diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java
index 45476f125d7..cf46efae229 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java
@@ -509,9 +509,12 @@ final class PemUtils {
 parser.readAsn1Object().getInteger(); // version
 String keyHex = parser.readAsn1Object().getString();
 BigInteger privateKeyInt = new BigInteger(keyHex, 16);
+ DerParser.Asn1Object choice = parser.readAsn1Object();
+ parser = choice.getParser();
+ String namedCurve = getEcCurveNameFromOid(parser.readAsn1Object().getOid());
 KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
- AlgorithmParameterSpec prime256v1ParamSpec = new ECGenParameterSpec("secp256r1");
- keyPairGenerator.initialize(prime256v1ParamSpec);
+ AlgorithmParameterSpec algorithmParameterSpec = new ECGenParameterSpec(namedCurve);
+ keyPairGenerator.initialize(algorithmParameterSpec);
 ECParameterSpec parameterSpec = ((ECKey) keyPairGenerator.generateKeyPair().getPrivate()).getParams();
 return new ECPrivateKeySpec(privateKeyInt, parameterSpec);
 }
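Review bot: The new read at `DerParser.Asn1Object choice = parser.readAsn1Object();` assumes the `parameters` field is present and is a namedCurve OID, but in the SEC1/RFC 5915 ECPrivateKey structure `parameters [0]` is OPTIONAL and ECParameters is a CHOICE, so a key that omits it (or carries specifiedCurve parameters) would run `getOid()` against the wrong object and surface as a parser error rather than a clear "unsupported" rejection; checking the tag of `choice` before descending into it would make that explicit (the tag accessor is not visible in this hunk). Generating a throwaway key pair only to obtain the ECParameterSpec is also needlessly expensive on the larger curves and consumes SecureRandom; the same spec is available without key generation via `AlgorithmParameters ecParams = AlgorithmParameters.getInstance("EC");`, `ecParams.init(new ECGenParameterSpec(namedCurve));`, `ECParameterSpec parameterSpec = ecParams.getParameterSpec(ECParameterSpec.class);` (with `java.security.AlgorithmParameters` imported). Once `parameterSpec` is in hand, rejecting a `privateKeyInt` that is not in `[1, order-1]` using `parameterSpec.getOrder()` would catch corrupt or truncated key material before it reaches the provider. The method's signature is outside the hunk, and the identical change in the x-pack copy (the `@@ -482,9 +482,12 @@` hunk) has the same points.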
@@ -602,4 +605,42 @@ final class PemUtils {
 return certificates;
 }
 
+ private static String getEcCurveNameFromOid(String oidString) throws GeneralSecurityException {
+ switch (oidString) {
+ // see https://tools.ietf.org/html/rfc5480#section-2.1.1.1
+ case "1.2.840.10045.3.1":
+ return "secp192r1";
+ case "1.3.132.0.1":
+ return "sect163k1";
+ case "1.3.132.0.15":
+ return "sect163r2";
+ case "1.3.132.0.33":
+ return "secp224r1";
+ case "1.3.132.0.26":
+ return "sect233k1";
+ case "1.3.132.0.27":
+ return "sect233r1";
+ case "1.2.840.10045.3.1.7":
+ return "secp256r1";
+ case "1.3.132.0.16":
+ return "sect283k1";
+ case "1.3.132.0.17":
+ return "sect283r1";
+ case "1.3.132.0.34":
+ return "secp384r1";
+ case "1.3.132.0.36":
+ return "sect409k1";
+ case "1.3.132.0.37":
+ return "sect409r1";
+ case "1.3.132.0.35":
+ return "secp521r1";
+ case "1.3.132.0.38":
+ return "sect571k1";
+ case "1.3.132.0.39":
+ return "sect571r1";
+ }
+ throw new GeneralSecurityException("Error parsing EC named curve identifier. Named curve with OID: " + oidString +
+ " is not supported");
+ }
+
 }
diff --git a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
index 60f0cd168ce..d5657b5517b 100644
--- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
+++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java
@@ -27,6 +27,8 @@ import java.nio.file.Path;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.ECParameterSpec;
 import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.equalTo;
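Review bot: The first table entry `case "1.2.840.10045.3.1":` is the ansi-X9-62 `prime` arc, not a curve; in the RFC 5480 section cited in the comment above it, secp192r1 is `1.2.840.10045.3.1.1`, so a secp192r1 key would currently be refused as unsupported — change the entry to `case "1.2.840.10045.3.1.1":`. The duplicate of this method in x-pack's PemUtils (the `@@ -556,7 +559,45 @@` hunk) carries the same entry. Since this method is the single place where unknown curves are refused, it deserves a Javadoc such as `/** Maps a namedCurve OID (RFC 5480 section 2.1.1.1) to the JCA curve name; any OID not in the table is rejected with GeneralSecurityException rather than falling back to a default curve. */`, and moving the trailing `throw` into a `default:` arm would make that exhaustive intent visible inside the switch itself.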
@@ -53,7 +55,6 @@ public class PemUtilsTests extends ESTestCase {
 assertThat(key, notNullValue());
 assertThat(key, instanceOf(PrivateKey.class));
 PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/testnode_with_bagattrs.pem"), EMPTY_PASSWORD);
- assertThat(privateKey, notNullValue());
 assertThat(privateKey, equalTo(key));
 }
 
@@ -66,6 +67,15 @@ public class PemUtilsTests extends ESTestCase {
 assertThat(privateKey, equalTo(key));
 }
 
+ public void testReadEcKeyCurves() throws Exception {
+ String curve = randomFrom("secp256r1", "secp384r1", "secp521r1");
+ PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/private_" + curve + ".pem"), ""::toCharArray);
+ assertThat(privateKey, instanceOf(ECPrivateKey.class));
+ ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams();
+ // This is brittle but we can't access sun.security.util.NamedCurve
+ assertThat(parameterSpec.toString(), containsString(curve));
+ }
+
 public void testReadPKCS8EcKey() throws Exception {
 Key key = getKeyFromKeystore("EC");
 assertThat(key, notNullValue());
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/README.asciidoc b/libs/ssl-config/src/test/resources/certs/pem-utils/README.asciidoc
index 0136e967106..f7fbd2ad69c 100644
--- a/libs/ssl-config/src/test/resources/certs/pem-utils/README.asciidoc
+++ b/libs/ssl-config/src/test/resources/certs/pem-utils/README.asciidoc
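Review bot: In `testReadEcKeyCurves` the assertion `assertThat(parameterSpec.toString(), containsString(curve));` depends on the provider's `toString()` format (the comment above it already calls this brittle) and will not hold on a provider whose ECParameterSpec does not print the curve name. The curve can be verified through the public API instead: `int expectedBits = Integer.parseInt(curve.substring(4, 7));` followed by `assertThat(parameterSpec.getCurve().getField().getFieldSize(), equalTo(expectedBits));` checks the prime-field size (256, 384 or 521) and is provider-independent. The same test in x-pack's PemUtilsTests (the `@@ -57,19 +59,28 @@` hunk) can use the same assertion.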
@@ -147,3 +147,29 @@ openssl x509 -req -in n2.c2.csr -extensions SAN -CA ca.crt -CAkey ca.key -CAcrea -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=otherName.1:2.5.4.3;UTF8:node2.cluster2"))\ -out n2.c2.crt -days 10000 ------ + +== Generate EC keys using various curves for testing + +[source,shell] +------- +openssl ecparam -list_curves +------- + +will list all the available curves in a given system. +For the purposes of the tests here, the following curves were used to generate ec keys named accordingly: + +[source,shell] +------- +openssl ecparam -name secp256r1 -genkey -out private_secp256r1.pem +openssl ecparam -name secp384r1 -genkey -out private_secp384r1.pem +openssl ecparam -name secp521r1 -genkey -out private_secp521r1.pem +------- + +and the respective certificates + +[source,shell] +------- +openssl req -x509 -extensions v3_req -key private_secp256r1.pem -out certificate_secp256r1.pem -days 1460 -config openssl_config.cnf +openssl req -x509 -extensions v3_req -key private_secp384r1.pem -out certificate_secp384r1.pem -days 1460 -config openssl_config.cnf +openssl req -x509 -extensions v3_req -key private_secp521r1.pem -out certificate_secp521r1.pem -days 1460 -config openssl_config.cnf +------- diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp256r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp256r1.pem new file mode 100644 index 00000000000..c31ca5ba3e0 --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp256r1.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICBzCCAaygAwIBAgIUAhfs6i7USsFCrKcjhaYmjOOekd8wCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg0 +OTA0WhcNMjQwNDEzMTg0OTA0WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7Ioe2JD2Ssbk0pF19W +iwO/leZtIcCIZP9btPMGhq0r4e6va/qCYFRJoAMEKv49RQwL23MfBK1Djm63pl7z +33Cjgb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUZGVhl0jaavD09XqqAZq+QB+q +VzMwgY8GA1UdEQSBhzCBhIIJbG9jYWxob3N0ghVsb2NhbGhvc3QubG9jYWxkb21h +aW6CCmxvY2FsaG9zdDSCF2xvY2FsaG9zdDQubG9jYWxkb21haW40ggpsb2NhbGhv +c3Q2ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQAAAAAAAAAAAAAAAA +AAAAATAKBggqhkjOPQQDAgNJADBGAiEA5rkkz7V8zFb9ME4b3SiBqFQaXGnLNzz5 +UXmL31oevUUCIQCsL/qw/HKhBtojG9LnK5TezFCYauafDPsVqsxvj7F9UA== +-----END CERTIFICATE----- diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp384r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp384r1.pem new file mode 100644 index 00000000000..287fe2a93db --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp384r1.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICQzCCAcmgAwIBAgIUFBuqf8Y7xcDb5MvDH3/WKCaqZOwwCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1 +MjE4WhcNMjQwNDEzMTg1MjE4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKLpoDYudvcmGfr1+aImIap7 +C1cC9SUBcI8EOWlogODMUM1DWcaWrQbbQzhUNpQFvX6A/I2SiME5WM2IC+lJX/W8 +fafcLzYF+Ts2Eftmdi9usBsQz+JEGTPcgRNyM/N3FaOBvzCBvDAJBgNVHRMEAjAA +MB0GA1UdDgQWBBTuCqvozIlpHH5kLc3BfsT1bRqpHDCBjwYDVR0RBIGHMIGEggls +b2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0NIIXbG9j +YWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9zdDYubG9j +YWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA2gA +MGUCMQDtmO2fQY1vVD58fFHsAt0LoStzrhB22SkcfKtTVNlrHkTX8SXjToqKKbxX +AMgUCNoCMFSn7lc3V7xycDx+P1icdb+jLVoFl7G1Ki17B1z6W8JlZRJBsyEiu6qC +UxZU5NBdww== +-----END CERTIFICATE----- 
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp521r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp521r1.pem new file mode 100644 index 00000000000..e7952c35a37 --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp521r1.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICjjCCAe+gAwIBAgIUR5YlaSjZ7BE/bCe5f2966kG8+cowCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1 +MjM4WhcNMjQwNDEzMTg1MjM4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAC/v/jT1EwJzFyVjSYw8 +H/Ix6Ty9KjTJ+duN1qc9ByGg2YoJw5Z179mAPoDp7LalGCawplhs38J45rqh7pbN +MI+1AaAilKSJiuIzByPlkKjxWOX1sYaxmBY4Kc0UOKpqFfY70fBzhIi8M+9t3eaB +TWoLbIghGkDHG6icTCUawesuTI7/o4G/MIG8MAkGA1UdEwQCMAAwHQYDVR0OBBYE +FNIirnFLQRx8t9uMd3D5Cux+/uSzMIGPBgNVHREEgYcwgYSCCWxvY2FsaG9zdIIV +bG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghdsb2NhbGhvc3Q0Lmxv +Y2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaH +BH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDgYwAMIGIAkIAo+T4 +wkgf9OwzupXYQc8ftQydvucF29sK1OdJDnJHN/oBFtYdo4ZOMar8PzJZ3KtiOETo +IInuL8YE6kO9aTaQOUwCQgDfs3/nnEITC9OzpYpHWDp54phcrKgbHUDEUPn8CPU1 +aH8dJ/TVeSiYkt7dAeqklOP790HfHjS+rTAyMFn7uq4pkw== +-----END CERTIFICATE----- diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp256r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp256r1.pem new file mode 100644 index 00000000000..dc137112a46 --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp256r1.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMdU2MBFYjUeThgqXbSrVByV+rMmsKKe6qzwBjgBwgHXoAoGCCqGSM49 +AwEHoUQDQgAE3sih7YkPZKxuTSkXX1aLA7+V5m0hwIhk/1u08waGrSvh7q9r+oJg +VEmgAwQq/j1FDAvbcx8ErUOObremXvPfcA== +-----END EC PRIVATE KEY----- 
diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp384r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp384r1.pem new file mode 100644 index 00000000000..38578d6334a --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp384r1.pem @@ -0,0 +1,9 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA6lA/V9jd1eZJrD+fkOJMNWDU0xT5aRyUJxrNdIwMWFu1wvswHLvF8 +kZELRUMx3QmgBwYFK4EEACKhZANiAASi6aA2Lnb3Jhn69fmiJiGqewtXAvUlAXCP +BDlpaIDgzFDNQ1nGlq0G20M4VDaUBb1+gPyNkojBOVjNiAvpSV/1vH2n3C82Bfk7 +NhH7ZnYvbrAbEM/iRBkz3IETcjPzdxU= +-----END EC PRIVATE KEY----- diff --git a/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp521r1.pem b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp521r1.pem new file mode 100644 index 00000000000..0ccf7ea9ce3 --- /dev/null +++ b/libs/ssl-config/src/test/resources/certs/pem-utils/private_secp521r1.pem @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIANfC2QUp9OWMWk+1+7i1S3hhg1sXiE2Ysv2lTSV3Jct547FJRoNnl +kJEdojfPbWNlP/uxtoWdIY0T/c+K8ErSkPGgBwYFK4EEACOhgYkDgYYABAAv7/40 +9RMCcxclY0mMPB/yMek8vSo0yfnbjdanPQchoNmKCcOWde/ZgD6A6ey2pRgmsKZY +bN/CeOa6oe6WzTCPtQGgIpSkiYriMwcj5ZCo8Vjl9bGGsZgWOCnNFDiqahX2O9Hw +c4SIvDPvbd3mgU1qC2yIIRpAxxuonEwlGsHrLkyO/w== +-----END EC PRIVATE KEY----- diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/PemUtils.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/PemUtils.java index 13bd7e95798..841f27d3cc3 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/PemUtils.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/PemUtils.java 
@@ -482,9 +482,12 @@ public class PemUtils {
 parser.readAsn1Object().getInteger(); // version
 String keyHex = parser.readAsn1Object().getString();
 BigInteger privateKeyInt = new BigInteger(keyHex, 16);
+ DerParser.Asn1Object choice = parser.readAsn1Object();
+ parser = choice.getParser();
+ String namedCurve = getEcCurveNameFromOid(parser.readAsn1Object().getOid());
 KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
- AlgorithmParameterSpec prime256v1ParamSpec = new ECGenParameterSpec("secp256r1");
- keyPairGenerator.initialize(prime256v1ParamSpec);
+ AlgorithmParameterSpec algorithmParameterSpec = new ECGenParameterSpec(namedCurve);
+ keyPairGenerator.initialize(algorithmParameterSpec);
 ECParameterSpec parameterSpec = ((ECKey) keyPairGenerator.generateKeyPair().getPrivate()).getParams();
 return new ECPrivateKeySpec(privateKeyInt, parameterSpec);
 }
@@ -556,7 +559,45 @@ public class PemUtils {
 case "1.2.840.10045.2.1":
 return "EC";
 }
- throw new GeneralSecurityException("Error parsing key algorithm identifier. Algorithm with OID: "+oidString+ " is not " +
+ throw new GeneralSecurityException("Error parsing key algorithm identifier. Algorithm with OID: " + oidString + " is not " +
+ "supported");
+ }
+
+ private static String getEcCurveNameFromOid(String oidString) throws GeneralSecurityException {
+ switch (oidString) {
+ // see https://tools.ietf.org/html/rfc5480#section-2.1.1.1
+ case "1.2.840.10045.3.1":
+ return "secp192r1";
+ case "1.3.132.0.1":
+ return "sect163k1";
+ case "1.3.132.0.15":
+ return "sect163r2";
+ case "1.3.132.0.33":
+ return "secp224r1";
+ case "1.3.132.0.26":
+ return "sect233k1";
+ case "1.3.132.0.27":
+ return "sect233r1";
+ case "1.2.840.10045.3.1.7":
+ return "secp256r1";
+ case "1.3.132.0.16":
+ return "sect283k1";
+ case "1.3.132.0.17":
+ return "sect283r1";
+ case "1.3.132.0.34":
+ return "secp384r1";
+ case "1.3.132.0.36":
+ return "sect409k1";
+ case "1.3.132.0.37":
+ return "sect409r1";
+ case "1.3.132.0.35":
+ return "secp521r1";
+ case "1.3.132.0.38":
+ return "sect571k1";
+ case "1.3.132.0.39":
+ return "sect571r1";
+ }
+ throw new GeneralSecurityException("Error parsing EC named curve identifier. Named curve with OID: " + oidString + " is not " +
 "supported");
 }
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java
index 3134d42ce36..6cc0f4763b9 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java
@@ -14,6 +14,8 @@ import java.nio.file.Path;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.ECParameterSpec;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
@@ -57,19 +59,28 @@ public class PemUtilsTests extends ESTestCase {
 assertThat(key, notNullValue());
 assertThat(key, instanceOf(PrivateKey.class));
 PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
- ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ec_key_pkcs8_plain.pem"), ""::toCharArray);
+ ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ec_key_pkcs8_plain.pem"), ""::toCharArray);
 assertThat(privateKey, notNullValue());
 assertThat(privateKey, equalTo(key));
 }
 
+ public void testReadEcKeyCurves() throws Exception {
+ String curve = randomFrom("secp256r1", "secp384r1", "secp521r1");
+ PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
+ ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + curve + ".pem"), ""::toCharArray);
+ assertThat(privateKey, instanceOf(ECPrivateKey.class));
+ ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams();
+ // This is brittle but we can't access sun.security.util.NamedCurve
+ assertThat(parameterSpec.toString(), containsString(curve));
+ }
+
 public void testReadEncryptedPKCS8Key() throws Exception {
 assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
 Key key = getKeyFromKeystore("RSA");
 assertThat(key, notNullValue());
 assertThat(key, instanceOf(PrivateKey.class));
 PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
- ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/key_pkcs8_encrypted" +
- ".pem"), "testnode"::toCharArray);
+ ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/key_pkcs8_encrypted.pem"), "testnode"::toCharArray);
 assertThat(privateKey, notNullValue());
 assertThat(privateKey, equalTo(key));
 }
diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc
index 0136e967106..f7fbd2ad69c 100644
--- a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc @@ -147,3 +147,29 @@ openssl x509 -req -in n2.c2.csr -extensions SAN -CA ca.crt -CAkey ca.key -CAcrea -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=otherName.1:2.5.4.3;UTF8:node2.cluster2"))\ -out n2.c2.crt -days 10000 ------ + +== Generate EC keys using various curves for testing + +[source,shell] +------- +openssl ecparam -list_curves +------- + +will list all the available curves in a given system. +For the purposes of the tests here, the following curves were used to generate ec keys named accordingly: + +[source,shell] +------- +openssl ecparam -name secp256r1 -genkey -out private_secp256r1.pem +openssl ecparam -name secp384r1 -genkey -out private_secp384r1.pem +openssl ecparam -name secp521r1 -genkey -out private_secp521r1.pem +------- + +and the respective certificates + +[source,shell] +------- +openssl req -x509 -extensions v3_req -key private_secp256r1.pem -out certificate_secp256r1.pem -days 1460 -config openssl_config.cnf +openssl req -x509 -extensions v3_req -key private_secp384r1.pem -out certificate_secp384r1.pem -days 1460 -config openssl_config.cnf +openssl req -x509 -extensions v3_req -key private_secp521r1.pem -out certificate_secp521r1.pem -days 1460 -config openssl_config.cnf +------- diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp256r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp256r1.pem new file mode 100644 index 00000000000..c31ca5ba3e0 --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp256r1.pem 
@@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIICBzCCAaygAwIBAgIUAhfs6i7USsFCrKcjhaYmjOOekd8wCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg0 +OTA0WhcNMjQwNDEzMTg0OTA0WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7Ioe2JD2Ssbk0pF19W +iwO/leZtIcCIZP9btPMGhq0r4e6va/qCYFRJoAMEKv49RQwL23MfBK1Djm63pl7z +33Cjgb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUZGVhl0jaavD09XqqAZq+QB+q +VzMwgY8GA1UdEQSBhzCBhIIJbG9jYWxob3N0ghVsb2NhbGhvc3QubG9jYWxkb21h +aW6CCmxvY2FsaG9zdDSCF2xvY2FsaG9zdDQubG9jYWxkb21haW40ggpsb2NhbGhv +c3Q2ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQAAAAAAAAAAAAAAAA +AAAAATAKBggqhkjOPQQDAgNJADBGAiEA5rkkz7V8zFb9ME4b3SiBqFQaXGnLNzz5 +UXmL31oevUUCIQCsL/qw/HKhBtojG9LnK5TezFCYauafDPsVqsxvj7F9UA== +-----END CERTIFICATE----- diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp384r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp384r1.pem new file mode 100644 index 00000000000..287fe2a93db --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp384r1.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICQzCCAcmgAwIBAgIUFBuqf8Y7xcDb5MvDH3/WKCaqZOwwCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1 +MjE4WhcNMjQwNDEzMTg1MjE4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKLpoDYudvcmGfr1+aImIap7 +C1cC9SUBcI8EOWlogODMUM1DWcaWrQbbQzhUNpQFvX6A/I2SiME5WM2IC+lJX/W8 +fafcLzYF+Ts2Eftmdi9usBsQz+JEGTPcgRNyM/N3FaOBvzCBvDAJBgNVHRMEAjAA +MB0GA1UdDgQWBBTuCqvozIlpHH5kLc3BfsT1bRqpHDCBjwYDVR0RBIGHMIGEggls +b2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0NIIXbG9j +YWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9zdDYubG9j +YWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA2gA +MGUCMQDtmO2fQY1vVD58fFHsAt0LoStzrhB22SkcfKtTVNlrHkTX8SXjToqKKbxX +AMgUCNoCMFSn7lc3V7xycDx+P1icdb+jLVoFl7G1Ki17B1z6W8JlZRJBsyEiu6qC +UxZU5NBdww== +-----END CERTIFICATE----- diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp521r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp521r1.pem new file mode 100644 index 00000000000..e7952c35a37 --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp521r1.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICjjCCAe+gAwIBAgIUR5YlaSjZ7BE/bCe5f2966kG8+cowCgYIKoZIzj0EAwIw +IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1 +MjM4WhcNMjQwNDEzMTg1MjM4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl +c3QgTm9kZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAC/v/jT1EwJzFyVjSYw8 +H/Ix6Ty9KjTJ+duN1qc9ByGg2YoJw5Z179mAPoDp7LalGCawplhs38J45rqh7pbN +MI+1AaAilKSJiuIzByPlkKjxWOX1sYaxmBY4Kc0UOKpqFfY70fBzhIi8M+9t3eaB +TWoLbIghGkDHG6icTCUawesuTI7/o4G/MIG8MAkGA1UdEwQCMAAwHQYDVR0OBBYE +FNIirnFLQRx8t9uMd3D5Cux+/uSzMIGPBgNVHREEgYcwgYSCCWxvY2FsaG9zdIIV +bG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghdsb2NhbGhvc3Q0Lmxv +Y2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaH +BH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDgYwAMIGIAkIAo+T4 +wkgf9OwzupXYQc8ftQydvucF29sK1OdJDnJHN/oBFtYdo4ZOMar8PzJZ3KtiOETo +IInuL8YE6kO9aTaQOUwCQgDfs3/nnEITC9OzpYpHWDp54phcrKgbHUDEUPn8CPU1 +aH8dJ/TVeSiYkt7dAeqklOP790HfHjS+rTAyMFn7uq4pkw== +-----END CERTIFICATE----- diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp256r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp256r1.pem new file mode 100644 index 00000000000..dc137112a46 --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp256r1.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIMdU2MBFYjUeThgqXbSrVByV+rMmsKKe6qzwBjgBwgHXoAoGCCqGSM49 +AwEHoUQDQgAE3sih7YkPZKxuTSkXX1aLA7+V5m0hwIhk/1u08waGrSvh7q9r+oJg +VEmgAwQq/j1FDAvbcx8ErUOObremXvPfcA== +-----END EC PRIVATE KEY----- 
diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp384r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp384r1.pem new file mode 100644 index 00000000000..38578d6334a --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp384r1.pem @@ -0,0 +1,9 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA6lA/V9jd1eZJrD+fkOJMNWDU0xT5aRyUJxrNdIwMWFu1wvswHLvF8 +kZELRUMx3QmgBwYFK4EEACKhZANiAASi6aA2Lnb3Jhn69fmiJiGqewtXAvUlAXCP +BDlpaIDgzFDNQ1nGlq0G20M4VDaUBb1+gPyNkojBOVjNiAvpSV/1vH2n3C82Bfk7 +NhH7ZnYvbrAbEM/iRBkz3IETcjPzdxU= +-----END EC PRIVATE KEY----- diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp521r1.pem b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp521r1.pem new file mode 100644 index 00000000000..0ccf7ea9ce3 --- /dev/null +++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp521r1.pem @@ -0,0 +1,10 @@ +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIANfC2QUp9OWMWk+1+7i1S3hhg1sXiE2Ysv2lTSV3Jct547FJRoNnl +kJEdojfPbWNlP/uxtoWdIY0T/c+K8ErSkPGgBwYFK4EEACOhgYkDgYYABAAv7/40 +9RMCcxclY0mMPB/yMek8vSo0yfnbjdanPQchoNmKCcOWde/ZgD6A6ey2pRgmsKZY +bN/CeOa6oe6WzTCPtQGgIpSkiYriMwcj5ZCo8Vjl9bGGsZgWOCnNFDiqahX2O9Hw +c4SIvDPvbd3mgU1qC2yIIRpAxxuonEwlGsHrLkyO/w== +-----END EC PRIVATE KEY----- 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java index 068c999e383..b212b000ed1 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java 
@@ -40,35 +40,36 @@ import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.equalTo; public class EllipticCurveSSLTests extends SecurityIntegTestCase { + private static String CURVE; @Override protected Settings nodeSettings(int nodeOrdinal) { - final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); - final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); + final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem"); + final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem"); return Settings.builder() - .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) - .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.security.transport.ssl.key", keyPath) - .put("xpack.security.transport.ssl.certificate", certPath) - .put("xpack.security.transport.ssl.certificate_authorities", certPath) - // disable hostname verificate since these certs aren't setup for that - .put("xpack.security.transport.ssl.verification_mode", "certificate") - .build(); + .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verificate since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .build(); } @Override protected Settings transportClientSettings() { - final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); - final Path 
certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); + final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem"); + final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem"); return Settings.builder() - .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) - .put("xpack.security.transport.ssl.enabled", true) - .put("xpack.security.transport.ssl.key", keyPath) - .put("xpack.security.transport.ssl.certificate", certPath) - .put("xpack.security.transport.ssl.certificate_authorities", certPath) - // disable hostname verificate since these certs aren't setup for that - .put("xpack.security.transport.ssl.verification_mode", "certificate") - .build(); + .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false)) + .put("xpack.security.transport.ssl.enabled", true) + .put("xpack.security.transport.ssl.key", keyPath) + .put("xpack.security.transport.ssl.certificate", certPath) + .put("xpack.security.transport.ssl.certificate_authorities", certPath) + // disable hostname verificate since these certs aren't setup for that + .put("xpack.security.transport.ssl.verification_mode", "certificate") + .build(); } @Override 
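Review bot: `private static String CURVE;` is a mutable static that is only assigned in the `@BeforeClass` method further down the file, yet it is named like a constant and read unchecked in both `nodeSettings` and `transportClientSettings`; if either runs before that assignment the resource path silently becomes `private_null.pem` and the failure surfaces as a missing-file error far from its cause. Renaming it to `private static String curve;` and guarding the reads with `Objects.requireNonNull(curve, "curve must be chosen in @BeforeClass");` keeps the randomised-curve intent while making a misordered lifecycle fail loudly (`java.util.Objects` would need importing if it is not already). Both methods are fully inside the hunk.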
@@ -78,13 +79,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase { public void testConnection() throws Exception { assumeFalse("Fails on BCTLS with 'Closed engine without receiving the close alert message.'", inFipsJvm()); - final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem"); - final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem"); + final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem"); + final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem"); PrivateKey privateKey = PemUtils.readPrivateKey(keyPath, () -> null); Certificate[] certs = CertParsingUtils.readCertificates(Collections.singletonList(certPath.toString()), null); X509ExtendedKeyManager x509ExtendedKeyManager = CertParsingUtils.keyManager(certs, privateKey, new char[0]); SSLContext sslContext = SSLContext.getInstance("TLS"); - sslContext.init(new X509ExtendedKeyManager[] { x509ExtendedKeyManager }, + sslContext.init(new X509ExtendedKeyManager[]{x509ExtendedKeyManager}, new TrustManager[]{CertParsingUtils.trustManager(CertParsingUtils.readCertificates(Collections.singletonList(certPath)))}, new SecureRandom()); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); @@ -118,6 +119,7 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase { @BeforeClass public static void assumeECDSACiphersSupported() throws Exception { + CURVE = randomFrom("secp256r1", "secp384r1", "secp521r1"); SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(null, null, null); SSLEngine sslEngine = sslContext.createSSLEngine();