背景

因为需要将 ES 接入 LDAP 认证，而该功能属于收费的白金版特性，所以选择破解白金版 License。

原理

license 中有一个 signature 字段，ES 会根据该字段判断 License 是否被篡改。只要绕过这个校验逻辑，就可以任意修改 License 内容，从而激活白金版。

以下示例基于官方 ES Docker 镜像 7.14.0 版本，原则上支持任意版本破解。

破解流程

下载对应 Elasticsearch 源文件

地址：https://www.elastic.co/cn/downloads/past-releases#elasticsearch

下载对应版本后，需要进行编译操作，环境使用 WSL + Windows，下载 Windows 或 Linux 版本均可。

解压文件

解压到 D:\elasticsearch-7.14.0，主要修改的 jar 包为：D:/elasticsearch-7.14.0/modules/x-pack-core/x-pack-core-7.14.0.jar

反编译提取源文件

使用 Luyten 反编译 jar 包内的 class 文件。

注：exe 文件有问题，下载 jar 后缀的版本即可（参考 issue）

启动命令：java -jar luyten-0.5.4.jar，需使用 JDK 1.8 并配置好 JAVA_HOME

另存源文件

打开 x-pack-core-7.14.0.jar，定位到以下两个文件，点击 File → Save As 另存为 Java 源码文件，保存到 D:\elasticsearch-7.14.0：

org.elasticsearch.license/LicenseVerifier.class → 另存为 LicenseVerifier.java

org.elasticsearch.xpack.core/XPackBuild.class → 另存为 XPackBuild.java

修改源码

`LicenseVerifier.java`

package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        /* 注释掉这一大段
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        try {
            final byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            final ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            final int version = byteBuffer.getInt();
            final int magicLen = byteBuffer.getInt();
            final byte[] magic = new byte[magicLen];
            byteBuffer.get(magic);
            final int hashLen = byteBuffer.getInt();
            publicKeyFingerprint = new byte[hashLen];
            byteBuffer.get(publicKeyFingerprint);
            final int signedContentLen = byteBuffer.getInt();
            signedContent = new byte[signedContentLen];
            byteBuffer.get(signedContent);
            final XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
            license.toXContent(contentBuilder, (ToXContent.Params)new ToXContent.MapParams((Map)Collections.singletonMap("license_spec_view", "true")));
            final Signature rsa = Signature.getInstance("SHA512withRSA");
            rsa.initVerify(CryptUtils.readPublicKey(publicKeyData));
            final BytesRefIterator iterator = BytesReference.bytes(contentBuilder).iterator();
            BytesRef ref;
            while ((ref = iterator.next()) != null) {
                rsa.update(ref.bytes, ref.offset, ref.length);
            }
            return rsa.verify(signedContent);
        }
        catch (IOException ex) {}
        catch (NoSuchAlgorithmException ex2) {}
        catch (SignatureException ex3) {}
        catch (InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
        finally {
            if (signedContent != null) {
                Arrays.fill(signedContent, (byte)0);
            }
        }
         */
        return true; // 增加这行
    }
    
    public static boolean verifyLicense(final License license) {
        /* 注释掉这一大段
        byte[] publicKeyBytes;
        try {
            final InputStream is = LicenseVerifier.class.getResourceAsStream("/public.key");
            try {
                final ByteArrayOutputStream out = new ByteArrayOutputStream();
                Streams.copy(is, (OutputStream)out);
                publicKeyBytes = out.toByteArray();
                if (is != null) {
                    is.close();
                }
            }
            catch (Throwable t) {
                if (is != null) {
                    try {
                        is.close();
                    }
                    catch (Throwable t2) {
                        t.addSuppressed(t2);
                    }
                }
                throw t;
            }
        }
        catch (IOException ex) {
            throw new IllegalStateException(ex);
        }
        return verifyLicense(license, publicKeyBytes);
        */
        return true; // 增加这行
    }
}

`XPackBuild.java`

package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild
{
    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;
    
    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        }
        catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }
    
    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }
    
    public String shortHash() {
        return this.shortHash;
    }
    
    public String date() {
        return this.date;
    }
    
    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        Label_0109: {
            /* 注释掉这一大段即可
            if (path.toString().endsWith(".jar")) {
                try {
                    final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
                    try {
                        final Manifest manifest = jar.getManifest();
                        shortHash = manifest.getMainAttributes().getValue("Change");
                        date = manifest.getMainAttributes().getValue("Build-Date");
                        jar.close();
                    }
                    catch (Throwable t) {
                        try {
                            jar.close();
                        }
                        catch (Throwable t2) {
                            t.addSuppressed(t2);
                        }
                        throw t;
                    }
                    break Label_0109;
                }
                catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
             */
            shortHash = "Unknown";
            date = "Unknown";
        }
        CURRENT = new XPackBuild(shortHash, date);
    }
}

源码修改完成，下面生成 class 文件并替换原始文件。

重新编译 Class 文件

注意：
WSL 环境中 D:\elasticsearch-7.14.0 挂载在 /mnt/d/elasticsearch-7.14.0
ES 7.x 需使用 JDK 8 编译，使用 JDK 17 编译会报错：UnsupportedClassVersionError: class file version 61.0（ES 7.x 只支持到 60.0）
以下命令参数按需修改

# 声明一些需要的临时变量
ES_HOME="/mnt/d/elasticsearch-7.14.0"
ES_JAR=$(cd $ES_HOME && ls lib/elasticsearch-[0-9]*.jar)
ESCORE_JAR=$(cd $ES_HOME && ls lib/elasticsearch-core-*.jar)
LUCENE_JAR=$(cd $ES_HOME && ls lib/lucene-core-*.jar)
XPACK_JAR=$(cd $ES_HOME && ls modules/x-pack-core/x-pack-core-*.jar)

cd ${ES_HOME}

# 编译2个Java类对应的class文件
javac -cp "${ES_HOME}/${ES_JAR}:${ES_HOME}/${LUCENE_JAR}:${ES_HOME}/${XPACK_JAR}:${ES_HOME}/${ESCORE_JAR}" LicenseVerifier.java
javac -cp "${ES_HOME}/${ES_JAR}:${ES_HOME}/${LUCENE_JAR}:${ES_HOME}/${XPACK_JAR}:${ES_HOME}/${ESCORE_JAR}" XPackBuild.java

# 解压重新替换并打包
mkdir -p /mnt/d/x-pack/
cp $ES_HOME/modules/x-pack-core/x-pack-core-7.14.0.jar /mnt/d/x-pack/
cd /mnt/d/x-pack/
jar -xvf x-pack-core-7.14.0.jar
cp ${ES_HOME}/XPackBuild.class ./org/elasticsearch/xpack/core/
cp ${ES_HOME}/LicenseVerifier.class ./org/elasticsearch/license/
rm -f x-pack-core-7.14.0.jar
jar cvf x-pack-core-7.14.0.jar .

申请 License 并修改过期时间

前往官网申请 License，选择下载后者版本。

将下载的 License 中 type 改为 platinum，expiry_date_in_millis 延长至足够远的时间：

{
  "license": {
    "uid": "92c6b41e-59f9-4674-b227-77063c5fa8b0",
    "type": "platinum",
    "issue_date_in_millis": 1642291200000,
    "expiry_date_in_millis": 3107746200000,
    "max_nodes": 100,
    "issued_to": "wang xiaowu (race)",
    "issuer": "Web Form",
    "signature": "AAAAAwAAAA0kxge9SLSAvWWnMgDEAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQBAD9GxJeiZQonVdEVrn5+frA3tMD18Stcp3fiHVGVdXRzbHQd3N23tTXSyXlqQo0lB/dDt1A4iKh8/Wotp38mFkYq/W/HbJC3hYkJaOQwBPO0aelWYTi4hAxw7c8HSjLf2S4J0dK7LYRW9vfuaK/YrCr42fOGsZ3GX+9WcwbBWT6ONnaJa2dMQRnDsrmcE599LiEz++8GvICWhzfGxjcHk4lsEGmFBC1FajDQsGf/d7oCI3EiNodgSMHtP3u6DZCt8h036wn4gyv5XdH3YauUltsKDmYqGFfD/Udy4kmiKR5qExX4i/K+7q+p4TVJ3GHqgVwtdXGkKiq32qXEqktj6",
    "start_date_in_millis": 1642291200000
  }
}

将其保存为 license.json。

导入 License 前，请确保以下配置为 false：

1 2	xpack.security.enabled: false xpack.security.transport.ssl.enabled: false

待升级为白金版后再开启这些配置。

导入新的 x-pack-core.jar

使用 Docker 方式启动 ES，通过挂载的方式替换 jar 包。将 x-pack-core-7.14.0.jar 放在宿主机 /mydata/elasticsearch/modules/，挂载到容器内：

......
volumes:
  - /mydata/elasticsearch/modules/x-pack-core-7.14.0.jar:/usr/share/elasticsearch/modules/x-pack-core/x-pack-core-7.14.0.jar
......

导入 License

1
2
3

curl -XPUT -u elastic:{密码} 'http://127.0.0.1:9200/_license?acknowledge=true' \
  -H "Content-Type: application/json" -d @license.json
# 返回 {"acknowledged":true,"license_status":"valid"} 表示写入成功

查看当前 License：

$ curl -XGET -u elastic:{密码} http://127.0.0.1:9200/_license
{
  "license" : {
    "status" : "active",
    "uid" : "92c6b41e-59f9-4674-b227-77063c5fa8b0",
    "type" : "platinum",
    "issue_date" : "2019-11-29T00:00:00.000Z",
    "issue_date_in_millis" : 1558051200000,
    "expiry_date" : "2068-06-24T14:50:00.999Z",
    "expiry_date_in_millis" : 2524579200999,
    "max_nodes" : 1000,
    "issued_to" : "pyker",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1558051200000
  }
}