Start Collector key manager

Author: bernd

graylog2-server/src/main/java/org/graylog/collectors/CollectorCaKeyManager.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors;
+
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.github.benmanes.caffeine.cache.Expiry;
+import com.github.benmanes.caffeine.cache.LoadingCache;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.eventbus.EventBus;
+import com.google.common.eventbus.Subscribe;
+import com.google.common.util.concurrent.AbstractIdleService;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+import org.graylog.collectors.events.CollectorCaConfigUpdated;
+import org.graylog.security.pki.PemUtils;
+import org.graylog2.security.encryption.EncryptedValueService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.X509KeyManager;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+
+@Singleton
+public class CollectorCaKeyManager extends AbstractIdleService implements X509KeyManager {
+    private static final Logger LOG = LoggerFactory.getLogger(CollectorCaKeyManager.class);
+    private static final String ALIAS = "server";
+
+    private final CollectorCaService caService;
+    private final EncryptedValueService encryptedValueService;
+    private final EventBus eventBus;
+    private final LoadingCache<Integer, CacheEntry> cache;
+
+    private record CacheEntry(PrivateKey privateKey,
+                              X509Certificate serverCert,
+                              String serverCertFingerprint,
+                              X509Certificate signingCert,
+                              String signingCertFingerprint) {
+    }
+
+    @Inject
+    public CollectorCaKeyManager(CollectorCaService caService,
+                                 EncryptedValueService encryptedValueService,
+                                 EventBus eventBus) {
+        this.caService = caService;
+        this.encryptedValueService = encryptedValueService;
+        this.eventBus = eventBus;
+        this.cache = Caffeine.newBuilder()
+                .expireAfter(Expiry.<Integer, CacheEntry>creating((key, value) -> Duration.ofSeconds(1)))
+                .maximumSize(1)
+                .initialCapacity(1)
+                .build(this::loadCacheKey);
+    }
+
+    private CacheEntry loadCacheKey(Integer key) {
+        try {
+            final var signingCertEntry = caService.getSigningCert();
+            final var serverCertEntry = caService.getOtlpServerCert();
+            final var signingCert = PemUtils.parseCertificate(signingCertEntry.certificate());
+            final var serverCert = PemUtils.parseCertificate(serverCertEntry.certificate());
+            final var privateKey = PemUtils.parsePrivateKey(encryptedValueService.decrypt(serverCertEntry.privateKey()));
+            LOG.warn("Loaded server cert <{}> and signing cert <{}>", serverCertEntry.fingerprint(), signingCertEntry.fingerprint());
+            return new CacheEntry(privateKey, serverCert, serverCertEntry.fingerprint(), signingCert, signingCertEntry.fingerprint());
+        } catch (Exception e) {
+            LOG.error("Couldn't load certificates", e);
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    protected void startUp() throws Exception {
+        eventBus.register(this);
+    }
+
+    @Override
+    protected void shutDown() throws Exception {
+        eventBus.unregister(this);
+    }
+
+    @Subscribe
+    @VisibleForTesting
+    void handleCollectorsConfigEvent(CollectorCaConfigUpdated event) {
+        cache.invalidateAll();
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        if ("EdDSA".equals(keyType)) {
+            LOG.warn("Returning <{}> as the server alias for key type <{}>", ALIAS, keyType);
+            return ALIAS;
+        }
+        LOG.warn("Returning null for key type <{}>", keyType);
+        return null;
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        if (ALIAS.equals(alias)) {
+            final var entry = cache.get(0);
+            LOG.warn("Returning certificate chain for alias <{}>: server-cert={} signing-cert={}",
+                    alias, entry.serverCertFingerprint(), entry.signingCertFingerprint());
+            return new X509Certificate[]{entry.serverCert(), entry.signingCert()};
+        }
+        LOG.warn("Returning null certificate chain for alias <{}>", alias);
+        return null;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        if (ALIAS.equals(alias)) {
+            final var entry = cache.get(0);
+            LOG.warn("Returning private key for server certificate <{}>", entry.serverCertFingerprint());
+            return entry.privateKey();
+        }
+        LOG.warn("Returning null private key for alias <{}>", alias);
+        return null;
+    }
+
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        return null;
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+}

graylog2-server/src/main/java/org/graylog/collectors/CollectorCaService.java

@@ -16,23 +16,17 @@
  */
 package org.graylog.collectors;
 
-import io.netty.handler.ssl.ClientAuth;
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.graylog.security.pki.Algorithm;
 import org.graylog.security.pki.CertificateEntry;
 import org.graylog.security.pki.CertificateService;
-import org.graylog.security.pki.PemUtils;
 import org.graylog2.plugin.cluster.ClusterIdService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
 
@@ -110,43 +104,6 @@ public CertificateEntry getOtlpServerCert() {
         return certificateService.findById(ensureConfig().otlpServerCertId()).orElseThrow(this::caNotInitializedError);
     }
 
-    /**
-     * Creates a new {@link SslContextBuilder} configured for the OTLP server endpoint.
-     * <p>
-     * The builder is configured with:
-     * <ul>
-     *   <li>The OTLP server certificate and private key for server identity</li>
-     *   <li>Client authentication required (mTLS)</li>
-     *   <li>The signing cert as the trust anchor for validating client certificates</li>
-     * </ul>
-     *
-     * @return a configured SslContextBuilder ready to be built
-     */
-    public SslContextBuilder newServerSslContextBuilder() {
-        final var hierarchy = loadHierarchy();
-        final var otlpServerCert = hierarchy.otlpServerCert();
-        final var signingCert = hierarchy.signingCert();
-
-        try {
-            final PrivateKey key = PemUtils.parsePrivateKey(certificateService.encryptedValueService().decrypt(otlpServerCert.privateKey()));
-
-            final X509Certificate signingCertPem = PemUtils.parseCertificate(signingCert.certificate());
-            final X509Certificate serverCertPem = PemUtils.parseCertificate(otlpServerCert.certificate());
-            final X509Certificate trustedCert = PemUtils.parseCertificate(signingCert.certificate());
-
-            // The Collector only has access to the CA cert, so we need to have the intermediate signing cert
-            // in the key cert chain.
-            return SslContextBuilder.forServer(key, serverCertPem, signingCertPem)
-                    // JDK provider required: BoringSSL (OPENSSL) can load Ed25519 keys but cannot
-                    // complete TLS handshakes — its cipher suite negotiation doesn't recognize Ed25519.
-                    .sslProvider(SslProvider.JDK)
-                    .clientAuth(ClientAuth.REQUIRE)
-                    .trustManager(trustedCert);
-        } catch (Exception e) {
-            throw new RuntimeException("Failed to create OTLP server SSL context", e);
-        }
-    }
-
     /**
      * Loads the existing Collector CA hierarchy.
      *

graylog2-server/src/main/java/org/graylog/collectors/CollectorCaTrustManager.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+public class CollectorCaTrustManager implements X509TrustManager {
+    private static final Logger LOG = LoggerFactory.getLogger(CollectorCaTrustManager.class);
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+        LOG.info("CLIENT {} s={}", x509Certificates, s);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+    }
+}

graylog2-server/src/main/java/org/graylog/collectors/CollectorTLSUtils.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors;
+
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import jakarta.inject.Inject;
+import org.graylog.security.pki.PemUtils;
+
+import java.security.cert.X509Certificate;
+
+public class CollectorTLSUtils {
+    private final CollectorCaService caService;
+    private final CollectorCaKeyManager keyManager;
+
+    @Inject
+    public CollectorTLSUtils(CollectorCaService caService, CollectorCaKeyManager keyManager) {
+        this.caService = caService;
+        this.keyManager = keyManager;
+    }
+
+    /**
+     * Creates a new {@link SslContextBuilder} configured for the OTLP server endpoint.
+     * <p>
+     * The builder is configured with:
+     * <ul>
+     *   <li>The OTLP server certificate and private key for server identity</li>
+     *   <li>Client authentication required (mTLS)</li>
+     *   <li>The signing cert as the trust anchor for validating client certificates</li>
+     * </ul>
+     *
+     * @return a configured SslContextBuilder ready to be built
+     */
+    public SslContextBuilder newServerSslContextBuilder() {
+        final var signingCert = caService.getSigningCert();
+
+        try {
+            final X509Certificate trustedCert = PemUtils.parseCertificate(signingCert.certificate());
+
+            // The Collector only has access to the CA cert, so we need to have the intermediate signing cert
+            // in the key cert chain.
+            return SslContextBuilder.forServer(keyManager)
+                    // JDK provider required: BoringSSL (OPENSSL) can load Ed25519 keys but cannot
+                    // complete TLS handshakes — its cipher suite negotiation doesn't recognize Ed25519.
+                    .sslProvider(SslProvider.JDK)
+                    .clientAuth(ClientAuth.REQUIRE)
+                    .trustManager(new CollectorCaTrustManager());
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to create OTLP server SSL context", e);
+        }
+    }
+}

graylog2-server/src/main/java/org/graylog/collectors/CollectorsConfigService.java

@@ -18,8 +18,11 @@
 
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.graylog.collectors.events.CollectorCaConfigUpdated;
+import org.graylog2.events.ClusterEventBus;
 import org.graylog2.plugin.cluster.ClusterConfigService;
 
+import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -30,10 +33,12 @@ public class CollectorsConfigService {
     private static final CollectorsConfig DEFAULT_CONFIG = CollectorsConfig.createDefault("localhost");
 
     private final ClusterConfigService clusterConfigService;
+    private final ClusterEventBus clusterEventBus;
 
     @Inject
-    public CollectorsConfigService(ClusterConfigService clusterConfigService) {
+    public CollectorsConfigService(ClusterConfigService clusterConfigService, ClusterEventBus clusterEventBus) {
         this.clusterConfigService = clusterConfigService;
+        this.clusterEventBus = clusterEventBus;
     }
 
     /**
@@ -70,6 +75,16 @@ public int getOpampMaxRequestBodySizeBytes() {
      * @param config the config object
      */
     public void save(CollectorsConfig config) {
+        final var existing = get();
+
         clusterConfigService.write(config);
+
+        existing.ifPresent(c -> {
+            if (!Objects.equals(c.caCertId(), config.caCertId())
+                    || !Objects.equals(c.signingCertId(), config.signingCertId())
+                    || !Objects.equals(c.otlpServerCertId(), config.otlpServerCertId())) {
+                clusterEventBus.post(new CollectorCaConfigUpdated());
+            }
+        });
     }
 }

graylog2-server/src/main/java/org/graylog/collectors/CollectorsModule.java

@@ -104,6 +104,8 @@ protected void configure() {
 
         // CA
         bind(CollectorCaService.class).in(Scopes.SINGLETON);
+        bind(CollectorCaKeyManager.class).in(Scopes.SINGLETON);
+        addInitializer(CollectorCaKeyManager.class);
 
         // Collectors config
         bind(CollectorsConfigService.class).asEagerSingleton();