add ca-keyusage option

Author: slobodanadamovic

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertGenUtils.java

@@ -147,9 +147,9 @@ private CertGenUtils() {}
     /**
      * Generates a CA certificate
      */
-    public static X509Certificate generateCACertificate(X500Principal x500Principal, KeyPair keyPair, int days)
+    public static X509Certificate generateCACertificate(X500Principal x500Principal, KeyPair keyPair, int days, KeyUsage keyUsage)
         throws OperatorCreationException, CertificateException, CertIOException, NoSuchAlgorithmException {
-        return generateSignedCertificate(x500Principal, null, keyPair, null, null, true, days, null, null, Set.of());
+        return generateSignedCertificate(x500Principal, null, keyPair, null, null, true, days, null, keyUsage, Set.of());
     }
 
     /**

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateGenerateTool.java

@@ -403,7 +403,7 @@ static CAInfo getCAInfo(
         // generate the CA keys and cert
         X500Principal x500Principal = new X500Principal(dn);
         KeyPair keyPair = CertGenUtils.generateKeyPair(keysize);
-        Certificate caCert = CertGenUtils.generateCACertificate(x500Principal, keyPair, days);
+        Certificate caCert = CertGenUtils.generateCACertificate(x500Principal, keyPair, days, null);
         final char[] password;
         if (prompt) {
             password = terminal.readSecret("Enter password for CA private key: ");

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

@@ -15,6 +15,7 @@
 import org.bouncycastle.asn1.DERIA5String;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMEncryptor;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
@@ -110,6 +111,7 @@ class CertificateTool extends MultiCommand {
         "[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1," + MAX_FILENAME_LENGTH + "}"
     );
     private static final int DEFAULT_KEY_SIZE = 2048;
+    static final List<String> DEFAULT_CA_KEY_USAGE = List.of("keyCertSign", "cRLSign");
 
     // Older versions of OpenSSL had a max internal password length.
     // We issue warnings when writing files with passwords that would not be usable in those versions of OpenSSL.
@@ -202,6 +204,7 @@ abstract static class CertificateCommand extends EnvironmentAwareCommand {
         final OptionSpec<String> outputPathSpec;
         final OptionSpec<String> outputPasswordSpec;
         final OptionSpec<Integer> keysizeSpec;
+        OptionSpec<String> caKeyUsageSpec;
 
         OptionSpec<Void> pemFormatSpec;
         OptionSpec<Integer> daysSpec;
@@ -247,6 +250,7 @@ final void acceptsCertificateAuthority() {
                 .withOptionalArg();
 
             acceptsCertificateAuthorityName();
+            acceptCertificateAuthorityKeyUsage();
         }
 
         void acceptsCertificateAuthorityName() {
@@ -274,6 +278,20 @@ final void acceptInputFile() {
             inputFileSpec = parser.accepts("in", "file containing details of the instances in yaml format").withRequiredArg();
         }
 
+        final void acceptCertificateAuthorityKeyUsage() {
+            OptionSpecBuilder builder = parser.accepts(
+                "ca-keyusage",
+                "comma separated key usages to use for the generated CA. defaults to " + DEFAULT_CA_KEY_USAGE
+            );
+            if (caPkcs12PathSpec != null) {
+                builder = builder.availableUnless(caPkcs12PathSpec);
+            }
+            if (caCertPathSpec != null) {
+                builder = builder.availableUnless(caCertPathSpec);
+            }
+            caKeyUsageSpec = builder.withRequiredArg();
+        }
+
         // For testing
         OptionParser getParser() {
             return parser;
@@ -396,7 +414,16 @@ CAInfo generateCA(Terminal terminal, OptionSet options) throws Exception {
             }
             X500Principal x500Principal = new X500Principal(dn);
             KeyPair keyPair = CertGenUtils.generateKeyPair(getKeySize(options));
-            X509Certificate caCert = CertGenUtils.generateCACertificate(x500Principal, keyPair, getDays(options));
+            final Function<String, Stream<? extends String>> splitByComma = v -> Arrays.stream(Strings.splitStringByCommaToArray(v));
+            final KeyUsage caKeyUsage;
+            if (options.hasArgument(caKeyUsageSpec)) {
+                List<String> keyUsageNames = caKeyUsageSpec.values(options).stream().flatMap(splitByComma).toList();
+                caKeyUsage = CertGenUtils.buildKeyUsage(keyUsageNames);
+            } else {
+                caKeyUsage = CertGenUtils.buildKeyUsage(DEFAULT_CA_KEY_USAGE);
+            }
+
+            X509Certificate caCert = CertGenUtils.generateCACertificate(x500Principal, keyPair, getDays(options), caKeyUsage);
 
             if (options.hasArgument(caPasswordSpec)) {
                 char[] password = getChars(caPasswordSpec.value(options));
@@ -947,6 +974,7 @@ static class CertificateAuthorityCommand extends CertificateCommand {
             super("generate a new local certificate authority");
             acceptCertificateGenerationOptions();
             acceptsCertificateAuthorityName();
+            acceptCertificateAuthorityKeyUsage();
             super.caPasswordSpec = super.outputPasswordSpec;
         }
 

x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateGenerateToolTests.java

@@ -274,7 +274,7 @@ public void testGeneratingSignedCertificates() throws Exception {
         final int keysize = randomFrom(1024, 2048);
         final int days = randomIntBetween(1, 1024);
         KeyPair keyPair = CertGenUtils.generateKeyPair(keysize);
-        X509Certificate caCert = CertGenUtils.generateCACertificate(new X500Principal("CN=test ca"), keyPair, days);
+        X509Certificate caCert = CertGenUtils.generateCACertificate(new X500Principal("CN=test ca"), keyPair, days, null);
 
         final boolean generatedCa = randomBoolean();
         final char[] keyPassword = randomBoolean() ? SecuritySettingsSourceField.TEST_PASSWORD.toCharArray() : null;

x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java

@@ -415,7 +415,13 @@ public void testGeneratingSignedPemCertificates() throws Exception {
         int days = randomIntBetween(1, 1024);
 
         KeyPair keyPair = CertGenUtils.generateKeyPair(keySize);
-        X509Certificate caCert = CertGenUtils.generateCACertificate(new X500Principal("CN=test ca"), keyPair, days);
+        List<String> caKeyUsage = randomBoolean() ? null : CertificateTool.DEFAULT_CA_KEY_USAGE;
+        X509Certificate caCert = CertGenUtils.generateCACertificate(
+            new X500Principal("CN=test ca"),
+            keyPair,
+            days,
+            CertGenUtils.buildKeyUsage(caKeyUsage)
+        );
 
         final boolean selfSigned = randomBoolean();
         final String keyPassword = randomBoolean() ? SecuritySettingsSourceField.TEST_PASSWORD : null;