Minor additions for support SAN/dnsName for restricted trust (#91983) (…

…#92217) Partial backport for #91983 note - intentionally not backporting use of enumerations due to branch differences. A follow up to #91946 with the minor requested changes. Changes included here are: * reuse of variables * additional unit test
elastic · Dec 7, 2022 · b3e60c3 · b3e60c3
1 parent 1d485d0
commit b3e60c3
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 2 deletions.
diff --git a/...ck/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManager.java b/...ck/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManager.java
@@ -166,7 +166,7 @@ private Set<String> readX509Certificate(X509Certificate certificate) throws Cert
             values.addAll(dnsNames);
         }
         if (x509Fields.contains(SAN_OTHER_COMMON.toLowerCase(Locale.ROOT))) {
-            Set<String> otherNames = getSubjectAlternativeNames(certificate).stream()
+            Set<String> otherNames = sans.stream()
                 .filter(pair -> ((Integer) pair.get(0)).intValue() == SAN_CODE_OTHERNAME)
                 .map(pair -> pair.get(1))
                 .map(value -> decodeDerValue((byte[]) value, certificate))

diff --git a/.../plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java b/.../plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.java
@@ -272,7 +272,7 @@ public class SSLConfigurationSettings {
 
     public static final Function<String, Setting<List<String>>> TRUST_RESTRICTIONS_X509_FIELDS_TEMPLATE = key -> Setting.listSetting(
         key,
-        org.elasticsearch.core.List.of("subjectAltName.otherName.commonName"),
+        org.elasticsearch.core.List.of(RestrictedTrustConfig.SAN_OTHER_COMMON),
         s -> {
             Optional<String> value = RestrictedTrustConfig.SUPPORTED_X_509_FIELDS.stream().filter(v -> v.equalsIgnoreCase(s)).findAny();
             if (value.isPresent() == false) {

diff --git a/...ugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java b/...ugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
@@ -148,6 +148,53 @@ public void testTrustsOnlyNameOther() throws Exception {
         assertTrusted(trustManager, "onlyOtherName");
     }
 
+    public void testTrustWithVariedFields() throws Exception {
+        final Path cert = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/nodes/restricted.trust.crt");
+        baseTrustManager = CertParsingUtils.trustManager(CertParsingUtils.readCertificates(org.elasticsearch.core.List.of(cert)));
+        X509Certificate[] certs = CertParsingUtils.readX509Certificates(Collections.singletonList(cert));
+        assertTrue(certs[0].getSubjectAlternativeNames().stream().anyMatch(pair -> (Integer) pair.get(0) == 0)); // othername
+        assertTrue(certs[0].getSubjectAlternativeNames().stream().anyMatch(pair -> (Integer) pair.get(0) == 2)); // dns
+        assertTrue(certs[0].getSubjectAlternativeNames().stream().anyMatch(pair -> (Integer) pair.get(0) == 7)); // ip
+        certificates.put("varied", certs);
+        // othername/common name -> "instance03.cluster02.elasticsearch"
+        // dns -> "search.example.com"
+        // ip -> 50.100.150.200
+        String failureMatchDns = ".*subjectaltname\\.dnsname.*search\\.example\\.com.*does not match.*";
+        String failureMatchCommon = ".*subjectaltname\\.othername\\.commonname.*instance03\\.cluster02\\.elasticsearch.*does not match.*";
+
+        // instance03.cluster02.elasticsearch -> *.cluster02.elasticsearch
+        CertificateTrustRestrictions restrictions = new CertificateTrustRestrictions(
+            org.elasticsearch.core.List.of("*.cluster02.elasticsearch")
+        );
+        RestrictedTrustManager trustManager = new RestrictedTrustManager(
+            baseTrustManager,
+            restrictions,
+            org.elasticsearch.core.Set.of(SAN_OTHER_COMMON)
+        );
+        assertTrusted(trustManager, "varied");
+
+        // search.example.com -> *.cluster02.elasticsearch
+        restrictions = new CertificateTrustRestrictions(org.elasticsearch.core.List.of("*.cluster02.elasticsearch"));
+        trustManager = new RestrictedTrustManager(baseTrustManager, restrictions, org.elasticsearch.core.Set.of(SAN_DNS));
+        assertNotValid(trustManager, "varied", failureMatchDns);
+
+        // search.example.com -> *.example.com
+        restrictions = new CertificateTrustRestrictions(org.elasticsearch.core.List.of("*.example.com"));
+        trustManager = new RestrictedTrustManager(baseTrustManager, restrictions, org.elasticsearch.core.Set.of(SAN_DNS));
+        assertTrusted(trustManager, "varied");
+
+        // instance03.cluster02.elasticsearch -> *.example.com
+        restrictions = new CertificateTrustRestrictions(org.elasticsearch.core.List.of("*.example.com"));
+        trustManager = new RestrictedTrustManager(baseTrustManager, restrictions, org.elasticsearch.core.Set.of(SAN_OTHER_COMMON));
+        assertNotValid(trustManager, "varied", failureMatchCommon);
+
+        // instance03.cluster02.elasticsearch or search.example.com -> *.150.200
+        restrictions = new CertificateTrustRestrictions(org.elasticsearch.core.List.of("*.150.200"));
+        trustManager = new RestrictedTrustManager(baseTrustManager, restrictions, org.elasticsearch.core.Set.of(SAN_DNS, SAN_OTHER_COMMON));
+        assertNotValid(trustManager, "varied", failureMatchDns);
+        assertNotValid(trustManager, "varied", failureMatchCommon);
+    }
+
     public void testTrustsExplicitCertificateName() throws Exception {
         final int trustedCluster = randomIntBetween(1, numberOfClusters);
         final List<String> trustedNames = new ArrayList<>(numberOfNodes);

diff --git a/...es/org/elasticsearch/xpack/security/transport/ssl/certs/simple/nodes/restricted.trust.crt b/...es/org/elasticsearch/xpack/security/transport/ssl/certs/simple/nodes/restricted.trust.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZTCCAk2gAwIBAgIUJYSa8ZSlu1fwxC/oYnmjO2KpFUcwDQYJKoZIhvcNAQEL
+BQAwGzEZMBcGA1UEAxMQcmVzdHJpY3RlZC50cnVzdDAeFw0yMjExMjgyMjUzMDla
+Fw00MjExMjMyMjUzMDlaMBsxGTAXBgNVBAMTEHJlc3RyaWN0ZWQudHJ1c3QwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBrbfvxy+OqGW0XjRpfyPJDB9I
+aNozRT3DCioIBNlKyawh7/rdGXyRsenq2c6uB+J2+fCamEHUCGZWKuCdxhewV8rM
+rLSBRwTOX0q+WjPVe2GN79sHmJHYgkNivdbURgePmL/4U1j+gbwDLGQy1aOMnay9
+TxpRnMbUTsBz8lj5OfA+F9eoSTJjBbf2S/zeQsQMydG/51Mrj2VYfz3dbJjHAxNr
+PlEP8OvM/y9N8qMdMUE9YkaAw2gJKaPqmj/2nucwxrHRuioKTAatW2F3T/5AWJEB
+262WxpZpSqAErR4LXqaUVBdOXwB+DwQKG/uD7gb9QRhuIx0yC4v5MC98mkHJAgMB
+AAGjgaAwgZ0wHQYDVR0OBBYEFPSCxeMJ4lTTDuQ/k3cz6Poc8o96MB8GA1UdIwQY
+MBaAFPSCxeMJ4lTTDuQ/k3cz6Poc8o96MFAGA1UdEQRJMEeCEnNlYXJjaC5leGFt
+cGxlLmNvbYcEMmSWyKArBgNVBAOgJAwiaW5zdGFuY2UwMy5jbHVzdGVyMDIuZWxh
+c3RpY3NlYXJjaDAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAq3ZPsnZ8k
+2IdQEBHhbIPZKnK02sEMo7gK5sC4LbXnQGCks5wu9KUMpLNI+t4Q41j8+P6kuwZ9
+9XumWKUo2veMssxzlupwqQDX5/oFNKc3D5OAxTq7scs9qOW4oP7u8Scg0inqtJw1
+nPARV6mwVqzuz9dWJxaCugo8NuZ88d9fUuI4WRKixffTuMlRknHKa8DVL0NhKE5Z
+W0TXtRg0VewaSEotKC5CqxI2UUOo7A2x0wteW8PHjz+He14rdDXA+Mw8RGHfjNXf
+vZigDHFcEWYe+twHFYo91w1xNdu0oZFUCwvJnIdUS5el1CncBgKxHo0+M3DyqLX+
+5ZYk1NOCQkpA
+-----END CERTIFICATE-----