SSL certificate hot reload with OtherName in SAN #843
Description
This issue relates to #238.
Hot reloading SSL certificates that contain OtherName in the SAN fail to reload.
GET /_opendistro/_security/api/ssl/certs
{
"http_certificates_list" : [
{
"issuer_dn" : "CN=elastic-test-http,OU=elastic-test",
"subject_dn" : "CN=elastic-test-es-http.local,OU=elastic-test",
"san" : "[[2, elastic-test-es-http]]",
"not_before" : "2020-11-19T12:42:57Z",
"not_after" : "2020-11-19T12:57:57Z"
}
],
"transport_certificates_list" : [
{
"issuer_dn" : "CN=elastic-test-transport,OU=elastic-test",
"subject_dn" : "CN=elastic-test-es-node-0.local,OU=elastic-test",
"san" : "[[0, [B@6ac191ff], [2, elastic-test-es-node-0], [7, 127.0.0.1]]",
"not_before" : "2020-11-19T11:48:35Z",
"not_after" : "2020-11-19T12:03:35Z"
}
]
}
Note [0, [B@6ac191ff] in the transport certificate SAN. Repeated calls to GET /_opendistro/_security/api/ssl/certs show that the string representation of the OtherName byte array ([B@xxxxxxxx) changes each time.
PUT /_opendistro/_security/api/ssl/http/reloadcerts
The HTTP certificate does not contain OtherName in the SAN and works as expected.
PUT /_opendistro/_security/api/ssl/transport/reloadcerts
The transport certificate fails to reload with the following error:
{"error":"ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.Exception: New Certs do not have valid Issuer DN, Subject DN or SAN.]; nested: Exception[New Certs do not have valid Issuer DN, Subject DN or SAN.];"}
The issue seems to be that when cert.getSubjectAlternativeNames().toString() parses the byte array value of type 0 (OtherName) the resulting string is always different, causing the SAN strings to never match.
Each entry is a List whose first entry is an Integer (the name type, 0-8) and whose second entry is a String or a byte array
https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getSubjectAlternativeNames--
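The mechanism described above, as an added example that is not part of the issue and not code from the OpenDistro Security project: the SAN collection is built in the shape `X509Certificate.getSubjectAlternativeNames()` returns (the byte values are constructed, not from a real certificate), the string comparison the issue describes is shown to fail for a type-0 entry because `byte[].toString()` yields an identity hash, and a normalizing comparison that renders byte arrays as hex is shown beside it. The class and method names (`SanCompare`, `naiveSanEquals`, `normalizedSanEquals`) are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanCompare {

    // Builds a SAN collection in the shape getSubjectAlternativeNames() returns:
    // each entry is a List whose first element is the Integer name type (0-8) and whose
    // second is a String (dNSName, iPAddress, ...) or a byte[] (otherName, x400Address,
    // ediPartyName). The OtherName bytes below are constructed for this example.
    static Collection<List<?>> constructedSan() {
        Collection<List<?>> san = new ArrayList<>();
        san.add(Arrays.asList(0, new byte[] {
            0x30, 0x0c, 0x06, 0x03, 0x55, 0x04, 0x03, (byte) 0xa0, 0x05, 0x0c, 0x03, 0x61, 0x62, 0x63
        }));
        san.add(Arrays.asList(2, "elastic-test-es-node-0"));
        san.add(Arrays.asList(7, "127.0.0.1"));
        return san;
    }

    // The comparison the issue describes: toString() on the whole collection.
    // A byte[] element renders as "[B@<identity hash>", which differs between two
    // independently parsed certificates, so equal SANs almost never produce equal strings.
    static boolean naiveSanEquals(Collection<List<?>> a, Collection<List<?>> b) {
        return a.toString().equals(b.toString());
    }

    // Canonical form: byte[] values become lowercase hex, everything else keeps its
    // String form, so two certificates carrying the same OtherName bytes compare equal.
    static String normalizeSan(Collection<List<?>> san) {
        StringBuilder sb = new StringBuilder();
        for (List<?> entry : san) {
            Object type = entry.get(0);
            Object value = entry.get(1);
            String rendered = value instanceof byte[] ? toHex((byte[]) value) : String.valueOf(value);
            sb.append(type).append('=').append(rendered).append(';');
        }
        return sb.toString();
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    static boolean normalizedSanEquals(Collection<List<?>> a, Collection<List<?>> b) {
        return normalizeSan(a).equals(normalizeSan(b));
    }

    public static void main(String[] args) {
        // Two SAN collections with identical content but distinct byte[] instances,
        // which is what two parses of the same PEM file produce.
        Collection<List<?>> oldCert = constructedSan();
        Collection<List<?>> newCert = constructedSan();
        System.out.println("toString() comparison:  " + naiveSanEquals(oldCert, newCert));
        System.out.println("normalized comparison:  " + normalizedSanEquals(oldCert, newCert));
    }
}
```

The normalized form keeps entry order, so a reissued certificate that lists the same names in a different order would still be rejected; sorting the rendered entries before joining them makes the check order-insensitive if that is the intended policy for reload validation.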