tessl/maven-org-elasticsearch--elasticsearch-ssl-config
SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
'%3e%3cpath%20d='m7.15%205.779.281.877c-.001.502.003.991.124%201.48l.116-.082.229-1.265c.723%201.422%202.78%203.325%202.53%205.008-.022.154-.082.3-.158.435.349-.014.375-.38.578-.56.187%201.005.17%201.975-.22%202.932l1.428%203.159c-.007.07-.626.285-.744.226-.087-.044-.629-1.506-.742-1.754-.103-.224-.457-1.044-.592-1.165-.592-.534-2.033-.183-2.773-.256l.488-.115.148-.109c-.68-.08-1.363-.34-1.85-.815.531.046%201.052.121%201.592.087.1-.006.378-.02.432-.114-1.338-.016-2.398-.569-3.16-1.62-1.03-1.422-1.646-3.215-2.658-4.662-.203-.289-.474-.68-.776-.847-.015-.092.076-.054.137-.049.375.034.778.157%201.148.234l1.26.462c-.404-.737-1.332-.637-1.984-.994-.759-.416-1.2-1.386-1.487-2.149-.258-.68-.536-1.495-.492-2.217.282.262.529.573.896.73.087-.102-.838-1.102-.867-1.323C-.051.673.656-.051%201.328.003c1.128.09%202.44%201.953%202.87%202.886.074.069.145-.23.149-.25.029-.154.01-.306.054-.452.67.932%201.64%201.722%202.122%202.768l.626%201.778V5.78Z'/%3e%3cpath%20d='m10.851%206.733.626-1.778c.483-1.047%201.451-1.836%202.122-2.769.045.147.025.299.054.452.005.021.075.32.149.25.43-.932%201.742-2.796%202.87-2.885.672-.054%201.38.67%201.294%201.31-.03.22-.954%201.221-.867%201.322.367-.156.614-.467.896-.729.044.722-.234%201.536-.49%202.218-.288.763-.73%201.733-1.488%202.149-.652.356-1.58.256-1.984.993l1.26-.461c.37-.077.772-.2%201.148-.234.06-.006.152-.044.136.049-.301.166-.573.557-.775.847-.794%201.135-1.347%202.488-2.049%203.68-.635%201.081-1.285%202.087-2.613%202.432.148-.768.005-1.562-.173-2.316l-.32-.092c-.219-1.088-.84-2.001-1.466-2.908l.919-1.475.229%201.265.116.082c.12-.489.125-.979.123-1.48l.283-.877v.955ZM8.017%2014.984c-.238.57-.531%201.119-.78%201.686-.089.204-.446%201.24-.518%201.295-.145.114-.622-.087-.777-.2l1.207-2.78h.868ZM12.008%2013.75c-.059.174-.949.7-1.04.617l.12-.5.92-.117Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h18v18H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/maven-org-elasticsearch--elasticsearch-ssl-config@9.1.00
# Elasticsearch SSL Configuration Library
1
2
The Elasticsearch SSL Configuration Library provides comprehensive SSL/TLS configuration management utilities for Java applications. It offers a robust framework for handling SSL configurations including key stores, trust stores, certificate management, PEM utilities, and various SSL verification modes with extensive validation and diagnostic capabilities.
3
4
## Package Information
5
6
- **Package Name**: org.elasticsearch:elasticsearch-ssl-config
7
- **Package Type**: maven
8
- **Language**: Java
9
- **Installation**: Add to your Maven `pom.xml`:
10
11
```xml
12
<dependency>
13
<groupId>org.elasticsearch</groupId>
14
<artifactId>elasticsearch-ssl-config</artifactId>
15
<version>9.1.3</version>
16
</dependency>
17
```
18
19
For Gradle:
20
21
```gradle
22
implementation 'org.elasticsearch:elasticsearch-ssl-config:9.1.3'
23
```
24
25
## Core Imports
26
27
```java
28
import org.elasticsearch.common.ssl.SslConfiguration;
29
import org.elasticsearch.common.ssl.SslConfigurationLoader;
30
import org.elasticsearch.common.ssl.SslKeyConfig;
31
import org.elasticsearch.common.ssl.SslTrustConfig;
32
import org.elasticsearch.common.ssl.SslVerificationMode;
33
import org.elasticsearch.common.ssl.SslClientAuthenticationMode;
34
```
35
36
## Basic Usage
37
38
```java
39
import org.elasticsearch.common.ssl.*;
40
import javax.net.ssl.SSLContext;
41
import java.nio.file.Path;
42
import java.util.List;
43
44
// Create SSL configuration
45
SslConfiguration config = new SslConfiguration(
46
"https", // setting prefix
47
true, // explicitly configured
48
new PemTrustConfig(List.of("ca.pem"), basePath), // trust config
49
new PemKeyConfig("cert.pem", "key.pem", null, basePath), // key config
50
SslVerificationMode.FULL, // verification mode
51
SslClientAuthenticationMode.OPTIONAL, // client auth
52
List.of(), // cipher suites (use defaults)
53
List.of("TLSv1.3", "TLSv1.2") // supported protocols
54
);
55
56
// Create SSL context
57
SSLContext sslContext = config.createSslContext();
58
59
// Use the SSL context for secure connections
60
// (with HttpsURLConnection, SSLSocketFactory, etc.)
61
```
62
63
## Architecture
64
65
The library is built around several key architectural components:
66
67
- **Configuration Management**: Central `SslConfiguration` record that encapsulates all SSL settings and can create `SSLContext` instances
68
- **Pluggable Key Sources**: `SslKeyConfig` interface with implementations for PEM files, keystores, and empty configurations
69
- **Flexible Trust Models**: `SslTrustConfig` interface supporting PEM CA files, trust stores, system defaults, composite configurations, and trust-everything modes
70
- **Configuration Loading**: Abstract `SslConfigurationLoader` for building configurations from various settings sources
71
- **Utility Layer**: Comprehensive utilities for keystore operations, PEM parsing, certificate handling, and SSL diagnostics
72
- **Type Safety**: Strong typing with enums for verification modes, client authentication, and certificate fields
73
74
## Capabilities
75
76
### SSL Configuration Management
77
78
Core SSL configuration functionality providing immutable configuration objects and SSL context creation.
79
80
```java { .api }
81
public record SslConfiguration(
82
String settingPrefix,
83
boolean explicitlyConfigured,
84
SslTrustConfig trustConfig,
85
SslKeyConfig keyConfig,
86
SslVerificationMode verificationMode,
87
SslClientAuthenticationMode clientAuth,
88
List<String> ciphers,
89
List<String> supportedProtocols
90
) {
91
public SSLContext createSslContext();
92
public List<String> getCipherSuites();
93
public Collection<Path> getDependentFiles();
94
public Collection<? extends StoredCertificate> getConfiguredCertificates();
95
}
96
```
97
98
[SSL Configuration Management](./configuration.md)
99
100
### Key Management
101
102
SSL key material management with support for PEM files, keystores, and programmatic key configurations.
103
104
```java { .api }
105
public interface SslKeyConfig {
106
Collection<Path> getDependentFiles();
107
X509ExtendedKeyManager createKeyManager();
108
List<Tuple<PrivateKey, X509Certificate>> getKeys();
109
Collection<StoredCertificate> getConfiguredCertificates();
110
default boolean hasKeyMaterial();
111
default SslTrustConfig asTrustConfig();
112
}
113
114
public class PemKeyConfig implements SslKeyConfig {
115
public PemKeyConfig(String certificatePath, String keyPath, char[] keyPassword, Path configBasePath);
116
}
117
118
public class StoreKeyConfig implements SslKeyConfig {
119
public StoreKeyConfig(String path, char[] storePassword, String type,
120
Function<KeyStore, KeyStore> filter, char[] keyPassword,
121
String algorithm, Path configBasePath);
122
}
123
```
124
125
[Key Management](./key-management.md)
126
127
### Trust Management
128
129
SSL trust configuration with support for various trust models including PEM CA files, trust stores, and system defaults.
130
131
```java { .api }
132
public interface SslTrustConfig {
133
Collection<Path> getDependentFiles();
134
X509ExtendedTrustManager createTrustManager();
135
Collection<? extends StoredCertificate> getConfiguredCertificates();
136
default boolean isSystemDefault();
137
}
138
139
public class PemTrustConfig implements SslTrustConfig {
140
public PemTrustConfig(List<String> certificateAuthorities, Path basePath);
141
}
142
143
public class StoreTrustConfig implements SslTrustConfig {
144
public StoreTrustConfig(String path, char[] password, String type, String algorithm,
145
boolean requireTrustAnchors, Path configBasePath);
146
}
147
```
148
149
[Trust Management](./trust-management.md)
150
151
### SSL Utilities
152
153
Comprehensive utility functions for keystore operations, PEM file parsing, certificate handling, and SSL-related tasks.
154
155
```java { .api }
156
public final class KeyStoreUtil {
157
public static String inferKeyStoreType(String path);
158
public static KeyStore readKeyStore(Path path, String ksType, char[] password);
159
public static KeyStore buildKeyStore(Collection<Certificate> certificateChain, PrivateKey privateKey, char[] password);
160
public static X509ExtendedKeyManager createKeyManager(Certificate[] certificateChain, PrivateKey privateKey, char[] password);
161
public static X509ExtendedTrustManager createTrustManager(Collection<Certificate> certificates);
162
}
163
164
public final class PemUtils {
165
public static PrivateKey readPrivateKey(Path path, Supplier<char[]> passwordSupplier);
166
public static List<Certificate> readCertificates(Collection<Path> certPaths);
167
public static PrivateKey parsePKCS8PemString(String pemString);
168
}
169
```
170
171
[SSL Utilities](./utilities.md)
172
173
### SSL Diagnostics
174
175
Advanced diagnostic capabilities for troubleshooting SSL trust failures and certificate issues.
176
177
```java { .api }
178
public class SslDiagnostics {
179
public static final SslDiagnostics INSTANCE;
180
181
public String getTrustDiagnosticFailure(X509Certificate[] chain, PeerType peerType,
182
SSLSession session, String contextName,
183
Map<String, List<X509Certificate>> trustedIssuers);
184
public static List<String> describeValidHostnames(X509Certificate certificate);
185
public static IssuerTrust checkIssuerTrust(Map<String, List<X509Certificate>> trustedIssuers,
186
X509Certificate peerCert);
187
}
188
189
public final class DiagnosticTrustManager extends X509ExtendedTrustManager {
190
public DiagnosticTrustManager(X509ExtendedTrustManager delegate, Supplier<String> contextName,
191
DiagnosticLogger logger);
192
}
193
```
194
195
[SSL Diagnostics](./diagnostics.md)
196
197
### Configuration Types and Enums
198
199
Strongly-typed enums and data classes for SSL configuration options, verification modes, and certificate handling.
200
201
```java { .api }
202
public enum SslVerificationMode {
203
NONE, CERTIFICATE, FULL;
204
205
public abstract boolean isHostnameVerificationEnabled();
206
public abstract boolean isCertificateVerificationEnabled();
207
public static SslVerificationMode parse(String value);
208
}
209
210
public enum SslClientAuthenticationMode {
211
NONE, OPTIONAL, REQUIRED;
212
213
public abstract boolean enabled();
214
public abstract void configure(SSLParameters sslParameters);
215
public static SslClientAuthenticationMode parse(String value);
216
}
217
218
public record StoredCertificate(
219
X509Certificate certificate,
220
String path,
221
String format,
222
String alias,
223
boolean hasPrivateKey
224
) {}
225
```
226
227
[Configuration Types and Enums](./enums-types.md)