Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In-memory client cert storage used during cert signing #19180

Merged
merged 4 commits into from
Apr 30, 2024
Merged

In-memory client cert storage used during cert signing #19180

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e6d5351
In-memory client cert storage used during cert signing
todvora Apr 26, 2024
bc881d9
Merge branch 'master' into fix/dont-store-client-certs-on-fs
todvora Apr 26, 2024
612c910
Merge branch 'master' into fix/dont-store-client-certs-on-fs
todvora Apr 29, 2024
37926f6
Merge branch 'master' into fix/dont-store-client-certs-on-fs
moesterheld Apr 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
60 changes: 12 additions & 48 deletions graylog2-server/src/main/java/org/graylog/security/certutil/csr/ClientCertGenerator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,44 +18,21 @@

import jakarta.inject.Inject;
import jakarta.inject.Named;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.graylog.security.certutil.CaService;
import org.graylog.security.certutil.csr.exceptions.CSRGenerationException;
import org.graylog.security.certutil.csr.exceptions.ClientCertGenerationException;
import org.graylog.security.certutil.privatekey.PrivateKeyEncryptedFileStorage;
import org.graylog.security.certutil.privatekey.PrivateKeyEncryptedStorage;
import org.graylog2.indexer.security.SecurityAdapter;
import org.graylog2.plugin.certificates.RenewalPolicy;
import org.graylog2.plugin.cluster.ClusterConfigService;

import javax.security.auth.x500.X500Principal;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Optional;

import static org.graylog.security.certutil.CertConstants.CA_KEY_ALIAS;
import static org.graylog.security.certutil.CertConstants.KEY_GENERATION_ALGORITHM;
import static org.graylog.security.certutil.CertConstants.SIGNING_ALGORITHM;

public class ClientCertGenerator {
private final CaService caService;
Expand All @@ -64,12 +41,10 @@ public class ClientCertGenerator {
private final CsrSigner csrSigner;
private final ClusterConfigService clusterConfigService;
private final SecurityAdapter securityAdapter;
private final Path dataDir;

@Inject
public ClientCertGenerator(final CaService caService,
@Named("password_secret") final String passwordSecret,
@Named("data_dir") Path dataDir,
final CsrGenerator csrGenerator,
final CsrSigner csrSigner,
final ClusterConfigService clusterConfigService,
Expand All @@ -80,52 +55,41 @@ public ClientCertGenerator(final CaService caService,
this.csrSigner = csrSigner;
this.clusterConfigService = clusterConfigService;
this.securityAdapter = securityAdapter;
this.dataDir = dataDir;
}

private Path certFilePath(final String role, final String principal) {
var certfile = Base64.getEncoder().encodeToString((role + ":" + principal).getBytes(StandardCharsets.UTF_8));
return dataDir.resolve(Path.of(certfile + ".cert"));
}

private String c(final Object o) throws IOException {
var writer = new StringWriter();
try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(writer)) {
jcaPEMWriter.writeObject(o);
}
return writer.toString();
}

public ClientCert generateClientCert(final String principal,
final String role,
final char[] privateKeyPassword) throws ClientCertGenerationException {
try {
var renewalPolicy = this.clusterConfigService.get(RenewalPolicy.class);
var privateKeyEncryptedStorage = new PrivateKeyEncryptedFileStorage(certFilePath(role, principal));

final Optional<KeyStore> optKey = caService.loadKeyStore();
final var caKeystore = optKey.get();
final KeyStore caKeystore = caService.loadKeyStore().orElseThrow(()-> new IllegalStateException("No CA configured"));

var caPrivateKey = (PrivateKey) caKeystore.getKey(CA_KEY_ALIAS, passwordSecret.toCharArray());
var caCertificate = (X509Certificate) caKeystore.getCertificate(CA_KEY_ALIAS);

var privateKeyEncryptedStorage = new InMemoryPrivateKeyStorage();
var csr = csrGenerator.generateCSR(privateKeyPassword, principal, List.of(principal), privateKeyEncryptedStorage);
var pk = privateKeyEncryptedStorage.readEncryptedKey(privateKeyPassword);
var cert = csrSigner.sign(caPrivateKey, caCertificate, csr, renewalPolicy);

securityAdapter.addUserToRoleMapping(role, principal);

return new ClientCert(principal, role, c(caCertificate), c(pk), c(cert));
return new ClientCert(principal, role, serializeAsPEM(caCertificate), serializeAsPEM(pk), serializeAsPEM(cert));
} catch (Exception e) {
throw new ClientCertGenerationException("Failed to generate client certificate", e);
throw new ClientCertGenerationException("Failed to generate client certificate: " + e.getMessage(), e);
}
}

public void removeCertFor(final String role, final String principal) throws IOException {
var certFile = certFilePath(role, principal);
if (Files.exists(certFile)) {
Files.delete(certFile);
securityAdapter.removeUserFromRoleMapping(role, principal);
securityAdapter.removeUserFromRoleMapping(role, principal);
}

private String serializeAsPEM(final Object o) throws IOException {
var writer = new StringWriter();
try (JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(writer)) {
jcaPEMWriter.writeObject(o);
}
return writer.toString();
}
}
36 changes: 36 additions & 0 deletions ...og2-server/src/main/java/org/graylog/security/certutil/csr/InMemoryPrivateKeyStorage.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
/*
* Copyright (C) 2020 Graylog, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the Server Side Public License, version 1,
* as published by MongoDB, Inc.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* Server Side Public License for more details.
*
* You should have received a copy of the Server Side Public License
* along with this program. If not, see
* <http://www.mongodb.com/licensing/server-side-public-license>.
*/
package org.graylog.security.certutil.csr;

import org.graylog.security.certutil.privatekey.PrivateKeyEncryptedStorage;

import java.security.PrivateKey;

public class InMemoryPrivateKeyStorage implements PrivateKeyEncryptedStorage {

private PrivateKey privateKey;

@Override
public void writeEncryptedKey(char[] password, PrivateKey privateKey) {
this.privateKey = privateKey;
}

@Override
public PrivateKey readEncryptedKey(char[] password) {
return privateKey;
}
}