Add certutil http command

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java

@@ -120,8 +120,20 @@ public static List<Certificate> readCertificates(InputStream input) throws Certi
      *                    return the password for that key. If it returns {@code null}, then the key-pair for that alias is not read.
      */
     public static Map<Certificate, Key> readPkcs12KeyPairs(Path path, char[] password, Function<String, char[]> keyPassword)
-        throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
-        final KeyStore store = readKeyStore(path, "PKCS12", password);
+            throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, UnrecoverableKeyException {
+        return readKeyPairsFromKeystore(path, "PKCS12", password, keyPassword);
+    }
+
+    public static Map<Certificate, Key> readKeyPairsFromKeystore(Path path, String storeType, char[] password,
+                                                                  Function<String, char[]> keyPassword)
+        throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException {
+
+        final KeyStore store = readKeyStore(path, storeType, password);
+        return readKeyPairsFromKeystore(store, keyPassword);
+    }
+
+    static Map<Certificate, Key> readKeyPairsFromKeystore(KeyStore store, Function<String, char[]> keyPassword)
+        throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
         final Enumeration<String> enumeration = store.aliases();
         final Map<Certificate, Key> map = new HashMap<>(store.size());
         while (enumeration.hasMoreElements()) {

x-pack/plugin/core/src/test/java/org/elasticsearch/test/FileMatchers.java

@@ -0,0 +1,90 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.test;
+
+import org.hamcrest.CustomMatcher;
+import org.hamcrest.Description;
+import org.hamcrest.Matcher;
+
+import java.nio.file.Files;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+
+public class FileMatchers {
+    public static Matcher<Path> pathExists(LinkOption... options) {
+        return new CustomMatcher<>("Path exists") {
+            @Override
+            public boolean matches(Object item) {
+                if (item instanceof Path) {
+                    Path path = (Path) item;
+                    return Files.exists(path, options);
+                } else {
+                    return false;
+                }
+
+            }
+        };
+    }
+
+    public static Matcher<Path> isDirectory(LinkOption... options) {
+        return new FileTypeMatcher("directory", options) {
+            @Override
+            protected boolean matchPath(Path path) {
+                return Files.isDirectory(path, options);
+            }
+        };
+    }
+
+    public static Matcher<Path> isRegularFile(LinkOption... options) {
+        return new FileTypeMatcher("regular file", options) {
+            @Override
+            protected boolean matchPath(Path path) {
+                return Files.isRegularFile(path, options);
+            }
+        };
+    }
+
+    private abstract static class FileTypeMatcher extends CustomMatcher<Path> {
+        private final LinkOption[] options;
+
+        FileTypeMatcher(String typeName, LinkOption... options) {
+            super("Path is " + typeName);
+            this.options = options;
+        }
+
+        @Override
+        public boolean matches(Object item) {
+            if (item instanceof Path) {
+                Path path = (Path) item;
+                return matchPath(path);
+            } else {
+                return false;
+            }
+        }
+
+        protected abstract boolean matchPath(Path path);
+
+        @Override
+        public void describeMismatch(Object item, Description description) {
+            super.describeMismatch(item, description);
+            if (item instanceof Path) {
+                Path path = (Path) item;
+                if (Files.exists(path, options) == false) {
+                    description.appendText(" (file not found)");
+                } else if (Files.isDirectory(path, options)) {
+                    description.appendText(" (directory)");
+                } else if (Files.isSymbolicLink(path)) {
+                    description.appendText(" (symlink)");
+                } else if (Files.isRegularFile(path, options)) {
+                    description.appendText(" (regular file)");
+                } else {
+                    description.appendText(" (unknown file type)");
+                }
+            }
+        }
+    }
+}

x-pack/plugin/core/src/test/java/org/elasticsearch/test/TestMatchers.java

@@ -20,6 +20,10 @@
 
 public class TestMatchers extends Matchers {
 
+    /**
+     * @deprecated Use {@link FileMatchers#pathExists}
+     */
+    @Deprecated
     public static Matcher<Path> pathExists(Path path, LinkOption... options) {
         return new CustomMatcher<Path>("Path " + path + " exists") {
             @Override

x-pack/plugin/security/cli/build.gradle

@@ -19,6 +19,11 @@ dependencyLicenses {
   mapping from: /bc.*/, to: 'bouncycastle'
 }
 
+forbiddenPatterns {
+  exclude '**/*.p12'
+  exclude '**/*.jks'
+}
+
 if (BuildParams.inFipsJvm) {
   test.enabled = false
   testingConventions.enabled = false

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertGenUtils.java

@@ -157,6 +157,14 @@ private static X509Certificate generateSignedCertificate(X500Principal principal
             throw new IllegalArgumentException("the certificate must be valid for at least one day");
         }
         final ZonedDateTime notAfter = notBefore.plusDays(days);
+        return generateSignedCertificate(principal, subjectAltNames, keyPair, caCert, caPrivKey, isCa, notBefore, notAfter,
+            signatureAlgorithm);
+    }
+
+    public static X509Certificate generateSignedCertificate(X500Principal principal, GeneralNames subjectAltNames, KeyPair keyPair,
+                                                             X509Certificate caCert, PrivateKey caPrivKey, boolean isCa,
+                                                             ZonedDateTime notBefore, ZonedDateTime notAfter, String signatureAlgorithm)
+        throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException {
         final BigInteger serial = CertGenUtils.getSerial();
         JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
 

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

@@ -142,6 +142,7 @@ public static void main(String[] args) throws Exception {
         subcommands.put("csr", new SigningRequestCommand());
         subcommands.put("cert", new GenerateCertificateCommand());
         subcommands.put("ca", new CertificateAuthorityCommand());
+        subcommands.put("http", new HttpCertificateCommand());
     }
 
 
@@ -920,7 +921,7 @@ static Collection<CertificateInformation> parseFile(Path file) throws Exception
         }
     }
 
-    private static PEMEncryptor getEncrypter(char[] password) {
+    static PEMEncryptor getEncrypter(char[] password) {
         return new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).build(password);
     }
 
@@ -1036,7 +1037,7 @@ private static PrivateKey readPrivateKey(Path path, char[] password, Terminal te
         }
     }
 
-    private static GeneralNames getSubjectAlternativeNamesValue(List<String> ipAddresses, List<String> dnsNames, List<String> commonNames) {
+    static GeneralNames getSubjectAlternativeNamesValue(List<String> ipAddresses, List<String> dnsNames, List<String> commonNames) {
         Set<GeneralName> generalNameList = new HashSet<>();
         for (String ip : ipAddresses) {
             generalNameList.add(new GeneralName(GeneralName.iPAddress, ip));
@@ -1056,7 +1057,7 @@ private static GeneralNames getSubjectAlternativeNamesValue(List<String> ipAddre
         return new GeneralNames(generalNameList.toArray(new GeneralName[0]));
     }
 
-    private static boolean isAscii(char[] str) {
+    static boolean isAscii(char[] str) {
         return ASCII_ENCODER.canEncode(CharBuffer.wrap(str));
     }