Update certs for SecuritySSLReloadCertsActionTests

[cwperks]

Description

This PR updates expired certs used in SecuritySSLReloadCertsActionTests

• Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)

Test fix

Issues Resolved

#2675

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwperks]

I changed this back from the change introduced in this PR because I'm not positive how to specify the SAN in the openssl command. PR where this was added: https://github.com/opensearch-project/security/pull/1369/files#diff-9e1e704af587fb1787556fe19857df59ef099619245b491958b0c9de83e5f2fe

Node certificates are being generated with the following commands:

openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node.key.pem
openssl req -new -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1,RID:1.2.3.4.5.5") -in node.csr -out node.crt.pem -CA signing.pem -CAkey signing-key.pem

[cwperks]

I'm able to add otherName in the subjectAltName, but I'm not sure if this is correct:

openssl genrsa -out node2-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node2-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node2.key.pem
openssl req -new -key node2.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-2.example.com" -out node2.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=DNS:node-2.example.com,DNS:localhost,IP:127.0.0.1,RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-2.example.com") -in node2.csr -out node2.crt.pem -CA signing.pem -CAkey signing-key.pem

[cwperks]

@jksmth Would you be able to provide the commands you used to generate certs in this PR? #1369

[cwperks]

I regenerated the node certificates using:

openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node.key.pem
openssl req -new -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-1.example.com,DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1") -in node.csr -out node.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl genrsa -out node-new-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-new-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-new.key.pem
openssl req -new -key node-new.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node-new.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-1.example.com,DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1") -in node-new.csr -out node-new.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl genrsa -out node-wrong-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-wrong-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-wrong.key.pem
openssl req -new -key node-wrong.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-2.example.com" -out node-wrong.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-2.example.com,DNS:node-2.example.com,DNS:localhost,IP:127.0.0.1") -in node-wrong.csr -out node-wrong.crt.pem -CA signing.pem -CAkey signing-key.pem

and the tests pass locally

[cwperks]

More details about subjectAltName can be found here: https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html

[codecov-commenter]

Codecov Report

Merging #2679 (0d32ae1) into main (9fca0da) will decrease coverage by 0.05%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@             Coverage Diff              @@
##               main    #2679      +/-   ##
============================================
- Coverage     61.39%   61.35%   -0.05%     
  Complexity     3383     3383              
============================================
  Files           269      269              
  Lines         18668    18668              
  Branches       3279     3279              
============================================
- Hits          11462    11454       -8     
- Misses         5611     5618       +7     
- Partials       1595     1596       +1     

see 2 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[cwperks]

I used the commands below to generate new certs:

# openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -subj "/CN=Example Com Inc. Signing CA/OU=Example Com Inc. Signing CA/O=Example Com Inc./DC=example/DC=com" -days 3650 -out rootCACert.pem


openssl genrsa -out root-ca-key.pem 2048
openssl req -x509 -sha256 -new -nodes -key root-ca-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Root CA/CN=Example Com Inc. Root CA" -days 3650 -out root-ca.pem
openssl genrsa -out signing-key.pem 2048
openssl req -x509 -sha256 -new -nodes -CA root-ca.pem -CAkey root-ca-key.pem -key signing-key.pem -subj "/DC=com/DC=example/O=Example Com Inc./OU=Example Com Inc. Signing CA/CN=Example Com Inc. Signing CA" -days 3650 -out signing.pem

openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node.key.pem
openssl req -new -key node.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-1.example.com,DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1") -in node.csr -out node.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl genrsa -out node-new-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-new-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-new.key.pem
openssl req -new -key node-new.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-1.example.com" -out node-new.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-1.example.com,DNS:node-1.example.com,DNS:localhost,IP:127.0.0.1") -in node-new.csr -out node-new.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl genrsa -out node-wrong-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-wrong-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-wrong.key.pem
openssl req -new -key node-wrong.key.pem -subj "/C=DE/L=Test/O=Test/OU=SSL/CN=node-2.example.com" -out node-wrong.csr
openssl x509 -req -days 3650 -extfile <(printf "subjectAltName=RID:1.2.3.4.5.5,otherName:2.5.4.3;UTF8:node-2.example.com,DNS:node-2.example.com,DNS:localhost,IP:127.0.0.1") -in node-wrong.csr -out node-wrong.crt.pem -CA signing.pem -CAkey signing-key.pem

# CN=kirk,OU=client,O=client,L=Test,C=DE
openssl genrsa -out kirk-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in kirk-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kirk.key.pem
openssl req -new -key kirk.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=kirk" -out kirk.csr
openssl x509 -req -days 3650 -in kirk.csr -out kirk.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl pkcs12 -export -in kirk.crt.bundle.pem -inkey kirk.key.pem -name kirk > kirk.p12

# CN=spock,OU=client,O=client,L=Test,C=DE
openssl genrsa -out spock-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in spock-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out spock.key.pem
openssl req -new -key spock.key.pem -subj "/C=DE/L=Test/O=client/OU=client/CN=spock" -out spock.csr
openssl x509 -req -days 3650 -in spock.csr -out spock.crt.pem -CA signing.pem -CAkey signing-key.pem

openssl pkcs12 -export -in spock.crt.bundle.pem -inkey spock.key.pem -name spock > spock.p12

In addition to generating node.crt.pem, node-new.crt.pem, node-wrong.crt.pem, kirk.crt.pem and spock.crt.pem I had to include the entire certificate chain in each file including the intermediate signing certificate and root certificate. I was not able to figure out how to automatically add the certificate chain when creating a .pem file. When bundling the certificates together in the same file the root certificate was placed at the bottom and the lowest level certificate on the top.

[cwperks]

This SO post describes how to add all certificates to the keystore. https://stackoverflow.com/a/9300727

In summary, the commands for kirk would be:

# kirk.crt.bundle.pem is all certificates with server certificate on the top and root-ca on the bottom
openssl pkcs12 -export -in kirk.crt.bundle.pem -inkey kirk.key.pem -name kirk > kirk.p12

keytool -importkeystore -srckeystore kirk.p12 -destkeystore kirk-keystore.jks -srcstoretype pkcs12 -alias kirk

# Use password changeit for all prompts

# Export the certificate from the newly created keystore
keytool -exportcert -rfc -file kirk-all.pem -keystore kirk-keystore.jks -alias kirk

# Add all certs to kirk-all.pem similar to kirk.crt.bundle.pem

# Import the bundle

keytool -importcert -keystore kirk-keystore.jks -alias kirk -file kirk-all.pem

truststore.jks can be created with:

keytool -import -trustcacerts -file root-ca.pem -alias root-ca -keystore truststore.jks 

[stephen-crawford]

Thank you for helping with this Craig. Looks good to me!

[opensearch-trigger-bot]

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2679-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bbd43ec56cf1d7913bbe49547b09558ac37bc89f
# Push it to GitHub
git push --set-upstream origin backport/backport-2679-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-2679-to-1.x.

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2679-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bbd43ec56cf1d7913bbe49547b09558ac37bc89f
# Push it to GitHub
git push --set-upstream origin backport/backport-2679-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2679-to-1.3.