elasticsearch-readonlyrest-plugin

[RORDEV-594] PEM certificates support

Open pielas opened this issue 2 years ago • 10 comments

🚀New (ES) Added support for certificates in PEM format

pielas avatar Jun 21 '22 17:06 pielas

@pielas what's the status of this?

sscarduzio avatar Jun 30 '22 09:06 sscarduzio

@sscarduzio it's generally ready. I just need to fix issues with tests on the pipeline.

pielas avatar Jul 12 '22 18:07 pielas

@pielas something is wrong with the es60x module:

2022-07-13T19:57:00.5198056Z [2022-07-13T19:31:19,069][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [ROR1_2] fatal error in thread [main], exiting
2022-07-13T19:57:00.5198318Z 
2022-07-13T19:57:00.5198603Z java.lang.NoClassDefFoundError: org/bouncycastle/openssl/PEMParser
2022-07-13T19:57:00.5198781Z 
2022-07-13T19:57:00.5199121Z 	at tech.beshu.ror.utils.SSLCertHelper$.$anonfun$loadPrivateKey$3(SSLCertHelper.scala:67) ~[?:?]
2022-07-13T19:57:00.5199395Z 
2022-07-13T19:57:00.5199745Z 	at cats.effect.internals.IORunLoop$.cats$effect$internals$IORunLoop$$loop(IORunLoop.scala:87) ~[?:?]

We've excluded several intermediate ES modules from PR tests recently. Please make sure that these modules pass the problematic test locally (on develop, all modules will be tested in the pipeline).

coutoPL avatar Jul 13 '22 20:07 coutoPL

@coutoPL ah, it turns out that the BouncyCastle library, which I included to handle PEM files, causes JAR hell like other BouncyCastle libraries. Could we just exclude support for PEM files in es60?

pielas avatar Jul 14 '22 19:07 pielas

I think that there is no sense in fighting with it (assuming that the JAR hell is not easy to fix).

coutoPL avatar Jul 14 '22 19:07 coutoPL

Parsing a pem file requires bouncy castle? 😳

sscarduzio avatar Jul 15 '22 03:07 sscarduzio

@sscarduzio No, it's not required. However, parsing it without Bouncy Castle is more troublesome. Here's the loadPrivateKey function without using BC: https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin/pull/826/commits/efc9cde59904de6e021d70f300617244a45e747b#diff-1f6f852b3a8af9460e226a8940a31dd40d6b941674985610d0328e709292c3dd

As you can see, it requires doing a few steps by hand, and this code is able to load only RSA keys (because of KeyFactory.getInstance("RSA")). Handling other types is possible, but requires some more handling. Because such an implementation is more error-prone, I decided to use the BouncyCastle lib, which takes care of everything.

pielas avatar Jul 15 '22 06:07 pielas
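An added example (not part of the thread, and not the plugin's code or the linked commit) of the manual steps described in the comment above, using only the JDK: strip the PEM armor, base64-decode, then try several `KeyFactory` algorithms instead of hard-coding `"RSA"`. The object and method names (`PemPrivateKeyLoader`, `decodePkcs8`, `toPem`) are hypothetical, the sample keys are generated in `main`, and only unencrypted PKCS#8 (`BEGIN PRIVATE KEY`) input is assumed.

```scala
import java.nio.charset.StandardCharsets
import java.security.{KeyFactory, KeyPairGenerator, PrivateKey}
import java.security.spec.PKCS8EncodedKeySpec
import java.util.Base64
import scala.util.{Success, Try}

object PemPrivateKeyLoader {
  private val Begin = "-----BEGIN PRIVATE KEY-----"
  private val End   = "-----END PRIVATE KEY-----"
  // KeyFactory must be told the algorithm, so each candidate is tried in order.
  private val Algorithms = List("RSA", "EC", "DSA")

  // Step 1 and 2 by hand: cut out the armored body and base64-decode it to DER.
  def decodePkcs8(pem: String): Either[String, Array[Byte]] = {
    val start = pem.indexOf(Begin)
    val end   = pem.indexOf(End)
    if (start < 0 || end < start) {
      if (pem.contains("BEGIN RSA PRIVATE KEY") || pem.contains("BEGIN EC PRIVATE KEY"))
        Left("traditional PKCS#1/SEC1 key: the JDK cannot parse it, convert to PKCS#8 first")
      else if (pem.contains("BEGIN ENCRYPTED PRIVATE KEY"))
        Left("encrypted PKCS#8 key: not handled in this example")
      else Left("no PKCS#8 PRIVATE KEY block found")
    } else {
      val body = pem.substring(start + Begin.length, end)
      // The MIME decoder skips line breaks and other non-base64 characters.
      Try(Base64.getMimeDecoder.decode(body)).toEither.left.map(e => s"bad base64: ${e.getMessage}")
    }
  }

  // Step 3: the first KeyFactory that accepts the PKCS#8 blob wins.
  def loadPrivateKey(pem: String): Either[String, PrivateKey] =
    decodePkcs8(pem).flatMap { der =>
      val spec = new PKCS8EncodedKeySpec(der)
      Algorithms.iterator
        .map(alg => Try(KeyFactory.getInstance(alg).generatePrivate(spec)))
        .collectFirst { case Success(key) => key }
        .toRight(s"PKCS#8 key is none of: ${Algorithms.mkString(", ")}")
    }

  // Helper for the constructed samples: PrivateKey.getEncoded is PKCS#8 DER.
  def toPem(key: PrivateKey): String = {
    val enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
    s"$Begin\n${enc.encodeToString(key.getEncoded)}\n$End\n"
  }

  def main(args: Array[String]): Unit = {
    for (alg <- List("RSA", "EC")) {
      val kpg = KeyPairGenerator.getInstance(alg)
      kpg.initialize(if (alg == "RSA") 2048 else 256)
      println(s"$alg -> " + loadPrivateKey(toPem(kpg.generateKeyPair().getPrivate)).map(_.getAlgorithm))
    }
    println(loadPrivateKey("-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----"))
  }
}
```

The `Left` branches show where the JDK-only path stops: traditional `BEGIN RSA PRIVATE KEY` / `BEGIN EC PRIVATE KEY` files and encrypted keys need extra ASN.1 or PBE handling that this example leaves out.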

OK, I understand. It's ok if you want to skip 6.x

sscarduzio avatar Jul 17 '22 16:07 sscarduzio

@pielas not much is left to do on this task, but it is running really late. Can we please wrap this up and close it in Jira ASAP?

sscarduzio avatar Jul 25 '22 08:07 sscarduzio

@sscarduzio I will close it as soon as possible. However, I haven't felt well in recent days. I will try to wrap this up in the following days.

pielas avatar Jul 26 '22 14:07 pielas