path -> UUID.randomUUID().toString().replace("-", ""));
+    }
+
+    /**
+     * Generate a keystore at returned path. It contains both certificates, subject's (key certs) and issuer's (trust CA certs)
+     * Use {@link KeystoreManager#getPassword(Path)} for getting the keystore password.
+     *
+     * @param bundle the bundle
+     * @return  the path of the generated certificate file
+     * @throws KeyStoreException the key store exception
+     * @throws IOException the io exception
+     * @throws CertificateException the certificate exception
+     * @throws NoSuchAlgorithmException the no such algorithm exception
+     */
+    public Path generateCertificateFile(X509Bundle bundle) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+        Path certsDirectory = Files.createTempDirectory("kroxylicious", attr);
+        Path keyStoreFilePath = Paths.get(certsDirectory.toAbsolutePath().toString(), "keystore.jks");
+        KeyStore keyStore = bundle.toKeyStore(getPassword(keyStoreFilePath).toCharArray());
+        try (FileOutputStream stream = new FileOutputStream(keyStoreFilePath.toFile())) {
+            keyStore.store(stream, getPassword(keyStoreFilePath).toCharArray());
+        }
+        keyStoreFilePath.toFile().deleteOnExit();
+        certsDirectory.toFile().deleteOnExit();
+
+        return keyStoreFilePath;
+    }
+}
diff --git a/impl/src/main/java/io/kroxylicious/testing/kafka/common/KeytoolCertificateGenerator.java b/impl/src/main/java/io/kroxylicious/testing/kafka/common/KeytoolCertificateGenerator.java
@@ -31,6 +31,7 @@
 /**
  * Used to configure and manage test certificates using the JDK's keytool.
  */
+@Deprecated(since = "0.13.0")
 @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "Requires ability to write test key material to file-system.")
 public class KeytoolCertificateGenerator {
     private static final String PKCS12_KEYSTORE_TYPE = "PKCS12";
diff --git a/impl/src/test/java/io/kroxylicious/testing/kafka/common/KeystoreTest.java b/impl/src/test/java/io/kroxylicious/testing/kafka/common/KeystoreTest.java
@@ -0,0 +1,197 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.testing.kafka.common;
+
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.assertj.core.api.InstanceOfAssertFactories;
+import org.junit.jupiter.api.Test;
+
+import io.netty.pkitesting.CertificateBuilder;
+import io.netty.pkitesting.X509Bundle;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertAll;
+
+class KeystoreTest {
+    private static final int ASN_GENERAL_NAME_IP_ADDRESS = 7;
+    private static final int ASN_GENERAL_NAME_DNS = 2;
+
+    @Test
+    void generateSelfSignedKeyStore() throws Exception {
+        var keystore = new KeystoreManager();
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", "localhost", "Dev",
+                "Kroxylicious.io", null, null, "US"));
+        X509Bundle bundle = keystore.createSelfSignedCertificate(certificateBuilder);
+
+        assertAll(() -> {
+            assertThat(bundle.getCertificate()).isNotNull();
+            assertThat(bundle.isSelfSigned()).isTrue();
+            assertThat(bundle.isCertificateAuthority()).isTrue();
+        });
+    }
+
+    @Test
+    void generateSignedKeyStore() throws Exception {
+        var keystore = new KeystoreManager();
+        CertificateBuilder issuerCertificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("mail@kroxylicious.io", "localhost", "TestCA",
+                "Issuer", null, null, "US"));
+
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", "localhost", "Dev",
+                "Kroxylicious.io", null, null, "US"));
+
+        X509Bundle issuer = keystore.createSelfSignedCertificate(issuerCertificateBuilder);
+        X509Bundle signed = keystore.createSignedCertificate(issuer, certificateBuilder);
+
+        assertAll(() -> {
+            assertThat(signed.getCertificate()).isNotNull();
+            assertThat(signed.getCertificate().getIssuerX500Principal()).isEqualTo(issuer.getCertificate().getSubjectX500Principal());
+            assertThat(signed.isSelfSigned()).isFalse();
+            assertThat(signed.isCertificateAuthority()).isFalse();
+        });
+    }
+
+    @Test
+    void generateKeyStoreWithIPDomain() throws Exception {
+        String domainIP = "127.0.0.1";
+        var keystore = new KeystoreManager();
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", "localhost", "Dev",
+                "Kroxylicious.io", null, null, "US"))
+                .addSanIpAddress(domainIP);
+        X509Bundle bundle = keystore.createSelfSignedCertificate(certificateBuilder);
+
+        List<?> expectedIp = List.of(KeystoreTest.ASN_GENERAL_NAME_IP_ADDRESS, domainIP);
+
+        assertThat(bundle.getCertificate())
+                .asInstanceOf(InstanceOfAssertFactories.type(X509Certificate.class))
+                .satisfies(c -> {
+                    var names = c.getSubjectAlternativeNames();
+                    assertThat(names)
+                            .singleElement()
+                            .isEqualTo(expectedIp);
+                });
+    }
+
+    @Test
+    void generateKeyStoreWithDnsSAN() throws Exception {
+        String domain = "localhost";
+        var keystore = new KeystoreManager();
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", "localhost", "Dev",
+                "Kroxylicious.io", null, null, "US"))
+                .addSanDnsName(domain);
+        X509Bundle bundle = keystore.createSelfSignedCertificate(certificateBuilder);
+
+        List<?> expectedDns = List.of(KeystoreTest.ASN_GENERAL_NAME_DNS, domain);
+
+        assertThat(bundle.getCertificate())
+                .asInstanceOf(InstanceOfAssertFactories.type(X509Certificate.class))
+                .satisfies(c -> {
+                    var names = c.getSubjectAlternativeNames();
+                    assertThat(names)
+                            .singleElement()
+                            .isEqualTo(expectedDns);
+                });
+    }
+
+    @Test
+    void generatesKeyStoreWithIPAndDnsSAN() throws Exception {
+        String domain = "localhost";
+        String domainIP = "127.0.0.1";
+        var keystore = new KeystoreManager();
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", "localhost", "Dev",
+                "Kroxylicious.io", null, null, "US"))
+                .addSanDnsName(domain)
+                .addSanIpAddress(domainIP);
+
+        X509Bundle bundle = keystore.createSelfSignedCertificate(certificateBuilder);
+
+        List<?> expectedDns = List.of(KeystoreTest.ASN_GENERAL_NAME_DNS, domain);
+        List<?> expectedIp = List.of(KeystoreTest.ASN_GENERAL_NAME_IP_ADDRESS, domainIP);
+
+        assertThat(bundle.getCertificate())
+                .asInstanceOf(InstanceOfAssertFactories.type(X509Certificate.class))
+                .satisfies(c -> {
+                    var names = c.getSubjectAlternativeNames();
+                    assertThat(names)
+                            .anyMatch(x -> x.equals(expectedDns))
+                            .anyMatch(x -> x.equals(expectedIp));
+                });
+    }
+
+    @Test
+    void generateKeyStoreFile() throws Exception {
+        String domain = "localhost";
+        var keystore = new KeystoreManager();
+        CertificateBuilder issuerCertificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("mail@kroxylicious.io", domain, "TestCA",
+                "Issuer", null, null, "US"));
+
+        CertificateBuilder certificateBuilder = keystore.newCertificateBuilder(keystore.buildDistinguishedName("test@kroxylicious.io", domain, "Dev",
+                "Kroxylicious.io", null, null, "US"));
+
+        X509Bundle issuer = keystore.createSelfSignedCertificate(issuerCertificateBuilder);
+        X509Bundle signed = keystore.createSignedCertificate(issuer, certificateBuilder);
+
+        Path keyStoreFilePath = keystore.generateCertificateFile(signed);
+        String password = keystore.getPassword(keyStoreFilePath);
+        assertThat(keyStoreFilePath.toFile()).exists();
+        var ks = KeyStore.getInstance(keyStoreFilePath.toFile(), password.toCharArray());
+        var keyAliases = keyAliasList(ks);
+        assertThat(keyAliases).hasSize(1);
+        var keyAlias = keyAliases.get(0);
+
+        var certAliases = certificateAliasList(ks);
+        var certAlias = certAliases.get(0);
+        assertAll(() -> {
+            assertThat(certAliases).hasSize(1);
+            assertThat(certAlias).isNotEqualTo(keyAlias);
+        });
+
+        assertAll(() -> {
+            assertThat(ks.getCertificate(keyAlias)).isEqualTo(signed.getCertificate());
+            assertThat(ks.getCertificate(certAlias)).isEqualTo(issuer.getCertificate());
+            assertThat(ks.getType()).isEqualTo(signed.toKeyStore(password.toCharArray()).getType());
+        });
+    }
+
+    @NonNull
+    private List<String> aliasList(KeyStore ks) throws KeyStoreException {
+        List<String> aliases = new ArrayList<>();
+        ks.aliases().asIterator().forEachRemaining(aliases::add);
+        return aliases;
+    }
+
+    @NonNull
+    private List<String> keyAliasList(KeyStore ks) throws KeyStoreException {
+        return aliasList(ks).stream().filter(a -> {
+            try {
+                return ks.isKeyEntry(a);
+            }
+            catch (KeyStoreException e) {
+                throw new RuntimeException(e);
+            }
+        }).toList();
+    }
+
+    @NonNull
+    private List<String> certificateAliasList(KeyStore ks) throws KeyStoreException {
+        return aliasList(ks).stream().filter(a -> {
+            try {
+                return ks.isCertificateEntry(a);
+            }
+            catch (KeyStoreException e) {
+                throw new RuntimeException(e);
+            }
+        }).toList();
+    }
+}
diff --git a/pom.xml b/pom.xml
@@ -99,6 +99,7 @@
         <moby-names-generator.version>20.10.1-r0</moby-names-generator.version>
         <jacoco-maven-plugin.version>0.8.14</jacoco-maven-plugin.version>
         <bouncycastle.version>1.82</bouncycastle.version>
+        <netty.version>4.2.7.Final</netty.version>
 
         <!-- Avoids issues with ryuk when running with podman https://github.com/containers/podman/issues/7927#issuecomment-731525556 -->
         <testcontainers.ryuk.disabled>true</testcontainers.ryuk.disabled>
@@ -253,6 +254,11 @@
                 <artifactId>bcutil-jdk18on</artifactId>
                 <version>${bouncycastle.version}</version>
             </dependency>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-pkitesting</artifactId>
+                <version>${netty.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
