Start Collector key manager

Author: bernd

graylog2-server/src/main/java/org/graylog/collectors/CollectorCaKeyManager.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors;
+
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.github.benmanes.caffeine.cache.Expiry;
+import com.github.benmanes.caffeine.cache.LoadingCache;
+import com.google.common.eventbus.EventBus;
+import com.google.common.eventbus.Subscribe;
+import com.google.common.util.concurrent.AbstractIdleService;
+import jakarta.inject.Inject;
+import jakarta.inject.Singleton;
+import org.graylog.collectors.events.CollectorCaConfigUpdated;
+import org.graylog.security.pki.PemUtils;
+import org.graylog2.security.encryption.EncryptedValueService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.X509KeyManager;
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
+
+@Singleton
+public class CollectorCaKeyManager extends AbstractIdleService implements X509KeyManager {
+    private static final Logger LOG = LoggerFactory.getLogger(CollectorCaKeyManager.class);
+
+    private final CollectorCaService caService;
+    private final EncryptedValueService encryptedValueService;
+    private final EventBus eventBus;
+    private final LoadingCache<Integer, CacheEntry> cache;
+
+    private record CacheEntry(PrivateKey privateKey, X509Certificate serverCert, X509Certificate signingCert) {
+    }
+
+    @Inject
+    public CollectorCaKeyManager(CollectorCaService caService,
+                                 EncryptedValueService encryptedValueService,
+                                 EventBus eventBus) {
+        this.caService = caService;
+        this.encryptedValueService = encryptedValueService;
+        this.eventBus = eventBus;
+        this.cache = Caffeine.newBuilder()
+                .expireAfter(Expiry.<Integer, CacheEntry>creating((key, value) -> Duration.ofSeconds(1)))
+                .maximumSize(1)
+                .initialCapacity(1)
+                .build(this::loadCacheKey);
+    }
+
+    private CacheEntry loadCacheKey(Integer key) {
+        LOG.info("Loading key {}", key);
+        try {
+            final var signingCertEntry = caService.getOtlpServerCert();
+            final var serverCertEntry = caService.getOtlpServerCert();
+            final var signingCert = PemUtils.parseCertificate(signingCertEntry.certificate());
+            final var serverCert = PemUtils.parseCertificate(serverCertEntry.certificate());
+            final var privateKey = PemUtils.parsePrivateKey(encryptedValueService.decrypt(serverCertEntry.privateKey()));
+            return new CacheEntry(privateKey, serverCert, signingCert);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Override
+    protected void startUp() throws Exception {
+        eventBus.register(this);
+    }
+
+    @Override
+    protected void shutDown() throws Exception {
+        eventBus.unregister(this);
+    }
+
+    @Subscribe
+    @SuppressWarnings("unused")
+    public void handleCollectorsConfigEvent(CollectorCaConfigUpdated event) {
+        cache.invalidateAll();
+    }
+
+    @Override
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        return keyType;
+    }
+
+    @Override
+    public X509Certificate[] getCertificateChain(String alias) {
+        LOG.warn("getCertificateChain alias={}", alias);
+        if ("EdDSA".equals(alias)) {
+            final var entry = cache.get(0);
+            return new X509Certificate[]{entry.serverCert(), entry.signingCert()};
+        }
+        return null;
+    }
+
+    @Override
+    public PrivateKey getPrivateKey(String alias) {
+        LOG.warn("getPrivateKey alias={}", alias);
+        if ("EdDSA".equals(alias)) {
+            return cache.get(0).privateKey();
+        }
+        return null;
+    }
+
+    @Override
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+
+    @Override
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
+        return null;
+    }
+
+    @Override
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return null;
+    }
+}

graylog2-server/src/main/java/org/graylog/collectors/CollectorCaService.java

@@ -16,23 +16,17 @@
  */
 package org.graylog.collectors;
 
-import io.netty.handler.ssl.ClientAuth;
-import io.netty.handler.ssl.SslContextBuilder;
-import io.netty.handler.ssl.SslProvider;
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.graylog.security.pki.Algorithm;
 import org.graylog.security.pki.CertificateEntry;
 import org.graylog.security.pki.CertificateService;
-import org.graylog.security.pki.PemUtils;
 import org.graylog2.plugin.cluster.ClusterIdService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
 
@@ -110,43 +104,6 @@ public CertificateEntry getOtlpServerCert() {
         return certificateService.findById(ensureConfig().otlpServerCertId()).orElseThrow(this::caNotInitializedError);
     }
 
-    /**
-     * Creates a new {@link SslContextBuilder} configured for the OTLP server endpoint.
-     * <p>
-     * The builder is configured with:
-     * <ul>
-     *   <li>The OTLP server certificate and private key for server identity</li>
-     *   <li>Client authentication required (mTLS)</li>
-     *   <li>The signing cert as the trust anchor for validating client certificates</li>
-     * </ul>
-     *
-     * @return a configured SslContextBuilder ready to be built
-     */
-    public SslContextBuilder newServerSslContextBuilder() {
-        final var hierarchy = loadHierarchy();
-        final var otlpServerCert = hierarchy.otlpServerCert();
-        final var signingCert = hierarchy.signingCert();
-
-        try {
-            final PrivateKey key = PemUtils.parsePrivateKey(certificateService.encryptedValueService().decrypt(otlpServerCert.privateKey()));
-
-            final X509Certificate signingCertPem = PemUtils.parseCertificate(signingCert.certificate());
-            final X509Certificate serverCertPem = PemUtils.parseCertificate(otlpServerCert.certificate());
-            final X509Certificate trustedCert = PemUtils.parseCertificate(signingCert.certificate());
-
-            // The Collector only has access to the CA cert, so we need to have the intermediate signing cert
-            // in the key cert chain.
-            return SslContextBuilder.forServer(key, serverCertPem, signingCertPem)
-                    // JDK provider required: BoringSSL (OPENSSL) can load Ed25519 keys but cannot
-                    // complete TLS handshakes — its cipher suite negotiation doesn't recognize Ed25519.
-                    .sslProvider(SslProvider.JDK)
-                    .clientAuth(ClientAuth.REQUIRE)
-                    .trustManager(trustedCert);
-        } catch (Exception e) {
-            throw new RuntimeException("Failed to create OTLP server SSL context", e);
-        }
-    }
-
     /**
      * Loads the existing Collector CA hierarchy.
      *

graylog2-server/src/main/java/org/graylog/collectors/CollectorTLSUtils.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors;
+
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import jakarta.inject.Inject;
+import org.graylog.security.pki.PemUtils;
+
+import java.security.cert.X509Certificate;
+
+public class CollectorTLSUtils {
+    private final CollectorCaService caService;
+    private final CollectorCaKeyManager keyManager;
+
+    @Inject
+    public CollectorTLSUtils(CollectorCaService caService, CollectorCaKeyManager keyManager) {
+        this.caService = caService;
+        this.keyManager = keyManager;
+    }
+
+    /**
+     * Creates a new {@link SslContextBuilder} configured for the OTLP server endpoint.
+     * <p>
+     * The builder is configured with:
+     * <ul>
+     *   <li>The OTLP server certificate and private key for server identity</li>
+     *   <li>Client authentication required (mTLS)</li>
+     *   <li>The signing cert as the trust anchor for validating client certificates</li>
+     * </ul>
+     *
+     * @return a configured SslContextBuilder ready to be built
+     */
+    public SslContextBuilder newServerSslContextBuilder() {
+        final var signingCert = caService.getSigningCert();
+
+        try {
+            final X509Certificate trustedCert = PemUtils.parseCertificate(signingCert.certificate());
+
+            // The Collector only has access to the CA cert, so we need to have the intermediate signing cert
+            // in the key cert chain.
+            return SslContextBuilder.forServer(keyManager)
+                    // JDK provider required: BoringSSL (OPENSSL) can load Ed25519 keys but cannot
+                    // complete TLS handshakes — its cipher suite negotiation doesn't recognize Ed25519.
+                    .sslProvider(SslProvider.JDK)
+                    .clientAuth(ClientAuth.REQUIRE)
+                    .trustManager(trustedCert);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to create OTLP server SSL context", e);
+        }
+    }
+}

graylog2-server/src/main/java/org/graylog/collectors/CollectorsConfigService.java

@@ -18,8 +18,11 @@
 
 import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import org.graylog.collectors.events.CollectorCaConfigUpdated;
+import org.graylog2.events.ClusterEventBus;
 import org.graylog2.plugin.cluster.ClusterConfigService;
 
+import java.util.Objects;
 import java.util.Optional;
 
 /**
@@ -30,10 +33,12 @@ public class CollectorsConfigService {
     private static final CollectorsConfig DEFAULT_CONFIG = CollectorsConfig.createDefault("localhost");
 
     private final ClusterConfigService clusterConfigService;
+    private final ClusterEventBus clusterEventBus;
 
     @Inject
-    public CollectorsConfigService(ClusterConfigService clusterConfigService) {
+    public CollectorsConfigService(ClusterConfigService clusterConfigService, ClusterEventBus clusterEventBus) {
         this.clusterConfigService = clusterConfigService;
+        this.clusterEventBus = clusterEventBus;
     }
 
     /**
@@ -70,6 +75,17 @@ public int getOpampMaxRequestBodySizeBytes() {
      * @param config the config object
      */
     public void save(CollectorsConfig config) {
+        final var existing = get();
+
         clusterConfigService.write(config);
+
+
+        existing.ifPresent(c -> {
+            if (!Objects.equals(c.caCertId(), config.caCertId())
+                    || !Objects.equals(c.signingCertId(), config.signingCertId())
+                    || !Objects.equals(c.otlpServerCertId(), config.otlpServerCertId())) {
+                clusterEventBus.post(new CollectorCaConfigUpdated());
+            }
+        });
     }
 }

graylog2-server/src/main/java/org/graylog/collectors/CollectorsModule.java

@@ -104,6 +104,8 @@ protected void configure() {
 
         // CA
         bind(CollectorCaService.class).in(Scopes.SINGLETON);
+        bind(CollectorCaKeyManager.class).in(Scopes.SINGLETON);
+        addInitializer(CollectorCaKeyManager.class);
 
         // Collectors config
         bind(CollectorsConfigService.class).asEagerSingleton();

graylog2-server/src/main/java/org/graylog/collectors/events/CollectorCaConfigUpdated.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog.collectors.events;
+
+public record CollectorCaConfigUpdated() {
+}

graylog2-server/src/main/java/org/graylog/collectors/input/transport/CollectorIngestHttpTransport.java

@@ -24,6 +24,7 @@
 import io.netty.handler.ssl.SslContext;
 import jakarta.inject.Named;
 import org.graylog.collectors.CollectorCaService;
+import org.graylog.collectors.CollectorTLSUtils;
 import org.graylog.collectors.CollectorsConfig;
 import org.graylog.collectors.CollectorsConfigService;
 import org.graylog.collectors.IngestEndpointConfig;
@@ -60,7 +61,7 @@ public class CollectorIngestHttpTransport extends AbstractHttpTransport {
     public static final String NAME = "CollectorIngestHttpTransport";
     static final int DEFAULT_HTTP_PORT = 14401;
 
-    private final CollectorCaService collectorCaService;
+    private final CollectorTLSUtils tlsUtils;
 
     @AssistedInject
     public CollectorIngestHttpTransport(@Assisted Configuration configuration,
@@ -71,12 +72,12 @@ public CollectorIngestHttpTransport(@Assisted Configuration configuration,
                                         LocalMetricRegistry localMetricRegistry,
                                         TLSProtocolsConfiguration tlsConfiguration,
                                         @Named("trusted_proxies") Set<IpSubnet> trustedProxies,
-                                        CollectorCaService collectorCaService,
+                                        CollectorTLSUtils tlsUtils,
                                         CollectorsConfigService collectorsConfigService) {
         super(buildTransportConfig(collectorsConfigService), eventLoopGroup, eventLoopGroupFactory,
                 nettyTransportConfiguration, throughputCounter, localMetricRegistry,
                 tlsConfiguration, trustedProxies, OtlpHttpUtils.LOGS_PATH);
-        this.collectorCaService = collectorCaService;
+        this.tlsUtils = tlsUtils;
     }
 
     private static Configuration buildTransportConfig(CollectorsConfigService collectorsConfigService) {
@@ -100,7 +101,7 @@ private static Configuration buildTransportConfig(CollectorsConfigService collec
     @Override
     protected Callable<? extends ChannelHandler> createSslHandler(MessageInput input) {
         return () -> {
-            final SslContext sslContext = collectorCaService.newServerSslContextBuilder().build();
+            final SslContext sslContext = tlsUtils.newServerSslContextBuilder().build();
             return sslContext.newHandler(PooledByteBufAllocator.DEFAULT);
         };
     }