Filter out CA PrivateKeyEntry when creating a KeyManager #73807
Conversation
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
|
@BigPandaToo I looked into the failing tests and these are actually bugs in the enroll node and enroll kibana APIs that we missed originally because of lack of integration tests. I fixed them here instead of opening a new PR, let me know if you have any concerns with that |
| setting 'xpack.security.transport.ssl.enabled', 'true' | ||
| setting 'xpack.security.http.ssl.keystore.path', 'httpCa.p12' | ||
| setting 'xpack.security.transport.ssl.keystore.path', 'transport.p12' | ||
| setting 'xpack.security.transport.ssl.verification_mode', 'none' |
There was a problem hiding this comment.
Why do we need verification mode to be none for transport ?
There was a problem hiding this comment.
Changed it to certificate. The reason I didn't leave it to be full - this transport cert doesn't have SAN (which is required for the full verification mode). I think it is orthogonal to these test purposes.
There was a problem hiding this comment.
Changed it to certificate.
This is what we will be configuring nodes with too, so it makes sense to have this to certificate instead of none.
The reason I didn't leave it to be full - this transport cert doesn't have SAN (which is required for the full verification mode).I think it is orthogonal to these test purposes.
We are using this cluster for Enrollment IT and our enrollment process will generate configuration that sets the transport verification mode to certificate so it's in our best interest to keep the test cluster config as close to what users will have as possible
...t-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java
Show resolved
Hide resolved
...java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java
Show resolved
Hide resolved
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java
Outdated
Show resolved
Hide resolved
BigPandaToo
changed the title
|
@elasticmachine update branch |
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java
Show resolved
Hide resolved
| assertThat(http_key, notNullValue()); | ||
| assertThat(aliases.length, equalTo(1)); | ||
| assertThat(aliases[0], equalTo("http")); | ||
| assertThat(certificates.length, equalTo(2)); |
There was a problem hiding this comment.
I think we can remove this assertion, it doesn't test something that we are interested in ( the certificate chain length of the non-ca certificate we happened to use in the test ) - same as below
There was a problem hiding this comment.
Just making sure we haven't deleted something we didn't mean to (like it happened before the last chage)
There was a problem hiding this comment.
This the certificate chain length of a single certificate chain of a single PrivateKeyEntry. ( final X509Certificate[] certificates = keyManager.getCertificateChain("http"); )
We wouldn't have deleted one of the certificates in that chain before the last change.
There was a problem hiding this comment.
I still think we don't need this, but won't block the PR on this
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java
Outdated
Show resolved
Hide resolved
| assertThat(aliases[0], equalTo("ca")); | ||
| assertThat(certificates.length, equalTo(1)); | ||
| } | ||
|
|
There was a problem hiding this comment.
maybe quickly add one that contains a keystore with private key entries and trusted certificate entries and check the behavior there too ?
There was a problem hiding this comment.
What do you mean? A keystore with multiple not ca private key? Making sure nothing being deleted?
There was a problem hiding this comment.
A keystore with a TrustedCertificate entry, a CA PrivateKeyEntry and a non-ca PrivateKeyEntry and make sure that we removed the CA PrivateKeyEntry only
There was a problem hiding this comment.
I believe that's what httpCa.p12 is in testCreateKeyManagerFromPKCS12ContainingCA
...rity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Thanks for the iteration @BigPandaToo . Let's fix the keystore checking for multiple entries and a couple minor things and it'd be good to be merged
|
Suggestion for PR Title : "Filter out CA PrivateKeyEntry when creating a KeyManager" Suggestion for the description: ( It'd be nice to have diffs and suggested text as with code :/ but we don't so I add this below , feel free to pick any of the wording you might like ) -----> |
BigPandaToo
changed the title
| keyStore.load(in, keyStorePassword.getChars()); | ||
| } | ||
| List<String> aliases = new ArrayList<>(); | ||
| for (String s : Collections.list(keyStore.aliases())) { |
There was a problem hiding this comment.
we should not be filtering here. We should check that the aliases of all entries are 3 so that we can verify below that we do not remove non PrivateKeyEntry entries
In 8.0, with security on by default, we store the HTTP
layer CA PrivateKeyEntry in the http.ssl keystore (along
with the node certificate) so that it is available in our
Enrollment API transport actions.
When loading a keystore, the current behavior is that the
X509ExtendedKeyManager will iterate through the PrivateKeyEntry
objects and will return the first key/certificate that satisfies
the requirements of the client and the server configuration,
and lacks any additional logic/filters.
We need the KeyManager to deterministically pick the node
certificate/key in all cases as this is the intended entry to be
used for TLS on the HTTP layer.
This change introduces filtering when creating the in-memory
keystore the KeyManager is loaded with, so that it will not
include PrivateKeyEntry objects when:
CA certificate
Related: #75097