diff --git a/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java b/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java
index cd6fca2a68..aed7c9b4c6 100644
--- a/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java
+++ b/src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java
@@ -18,10 +18,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 import javax.net.ssl.KeyManagerFactory;
 import javax.security.auth.x500.X500Principal;
@@ -45,12 +45,10 @@ default KeyManagerFactory createKeyManagerFactory(boolean validateCertificates)
 }
 default Set getIssuerDns() {
- Set issuerDns = new HashSet<>();
- final List certificates = loadCertificates();
- for (Certificate certificate : certificates) {
- issuerDns.add(certificate.x509Certificate().getIssuerX500Principal());
- }
- return issuerDns;
+ return loadCertificates().stream()
+ .map(Certificate::x509Certificate)
+ .map(X509Certificate::getIssuerX500Principal)
+ .collect(Collectors.toSet());
 }
 default KeyManagerFactory buildKeyManagerFactory(final KeyStore keyStore, final char[] password) {
diff --git a/src/test/java/org/opensearch/security/ssl/CertificatesRule.java b/src/test/java/org/opensearch/security/ssl/CertificatesRule.java
index 429768fdac..9ee374921a 100644
--- a/src/test/java/org/opensearch/security/ssl/CertificatesRule.java
+++ b/src/test/java/org/opensearch/security/ssl/CertificatesRule.java
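Review bot: `Collectors.toSet()` in the rewritten `getIssuerDns()` gives no guarantee about the type, mutability or serializability of the returned set, whereas the removed code handed back a fresh `HashSet`; any caller that adds to or removes from the result would now rely on an unspecified implementation detail. If callers only read the issuer DNs, `.collect(Collectors.toUnmodifiableSet())` makes that contract explicit and also rejects a null principal early; if some caller does mutate the result, `.collect(Collectors.toCollection(HashSet::new))` keeps the previous behaviour (and then the `HashSet` import removed in the first hunk stays). The enclosing interface continues outside the hunk, so I cannot see the callers from here.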
@@ -144,15 +144,34 @@ public X509CertificateHolder generateCaCertificate(final KeyPair parentKeyPair,
 return generateCaCertificate(parentKeyPair, generateSerialNumber(), startDate, endDate);
 }
+ public X509CertificateHolder generateCaCertificate(
+ final KeyPair parentKeyPair,
+ final String subjectName,
+ final Instant startDate,
+ final Instant endDate
+ ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+ return generateCaCertificate(parentKeyPair, subjectName, generateSerialNumber(), startDate, endDate);
+ }
+
 public X509CertificateHolder generateCaCertificate(
 final KeyPair parentKeyPair,
 final BigInteger serialNumber,
 final Instant startDate,
 final Instant endDate
+ ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+ return generateCaCertificate(parentKeyPair, DEFAULT_SUBJECT_NAME, serialNumber, startDate, endDate);
+ }
+
+ public X509CertificateHolder generateCaCertificate(
+ final KeyPair parentKeyPair,
+ final String subjectName,
+ final BigInteger serialNumber,
+ final Instant startDate,
+ final Instant endDate
 ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
 // CS-SUPPRESS-SINGLE: RegexpSingleline Extension should only be used sparingly to keep implementations as generic as possible
 return createCertificateBuilder(
- DEFAULT_SUBJECT_NAME,
+ subjectName,
 DEFAULT_SUBJECT_NAME,
 parentKeyPair.getPublic(),
 parentKeyPair.getPublic(),
diff --git a/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java b/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java
index 7b6ee9fc74..e6ad9991ee 100644
--- a/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java
+++ b/src/test/java/org/opensearch/security/ssl/CertificatesUtils.java
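Review bot: The new five-parameter `generateCaCertificate` overload threads `subjectName` only into the first argument of `createCertificateBuilder` and still passes `DEFAULT_SUBJECT_NAME` as the second, while both key arguments come from `parentKeyPair`; if that second argument is the issuer name, a caller supplying a non-default subject gets a certificate whose subject and issuer differ yet is signed with its own key, which is not a self-consistent self-signed CA. That is presumably intended for building deliberately invalid fixtures, but none of the three new overloads says so, and the name `generateCaCertificate` suggests otherwise. I would add a Javadoc to the five-parameter overload such as `/** Builds a CA certificate with the given subject; the issuer name stays {@code DEFAULT_SUBJECT_NAME}, so a non-default subject yields a certificate whose subject and issuer do not match. */` and a one-line `@see` on the two delegating overloads. The `createCertificateBuilder` call and the method continue past the end of the hunk.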
@@ -25,9 +25,11 @@
 public class CertificatesUtils {
- public static void writePemContent(final Path path, final Object pemContent) throws IOException {
- try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
- writer.writeObject(pemContent);
+ public static void writePemContent(final Path path, final Object... content) throws IOException {
+ for (final Object c : content) {
+ try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
+ writer.writeObject(c);
+ }
 }
 }
diff --git a/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java b/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
index 916b7b09a7..b0605672aa 100644
--- a/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
+++ b/src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java
@@ -73,6 +73,23 @@ void writeCertificates(
 writePemContent(accessCertificatePrivateKeyPath, privateKeyToPemObject(accessPrivateKey, certificatesRule.privateKeyPassword()));
 }
+ @Test
+ public void skipInvalidCaCertificateValidation() throws Exception {
+ final var caCertificate = certificatesRule.caCertificateHolder();
+
+ final var invalidCertKeys = certificatesRule.generateKeyPair();
+ var invalidCaCertificate = certificatesRule.generateCaCertificate(
+ invalidCertKeys,
+ "CN=not_default_subject,OU=client,O=client,L=test,C=de",
+ caCertificate.getNotAfter().toInstant().minus(20, ChronoUnit.DAYS),
+ caCertificate.getNotAfter().toInstant().minus(10, ChronoUnit.DAYS)
+ );
+
+ writePemContent(caCertificatePath, caCertificate, invalidCaCertificate);
+
+ sslContextHandler();
+ }
+
 @Test
 public void doesNothingIfCertificatesAreSame() throws Exception {
 final var sslContextHandler = sslContextHandler();
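Review bot: The loop in the new `writePemContent` reopens the file on every iteration, and `Files.newBufferedWriter(path)` with no options opens with truncation, so each object overwrites the previous one and only the last element of `content` survives in the file; the call `writePemContent(caCertificatePath, caCertificate, invalidCaCertificate)` in the new `SslContextHandlerTest` therefore produces a PEM file holding just the invalid certificate, not the valid-plus-invalid bundle the test is meant to set up. Open the writer once and iterate inside the try-with-resources so every object is written to the same file. Note that with the corrected version an empty `content` still creates or truncates the file, which the old single-argument signature could not be called with.
```java
public static void writePemContent(final Path path, final Object... content) throws IOException {
    try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
        for (final Object c : content) {
            writer.writeObject(c);
        }
    }
}
```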
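Review bot: `skipInvalidCaCertificateValidation` contains no assertion, so it passes whenever `sslContextHandler()` returns without throwing and would keep passing even if the handler silently dropped every certificate in the file; after loading it should check whatever the handler exposes for its loaded certificates or issuer DNs and assert that only `caCertificate` is represented. The fixture also relies on `writePemContent` writing both objects into `caCertificatePath`, which the helper in the previous hunk does not do because each iteration truncates the file, so as written the handler only ever sees the invalid certificate. A comment stating what makes the second certificate invalid would also help, since its validity window is relative to `caCertificate.getNotAfter()` rather than to now, e.g. `// second CA entry: non-default subject and a validity window ending 10 days before the real CA's; the handler is expected to skip it rather than fail`.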