
Documentation of elasticsearch-certutil is wrong for parameter --pass #35285

Closed
muffl0n opened this issue Nov 6, 2018 · 7 comments · Fixed by #40137
Labels
>docs General docs changes good first issue low hanging fruit :Security/Security Security issues without another label

Comments

muffl0n commented Nov 6, 2018

Elasticsearch version: Version: 6.4.2, Build: default/deb/04711c2/2018-09-26T13:34:09.098244Z, JVM: 1.8.0_181

JVM version:

openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-8u181-b13-1ubuntu0.18.04.1-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode

OS version: Ubuntu 18.04.1 LTS, Linux foobar-vm 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Description of the problem including expected versus actual behavior:
The documentation states that

If you want to specify a blank password (without prompting), use --pass "" (with no =).

But that seems to be wrong.

Steps to reproduce:

$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip --pass ""
Exception in thread "main" java.lang.IllegalArgumentException: password empty
        at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
        at javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:330)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
        at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:798)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:936)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:797)
        at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:950)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:994)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:947)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$500(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:765)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:700)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

Not specifying the parameter at all works, though:

$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip

Tested with 6.4.2

# docker run -v /tmp/instances.yml:/etc/elasticsearch/instances.yml -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.4.2 /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip --pass ""
Exception in thread "main" java.lang.IllegalArgumentException: password empty
...

and 6.3.1:

# docker run -v /tmp/instances.yml:/etc/elasticsearch/instances.yml -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.3.1 /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip --pass ""
Exception in thread "main" java.lang.IllegalArgumentException: password empty
...
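The practical takeaway of the report above is that a blank key password means leaving `--pass` out, not passing `--pass ""`. As an added example (not code from the issue or from Elasticsearch), this POSIX sh wrapper applies that rule and then checks whether the PEM key that came out is actually encrypted; `CERTUTIL`, `run_certutil`, `pem_key_is_encrypted` and `key_matches_intent` are names chosen here, not part of the tool.

```shell
# Added example, not code from the issue or from Elasticsearch. It encodes the
# behaviour reported above: a blank key password means "omit --pass" (which
# works), never --pass "" (which fails with "password empty"), and afterwards
# checks that the generated PEM key's encryption state matches the intent.
# CERTUTIL, run_certutil, pem_key_is_encrypted and key_matches_intent are
# names chosen here, not part of the tool.

# Run certutil with the flags used in the issue, forwarding --pass only when
# the password is non-empty.
# $1 = instances file, $2 = output zip, $3 = key password ("" = unencrypted key)
run_certutil() {
    _pass=$3
    set -- cert ca --pem --silent -in "$1" --out "$2"
    if [ -n "$_pass" ]; then
        set -- "$@" --pass "$_pass"
    fi
    "${CERTUTIL:-/usr/share/elasticsearch/bin/elasticsearch-certutil}" "$@"
}

# Return 0 if PEM file $1 holds an encrypted private key: a PKCS#8
# "ENCRYPTED PRIVATE KEY" block or the legacy "Proc-Type: 4,ENCRYPTED" header.
pem_key_is_encrypted() {
    grep -Eq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 when PEM file $1 is encrypted exactly if a password $2 was given.
# The case worth catching is a key that was meant to be protected but is not.
key_matches_intent() {
    if pem_key_is_encrypted "$1"; then
        [ -n "$2" ]
    else
        [ -z "$2" ]
    fi
}
```

After unzipping the tool's output, run `key_matches_intent path/to/instance.key "$KEY_PASS"` for each key file to confirm the result before distributing it.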
@vladimirdolzhenko vladimirdolzhenko added >docs General docs changes good first issue low hanging fruit labels Nov 6, 2018
@colings86 colings86 added the :Security/Security Security issues without another label label Nov 6, 2018
@elasticmachine

Pinging @elastic/es-security

@vikene

vikene commented Nov 8, 2018

@vladimirdolzhenko @colings86 can I work on this issue ?

@vladimirdolzhenko

@vikene sure! contributors are always welcome

@tvernum

tvernum commented Nov 8, 2018

I have provided an explanation for the observed behaviour.

Any contribution that helps improve the documentation around the --pass option would be appreciated.

@vikene

vikene commented Nov 8, 2018

@tvernum Sure, thanks for the link 👍

vikene added a commit to vikene/elasticsearch that referenced this issue Nov 10, 2018
Better explanation for --pass parameter in documentation for elasticsearch-certutil.
@diegocsandrim

It has been quite a while since the last comment; may I help with this issue? Would you mind, @vikene?
It looks like we just need those review comments applied to the PR, right? Or has something changed since then?

@diegocsandrim

@tvernum can you give it a look? #40137
I have talked with @vikene and he let me work on the issue (response from email).
I have implemented your review suggestions from the PR #35432, with small changes to improve readability.
