config, server, executor: Reduce RSA keysize in testing (#27393)

pingcap · Aug 30, 2021 · d05660c · d05660c
1 parent 00662f4
commit d05660c
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 8 deletions.
diff --git a/config/config.go b/config/config.go
@@ -370,6 +370,7 @@ type Security struct {
 	// Allow automatic TLS certificate generation
 	AutoTLS       bool   `toml:"auto-tls" json:"auto-tls"`
 	MinTLSVersion string `toml:"tls-version" json:"tls-version"`
+	RSAKeySize    int    `toml:"rsa-key-size" json:"rsa-key-size"`
 }
 
 // The ErrConfigValidationFailed error is used so that external callers can do a type assertion
@@ -682,6 +683,7 @@ var defaultConf = Config{
 		SpilledFileEncryptionMethod: SpilledFileEncryptionMethodPlaintext,
 		EnableSEM:                   false,
 		AutoTLS:                     true,
+		RSAKeySize:                  4096,
 	},
 	DeprecateIntegerDisplayWidth: false,
 	EnableEnumLengthLimit:        true,

diff --git a/config/config.toml.example b/config/config.toml.example
@@ -211,6 +211,9 @@ auto-tls = true
 # Minium TLS version to use, e.g. "TLSv1.2"
 tls-version = ""
 
+# The RSA Key size for automatic generated RSA keys
+rsa-key-size = 4096
+
 [status]
 # If enable status report HTTP service.
 report-status = true

diff --git a/executor/simple.go b/executor/simple.go
@@ -1535,6 +1535,7 @@ func (e *SimpleExec) executeAlterInstance(s *ast.AlterInstanceStmt) error {
 			variable.GetSysVar("ssl_key").Value,
 			variable.GetSysVar("ssl_cert").Value,
 			config.GetGlobalConfig().Security.AutoTLS,
+			config.GetGlobalConfig().Security.RSAKeySize,
 		)
 		if err != nil {
 			if !s.NoRollbackOnError || config.GetGlobalConfig().Security.RequireSecureTransport {

diff --git a/server/server.go b/server/server.go
@@ -197,15 +197,19 @@ func NewServer(cfg *config.Config, driver IDriver) (*Server, error) {
 	setTxnScope()
 	setSystemTimeZoneVariable()
 
-	tlsConfig, autoReload, err := util.LoadTLSCertificates(s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert, s.cfg.Security.AutoTLS)
+	tlsConfig, autoReload, err := util.LoadTLSCertificates(
+		s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert,
+		s.cfg.Security.AutoTLS, s.cfg.Security.RSAKeySize)
 
 	// Automatically reload auto-generated certificates.
 	// The certificates are re-created every 30 days and are valid for 90 days.
 	if autoReload {
 		go func() {
 			for range time.Tick(time.Hour * 24 * 30) { // 30 days
 				logutil.BgLogger().Info("Rotating automatically created TLS Certificates")
-				tlsConfig, _, err = util.LoadTLSCertificates(s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert, s.cfg.Security.AutoTLS)
+				tlsConfig, _, err = util.LoadTLSCertificates(
+					s.cfg.Security.SSLCA, s.cfg.Security.SSLKey, s.cfg.Security.SSLCert,
+					s.cfg.Security.AutoTLS, s.cfg.Security.RSAKeySize)
 				if err != nil {
 					logutil.BgLogger().Warn("TLS Certificate rotation failed", zap.Error(err))
 				}

diff --git a/server/tidb_test.go b/server/tidb_test.go
@@ -885,6 +885,7 @@ func (ts *tidbTestSerialSuite) TestTLSAuto(c *C) {
 	cfg.Port = cli.port
 	cfg.Status.ReportStatus = false
 	cfg.Security.AutoTLS = true
+	cfg.Security.RSAKeySize = 528 // Reduces unittest runtime
 	server, err := NewServer(cfg, ts.tidbdrv)
 	c.Assert(err, IsNil)
 	cli.port = getPortFromTCPAddr(server.listener.Addr())
@@ -1032,9 +1033,9 @@ func (ts *tidbTestSerialSuite) TestTLSVerify(c *C) {
 	c.Assert(util.IsTLSExpiredError(x509.CertificateInvalidError{Reason: x509.CANotAuthorizedForThisName}), IsFalse)
 	c.Assert(util.IsTLSExpiredError(x509.CertificateInvalidError{Reason: x509.Expired}), IsTrue)
 
-	_, _, err = util.LoadTLSCertificates("", "wrong key", "wrong cert", true)
+	_, _, err = util.LoadTLSCertificates("", "wrong key", "wrong cert", true, 528)
 	c.Assert(err, NotNil)
-	_, _, err = util.LoadTLSCertificates("wrong ca", "/tmp/server-key.pem", "/tmp/server-cert.pem", true)
+	_, _, err = util.LoadTLSCertificates("wrong ca", "/tmp/server-key.pem", "/tmp/server-cert.pem", true, 528)
 	c.Assert(err, NotNil)
 }
 

diff --git a/util/misc.go b/util/misc.go
@@ -440,7 +440,7 @@ type SequenceTable interface {
 }
 
 // LoadTLSCertificates loads CA/KEY/CERT for special paths.
-func LoadTLSCertificates(ca, key, cert string, autoTLS bool) (tlsConfig *tls.Config, autoReload bool, err error) {
+func LoadTLSCertificates(ca, key, cert string, autoTLS bool, rsaKeySize int) (tlsConfig *tls.Config, autoReload bool, err error) {
 	autoReload = false
 	if len(cert) == 0 || len(key) == 0 {
 		if !autoTLS {
@@ -451,7 +451,7 @@ func LoadTLSCertificates(ca, key, cert string, autoTLS bool) (tlsConfig *tls.Con
 		tempStoragePath := config.GetGlobalConfig().TempStoragePath
 		cert = filepath.Join(tempStoragePath, "/cert.pem")
 		key = filepath.Join(tempStoragePath, "/key.pem")
-		err = createTLSCertificates(cert, key)
+		err = createTLSCertificates(cert, key, rsaKeySize)
 		if err != nil {
 			logutil.BgLogger().Warn("TLS Certificate creation failed", zap.Error(err))
 			return
@@ -590,7 +590,7 @@ func QueryStrForLog(query string) string {
 	return query
 }
 
-func createTLSCertificates(certpath string, keypath string) error {
+func createTLSCertificates(certpath string, keypath string, rsaKeySize int) error {
 	privkey, err := rsa.GenerateKey(rand.Reader, 4096)
 	if err != nil {
 		return err
@@ -649,6 +649,7 @@ func createTLSCertificates(certpath string, keypath string) error {
 		return err
 	}
 
-	logutil.BgLogger().Info("TLS Certificates created", zap.String("cert", certpath), zap.String("key", keypath), zap.Duration("validity", certValidity))
+	logutil.BgLogger().Info("TLS Certificates created", zap.String("cert", certpath), zap.String("key", keypath),
+		zap.Duration("validity", certValidity), zap.Int("rsaKeySize", rsaKeySize))
 	return nil
 }