Create CertificateGenerator based on keytool (#25)

Wojciech Kapcia (Tigase) opened 4 years ago

Currently sun.security.* API is being closed off (understandable). There is no reasonable alternative API to generate self-signed certificate within newer versions of JDK. One option would be to use BouncyCastle but this is yet another external library and we are trying to minimise dependency on those (memory usage).

One alternative solution would be to use keytool command line tool to obtain the certificate - no additional dependencies and compatibility with newer versions of JDK.

Related
- Option to disable generation of self-signed certificates. (tigase/_server/server-core#1279) Closed

Activities

Wojciech Kapcia (Tigase) commented 3 years ago

This can be done in 8.3 as we will bump JDK requirement to JDK17 in that version
Wojciech Kapcia (Tigase) commented 3 years ago

Implemented self-signed certificated generation using keytool executable utilising Process API, which will be used only under JDK17 and newer (current version for tigase-utils is still set for JDK11 so it's still executable with older Java versions, for example when using it as library in clients).

There is a JDK bug that mentions this API change and they even have API prototype but it's still not available... possible in newer Java version it could be used.

Wojciech Kapcia (Tigase) commented 3 years ago

In docker:

2022-03-24 11:56:21:953] [SEVERE  ] [              in_0-c2s ] SSLContextContainer.getSSLContext(): Can not initialize SSLContext for domain: atlantiscity, protocol: TLS
java.io.IOException: Cannot run program "keytool": error=0, Failed to exec spawn helper: pid: 601, exit value: 1
at java.base/java.lang.ProcessBuilder.start(Unknown Source)
at java.base/java.lang.ProcessBuilder.start(Unknown Source)
at tigase.cert.KeytoolCertificateGenerator.generateSelfSignedCertificateEntry(KeytoolCertificateGenerator.java:100)
at tigase.cert.CertificateUtil.createSelfSignedCertificate(CertificateUtil.java:142)
at tigase.io.CertificateContainer.createCertificateKmf(CertificateContainer.java:532)
at tigase.io.CertificateContainer.createCertificate(CertificateContainer.java:144)
at tigase.io.SSLContextContainerAbstract.createCertificate(SSLContextContainerAbstract.java:112)
at tigase.io.SSLContextContainerAbstract.createContextHolder(SSLContextContainerAbstract.java:144)
at tigase.io.SSLContextContainer.getSSLContext(SSLContextContainer.java:285)
at tigase.io.SSLContextContainer.getSSLContext(SSLContextContainer.java:268)
at tigase.io.SSLContextContainer.createIoInterface(SSLContextContainer.java:209)
at tigase.net.IOService.startTLS(IOService.java:428)
at tigase.server.xmppclient.ClientConnectionManager.processCommand(ClientConnectionManager.java:768)
at tigase.server.xmppclient.ClientConnectionManager.processPacket(ClientConnectionManager.java:129)
at tigase.server.AbstractMessageReceiver$QueueListener.run(AbstractMessageReceiver.java:1398)
Caused by: java.io.IOException: error=0, Failed to exec spawn helper: pid: 601, exit value: 1
at java.base/java.lang.ProcessImpl.forkAndExec(Native Method)
at java.base/java.lang.ProcessImpl.<init>(Unknown Source)
at java.base/java.lang.ProcessImpl.start(Unknown Source)
... 15 more

Wojciech Kapcia (Tigase) commented 3 years ago

Looks like the issue with emulating x86 on arm platform, which is very slow (so most likely execution of keytool process just timeouts/fails). Works fine with native image.
Login to comment

Type	Task
Priority	Normal
Assignee	Wojciech Kapcia (Tigase)
Version	tigase-server-8.3.0

Issue Votes (0)

Watchers (0)

Reference

tigase/_server/tigase-utils#25