RubyGems - logstash-input-tcp - Versions diffs - 5.2.0-java → 5.2.1-java - Mend

logstash-input-tcp 5.2.0-java → 5.2.1-java

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/docs/index.asciidoc +2 -2
data/lib/logstash/inputs/tcp/compat_ssl_options.rb +48 -13
data/spec/inputs/tcp_spec.rb +96 -47
data/spec/spec_helper.rb +33 -4
data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/{5.2.0/logstash-input-tcp-5.2.0.jar → 5.2.1/logstash-input-tcp-5.2.1.jar} +0 -0
data/version +1 -1
metadata +3 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5f821e3a9df2b90606b5fd46026262b5c7a0054d5e24bf7545d322efbedec40a
-  data.tar.gz: 202f4eeb3fe522d4df635599b7557faaab6884db8d80c1a92a17f140915c1d02
+  metadata.gz: 6ee7c79fca2dceea8688b100903ab8318ad2cd652740b0538c102504209bd1e0
+  data.tar.gz: fee6f5e7d1804c8ef60fd771a3d50caeeee289c9e517a93c2a33a5d207202bdb
 SHA512:
-  metadata.gz: cee3f82c41bfefea68c3e0337a5ad15f50e17ba6e72fe4fbcf004c6580d755107d47435667c73022938fe852a7e4a7401e793f6640c70bac0486f8fcbbd63642
-  data.tar.gz: a588b4ca240e7eb9e6cca0aec296999270c89b375d7b8038de989529447bf8f5df1c38faae49d71821f2051906e34e32e5f834f248ad2a2856583a7b16704caf
+  metadata.gz: 970218c4f6ed173209de6d40113423a49e356e1eeb3a8cf8603b5ddd7c51ae4766cadf73e78d917a17ba36b4d447fc1d9512ea12081dbd1cbb2e28e0f8ea9340
+  data.tar.gz: 0b4120780dcae5f582c118247a064025a57f998ddbe20ff5cb15d3c4ecbdef0a0a522cd6bd2968e77db75ff034d6810f4e13f8372f2de49ce08ea1cada19e573

data/CHANGELOG.md CHANGED

@@ -1,3 +1,10 @@
+## 5.2.1
+  - Support multiple certificates per file [#140](https://github.com/logstash-plugins/logstash-input-tcp/pull/140)
+  - Fixed support for encrypted pkcs8 private keys [#133](https://github.com/logstash-plugins/logstash-input-tcp/pull/133)
+  - Added support for encrypted pem pkcs1 private keys [#131](https://github.com/logstash-plugins/logstash-input-tcp/pull/131)
+  - Changed testing to docker [#128](https://github.com/logstash-plugins/logstash-input-tcp/pull/128)
+  - Fixed heading for `ssl_certificate_authorities` docs [#130](https://github.com/logstash-plugins/logstash-input-tcp/pull/130)
 ## 5.2.0
   - Added support for pkcs1 and pkcs8 key formats [#122](https://github.com/logstash-plugins/logstash-input-tcp/issues/122)
   - Changed server-mode SSL to run on top of Netty [#122](https://github.com/logstash-plugins/logstash-input-tcp/issues/122)

data/docs/index.asciidoc CHANGED

@@ -145,7 +145,7 @@ Path to certificate in PEM format. This certificate will be presented
 to the connecting clients.
 [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
-===== `ssl_extra_chain_certs`
+===== `ssl_certificate_authorities`
   * Value type is <<array,array>>
   * Default value is `[]`
@@ -218,4 +218,4 @@ at the TCP layer and IPs will not be resolved to hostnames.
 [id="plugins-{type}s-{plugin}-common-options"]
 include::{include_path}/{type}.asciidoc[]
-:default_codec!:
+:default_codec!:

data/lib/logstash/inputs/tcp/compat_ssl_options.rb CHANGED

@@ -7,9 +7,15 @@ java_import 'java.io.FileReader'
 java_import 'java.security.cert.CertificateFactory'
 java_import 'java.security.cert.X509Certificate'
 java_import 'org.bouncycastle.asn1.pkcs.PrivateKeyInfo'
+java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
 java_import 'org.bouncycastle.openssl.PEMKeyPair'
 java_import 'org.bouncycastle.openssl.PEMParser'
+java_import 'org.bouncycastle.openssl.PEMEncryptedKeyPair'
 java_import 'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter'
+java_import 'org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder'
+java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder'
+java_import 'org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo'
 # Simulate a normal SslOptions builder:
 #
@@ -70,34 +76,63 @@ class SslOptions
     # create certificate object
     cf = CertificateFactory.getInstance("X.509")
     cert_chain = []
-    cert_chain << cf.generateCertificate(FileInputStream.new(@ssl_cert_path))
+    fetch_certificates_from_file(@ssl_cert_path, cf) do |cert|
+      cert_chain << cert
+    end
     # convert key from pkcs1 to pkcs8 and get PrivateKey object
     pem_parser = PEMParser.new(FileReader.new(@ssl_key_path))
-    case obj = pem_parser.read_object
-    when PEMKeyPair # likely pkcs#1
-      private_key = JcaPEMKeyConverter.new.get_key_pair(obj).private
-    when PrivateKeyInfo # likely pkcs#8
-      private_key = JcaPEMKeyConverter.new.get_private_key(obj)
+    java.security.Security.addProvider(BouncyCastleProvider.new)
+    converter = JcaPEMKeyConverter.new
+    case obj = pem_parser.readObject
+    when PEMKeyPair # unencrypted pkcs#1
+      private_key = converter.getKeyPair(obj).private
+    when PrivateKeyInfo # unencrypted pkcs#8
+      private_key = converter.getPrivateKey(obj)
+    when PEMEncryptedKeyPair # encrypted pkcs#1
+      key_char_array = @ssl_key_passphrase.to_java.toCharArray
+      decryptor = JcePEMDecryptorProviderBuilder.new.build(key_char_array)
+      key_pair = obj.decryptKeyPair(decryptor)
+      private_key = converter.getKeyPair(key_pair).private
+    when PKCS8EncryptedPrivateKeyInfo # encrypted pkcs#8
+      key_char_array = @ssl_key_passphrase.to_java.toCharArray
+      key = JceOpenSSLPKCS8DecryptorProviderBuilder.new.build(key_char_array)
+      private_key = converter.getPrivateKey(obj.decryptPrivateKeyInfo(key))
     else
       raise "Could not recognize 'ssl_key' format. Class: #{obj.class}"
     end
-    @ssl_extra_chain_certs.each do |cert|
-      cert_chain << cf.generateCertificate(FileInputStream.new(cert))
+    @ssl_extra_chain_certs.each do |file|
+      fetch_certificates_from_file(file, cf) do |cert|
+        cert_chain << cert
+      end
     end
-    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(java.security.cert.X509Certificate))
+    sslContextBuilder = SslContextBuilder.forServer(private_key, @ssl_key_passphrase, cert_chain.to_java(X509Certificate))
+    trust_certs = []
-    trust_certs = @ssl_certificate_authorities.map do |cert|
-      cf.generateCertificate(FileInputStream.new(cert))
+    @ssl_certificate_authorities.each do |file|
+      fetch_certificates_from_file(file, cf) do |cert|
+        trust_certs << cert
+      end
     end
     if trust_certs.any?
-      sslContextBuilder.trustManager(trust_certs.to_java(java.security.cert.X509Certificate))
+      sslContextBuilder.trustManager(trust_certs.to_java(X509Certificate))
     end
     sslContextBuilder.clientAuth(@ssl_verify ? ClientAuth::REQUIRE : ClientAuth::NONE)
     sslContextBuilder.build()
   end
+  private
+  def fetch_certificates_from_file(file, cf)
+    fis = FileInputStream.new(file)
+    while (fis.available > 0) do
+      yield cf.generateCertificate(fis)
+    end
+  ensure
+    fis.close if fis
+  end
 end

data/spec/inputs/tcp_spec.rb CHANGED

@@ -391,41 +391,21 @@ describe LogStash::Inputs::Tcp do
       end
       context "when ssl_enable is true" do
-        let(:ssc) { SelfSignedCertificate.new }
-        let(:certificate_file) { ssc.certificate }
-        let(:key_file) { ssc.private_key}
-        let(:queue) { Queue.new }
-        let(:config) do
-          {
-            "host" => "127.0.0.1",
-            "port" => port,
-            "ssl_enable" => true,
-            "ssl_cert" => certificate_file.path,
-            "ssl_key" => key_file.path,
-            "ssl_certificate_authorities" => [ certificate_file.path ]
-          }
-        end
         let(:input) { subject }
-        before(:each) { input.register }
-        after(:each) { ssc.delete }
+        let(:queue) { Queue.new }
+        before(:each) { subject.register }
         context "when using a certificate chain" do
-          let(:chain_of_certificates) { helper.chain_of_certificates }
-          let(:config) do
-            {
-              "host" => "127.0.0.1",
-              "port" => port,
-              "ssl_enable" => true,
-              "ssl_cert" => chain_of_certificates[:b_cert].path,
-              "ssl_key" => chain_of_certificates[:b_key].path,
-              "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
-              "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
-              "ssl_verify" => true
-            }
+          chain_of_certificates = TcpHelpers.new.chain_of_certificates
+          let(:tcp) do
+            begin
+              socket = TCPSocket.new("127.0.0.1", port)
+            rescue Errno::ECONNREFUSED
+              sleep 1
+              socket = TCPSocket.new("127.0.0.1", port)
+            end
           end
-          let(:tcp) { TCPSocket.new("127.0.0.1", port) }
           let(:sslcontext) do
             sslcontext = OpenSSL::SSL::SSLContext.new
             sslcontext.verify_mode = OpenSSL::SSL::VERIFY_PEER
@@ -435,23 +415,86 @@ describe LogStash::Inputs::Tcp do
             sslcontext
           end
           let(:sslsocket) { OpenSSL::SSL::SSLSocket.new(tcp, sslcontext) }
-          let(:input_task) { Stud::Task.new { input.run(queue) } }
-          before do
-            input_task
+          let(:message) { "message to #{port}" }
+          context "with a non encrypted private key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:b_cert].path,
+                "ssl_key" => chain_of_certificates[:b_key].path,
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
           end
-          it "should be able to connect and write data" do
-            sslsocket.connect
-            sslsocket.write("Hello world\n")
-            tcp.flush
-            sslsocket.close
-            tcp.close
-            result = input_task.thread.join(0.5)
-            expect(result).to be_nil
-            expect(queue.size).to eq(1)
+          context "when using an encrypted private pkcs1 key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_key" => chain_of_certificates[:be_key].path,
+                "ssl_key_passphrase" => "passpasspassword",
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
+          end
+          context "when using an encrypted private pkcs8 key" do
+            let(:config) do
+              {
+                "host" => "127.0.0.1",
+                "port" => port,
+                "ssl_enable" => true,
+                "ssl_cert" => chain_of_certificates[:be_cert].path,
+                "ssl_key" => chain_of_certificates[:be_key_pkcs8].path,
+                "ssl_key_passphrase" => "passpasspassword",
+                "ssl_extra_chain_certs" => [ chain_of_certificates[:a_cert].path ],
+                "ssl_certificate_authorities" => [ chain_of_certificates[:root_ca].path ],
+                "ssl_verify" => true
+              }
+            end
+            it "should be able to connect and write data" do
+              result = TcpHelpers.pipelineless_input(subject, 1) do
+                sslsocket.connect
+                sslsocket.write("#{message}\n")
+                tcp.flush
+                sslsocket.close
+                tcp.close
+              end
+              expect(result.size).to eq(1)
+              expect(result.first.get("message")).to eq(message)
+            end
           end
         end
         context "with a poorly-behaving client" do
@@ -459,8 +502,14 @@ describe LogStash::Inputs::Tcp do
           context "that disconnects before doing TLS handshake" do
             before do
-              client = TCPSocket.new("127.0.0.1", port)
-              client.close
+              begin
+                client = TCPSocket.new("127.0.0.1", port)
+                client.close
+              rescue Errno::ECONNREFUSED
+                sleep 1
+                client = TCPSocket.new("127.0.0.1", port)
+                client.close
+              end
             end
             it "should not negatively impact the plugin" do

data/spec/spec_helper.rb CHANGED

@@ -3,11 +3,15 @@ require "logstash/devutils/rspec/spec_helper"
 require "tempfile"
 require "stud/temporary"
+java_import 'org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder'
+java_import 'org.bouncycastle.openssl.jcajce.JcaPEMWriter'
+java_import 'org.bouncycastle.openssl.jcajce.JcaPKCS8Generator'
+java_import 'org.bouncycastle.jce.provider.BouncyCastleProvider'
 # this has been taken from the udp input, it should be DRYed
 class TcpHelpers
-  def pipelineless_input(plugin, size, &block)
+  def self.pipelineless_input(plugin, size, &block)
     queue = Queue.new
     input_thread = Thread.new do
       plugin.run(queue)
@@ -32,12 +36,32 @@ class TcpHelpers
     a_cert,   a_key = build_certificate(root_ca, root_key, "A_Cert")
     aa_cert, aa_key = build_certificate(root_ca, root_key, "AA_Cert")
     b_cert, b_key = build_certificate(a_cert, a_key, "B_Cert")
+    be_cert, be_key, be_key_text = build_certificate(a_cert, a_key, "BE_Cert", "passpasspassword")
+    be_key_pkcs8 = convert_private_key_to_pkcs8_with_passpharse(be_key, "passpasspassword")
     c_cert, c_key = build_certificate(b_cert, b_key, "C_Cert")
     { :root_ca => new_temp_file('', root_ca), :root_key => new_temp_file('', root_key),
       :a_cert  => new_temp_file('', a_cert),  :a_key    => new_temp_file('', a_key),
       :aa_cert => new_temp_file('', aa_cert), :aa_key   => new_temp_file('', aa_key),
       :b_cert  => new_temp_file('', b_cert),  :b_key    => new_temp_file('', b_key),
-      :c_cert  => new_temp_file('', c_cert),  :c_key    => new_temp_file('', c_key)}
+      :be_cert => new_temp_file('', be_cert), :be_key   => new_temp_file('', be_key_text), :be_key_pkcs8 => new_temp_file('', be_key_pkcs8),
+      :c_cert  => new_temp_file('', c_cert),  :c_key    => new_temp_file('', c_key),
+    }
+  end
+  def convert_private_key_to_pkcs8_with_passpharse(pkcs1key, passphrase)
+    pem_parser = PEMParser.new(java.io.StringReader.new(pkcs1key.to_pem))
+    kp = pem_parser.read_object
+    java.security.Security.addProvider(BouncyCastleProvider.new)
+    converter  = JcaPEMKeyConverter.new.setProvider("BC")
+    key = converter.getPrivateKey(kp.get_private_key_info)
+    alg = org.bouncycastle.openssl.PKCS8Generator::PBE_SHA1_RC4_128
+    enc =  JceOpenSSLPKCS8EncryptorBuilder.new(alg).set_passsword(passphrase.to_java.to_char_array).build
+    sw = java.io.StringWriter.new
+    writer = JcaPEMWriter.new(sw)
+    writer.write_object(JcaPKCS8Generator.new(key, enc))
+    writer.flush
+    writer.close
+    sw
   end
   private
@@ -49,12 +73,17 @@ class TcpHelpers
     file
   end
-  def build_certificate(root_ca, root_key=nil, name="")
+  def build_certificate(root_ca, root_key, name, password=nil)
     key = ( root_key.nil? ? OpenSSL::PKey::RSA.new(2048) : root_key )
     options = { :serial => 2, :subject => "/DC=org/DC=ruby-lang/CN=Ruby#{name}", :key => key, :issuer => root_ca.subject}
     cert = new_certificate(options)
     add_ca_extensions(cert, nil, root_ca)
-    [ cert.sign(key, OpenSSL::Digest::SHA256.new), key ]
+    if password
+      key_text = key.to_pem(OpenSSL::Cipher::AES256.new(:CFB), password)
+      [ cert.sign(key, OpenSSL::Digest::SHA256.new), key, key_text ]
+    else
+      [ cert.sign(key, OpenSSL::Digest::SHA256.new), key ]
+    end
   end
   def build_root_ca

data/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/{5.2.0/logstash-input-tcp-5.2.0.jar → 5.2.1/logstash-input-tcp-5.2.1.jar} RENAMED

Binary file

data/version CHANGED

	@@ -1 +1 @@
1	- 5.2.0
1	+ 5.2.1

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-tcp
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 5.2.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-10-24 00:00:00.000000000 Z
+date: 2019-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +164,7 @@ files:
 - logstash-input-tcp.gemspec
 - spec/inputs/tcp_spec.rb
 - spec/spec_helper.rb
-- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.0/logstash-input-tcp-5.2.0.jar
+- vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/5.2.1/logstash-input-tcp-5.2.1.jar
 - version
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses: