Add support for KeyStore filters to ssl-config (#75407)

This commit adds the concept of a KeyStore filter to the SSL
configuration library.
Such a filter is applied to a KeyStore before it is used to construct
a KeyManager, in order to modify the entries in the keystore
(typically to remove entries that should not be used as SSL
client/server keys).
Tim Vernum 2021-08-03 13:22:13 +10:00 committed by GitHub
parent c5796645cf
commit c6a90bb5d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 164 additions and 24 deletions


@ -33,6 +33,7 @@ import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import java.util.function.Function; import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.Stream; import java.util.stream.Stream;
@ -89,6 +90,17 @@ public final class KeyStoreUtil {
return keyStore; return keyStore;
} }
/**
* Filters a keystore using a predicate.
* The provided keystore is modified in place.
*/
public static KeyStore filter(KeyStore store, Predicate<KeyStoreEntry> filter) {
stream(store, e -> new SslConfigException("Failed to apply filter to existing keystore", e))
.filter(filter.negate())
.forEach(e -> e.delete());
return store;
}
/** /**
* Construct an in-memory keystore with multiple trusted cert entries. * Construct an in-memory keystore with multiple trusted cert entries.
* *
@ -170,7 +182,7 @@ public final class KeyStoreUtil {
return createTrustManager(store, TrustManagerFactory.getDefaultAlgorithm()); return createTrustManager(store, TrustManagerFactory.getDefaultAlgorithm());
} }
static Stream<KeyStoreEntry> stream(KeyStore keyStore, public static Stream<KeyStoreEntry> stream(KeyStore keyStore,
Function<GeneralSecurityException, ? extends RuntimeException> exceptionHandler) { Function<GeneralSecurityException, ? extends RuntimeException> exceptionHandler) {
try { try {
return Collections.list(keyStore.aliases()).stream().map(a -> new KeyStoreEntry(keyStore, a, exceptionHandler)); return Collections.list(keyStore.aliases()).stream().map(a -> new KeyStoreEntry(keyStore, a, exceptionHandler));
@ -179,7 +191,7 @@ public final class KeyStoreUtil {
} }
} }
static class KeyStoreEntry { public static class KeyStoreEntry {
private final KeyStore store; private final KeyStore store;
private final String alias; private final String alias;
private final Function<GeneralSecurityException, ? extends RuntimeException> exceptionHandler; private final Function<GeneralSecurityException, ? extends RuntimeException> exceptionHandler;
@ -270,6 +282,17 @@ public final class KeyStoreUtil {
} }
} }
/**
* Remove this entry from the underlying keystore
*/
public void delete() {
try {
store.deleteEntry(alias);
} catch (KeyStoreException e) {
throw exceptionHandler.apply(e);
}
}
} }
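Review bot: The Javadoc on `KeyStoreUtil.filter` does not say which way the predicate works, and for a filter whose purpose is to drop keys that must not be used as SSL keys that polarity should be explicit. The body deletes every entry matched by `filter.negate()`, so entries for which the predicate returns true are kept; I would add `Entries for which the predicate returns {@code true} are retained; all other entries are deleted.` together with `@param`/`@return` tags noting that the returned store is the same instance that was passed in. This section also makes `stream` and `KeyStoreEntry` public and adds `delete()`, so any caller holding an entry can now mutate the backing keystore; the Javadoc on `delete()` should say that the change is immediate and applies to the store the entry was streamed from.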


@ -13,6 +13,7 @@ import org.elasticsearch.jdk.JavaVersion;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.TrustManagerFactory;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
@ -166,6 +167,8 @@ public abstract class SslConfigurationLoader {
private List<String> defaultCiphers; private List<String> defaultCiphers;
private List<String> defaultProtocols; private List<String> defaultProtocols;
private Function<KeyStore, KeyStore> keyStoreFilter;
/** /**
* Construct a new loader with the "standard" default values. * Construct a new loader with the "standard" default values.
* *
@ -235,6 +238,15 @@ public abstract class SslConfigurationLoader {
this.defaultProtocols = defaultProtocols; this.defaultProtocols = defaultProtocols;
} }
/**
* Apply a filter function to any keystore that is loaded.
* @see StoreKeyConfig
*/
public void setKeyStoreFilter(Function<KeyStore, KeyStore> keyStoreFilter) {
this.keyStoreFilter = keyStoreFilter;
}
/** /**
* Clients of this class should implement this method to determine whether there are any settings for a given prefix. * Clients of this class should implement this method to determine whether there are any settings for a given prefix.
* This is used to populate {@link SslConfiguration#isExplicitlyConfigured()}. * This is used to populate {@link SslConfiguration#isExplicitlyConfigured()}.
@ -363,7 +375,7 @@ public abstract class SslConfigurationLoader {
} }
final String storeType = resolveSetting(KEYSTORE_TYPE, Function.identity(), inferKeyStoreType(keyStorePath)); final String storeType = resolveSetting(KEYSTORE_TYPE, Function.identity(), inferKeyStoreType(keyStorePath));
final String algorithm = resolveSetting(KEYSTORE_ALGORITHM, Function.identity(), KeyManagerFactory.getDefaultAlgorithm()); final String algorithm = resolveSetting(KEYSTORE_ALGORITHM, Function.identity(), KeyManagerFactory.getDefaultAlgorithm());
return new StoreKeyConfig(keyStorePath, storePassword, storeType, keyPassword, algorithm, basePath); return new StoreKeyConfig(keyStorePath, storePassword, storeType, keyStoreFilter, keyPassword, algorithm, basePath);
} }
return defaultKeyConfig; return defaultKeyConfig;
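Review bot: The Javadoc on `setKeyStoreFilter` says the filter applies to "any keystore that is loaded", but in the visible hunks the field is only handed to the `StoreKeyConfig` constructor. If trust stores are not filtered (their construction is outside these hunks), the comment overstates the coverage; something like `Apply a filter function to keystores that supply key material (see StoreKeyConfig); trust stores are not affected.` would be more accurate. It would also help to state that the setter has to be called before a configuration is loaded, because the field is read at the moment the `StoreKeyConfig` is built. The method that builds the `StoreKeyConfig` starts outside the hunk.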


@ -8,6 +8,7 @@
package org.elasticsearch.common.ssl; package org.elasticsearch.common.ssl;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Tuple; import org.elasticsearch.core.Tuple;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
@ -28,6 +29,7 @@ import java.util.Collection;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.List; import java.util.List;
import java.util.Objects; import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors; import java.util.stream.Collectors;
/** /**
@ -37,6 +39,7 @@ public class StoreKeyConfig implements SslKeyConfig {
private final String keystorePath; private final String keystorePath;
private final String type; private final String type;
private final char[] storePassword; private final char[] storePassword;
private final Function<KeyStore, KeyStore> filter;
private final char[] keyPassword; private final char[] keyPassword;
private final String algorithm; private final String algorithm;
private final Path configBasePath; private final Path configBasePath;
@ -46,18 +49,21 @@ public class StoreKeyConfig implements SslKeyConfig {
* @param storePassword The password for the keystore * @param storePassword The password for the keystore
* @param type The {@link KeyStore#getType() type} of the keystore (typically "PKCS12" or "jks"). * @param type The {@link KeyStore#getType() type} of the keystore (typically "PKCS12" or "jks").
* See {@link KeyStoreUtil#inferKeyStoreType}. * See {@link KeyStoreUtil#inferKeyStoreType}.
* @param filter A function to process the keystore after it is loaded. See {@link KeyStoreUtil#filter}
* @param keyPassword The password for the key(s) within the keystore * @param keyPassword The password for the key(s) within the keystore
* (see {@link javax.net.ssl.KeyManagerFactory#init(KeyStore, char[])}). * (see {@link KeyManagerFactory#init(KeyStore, char[])}).
* @param algorithm The algorithm to use for the Key Manager (see {@link KeyManagerFactory#getAlgorithm()}). * @param algorithm The algorithm to use for the Key Manager (see {@link KeyManagerFactory#getAlgorithm()}).
* @param configBasePath The base path for configuration files (used for error handling) * @param configBasePath The base path for configuration files (used for error handling)
*/ */
public StoreKeyConfig(String path, char[] storePassword, String type, char[] keyPassword, String algorithm, Path configBasePath) { public StoreKeyConfig(String path, char[] storePassword, String type, @Nullable Function<KeyStore, KeyStore> filter,
char[] keyPassword, String algorithm, Path configBasePath) {
this.keystorePath = Objects.requireNonNull(path, "Keystore path cannot be null");
this.storePassword = Objects.requireNonNull(storePassword, "Keystore password cannot be null (but may be empty)"); this.storePassword = Objects.requireNonNull(storePassword, "Keystore password cannot be null (but may be empty)");
this.type = Objects.requireNonNull(type, "Keystore type cannot be null");
this.filter = filter;
this.keyPassword = Objects.requireNonNull(keyPassword, "Key password cannot be null (but may be empty)"); this.keyPassword = Objects.requireNonNull(keyPassword, "Key password cannot be null (but may be empty)");
this.algorithm = Objects.requireNonNull(algorithm, "Keystore algorithm cannot be null"); this.algorithm = Objects.requireNonNull(algorithm, "Keystore algorithm cannot be null");
this.configBasePath = Objects.requireNonNull(configBasePath, "Config path cannot be null"); this.configBasePath = Objects.requireNonNull(configBasePath, "Config path cannot be null");
this.keystorePath = Objects.requireNonNull(path, "Keystore path cannot be null");
this.type = Objects.requireNonNull(type, "Keystore type cannot be null");
} }
@Override @Override
@ -80,10 +86,23 @@ public class StoreKeyConfig implements SslKeyConfig {
return configBasePath.resolve(keystorePath); return configBasePath.resolve(keystorePath);
} }
/**
* Equivalent to {@link #getKeys(boolean) getKeys(false)}.
*/
@Override @Override
public List<Tuple<PrivateKey, X509Certificate>> getKeys() { public List<Tuple<PrivateKey, X509Certificate>> getKeys() {
return getKeys(false);
}
/**
* Return the list of keys inside the configured keystore, optionally applying the {@code filter} that was set during construction.
*/
public List<Tuple<PrivateKey, X509Certificate>> getKeys(boolean filterKeystore) {
final Path path = resolvePath(); final Path path = resolvePath();
final KeyStore keyStore = readKeyStore(path); KeyStore keyStore = readKeyStore(path);
if (filterKeystore) {
keyStore = this.processKeyStore(keyStore);
}
return KeyStoreUtil.stream(keyStore, ex -> keystoreException(path, ex)) return KeyStoreUtil.stream(keyStore, ex -> keystoreException(path, ex))
.filter(KeyStoreUtil.KeyStoreEntry::isKeyEntry) .filter(KeyStoreUtil.KeyStoreEntry::isKeyEntry)
.map(entry -> { .map(entry -> {
@ -122,7 +141,8 @@ public class StoreKeyConfig implements SslKeyConfig {
private X509ExtendedKeyManager createKeyManager(Path path) { private X509ExtendedKeyManager createKeyManager(Path path) {
try { try {
final KeyStore keyStore = readKeyStore(path); KeyStore keyStore = readKeyStore(path);
keyStore = processKeyStore(keyStore);
checkKeyStore(keyStore, path); checkKeyStore(keyStore, path);
return KeyStoreUtil.createKeyManager(keyStore, keyPassword, algorithm); return KeyStoreUtil.createKeyManager(keyStore, keyPassword, algorithm);
} catch (GeneralSecurityException e) { } catch (GeneralSecurityException e) {
@ -130,6 +150,13 @@ public class StoreKeyConfig implements SslKeyConfig {
} }
} }
private KeyStore processKeyStore(KeyStore keyStore) {
if (filter == null) {
return keyStore;
}
return Objects.requireNonNull(filter.apply(keyStore), "A keystore filter may not return null");
}
private KeyStore readKeyStore(Path path) { private KeyStore readKeyStore(Path path) {
try { try {
return KeyStoreUtil.readKeyStore(path, type, storePassword); return KeyStoreUtil.readKeyStore(path, type, storePassword);
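Review bot: The no-argument `getKeys()` now returns the unfiltered keystore contents while `createKeyManager` always runs `processKeyStore`, so the two can disagree about which keys this configuration actually serves. A caller that uses `getKeys()` for reporting or validation would see entries that the filter removed from the key manager. If that is intended, the Javadoc on `getKeys()` should say so, for example `Returns every key entry in the keystore file, including entries that the configured filter excludes from the key manager.` Separately, `checkKeyStore` runs after the filter; its body is outside the hunk, but if it reports a missing key entry it may blame the file when the filter removed everything, so that message is worth checking.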


@ -0,0 +1,59 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0 and the Server Side Public License, v 1; you may not use this file except
* in compliance with, at your election, the Elastic License 2.0 or the Server
* Side Public License, v 1.
*/
package org.elasticsearch.common.ssl;
import org.elasticsearch.test.ESTestCase;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.equalTo;
public class KeyStoreUtilTests extends ESTestCase {
private static final char[] P12_PASS = "p12-pass".toCharArray();
public void testFilter() throws Exception {
assumeFalse("Can't use PKCS#12 keystores in a FIPS JVM", inFipsJvm());
final Path p12 = getDataPath("/certs/cert-all/certs.p12");
final KeyStore original = KeyStoreUtil.readKeyStore(p12, "PKCS12", P12_PASS);
// No-op filter
final KeyStore clone = KeyStoreUtil.filter(KeyStoreUtil.readKeyStore(p12, "PKCS12", P12_PASS), entry -> true);
assertThat(Collections.list(clone.aliases()), containsInAnyOrder("cert1", "cert2"));
assertSameEntry(original, clone, "cert1", P12_PASS);
assertSameEntry(original, clone, "cert2", P12_PASS);
// Filter by alias
final KeyStore cert1 = KeyStoreUtil.filter(
KeyStoreUtil.readKeyStore(p12, "PKCS12", P12_PASS),
entry -> entry.getAlias().equals("cert1")
);
assertThat(Collections.list(cert1.aliases()), containsInAnyOrder("cert1"));
assertSameEntry(original, cert1, "cert1", P12_PASS);
// Filter by cert
final KeyStore cert2 = KeyStoreUtil.filter(
KeyStoreUtil.readKeyStore(p12, "PKCS12", P12_PASS),
entry -> entry.getX509Certificate().getSubjectX500Principal().getName().equals("CN=cert2")
);
assertThat(Collections.list(cert2.aliases()), containsInAnyOrder("cert2"));
assertSameEntry(original, cert2, "cert2", P12_PASS);
}
private void assertSameEntry(KeyStore ks1, KeyStore ks2, String alias, char[] keyPassword) throws Exception {
assertThat(ks1.isKeyEntry(alias), equalTo(ks2.isKeyEntry(alias)));
assertThat(ks1.isCertificateEntry(alias), equalTo(ks2.isCertificateEntry(alias)));
assertThat(ks1.getCertificate(alias), equalTo(ks2.getCertificate(alias)));
assertThat(ks1.getCertificateChain(alias), equalTo(ks2.getCertificateChain(alias)));
assertThat(ks1.getKey(alias, P12_PASS), equalTo(ks2.getKey(alias, keyPassword)));
}
}
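Review bot: In `assertSameEntry` the first keystore is read with the constant `P12_PASS` while the second uses the `keyPassword` parameter, so the parameter only half applies. Both callers pass `P12_PASS` today, so the test passes, but the helper would compare wrongly for any other password; I would write `assertThat(ks1.getKey(alias, keyPassword), equalTo(ks2.getKey(alias, keyPassword)));`. A case where the predicate rejects every entry would also be worth adding, since `testFilter` only covers filters that keep at least one entry.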


@ -19,11 +19,13 @@ import java.nio.file.NoSuchFileException;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.StandardCopyOption; import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.security.cert.CertificateParsingException; import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.function.Function;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager; import javax.net.ssl.X509ExtendedKeyManager;
@ -44,6 +46,8 @@ public class StoreKeyConfigTests extends ESTestCase {
private static final char[] P12_PASS = "p12-pass".toCharArray(); private static final char[] P12_PASS = "p12-pass".toCharArray();
private static final char[] JKS_PASS = "jks-pass".toCharArray(); private static final char[] JKS_PASS = "jks-pass".toCharArray();
private static final String KEY_MGR_ALGORITHM = KeyManagerFactory.getDefaultAlgorithm();
private static final char[] KEY_PASS = "key-pass".toCharArray();
private Path configBasePath; private Path configBasePath;
@ -68,11 +72,23 @@ public class StoreKeyConfigTests extends ESTestCase {
assertKeysLoaded(keyConfig, "cert1", "cert2"); assertKeysLoaded(keyConfig, "cert1", "cert2");
} }
public void testFilterMultipleKeyPKCS12() throws Exception {
assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
final Path p12 = getDataPath("/certs/cert-all/certs.p12");
final StoreKeyConfig keyConfig = config(
p12,
P12_PASS,
"PKCS12",
ks -> KeyStoreUtil.filter(ks, entry -> entry.getAlias().equals("cert1"))
);
assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(p12));
assertKeysLoaded(keyConfig, "cert1");
}
public void testLoadMultipleKeyJksWithSeparateKeyPassword() throws Exception { public void testLoadMultipleKeyJksWithSeparateKeyPassword() throws Exception {
assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
final String jks = "cert-all/certs.jks"; final String jks = "cert-all/certs.jks";
final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, JKS_PASS, "jks", "key-pass".toCharArray(), final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, JKS_PASS, "jks", null, KEY_PASS, KEY_MGR_ALGORITHM, configBasePath);
KeyManagerFactory.getDefaultAlgorithm(), configBasePath);
assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(configBasePath.resolve(jks))); assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(configBasePath.resolve(jks)));
assertKeysLoaded(keyConfig, "cert1", "cert2"); assertKeysLoaded(keyConfig, "cert1", "cert2");
} }
@ -80,8 +96,7 @@ public class StoreKeyConfigTests extends ESTestCase {
public void testKeyManagerFailsWithIncorrectStorePassword() throws Exception { public void testKeyManagerFailsWithIncorrectStorePassword() throws Exception {
assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm()); assumeFalse("Can't use JKS/PKCS12 keystores in a FIPS JVM", inFipsJvm());
final String jks = "cert-all/certs.jks"; final String jks = "cert-all/certs.jks";
final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, P12_PASS, "jks", "key-pass".toCharArray(), final StoreKeyConfig keyConfig = new StoreKeyConfig(jks, P12_PASS, "jks", null, KEY_PASS, KEY_MGR_ALGORITHM, configBasePath);
KeyManagerFactory.getDefaultAlgorithm(), configBasePath);
final Path path = configBasePath.resolve(jks); final Path path = configBasePath.resolve(jks);
assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(path)); assertThat(keyConfig.getDependentFiles(), Matchers.containsInAnyOrder(path));
assertPasswordIsIncorrect(keyConfig, path); assertPasswordIsIncorrect(keyConfig, path);
@ -149,8 +164,12 @@ public class StoreKeyConfigTests extends ESTestCase {
} }
private StoreKeyConfig config(Path path, char[] password, String type) { private StoreKeyConfig config(Path path, char[] password, String type) {
return config(path, password, type, null);
}
private StoreKeyConfig config(Path path, char[] password, String type, Function<KeyStore, KeyStore> filter) {
final String pathName = path == null ? null : path.toString(); final String pathName = path == null ? null : path.toString();
return new StoreKeyConfig(pathName, password, type, password, KeyManagerFactory.getDefaultAlgorithm(), configBasePath); return new StoreKeyConfig(pathName, password, type, filter, password, KeyManagerFactory.getDefaultAlgorithm(), configBasePath);
} }
private void assertKeysLoaded(StoreKeyConfig keyConfig, String... names) throws CertificateParsingException { private void assertKeysLoaded(StoreKeyConfig keyConfig, String... names) throws CertificateParsingException {
@ -175,7 +194,7 @@ public class StoreKeyConfigTests extends ESTestCase {
)); ));
} }
final List<Tuple<PrivateKey, X509Certificate>> keys = keyConfig.getKeys(); final List<Tuple<PrivateKey, X509Certificate>> keys = keyConfig.getKeys(true);
assertThat(keys, iterableWithSize(names.length)); assertThat(keys, iterableWithSize(names.length));
for (Tuple<PrivateKey, X509Certificate> tup : keys) { for (Tuple<PrivateKey, X509Certificate> tup : keys) {
PrivateKey privateKey = tup.v1(); PrivateKey privateKey = tup.v1();
@ -186,7 +205,7 @@ public class StoreKeyConfigTests extends ESTestCase {
assertThat(certificate.getIssuerDN().getName(), is("CN=Test CA 1")); assertThat(certificate.getIssuerDN().getName(), is("CN=Test CA 1"));
} }
} }
private void assertKeysNotLoaded(StoreKeyConfig keyConfig, String... names) throws CertificateParsingException { private void assertKeysNotLoaded(StoreKeyConfig keyConfig, String... names) throws CertificateParsingException {
final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(); final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager();
assertThat(keyManager, notNullValue()); assertThat(keyManager, notNullValue());
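Review bot: `assertKeysLoaded` now calls `getKeys(true)`, so nothing in the visible hunks asserts what the no-argument `getKeys()` returns when a filter is configured. Since `getKeys()` is defined as `getKeys(false)`, `testFilterMultipleKeyPKCS12` could pin that contract with one extra line such as `assertThat(keyConfig.getKeys(), iterableWithSize(2));`, so that a later change to the default cannot silently alter which keys are reported. The body of `assertKeysLoaded` starts outside the hunk, so this is based only on the lines shown.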


@ -112,7 +112,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig("path", PASSWORD, "type", PASSWORD, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig("path", PASSWORD, "type", null, PASSWORD, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
} }
@ -129,7 +129,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig("path", PASSWORD, "type", PASSWORD, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig("path", PASSWORD, "type", null, PASSWORD, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
assertSettingDeprecationsAndWarnings(new Setting<?>[]{ assertSettingDeprecationsAndWarnings(new Setting<?>[]{
@ -151,7 +151,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig("path", PASSWORD, "type", KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig("path", PASSWORD, "type", null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
} }
@ -169,7 +169,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig("path", PASSWORD, "type", KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig("path", PASSWORD, "type", null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
assertSettingDeprecationsAndWarnings(new Setting<?>[]{ assertSettingDeprecationsAndWarnings(new Setting<?>[]{
@ -192,7 +192,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig("xpack/tls/path.jks", PASSWORD, "jks", KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig("xpack/tls/path.jks", PASSWORD, "jks", null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
} }
@ -213,7 +213,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo( equalTo(
new StoreKeyConfig(path, PASSWORD, "PKCS12", KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()) new StoreKeyConfig(path, PASSWORD, "PKCS12", null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())
) )
); );
} }
@ -231,7 +231,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.getKeyConfig(); StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.getKeyConfig();
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo(new StoreKeyConfig("xpack/tls/path.foo", PASSWORD, "jks", KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())) equalTo(new StoreKeyConfig("xpack/tls/path.foo", PASSWORD, "jks", null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()))
); );
} }
@ -252,7 +252,7 @@ public class SslSettingsLoaderTests extends ESTestCase {
StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.getKeyConfig(); StoreKeyConfig ksKeyInfo = (StoreKeyConfig) sslConfiguration.getKeyConfig();
assertThat( assertThat(
ksKeyInfo, ksKeyInfo,
equalTo(new StoreKeyConfig(path, PASSWORD, type, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile())) equalTo(new StoreKeyConfig(path, PASSWORD, type, null, KEYPASS, KEY_MGR_ALGORITHM, environment.configFile()))
); );
} }