Bug/Feature-Request - passphrase for secret key within JKS-Keystore #791

Open
SimonSays4223 opened this issue Aug 1, 2018 · 0 comments

@SimonSays4223

Support for a passphrase ("secretKeyPass") for an encrypted key within the JKS-Keystore format!

  • Version: logstash-output-elasticsearch (9.2.0)
  • Operating System: Centos 7
  • Config File:

input {
  kafka {
    topics => "input_labelled"
    client_id => "ls1_input_labelled_consumer"
    group_id => "input_labelled_consumer"
    id => "ls1_input_labelled_consumer"
    bootstrap_servers => "kafka-host1:9092,kafka-host2:9092,kafka-host3:9092"
    security_protocol => "SSL"
    ssl_key_password => "secretKeyPass"
    ssl_keystore_location => "/etc/pki/tls/ls.server.keystore.jks"
    ssl_keystore_password => "secreteKeystorePass"
    ssl_truststore_location => "/etc/pki/tls/ls.server.truststore.jks"
    ssl_truststore_password => "secretTruststorePass"
    ssl_keystore_type => "JKS"
    ssl_truststore_type => "JKS"
  }
}
filter {
}
output {
  elasticsearch {
    hosts => [ "https://es-host1:9300", "https://es-host2:9300" ]
    user => "logstash_system"
    password => "secretXpackPass"
    ssl => true
    ssl_certificate_verification => true
    keystore => "/etc/pki/tls/ls.server.keystore.jks"
    keystore_password => "secreteKeystorePass"
    truststore => "/etc/pki/tls/ls.server.truststore.jks"
    truststore_password => "secretTruststorePass"
  }
}

  • Sample/Error Data:
    ending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
    Aug 01 12:05:46 host-xyz logstash[17689]: [2018-08-01T12:05:46,046][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.3.1"}
    Aug 01 12:05:48 host-xyz logstash[17689]: [2018-08-01T12:05:48,725][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"winlogbeat", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    Aug 01 12:05:49 host-xyz logstash[17689]: [2018-08-01T12:05:49,017][ERROR][logstash.pipeline ] Error registering plugin {:pipeline_id=>"winlogbeat", :plugin=>"#<LogStash::OutputDelegator:0x12bedc9d>", :error=>"Cannot recover key", :thread=>"#<Thread:0x974420a run>"}
    Aug 01 12:05:49 host-xyz logstash[17689]: [2018-08-01T12:05:49,031][ERROR][logstash.pipeline ] Pipeline aborted due to error {:pipeline_id=>"winlogbeat", :exception=>java.security.UnrecoverableKeyException: Cannot recover key, :backtrace=>["sun.security.provider.KeyProtector.recover(sun/security/provider/KeyProtector.java:328)", "sun.security.provider.JavaKeyStore.engineGetKey(sun/security/provider/JavaKeyStore.java:146)", "sun.security.provider.JavaKeyStore$JKS.engineGetKey(sun/security/provider/JavaKeyStore.java:56)", "sun.security.provider.KeyStoreDelegator.engineGetKey(sun/security/provider/KeyStoreDelegator.java:96)", "sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(sun/security/provider/JavaKeyStore.java:70)", "java.security.KeyStore.getKey(java/security/KeyStore.java:1023)", "sun.security.ssl.SunX509KeyManagerImpl.<init>(sun/security/ssl/SunX509KeyManagerImpl.java:133)", "sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(sun/security/ssl/KeyManagerFactoryImpl.java:70)", "javax.net.ssl.KeyManagerFactory.init(javax/net/ssl/KeyManagerFactory.java:256)", "org.apache.http.conn.ssl.SSLContextBuilder.loadKeyMaterial(org/apache/http/conn/ssl/SSLContextBuilder.java:145)", "org.apache.http.conn.ssl.SSLContextBuilder.loadKeyMaterial(org/apache/http/conn/ssl/SSLContextBuilder.java:134)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:498)", "org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:423)", "org.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:290)", [...]

I can provide a more detailed log, but I guess the lines above should be enough.

  • Steps to Reproduce:

Keystore-Creation

  1. openssl pkcs12 -export -in certs/ls-host1.crt -inkey private/ls-host1.key -name "localhost" -out ls-host1.p12
     ---> Password = "secretKeyPass"

  2. keytool -importkeystore -deststorepass "secreteKeystorePass" -destkeystore ls.server.keystore.jks -srckeystore ls-host1.p12 -srcstoretype PKCS12
     ---> Password = "secretKeyPass"

  3. keytool -keystore ls.server.keystore.jks -alias Root-CA -import -file certs/root-ca.crt
     ---> Password = "secreteKeystorePass"

Truststore-Creation

  1. keytool -v -import -file certs/root-ca.crt -alias Root-CA -keystore ls.server.truststore.jks
     ---> Password = secretTruststorePass

  • Additional Note:
    Yes, we could use the PKCS12 container directly and provide the "secretKeyPass". Nevertheless, it would be great if support for the Java JKS format were implemented fully, as the documentation states that .jks is supported.
    Therefore it would be nice if the secret key within the JKS keystore could have its own passphrase, as in other plugins (e.g. logstash-input-kafka).
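The backtrace in the report ends in sun.security.provider.KeyProtector.recover, the JKS routine that unwraps a key entry with whatever password KeyStore.getKey receives; logstash-output-elasticsearch has only keystore_password to hand over, so a key entry protected with a different password fails with "Cannot recover key". As an added illustration (not code from the plugin or the JDK), the following Python reimplements that protection scheme, assumed to follow the OpenJDK algorithm with the DER EncryptedPrivateKeyInfo wrapper omitted and a constructed key, and reproduces the mismatch with the passwords from the report:

```python
import hashlib, os

# Illustrative reimplementation of the JKS key-entry protection used by
# sun.security.provider.KeyProtector (the class in the reported backtrace),
# written from the OpenJDK algorithm for this note; the DER EncryptedPrivateKeyInfo
# wrapper that surrounds this blob in a real .jks file is omitted.
SALT_LEN = 20    # random salt prepended to the blob
DIGEST_LEN = 20  # SHA-1 output length

def _password_bytes(password):
    return password.encode("utf-16-be")  # Java: two big-endian bytes per char

def _keystream(passwd, salt, length):
    # block_i = SHA1(passwd || block_{i-1}), seeded with the salt
    out, block = b"", salt
    while len(out) < length:
        block = hashlib.sha1(passwd + block).digest()
        out += block
    return out[:length]

def protect(plain_key, password, salt=None):
    """Return salt || (plain_key XOR keystream) || SHA1(passwd || plain_key)."""
    passwd = _password_bytes(password)
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    encrypted = bytes(a ^ b for a, b in zip(plain_key, _keystream(passwd, salt, len(plain_key))))
    return salt + encrypted + hashlib.sha1(passwd + plain_key).digest()

def recover(protected, password):
    """Inverse of protect(); the trailing digest is what exposes a wrong password."""
    if len(protected) < SALT_LEN + DIGEST_LEN:
        raise ValueError("Cannot recover key")  # malformed blob
    passwd = _password_bytes(password)
    salt, encrypted = protected[:SALT_LEN], protected[SALT_LEN:-DIGEST_LEN]
    plain = bytes(a ^ b for a, b in zip(encrypted, _keystream(passwd, salt, len(encrypted))))
    if hashlib.sha1(passwd + plain).digest() != protected[-DIGEST_LEN:]:
        raise ValueError("Cannot recover key")  # Java: UnrecoverableKeyException
    return plain

def key_recoverable(protected, password):
    """Preflight check: can this key entry be opened with the given password?"""
    try:
        recover(protected, password)
        return True
    except ValueError:
        return False

def report_scenario():
    """The reporter's setup: key protected with "secretKeyPass", but the output
    plugin can only pass keystore_password ("secreteKeystorePass") to getKey()."""
    blob = protect(b"constructed-private-key-bytes", "secretKeyPass")
    return {"keystore_password": key_recoverable(blob, "secreteKeystorePass"),
            "key_password": key_recoverable(blob, "secretKeyPass")}
```

Until the plugin accepts a separate key password, the workaround is to make the key entry's password equal to the keystore password (for example with keytool -keypasswd), which is the single password the output plugin effectively passes.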