Only check validity of certs in the chain of the node certificates

src/main/java/org/opensearch/security/ssl/SslConfiguration.java

@@ -17,11 +17,13 @@
 import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -74,7 +76,10 @@
     }
 
     public TrustManagerFactory trustStoreFactory() {
-        return trustStoreConfiguration.createTrustManagerFactory(sslParameters.shouldValidateNewCertDNs());
+        return trustStoreConfiguration.createTrustManagerFactory(
+            sslParameters.shouldValidateNewCertDNs(),
+            keyStoreConfiguration.getIssuerDns()
+        );
     }
 
     public SslParameters sslParameters() {
@@ -84,10 +89,10 @@
     @SuppressWarnings("removal")
     SslContext buildServerSslContext(final boolean validateCertificates) {
         try {
-            return AccessController.doPrivileged(
-                (PrivilegedExceptionAction<SslContext>) () -> SslContextBuilder.forServer(
-                    keyStoreConfiguration.createKeyManagerFactory(validateCertificates)
-                )
+            return AccessController.doPrivileged((PrivilegedExceptionAction<SslContext>) () -> {
+                KeyManagerFactory kmFactory = keyStoreConfiguration.createKeyManagerFactory(validateCertificates);
+                Set<X500Principal> issuerDns = keyStoreConfiguration.getIssuerDns();
+                return SslContextBuilder.forServer(kmFactory)
                     .sslProvider(sslParameters.provider())
                     .clientAuth(sslParameters.clientAuth())
                     .protocols(sslParameters.allowedProtocols().toArray(new String[0]))
@@ -112,9 +117,9 @@
                             ApplicationProtocolNames.HTTP_1_1
                         )
                     )
-                    .trustManager(trustStoreConfiguration.createTrustManagerFactory(validateCertificates))
-                    .build()
-            );
+                    .trustManager(trustStoreConfiguration.createTrustManagerFactory(validateCertificates, issuerDns))
+                    .build();
+            });
         } catch (PrivilegedActionException e) {
             throw new OpenSearchException("Failed to build server SSL context", e);
         }
@@ -123,19 +128,21 @@
     @SuppressWarnings("removal")
     SslContext buildClientSslContext(final boolean validateCertificates) {
         try {
-            return AccessController.doPrivileged(
-                (PrivilegedExceptionAction<SslContext>) () -> SslContextBuilder.forClient()
+            return AccessController.doPrivileged((PrivilegedExceptionAction<SslContext>) () -> {
+                KeyManagerFactory kmFactory = keyStoreConfiguration.createKeyManagerFactory(validateCertificates);
+                Set<X500Principal> issuerDns = keyStoreConfiguration.getIssuerDns();
+                return SslContextBuilder.forClient()
                     .sslProvider(sslParameters.provider())
                     .protocols(sslParameters.allowedProtocols())
                     .ciphers(sslParameters.allowedCiphers())
                     .applicationProtocolConfig(ApplicationProtocolConfig.DISABLED)
                     .sessionCacheSize(0)
                     .sessionTimeout(0)
                     .sslProvider(sslParameters.provider())
-                    .keyManager(keyStoreConfiguration.createKeyManagerFactory(validateCertificates))
-                    .trustManager(trustStoreConfiguration.createTrustManagerFactory(validateCertificates))
-                    .build()
-            );
+                    .keyManager(kmFactory)
+                    .trustManager(trustStoreConfiguration.createTrustManagerFactory(validateCertificates, issuerDns))
+                    .build();
+            });
         } catch (PrivilegedActionException e) {
             throw new OpenSearchException("Failed to build client SSL context", e);
         }

src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java

@@ -18,9 +18,12 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import javax.net.ssl.KeyManagerFactory;
+import javax.security.auth.x500.X500Principal;
 
 import com.google.common.collect.ImmutableList;
 
@@ -41,6 +44,15 @@ default KeyManagerFactory createKeyManagerFactory(boolean validateCertificates)
         return buildKeyManagerFactory(keyStore.v1(), keyStore.v2());
     }
 
+    default Set<X500Principal> getIssuerDns() {
+        Set<X500Principal> issuerDns = new HashSet<>();
+        final List<Certificate> certificates = loadCertificates();
+        for (Certificate certificate : certificates) {
+            issuerDns.add(certificate.x509Certificate().getIssuerX500Principal());
+        }
+        return issuerDns;
+    }
+
     default KeyManagerFactory buildKeyManagerFactory(final KeyStore keyStore, final char[] password) {
         try {
             final var keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java

@@ -24,10 +24,16 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
+import java.util.Arrays;
 import java.util.List;
+import java.util.Set;
 import javax.crypto.NoSuchPaddingException;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLSessionContext;
+import javax.security.auth.x500.X500Principal;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 import org.opensearch.OpenSearchException;
 
@@ -37,6 +43,8 @@
 
 final class KeyStoreUtils {
 
+    private final static Logger log = LogManager.getLogger(KeyStoreUtils.class);
+
     private final static class SecuritySslContext extends SslContext {
 
         private SecuritySslContext() {}
@@ -141,15 +149,10 @@
                 final var a = aliases.nextElement();
                 if (keyStore.isCertificateEntry(a)) {
                     final var c = (X509Certificate) keyStore.getCertificate(a);
-                    if (c == null) {
-                        throw new CertificateException("Alias " + a + " does not contain a certificate entry");
-                    }
                     c.checkValidity();
-                } else if (keyStore.isKeyEntry(a)) {
-                    final var cc = keyStore.getCertificateChain(a);
-                    if (cc == null) {
-                        throw new CertificateException("Alias " + a + " does not contain a certificate chain");
-                    }
+                }
+                final var cc = keyStore.getCertificateChain(a);
+                if (cc != null) {
                     for (final var c : cc) {
                         ((X509Certificate) c).checkValidity();
                     }
@@ -162,6 +165,48 @@
         }
     }
 
+    // If dnsToCheck is present, this method will only validate the validate for certificates that match the dns in this list or
+    // up the chain
+    public static void validateKeyStoreCertificates(final KeyStore keyStore, Set<X500Principal> dnsToCheck) {
+        try {
+            final var aliases = keyStore.aliases();
+            while (aliases.hasMoreElements()) {
+                final var a = aliases.nextElement();
+                if (keyStore.isCertificateEntry(a)) {
+                    final var c = (X509Certificate) keyStore.getCertificate(a);
+                    if (dnsToCheck.contains(c.getSubjectX500Principal())) {
+                        c.checkValidity();
+                        final var cc = keyStore.getCertificateChain(a);
+                        if (cc != null) {
+                            for (final var c1 : cc) {
+                                ((X509Certificate) c1).checkValidity();
+                            }
+                        }
+                    } else {
+                        log.info("Skipping validation for " + c.getSubjectX500Principal().getName());
+                    }
+                } else {
+                    if (keyStore.isCertificateEntry(a)) {
+                        final var c = (X509Certificate) keyStore.getCertificate(a);
+                        c.checkValidity();
+                    }
+                    final var cc = keyStore.getCertificateChain(a);
+                    if (cc != null) {
+                        if (Arrays.stream(cc).anyMatch(c -> dnsToCheck.contains(((X509Certificate) c).getSubjectX500Principal()))) {
+                            for (final var c : cc) {
+                                ((X509Certificate) c).checkValidity();
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (KeyStoreException e) {
+            throw new OpenSearchException("Couldn't load keys store", e);
+        } catch (CertificateException e) {
+            throw new OpenSearchException("Invalid certificates", e);
+        }
+    }
+
     public static KeyStore loadKeyStore(final Path path, final String type, final char[] password) {
         try {
             final var keyStore = KeyStore.getInstance(type);

src/main/java/org/opensearch/security/ssl/config/TrustStoreConfiguration.java

@@ -19,9 +19,11 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.x500.X500Principal;
 
 import com.google.common.collect.ImmutableList;
 
@@ -46,7 +48,7 @@ public KeyStore createTrustStore() {
         }
 
         @Override
-        public TrustManagerFactory createTrustManagerFactory(boolean validateCertificates) {
+        public TrustManagerFactory createTrustManagerFactory(boolean validateCertificates, Set<X500Principal> issuerDns) {
             return null;
         }
     };
@@ -55,10 +57,10 @@ public TrustManagerFactory createTrustManagerFactory(boolean validateCertificate
 
     List<Certificate> loadCertificates();
 
-    default TrustManagerFactory createTrustManagerFactory(boolean validateCertificates) {
+    default TrustManagerFactory createTrustManagerFactory(boolean validateCertificates, Set<X500Principal> issuerDns) {
         final var trustStore = createTrustStore();
         if (validateCertificates) {
-            KeyStoreUtils.validateKeyStoreCertificates(trustStore);
+            KeyStoreUtils.validateKeyStoreCertificates(trustStore, issuerDns);
         }
         return buildTrustManagerFactory(trustStore);
     }

src/test/java/org/opensearch/security/ssl/config/SslCertificatesLoaderTest.java

@@ -13,6 +13,7 @@
 
 import java.nio.file.Path;
 import java.util.List;
+import java.util.Set;
 
 import com.carrotsearch.randomizedtesting.RandomizedTest;
 import org.junit.ClassRule;
@@ -49,7 +50,7 @@ void assertTrustStoreConfiguration(
         assertThat("Truststore configuration created", nonNull(trustStoreConfiguration));
         assertThat(trustStoreConfiguration.file(), is(expectedFile));
         assertThat(trustStoreConfiguration.loadCertificates(), containsInAnyOrder(expectedCertificates));
-        assertThat(trustStoreConfiguration.createTrustManagerFactory(true), is(notNullValue()));
+        assertThat(trustStoreConfiguration.createTrustManagerFactory(true, Set.of()), is(notNullValue()));
     }
 
     void assertKeyStoreConfiguration(