elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

certutil fails with PEM and empty passwords #93494

Closed nuno-andre closed 1 year ago

nuno-andre commented 1 year ago

Elasticsearch Version

Version: 8.6.1, Build: deb/180c9830da956993e59e2cd70eb32b5e383ea42c/2023-01-24T21:35:11.506992272Z, JVM: 19.0.1

Installed Plugins

No response

Java Version

bundled

OS Version

Linux elk-poc-1 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Problem Description

elasticsearch-certutil cert raises java.lang.IllegalArgumentException: password empty with --pass "" and/or --ca-pass "" arguments when executed with --pem (but not with PKCS#12).

This command runs properly:

./bin/elasticsearch-certutil cert \
  --in certs/instances.yml \
  --out certs/certs.p12 \
  --pass "" \
  --ca-cert certs/ca.crt \
  --ca-key certs/ca.key \
  --ca-pass "" \
  --silent

Steps to Reproduce

./bin/elasticsearch-certutil cert \
  --in certs/instances.yml \
  --out certs/certs.zip \
  --pass "" \
  --ca-cert certs/ca/ca.crt \
  --ca-key certs/ca/ca.key \
  --ca-pass "" \
  --silent \
  --pem

Logs (if relevant)

Exception in thread "main" java.lang.IllegalArgumentException: password empty
        at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
        at java.base/javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:333)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
        at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:812)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:1036)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:811)
        at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:1052)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:1096)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:1047)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:789)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:716)
        at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
        at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
        at org.elasticsearch.cli.Command.main(Command.java:50)
        at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

HiDAl commented 1 year ago

Hello @nuno-andre,

From your comment, it seems like you want PEM certificates without a password. From our documentation:

--pass Specifies the password for the generated private keys. This parameter cannot be used with the http parameters.

Keys stored in PKCS#12 format are always password protected, however, this password may be blank. If you want to specify a blank password without a prompt, use --pass "" (with no =) on the command line.

Keys stored in PEM format are password protected only if the --pass parameter is specified. If you do not supply an argument for the --pass parameter, you are prompted for a password. Encrypted PEM files do not support blank passwords (if you do not wish to password-protect your PEM keys, then do not specify --pass).

So, you'll need to remove the --pass option from your command to make it work.

I hope this helps to clarify your question.

Cheers
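As an added example (not code from this issue or from Elasticsearch), the following Python check inspects PEM output from the tool and reports whether each private key is encrypted and by which scheme, so an operator can confirm that dropping --pass really produced unencrypted keys (or that supplying it produced encrypted ones). The PEM text embedded below is constructed, with placeholder base64 bodies rather than real key material.

```python
"""Classify the private keys inside PEM output (added example, constructed input)."""
import re
import sys

# One PEM block: label on BEGIN/END lines, everything in between as body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample: one cert, one legacy-encrypted key, one plain key,
# one PKCS#8 encrypted key. Bodies are placeholders, not real keys.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
"""


def classify_pem_keys(pem_text: str) -> list[dict]:
    """Return one record per private-key block: label, encrypted flag, scheme."""
    results = []
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group("label"), m.group("body")
        if "PRIVATE KEY" not in label:
            continue  # certificates, CSRs etc. are not key material
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: a password is required to load it.
            results.append({"label": label, "encrypted": True, "scheme": "pkcs8"})
        elif "Proc-Type: 4,ENCRYPTED" in body:
            # Legacy OpenSSL "traditional" PEM encryption; the cipher is named in
            # DEK-Info. This is the style whose key derivation rejects empty passwords.
            dek = re.search(r"DEK-Info: ([^,\n]+)", body)
            scheme = "openssl-legacy:" + (dek.group(1) if dek else "unknown")
            results.append({"label": label, "encrypted": True, "scheme": scheme})
        else:
            results.append({"label": label, "encrypted": False, "scheme": "none"})
    return results


if __name__ == "__main__":
    # Pass PEM file paths as arguments; without any, the constructed sample is used.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_PEM]
    for text in texts:
        for rec in classify_pem_keys(text):
            print(f"{rec['label']:<25} encrypted={rec['encrypted']!s:<5} scheme={rec['scheme']}")
```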

nuno-andre commented 1 year ago

Hello @HiDAl!

Sorry for the confusion. I was modifying a deployment with PKCS #12 and I took for granted that I needed to indicate those parameters to avoid the password prompt. I have now verified that this is not the case. Thanks!