
Allow test-with-ssl-plugin to be used in FIPS #66554

Merged
merged 7 commits into from
Jan 14, 2021

Conversation

jkakavas
Member

Selectively use PEM files instead of keystores so that the plugin
can be applied to projects even if these would run in fips mode

@jkakavas jkakavas added >non-issue :Delivery/Build Build or test infrastructure labels Dec 17, 2020
@jkakavas jkakavas requested a review from breskeby December 17, 2020 19:42
@elasticmachine elasticmachine added the Team:Delivery Meta label for Delivery team label Dec 17, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@jkakavas
Member Author

@elasticmachine update branch

@jkakavas jkakavas requested review from ywangd and tvernum December 23, 2020 07:42
Member

@ywangd ywangd left a comment


LGTM

@@ -18,3 +18,11 @@ The certificates are generated using catch-all SAN in the following procedure:
`keytool -export -alias test-client -keystore test-client.jks -storepass keypass -file test-client.crt`
6. Import the client certificate in the node's keystore:
`keytool -import -alias test-client -keystore test-node.jks -storepass keypass -file test-client.crt -noprompt`
7. Convert the node's keystore to PKCS#12 temporarily so that we can export the private key ( as keytool doesn't allow this)
`keytool -importkeystore -srckeystore test-node.jks -srcstorepass keypass -destkeystore test-node.p12 -deststoretype PKCS12 -deststorepass keypass`
8. Export the client's private key
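Review bot: step 8 at the end of this hunk is labelled "Export the client's private key", but the `keytool -importkeystore` command in step 7 converts test-node.jks into test-node.p12, so the only key that can be exported from that file is the node's; relabel the step "Export the node's private key" so a reader following the README is not sent to the wrong PKCS#12 file for the client key.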
Member


Suggested change
8. Export the client's private key
8. Export the node's private key

`keytool -importkeystore -srckeystore test-node.jks -srcstorepass keypass -destkeystore test-node.p12 -deststoretype PKCS12 -deststorepass keypass`
8. Export the client's private key
`openssl pkcs12 -in test-node.p12 -passin pass:keypass -nocerts -nodes -out test-node.key`
9. Convert the node's keystore to PKCS#12 temporarily so that we can export the private key ( as keytool doesn't allow this)
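Review bot: step 9 on the last line repeats the wording of step 7 ("Convert the node's keystore to PKCS#12 temporarily"), although step 8 has just exported the node's key from test-node.p12; the second conversion should name the client's keystore (test-client.jks from the earlier steps) so the procedure actually yields both PEM keys, and the `-srckeystore`/`-destkeystore` arguments of the command that follows it should use the client file names rather than test-node.*.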
Member


Suggested change
9. Convert the node's keystore to PKCS#12 temporarily so that we can export the private key ( as keytool doesn't allow this)
9. Convert the client's keystore to PKCS#12 temporarily so that we can export the private key ( as keytool doesn't allow this)

7. Convert the node's keystore to PKCS#12 temporarily so that we can export the private key ( as keytool doesn't allow this)
`keytool -importkeystore -srckeystore test-node.jks -srcstorepass keypass -destkeystore test-node.p12 -deststoretype PKCS12 -deststorepass keypass`
8. Export the client's private key
`openssl pkcs12 -in test-node.p12 -passin pass:keypass -nocerts -nodes -out test-node.key`
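Review bot: `openssl pkcs12 ... -nocerts -nodes` on the last line writes test-node.key as an unencrypted PEM private key; since this fixture exists to exercise FIPS mode, where deployments will normally ship encrypted keys, consider documenting an encrypted variant as well (drop `-nodes` and supply `-passout pass:<password>`) so the encrypted-key code path is also covered, and note in the README that the plaintext key file is a test-only artifact that must not be reused outside the test fixture.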
Member


Is there any value in having encryption here? Since this file is mainly used for testing FIPS, most likely the private key will be encrypted in the wild.

Member Author


I think we have enough coverage for this in unit tests, but on the other hand, why not? :)

@jkakavas
Member Author

@elasticmachine update branch

@jkakavas
Member Author

@elasticmachine update branch

@jkakavas jkakavas merged commit 1c56c40 into elastic:master Jan 14, 2021
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request Jan 15, 2021
Selectively use PEM files instead of keystores so that the plugin
can be applied to projects even if these would run in fips mode
jkakavas added a commit that referenced this pull request Jan 15, 2021
Selectively use PEM files instead of keystores so that the plugin
can be applied to projects even if these would run in fips mode