attempt to create keystore file via java

Author: kiryazovi-redis

Makefile

@@ -420,6 +420,7 @@ docker-test:
 
 docker-stop:
 	docker compose --env-file src/test/resources/docker-env/.env -f src/test/resources/docker-env/docker-compose.yml down; \
+	rm -rf /tmp/redis-env-work
 
 prepare: stop
 

pom.xml

@@ -589,6 +589,25 @@
             <scope>test</scope>
         </dependency>
 
+
+        <!-- Bouncy Castle Provider (Crypto API) -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.80</version>
+        </dependency>
+
+        <!-- Bouncy Castle PKIX (X.509 Certificates, PKCS, CSR) -->
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>1.80</version>
+        </dependency>
+
+
+
+
+
     </dependencies>
 
     <build>

src/test/java/io/lettuce/core/SslIntegrationTests.java

@@ -109,6 +109,8 @@ class SslIntegrationTests extends TestSupport {
 
     private final RedisClient redisClient;
 
+    private static File keystore;
+
     @Inject
     SslIntegrationTests(RedisClient redisClient) {
         this.redisClient = redisClient;
@@ -129,6 +131,13 @@ static void beforeClass() {
         truststoreFile2 = path2.toFile();
         cacertFile = envCa(Paths.get("redis-standalone-sentinel-controlled/work/tls")).toFile();
 
+        try {
+            generateCertificates(testGenCertPath("redis-standalone-0/work/tls").toString(), "redis-standalone-0/work/tls");
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+
+        keystore = Paths.get("redis-standalone-0/work/tls/keystore.jks").toFile();
         assumeTrue(CanConnect.to(TestSettings.host(), sslPort()), "Assume that stunnel runs on port 6443");
         // Maybe we should do a list.
         assertThat(truststoreFile0).exists();
@@ -212,10 +221,10 @@ void standaloneWithJdkSslUsingTruststoreUrl() throws Exception {
 
     @Test
     void standaloneWithClientCertificates() {
-        // 6445
+        // 6444
         SslOptions sslOptions = SslOptions.builder() //
                 .jdkSslProvider() //
-                .keystore(new File(KEYSTORE), "changeit".toCharArray()) //
+                .keystore(keystore, "changeit".toCharArray()) //
                 .truststore(truststoreFile0, "changeit") //
                 .build();
         setOptions(sslOptions);

src/test/java/io/lettuce/test/settings/TlsSettings.java

@@ -1,17 +1,33 @@
 package io.lettuce.test.settings;
 
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
+import io.lettuce.core.internal.LettuceStrings;
+import org.testcontainers.shaded.org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.testcontainers.shaded.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.testcontainers.shaded.org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.testcontainers.shaded.org.bouncycastle.operator.ContentSigner;
+import org.testcontainers.shaded.org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.testcontainers.shaded.org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.testcontainers.shaded.org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.testcontainers.shaded.org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
+import org.testcontainers.shaded.org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.testcontainers.shaded.org.bouncycastle.util.io.pem.PemObject;
+import org.testcontainers.shaded.org.bouncycastle.util.io.pem.PemWriter;
+import sun.security.x509.X500Name;
+
+import javax.security.auth.x500.X500Principal;
+import java.io.*;
+import java.math.BigInteger;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
+import java.security.*;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.time.Duration;
+import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.List;
 import java.util.UUID;
 
@@ -27,6 +43,10 @@ public class TlsSettings {
 
     private static final String TEST_TRUSTSTORE = "truststore.jks";
 
+    private static final String TEST_KEYSTORE = "keystore.jks";
+
+    private static final String PASSWORD = "changeit";
+
     public static Path envServerCert(Path certLocation) {
         return Paths.get(TEST_WORK_FOLDER, certLocation.toString(), TEST_SERVER_CERT);
     }
@@ -39,6 +59,14 @@ public static Path testTruststorePath(String name) {
         return Paths.get(TEST_WORK_FOLDER, name + '-' + TEST_TRUSTSTORE);
     }
 
+    public static Path testGenCertPath(String keystoreLocation) {
+        return Paths.get(TEST_WORK_FOLDER, keystoreLocation);
+    }
+
+    public static Path testKeyStorePath(String keystoreLocation) {
+        return Paths.get(TEST_WORK_FOLDER, keystoreLocation, TEST_KEYSTORE);
+    }
+
     /**
      * Creates an empty truststore.
      *
@@ -121,4 +149,90 @@ public static Path createAndSaveTestTruststore(String trustStoreName, Path certi
         return createAndSaveTruststore(trustedCertPaths, trustStorePath, truststorePassword);
     }
 
+    public static void generateCertificates(String caDir, String keystoreFile) throws Exception {
+        createDirectories(caDir);
+
+        KeyPair keyPair = generateKeyPair();
+
+        savePrivateKey(keyPair.getPrivate(), caDir);
+
+        PKCS10CertificationRequest csr = generateCSR(keyPair);
+
+        X509Certificate certificate = signCertificate(csr, keyPair);
+
+        saveCertificate(certificate, caDir);
+
+        createPKCS12(keyPair.getPrivate(), certificate, keystoreFile);
+    }
+
+    private static void createDirectories(String caDir) throws IOException {
+        Files.createDirectories(Paths.get(caDir, "private"));
+        Files.createDirectories(Paths.get(caDir, "certs"));
+    }
+
+    private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+        keyGen.initialize(2048);
+        return keyGen.generateKeyPair();
+    }
+
+    private static void savePrivateKey(PrivateKey privateKey, String caDir) throws Exception {
+        String keyPath = Paths.get(caDir, "private", "client.key.pem").toString();
+        try (PemWriter pemWriter = new PemWriter(new FileWriter(keyPath))) {
+            pemWriter.writeObject(new PemObject("PRIVATE KEY", privateKey.getEncoded()));
+        }
+
+        File keyFile = new File(keyPath);
+        keyFile.setReadable(false, false);
+        keyFile.setReadable(true, true);
+        keyFile.setWritable(false, false);
+        keyFile.setExecutable(false, false);
+    }
+
+    private static PKCS10CertificationRequest generateCSR(KeyPair keyPair) throws Exception {
+        X500Principal subject = new X500Principal("CN=client,O=lettuce,C=NN,ST=Unknown,L=Unknown");
+        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
+
+        return csrBuilder.build(signer);
+    }
+
+    private static X509Certificate signCertificate(PKCS10CertificationRequest csr, KeyPair keyPair) throws Exception {
+        org.bouncycastle.asn1.x500.X500Name issuerName = new org.bouncycastle.asn1.x500.X500Name(
+                "CN=client,O=lettuce,C=NN,ST=Unknown,L=Unknown");
+
+        BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(Duration.ofDays(375)));
+
+        JcaPKCS10CertificationRequest jcaCsr = new JcaPKCS10CertificationRequest(csr);
+
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(org.testcontainers.shaded.org.bouncycastle.asn1.x500.X500Name.getInstance(issuerName), serialNumber, startDate, endDate,
+                jcaCsr.getSubject(), jcaCsr.getPublicKey());
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
+
+        return new JcaX509CertificateConverter().getCertificate(certBuilder.build(signer));
+    }
+
+    private static void saveCertificate(X509Certificate certificate, String caDir) throws Exception {
+        String certPath = Paths.get(caDir, "certs", "client.cert.pem").toString();
+        try (PemWriter pemWriter = new PemWriter(new FileWriter(certPath))) {
+            pemWriter.writeObject(new PemObject("CERTIFICATE", certificate.getEncoded()));
+        }
+    }
+
+    private static void createPKCS12(PrivateKey privateKey, X509Certificate certificate, String keystoreFile) throws Exception {
+        KeyStore keyStore = KeyStore.getInstance("PKCS12");
+        keyStore.load(null, null);
+
+        keyStore.setKeyEntry("client", privateKey, PASSWORD.toCharArray(), new X509Certificate[] { certificate });
+
+        try (OutputStream output = Files.newOutputStream(testKeyStorePath(keystoreFile))) {
+            keyStore.store(output, PASSWORD.toCharArray());
+        }
+    }
+
 }