fix test access token signing key to 2048bit+ for valid testing

[ysknkd]

Summary

Upgrade signing keys less than 2048bit to 2048bit or more used for Access Token Testing.

Background

The test we initially wanted to conduct is one where the signature verification fails because the key used for the signature differs from the kid in the Access Token header.

However, because the test key was less than 2048bit, the signature verification was failing with the following error. As the test is expecting the signature verification to fail, the test is considered a success.

Access Token validation failed: The verification key's size is 2047 bits which is not secure enough for the RS256 algorithm.  The JWT JWA Specification (RFC 7518, Section 3.3) states that keys used with RS256 MUST have a size >= 2048 bits.  Consider using the io.jsonwebtoken.security.Keys class's 'keyPairFor(SignatureAlgorithm.RS256)' method to create a key pair guaranteed to be secure enough for RS256.  See https://tools.ietf.org/html/rfc7518#section-3.3 for more information.

The tests in question are as follows.

• athenz/clients/java/zpe/src/test/java/com/yahoo/athenz/zpe/TestAuthZpe.java

  Lines 1418 to 1433 in 76882ee

  	@Test
  	public void testValidateAccessTokenInvalid() {
  	// create a token with a key id that does not exist
  	List<String> roles = Collections.singletonList("matchall");
  	final String invalidKeyIdToken = createInvalidAccessToken("angler", roles);
  	AccessToken accessToken = AuthZpeClient.validateAccessToken(invalidKeyIdToken, null, null);
  	assertNull(accessToken);
  	// now we're going to include the Bearer part
  	accessToken = AuthZpeClient.validateAccessToken("Bearer " + invalidKeyIdToken, null, null);
  	assertNull(accessToken);
  	}

• athenz/clients/java/zpe/src/test/java/com/yahoo/athenz/zpe/TestAuthZpe.java

  Lines 973 to 987 in 76882ee

  	@Test
  	public void testAllowAccessMatchAllAccessTokenInvalid() {
  	String action = "all";
  	String resource = "angler:stuff";
  	StringBuilder roleName = new StringBuilder();
  	// create a token with a key id that does not exist
  	List<String> roles = Collections.singletonList("matchall");
  	final String invalidKeyIdToken = createInvalidAccessToken("angler", roles);
  	AccessCheckStatus status = AuthZpeClient.allowAccess(invalidKeyIdToken, resource, action, roleName);
  	Assert.assertEquals(status, AccessCheckStatus.DENY_ROLETOKEN_INVALID);
  	}

The error we were expecting is as follows:

Access Token validation failed: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.

The signing key impacted this time is unit_test_zts_private_k1.pem. Upgrading other test keys to 2048 bits or more might be worth considering, but we have not made any adjustments since these keys are not being used as the Access Token's signing key and therefore, not strictly necessary.

$ pwd
/path/to/athenz/clients/java/zpe/src/test/resources

$ ls | grep pem | grep -v -e ec -e public | xargs -n1 -I{} bash -c 'echo -n "{}: " && openssl rsa -text -noout -in {}| grep Private'
unit_test_zms_private_k0.pem: Private-Key: (2047 bit, 2 primes)
unit_test_zts_private_k0.pem: Private-Key: (2048 bit, 2 primes)
unit_test_zts_private_k1.pem: Private-Key: (2047 bit, 2 primes)
unit_test_zts_private_k17.pem: Private-Key: (2047 bit, 2 primes)
unit_test_zts_private_k99.pem: Private-Key: (2048 bit, 2 primes)