Skip to content

Add KeyUsage, ExtendedKeyUsage, CipherSuite & Protocol to SSL diagnos… #65634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 16, 2021
Merged

Add KeyUsage, ExtendedKeyUsage, CipherSuite & Protocol to SSL diagnos… #65634

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
88ecbd0
Add KeyUsage, ExtendedKeyUsage, CipherSuite & Protocol to SSL diagnos…
sindhusp Dec 1, 2020
f6af049
Review comments
sindhusp Dec 1, 2020
a7c6be0
Merge branch 'master' into sslDiagnostics
tvernum Aug 13, 2021
3752caf
Tweak implementation and add more tests
tvernum Aug 13, 2021
e23a504
Fix broken test
tvernum Aug 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 92 additions & 2 deletions libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslDiagnostics.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,14 @@
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

public class SslDiagnostics {


public static List<String> describeValidHostnames(X509Certificate certificate) {
try {
final Collection<List<?>> names = certificate.getSubjectAlternativeNames();
Expand Down Expand Up @@ -140,6 +143,44 @@ boolean isSameCertificate() {
}
}

/**
* These names align with the values (and indices) defined by {@link X509Certificate#getKeyUsage()}
*/
private static final String[] KEY_USAGE_NAMES = new String[] {
"digitalSignature",
"nonRepudiation",
"keyEncipherment",
"dataEncipherment",
"keyAgreement",
"keyCertSign",
"cRLSign",
"encipherOnly",
"decipherOnly" };

private enum ExtendedKeyUsage {
serverAuth ("1.3.6.1.5.5.7.3.1"),
clientAuth ("1.3.6.1.5.5.7.3.2"),
codeSigning ("1.3.6.1.5.5.7.3.3"),
emailProtection ("1.3.6.1.5.5.7.3.4"),
timeStamping ("1.3.6.1.5.5.7.3.8"),
ocspSigning ("1.3.6.1.5.5.7.3.9");

private String oid;

ExtendedKeyUsage(String oid) {
this.oid = Objects.requireNonNull(oid);
}

public static String decodeOid(String oid) {
for (ExtendedKeyUsage e : values()) {
if (e.oid.equals(oid)) {
return e.name();
}
}
return oid;
}
}

/**
* @param contextName The descriptive name of this SSL context (e.g. "xpack.security.transport.ssl")
* @param trustedIssuers A Map of DN to Certificate, for the issuers that were trusted in the context in which this failure occurred
Expand All @@ -166,8 +207,14 @@ public static String getTrustDiagnosticFailure(X509Certificate[] chain, PeerType
.append(peerType.name().toLowerCase(Locale.ROOT))
.append(" provided a certificate with subject name [")
.append(peerCert.getSubjectX500Principal().getName())
.append("] and ")
.append(fingerprintDescription(peerCert));
.append("], ")
.append(fingerprintDescription(peerCert))
.append(", ")
.append(keyUsageDescription(peerCert))
.append(" and ")
.append(extendedKeyUsageDescription(peerCert));

addSessionDescription(session, message);

if (peerType == PeerType.SERVER) {
try {
Expand Down Expand Up @@ -395,4 +442,47 @@ private static boolean checkIssuer(X509Certificate certificate, X509Certificate
private static boolean isSelfIssued(X509Certificate certificate) {
return certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal());
}

private static String keyUsageDescription(X509Certificate certificate) {
boolean[] keyUsage = certificate.getKeyUsage();
if (keyUsage == null || keyUsage.length == 0) {
return "no keyUsage";
}
final String keyUsageDescription = IntStream.range(0, keyUsage.length)
.filter(i -> keyUsage[i])
.mapToObj(i -> (i < KEY_USAGE_NAMES.length) ? KEY_USAGE_NAMES[i] : ("#" + i))
.collect(Collectors.joining(", "));
return keyUsageDescription.isEmpty() ? "no keyUsage" : ("keyUsage [" + keyUsageDescription + "]");
}

private static String extendedKeyUsageDescription(X509Certificate certificate) {
try {
return Optional.ofNullable(certificate.getExtendedKeyUsage())
.flatMap(keyUsage -> generateExtendedKeyUsageDescription(keyUsage))
.orElse("no extendedKeyUsage");
} catch (CertificateParsingException e) {
return "invalid extendedKeyUsage [" + e + "]";
}
}

private static Optional<String> generateExtendedKeyUsageDescription(List<String> oids) {
return oids.stream()
.map(ExtendedKeyUsage::decodeOid)
.reduce((x, y) -> x + ", " + y)
.map(str -> "extendedKeyUsage [" + str + "]");
}

private static void addSessionDescription(SSLSession session, StringBuilder message) {
String cipherSuite = Optional.ofNullable(session)
.map(SSLSession::getCipherSuite)
.orElse("<unknown cipherSuite>");
String protocol = Optional.ofNullable(session)
.map(SSLSession::getProtocol)
.orElse("<unknown protocol>");
message.append("; the session uses cipher suite [")
.append(cipherSuite)
.append("] and protocol [")
.append(protocol)
.append("]");
}
}
Loading