Remove BouncyCastle dependency from runtime (#32193)

* Remove BouncyCastle dependency from runtime This commit introduces a new gradle project that contains the classes that have a dependency on BouncyCastle. For the default distribution, It builds a jar from those and in puts it in a subdirectory of lib (/tools/security-cli) along with the BouncyCastle jars. This directory is then passed in the ES_ADDITIONAL_CLASSPATH_DIRECTORIES of the CLI tools that use these classes. BouncyCastle is removed as a runtime dependency (remains as a compileOnly one) from x-pack core and x-pack security.
2018-07-21 00:03:58 +03:00 · 2018-07-21 00:03:58 +03:00 · aaa8f842d6
parent 7aa8a0a927
commit aaa8f842d6
25 changed files with 294 additions and 172 deletions
--- a/distribution/archives/build.gradle
+++ b/distribution/archives/build.gradle
@ -49,7 +49,7 @@ CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, boolean os
  return copySpec {
    into("elasticsearch-${version}") {
      into('lib') {
-        with libFiles
+        with libFiles(oss)
      }
      into('config') {
        dirMode 0750
--- a/distribution/build.gradle
+++ b/distribution/build.gradle
@ -227,7 +227,8 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
    /*****************************************************************************
     *                   Common files in all distributions                       *
     *****************************************************************************/
-    libFiles = copySpec {
+    libFiles = { oss ->
+      copySpec {
        // delay by using closures, since they have not yet been configured, so no jar task exists yet
        from { project(':server').jar }
        from { project(':server').configurations.runtime }
@ -238,6 +239,13 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) {
          from { project(':distribution:tools:plugin-cli').jar }
          from { project(':distribution:tools:plugin-cli').configurations.runtime }
        }
+        if (oss == false) {
+          into('tools/security-cli') {
+            from { project(':x-pack:plugin:security:cli').jar }
+            from { project(':x-pack:plugin:security:cli').configurations.compile }
+          }
+        }
+      }
    }

    modulesFiles = { oss ->
--- a/distribution/packages/build.gradle
+++ b/distribution/packages/build.gradle
@ -126,7 +126,7 @@ Closure commonPackageConfig(String type, boolean oss) {
      }
      into('lib') {
        with copySpec {
-          with libFiles
+          with libFiles(oss)
          // we need to specify every intermediate directory so we iterate through the parents; duplicate calls with the same part are fine
          eachFile { FileCopyDetails fcp ->
            String[] segments = fcp.relativePath.segments
--- a/qa/vagrant/src/main/java/org/elasticsearch/packaging/test/ArchiveTestCase.java
+++ b/qa/vagrant/src/main/java/org/elasticsearch/packaging/test/ArchiveTestCase.java
@ -57,6 +57,7 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.isEmptyString;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assume.assumeThat;
 import static org.junit.Assume.assumeTrue;
@ -302,5 +303,26 @@ public abstract class ArchiveTestCase extends PackagingTestCase {
        }
    }

+    public void test90SecurityCliPackaging() {
+        assumeThat(installation, is(notNullValue()));
+
+        final Installation.Executables bin = installation.executables();
+        final Shell sh = new Shell();
+
+        if (distribution().equals(Distribution.DEFAULT_TAR) || distribution().equals(Distribution.DEFAULT_ZIP)) {
+            assertTrue(Files.exists(installation.lib.resolve("tools").resolve("security-cli")));
+            Platforms.onLinux(() -> {
+                final Result result = sh.run(bin.elasticsearchCertutil + " help");
+                assertThat(result.stdout, containsString("Simplifies certificate creation for use with the Elastic Stack"));
+            });
+
+            Platforms.onWindows(() -> {
+                final Result result = sh.run(bin.elasticsearchCertutil + " help");
+                assertThat(result.stdout, containsString("Simplifies certificate creation for use with the Elastic Stack"));
+            });
+        } else if (distribution().equals(Distribution.OSS_TAR) || distribution().equals(Distribution.OSS_ZIP)) {
+            assertFalse(Files.exists(installation.lib.resolve("tools").resolve("security-cli")));
+        }
+    }

 }
--- a/qa/vagrant/src/main/java/org/elasticsearch/packaging/util/Installation.java
+++ b/qa/vagrant/src/main/java/org/elasticsearch/packaging/util/Installation.java
@ -101,6 +101,7 @@ public class Installation {
        public final Path elasticsearchPlugin = platformExecutable("elasticsearch-plugin");
        public final Path elasticsearchKeystore = platformExecutable("elasticsearch-keystore");
        public final Path elasticsearchTranslog = platformExecutable("elasticsearch-translog");
+        public final Path elasticsearchCertutil = platformExecutable("elasticsearch-certutil");

        private Path platformExecutable(String name) {
            final String platformExecutableName = Platforms.WINDOWS
--- a/x-pack/plugin/core/build.gradle
+++ b/x-pack/plugin/core/build.gradle
@ -20,7 +20,6 @@ esplugin {
 }

 dependencyLicenses {
-  mapping from: /bc.*/, to: 'bouncycastle'
  mapping from: /http.*/, to: 'httpclient' // pulled in by rest client
  mapping from: /commons-.*/, to: 'commons' // pulled in by rest client
 }
@ -38,8 +37,6 @@ dependencies {

    // security deps
    compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
-    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
-    compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
    compile project(path: ':modules:transport-netty4', configuration: 'runtime')

    testCompile 'org.elasticsearch:securemock:1.2'
@ -116,6 +113,7 @@ task testJar(type: Jar) {
    appendix 'test'
    from sourceSets.test.output
 }
+
 artifacts {
    // normal es plugins do not publish the jar but we need to since users need it for Transport Clients and extensions
    archives jar
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java
@ -63,7 +63,7 @@ public class CertParsingUtils {
        return PathUtils.get(path).normalize();
    }

-    static KeyStore readKeyStore(Path path, String type, char[] password)
+    public static KeyStore readKeyStore(Path path, String type, char[] password)
            throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore store = KeyStore.getInstance(type);
@ -108,7 +108,7 @@ public class CertParsingUtils {
        return certificates.toArray(new X509Certificate[0]);
    }

-    static List<Certificate> readCertificates(InputStream input) throws CertificateException, IOException {
+    public static List<Certificate> readCertificates(InputStream input) throws CertificateException, IOException {
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
        Collection<Certificate> certificates = (Collection<Certificate>) certFactory.generateCertificates(input);
        return new ArrayList<>(certificates);
@ -140,7 +140,7 @@ public class CertParsingUtils {
    /**
     * Creates a {@link KeyStore} from a PEM encoded certificate and key file
     */
-    static KeyStore getKeyStoreFromPEM(Path certificatePath, Path keyPath, char[] keyPassword)
+    public static KeyStore getKeyStoreFromPEM(Path certificatePath, Path keyPath, char[] keyPassword)
            throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
        final PrivateKey key = PemUtils.readPrivateKey(keyPath, () -> keyPassword);
        final Certificate[] certificates = readCertificates(Collections.singletonList(certificatePath));
@ -168,7 +168,7 @@ public class CertParsingUtils {
    /**
     * Returns a {@link X509ExtendedKeyManager} that is built from the provided keystore
     */
-    static X509ExtendedKeyManager keyManager(KeyStore keyStore, char[] password, String algorithm)
+    public static X509ExtendedKeyManager keyManager(KeyStore keyStore, char[] password, String algorithm)
            throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
        kmf.init(keyStore, password);
@ -271,7 +271,7 @@ public class CertParsingUtils {
    /**
     * Creates a {@link X509ExtendedTrustManager} based on the trust material in the provided {@link KeyStore}
     */
-    static X509ExtendedTrustManager trustManager(KeyStore keyStore, String algorithm)
+    public static X509ExtendedTrustManager trustManager(KeyStore keyStore, String algorithm)
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(keyStore);
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
@ -22,8 +22,8 @@ dependencies {
    testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')

    compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
-    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
-    compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
+    compileOnly 'org.bouncycastle:bcprov-jdk15on:1.59'
+    compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'

    // the following are all SAML dependencies - might as well download the whole internet
    compile "org.opensaml:opensaml-core:3.3.0"
@ -79,7 +79,6 @@ sourceSets.test.resources {
    srcDir '../core/src/test/resources'
 }
 dependencyLicenses {
-    mapping from: /bc.*/, to: 'bouncycastle'
    mapping from: /java-support|opensaml-.*/, to: 'shibboleth'
    mapping from: /http.*/, to: 'httpclient'
 }
--- a/x-pack/plugin/security/cli/build.gradle
+++ b/x-pack/plugin/security/cli/build.gradle
@ -0,0 +1,20 @@
+apply plugin: 'elasticsearch.build'
+
+archivesBaseName = 'elasticsearch-security-cli'
+
+dependencies {
+    compileOnly "org.elasticsearch:elasticsearch:${version}"
+    compileOnly xpackProject('plugin:core')
+    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
+    compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
+    testImplementation 'com.google.jimfs:jimfs:1.1'
+    testCompile "junit:junit:${versions.junit}"
+    testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
+    testCompile 'org.elasticsearch:securemock:1.2'
+    testCompile "org.elasticsearch.test:framework:${version}"
+    testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+}
+
+dependencyLicenses {
+    mapping from: /bc.*/, to: 'bouncycastle'
+}
--- a/x-pack/plugin/security/cli/licenses/bcpkix-jdk15on-1.59.jar.sha1
+++ b/x-pack/plugin/security/cli/licenses/bcpkix-jdk15on-1.59.jar.sha1
--- a/x-pack/plugin/security/cli/licenses/bcprov-jdk15on-1.59.jar.sha1
+++ b/x-pack/plugin/security/cli/licenses/bcprov-jdk15on-1.59.jar.sha1
--- a/x-pack/plugin/security/cli/licenses/bouncycastle-LICENSE.txt
+++ b/x-pack/plugin/security/cli/licenses/bouncycastle-LICENSE.txt
--- a/x-pack/plugin/security/cli/licenses/bouncycastle-NOTICE.txt
+++ b/x-pack/plugin/security/cli/licenses/bouncycastle-NOTICE.txt
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertGenUtils.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertGenUtils.java
@ -3,7 +3,7 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateGenerateTool.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateGenerateTool.java
@ -3,7 +3,7 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import joptsimple.ArgumentAcceptingOptionSpec;
 import joptsimple.OptionSet;
@ -34,6 +34,8 @@ import org.elasticsearch.common.xcontent.ObjectParser;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;

 import javax.security.auth.x500.X500Principal;

@ -68,6 +70,7 @@ import java.util.zip.ZipOutputStream;

 /**
 * CLI tool to make generation of certificates or certificate requests easier for users
+ *
 * @deprecated Replaced by {@link CertificateTool}
 */
@Deprecated
@ -223,6 +226,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {
    /**
     * This method handles the collection of information about each instance that is necessary to generate a certificate. The user may
     * be prompted or the information can be gathered from a file
+     *
     * @param terminal  the terminal to use for user interaction
     * @param inputFile an optional file that will be used to load the instance information
     * @return a {@link Collection} of {@link CertificateInformation} that represents each instance
@ -239,7 +243,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {
            if (name.isEmpty() == false) {
                final boolean isNameValidFilename = Name.isValidFilename(name);
                String filename = terminal.readText("Enter name for directories and files " + (isNameValidFilename ? "[" + name + "]" : "")
-                        + ": " );
+                    + ": ");
                if (filename.isEmpty() && isNameValidFilename) {
                    filename = name;
                }
@ -298,6 +302,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {

    /**
     * Parses the input file to retrieve the certificate information
+     *
     * @param file the file to parse
     * @return a collection of certificate information
     */
@ -312,6 +317,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {

    /**
     * Generates certificate signing requests and writes them out to the specified file in zip format
+     *
     * @param outputFile the file to write the output to. This file must not already exist
     * @param certInfo   the details to use in the certificate signing requests
     */
@ -388,6 +394,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {

    /**
     * Generates signed certificates in PEM format stored in a zip file
+     *
     * @param outputFile              the file that the certificates will be written to. This file must not exist
     * @param certificateInformations details for creation of the certificates
     * @param caInfo                  the CA information to sign the certificates with
@ -441,6 +448,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {

    /**
     * This method handles the deletion of a file in the case of a partial write
+     *
     * @param file   the file that is being written to
     * @param writer writes the contents of the file
     */
@ -468,6 +476,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {
    /**
     * This method handles writing out the certificate authority cert and private key if the certificate authority was generated by
     * this invocation of the tool
+     *
     * @param outputStream the output stream to write to
     * @param pemWriter    the writer for PEM objects
     * @param info         the certificate authority information
@ -577,6 +586,7 @@ public class CertificateGenerateTool extends EnvironmentAwareCommand {
    /**
     * Helper method to read a private key and support prompting of user for a key. To avoid passwords being placed as an argument we
     * can prompt the user for their password if we encounter an encrypted key.
+     *
     * @param path     the path to the private key
     * @param password the password provided by the user or {@code null}
     * @param terminal the terminal to use for user interaction
--- a/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
+++ b/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
@ -3,7 +3,7 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import joptsimple.OptionParser;
 import joptsimple.OptionSet;
@ -39,6 +39,8 @@ import org.elasticsearch.common.xcontent.ObjectParser;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.env.Environment;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;

 import javax.security.auth.x500.X500Principal;

@ -546,7 +548,7 @@ public class CertificateTool extends LoggingAwareMultiCommand {
            pkcs12.load(null);
            withPassword(fileName, password, terminal, p12Password -> {
                if (isAscii(p12Password)) {
-                    pkcs12.setKeyEntry(alias, pair.key, p12Password, new Certificate[] { pair.cert });
+                    pkcs12.setKeyEntry(alias, pair.key, p12Password, new Certificate[]{pair.cert});
                    if (caCert != null) {
                        pkcs12.setCertificateEntry("ca", caCert);
                    }
@ -574,7 +576,7 @@ public class CertificateTool extends LoggingAwareMultiCommand {
            terminal.println("The 'csr' mode generates certificate signing requests that can be sent to");
            terminal.println("a trusted certificate authority");
            terminal.println("    * By default, this generates a single CSR for a single instance.");
-            terminal.println("    * You can use the '-multiple' option to generate CSRs for multiple" );
+            terminal.println("    * You can use the '-multiple' option to generate CSRs for multiple");
            terminal.println("       instances, each with their own private key.");
            terminal.println("    * The '-in' option allows for the CSR generation to be automated");
            terminal.println("       by describing the details of each instance in a YAML file");
--- a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertGenUtilsTests.java
+++ b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertGenUtilsTests.java
@ -4,7 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */

-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
@ -12,6 +12,7 @@ import org.elasticsearch.common.SuppressForbidden;
 import org.elasticsearch.common.network.InetAddresses;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.security.cli.CertGenUtils;
 import org.junit.BeforeClass;

 import java.math.BigInteger;
--- a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateGenerateToolTests.java
+++ b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateGenerateToolTests.java
@ -3,7 +3,7 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import com.google.common.jimfs.Configuration;
 import com.google.common.jimfs.Jimfs;
@ -33,9 +33,11 @@ import org.elasticsearch.env.Environment;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.SecuritySettingsSourceField;
-import org.elasticsearch.xpack.core.ssl.CertificateGenerateTool.CAInfo;
-import org.elasticsearch.xpack.core.ssl.CertificateGenerateTool.CertificateInformation;
-import org.elasticsearch.xpack.core.ssl.CertificateGenerateTool.Name;
+import org.elasticsearch.xpack.security.cli.CertificateGenerateTool.CAInfo;
+import org.elasticsearch.xpack.security.cli.CertificateGenerateTool.CertificateInformation;
+import org.elasticsearch.xpack.security.cli.CertificateGenerateTool.Name;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.hamcrest.Matchers;
 import org.junit.After;
 import org.junit.BeforeClass;
@ -359,8 +361,8 @@ public class CertificateGenerateToolTests extends ESTestCase {

    public void testGetCAInfo() throws Exception {
        Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
-        Path testNodeCertPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
-        Path testNodeKeyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
+        Path testNodeCertPath = getDataPath("/org/elasticsearch/xpack/security/cli/testnode.crt");
+        Path testNodeKeyPath = getDataPath("/org/elasticsearch/xpack/security/cli/testnode.pem");
        final boolean passwordPrompt = randomBoolean();
        MockTerminal terminal = new MockTerminal();
        if (passwordPrompt) {
--- a/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
+++ b/x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java
@ -3,7 +3,7 @@
 * or more contributor license agreements. Licensed under the Elastic License;
 * you may not use this file except in compliance with the Elastic License.
 */
-package org.elasticsearch.xpack.core.ssl;
+package org.elasticsearch.xpack.security.cli;

 import com.google.common.jimfs.Configuration;
 import com.google.common.jimfs.Jimfs;
@ -39,12 +39,14 @@ import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.SecuritySettingsSourceField;
 import org.elasticsearch.test.TestMatchers;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.CAInfo;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.CertificateAuthorityCommand;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.CertificateCommand;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.CertificateInformation;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.GenerateCertificateCommand;
-import org.elasticsearch.xpack.core.ssl.CertificateTool.Name;
+import org.elasticsearch.xpack.security.cli.CertificateTool.CAInfo;
+import org.elasticsearch.xpack.security.cli.CertificateTool.CertificateAuthorityCommand;
+import org.elasticsearch.xpack.security.cli.CertificateTool.CertificateCommand;
+import org.elasticsearch.xpack.security.cli.CertificateTool.CertificateInformation;
+import org.elasticsearch.xpack.security.cli.CertificateTool.GenerateCertificateCommand;
+import org.elasticsearch.xpack.security.cli.CertificateTool.Name;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.hamcrest.Matchers;
 import org.junit.After;
 import org.junit.BeforeClass;
@ -387,8 +389,8 @@ public class CertificateToolTests extends ESTestCase {

    public void testGetCAInfo() throws Exception {
        Environment env = TestEnvironment.newEnvironment(Settings.builder().put("path.home", createTempDir()).build());
-        Path testNodeCertPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.crt");
-        Path testNodeKeyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode.pem");
+        Path testNodeCertPath = getDataPath("/org/elasticsearch/xpack/security/cli/testnode.crt");
+        Path testNodeKeyPath = getDataPath("/org/elasticsearch/xpack/security/cli/testnode.pem");
        final boolean passwordPrompt = randomBoolean();
        MockTerminal terminal = new MockTerminal();
        if (passwordPrompt) {
--- a/x-pack/plugin/security/cli/src/test/resources/org/elasticsearch/xpack/security/cli/testnode.crt
+++ b/x-pack/plugin/security/cli/src/test/resources/org/elasticsearch/xpack/security/cli/testnode.crt
@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIJALi5bDfjMszLMA0GCSqGSIb3DQEBCwUAMEgxDDAKBgNV
+BAoTA29yZzEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEgMB4GA1UEAxMXRWxhc3Rp
+Y3NlYXJjaCBUZXN0IE5vZGUwHhcNMTUwOTIzMTg1MjU3WhcNMTkwOTIyMTg1MjU3
+WjBIMQwwCgYDVQQKEwNvcmcxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxIDAeBgNV
+BAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA3rGZ1QbsW0+MuyrSLmMfDFKtLBkIFW8V0gRuurFg1PUKKNR1
+Mq2tMVwjjYETAU/UY0iKZOzjgvYPKhDTYBTte/WHR1ZK4CYVv7TQX/gtFQG/ge/c
+7u0sLch9p7fbd+/HZiLS/rBEZDIohvgUvzvnA8+OIYnw4kuxKo/5iboAIS41klMg
+/lATm8V71LMY68inht71/ZkQoAHKgcR9z4yNYvQ1WqKG8DG8KROXltll3sTrKbl5
+zJhn660es/1ZnR6nvwt6xnSTl/mNHMjkfv1bs4rJ/py3qPxicdoSIn/KyojUcgHV
+F38fuAy2CQTdjVG5fWj9iz+mQvLm3+qsIYQdFwIDAQABo4G/MIG8MAkGA1UdEwQC
+MAAwHQYDVR0OBBYEFEMMWLWQi/g83PzlHYqAVnty5L7HMIGPBgNVHREEgYcwgYSC
+CWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghds
+b2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5s
+b2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEL
+BQADggEBAMjGGXT8Nt1tbl2GkiKtmiuGE2Ej66YuZ37WSJViaRNDVHLlg87TCcHe
+k2rdO+6sFqQbbzEfwQ05T7xGmVu7tm54HwKMRugoQ3wct0bQC5wEWYN+oMDvSyO6
+M28mZwWb4VtR2IRyWP+ve5DHwTM9mxWa6rBlGzsQqH6YkJpZojzqk/mQTug+Y8aE
+mVoqRIPMHq9ob+S9qd5lp09+MtYpwPfTPx/NN+xMEooXWW/ARfpGhWPkg/FuCu4z
+1tFmCqHgNcWirzMm3dQpF78muE9ng6OB2MXQwL4VgnVkxmlZNHbkR2v/t8MyZJxC
+y4g6cTMM3S/UMt5/+aIB2JAuMKyuD+A=
+-----END CERTIFICATE-----
--- a/x-pack/plugin/security/cli/src/test/resources/org/elasticsearch/xpack/security/cli/testnode.pem
+++ b/x-pack/plugin/security/cli/src/test/resources/org/elasticsearch/xpack/security/cli/testnode.pem
@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,9D867F7E0C94D013
+
+dVoVCjPeg1wgS7rVtOvGfQcrZyLkx393aWRnFq45tbjKBVuITtJ9vI7o4QXOV/15
+Gnb6WhXGIdWrzsxEAd46K6hIuNSISd4Emsx6c2Q5hTqWXXfexbOZBNfTtXtdJPnJ
+1jAaikhtztLo3JSLTKNY5sNxd+XbaQyYVUWvueK6zOaIIMETvB+VPVFd9i1ROibk
+Sgdtyj01KjkoalifqK/tA0CIYNKL0S6/eoK3UhAlpIprlpV+cnXa940C6bjLeJPt
+PMAGGp5RrplxSgrSerw3I9DOWkHGtpqzIka3XneNUXJP8k4HUJ+aZkGH2ZILKS8d
+4KMIb+KZSpHEGn+6uGccWLtZZmAjWJrDw56JbQtSHdRYLBRSOjLbTvQoPu/2Hpli
+7HOxbotlvjptMunncq5aqK57SHA1dh0cwF7J3LUmGFJ67eoz+VV3b5qMn4MopSeI
+mS16Ydd3nGpjSrln/elM0CQxqWfcOAXRZpDpFUQoXcBrLVzvz2DBl/0CrTRLhgzi
+CO+5/IVcBWRlYpRNGgjjP7q0j6URID3jk5J06fYQXmBiwQT5j+GZqqzpMCJ9mIy2
+1O9SN1hebJnIcEU+E0njn/MGjlYdPywhaCy8pqElp6Q8TUEJpwLRFO/owCoBet/n
+ZmCXUjfCGhc1pWHufFcDEQ6xMgEWWY/tdwCZeSU7EhErTjCbfupg+55A5fpDml0m
+3wH4CFcuRjlqyx6Ywixm1ATeitDtJl5HQTw6b8OtEXwSgRmZ0eSqSRVk9QbVS7gu
+IpQe09/Zimb5HzjZqZ3fdqHlcW4xax8hyJeyIvF5ZJ57eY8CBvu/wP2GDn26QnvF
+xQqdfDbq1H4JmpwUHpbFwBoQK4Q6WFd1z4EA9bRQeo3H9PoqoOwMDjzajwLRF7b7
+q6tYH/n9PyHwdf1c4fFwgSmL1toXGfKlA9hjIaLsRSDD6srT5EdUk78bsnddwI51
+tu7C7P4JG+h1VdRNMNTlqtileWsIE7Nn2A1OkcUxZdF5mamENpDpJcHePLto6c8q
+FKiwyFMsxhgsj6HK2HqO+UA4sX5Ni4oHwiPmb//EZLn045M5i1AN26KosJmb8++D
+sgR5reWRy+UqJCTYblVg+7Dx++ggUnfxVyQEsWmw5r5f4KU5wXBkvoVMGtPNa9DE
+n/uLtObD1qkNL38pRsr2OGRchYCgEoKGqEISBP4knfGXLOlWiW/246j9QzI97r1u
+tvy7fKg28G7AUz9l6bpewsPHefBUeRQeieP9eJINaEpxkF/w2RpKDLpQjWxwDDOM
+s+D0mrBMJve17AmJ8rMw6dIQPZYNZ88/jz1uQuUwQ2YlbmtZbCG81k9YMFGEU9XS
+cyhJxj8hvYnt2PR5Z9/cJPyWOs0m/ufOeeQQ8SnU/lzmrQnpzUd2Z6p5i/B7LdRP
+n1kX+l1qynuPnjvBz4nJQE0p6nzW8RyCDSniC9mtYtZmhgC8icqxgbvS7uEOBIYJ
+NbK+0bEETTO34iY/JVTIqLOw3iQZYMeUpxpj6Phgx/oooxMTquMecPKNgeVtaBst
+qjTNPX0ti1/HYpZqzYi8SV8YjHSJWCVMsZjKPr3W/HIcCKqYoIfgzi83Ha2KMQx6
+-----END RSA PRIVATE KEY-----
--- a/x-pack/plugin/security/src/main/bin/elasticsearch-certgen
+++ b/x-pack/plugin/security/src/main/bin/elasticsearch-certgen
@ -4,7 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License;
 # you may not use this file except in compliance with the Elastic License.

-ES_MAIN_CLASS=org.elasticsearch.xpack.core.ssl.CertificateGenerateTool \
+ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.CertificateGenerateTool \
  ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+  ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
  "`dirname "$0"`"/elasticsearch-cli \
  "$@"
--- a/x-pack/plugin/security/src/main/bin/elasticsearch-certgen.bat
+++ b/x-pack/plugin/security/src/main/bin/elasticsearch-certgen.bat
@ -7,8 +7,9 @@ rem you may not use this file except in compliance with the Elastic License.
 setlocal enabledelayedexpansion
 setlocal enableextensions

-set ES_MAIN_CLASS=org.elasticsearch.xpack.core.ssl.CertificateGenerateTool
+set ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.CertificateGenerateTool
 set ES_ADDITIONAL_SOURCES=x-pack-env;x-pack-security-env
+set ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli
 call "%~dp0elasticsearch-cli.bat" ^
  %%* ^
  || exit /b 1
--- a/x-pack/plugin/security/src/main/bin/elasticsearch-certutil
+++ b/x-pack/plugin/security/src/main/bin/elasticsearch-certutil
@ -4,7 +4,8 @@
 # or more contributor license agreements. Licensed under the Elastic License;
 # you may not use this file except in compliance with the Elastic License.

-ES_MAIN_CLASS=org.elasticsearch.xpack.core.ssl.CertificateTool \
+ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.CertificateTool \
  ES_ADDITIONAL_SOURCES="x-pack-env;x-pack-security-env" \
+  ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli \
  "`dirname "$0"`"/elasticsearch-cli \
  "$@"
--- a/x-pack/plugin/security/src/main/bin/elasticsearch-certutil.bat
+++ b/x-pack/plugin/security/src/main/bin/elasticsearch-certutil.bat
@ -7,8 +7,9 @@ rem you may not use this file except in compliance with the Elastic License.
 setlocal enabledelayedexpansion
 setlocal enableextensions

-set ES_MAIN_CLASS=org.elasticsearch.xpack.core.ssl.CertificateTool
+set ES_MAIN_CLASS=org.elasticsearch.xpack.security.cli.CertificateTool
 set ES_ADDITIONAL_SOURCES=x-pack-env;x-pack-security-env
+set ES_ADDITIONAL_CLASSPATH_DIRECTORIES=lib/tools/security-cli
 call "%~dp0elasticsearch-cli.bat" ^
  %%* ^
  || exit /b 1