Skip to content

Add ECDSA support#326

Open
Zeta201 wants to merge 2 commits into
wso2:masterfrom
Zeta201:ecdsa-keypair
Open

Add ECDSA support#326
Zeta201 wants to merge 2 commits into
wso2:masterfrom
Zeta201:ecdsa-keypair

Conversation

@Zeta201

@Zeta201 Zeta201 commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Purpose

Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc.

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change>

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3174b2bf-9382-4898-8b4d-6c262626d8f4

📥 Commits

Reviewing files that changed from the base of the PR and between 049dfc8 and 7ffe854.

📒 Files selected for processing (1)
  • components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java
🚧 Files skipped from review as they are similar to previous changes (1)
  • components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java

📝 Walkthrough

Overview

This pull request adds Elliptic Curve Digital Signature Algorithm (ECDSA) support to the carbon-multitenancy repository, enabling tenant keystore generation to include EC (P-256 / secp256r1) key pairs alongside existing RSA key pairs.

Key Changes

New utility classes

  • TenantKeyPairConstants: Centralizes cryptographic constants for key algorithms and supported signature algorithms, including EC (EC, SHA256withECDSA, curve secp256r1) and RSA signature algorithm variants (e.g., MD5withRSA, SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA).
  • TenantKeyPairUtil: Introduces a reusable addKeyEntry() helper that generates either RSA (2048-bit) or EC key pairs, creates a self-signed X.509 certificate containing tenant-domain information (including SAN), and stores the resulting private key and certificate chain into a provided KeyStore under the given alias.

Refactored keystore generation

  • KeyStoreGenerator:
    • Updated to populate keystores using TenantKeyPairUtil.addKeyEntry() rather than the prior internal generateKeyPair(...) implementation.
    • Keystore generation now creates/loads the default keystore and adds both an RSA entry and an EC P-256 entry.
    • Refactored signature-algorithm configuration to build the signatureAlgorithms list from TenantKeyPairConstants, with getSignatureAlgorithm() selecting from that list (defaulting to RSA_MD5).
    • Removed the previous private certificate/keypair generation method and the associated inline BouncyCastle certificate-building logic.

Dependencies

  • pom.xml: Updated carbon.kernel.version from 4.10.108 to 4.12.39.

Impact

Tenant keystore management can now generate and store EC (P-256) key material in addition to RSA, using shared constants and a centralized helper to improve maintainability and consistency across key-entry provisioning.

Walkthrough

The pull request adds EC (P-256) key pair support to tenant keystore generation. A new TenantKeyPairConstants class centralizes string constants for EC and RSA algorithms. A new TenantKeyPairUtil utility class provides a static addKeyEntry method that generates RSA or EC key pairs, creates self-signed X.509 certificates using BouncyCastle, and stores entries in a provided KeyStore. KeyStoreGenerator.generateKeyStore() is refactored to call addKeyEntry twice—once for RSA and once for EC—replacing the removed private generateKeyPair method. The carbon.kernel.version property in the root POM is updated from 4.10.108 to 4.12.39.

Sequence Diagram

sequenceDiagram
  participant KeyStoreGenerator
  participant TenantKeyPairUtil
  participant BouncyCastle
  participant KeyStore

  KeyStoreGenerator->>KeyStore: create/load default keystore
  KeyStoreGenerator->>TenantKeyPairUtil: addKeyEntry(tenantDomain, pwd, keyStore, rsaAlias, RSA_KEY_ALG, sigAlg)
  TenantKeyPairUtil->>BouncyCastle: generate RSA keypair + self-signed cert
  BouncyCastle-->>TenantKeyPairUtil: RSA X509Certificate
  TenantKeyPairUtil->>KeyStore: setKeyEntry(rsaAlias, rsaPrivKey, certChain)
  TenantKeyPairUtil-->>KeyStoreGenerator: RSA X509Certificate
  KeyStoreGenerator->>TenantKeyPairUtil: addKeyEntry(tenantDomain, pwd, keyStore, ecAlias, EC_KEY_ALG, EC_SHA256)
  TenantKeyPairUtil->>BouncyCastle: generate EC(secp256r1) keypair + self-signed cert
  BouncyCastle-->>TenantKeyPairUtil: EC X509Certificate
  TenantKeyPairUtil->>KeyStore: setKeyEntry(ecAlias, ecPrivKey, certChain)
  TenantKeyPairUtil-->>KeyStoreGenerator: EC X509Certificate
  KeyStoreGenerator->>KeyStore: persist using RSA public certificate
Loading
🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description contains only the template structure with no substantive content filled in across any required sections. Complete all required sections including Purpose (with issue links), Goals, Approach, User stories, Release note, Documentation, Testing (unit/integration), Security checks, and Test environment details.
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Add ECDSA support' directly aligns with the main change—introducing EC P-256 elliptic curve support alongside RSA in keystore generation.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java (1)

244-254: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Default signature algorithm should use a stronger hash function.

The fallback to RSA_MD5 at line 253 uses a hash function that is no longer recommended for cryptographic operations. Consider changing the default to RSA_SHA256 or another algorithm using SHA-256 or stronger.

Proposed fix
     private static String getSignatureAlgorithm() {

         String algorithm = ServerConfiguration.getInstance().getFirstProperty(SIGNING_ALG);
         // Find in a list of supported signature algorithms.
         for (String supportedAlgorithm : signatureAlgorithms) {
             if (supportedAlgorithm.equalsIgnoreCase(algorithm)) {
                 return supportedAlgorithm;
             }
         }
-        return RSA_MD5;
+        return RSA_SHA256;
     }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java`
around lines 244 - 254, The getSignatureAlgorithm method currently returns
RSA_MD5 as the default fallback algorithm, which uses a weak hash function that
is cryptographically unsound. Replace the RSA_MD5 constant in the return
statement with RSA_SHA256 or another algorithm that uses SHA-256 or stronger to
ensure the default signature algorithm meets current security standards and best
practices for cryptographic operations.
🧹 Nitpick comments (1)
components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairUtil.java (1)

75-76: ⚡ Quick win

Clarify the intent of the initialization call.

The return value of CryptoUtil.getDefaultCryptoUtil() is discarded. If this is intentional for initializing crypto defaults as a side effect, consider adding a brief comment to clarify. Otherwise, if the result is not needed, this call may be unnecessary.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairUtil.java`
around lines 75 - 76, The call to CryptoUtil.getDefaultCryptoUtil() in the try
block discards its return value without explanation. If this call is intended to
initialize crypto defaults as a side effect, add a clarifying comment above the
method call (in the try block) explaining that initialization is required. If
the result is actually needed or used elsewhere, verify that it is being
properly captured and utilized. If neither case applies and the call is
unnecessary, remove it entirely.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairConstants.java`:
- Around line 31-32: The constants RSA_MD5 and RSA_SHA1 in the
TenantKeyPairConstants class use weak hash algorithms (MD5 and SHA1) that are no
longer recommended for cryptographic applications. If these constants are
required for backward compatibility, annotate both RSA_MD5 and RSA_SHA1 with the
`@Deprecated` annotation and add JavaDoc comments explaining why these algorithms
are weak and should not be used for new implementations. If backward
compatibility is not required, consider removing these constants entirely from
the class.

---

Outside diff comments:
In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java`:
- Around line 244-254: The getSignatureAlgorithm method currently returns
RSA_MD5 as the default fallback algorithm, which uses a weak hash function that
is cryptographically unsound. Replace the RSA_MD5 constant in the return
statement with RSA_SHA256 or another algorithm that uses SHA-256 or stronger to
ensure the default signature algorithm meets current security standards and best
practices for cryptographic operations.

---

Nitpick comments:
In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairUtil.java`:
- Around line 75-76: The call to CryptoUtil.getDefaultCryptoUtil() in the try
block discards its return value without explanation. If this call is intended to
initialize crypto defaults as a side effect, add a clarifying comment above the
method call (in the try block) explaining that initialization is required. If
the result is actually needed or used elsewhere, verify that it is being
properly captured and utilized. If neither case applies and the call is
unnecessary, remove it entirely.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0f7a3f76-1c2d-4f3a-9fda-83bd1e5794c7

📥 Commits

Reviewing files that changed from the base of the PR and between 9c2a2af and 049dfc8.

📒 Files selected for processing (4)
  • components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/KeyStoreGenerator.java
  • components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairConstants.java
  • components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairUtil.java
  • pom.xml

Comment on lines +31 to +32
public static final String RSA_MD5 = "MD5withRSA";
public static final String RSA_SHA1 = "SHA1withRSA";

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Consider removing or deprecating weak signature algorithm constants.

MD5withRSA and SHA1withRSA use hash functions that are no longer recommended for new cryptographic applications. Including them as constants may encourage continued use. If backward compatibility is required, consider annotating these with @Deprecated and adding documentation discouraging their use.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/tenant-mgt/org.wso2.carbon.tenant.keystore.mgt/src/main/java/org/wso2/carbon/keystore/mgt/util/TenantKeyPairConstants.java`
around lines 31 - 32, The constants RSA_MD5 and RSA_SHA1 in the
TenantKeyPairConstants class use weak hash algorithms (MD5 and SHA1) that are no
longer recommended for cryptographic applications. If these constants are
required for backward compatibility, annotate both RSA_MD5 and RSA_SHA1 with the
`@Deprecated` annotation and add JavaDoc comments explaining why these algorithms
are weak and should not be used for new implementations. If backward
compatibility is not required, consider removing these constants entirely from
the class.

Source: Linters/SAST tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant