Support certs with separate Extended Key Usage

[lavacat]

Problem: Right now certs that specify extended key usage must set
both clientAuth and serverAuth.

Solution: Add settings to path additional server cert and use it when
creating ssl server

*Issue #474 *

Description of changes:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[vrozov]

@lavacat Please check why CI build failed

[debjanibnrj]

Currently the changes made are only for PEM certs. Since we support jks certs as well, we will probably need to extend these changes to include JKS certs (link)

[debjanibnrj]

Slight confused by mixedKeyUsageEnabled. Does that mean the cert has both clientAuth and serverAuth?

[debjanibnrj]

Why update this from true to false? It is set to false by default so that custom transport settings are used.

[debjanibnrj]

it may be good to disable these settings if mixedKeyUsage is false. Eg -

Suggested change

	settings.add(Setting.boolSetting(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_MIXED_KEY_USAGE_ENABLED, SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_MIXED_KEY_USAGE_ENABLED_DEFAULT, Property.NodeScope, Property.Filtered));
	if (!isMixedKeyUsageAllowed(settings)) {
	settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMCERT_FILEPATH, Property.NodeScope, Property.Filtered));
	settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_FILEPATH, Property.NodeScope, Property.Filtered));
	settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMKEY_PASSWORD, Property.NodeScope, Property.Filtered));
	settings.add(Setting.simpleString(SSLConfigConstants.OPENDISTRO_SECURITY_SSL_TRANSPORT_SERVER_PEMTRUSTEDCAS_FILEPATH, Property.NodeScope, Property.Filtered));
	}

You can create a helper function like -

    private static boolean isMixedKeyUsageAllowed(final Settings settings) {
        return settings.getAsBoolean(SSLConfigConstants. OPENDISTRO_SECURITY_SSL_TRANSPORT_MIXED_KEY_USAGE_ENABLED, false);
    }

[lavacat]

@debjanibnrj Thanks for comments. I'll resume working on this.

• will add JKS cert support
• mixedKeyUsageEnabled means both clientAuth and serverAuth, if it's confusing, happy to use some other name
• agree with having .server. and .client. and defaulting to old way. Will refactor

[codecov]

Codecov Report

Merging #493 (0c1aefb) into master (8419ab5) will increase coverage by 0.36%.
The diff coverage is 90.43%.

@@             Coverage Diff              @@
##             master     #493      +/-   ##
============================================
+ Coverage     63.91%   64.27%   +0.36%     
- Complexity     3169     3210      +41     
============================================
  Files           239      244       +5     
  Lines         16882    17040     +158     
  Branches       3036     3034       -2     
============================================
+ Hits          10790    10953     +163     
+ Misses         4543     4541       -2     
+ Partials       1549     1546       -3     

Impacted Files	Coverage Δ	Complexity Δ
...icsearch/security/ssl/util/SSLConfigConstants.java	77.77% <ø> (ø)	7.00 <0.00> (ø)
...istroforelasticsearch/security/ssl/util/Utils.java	63.63% <0.00%> (-6.37%)	5.00 <1.00> (+1.00)	⬇️
...elasticsearch/security/ssl/util/KeystoreProps.java	72.72% <72.72%> (ø)	2.00 <2.00> (?)
...sticsearch/security/ssl/util/CertFromKeystore.java	73.91% <73.91%> (ø)	8.00 <8.00> (?)
...icsearch/security/ssl/util/CertFromTruststore.java	90.90% <90.90%> (ø)	8.00 <8.00> (?)
...ecurity/ssl/DefaultOpenDistroSecurityKeyStore.java	69.10% <94.38%> (+3.20%)	71.00 <10.00> (+3.00)
...arch/security/ssl/OpenDistroSecuritySSLPlugin.java	84.44% <100.00%> (+1.83%)	25.00 <0.00> (+1.00)
...elasticsearch/security/ssl/util/CertFileProps.java	100.00% <100.00%> (ø)	5.00 <5.00> (?)
...relasticsearch/security/ssl/util/CertFromFile.java	100.00% <100.00%> (ø)	13.00 <13.00> (?)
...relasticsearch/security/auditlog/NullAuditLog.java	33.33% <0.00%> (-4.77%)	7.00% <0.00%> (-1.00%)
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8419ab5...3e54769. Read the comment docs.

[nicot]

Looks great to me! Thanks for making these changes.

[nicot]

Thanks for adding this!

[debjanibnrj]

Why add || extendedKeyUsageEnabled here?

[debjanibnrj]

Thanks for refactoring these into classes. Much cleaner approach. 👍

[lavacat]

@nicot @debjanibnrj

• added keystore, truststore files and integration test in SSLTest.java
• added unit tests for all new CertFrom* classes
• cleaned up imports

@debjanibnrj based on your question "Why add || extendedKeyUsageEnabled here?"
did a small refactor and added cleaner useKeyStore and useRawFiles variables

Nothing else changed

[debjanibnrj]

Thanks for your contribution. Added a minor comment but overall looks great!

[debjanibnrj]

@hardik-k-shah can you have a look as well

[lavacat]

Thanks for your contribution. Added a minor comment but overall looks great!

@debjanibnrj FYI, don't see the new comments. I think I've addressed all older ones.

[hardik-k-shah]

Thanks @lavacat and @nicot for your contribution.
Overall it looks good. Few minor comments.

[hardik-k-shah]

should we also check truststoreAlias and keystoreAlias for non-null and throw exception if anyone of it was set to null?

[lavacat]

If the alias isn't provided SSLCertificateHelper.exportServerCertChain will take the first one. I've made it required for extended key usage because server/client alias should be different at least for keystore.
Made a comment and added a test

[lavacat]

@debjanibnrj @hardik-k-shah thanks for comments and noticing those mistakes, made all changes as you've suggested.