Skip to content

Commit

Permalink
Move check to after new certs are validated
Browse files Browse the repository at this point in the history
Signed-off-by: Craig Perkins <[email protected]>
  • Loading branch information
cwperks committed Oct 24, 2024
1 parent bea1d5b commit d03d83c
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 14 deletions.
15 changes: 8 additions & 7 deletions src/main/java/org/opensearch/security/ssl/SslContextHandler.java
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,7 @@ void reloadSslContext() throws CertificateException {
if (sameCertificates(newCertificates)) {
return;
}
if (sslConfiguration.sslParameters().isValidateCertsOnReloadEnabled()) {
validateNewCertificates(newCertificates);
}
validateNewCertificates(newCertificates, sslConfiguration.sslParameters().shouldValidateNewCertDNs());
invalidateSessions();
if (sslContext.isClient()) {
sslContext = sslConfiguration.buildClientSslContext(false);
Expand Down Expand Up @@ -143,13 +141,16 @@ private void validateSans(final List<Certificate> newCertificates) throws Certif
}
}

private void validateNewCertificates(final List<Certificate> newCertificates) throws CertificateException {
private void validateNewCertificates(final List<Certificate> newCertificates, boolean shouldValidateNewCertDNs)
throws CertificateException {
for (final var certificate : newCertificates) {
certificate.x509Certificate().checkValidity();
}
validateSubjectDns(newCertificates);
validateIssuerDns(newCertificates);
validateSans(newCertificates);
if (shouldValidateNewCertDNs) {
validateSubjectDns(newCertificates);
validateIssuerDns(newCertificates);
validateSans(newCertificates);
}
}

private void invalidateSessions() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,20 +54,20 @@ public class SslParameters {

private final List<String> ciphers;

private final boolean validateCertsOnReload;
private final boolean validateCertDNsOnReload;

private SslParameters(
SslProvider provider,
final ClientAuth clientAuth,
List<String> protocols,
List<String> ciphers,
boolean validateCertsOnReload
boolean validateCertDNsOnReload
) {
this.provider = provider;
this.ciphers = ciphers;
this.protocols = protocols;
this.clientAuth = clientAuth;
this.validateCertsOnReload = validateCertsOnReload;
this.validateCertDNsOnReload = validateCertDNsOnReload;
}

public ClientAuth clientAuth() {
Expand All @@ -86,8 +86,8 @@ public List<String> allowedProtocols() {
return protocols;
}

public boolean isValidateCertsOnReloadEnabled() {
return validateCertsOnReload;
public boolean shouldValidateNewCertDNs() {
return validateCertDNsOnReload;
}

@Override
Expand Down Expand Up @@ -126,7 +126,7 @@ private SslProvider provider(final Settings settings) {
}
}

private boolean validateCertsOnReload(final Settings settings) {
private boolean validateCertDNsOnReload(final Settings settings) {
return settings.getAsBoolean(ENFORCE_CERT_RELOAD_DN_VERIFICATION, true);
}

Expand Down Expand Up @@ -200,7 +200,7 @@ public SslParameters load(final boolean http) {
clientAuth,
protocols(provider, sslConfigSettings, http),
ciphers(provider, sslConfigSettings),
validateCertsOnReload(sslConfigSettings)
validateCertDNsOnReload(sslConfigSettings)
);
if (sslParameters.allowedProtocols().isEmpty()) {
throw new OpenSearchSecurityException("No ssl protocols for " + (http ? "HTTP" : "Transport") + " layer");
Expand Down

0 comments on commit d03d83c

Please sign in to comment.