Module org.elasticsearch.xcore
Package org.elasticsearch.xpack.core.ssl
Class RestrictedTrustManager
java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
org.elasticsearch.xpack.core.ssl.RestrictedTrustManager
All Implemented Interfaces: TrustManager, X509TrustManager
An X509 trust manager that only trusts connections from a restricted set of predefined network entities (nodes, clients, etc.).
The trusted entities are defined as a list of predicates on CertificateTrustRestrictions that are built from the configured restricted trust file. The values in the restricted trust file are compared to the value(s) read from the X509 certificate. If the value(s) read from the X509 certificate match values configured in the restricted trust file, then restricted trust is established. If there is no match, then restricted trust is not established and the connection should be terminated. Restricted trust should be used in conjunction with additional trust models and is intended to restrict, not provide, trust.
The values read from the X509 certificate are configurable and the following are supported:
- subjectAltName.otherName.commonName
- subjectAltName.dnsName
See Also: RestrictedTrustConfig
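The following is an added, self-contained illustration of the "restrict, not provide, trust" model the description lays out; it is not Elasticsearch's RestrictedTrustManager and does not use CertificateTrustRestrictions or X509Field. Every check first runs the wrapped (delegate) trust manager, which performs ordinary chain validation, and only then tests the leaf certificate's subjectAltName.dnsName values against a list of predicates that stands in for the restricted trust file. The class name, the labelGlob pattern syntax and the predicate list are assumptions made for the example. Only the dnsName field is handled here: decoding subjectAltName.otherName.commonName requires parsing the otherName ASN.1 value, which the JDK certificate API does not expose as a string.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Hypothetical restricting trust manager (example code, not Elasticsearch's own).
 * Each check delegates first, then applies the name restrictions to the leaf
 * certificate. A failure in either step rejects the connection, so the wrapper
 * can only narrow the trust the delegate grants, never widen it.
 */
public final class ExampleRestrictingTrustManager extends X509ExtendedTrustManager {

    /** GeneralName tag for dNSName in the lists returned by getSubjectAlternativeNames(). */
    private static final int SAN_DNS_NAME = 2;

    private final X509ExtendedTrustManager delegate;
    /** Assumed stand-in for the restricted trust file: one predicate per permitted name pattern. */
    private final List<Predicate<String>> allowedDnsNames;

    public ExampleRestrictingTrustManager(X509ExtendedTrustManager delegate,
                                          List<Predicate<String>> allowedDnsNames) {
        this.delegate = delegate;
        this.allowedDnsNames = List.copyOf(allowedDnsNames);
    }

    /**
     * Builds a predicate from a constructed glob syntax in which '*' matches exactly one
     * DNS label: "*.node.example.internal" matches "es1.node.example.internal" but not
     * "a.b.node.example.internal". DNS names are compared case-insensitively.
     */
    public static Predicate<String> labelGlob(String pattern) {
        // Pattern.quote wraps the text in \Q...\E; each '*' leaves the quoted region for one label.
        String regex = "^" + Pattern.quote(pattern).replace("*", "\\E[^.]+\\Q") + "$";
        return Pattern.compile(regex, Pattern.CASE_INSENSITIVE).asMatchPredicate();
    }

    /** Rejects the chain unless at least one dNSName SAN of the leaf matches a configured predicate. */
    private void verifyRestrictions(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        X509Certificate leaf = chain[0];
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                if (SAN_DNS_NAME == (Integer) san.get(0) && san.get(1) instanceof String) {
                    String name = (String) san.get(1);
                    for (Predicate<String> allowed : allowedDnsNames) {
                        if (allowed.test(name)) {
                            return; // restricted trust established
                        }
                    }
                }
            }
        }
        // Fail closed: no match, or no SAN at all, means the connection must be terminated.
        throw new CertificateException("certificate for " + leaf.getSubjectX500Principal()
            + " has no subjectAltName.dnsName permitted by the restricted trust configuration");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, socket);
        verifyRestrictions(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, socket);
        verifyRestrictions(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, engine);
        verifyRestrictions(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
        verifyRestrictions(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        verifyRestrictions(chain);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        verifyRestrictions(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers(); // restriction does not change which issuers are advertised
    }
}
```

To use it, wrap the X509ExtendedTrustManager obtained from a TrustManagerFactory initialised with the normal trust store, e.g. `new ExampleRestrictingTrustManager(pkixTrustManager, List.of(labelGlob("*.node.example.internal")))`, and pass the wrapper to SSLContext.init. Two properties matter for review: an empty predicate list or a certificate without any dNSName SAN is rejected rather than silently accepted, and the delegate is always consulted first, so a name match on an otherwise invalid chain never establishes trust.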
Constructor Summary
- RestrictedTrustManager(X509ExtendedTrustManager delegate, org.elasticsearch.xpack.core.ssl.CertificateTrustRestrictions restrictions, Set<X509Field> x509Fields)
Method Summary
- void checkClientTrusted(X509Certificate[] chain, String authType)
- void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
- void checkServerTrusted(X509Certificate[] chain, String authType)
- void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
- void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
Constructor Details
- RestrictedTrustManager
  public RestrictedTrustManager(X509ExtendedTrustManager delegate, org.elasticsearch.xpack.core.ssl.CertificateTrustRestrictions restrictions, Set<X509Field> x509Fields)
Method Details
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkClientTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException
  Specified by: checkServerTrusted in class X509ExtendedTrustManager
  Throws: CertificateException
- checkClientTrusted
  public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException
- checkServerTrusted
  public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
  Throws: CertificateException
- getAcceptedIssuers