Client: Implement certificate pinning (#359)

Author: Anaethelion

elasticsearch.go

@@ -66,9 +66,10 @@ type Config struct {
 	Username  string   // Username for HTTP Basic Authentication.
 	Password  string   // Password for HTTP Basic Authentication.
 
-	CloudID      string // Endpoint for the Elastic Service (https://elastic.co/cloud).
-	APIKey       string // Base64-encoded token for authorization; if set, overrides username/password and service token.
-	ServiceToken string // Service token for authorization; if set, overrides username/password.
+	CloudID                string // Endpoint for the Elastic Service (https://elastic.co/cloud).
+	APIKey                 string // Base64-encoded token for authorization; if set, overrides username/password and service token.
+	ServiceToken           string // Service token for authorization; if set, overrides username/password.
+	CertificateFingerprint string // SHA256 hex fingerprint given by Elasticsearch on first launch.
 
 	Header http.Header // Global HTTP request header.
 
@@ -189,11 +190,12 @@ func NewClient(cfg Config) (*Client, error) {
 	}
 
 	tp, err := estransport.New(estransport.Config{
-		URLs:         urls,
-		Username:     cfg.Username,
-		Password:     cfg.Password,
-		APIKey:       cfg.APIKey,
-		ServiceToken: cfg.ServiceToken,
+		URLs:                   urls,
+		Username:               cfg.Username,
+		Password:               cfg.Password,
+		APIKey:                 cfg.APIKey,
+		ServiceToken:           cfg.ServiceToken,
+		CertificateFingerprint: cfg.CertificateFingerprint,
 
 		Header: cfg.Header,
 		CACert: cfg.CACert,

elasticsearch_internal_test.go

@@ -20,6 +20,8 @@
 package elasticsearch
 
 import (
+	"bytes"
+	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"io/ioutil"
@@ -774,3 +776,41 @@ func TestCompatibilityHeader(t *testing.T) {
 		client.Search.WithBody(strings.NewReader("{}")),
 	)
 }
+
+
+
+func TestFingerprint(t *testing.T) {
+	body := []byte(`{"body": true"}"`)
+	server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Elastic-Product", "Elasticsearch")
+		w.Write(body)
+	}))
+	defer server.Close()
+
+	config := Config{
+		Addresses: []string{server.URL},
+		DisableRetry: true,
+	}
+
+	// Without certificate and authority, client should fail on TLS
+	client, _ := NewClient(config)
+	res, err := client.Info()
+	if _, ok := err.(x509.UnknownAuthorityError); !ok {
+		t.Fatalf("Uknown error, expected UnknownAuthorityError, got: %s", err)
+	}
+
+	// We add the fingerprint corresponding ton testcert.LocalhostCert
+	//
+	config.CertificateFingerprint = "448F628A8A65AA18560E53A80C53ACB38C51B427DF0334082349141147DC9BF6"
+	client, _ = NewClient(config)
+	res, err = client.Info()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+
+	data, _ := ioutil.ReadAll(res.Body)
+	if bytes.Compare(data, body) != 0 {
+		t.Fatalf("unexpected payload returned: expected: %s, got: %s", body, data)
+	}
+}

estransport/estransport.go

@@ -20,7 +20,10 @@ package estransport
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/sha256"
+	"crypto/tls"
 	"crypto/x509"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -106,6 +109,8 @@ type Config struct {
 	Selector  Selector
 
 	ConnectionPoolFunc func([]*Connection, Selector) ConnectionPool
+
+	CertificateFingerprint string
 }
 
 // Client represents the HTTP client.
@@ -118,6 +123,7 @@ type Client struct {
 	password     string
 	apikey       string
 	servicetoken string
+	fingerprint  string
 	header       http.Header
 
 	retryOnStatus         []int
@@ -150,6 +156,32 @@ func New(cfg Config) (*Client, error) {
 		cfg.Transport = http.DefaultTransport
 	}
 
+	if transport, ok := cfg.Transport.(*http.Transport); ok {
+		if cfg.CertificateFingerprint != "" {
+			transport.DialTLS = func(network, addr string) (net.Conn, error) {
+				fingerprint, _ := hex.DecodeString(cfg.CertificateFingerprint)
+
+				c, err := tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
+				if err != nil {
+					return nil, err
+				}
+
+				// Retrieve the connection state from the remote server.
+				cState := c.ConnectionState()
+				for _, cert := range cState.PeerCertificates {
+					// Compute digest for each certificate.
+					digest := sha256.Sum256(cert.Raw)
+
+					// Provided fingerprint should match at least one certificate from remote before we continue.
+					if bytes.Compare(digest[0:], fingerprint) == 0 {
+						return c, nil
+					}
+				}
+				return nil, fmt.Errorf("fingerprint mismatch, provided: %s", cfg.CertificateFingerprint)
+			}
+		}
+	}
+
 	if cfg.CACert != nil {
 		httpTransport, ok := cfg.Transport.(*http.Transport)
 		if !ok {