Regenerates root-ca, kirk and esnode certificates to address already expired root ca certificate #4061
Conversation
…expired root ca certificate
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files:

@@            Coverage Diff             @@
##             main    #4061      +/-   ##
==========================================
+ Coverage   65.81%   65.86%   +0.05%
==========================================
  Files         298      298
  Lines       21289    21292       +3
  Branches     3467     3467
==========================================
+ Hits        14012    14025      +13
+ Misses       5538     5531       -7
+ Partials     1739     1736       -3
Manual testing steps and results:

EXPIRY
➜ openssl x509 -in root-ca.pem -noout -text | grep -A 2 Validity
Validity
Not Before: Feb 20 17:00:36 2024 GMT
Not After : Feb 17 17:00:36 2034 GMT
➜ openssl x509 -in esnode.pem -noout -text | grep -A 2 Validity
Validity
Not Before: Feb 20 17:03:25 2024 GMT
Not After : Feb 17 17:03:25 2034 GMT
➜ openssl x509 -in kirk.pem -noout -text | grep -A 2 Validity
Validity
Not Before: Feb 20 17:04:24 2024 GMT
Not After : Feb 17 17:04:24 2034 GMT

VERIFICATION
➜ openssl verify -CAfile root-ca.pem -verbose kirk.pem
kirk.pem: OK
➜ openssl verify -CAfile root-ca.pem -verbose esnode.pem
esnode.pem: OK

DIFF CURRENT vs NEW
➜ diff root-ca-cert--old.text root-ca-cert.text
5c5
< 77:e4:af:3e:fc:da:9f:93:f6:4d:06:c4:67:8c:e3:e0:6b:7a:15:8a
---
> 0d:64:09:99:66:7d:c4:14:ec:41:47:8e:b7:d1:79:61:23:e9:a8:e2
9,10c9,10
< Not Before: Aug 29 04:20:03 2023 GMT
< Not After : Sep 28 04:20:03 2023 GMT
---
> Not Before: Feb 20 17:00:36 2024 GMT
> Not After : Feb 17 17:00:36 2034 GMT
45c45
< serial:77:E4:AF:3E:FC:DA:9F:93:F6:4D:06:C4:67:8C:E3:E0:6B:7A:15:8A
---
> serial:0D:64:09:99:66:7D:C4:14:EC:41:47:8E:B7:D1:79:61:23:E9:A8:E2
➜ diff esnode-old.text esnode.text
5c5
< 66:3a:e5:0c:f3:fc:6b:34:43:3d:97:21:03:f5:c4:b3:1d:17:da:23
---
> 69:84:a5:11:3d:e7:ce:ca:2d:59:3a:d6:b9:e5:4f:3e:1d:74:c8:b6
9,10c9,10
< Not Before: Aug 29 19:44:42 2023 GMT
< Not After : Aug 26 19:44:42 2033 GMT
---
> Not Before: Feb 20 17:03:25 2024 GMT
> Not After : Feb 17 17:03:25 2034 GMT
➜ diff kirk-old.text kirk.text
5c5
< 66:3a:e5:0c:f3:fc:6b:34:43:3d:97:21:03:f5:c4:b3:1d:17:da:26
---
> 69:84:a5:11:3d:e7:ce:ca:2d:59:3a:d6:b9:e5:4f:3e:1d:74:c8:b7
9,10c9,10
< Not Before: Aug 29 20:06:37 2023 GMT
< Not After : Aug 26 20:06:37 2033 GMT
---
> Not Before: Feb 20 17:04:24 2024 GMT
> Not After : Feb 17 17:04:24 2034 GMT
41a42,43
> X509v3 Subject Key Identifier:
> A3:31:2F:2D:82:0B:97:FD:5E:CA:48:62:E8:1A:0E:CA:E9:73:33:20
45,47c47
< serial:77:E4:AF:3E:FC:DA:9F:93:F6:4D:06:C4:67:8C:E3:E0:6B:7A:15:8A
< X509v3 Subject Key Identifier:
< A3:31:2F:2D:82:0B:97:FD:5E:CA:48:62:E8:1A:0E:CA:E9:73:33:20
---
> serial:0D:64:09:99:66:7D:C4:14:EC:41:47:8E:B7:D1:79:61:23:E9:A8:E2

NEW SHAs
➜ cat root-ca.pem | sha256sum
bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6 -
➜ cat esnode.pem | sha256sum
a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1 -
➜ cat kirk.pem | sha256sum
a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042 -
Instead of generating new certs, can we switch to use the demo configuration tool?
Demo tool uses hardcoded certificates as of now. Generating certificates dynamically can be incorporated in the next iteration of this tool.
…expired root ca certificate (#4061)

### Description
During the last renewal of certs #3268, the option `-days 3650` was missed for root-ca.pem cert causing it to set the default expiry of 30 days. This PR regenerates the public cert root-ca.pem, using the same private-key, and it also regenerates public certs `es-node.pem` and `kirk.pem` so that they can be verified with this new certificate.
* Category : Bug fix
* Why these changes are required? - To ensure the expiry is in 10 years from now
* What is the old behavior before changes and new behavior after changes? - root-ca is currently expired, and this change will set expiry to 2034

### Issues Resolved
- Resolves #4047

### Testing
- Automated testing + [Manual Testing](#4061 (comment))

---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
(cherry picked from commit 9a6a018)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…ddress already expired root ca certificate (#4066)

Backport 9a6a018 from #4061.

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description

During the last renewal of certs #3268, the option `-days 3650` was missed for root-ca.pem cert causing it to set the default expiry of 30 days. This PR regenerates the public cert root-ca.pem, using the same private-key, and it also regenerates public certs `es-node.pem` and `kirk.pem` so that they can be verified with this new certificate.

Issues Resolved
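The fix described above and the manual checks from this PR, combined into one script as an added example (not the project's own tooling): it regenerates a demo root CA with the `-days 3650` that the earlier renewal missed, signs two node certs against it, and gates on `openssl x509 -checkend` so that a cert issued with the 30-day default is rejected before it can ship. It assumes openssl on PATH; WORK, MIN_DAYS and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not code from the PR or the project): regenerate a demo root CA
# with an explicit 10-year lifetime, sign node certs with it, and gate on the
# remaining validity. Assumes openssl on PATH; WORK is a scratch dir made here.
set -eu
WORK="${WORK:-$(mktemp -d)}"
MIN_DAYS="${MIN_DAYS:-90}"   # gate: fail if a cert has less than this left
# Root CA. `-days 3650` is the option the earlier renewal missed; both
# `req -x509` and `x509 -req` fall back to a 30-day lifetime without it.
gen_root_ca() {  # $1 = days
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root-ca-key.pem" -out "$WORK/root-ca.pem" 2>/dev/null
}
# Leaf signed by the CA key. Pass "" as $2 to reproduce the 30-day default.
sign_leaf() {  # $1 = name (esnode, kirk), $2 = days or ""
  days_opt=""; [ -n "$2" ] && days_opt="-days $2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 $days_opt -in "$WORK/$1.csr" \
    -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca-key.pem" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}
# Non-zero if the cert expires within MIN_DAYS: the check that would have
# flagged a 30-day root-ca.pem before it shipped.
check_lifetime() {  # $1 = cert path
  openssl x509 -in "$1" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null
}
# Same chain check the PR's manual test ran.
verify_chain() {  # $1 = leaf cert path
  openssl verify -CAfile "$WORK/root-ca.pem" "$1" >/dev/null
}
not_after() { openssl x509 -in "$1" -noout -enddate; }
run_demo() {
  gen_root_ca 3650
  sign_leaf esnode 3650
  sign_leaf kirk 3650
  for c in root-ca esnode kirk; do
    check_lifetime "$WORK/$c.pem" || { echo "$c.pem: <$MIN_DAYS days left" >&2; return 1; }
    echo "$c.pem: $(not_after "$WORK/$c.pem")"
  done
  verify_chain "$WORK/esnode.pem" && verify_chain "$WORK/kirk.pem"
  sign_leaf short ""            # reproduce the bug: -days omitted -> 30 days
  check_lifetime "$WORK/short.pem" && { echo "gate missed short.pem" >&2; return 1; }
  echo "short.pem rejected: $(not_after "$WORK/short.pem")"
}
run_demo
```

Running check_lifetime over the shipped demo certs in CI turns the 30-day mistake into a failed build instead of an expired root CA discovered in production.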