Posted to solr-user@lucene.apache.org by "Martini, Jeremy (CGI Federal)" <Je...@cgifederal.com> on 2016/10/05 17:43:44 UTC

Error: Strong key gen and multiprime gen require at least 1024-bit keysize

Hi,

I'm looking at filing an issue in JIRA, but wanted to first make sure my issue would be a valid change.

In order to configure our dataSource without requiring a plaintext password in the configuration file, we extended JdbcDataSource to create our own custom implementation. Our dataSource config now looks something like this:

<dataSource type="com.foo.FooDataSource" driver="oracle.jdbc.OracleDriver" url="jdbc:oracle:thin:@db-host-machine:1521:tst1" user="testuser" password="{ENC}{1.1}1ePOfWcbOIU056gKiLTrLw=="/>

We are using the RSA JSAFE Crypto-J libraries for encrypting/decrypting the password. However, this seems to cause an issue when we try to use Solr in a Cloud Configuration (using Zookeeper). The error is "Strong key gen and multiprime gen require at least 1024-bit keysize." Full log attached.

This seems to be due to the hard-coded value of 512 in the org.apache.solr.util.CryptoKeys$RSAKeyPair class:

    public RSAKeyPair() {
      KeyPairGenerator keyGen = null;
      try {
        keyGen = KeyPairGenerator.getInstance("RSA");
      } catch (NoSuchAlgorithmException e) {
        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
      }
      keyGen.initialize(512);

I pulled down the Solr code, changed the hard-coded value to 1024, rebuilt it, and now everything seems to work great.

Would this be a valid code change to request? I'm happy to create the JIRA ticket and supply a patch file.

Thanks,
Jeremy

Re: Error: Strong key gen and multiprime gen require at least 1024-bit keysize

Posted by Erick Erickson <er...@gmail.com>.
See: https://issues.apache.org/jira/browse/SOLR-9609

Not quite sure when I'll get to it though...

Erick

On Mon, Oct 31, 2016 at 8:22 AM, Adnan Yaqoob <it...@gmail.com> wrote:
> Definitely a valid JIRA. It may choose 512 default but shouldn't be hard
> coded. There must be a way to pass on required length.
>
> Adnan
> --
> Regards,
> *Adnan Yaqoob*

Re: Error: Strong key gen and multiprime gen require at least 1024-bit keysize

Posted by Adnan Yaqoob <it...@gmail.com>.
Definitely a valid JIRA. It may choose 512 default but shouldn't be hard
coded. There must be a way to pass on required length.

Adnan

On Wed, Oct 5, 2016 at 9:02 PM, Erick Erickson <er...@gmail.com>
wrote:

> Sure seems like a JIRA to me. I have no clue why 512 was chosen in
> the first place though.
>
> Or you could post the same question on dev list first.
>
> But this is an appropriate JIRA I think.
>
> Erick



-- 
Regards,
*Adnan Yaqoob*
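
The configurable key size suggested in this thread, as an added example (not part of any message here and not Solr's code). The property name `example.rsa.keysize` and the 2048-bit default are assumptions made for illustration; the 1024-bit floor is the one stated in the provider error quoted above.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;

public class ConfigurableRsaKeyPair {
  // Hypothetical property name for this example; not a Solr setting.
  static final String KEY_SIZE_PROP = "example.rsa.keysize";
  // Floor taken from the provider error message quoted in the thread.
  static final int MIN_KEY_SIZE = 1024;
  // Default chosen for this example (assumption).
  static final int DEFAULT_KEY_SIZE = 2048;

  /** Read the key size from a system property and reject values below the floor. */
  static int resolveKeySize() {
    int bits = Integer.getInteger(KEY_SIZE_PROP, DEFAULT_KEY_SIZE);
    if (bits < MIN_KEY_SIZE) {
      throw new IllegalArgumentException(
          KEY_SIZE_PROP + "=" + bits + " is below the minimum of " + MIN_KEY_SIZE + " bits");
    }
    return bits;
  }

  /** Generate an RSA key pair of the requested size with the default provider. */
  static KeyPair generate(int bits) {
    try {
      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
      keyGen.initialize(bits);
      return keyGen.generateKeyPair();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("No RSA KeyPairGenerator available", e);
    }
  }

  public static void main(String[] args) {
    // Normal path: size comes from configuration, falling back to the default.
    KeyPair pair = generate(resolveKeySize());
    int actual = ((RSAPublicKey) pair.getPublic()).getModulus().bitLength();
    System.out.println("Generated RSA key with " + actual + "-bit modulus");

    // Failure path: the value hard-coded in the quoted constructor is refused
    // at configuration time instead of failing inside the crypto provider.
    System.setProperty(KEY_SIZE_PROP, "512");
    try {
      resolveKeySize();
    } catch (IllegalArgumentException e) {
      System.out.println("Rejected: " + e.getMessage());
    }
  }
}
```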

Re: Error: Strong key gen and multiprime gen require at least 1024-bit keysize

Posted by Erick Erickson <er...@gmail.com>.
Sure seems like a JIRA to me. I have no clue why 512 was chosen in
the first place though.

Or you could post the same question on dev list first.

But this is an appropriate JIRA I think.

Erick
