Allow skipping hot reload dn validation (#4752)

Signed-off-by: Paris Larkins <[email protected]>
Signed-off-by: Paris Larkins <[email protected]>

src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java

@@ -133,7 +133,9 @@ private void printJCEWarnings() {
     public final SslProvider sslTransportServerProvider;
     public final SslProvider sslTransportClientProvider;
     private final boolean httpSSLEnabled;
+    private final boolean httpSSLEnforceCertReloadDnVerification;
     private final boolean transportSSLEnabled;
+    private final boolean transportSSLEnforceCertReloadDnVerification;
 
     private ArrayList<String> enabledHttpCiphersJDKProvider;
     private ArrayList<String> enabledHttpCiphersOpenSSLProvider;
@@ -166,10 +168,18 @@ public DefaultSecurityKeyStore(final Settings settings, final Path configPath) {
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED,
             SSLConfigConstants.SECURITY_SSL_HTTP_ENABLED_DEFAULT
         );
+        httpSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            true
+        );
         transportSSLEnabled = settings.getAsBoolean(
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED,
             SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT
         );
+        transportSSLEnforceCertReloadDnVerification = settings.getAsBoolean(
+            SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+            true
+        );
         final boolean useOpenSSLForHttpIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
             && settings.getAsBoolean(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true);
         final boolean useOpenSSLForTransportIfAvailable = OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED
@@ -422,7 +432,7 @@ public void initTransportSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(transportCerts, certFromKeystore.getCerts());
+                validateNewCerts(transportCerts, certFromKeystore.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -473,7 +483,7 @@ public void initTransportSSLConfig() {
                     certFromFile = new CertFromFile(certProps);
                 }
 
-                validateNewCerts(transportCerts, certFromFile.getCerts());
+                validateNewCerts(transportCerts, certFromFile.getCerts(), transportSSLEnforceCertReloadDnVerification);
                 transportServerSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -571,7 +581,7 @@ public void initHttpSSLConfig() {
                     certFromTruststore = new CertFromTruststore(truststoreProps, truststoreAlias);
                 }
 
-                validateNewCerts(httpCerts, certFromKeystore.getCerts());
+                validateNewCerts(httpCerts, certFromKeystore.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromKeystore.getServerKey(),
                     certFromKeystore.getServerCert(),
@@ -602,7 +612,7 @@ public void initHttpSSLConfig() {
                 );
                 CertFromFile certFromFile = new CertFromFile(certFileProps);
 
-                validateNewCerts(httpCerts, certFromFile.getCerts());
+                validateNewCerts(httpCerts, certFromFile.getCerts(), httpSSLEnforceCertReloadDnVerification);
                 httpSslContext = buildSSLServerContext(
                     certFromFile.getServerPemKey(),
                     certFromFile.getServerPemCert(),
@@ -633,11 +643,16 @@ public void initHttpSSLConfig() {
      * If the current and new certificates are same, skip remaining checks.
      * For new X509 cert to be valid Issuer, Subject DN must be the same and
      * new certificates should expire after current ones.
-     * @param currentX509Certs  Array of current x509 certificates
-     * @param newX509Certs      Array of x509 certificates which will replace our current cert
+     * @param currentX509Certs Array of current x509 certificates
+     * @param newX509Certs     Array of x509 certificates which will replace our current cert
+     * @param verifyValidDNs   Whether to verify that new certs have valid IssuerDN, SubjectDN and SAN
      * @throws Exception if certificate is invalid
      */
-    private void validateNewCerts(final X509Certificate[] currentX509Certs, final X509Certificate[] newX509Certs) throws Exception {
+    private void validateNewCerts(
+        final X509Certificate[] currentX509Certs,
+        final X509Certificate[] newX509Certs,
+        final boolean verifyValidDNs
+    ) throws Exception {
 
         // First time we init certs ignore validity check
         if (currentX509Certs == null) {
@@ -654,7 +669,7 @@ private void validateNewCerts(final X509Certificate[] currentX509Certs, final X5
         }
 
         // Check if new X509 certs have valid IssuerDN, SubjectDN or SAN
-        if (!hasValidDNs(currentX509Certs, newX509Certs)) {
+        if (verifyValidDNs && !hasValidDNs(currentX509Certs, newX509Certs)) {
             throw new Exception("New Certs do not have valid Issuer DN, Subject DN or SAN.");
         }
     }

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -634,6 +634,23 @@ public List<Setting<?>> getSettings() {
             Setting.longSetting(SSLConfigConstants.SECURITY_SSL_HTTP_CRL_VALIDATION_DATE, -1, -1, Property.NodeScope, Property.Filtered)
         );
 
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                true,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+        settings.add(
+            Setting.boolSetting(
+                SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION,
+                true,
+                Property.NodeScope,
+                Property.Filtered
+            )
+        );
+
         return settings;
     }
 

src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java

@@ -82,6 +82,8 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_ALIAS = "plugins.security.ssl.http.truststore_alias";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH = "plugins.security.ssl.http.truststore_filepath";
     public static final String SECURITY_SSL_HTTP_TRUSTSTORE_TYPE = "plugins.security.ssl.http.truststore_type";
+    public static final String SECURITY_SSL_HTTP_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
+        "plugins.security.ssl.http.enforce_cert_reload_dn_verification";
     public static final String SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE =
         "plugins.security.ssl.transport.enable_openssl_if_available";
     public static final String SECURITY_SSL_TRANSPORT_ENABLED = "plugins.security.ssl.transport.enabled";
@@ -91,6 +93,8 @@ public final class SSLConfigConstants {
     public static final String SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME =
         "plugins.security.ssl.transport.resolve_hostname";
 
+    public static final String SECURITY_SSL_TRANSPORT_ENFORCE_CERT_RELOAD_DN_VERIFICATION =
+        "plugins.security.ssl.transport.enforce_cert_reload_dn_verification";
     public static final String SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_SERVER_KEYSTORE_ALIAS = "plugins.security.ssl.transport.server.keystore_alias";
     public static final String SECURITY_SSL_TRANSPORT_CLIENT_KEYSTORE_ALIAS = "plugins.security.ssl.transport.client.keystore_alias";