diff --git a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
index 4ae1f313ce1..ad5cfd5e05b 100644
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
@@ -922,7 +922,7 @@ public class CertificateTool extends LoggingAwareMultiCommand {
 }
 
 static PEMEncryptor getEncrypter(char[] password) {
- return new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).build(password);
+ return new JcePEMEncryptorBuilder("AES-128-CBC").setProvider(BC_PROV).build(password);
 }
 
 private static T withPassword(String description, char[] password, Terminal terminal,
diff --git a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
index 6845edbdc6b..126054c2e5c 100644
--- a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
+++ b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
@@ -21,6 +21,7 @@ import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
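Review bot: `getEncrypter` still has no comment explaining the cipher choice or the output format, and the readers that must parse the generated key files (the `PemUtils` reader imported by the test file, plus any external tooling) are outside this hunk, so nothing documents that every consumer of the `.key` files written by this tool now needs AES-128-CBC support. A Javadoc along the lines of `/** Encryptor for password-protected PEM private keys: legacy OpenSSL "DEK-Info" format, AES-128-CBC (was DES-EDE3-CBC). */` would carry that. Worth stating in the same comment: `JcePEMEncryptorBuilder` writes the traditional OpenSSL encrypted-PEM format (the test hunk asserts a `DEK-Info:` header), whose password-to-key derivation is the legacy single-pass MD5 scheme, so replacing 3DES with AES strengthens the cipher but does not improve the file's resistance to offline password guessing. If compatibility with that format is not a requirement, PKCS#8 with PBES2 (`JceOpenSSLPKCS8EncryptorBuilder` with `PKCS8Generator.AES_128_CBC`, which allows an iteration count to be set) would be the stronger option, but that changes the on-disk format and the assertions in the tests, so it belongs in a follow-up rather than this change. The enclosing class continues outside the hunk.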
@@ -50,6 +51,7 @@ import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.hamcrest.Matchers;
 import org.junit.After;
 import org.junit.BeforeClass;
+import org.mockito.Mockito;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -349,6 +351,16 @@ public class CertificateToolTests extends ESTestCase {
 PEMParser pemParser = new PEMParser(reader);
 Object parsed = pemParser.readObject();
 assertThat(parsed, instanceOf(PEMEncryptedKeyPair.class));
+ // Verify we are using AES encryption
+ final PEMDecryptorProvider pemDecryptorProvider = Mockito.mock(PEMDecryptorProvider.class);
+ try {
+ ((PEMEncryptedKeyPair) parsed).decryptKeyPair(pemDecryptorProvider);
+ } catch (Exception e) {
+ // Catch error thrown by the empty mock, we are only interested in the argument passed in
+ }
+ finally {
+ Mockito.verify(pemDecryptorProvider).get("AES-128-CBC");
+ }
 char[] zeroChars = new char[caInfo.password.length];
 Arrays.fill(zeroChars, (char) 0);
 assertArrayEquals(zeroChars, caInfo.password);
@@ -368,7 +380,13 @@ public class CertificateToolTests extends ESTestCase {
 assertTrue(Files.exists(zipRoot.resolve(filename)));
 final Path cert = zipRoot.resolve(filename + "/" + filename + ".crt");
 assertTrue(Files.exists(cert));
- assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key")));
+ Path keyFile = zipRoot.resolve(filename + "/" + filename + ".key");
+ assertTrue(Files.exists(keyFile));
+ if (keyPassword != null) {
+ assertTrue(new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII).contains("DEK-Info: AES-128-CBC"));
+ } else {
+ assertFalse(new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII).contains("DEK-Info:"));
+ }
 final Path p12 = zipRoot.resolve(filename + "/" + filename + ".p12");
 try (InputStream input = Files.newInputStream(cert)) {
 X509Certificate certificate = readX509Certificate(input);
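Review bot: The try/catch/finally around `decryptKeyPair` in the new block exists only to tolerate the failure caused by the unstubbed mock and then check the cipher name; `ESTestCase` (via `LuceneTestCase`) already provides `expectThrows`, so `expectThrows(Exception.class, () -> ((PEMEncryptedKeyPair) parsed).decryptKeyPair(pemDecryptorProvider)); Mockito.verify(pemDecryptorProvider).get("AES-128-CBC");` states the same expectation in two lines without a broad `catch (Exception e)` whose variable is never used. If the try form is kept, renaming the variable to `ignored` and writing `} finally {` on one line, as the `} catch (Exception e) {` above it already does, would make the intent and the brace style consistent. The enclosing test method starts and ends outside the hunk, and `reader` and `caInfo` are defined there.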
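Review bot: Both branches of `if (keyPassword != null)` read and decode the key file independently; hoisting `final String keyPem = new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII);` above the `if` and asserting on `keyPem.contains(...)` in each branch removes the duplication and keeps the decoded text in scope for any further assertions. `keyFile` could also be declared `final` like the neighbouring `cert` and `p12`. `keyPassword`, `zipRoot` and `filename` come from the enclosing test method, which starts and ends outside the hunk.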