fixup! Validate exipry trust anchor

Author: jfreden

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignatureManager.java

@@ -189,17 +189,60 @@ public boolean verify(X509CertificateSignature signature, String... headers) thr
  leaf.getPublicKey().getAlgorithm()
  );
  }
+
+ authTrustManager.checkClientTrusted(signature.certificates(), leaf.getPublicKey().getAlgorithm());
+
  for (var certificate : signature.certificates()) {
  certificate.checkValidity();
  }
 
- authTrustManager.checkClientTrusted(signature.certificates(), leaf.getPublicKey().getAlgorithm());
+ var trustAnchor = findTrustAnchor(signature.topCertificate(), trustManager.get().getAcceptedIssuers());
+ assert trustAnchor != null : Strings.format("Failed to find trust anchor for [%s]", signature.topCertificate());
+
+ trustAnchor.checkValidity();
 
  final Signature signer = Signature.getInstance(signature.algorithm());
  signer.initVerify(leaf);
  signer.update(getSignableBytes(headers));
  return signer.verify(signature.signature().array());
  }
+
+ /**
+ * Find the certificate that issued the certificate at the top of the current chain. A certificate chain is a list of
+ * certificates followed by one or more CA certificates (usually the last one being a self-signed certificate), with the
+ * following properties:
+ * <br>
+ * 1. The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the list.
+ * 2. Each certificate (except the last one) is signed by the secret key corresponding to the next certificate in the chain (i.e.
+ * the signature of one certificate can be verified using the public key contained in the following certificate).
+ * 3. The last certificate in the list is a trust anchor.
+ */
+ private X509Certificate findTrustAnchor(X509Certificate topCert, X509Certificate[] trustAnchors) {
+ X500Principal issuer = topCert.getIssuerX500Principal();
+
+ for (X509Certificate anchor : trustAnchors) {
+ // Check if the top cert itself is the trust anchor (handles directly trusted certs and full chains)
+ // Per X.509 spec, a certificate is uniquely identified by issuer DN + serial number
+ if (anchor.getIssuerX500Principal().equals(topCert.getIssuerX500Principal())
+ && anchor.getSerialNumber().equals(topCert.getSerialNumber())) {
+ return anchor;
+ }
+
+ if (anchor.getSubjectX500Principal().equals(issuer)) {
+ try {
+ // Verify this anchor actually signed the top cert
+ topCert.verify(anchor.getPublicKey());
+ return anchor;
+ } catch (GeneralSecurityException e) {
+ logger.trace(
+ "Trust anchor [{}] matches issuer name but did not sign the certificate",
+ anchor.getSubjectX500Principal()
+ );
+ }
+ }
+ }
+ return null;
+ }
  }
 
  public class Signer {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/transport/X509CertificateSignature.java

@@ -79,6 +79,10 @@ public X509Certificate leafCertificate() {
  return certificateChain[0];
  }
 
+ public X509Certificate topCertificate() {
+ return certificateChain[certificateChain.length - 1];
+ }
+
  public String algorithm() {
  return algorithm;
  }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/CrossClusterApiKeySignatureManagerTests.java

@@ -229,6 +229,31 @@ public void testSignAndVerifyExpiredCertFails() {
  assertThat(exception.getMessage(), containsString(inFipsJvm() ? "certificate expired on" : "NotAfter"));
  }
 
+ public void testSignAndVerifyExpiredTrustAnchorCertFails() {
+ var builder = Settings.builder()
+ .put("path.home", createTempDir())
+ .put(Node.NODE_NAME_SETTING.getKey(), randomAlphaOfLengthBetween(3, 8));
+
+ builder.put(
+ "cluster.remote.signing.certificate_authorities",
+ getDataPath("/org/elasticsearch/xpack/security/signature/expired_ca_cert.crt")
+ )
+ .put(
+ "cluster.remote.my_remote.signing.certificate",
+ getDataPath("/org/elasticsearch/xpack/security/signature/valid_cert_with_expired_ca.crt")
+ )
+ .put(
+ "cluster.remote.my_remote.signing.key",
+ getDataPath("/org/elasticsearch/xpack/security/signature/valid_key_with_expired_ca.key")
+ );
+
+ var manager = new CrossClusterApiKeySignatureManager(TestEnvironment.newEnvironment(builder.build()));
+ var signature = manager.signerForClusterAlias("my_remote").sign("a_header");
+ var verifier = manager.verifier();
+ var exception = assertThrows(CertificateException.class, () -> verifier.verify(signature, "test"));
+ assertThat(exception.getMessage(), containsString(inFipsJvm() ? "certificate expired on" : "NotAfter"));
+ }
+
  private void addStorePathToBuilder(String storeName, String password, String passwordFips, Settings.Builder builder) {
  String storeType = inFipsJvm() ? "BCFKS" : "PKCS12";
  String extension = inFipsJvm() ? ".bcfks" : ".jks";

x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/signature/expired_ca_cert.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIUFZpIskODPIOEFLzG1VL/Oqes+g0wDQYJKoZIhvcNAQEL
+BQAwPTEYMBYGA1UEAwwPRXhwaXJlZCBUZXN0IENBMRQwEgYDVQQKDAtUZXN0IENB
+IE9yZzELMAkGA1UEBhMCVVMwHhcNMDAwMTAxMDAwMDAwWhcNMTAwMTAxMDAwMDAw
+WjA9MRgwFgYDVQQDDA9FeHBpcmVkIFRlc3QgQ0ExFDASBgNVBAoMC1Rlc3QgQ0Eg
+T3JnMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMDDDRT20V+krmukCsLk2uGRA49qWPaXaMLnchJYSGvy9FAh7ziqcjlG2d5MiBzf
+GGB4GBK6zsysYxoaUeJxDSRtFEsSXy4iMyDRU0FmUM3ORhymLdQYZXRC/wWnzruc
+PCwsfqUbnBvOqOLHHIboWxkvp3HZokqioiBG4VZuTMlxMvpIklHlw8JmQnL+35+a
+TFlJYSozh2Kld3g0g1UEwESMoO4t2xDwFO2O73wk/zryeBmPpKkt9CS2Nc759fEV
+VFbXZmcbJO6+WwxZEQS4rrX8vI7eKs/TPGQyeMevJZi0PYnZqP601Lx0y+4y/PiN
+JqtrdGSRdNklSlhHET3R0c8CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIIJuktlwdkN4v6sgRZSql7X4iliMA0GCSqG
+SIb3DQEBCwUAA4IBAQBwvmoOdFyjHUx8V99zcgd8HOQ/XB7Uctt9te/NfLlhVCN0
+ek0feLWmMJr9XqYM1CJ9jVG78ZS56FitwHkXWRmTqr69+WaZRTrW5csNroyICBS4
+BHhbOM7iEVRenVyGVYGadhBYVAVn/9mkRVARQiIUheNK/3v9pyMuSLf4Sd5QYs6p
+svXin434/PxFj3Teoplqv+iXsPwy7QU5jq+KXl0PWDkxc3Ku7tgc/1Nsk5Zlf3ck
+pQNsdZK979Zx+aTLIbkZnYojgqJSO+2nwTTQj5xZziK9ckeAHvD7VIH5hMDmwAzf
+bjXnaZG0Bfb6vE67G0STGWqNto7M6sXMgL6UgLgm
+-----END CERTIFICATE-----

x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/signature/valid_cert_with_expired_ca.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxTCCAq2gAwIBAgIUOLClxkGLN1IzdCtlAzyv7ubfnGswDQYJKoZIhvcNAQEL
+BQAwPTEYMBYGA1UEAwwPRXhwaXJlZCBUZXN0IENBMRQwEgYDVQQKDAtUZXN0IENB
+IE9yZzELMAkGA1UEBhMCVVMwIBcNMjUxMDIyMDkyNDIwWhgPMjEyNTA5MjgwOTI5
+MjBaMEIxIDAeBgNVBAMMF3ZhbGlkLWxlYWYuZXhhbXBsZS50ZXN0MREwDwYDVQQK
+DAhMZWFmIE9yZzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCesxBHTVrGTnbZ7afvsHEE1xpVDdA8eZgOakFa6JJW4zwdRGIfUbw/
+yWTBiZpq2I1Xi7dbY6ReH09UtbWUPCXrhZ71Vq4MO2FSd1knZqXIoqjX9jRAGT5J
++WU3tPNL2aN7fGSQRHKR9mO/TYhTf9yQGCRHzzpLNHJ1RXOKEkdmhsZZ36wz0LKW
+Ps01gzFsTnp8T4SpttJryW2f74q0ZJvT2oSynqyuJS5MbSwqHl2nyeao8Z8BNVe3
+EOKQAWHUUzpf1xy0/p6Eb4LQObxl9N8sJ3zHX/CcwMpcgh/NRsbQn+TiKJwVkGa3
+SU+UxKlCD1+rTkIr//J91njgictfoXnbAgMBAAGjgbUwgbIwDAYDVR0TAQH/BAIw
+ADAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MDMGA1UdEQQsMCqCF3ZhbGlkLWxlYWYuZXhhbXBsZS50ZXN0gglsb2NhbGhvc3SH
+BH8AAAEwHwYDVR0jBBgwFoAUggm6S2XB2Q3i/qyBFlKqXtfiKWIwHQYDVR0OBBYE
+FEqSu+i1sHYHANJN5DzvUCZYo6hhMA0GCSqGSIb3DQEBCwUAA4IBAQCDYdk9rdz9
+/q4WvH3FwCA5BwFuiaglL8w0k0DhRCuJBd94YdnmMqNbf8C4elJJF6z1nH6Fv2+9
+2KFQ26VsTchGSDrTy+GGT9F7xMQl/pXAvH0aQs/Km1egtWV6GKb0z1HPqyni0Xet
+swJZ6JKlArKjUKGzKCq7fKBm6BR9xvPj5K2wsfRAozUUFfaOou/jBZ0PDpAZoyZb
+MDMh0EfcvKsOh2VesMsfK3bwXbCScjmkSsIebTC+jWHKpoEm2SlVHAMJRSRWIVV1
+AgKMYcwLQRNcslkS7I6HtEjF79vhR54Yu5kxSuU9QiGgYmccfUrzxikg5M+s7nQm
+zbQhWJ68ME07
+-----END CERTIFICATE-----

x-pack/plugin/security/src/test/resources/org/elasticsearch/xpack/security/signature/valid_key_with_expired_ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAnrMQR01axk522e2n77BxBNcaVQ3QPHmYDmpBWuiSVuM8HURi
+H1G8P8lkwYmaatiNV4u3W2OkXh9PVLW1lDwl64We9VauDDthUndZJ2alyKKo1/Y0
+QBk+SfllN7TzS9mje3xkkERykfZjv02IU3/ckBgkR886SzRydUVzihJHZobGWd+s
+M9Cylj7NNYMxbE56fE+EqbbSa8ltn++KtGSb09qEsp6sriUuTG0sKh5dp8nmqPGf
+ATVXtxDikAFh1FM6X9cctP6ehG+C0Dm8ZfTfLCd8x1/wnMDKXIIfzUbG0J/k4iic
+FZBmt0lPlMSpQg9fq05CK//yfdZ44InLX6F52wIDAQABAoIBACuB7dGObHd3ZXAD
+jonQtntcOVTeD5u0vjIdgUNaBVyauY1QhRIPB2v5W40Pm2z1Z3J71E3SuGoxbT9M
+/bXg84hpPpYGKHskAF9qZt+9bW/e4Cksz1BPW1tOayhljFncFcyx4qQGj95iTSBS
+MjCqGh7K749cSZ/6hfKOkslkj3yUwdlA8I27MO4iDMhPj6z+eubHV2G3ypfefGlD
+QQ7ljuFodobtR7udUVWYnPhuScJyUvHG//uCMaLLaW2rWXD3jv0MUbIfTdYUetig
+p0swMeZGUmGh1zlvlJ+l2LBJMXeEi6gzWsHaRO6JJHw/nq64nVb8mq7dCiljRVGv
+G8THEFkCgYEAzoS7zVl1A4M/DbJLJ7i/ZWlT48McAizYx9oq1eAgObrdmDe2Jbvm
+TIwgS1RUfjfViRwgWbuR0X7xt9OIT2QnDGqkOnDJzu764XtLT/D4TNJA1QG3H4L2
+Jy0JksMLhoUXIormGhAV0onSSfNV5SqHt//OrDAQKwfCIUXh9+62LbcCgYEAxLk+
+sEtHp9EzUGYayUbXghWk1u3/RiuEtlx2sS3v+qtbOGAfyXzPYAHJVFiHFo2/JG1Q
+rsYVx5rj/YoQwiFHjR0lkLeEpRqhXv1s1goaUiuBVxzmHX8V97QPLfzEuQLabZwM
+9pWLH8zGTKrSIooRb4I1HU7ooElVYDX02JYcFP0CgYEAiJc953ntbN9XyuVL0//b
+h2V8uL4JPl8PGk/v2PmeFtDDU7Q1Ywu+LI7ZpTknkTu4njDeLLtknJ1LnnvoQipJ
+sWqvKIAE2jsx8ASuMTd94sGFY9z4k3z49bxSAqHCc7x/KreXrVFKPbAuR/8LpsDU
+dxxYQ4aeivdcrMkdxfA6yk0CgYAEhgn1/dUo+7uFVsO46yMbf6nps1FSaL/FfbzQ
++DBzgCs50aQJexA9sezSPrLkht/lU4ouaqmnjF0/wEQAYsmFai0p9b5cGY+qYoN1
+LIhMaWmw+h4kgX6c0owiz5QqePFS4eq+ZNPtKEVLEAaC+s/J06GrCdx5ixYmfzch
+H9qHdQKBgAvOPI7f8bLNJManzHfcnnNnxrKYg1J3YNvRJa+QkGR3sXQULT2NRiT/
+35NrOnKo0pwCgVMgO2zkSG3jQMCG9Yd9hE5fRHCwjhMUK5i7R4xS5FwrvowO+IMW
+g0yyx7tg4keTdlKo9KuJSVlv+tnRIX8ZmYxBMcdtIbLEoMTbA4Yh
+-----END RSA PRIVATE KEY-----