Correctly handle PKCS#11 tokens for system keystore #33460
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As defined in the PKCS#11 reference guide https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html PKCS#11 tokens can be used as the JSSE keystore and truststore and the way to indicate this is to set `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` to `NONE` (case sensitive). This commits ensures that we honor this convention and do not attempt to load the keystore or truststore if the system property is set to NONE. Relates elastic#33459
|
Pinging @elastic/es-security |
When a PKCS#11 token is used as the system truststore, we need to pass a password when loading it, even if only for reading certificate entries. This commit ensures that if `javax.net.ssl.trustStoreType` is set to `PKCS#11` (as it would when a PKCS#11 token is in use) the password specified in `javax.net.ssl.trustStorePassword` is passed when attempting to load the truststore.
jkakavas
changed the title
|
@jaymode I widened the scope of this PR slightly as the changes fitted well together, could you take another look please ? |
|
CI failed with This has never failed in the past , this looks unrelated to this PR and possibly related to #32641 (ping @spinscale for visibility), although it doesn't reproduce locally. |
|
Jenkins test this please |
jkakavas
added a commit
that referenced
this pull request
Sep 10, 2018
* Correctly handle NONE keyword for system keystore As defined in the PKCS#11 reference guide https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html PKCS#11 tokens can be used as the JSSE keystore and truststore and the way to indicate this is to set `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` to `NONE` (case sensitive). This commits ensures that we honor this convention and do not attempt to load the keystore or truststore if the system property is set to NONE. * Handle password protected system truststore When a PKCS#11 token is used as the system truststore, we need to pass a password when loading it, even if only for reading certificate entries. This commit ensures that if `javax.net.ssl.trustStoreType` is set to `PKCS#11` (as it would when a PKCS#11 token is in use) the password specified in `javax.net.ssl.trustStorePassword` is passed when attempting to load the truststore. Relates #33459
jasontedor
added a commit
to jasontedor/elasticsearch
that referenced
this pull request
Sep 11, 2018
* master: Add full cluster restart base class (elastic#33577) Validate list values for settings (elastic#33503) Copy and validatie soft-deletes setting on resize (elastic#33517) Test: Fix package name SQL: Fix result column names for arithmetic functions (elastic#33500) Upgrade to latest Lucene snapshot (elastic#33505) Enable not wiping cluster settings after REST test (elastic#33575) MINOR: Remove Dead Code in SearchScript (elastic#33569) [Test] Remove duplicate method in TestShardRouting (elastic#32815) mute test on windows Update beats template to include apm-server metrics (elastic#33286) Fix typos (elastic#33499) [CCR] Delay auto follow license check (elastic#33557) [CCR] Add create_follow_index privilege (elastic#33559) Strengthen FilterRoutingTests (elastic#33149) Correctly handle PKCS#11 tokens for system keystore (elastic#33460) Remove some duplicate request conversion methods. (elastic#33538)
jkakavas
added a commit
that referenced
this pull request
Oct 5, 2018
* Correctly handle NONE keyword for system keystore As defined in the PKCS#11 reference guide https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html PKCS#11 tokens can be used as the JSSE keystore and truststore and the way to indicate this is to set `javax.net.ssl.keyStore` and `javax.net.ssl.trustStore` to `NONE` (case sensitive). This commits ensures that we honor this convention and do not attempt to load the keystore or truststore if the system property is set to NONE. * Handle password protected system truststore When a PKCS#11 token is used as the system truststore, we need to pass a password when loading it, even if only for reading certificate entries. This commit ensures that if `javax.net.ssl.trustStoreType` is set to `PKCS#11` (as it would when a PKCS#11 token is in use) the password specified in `javax.net.ssl.trustStorePassword` is passed when attempting to load the truststore. Relates #33459
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ensure we handle the
NONEkeyword for system keystores correctlyAs defined in the PKCS#11 reference guide
https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html
PKCS#11 tokens can be used as the JSSE keystore and truststore and
the way to indicate this is to set
javax.net.ssl.keyStoreandjavax.net.ssl.trustStoretoNONE(case sensitive).This commits ensures that we honor this convention and do not
attempt to load the keystore or truststore if the system property is
set to NONE.
Ensure we handle password protected
PKCS#11tokens used assystem truststores correctly.
When a PKCS#11 token is used as the system truststore, we need to
pass a password when loading it, even if only for reading
certificate entries. This commit ensures that if
javax.net.ssl.trustStoreTypeis set toPKCS#11(as it wouldwhen a PKCS#11 token is in use) the password specified in
javax.net.ssl.trustStorePasswordis passed when attempting toload the truststore.
Relates #33459