[ 
https://issues.apache.org/jira/browse/CASSANDRA-17031?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452094#comment-17452094
 ] 

Maulin Vasavada commented on CASSANDRA-17031:
---------------------------------------------

[~smiklosovic] Your idea of dumping details of the certificate in plain text 
makes sense. Currently we have 
[this|https://github.com/apache/cassandra/pull/1316/files#diff-6e9b4d54347a547d5bb5b002cad6afccd25826beb221bb79ebf57c65bc891e11R199]
 logging that prints certificates Issuer, Subject, Serial number and Expiry 
-fields in my experience most useful in order to debug any TLS cert issues. I 
can change the above log to be of 'info' type to make it easily accessible than 
debug. [~jonmeredith] Do you think it would be helpful going beyond this and 
dump full certificate details?  

> Add support for PEM based key material for SSL
> ----------------------------------------------
>
>                 Key: CASSANDRA-17031
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17031
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Messaging/Internode
>            Reporter: Maulin Vasavada
>            Assignee: Maulin Vasavada
>            Priority: Normal
>             Fix For: 4.1
>
>          Time Spent: 4h
>  Remaining Estimate: 0h
>
> h1. Scope
> Currently Cassandra supports standard keystore types for SSL 
> keys/certificates. The scope of this enhancement is to add support for PEM 
> based key material (keys/certificate) given that PEM is widely used common 
> format for the same. We intend to add support for Unencrypted and Password 
> Based Encrypted (PBE) PKCS#8 formatted Private Keys in PEM format with 
> standard algorithms (RSA, DSA and EC) along with the certificate chain for 
> the private key and PEM based X509 certificates. The work here is going to be 
> built on top of [CEP-9: Make SSLContext creation 
> pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable]
>  for which the code is merged for Apache Cassandra 4.1 release.
> We intend to support the key material be configured as direct PEM values 
> input OR via the file (configured with keystore and truststore configurations 
> today). We are not going to model PEM as a valid 'store_type' given that 
> 'store_type' has a [specific 
> definition|https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html#GUID-AB51DEFD-5238-4F96-967F-082F6D34FBEA].
>  
> h1. Approach
> Create an implementation for 
> [ISslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/ISslContextFactory.java]
>  extending 
> [FileBasedSslContextFactory|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/security/FileBasedSslContextFactory.java]
>  implementation to add PEM formatted key/certificates.
> h1. Motivation
> PEM is a widely used format for encoding Private Keys and X.509 Certificates 
> and Apache Cassandra's current implementation lacks the support for 
> specifying the PEM formatted key material for SSL configurations. This means 
> operators have to re-create the key material to comply to the supported 
> formats (using key/trust store types - jks, pkcs12 etc) and deal with an 
> operational task for managing it. This is an operational overhead we can 
> avoid by supporting the PEM format making Apache Cassandra even more customer 
> friendly and drive more adoption.
> h1. Proposed Changes
>  # A new implementation for ISslContextFactory - PEMBasedSslContextFactory 
> with the following supported configuration
> {panel:title=New configurations}
> {panel}
> |{{encryption_options:  }}
>  {{    }}{{ssl_context_factory:}}
>  {{        }}{{class_name: 
> org.apache.cassandra.security.PEMBasedSslContextFactory}}
>  {{        }}{{parameters:}}
>  {{          }}{{private_key: <PEM Formatted }}{{private}} {{key with the 
> certificate chain>}}
>  {{          }}{{private_key_password: <Password }}{{for}} {{the 
> }}{{private}} {{key }}{{if}} {{it is encrypted>}}
>  {{          }}{{trusted_certificates: <PEM formatted trusted certificates>}}|
> *NOTE:* We could reuse 'keystore_password' instead of the 
> 'private_key_password'. However PEM encoded private key is not a 'keystore' 
> in itself hence it would be inappropriate to piggyback on that other than 
> avoid duplicating similar fields.
>  # The PEMBasedSslContextFactory will also support file based key material 
> (and the corresponding HOT Reloading based on file timestamp updates) for the 
> PEM format via existing  'keystore' and 'truststore' encryption options. 
> However in that case the 'truststore_password' configuration won't be used 
> since generally PEM formatted certificates for truststore don't get encrypted 
> with a password.
>  # The PEMBasedSslContextFactory will internally create PKCS12 keystore for 
> private key and the trusted certificates. However, this doesn't impact the 
> user of the implementation in anyway and it is mentioned for clarity only.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to