final ElasticsearchException exception = ExceptionUtils.createBadHeaderException(); log.error(exception); auditLog.logBadHeaders(request); if(SSLRequestHelper.containsBadHeader(threadContext, ConfigConstants.SG_CONFIG_PREFIX)) { final ElasticsearchException exception = ExceptionUtils.createBadHeaderException(); log.error(exception); auditLog.logBadHeaders(request); if((sslInfo = SSLRequestHelper.getSSLInfo(settings, configPath, request, principalExtractor)) != null) { if(sslInfo.getPrincipal() != null) { threadContext.putTransient("_sg_ssl_principal", sslInfo.getPrincipal()); if(sslInfo.getX509Certs() != null) { threadContext.putTransient("_sg_ssl_peer_certificates", sslInfo.getX509Certs()); threadContext.putTransient("_sg_ssl_protocol", sslInfo.getProtocol()); threadContext.putTransient("_sg_ssl_cipher", sslInfo.getCipher());
return effectiveLicense; return createOrGetTrial("Unable to verify license due to "+ExceptionUtils.getRootCause(e));
final String tenant = Utils.coalesce(request.header("sgtenant"), request.header("sg_tenant"));
CertificateValidator validator = new CertificateValidator(rootCas.toArray(new X509Certificate[0]), crls); validator.setDate(CRL_DATE); try { validator.validate(certsToValidate.toArray(new X509Certificate[0])); Assert.fail(); } catch (CertificateException e) { Assert.assertTrue(ExceptionUtils.getRootCause(e) instanceof CertificateRevokedException);
CertificateValidator validator = new CertificateValidator(rootCas.toArray(new X509Certificate[0]), Collections.emptyList()); validator.setEnableCRLDP(true); validator.setEnableOCSP(true); validator.setDate(CRL_DATE); try { validator.validate(certsToValidate.toArray(new X509Certificate[0])); Assert.fail(); } catch (CertificateException e) { Assert.assertTrue(ExceptionUtils.getRootCause(e) instanceof CertificateRevokedException);
protected void checkRequest(final RestRequest request, final RestChannel channel) { if(SSLRequestHelper.containsBadHeader(threadContext, "_sg_ssl_")) { final ElasticsearchException exception = ExceptionUtils.createBadHeaderException(); errorHandler.logError(exception, request, 1); throw exception; } try { if(SSLRequestHelper.getSSLInfo(settings, configPath, request, null) == null) { logger.error("Not an SSL request"); throw new ElasticsearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR); } } catch (SSLPeerUnverifiedException e) { logger.error("No client certificates found but such are needed (SG 8)."); errorHandler.logError(e, request, 0); throw ExceptionsHelper.convertToElastic(e); } } }
@Test public void testUnmodifieableCipherProtocolConfig() throws Exception { SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false)[0] = "bogus"; Assert.assertEquals("TLSv1.3", SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false)[0]); try { SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false).set(0, "bogus"); Assert.fail(); } catch (UnsupportedOperationException e) { //expected } }
if(SSLRequestHelper.containsBadHeader(getThreadContext(), ConfigConstants.SG_CONFIG_PREFIX)) { final ElasticsearchException exception = ExceptionUtils.createBadHeaderException(); auditLog.logBadHeaders(request, task.getAction(), task); log.error(exception);
@Test public void testAvailCiphers() throws Exception { final SSLContext serverContext = SSLContext.getInstance("TLS"); serverContext.init(null, null, null); final SSLEngine engine = serverContext.createSSLEngine(); final List<String> jdkSupportedCiphers = new ArrayList<>(Arrays.asList(engine.getSupportedCipherSuites())); jdkSupportedCiphers.retainAll(SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)); engine.setEnabledCipherSuites(jdkSupportedCiphers.toArray(new String[0])); final List<String> jdkEnabledCiphers = Arrays.asList(engine.getEnabledCipherSuites()); // example // TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, // TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA System.out.println("JDK enabled ciphers: " + jdkEnabledCiphers); Assert.assertTrue(jdkEnabledCiphers.size() > 0); }
public static PrivateKey exportDecryptedKey(final KeyStore ks, final String alias, final char[] password) throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException { logKeyStore(ks); final List<String> aliases = toList(ks.aliases()); String evaluatedAlias = alias; if (alias == null && aliases.size() > 0) { evaluatedAlias = aliases.get(0); } if (evaluatedAlias == null) { throw new KeyStoreException("null alias, current aliases: " + aliases); } final Key key = ks.getKey(evaluatedAlias, (password == null || password.length == 0) ? null:password); if (key == null) { throw new KeyStoreException("no key alias named " + evaluatedAlias); } if (key instanceof PrivateKey) { return (PrivateKey) key; } return null; }
private void logExplanation(Exception e) { if (ExceptionUtils.findMsg(e, "not contain valid private key") != null) { log.error("Your keystore or PEM does not contain a key. " + "If you specified a key password, try removing it. " + "If you did not specify a key password, perhaps you need to if the key is in fact password-protected. " + "Maybe you just confused keys and certificates."); } if (ExceptionUtils.findMsg(e, "not contain valid certificates") != null) { log.error("Your keystore or PEM does not contain a certificate. Maybe you confused keys and certificates."); } }
private static void logKeyStore(final KeyStore ks) { try { final List<String> aliases = toList(ks.aliases()); if (log.isDebugEnabled()) { log.debug("Keystore has {} entries/aliases", ks.size()); for (String _alias : aliases) { log.debug("Alias {}: is a certificate entry?{}/is a key entry?{}", _alias, ks.isCertificateEntry(_alias), ks.isKeyEntry(_alias)); Certificate[] certs = ks.getCertificateChain(_alias); if (certs != null) { log.debug("Alias {}: chain len {}", _alias, certs.length); for (int i = 0; i < certs.length; i++) { X509Certificate certificate = (X509Certificate) certs[i]; log.debug("cert {} of type {} -> {}", certificate.getSubjectX500Principal(), certificate.getBasicConstraints(), certificate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())); } } X509Certificate cert = (X509Certificate) ks.getCertificate(_alias); if (cert != null) { log.debug("Alias {}: single cert {} of type {} -> {}", _alias, cert.getSubjectX500Principal(), cert.getBasicConstraints(), cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())); } } } } catch (Exception e) { log.error("Error logging keystore due to "+e, e); } }
CertificateValidator validator = new CertificateValidator(rootCas.toArray(new X509Certificate[0]), crls); validator.setDate(CRL_DATE); try { validator.validate(certsToValidate.toArray(new X509Certificate[0])); } catch (CertificateException e) { Assert.fail(ExceptionsHelper.stackTrace(ExceptionUtils.getRootCause(e)));
} catch (Exception e) { Throwable rootCause = ExceptionUtils.getRootCause(e);
@Override public SSLEngine createClientTransportSSLEngine(final String peerHost, final int peerPort) throws SSLException { if (peerHost != null) { final SSLEngine engine = externalSslContext.createSSLEngine(peerHost, peerPort); final SSLParameters sslParams = new SSLParameters(); sslParams.setEndpointIdentificationAlgorithm("HTTPS"); engine.setSSLParameters(sslParams); engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, false))); engine.setEnabledCipherSuites(evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, false).toArray(new String[0]))); engine.setUseClientMode(true); return engine; } else { final SSLEngine engine = externalSslContext.createSSLEngine(); engine.setEnabledProtocols(evalSecure(engine.getEnabledProtocols(), SSLConfigConstants.getSecureSSLProtocols(settings, false))); engine.setEnabledCipherSuites(evalSecure(engine.getEnabledCipherSuites(), SSLConfigConstants.getSecureSSLCiphers(settings, false).toArray(new String[0]))); engine.setUseClientMode(true); return engine; } }
@Test public void testAvailCiphersOpenSSL() throws Exception { Assume.assumeTrue(OpenSsl.isAvailable()); // Set<String> openSSLAvailCiphers = new // HashSet<>(OpenSsl.availableCipherSuites()); // System.out.println("OpenSSL available ciphers: "+openSSLAvailCiphers); // ECDHE-RSA-AES256-SHA, ECDH-ECDSA-AES256-SHA, DH-DSS-DES-CBC-SHA, // ADH-AES256-SHA256, ADH-CAMELLIA128-SHA final Set<String> openSSLSecureCiphers = new HashSet<>(); for (final String secure : SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)) { if (OpenSsl.isCipherSuiteAvailable(secure)) { openSSLSecureCiphers.add(secure); } } System.out.println("OpenSSL secure ciphers: " + openSSLSecureCiphers); Assert.assertTrue(openSSLSecureCiphers.size() > 0); }
public static Throwable findMsg(final Throwable e, String msg) { if(e == null) { return null; } if(e.getMessage() != null && e.getMessage().contains(msg)) { return e; } final Throwable cause = e.getCause(); if(cause == null) { return null; } return findMsg(cause, msg); }
public static Throwable getRootCause(final Throwable e) { if(e == null) { return null; } final Throwable cause = e.getCause(); if(cause == null) { return e; } return getRootCause(cause); }
Assert.fail(); } catch (Exception e) { Throwable root = ExceptionUtils.getRootCause(e); e.printStackTrace(); Assert.assertTrue(root.getMessage().contains("Wrong user in scroll context"));
Assert.fail(); } catch (Exception e) { Throwable root = ExceptionUtils.getRootCause(e); e.printStackTrace(); Assert.assertTrue(root.getMessage().contains("Wrong user in scroll context"));