tessl/maven-org-elasticsearch--elasticsearch-ssl-config
SSL/TLS configuration library for Elasticsearch providing comprehensive security management utilities.
—
Pending
trust-management.mddocs/
Trust Management
SSL trust configuration with support for various trust models including PEM CA files, trust stores, system defaults, composite configurations, and trust-everything modes with certificate validation and restriction capabilities.
Capabilities
SSL Trust Configuration Interface
Core interface for SSL trust configuration providing trust managers and certificate access.
/**
* Interface for SSL trust configuration
*/
public interface SslTrustConfig {
/**
* Gets all certificate files this trust configuration depends on
* @return collection of file paths for monitoring changes
*/
Collection<Path> getDependentFiles();
/**
* Creates a trust manager from this trust configuration
* @return configured X509ExtendedTrustManager for SSL contexts
* @throws SslConfigException if trust manager creation fails
*/
X509ExtendedTrustManager createTrustManager();
/**
* Gets all configured certificates with metadata
* @return collection of trusted certificates
*/
Collection<? extends StoredCertificate> getConfiguredCertificates();
/**
* Checks if this configuration uses the system default trust
* @return true if using JDK default trusted CAs
*/
default boolean isSystemDefault();
}PEM Trust Configuration
Trust configuration that reads PEM encoded trusted certificates (CAs) from files.
/**
* SSL trust configuration using PEM encoded certificate authority files
*/
public final class PemTrustConfig implements SslTrustConfig {
/**
* Creates a PEM-based trust configuration
* @param certificateAuthorities list of CA certificate file paths (relative to basePath)
* @param basePath base path for resolving relative paths
*/
public PemTrustConfig(List<String> certificateAuthorities, Path basePath);
/**
* Gets dependent CA certificate file paths
* @return collection of CA certificate file paths
*/
public Collection<Path> getDependentFiles();
/**
* Gets configured CA certificates with metadata
* @return collection of CA certificates from PEM files
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
/**
* Creates X509ExtendedTrustManager from PEM CA files
* @return configured trust manager with CA certificates
* @throws GeneralSecurityException if PEM parsing or trust manager creation fails
*/
public X509ExtendedTrustManager createTrustManager() throws GeneralSecurityException;
@Override
public String toString();
@Override
public boolean equals(Object o);
@Override
public int hashCode();
}Usage Examples:
import org.elasticsearch.common.ssl.PemTrustConfig;
import javax.net.ssl.X509ExtendedTrustManager;
import java.nio.file.Paths;
import java.util.List;
// Single CA certificate
PemTrustConfig singleCA = new PemTrustConfig(
List.of("ca.pem"), // single CA file
Paths.get("/etc/ssl/certs") // base path
);
// Multiple CA certificates
PemTrustConfig multipleCA = new PemTrustConfig(
List.of(
"root-ca.pem", // root CA
"intermediate-ca.pem", // intermediate CA
"additional-ca.pem" // additional trusted CA
),
Paths.get("/config/ssl") // base path
);
// Create trust manager
X509ExtendedTrustManager trustManager = singleCA.createTrustManager();
// Get dependent files for monitoring
Collection<Path> caFiles = singleCA.getDependentFiles();
// Get configured certificates
Collection<? extends StoredCertificate> caCerts = singleCA.getConfiguredCertificates();Store Trust Configuration
Trust configuration that builds trust managers from truststore files (JKS, PKCS12, etc.).
/**
* SSL trust configuration using truststore files
*/
public final class StoreTrustConfig implements SslTrustConfig {
/**
* Creates a truststore-based trust configuration
* @param path path to truststore file (relative to configBasePath)
* @param password password for truststore access
* @param type truststore type (JKS, PKCS12, etc.) or null to infer from extension
* @param algorithm trust manager algorithm (e.g., "PKIX", "SunX509")
* @param requireTrustAnchors whether to require at least one trust anchor
* @param configBasePath base path for resolving relative paths
*/
public StoreTrustConfig(String path, char[] password, String type, String algorithm,
boolean requireTrustAnchors, Path configBasePath);
/**
* Gets dependent truststore file paths
* @return collection containing truststore file path
*/
public Collection<Path> getDependentFiles();
/**
* Gets configured certificates with metadata
* @return collection of certificates from truststore
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
/**
* Creates X509ExtendedTrustManager from truststore
* @return configured trust manager
* @throws GeneralSecurityException if trust manager creation fails
*/
public X509ExtendedTrustManager createTrustManager() throws GeneralSecurityException;
@Override
public boolean equals(Object o);
@Override
public int hashCode();
@Override
public String toString();
}Usage Examples:
import org.elasticsearch.common.ssl.StoreTrustConfig;
import java.nio.file.Paths;
// PKCS12 truststore
StoreTrustConfig p12Trust = new StoreTrustConfig(
"truststore.p12", // truststore file
"trustpass".toCharArray(), // truststore password
"PKCS12", // truststore type
"PKIX", // trust manager algorithm
true, // require trust anchors
Paths.get("/etc/ssl") // base path
);
// JKS truststore with auto-detection
StoreTrustConfig jkssTrust = new StoreTrustConfig(
"cacerts.jks", // truststore file
"changeit".toCharArray(), // truststore password
null, // auto-detect type from extension
"SunX509", // trust manager algorithm
false, // don't require trust anchors
Paths.get("/config") // base path
);
// Create trust manager
X509ExtendedTrustManager trustManager = p12Trust.createTrustManager();
// Get certificates
Collection<? extends StoredCertificate> certificates = p12Trust.getConfiguredCertificates();Default JDK Trust Configuration
Trust configuration that uses the JDK's default trusted certificate authorities.
/**
* SSL trust configuration using JDK default trusted CAs
*/
public final class DefaultJdkTrustConfig implements SslTrustConfig {
/**
* Singleton instance for default JDK trust
*/
public static final DefaultJdkTrustConfig DEFAULT_INSTANCE;
/**
* Always returns true (uses system default trust)
* @return true
*/
public boolean isSystemDefault();
/**
* Creates trust manager using JDK default truststore
* @return trust manager with JDK default CAs
* @throws GeneralSecurityException if trust manager creation fails
*/
public X509ExtendedTrustManager createTrustManager() throws GeneralSecurityException;
/**
* Gets empty collection (no specific dependent files)
* @return empty collection
*/
public Collection<Path> getDependentFiles();
/**
* Gets configured certificates from JDK default truststore
* @return collection of JDK default CA certificates
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
@Override
public String toString();
@Override
public boolean equals(Object o);
@Override
public int hashCode();
}Usage Examples:
import org.elasticsearch.common.ssl.DefaultJdkTrustConfig;
// Use JDK default trust configuration
SslTrustConfig defaultTrust = DefaultJdkTrustConfig.DEFAULT_INSTANCE;
// Check if system default
boolean isDefault = defaultTrust.isSystemDefault(); // true
// Create trust manager with JDK defaults
X509ExtendedTrustManager trustManager = defaultTrust.createTrustManager();
// Get JDK default CA certificates
Collection<? extends StoredCertificate> jdkCAs = defaultTrust.getConfiguredCertificates();
// Use in SSL configuration
SslConfiguration config = new SslConfiguration(
"https",
false, // not explicitly configured (using defaults)
DefaultJdkTrustConfig.DEFAULT_INSTANCE, // JDK default trust
keyConfig,
SslVerificationMode.FULL,
SslClientAuthenticationMode.NONE,
List.of(),
List.of("TLSv1.3", "TLSv1.2")
);Composite Trust Configuration
Trust configuration that combines multiple trust configurations into a single trust manager.
/**
* SSL trust configuration that merges multiple trust configs
*/
public class CompositeTrustConfig implements SslTrustConfig {
/**
* Gets dependent files from all composite trust configurations
* @return collection of all dependent file paths
*/
public Collection<Path> getDependentFiles();
/**
* Always returns false (not system default since it's composite)
* @return false
*/
public boolean isSystemDefault();
/**
* Creates composite trust manager that trusts certificates from any constituent config
* @return trust manager that combines all trust configurations
* @throws GeneralSecurityException if trust manager creation fails
*/
public X509ExtendedTrustManager createTrustManager() throws GeneralSecurityException;
/**
* Gets certificates from all constituent trust configurations
* @return collection of all certificates from composite configs
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
@Override
public boolean equals(Object o);
@Override
public int hashCode();
@Override
public String toString();
}Usage Examples:
// Composite trust configuration is typically created internally by the configuration loader
// when combining multiple trust sources, but can be used directly:
// Example: Combine JDK defaults with custom CA
SslTrustConfig composite = new CompositeTrustConfig(
List.of(
DefaultJdkTrustConfig.DEFAULT_INSTANCE,
new PemTrustConfig(List.of("custom-ca.pem"), basePath)
)
);
// The resulting trust manager will trust both JDK default CAs and the custom CA
X509ExtendedTrustManager trustManager = composite.createTrustManager();Trust Everything Configuration
Trust configuration that accepts all certificates (insecure - for testing only).
/**
* SSL trust configuration that trusts all certificates (INSECURE)
*/
public final class TrustEverythingConfig implements SslTrustConfig {
/**
* Singleton instance for trust-everything configuration
*/
public static final TrustEverythingConfig TRUST_EVERYTHING;
/**
* Gets empty collection (no dependent files)
* @return empty collection
*/
public Collection<Path> getDependentFiles();
/**
* Gets empty collection (no specific certificates)
* @return empty collection
*/
public Collection<? extends StoredCertificate> getConfiguredCertificates();
/**
* Creates trust manager that accepts all certificates (INSECURE)
* @return trust manager that accepts any certificate
*/
public X509ExtendedTrustManager createTrustManager();
@Override
public String toString();
}Usage Examples:
import org.elasticsearch.common.ssl.TrustEverythingConfig;
// WARNING: Only for testing/development - never use in production
SslTrustConfig insecureTrust = TrustEverythingConfig.TRUST_EVERYTHING;
// Use with verification disabled
SslConfiguration testConfig = new SslConfiguration(
"test",
true,
TrustEverythingConfig.TRUST_EVERYTHING, // trust everything (insecure)
keyConfig,
SslVerificationMode.NONE, // no verification
SslClientAuthenticationMode.NONE,
List.of(),
List.of("TLSv1.3")
);
// Create SSL context (will accept any certificate)
SSLContext sslContext = testConfig.createSslContext();Trust Configuration Patterns
Certificate Authority Chain Handling
When working with CA certificate chains, include the full chain:
// CA chain in PEM file:
// -----BEGIN CERTIFICATE-----
// (root CA certificate)
// -----END CERTIFICATE-----
// -----BEGIN CERTIFICATE-----
// (intermediate CA certificate)
// -----END CERTIFICATE-----
PemTrustConfig caChain = new PemTrustConfig(
List.of("ca-chain.pem"), // file with full CA chain
basePath
);Mixed Trust Sources
Combine different trust sources for flexibility:
// Configuration loader can automatically create composite trust:
// - JDK defaults + custom CAs
// - Multiple truststore files
// - PEM files + keystores
// This is typically handled by SslConfigurationLoader internallyTrust Store vs Certificate Files
Choose the appropriate trust configuration based on your certificate format:
// Use PemTrustConfig for:
// - Individual PEM certificate files
// - Certificate bundles in PEM format
// - When you need to easily inspect/modify CA certificates
// Use StoreTrustConfig for:
// - Existing Java truststore files (JKS, PKCS12)
// - Integration with Java keystore tooling
// - When you need password-protected truststore access
// Use DefaultJdkTrustConfig for:
// - Standard web PKI trust (browser-like behavior)
// - When you want to trust well-known CAs
// - Default behavior for most applicationsTrust Validation Restrictions
The library supports restricting trust validation to specific certificate fields:
// This is typically configured through SslConfigurationLoader
// with restricted trust fields for additional security
List<X509Field> restrictedFields = List.of(
X509Field.SAN_DNS, // restrict to DNS names in SAN
X509Field.SAN_OTHERNAME_COMMONNAME // restrict to common names
);
// Applied during trust manager creation for additional validationInstall with Tessl CLI
npx tessl i tessl/maven-org-elasticsearch--elasticsearch-ssl-config