Improve keystore generation #5967

Open
JiriOndrusek opened this issue Apr 5, 2024 · 7 comments · May be fixed by #6116
Labels: area/fips, enhancement (New feature or request), test

Comments

JiriOndrusek (Contributor) commented Apr 5, 2024

Describe the feature here

Http-grouped: it should be possible to generate the keystore and truststore during the build (if not disabled).

JiriOndrusek (Contributor, Author) commented

The feature for generating the certificates could be created in a general way, so that other modules can re-use it.

JiriOndrusek changed the title from "Http group tests: improve keystore generation" to "Improve keystore generation" on May 10, 2024
JiriOndrusek (Contributor, Author) commented

One possible general solution might be adopting the Quarkus way, using https://github.com/cescoffier/certificate-generator

jamesnetherton (Contributor) commented

> One possible general solution might be adopting the Quarkus way, using https://github.com/cescoffier/certificate-generator

Yeah, I saw that project mentioned on Quarkus Zulip some time ago and wondered whether we could start using it.

If possible, I think it'd be good to try and use a single tool for cert generation in the project. Currently we've got a mix of shell scripts, Maven plugins, etc., which becomes a bit of a maintenance pain.

ppalaga (Contributor) commented May 10, 2024

Indeed, https://github.com/cescoffier/certificate-generator would be great to replace them all. I did not know it existed, thanks for the pointer. IIRC, we were forced to use openssl for writing PKCS12 stores, because Java's java.security.KeyStore did not support some sort of store encoding required by FIPS. Looking at https://github.com/cescoffier/certificate-generator/blob/main/certificate-generator/src/main/java/me/escoffier/certs/CertificateUtils.java#L200-L270 it seems that it is using java.security.KeyStore for writing the stores. But you mentioned recently @JiriOndrusek that JKS works on FIPS too? I wonder whether we need to try to fix certificate-generator's PKCS12 impl to comply with FIPS?

JiriOndrusek (Contributor, Author) commented

> Indeed, https://github.com/cescoffier/certificate-generator would be great to replace them all. I did not know it existed, thanks for the pointer. IIRC, we were forced to use openssl for writing PKCS12 stores, because Java's java.security.KeyStore did not support some sort of store encoding required by FIPS. Looking at https://github.com/cescoffier/certificate-generator/blob/main/certificate-generator/src/main/java/me/escoffier/certs/CertificateUtils.java#L200-L270 it seems that it is using java.security.KeyStore for writing the stores. But you mentioned recently @JiriOndrusek that JKS works on FIPS too? I wonder whether we need to try to fix certificate-generator's PKCS12 impl to comply with FIPS?

With one of the recent Java updates (I'm not sure which concrete build it was), certificates generated by the Java keystore work in a FIPS environment (I noticed it several weeks ago). Therefore the certificate-generator project should cover all our needs.

I'm currently trying to solve FIPS for the Kafka tests and I'm using the certificate-generator, which seems to be easily usable. Once I'm sure that everything works, I'll ping you on the PR to discuss whether we want to use such an approach on the whole project.
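The two comments above turn on one question: does `java.security.KeyStore` in the JVM at hand write PKCS12 (and JKS) stores in an encoding the FIPS provider accepts? The following diagnostic is an added example, not code from camel-quarkus or from the certificate-generator project. It lists which provider serves each `KeyStore` type, prints the `keystore.pkcs12.*` security properties that select the PKCS12 PBE and MAC algorithms (my reading of the "store encoding" problem: the older SHA-1/3DES-based PBE defaults, which JDK 18 replaced with PBES2/AES and HmacPBESHA256, are the kind of encoding a FIPS provider is likely to reject, which would fit the observation that a recent Java update made stores work), and then round-trips a PKCS12 store holding a constructed AES key plus an empty JKS store through memory. The class name, entry alias, password and sample key bytes are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added diagnostic (not camel-quarkus or certificate-generator code): writes and re-reads
// PKCS12 and JKS stores through java.security.KeyStore so you can see, on the JVM under test
// (e.g. one configured for FIPS), which provider serves each type and whether the store-level
// encoding it picks is accepted.
public class KeyStoreRoundTrip {

    // Constructed 16-byte AES key; only there to force a PKCS12 key-protection (PBE) encoding.
    private static final byte[] SAMPLE_KEY = new byte[] {
        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
    private static final char[] PASSWORD = "changeit".toCharArray();

    /** Stores a key store of the given type to memory and loads it again; returns the provider name. */
    static String roundTrip(String type, boolean withSecretKey) throws Exception {
        KeyStore out = KeyStore.getInstance(type);
        out.load(null, null); // fresh, empty store
        if (withSecretKey) {
            SecretKey key = new SecretKeySpec(SAMPLE_KEY, "AES");
            out.setEntry("sample-aes", new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(PASSWORD));
        }
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        // store() is where a FIPS provider rejects PBE/MAC algorithms it does not approve
        out.store(bytes, PASSWORD);

        KeyStore in = KeyStore.getInstance(type);
        in.load(new ByteArrayInputStream(bytes.toByteArray()), PASSWORD);
        if (withSecretKey && in.getKey("sample-aes", PASSWORD) == null) {
            throw new IllegalStateException("entry lost during " + type + " round trip");
        }
        return in.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        // PKCS12 algorithms are selected by these security properties (java.security file);
        // null means the JDK's built-in default is in effect.
        for (String prop : new String[] { "keystore.pkcs12.keyProtectionAlgorithm",
                "keystore.pkcs12.certProtectionAlgorithm", "keystore.pkcs12.macAlgorithm" }) {
            System.out.println(prop + " = " + Security.getProperty(prop));
        }
        // Which provider is registered for each KeyStore type (on a FIPS JVM this should be the FIPS one)
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    System.out.println("KeyStore." + s.getAlgorithm() + " -> " + p.getName());
                }
            }
        }
        // PKCS12 with a key entry exercises the PBE and MAC encodings; JKS has no secret-key
        // support, so it is round-tripped empty (its integrity hash is still exercised).
        for (String type : new String[] { "PKCS12", "JKS" }) {
            try {
                System.out.println(type + " round trip OK via " + roundTrip(type, "PKCS12".equals(type)));
            } catch (Exception e) {
                System.out.println(type + " round trip FAILED: " + e);
            }
        }
    }
}
```

Run it with the same JVM and `java.security` configuration the tests use (`java KeyStoreRoundTrip.java` on JDK 11+). A `FAILED` line for PKCS12 next to an `OK` line for JKS reproduces the situation ppalaga describes and points at the PBE/MAC properties as the knob to turn, before deciding whether certificate-generator's PKCS12 path needs changing at all.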

JiriOndrusek (Contributor, Author) commented May 15, 2024

I tried the generator project in Kafka and all looks good.
My second attempt would be cxf-soap, to see whether the complex generation can be achieved by the project.
The main problem is caused by the fact that the project creates self-signed certificates, which might be a problem.

JiriOndrusek (Contributor, Author) commented

I found that the certificate generator project won't be usable in more complex use cases (like cxf-soap).
For example in cxf-soap-ssl, a special constraint is required for the certificate generation, see the code. To achieve the same result in the certificate-generator project, we would need to customize this part of the code.

My conclusion at this moment is that we can use the certificate-generator approach in the easier cases (the complex ones would stay the same). Now I plan to go through the project and find places where the usage should be possible.

I think that the refactor to the certificate generator approach is still worth the try, as it will make all simple certificate generation even simpler and clearer for developers.
