Class OpenSearchTlsSupport

java.lang.Object
ai.attackframework.tools.burp.utils.opensearch.OpenSearchTlsSupport

public final class OpenSearchTlsSupport extends Object
Shared TLS helpers for OpenSearch connectivity, pin import, and trust-mode enforcement.

The persisted TLS mode lives in RuntimeConfig. Imported pinned certificate material is session-scoped and held only in SecureCredentialStore, similar to auth secrets.

  • Method Details

    • currentTlsMode

      public static String currentTlsMode()
      Returns the effective OpenSearch TLS mode, honoring the insecure override property when set.
    • isInsecureMode

      public static boolean isInsecureMode()
      Returns whether the current TLS mode trusts all certificates insecurely.
    • isPinnedMode

      public static boolean isPinnedMode()
      Returns whether the current TLS mode requires a pinned certificate.
    • hasPinnedCertificate

      public static boolean hasPinnedCertificate()
      Returns whether pinned certificate material is currently loaded in session memory.
    • pinnedCertificateFingerprint

      public static String pinnedCertificateFingerprint()
      Returns the loaded pinned certificate fingerprint, or blank when none is loaded.
    • importPinnedCertificate

      public static SecureCredentialStore.PinnedTlsCertificate importPinnedCertificate(Path path) throws IOException, CertificateException
      Imports one X.509 certificate file and returns session-ready pin material.

      DER and PEM encodings are supported by the JCA certificate factory as long as the file contains a single X.509 certificate.

      Parameters:
      path - source file chosen by the user
      Returns:
      imported pin material
      Throws:
      IOException - when the file cannot be read
      CertificateException - when the file does not contain a readable X.509 certificate
    • buildPinnedSslContext

      public static SSLContext buildPinnedSslContext() throws GeneralSecurityException
      Builds an SSL context that trusts only the currently imported pinned certificate.
      Throws:
      GeneralSecurityException
    • successTrustSummary

      public static String successTrustSummary(String baseUrl)
      Returns a user-facing trust summary for successful connections under the current mode.
    • failureTrustSummary

      public static String failureTrustSummary(String baseUrl, String detail)
      Returns a user-facing trust summary for failed connections under the current mode.
    • looksLikeTrustFailure

      public static boolean looksLikeTrustFailure(String message)
      Returns true when the message looks like a TLS trust, pin, or hostname-verification failure.
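
The single-certificate import and pin-only trust described for importPinnedCertificate and buildPinnedSslContext can be built from standard JCA/JSSE calls as follows. This is an added example, not the project's own implementation: the class name PinnedTrustSketch, its method names, and the choice of SHA-256 for the fingerprint are assumptions, and HexFormat requires Java 17 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HexFormat;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical sketch class; not part of the documented package.
public final class PinnedTrustSketch {

    /** Parses a DER or PEM file and rejects anything but exactly one X.509 certificate. */
    static X509Certificate loadSingleCertificate(Path path) throws IOException, CertificateException {
        try (InputStream in = Files.newInputStream(path)) {
            Collection<? extends Certificate> certs =
                    CertificateFactory.getInstance("X.509").generateCertificates(in);
            if (certs.size() != 1) {
                throw new CertificateException("expected exactly one certificate, found " + certs.size());
            }
            return (X509Certificate) certs.iterator().next();
        }
    }

    /** SHA-256 over the DER encoding; the digest algorithm is an assumption of this sketch. */
    static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }

    /** Trust store with a single entry, so the JVM's default CA roots are never consulted. */
    static SSLContext pinnedContext(X509Certificate pin) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // empty in-memory store, nothing written to disk
        store.setCertificateEntry("pin", pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

With this construction, pinning a CA certificate rather than the server's own leaf certificate trusts every certificate that CA has issued. Hostname verification is performed by the HTTPS client layer and is not configured by the SSLContext itself.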