Add SSL Configuration Library #37287
This introduces a new ssl-config library that can parse and validate SSL/TLS settings and files. It supports the standard configuration settings as used in the Elastic Stack such as "ssl.verification_mode" and "ssl.certificate_authorities" as well as all file formats used in other parts of Elasticsearch security (such as PEM, JKS, PKCS#12, PKCS#8, et al).
Pinging @elastic/es-security
* Based on https://github.com/groovenauts/jmeter_oauth_plugin/blob/master/jmeter/src/ | ||
* main/java/org/apache/jmeter/protocol/oauth/sampler/PrivateKeyReader.java | ||
*/ | ||
final class DerParser { |
Cloned from org.elasticsearch.xpack.core.ssl
/** | ||
* A variety of utility methods for working with or constructing {@link KeyStore} instances. | ||
*/ | ||
final class KeyStoreUtil { |
Most of these methods existed (in some variation) in org.elasticsearch.xpack.core.ssl.CertParsingUtils. I pulled in just what I needed.
import java.util.Map; | ||
import java.util.function.Supplier; | ||
|
||
final class PemUtils { |
Cloned from org.elasticsearch.xpack.core.ssl with minor variations (mostly due to not being able to use core ES classes) and some additional detail in error messages.
/** | ||
* A base exception for problems that occur while trying to configure SSL. | ||
*/ | ||
public class SslConfigException extends RuntimeException { |
A simple base class because code in libs/ can't use ElasticsearchException.
@@ -0,0 +1,149 @@ | |||
= Keystore Details | |||
This document details the steps used to create the certificate and keystore files in this directory. |
This file and all the keys/certs in this directory were cloned from the x-pack pem-utils tests.
We can't control the message, and it varies by JRE release so there's no good reason to assert on it.
I did a first pass and it looks good. I didn't make it to the tests but I'll do so tomorrow with a cleaner head. It sure helped that you marked the cloned files 👍
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
*/ | ||
public abstract void configure(SSLParameters sslParameters); | ||
|
||
private static final Map<String, SslClientAuthenticationMode> LOOKUP = new LinkedHashMap<>(3); |
Not that I see an issue with this, but for my own benefit/curiosity: is there a specific reason to use an extra LinkedHashMap and not use Enum.valueOf, or a switch statement, to get the SslClientAuthenticationMode from its name?
The version I copied from had a switch, but that style has a few weaknesses (IMO):
- You can't create reasonable error messages without duplicating the keys. The old code would switch on string constants, but then use Enum.name().toLowerCase() for the error message. It works, but there's no guarantee of consistency between those 2 sets of values.
- It ends up longer and more verbose (particularly when you want helpful diagnostic errors) for no real benefit.
The other option is to simply use Enum.valueOf and Enum.name, which ties the configuration strings to the enum constants. There's a minor risk in that changes to the enum names change the accepted settings, but that risk is covered pretty well by tests.
Personally that's my preference, but it's not what we normally do, so I didn't go that direction.
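The trade-off discussed in this thread, written out as an added example (this is not the PR's SslClientAuthenticationMode, and the setting values "none", "optional" and "required" are assumed here): one LinkedHashMap holds the accepted configuration strings, and the error message is built from that same map's key set, so the accepted values and the diagnostic can never drift apart. A second method shows the Enum.valueOf alternative for contrast, where renaming a constant silently changes what the setting accepts.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

/**
 * Illustrative client-authentication mode enum (example code, not the library's own).
 * The accepted setting strings live in a single LinkedHashMap; insertion order is
 * preserved so error messages list the values in a stable, readable order.
 */
enum ClientAuthMode {
    NONE, OPTIONAL, REQUIRED;

    // Assumed setting spellings for this example.
    private static final Map<String, ClientAuthMode> LOOKUP = new LinkedHashMap<>(3);
    static {
        LOOKUP.put("none", NONE);
        LOOKUP.put("optional", OPTIONAL);
        LOOKUP.put("required", REQUIRED);
    }

    /** Map-based lookup: the error message is derived from the same keys that are accepted. */
    static ClientAuthMode parse(String value) {
        Objects.requireNonNull(value, "value");
        ClientAuthMode mode = LOOKUP.get(value.toLowerCase(Locale.ROOT));
        if (mode == null) {
            throw new IllegalArgumentException("unsupported client authentication mode [" + value
                + "]; accepted values are " + LOOKUP.keySet());
        }
        return mode;
    }

    /** The Enum.valueOf alternative: accepted strings are tied to the constant names. */
    static ClientAuthMode parseViaValueOf(String value) {
        Objects.requireNonNull(value, "value");
        try {
            return ClientAuthMode.valueOf(value.toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            // The accepted set is whatever the constants happen to be named right now.
            throw new IllegalArgumentException("unsupported client authentication mode [" + value
                + "]; accepted values are " + Arrays.stream(values())
                    .map(m -> m.name().toLowerCase(Locale.ROOT))
                    .collect(Collectors.toList()), e);
        }
    }

    public static void main(String[] args) {
        System.out.println(parse("Required"));
        System.out.println(parseViaValueOf("optional"));
        try {
            parse("mandatory");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Both parsers are case-insensitive via Locale.ROOT so that a locale such as Turkish cannot change how "optional" is folded; the map version is the one that keeps the accepted strings stable across enum refactoring.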
} | ||
|
||
/** | ||
* Picks the best (highest security / most recent standard) SSL/TLS algorithm that is supported by the |
* Picks the best (highest security / most recent standard) SSL/TLS algorithm that is supported by the | |
* Picks the best (highest security / most recent standard) SSL/TLS version that is supported by the |
I resolved this with a slightly different wording. Let me know if you still see an issue.
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemKeyConfig.java
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslClientAuthenticationMode.java
private String contextAlgorithm() { | ||
if (supportedProtocols.isEmpty()) { | ||
// shouldn't happen... | ||
return "TLSv1.2"; |
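Review bot: the isEmpty() branch of contextAlgorithm returns a hard-coded "TLSv1.2" for a state the comment itself calls impossible, which turns a misconfiguration into a silently chosen protocol; throw instead (the SslConfigException introduced in this PR fits) so that an empty supportedProtocols list fails at configuration time rather than surfacing later as a handshake using a version nobody configured.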
if it shouldn't happen, throw an exception?
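An added example of the fail-closed version of this selection (not the PR's contextAlgorithm): the newest protocol in the configured list becomes the SSLContext algorithm, and an empty or unrecognised list throws instead of defaulting to "TLSv1.2". The ranking table, the method names and the use of IllegalStateException in place of the library's own exception type are assumptions of this example. The second method mirrors the configure(SSLParameters) hook seen earlier in the review, restricting the handshake to the configured protocols.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Example code, not part of the ssl-config library. */
final class TlsProtocolSelection {

    // Most recent standard first. Assumed ranking for this example.
    private static final List<String> RANKED = Arrays.asList(
        "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");

    private TlsProtocolSelection() {}

    /**
     * Returns the most recent protocol present in the configured list, suitable for
     * SSLContext.getInstance(). Fails closed: an empty list or a list with no known
     * TLS version is a configuration error, not something to paper over with a default.
     */
    static String pickContextAlgorithm(Collection<String> supportedProtocols) {
        if (supportedProtocols == null || supportedProtocols.isEmpty()) {
            throw new IllegalStateException("no supported SSL/TLS protocols were configured");
        }
        for (String candidate : RANKED) {
            if (supportedProtocols.contains(candidate)) {
                return candidate;
            }
        }
        throw new IllegalStateException("none of the configured protocols " + supportedProtocols
            + " is a known TLS version; expected one of " + RANKED);
    }

    /** Restricts the handshake to exactly the configured protocol list. */
    static SSLParameters configure(SSLParameters params, Collection<String> supportedProtocols) {
        params.setProtocols(supportedProtocols.toArray(new String[0]));
        return params;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed input: what a deployment might list under ssl.supported_protocols.
        List<String> configured = Arrays.asList("TLSv1.1", "TLSv1.2", "TLSv1.3");
        String algorithm = pickContextAlgorithm(configured);
        SSLContext context = SSLContext.getInstance(algorithm);
        context.init(null, null, null); // JVM default key and trust managers, enough for the demo
        SSLParameters params = configure(context.getDefaultSSLParameters(), configured);
        System.out.println(algorithm + " -> " + Arrays.toString(params.getProtocols()));

        try {
            pickContextAlgorithm(Collections.emptyList());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The context algorithm only governs which SSLContext implementation is created; the enabled protocol set is still narrowed separately through SSLParameters, which is why the two concerns are split into two methods.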
libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslVerificationMode.java
libs/ssl-config/build.gradle
* under the License. | ||
*/ | ||
|
||
archivesBaseName = 'elasticsearch-ssl-config' |
It would be preferable to alter project.name in settings.gradle as that would have effects across the board, including what you are looking for here. Also means that if we were to publish this the correct pom would be generated without additional configuration and better visibility in the IDE.
There are some additional changes needed in settings.gradle to keep Eclipse happy, see the discussion in #36477 for a similar change.
Thanks @tvernum, looks good! You can now also remove this line archiveBaseName since with the changed project name that's the default now.
LGTM
Hmm, @elasticmachine, let's run the default distro tests again.
@elasticmachine -- run gradle build tests 1
* master:
- Deprecate _type from LeafDocLookup (elastic#37491)
- Allow system privilege to execute proxied actions (elastic#37508)
- Update Put Watch to allow unknown fields (elastic#37494)
- AwaitsFix testAddNewReplicas
- SQL: Add protocol tests and remove jdbc_type from drivers response (elastic#37516)
- SQL: [Docs] Add an ES-SQL column for data types (elastic#37529)
- IndexMetaData#mappingOrDefault doesn't need to take a type argument. (elastic#37480)
- Simplify + Cleanup Dead Code in Settings (elastic#37341)
- Reject all requests that have an unconsumed body (elastic#37504)
- [Ml] Prevent config snapshot failure blocking migration (elastic#37493)
- Fix line length for aliases and remove suppression (elastic#37455)
- Add SSL Configuration Library (elastic#37287)
- SQL: Remove slightly used meta commands (elastic#37506)
- Simplify Snapshot Create Request Handling (elastic#37464)
- Remove the use of AbstracLifecycleComponent constructor elastic#37488 (elastic#37488)
- [ML] log minimum diskspace setting if forecast fails due to insufficient d… (elastic#37486)
Adds reindex.ssl.* settings for reindex from remote. This uses the ssl-config/ internal library to parse and load SSL configuration and files. This is applied when using the low level rest client to connect to a remote ES node Backport of: elastic#37527 Relates: elastic#37287 Resolves: elastic#29755
This is used by the reindex-client library which is published to maven Relates: elastic#37287, elastic#37527 Closes: elastic#38944
This is used by the reindex-client library which is published to maven Relates: elastic#37287, elastic#37527 Backport of: elastic#39019
This is used by the reindex-client library which is published to maven Relates: elastic#37287, elastic#37527 Closes: elastic#38944 Backport of: elastic#39019
This introduces a new ssl-config library that can parse
and validate SSL/TLS settings and files.
It supports the standard configuration settings as used in the
Elastic Stack such as "ssl.verification_mode" and
"ssl.certificate_authorities" as well as all file formats used
in other parts of Elasticsearch security (such as PEM, JKS,
PKCS#12, PKCS#8, et al).
Relates: #29755
This commit just adds the new library, a follow up change will make use of it in reindex.
At a future point in time I will also switch X-Pack security to use some/all of this library.
Most of this code is based on existing X-Pack code, but has been heavily refactored in the process.
The PEM parsing code has been modified slightly, mostly due to needing to be part of a standalone library.