opensearch-project · MaciejMierzwa · Jul 12, 2023
@@ -17,8 +17,11 @@
 import org.opensearch.discovery.InitializeExtensionResponse;
 import org.opensearch.sdk.ExtensionsRunner;
 import org.opensearch.sdk.SDKTransportService;
+import org.opensearch.sdk.ssl.DefaultSslKeyStore;
 import org.opensearch.transport.TransportService;
 
+import java.nio.file.Path;
+
 import static org.opensearch.sdk.ExtensionsRunner.NODE_NAME_SETTING;
 
 /**
@@ -53,6 +56,8 @@ public ExtensionsInitRequestHandler(ExtensionsRunner extensionsRunner) {
      */
     public InitializeExtensionResponse handleExtensionInitRequest(InitializeExtensionRequest extensionInitRequest) {
         logger.info("Registering Extension Request received from OpenSearch");
+        validateDNs(extensionInitRequest);
+
         extensionsRunner.getThreadPool().getThreadContext().putHeader("extension_unique_id", extensionInitRequest.getExtension().getId());
         SDKTransportService sdkTransportService = extensionsRunner.getSdkTransportService();
         sdkTransportService.setOpensearchNode(extensionInitRequest.getSourceNode());
@@ -94,4 +99,12 @@ public InitializeExtensionResponse handleExtensionInitRequest(InitializeExtensio
             extensionsRunner.getSdkClusterService().getClusterSettings().sendPendingSettingsUpdateConsumers();
         }
     }
+
+    private void validateDNs(InitializeExtensionRequest extensionInitRequest) {
+        DefaultSslKeyStore sks = new DefaultSslKeyStore(extensionsRunner.getSettings(), Path.of("").toAbsolutePath().resolve("config"));
+        String distingishedName = extensionInitRequest.getExtension().getDistinguishedNames();
+        if(!sks.hasValidDNs(distingishedName)) {
+            throw new IllegalArgumentException("DN: " + distingishedName + " is different then transport certificate DN.");
+        }
+    }
 }
@@ -17,6 +17,7 @@
 import java.nio.file.Paths;
 import java.security.AccessController;
 import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
@@ -459,6 +460,13 @@ private boolean hasValidDNs(final X509Certificate[] currentX509Certs, final X509
         return currentCertDNList.equals(newCertDNList);
     }
 
+    public boolean hasValidDNs(String dn) {
+        return Arrays.stream(this.transportCerts)
+                .map(X509Certificate::getSubjectX500Principal)
+                .map(Principal::getName)
+                .anyMatch(dn::equals);
+    }
+
     /**
      * Check if new X509 certs have expiry date after the current X509 certs.
      * @param currentX509Certs Array of current X509Certificates.