in src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java [271:427]
public void initTransportSSLConfig() {
// when extendedKeyUsageEnabled and we use keyStore, client/server certs will be in the
// same keyStore file
// when extendedKeyUsageEnabled and we use rawFiles, client/server certs will be in
// different files
// That's why useRawFiles checks for extra location
final boolean useKeyStore = settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH);
final boolean useRawFiles = settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH) ||
(settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH) && settings.hasValue(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH));
final boolean extendedKeyUsageEnabled = settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED,
SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED_DEFAULT);
if (useKeyStore) {
final String keystoreFilePath = resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH,
true);
final String keystoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE,
DEFAULT_STORE_TYPE);
final String keystorePassword = settings.get(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
final String truststoreFilePath = resolve(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, true);
if (settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, null) == null) {
throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH
+ " must be set if transport ssl is requested.");
}
final String truststoreType = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE,
DEFAULT_STORE_TYPE);
final String truststorePassword = settings.get(
SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_PASSWORD,
SSLConfigConstants.DEFAULT_STORE_PASSWORD);
KeystoreProps keystoreProps = new KeystoreProps(
keystoreFilePath, keystoreType, keystorePassword);
KeystoreProps truststoreProps = new KeystoreProps(
truststoreFilePath, truststoreType, truststorePassword);
try {
CertFromKeystore certFromKeystore;
CertFromTruststore certFromTruststore;
if (extendedKeyUsageEnabled) {
final String truststoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS,
null);
final String truststoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS,
null);
final String keystoreServerAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS,
null);
final String keystoreClientAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS,
null);
final String serverKeyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_KEYPASSWORD,
keystorePassword);
final String clientKeyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_KEYPASSWORD,
keystorePassword);
// we require all aliases to be set explicitly
// because they should be different for client and server
if (keystoreServerAlias == null || keystoreClientAlias == null || truststoreServerAlias == null || truststoreClientAlias == null)
{
throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS + ", "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS + ", "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_TRUSTSTORE_ALIAS + ", "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_TRUSTSTORE_ALIAS
+ " must be set when "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_EXTENDED_KEY_USAGE_ENABLED + " is true.");
}
certFromKeystore = new CertFromKeystore(
keystoreProps, keystoreServerAlias, keystoreClientAlias, serverKeyPassword, clientKeyPassword);
certFromTruststore = new CertFromTruststore(
truststoreProps, truststoreServerAlias, truststoreClientAlias);
} else {
// when alias is null, we take first entry in the store
final String truststoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_ALIAS,
null);
final String keystoreAlias = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS,
null);
final String keyPassword = settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_KEYPASSWORD,
keystorePassword);
certFromKeystore = new CertFromKeystore(keystoreProps, keystoreAlias, keyPassword);
certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
}
validateNewCerts(transportCerts, certFromKeystore.getCerts());
transportServerSslContext = buildSSLServerContext(
certFromKeystore.getServerKey(), certFromKeystore.getServerCert(),
certFromTruststore.getServerTrustedCerts(), getEnabledSSLCiphers(this.sslTransportServerProvider, false),
this.sslTransportServerProvider, ClientAuth.REQUIRE);
transportClientSslContext = buildSSLClientContext(
certFromKeystore.getClientKey(), certFromKeystore.getClientCert(),
certFromTruststore.getClientTrustedCerts(), getEnabledSSLCiphers(sslTransportClientProvider, false),
sslTransportClientProvider);
setTransportSSLCerts(certFromKeystore.getCerts());
} catch (final Exception e) {
logExplanation(e);
throw new OpenSearchSecurityException(
"Error while initializing transport SSL layer: " + e.toString(), e);
}
} else if (useRawFiles) {
try {
CertFromFile certFromFile;
if (extendedKeyUsageEnabled) {
CertFileProps clientCertProps = new CertFileProps(
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMTRUSTEDCAS_FILEPATH, true),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMKEY_PASSWORD)
);
CertFileProps serverCertProps = new CertFileProps(
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, true),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD)
);
certFromFile = new CertFromFile(clientCertProps, serverCertProps);
} else {
CertFileProps certProps = new CertFileProps(
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, true),
resolve(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, true),
settings.get(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_PASSWORD)
);
certFromFile = new CertFromFile(certProps);
}
validateNewCerts(transportCerts, certFromFile.getCerts());
transportServerSslContext = buildSSLServerContext(
certFromFile.getServerPemKey(), certFromFile.getServerPemCert(), certFromFile.getServerTrustedCas(),
certFromFile.getServerPemKeyPassword(),
getEnabledSSLCiphers(this.sslTransportServerProvider, false),
this.sslTransportServerProvider, ClientAuth.REQUIRE);
transportClientSslContext = buildSSLClientContext(
certFromFile.getClientPemKey(), certFromFile.getClientPemCert(), certFromFile.getClientTrustedCas(),
certFromFile.getClientPemKeyPassword(),
getEnabledSSLCiphers(sslTransportClientProvider, false), sslTransportClientProvider);
setTransportSSLCerts(certFromFile.getCerts());
} catch (final Exception e) {
logExplanation(e);
throw new OpenSearchSecurityException(
"Error while initializing transport SSL layer from PEM: " + e.toString(), e);
}
} else {
throw new OpenSearchException(SSLConfigConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH + " or "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH + " and "
+ SSLConfigConstants.SECURITY_SSL_TRANSPORT_CLIENT_PEMCERT_FILEPATH
+ " must be set if transport ssl is requested.");
}
}