[7.x] Add support for more named curves (#55179) (#55211)

We implicitly only supported the prime256v1 ( aka secp256r1 )
curve for the EC keys we read as PEM files to be used in any
SSL Context. We would not fail when trying to read a key
pair using a different curve but we would silently assume
that it was using `secp256r1` which would lead to strange
TLS handshake issues if the curve was actually another one.

This commit fixes that behavior in that it
supports parsing EC keys that use any of the named curves
defined in rfc5915 and rfc5480 making no assumptions about
whether the security provider in use supports them (JDK8 and
higher support all the curves defined in rfc5480).

libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/PemUtils.java

@@ -509,9 +509,12 @@ final class PemUtils {
         parser.readAsn1Object().getInteger(); // version
         String keyHex = parser.readAsn1Object().getString();
         BigInteger privateKeyInt = new BigInteger(keyHex, 16);
+        DerParser.Asn1Object choice = parser.readAsn1Object();
+        parser = choice.getParser();
+        String namedCurve = getEcCurveNameFromOid(parser.readAsn1Object().getOid());
         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
-        AlgorithmParameterSpec prime256v1ParamSpec = new ECGenParameterSpec("secp256r1");
-        keyPairGenerator.initialize(prime256v1ParamSpec);
+        AlgorithmParameterSpec algorithmParameterSpec = new ECGenParameterSpec(namedCurve);
+        keyPairGenerator.initialize(algorithmParameterSpec);
         ECParameterSpec parameterSpec = ((ECKey) keyPairGenerator.generateKeyPair().getPrivate()).getParams();
         return new ECPrivateKeySpec(privateKeyInt, parameterSpec);
     }
@@ -602,4 +605,42 @@ final class PemUtils {
         return certificates;
     }
 
+    private static String getEcCurveNameFromOid(String oidString) throws GeneralSecurityException {
+        switch (oidString) {
+            // see https://tools.ietf.org/html/rfc5480#section-2.1.1.1
+            case "1.2.840.10045.3.1":
+                return "secp192r1";
+            case "1.3.132.0.1":
+                return "sect163k1";
+            case "1.3.132.0.15":
+                return "sect163r2";
+            case "1.3.132.0.33":
+                return "secp224r1";
+            case "1.3.132.0.26":
+                return "sect233k1";
+            case "1.3.132.0.27":
+                return "sect233r1";
+            case "1.2.840.10045.3.1.7":
+                return "secp256r1";
+            case "1.3.132.0.16":
+                return "sect283k1";
+            case "1.3.132.0.17":
+                return "sect283r1";
+            case "1.3.132.0.34":
+                return "secp384r1";
+            case "1.3.132.0.36":
+                return "sect409k1";
+            case "1.3.132.0.37":
+                return "sect409r1";
+            case "1.3.132.0.35":
+                return "secp521r1";
+            case "1.3.132.0.38":
+                return "sect571k1";
+            case "1.3.132.0.39":
+                return "sect571r1";
+        }
+        throw new GeneralSecurityException("Error parsing EC named curve identifier. Named curve with OID: " + oidString 
+            + " is not supported");
+    }
+
 }

libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemUtilsTests.java

@@ -27,6 +27,8 @@ import java.nio.file.Path;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.ECParameterSpec;
 import java.util.function.Supplier;
 
 import static org.hamcrest.Matchers.equalTo;
@@ -53,7 +55,6 @@ public class PemUtilsTests extends ESTestCase {
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/testnode_with_bagattrs.pem"), EMPTY_PASSWORD);
-        assertThat(privateKey, notNullValue());
         assertThat(privateKey, equalTo(key));
     }
 
@@ -66,6 +67,15 @@ public class PemUtilsTests extends ESTestCase {
         assertThat(privateKey, equalTo(key));
     }
 
+    public void testReadEcKeyCurves() throws Exception {
+        String curve = randomFrom("secp256r1", "secp384r1", "secp521r1");
+        PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath("/certs/pem-utils/private_" + curve + ".pem"), ""::toCharArray);
+        assertThat(privateKey, instanceOf(ECPrivateKey.class));
+        ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams();
+        // This is brittle but we can't access sun.security.util.NamedCurve
+        assertThat(parameterSpec.toString(), containsString(curve));
+    }
+
     public void testReadPKCS8EcKey() throws Exception {
         Key key = getKeyFromKeystore("EC");
         assertThat(key, notNullValue());

libs/ssl-config/src/test/resources/certs/pem-utils/README.asciidoc

@@ -147,3 +147,29 @@ openssl x509 -req -in n2.c2.csr -extensions SAN -CA ca.crt -CAkey ca.key -CAcrea
        -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=otherName.1:2.5.4.3;UTF8:node2.cluster2"))\
        -out n2.c2.crt -days 10000
 ------
+
+== Generate EC keys using various curves for testing
+
+[source,shell]
+-------
+openssl ecparam -list_curves
+-------
+
+will list all the available curves in a given system.
+For the purposes of the tests here, the following curves were used to generate ec keys named accordingly:
+
+[source,shell]
+-------
+openssl ecparam -name secp256r1 -genkey -out private_secp256r1.pem
+openssl ecparam -name secp384r1 -genkey -out private_secp384r1.pem
+openssl ecparam -name secp521r1 -genkey -out private_secp521r1.pem
+-------
+
+and the respective certificates
+
+[source,shell]
+-------
+openssl req -x509 -extensions v3_req -key private_secp256r1.pem -out certificate_secp256r1.pem -days 1460 -config openssl_config.cnf
+openssl req -x509 -extensions v3_req -key private_secp384r1.pem -out certificate_secp384r1.pem -days 1460 -config openssl_config.cnf
+openssl req -x509 -extensions v3_req -key private_secp521r1.pem -out certificate_secp521r1.pem -days 1460 -config openssl_config.cnf
+-------

libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp256r1.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBzCCAaygAwIBAgIUAhfs6i7USsFCrKcjhaYmjOOekd8wCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg0
+OTA0WhcNMjQwNDEzMTg0OTA0WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7Ioe2JD2Ssbk0pF19W
+iwO/leZtIcCIZP9btPMGhq0r4e6va/qCYFRJoAMEKv49RQwL23MfBK1Djm63pl7z
+33Cjgb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUZGVhl0jaavD09XqqAZq+QB+q
+VzMwgY8GA1UdEQSBhzCBhIIJbG9jYWxob3N0ghVsb2NhbGhvc3QubG9jYWxkb21h
+aW6CCmxvY2FsaG9zdDSCF2xvY2FsaG9zdDQubG9jYWxkb21haW40ggpsb2NhbGhv
+c3Q2ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQAAAAAAAAAAAAAAAA
+AAAAATAKBggqhkjOPQQDAgNJADBGAiEA5rkkz7V8zFb9ME4b3SiBqFQaXGnLNzz5
+UXmL31oevUUCIQCsL/qw/HKhBtojG9LnK5TezFCYauafDPsVqsxvj7F9UA==
+-----END CERTIFICATE-----

libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp384r1.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQzCCAcmgAwIBAgIUFBuqf8Y7xcDb5MvDH3/WKCaqZOwwCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1
+MjE4WhcNMjQwNDEzMTg1MjE4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKLpoDYudvcmGfr1+aImIap7
+C1cC9SUBcI8EOWlogODMUM1DWcaWrQbbQzhUNpQFvX6A/I2SiME5WM2IC+lJX/W8
+fafcLzYF+Ts2Eftmdi9usBsQz+JEGTPcgRNyM/N3FaOBvzCBvDAJBgNVHRMEAjAA
+MB0GA1UdDgQWBBTuCqvozIlpHH5kLc3BfsT1bRqpHDCBjwYDVR0RBIGHMIGEggls
+b2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0NIIXbG9j
+YWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9zdDYubG9j
+YWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA2gA
+MGUCMQDtmO2fQY1vVD58fFHsAt0LoStzrhB22SkcfKtTVNlrHkTX8SXjToqKKbxX
+AMgUCNoCMFSn7lc3V7xycDx+P1icdb+jLVoFl7G1Ki17B1z6W8JlZRJBsyEiu6qC
+UxZU5NBdww==
+-----END CERTIFICATE-----

libs/ssl-config/src/test/resources/certs/pem-utils/certificate_secp521r1.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjjCCAe+gAwIBAgIUR5YlaSjZ7BE/bCe5f2966kG8+cowCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1
+MjM4WhcNMjQwNDEzMTg1MjM4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAC/v/jT1EwJzFyVjSYw8
+H/Ix6Ty9KjTJ+duN1qc9ByGg2YoJw5Z179mAPoDp7LalGCawplhs38J45rqh7pbN
+MI+1AaAilKSJiuIzByPlkKjxWOX1sYaxmBY4Kc0UOKpqFfY70fBzhIi8M+9t3eaB
+TWoLbIghGkDHG6icTCUawesuTI7/o4G/MIG8MAkGA1UdEwQCMAAwHQYDVR0OBBYE
+FNIirnFLQRx8t9uMd3D5Cux+/uSzMIGPBgNVHREEgYcwgYSCCWxvY2FsaG9zdIIV
+bG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghdsb2NhbGhvc3Q0Lmxv
+Y2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaH
+BH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDgYwAMIGIAkIAo+T4
+wkgf9OwzupXYQc8ftQydvucF29sK1OdJDnJHN/oBFtYdo4ZOMar8PzJZ3KtiOETo
+IInuL8YE6kO9aTaQOUwCQgDfs3/nnEITC9OzpYpHWDp54phcrKgbHUDEUPn8CPU1
+aH8dJ/TVeSiYkt7dAeqklOP790HfHjS+rTAyMFn7uq4pkw==
+-----END CERTIFICATE-----

libs/ssl-config/src/test/resources/certs/pem-utils/private_secp256r1.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMdU2MBFYjUeThgqXbSrVByV+rMmsKKe6qzwBjgBwgHXoAoGCCqGSM49
+AwEHoUQDQgAE3sih7YkPZKxuTSkXX1aLA7+V5m0hwIhk/1u08waGrSvh7q9r+oJg
+VEmgAwQq/j1FDAvbcx8ErUOObremXvPfcA==
+-----END EC PRIVATE KEY-----

libs/ssl-config/src/test/resources/certs/pem-utils/private_secp384r1.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDA6lA/V9jd1eZJrD+fkOJMNWDU0xT5aRyUJxrNdIwMWFu1wvswHLvF8
+kZELRUMx3QmgBwYFK4EEACKhZANiAASi6aA2Lnb3Jhn69fmiJiGqewtXAvUlAXCP
+BDlpaIDgzFDNQ1nGlq0G20M4VDaUBb1+gPyNkojBOVjNiAvpSV/1vH2n3C82Bfk7
+NhH7ZnYvbrAbEM/iRBkz3IETcjPzdxU=
+-----END EC PRIVATE KEY-----

libs/ssl-config/src/test/resources/certs/pem-utils/private_secp521r1.pem

@@ -0,0 +1,10 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIANfC2QUp9OWMWk+1+7i1S3hhg1sXiE2Ysv2lTSV3Jct547FJRoNnl
+kJEdojfPbWNlP/uxtoWdIY0T/c+K8ErSkPGgBwYFK4EEACOhgYkDgYYABAAv7/40
+9RMCcxclY0mMPB/yMek8vSo0yfnbjdanPQchoNmKCcOWde/ZgD6A6ey2pRgmsKZY
+bN/CeOa6oe6WzTCPtQGgIpSkiYriMwcj5ZCo8Vjl9bGGsZgWOCnNFDiqahX2O9Hw
+c4SIvDPvbd3mgU1qC2yIIRpAxxuonEwlGsHrLkyO/w==
+-----END EC PRIVATE KEY-----

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/PemUtils.java

@@ -482,9 +482,12 @@ public class PemUtils {
         parser.readAsn1Object().getInteger(); // version
         String keyHex = parser.readAsn1Object().getString();
         BigInteger privateKeyInt = new BigInteger(keyHex, 16);
+        DerParser.Asn1Object choice = parser.readAsn1Object();
+        parser = choice.getParser();
+        String namedCurve = getEcCurveNameFromOid(parser.readAsn1Object().getOid());
         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
-        AlgorithmParameterSpec prime256v1ParamSpec = new ECGenParameterSpec("secp256r1");
-        keyPairGenerator.initialize(prime256v1ParamSpec);
+        AlgorithmParameterSpec algorithmParameterSpec = new ECGenParameterSpec(namedCurve);
+        keyPairGenerator.initialize(algorithmParameterSpec);
         ECParameterSpec parameterSpec = ((ECKey) keyPairGenerator.generateKeyPair().getPrivate()).getParams();
         return new ECPrivateKeySpec(privateKeyInt, parameterSpec);
     }
@@ -556,7 +559,45 @@ public class PemUtils {
             case "1.2.840.10045.2.1":
                 return "EC";
         }
-        throw new GeneralSecurityException("Error parsing key algorithm identifier. Algorithm with OID: "+oidString+ " is not " +
+        throw new GeneralSecurityException("Error parsing key algorithm identifier. Algorithm with OID: " + oidString + " is not " +
+            "supported");
+    }
+
+    private static String getEcCurveNameFromOid(String oidString) throws GeneralSecurityException {
+        switch (oidString) {
+            // see https://tools.ietf.org/html/rfc5480#section-2.1.1.1
+            case "1.2.840.10045.3.1":
+                return "secp192r1";
+            case "1.3.132.0.1":
+                return "sect163k1";
+            case "1.3.132.0.15":
+                return "sect163r2";
+            case "1.3.132.0.33":
+                return "secp224r1";
+            case "1.3.132.0.26":
+                return "sect233k1";
+            case "1.3.132.0.27":
+                return "sect233r1";
+            case "1.2.840.10045.3.1.7":
+                return "secp256r1";
+            case "1.3.132.0.16":
+                return "sect283k1";
+            case "1.3.132.0.17":
+                return "sect283r1";
+            case "1.3.132.0.34":
+                return "secp384r1";
+            case "1.3.132.0.36":
+                return "sect409k1";
+            case "1.3.132.0.37":
+                return "sect409r1";
+            case "1.3.132.0.35":
+                return "secp521r1";
+            case "1.3.132.0.38":
+                return "sect571k1";
+            case "1.3.132.0.39":
+                return "sect571r1";
+        }
+        throw new GeneralSecurityException("Error parsing EC named curve identifier. Named curve with OID: " + oidString + " is not " +
             "supported");
     }
 }

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PemUtilsTests.java

@@ -14,6 +14,8 @@ import java.nio.file.Path;
 import java.security.Key;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
+import java.security.spec.ECParameterSpec;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
@@ -57,19 +59,28 @@ public class PemUtilsTests extends ESTestCase {
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
-                ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ec_key_pkcs8_plain.pem"), ""::toCharArray);
+            ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ec_key_pkcs8_plain.pem"), ""::toCharArray);
         assertThat(privateKey, notNullValue());
         assertThat(privateKey, equalTo(key));
     }
 
+    public void testReadEcKeyCurves() throws Exception {
+        String curve = randomFrom("secp256r1", "secp384r1", "secp521r1");
+        PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
+            ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + curve + ".pem"), ""::toCharArray);
+        assertThat(privateKey, instanceOf(ECPrivateKey.class));
+        ECParameterSpec parameterSpec = ((ECPrivateKey) privateKey).getParams();
+        // This is brittle but we can't access sun.security.util.NamedCurve
+        assertThat(parameterSpec.toString(), containsString(curve));
+    }
+
     public void testReadEncryptedPKCS8Key() throws Exception {
         assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
         Key key = getKeyFromKeystore("RSA");
         assertThat(key, notNullValue());
         assertThat(key, instanceOf(PrivateKey.class));
         PrivateKey privateKey = PemUtils.readPrivateKey(getDataPath
-                ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/key_pkcs8_encrypted" +
-                        ".pem"), "testnode"::toCharArray);
+            ("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/key_pkcs8_encrypted.pem"), "testnode"::toCharArray);
         assertThat(privateKey, notNullValue());
         assertThat(privateKey, equalTo(key));
     }

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc

@@ -147,3 +147,29 @@ openssl x509 -req -in n2.c2.csr -extensions SAN -CA ca.crt -CAkey ca.key -CAcrea
        -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=otherName.1:2.5.4.3;UTF8:node2.cluster2"))\
        -out n2.c2.crt -days 10000
 ------
+
+== Generate EC keys using various curves for testing
+
+[source,shell]
+-------
+openssl ecparam -list_curves
+-------
+
+will list all the available curves in a given system.
+For the purposes of the tests here, the following curves were used to generate ec keys named accordingly:
+
+[source,shell]
+-------
+openssl ecparam -name secp256r1 -genkey -out private_secp256r1.pem
+openssl ecparam -name secp384r1 -genkey -out private_secp384r1.pem
+openssl ecparam -name secp521r1 -genkey -out private_secp521r1.pem
+-------
+
+and the respective certificates
+
+[source,shell]
+-------
+openssl req -x509 -extensions v3_req -key private_secp256r1.pem -out certificate_secp256r1.pem -days 1460 -config openssl_config.cnf
+openssl req -x509 -extensions v3_req -key private_secp384r1.pem -out certificate_secp384r1.pem -days 1460 -config openssl_config.cnf
+openssl req -x509 -extensions v3_req -key private_secp521r1.pem -out certificate_secp521r1.pem -days 1460 -config openssl_config.cnf
+-------

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp256r1.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIICBzCCAaygAwIBAgIUAhfs6i7USsFCrKcjhaYmjOOekd8wCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg0
+OTA0WhcNMjQwNDEzMTg0OTA0WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN7Ioe2JD2Ssbk0pF19W
+iwO/leZtIcCIZP9btPMGhq0r4e6va/qCYFRJoAMEKv49RQwL23MfBK1Djm63pl7z
+33Cjgb8wgbwwCQYDVR0TBAIwADAdBgNVHQ4EFgQUZGVhl0jaavD09XqqAZq+QB+q
+VzMwgY8GA1UdEQSBhzCBhIIJbG9jYWxob3N0ghVsb2NhbGhvc3QubG9jYWxkb21h
+aW6CCmxvY2FsaG9zdDSCF2xvY2FsaG9zdDQubG9jYWxkb21haW40ggpsb2NhbGhv
+c3Q2ghdsb2NhbGhvc3Q2LmxvY2FsZG9tYWluNocEfwAAAYcQAAAAAAAAAAAAAAAA
+AAAAATAKBggqhkjOPQQDAgNJADBGAiEA5rkkz7V8zFb9ME4b3SiBqFQaXGnLNzz5
+UXmL31oevUUCIQCsL/qw/HKhBtojG9LnK5TezFCYauafDPsVqsxvj7F9UA==
+-----END CERTIFICATE-----

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp384r1.pem

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQzCCAcmgAwIBAgIUFBuqf8Y7xcDb5MvDH3/WKCaqZOwwCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1
+MjE4WhcNMjQwNDEzMTg1MjE4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABKLpoDYudvcmGfr1+aImIap7
+C1cC9SUBcI8EOWlogODMUM1DWcaWrQbbQzhUNpQFvX6A/I2SiME5WM2IC+lJX/W8
+fafcLzYF+Ts2Eftmdi9usBsQz+JEGTPcgRNyM/N3FaOBvzCBvDAJBgNVHRMEAjAA
+MB0GA1UdDgQWBBTuCqvozIlpHH5kLc3BfsT1bRqpHDCBjwYDVR0RBIGHMIGEggls
+b2NhbGhvc3SCFWxvY2FsaG9zdC5sb2NhbGRvbWFpboIKbG9jYWxob3N0NIIXbG9j
+YWxob3N0NC5sb2NhbGRvbWFpbjSCCmxvY2FsaG9zdDaCF2xvY2FsaG9zdDYubG9j
+YWxkb21haW42hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMCA2gA
+MGUCMQDtmO2fQY1vVD58fFHsAt0LoStzrhB22SkcfKtTVNlrHkTX8SXjToqKKbxX
+AMgUCNoCMFSn7lc3V7xycDx+P1icdb+jLVoFl7G1Ki17B1z6W8JlZRJBsyEiu6qC
+UxZU5NBdww==
+-----END CERTIFICATE-----

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_secp521r1.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjjCCAe+gAwIBAgIUR5YlaSjZ7BE/bCe5f2966kG8+cowCgYIKoZIzj0EAwIw
+IjEgMB4GA1UEAxMXRWxhc3RpY3NlYXJjaCBUZXN0IE5vZGUwHhcNMjAwNDE0MTg1
+MjM4WhcNMjQwNDEzMTg1MjM4WjAiMSAwHgYDVQQDExdFbGFzdGljc2VhcmNoIFRl
+c3QgTm9kZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAC/v/jT1EwJzFyVjSYw8
+H/Ix6Ty9KjTJ+duN1qc9ByGg2YoJw5Z179mAPoDp7LalGCawplhs38J45rqh7pbN
+MI+1AaAilKSJiuIzByPlkKjxWOX1sYaxmBY4Kc0UOKpqFfY70fBzhIi8M+9t3eaB
+TWoLbIghGkDHG6icTCUawesuTI7/o4G/MIG8MAkGA1UdEwQCMAAwHQYDVR0OBBYE
+FNIirnFLQRx8t9uMd3D5Cux+/uSzMIGPBgNVHREEgYcwgYSCCWxvY2FsaG9zdIIV
+bG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2NhbGhvc3Q0ghdsb2NhbGhvc3Q0Lmxv
+Y2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9jYWxob3N0Ni5sb2NhbGRvbWFpbjaH
+BH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwCgYIKoZIzj0EAwIDgYwAMIGIAkIAo+T4
+wkgf9OwzupXYQc8ftQydvucF29sK1OdJDnJHN/oBFtYdo4ZOMar8PzJZ3KtiOETo
+IInuL8YE6kO9aTaQOUwCQgDfs3/nnEITC9OzpYpHWDp54phcrKgbHUDEUPn8CPU1
+aH8dJ/TVeSiYkt7dAeqklOP790HfHjS+rTAyMFn7uq4pkw==
+-----END CERTIFICATE-----

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp256r1.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMdU2MBFYjUeThgqXbSrVByV+rMmsKKe6qzwBjgBwgHXoAoGCCqGSM49
+AwEHoUQDQgAE3sih7YkPZKxuTSkXX1aLA7+V5m0hwIhk/1u08waGrSvh7q9r+oJg
+VEmgAwQq/j1FDAvbcx8ErUOObremXvPfcA==
+-----END EC PRIVATE KEY-----

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp384r1.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDA6lA/V9jd1eZJrD+fkOJMNWDU0xT5aRyUJxrNdIwMWFu1wvswHLvF8
+kZELRUMx3QmgBwYFK4EEACKhZANiAASi6aA2Lnb3Jhn69fmiJiGqewtXAvUlAXCP
+BDlpaIDgzFDNQ1nGlq0G20M4VDaUBb1+gPyNkojBOVjNiAvpSV/1vH2n3C82Bfk7
+NhH7ZnYvbrAbEM/iRBkz3IETcjPzdxU=
+-----END EC PRIVATE KEY-----

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_secp521r1.pem

@@ -0,0 +1,10 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIANfC2QUp9OWMWk+1+7i1S3hhg1sXiE2Ysv2lTSV3Jct547FJRoNnl
+kJEdojfPbWNlP/uxtoWdIY0T/c+K8ErSkPGgBwYFK4EEACOhgYkDgYYABAAv7/40
+9RMCcxclY0mMPB/yMek8vSo0yfnbjdanPQchoNmKCcOWde/ZgD6A6ey2pRgmsKZY
+bN/CeOa6oe6WzTCPtQGgIpSkiYriMwcj5ZCo8Vjl9bGGsZgWOCnNFDiqahX2O9Hw
+c4SIvDPvbd3mgU1qC2yIIRpAxxuonEwlGsHrLkyO/w==
+-----END EC PRIVATE KEY-----

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/ssl/EllipticCurveSSLTests.java

@@ -40,35 +40,36 @@ import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 
 public class EllipticCurveSSLTests extends SecurityIntegTestCase {
+     private static String CURVE;
 
     @Override
     protected Settings nodeSettings(int nodeOrdinal) {
-        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
-        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
+        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem");
+        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem");
         return Settings.builder()
-                .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
-                .put("xpack.security.transport.ssl.enabled", true)
-                .put("xpack.security.transport.ssl.key", keyPath)
-                .put("xpack.security.transport.ssl.certificate", certPath)
-                .put("xpack.security.transport.ssl.certificate_authorities", certPath)
-                // disable hostname verificate since these certs aren't setup for that
-                .put("xpack.security.transport.ssl.verification_mode", "certificate")
-                .build();
+            .put(super.nodeSettings(nodeOrdinal).filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+            .put("xpack.security.transport.ssl.enabled", true)
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+            // disable hostname verificate since these certs aren't setup for that
+            .put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .build();
     }
 
     @Override
     protected Settings transportClientSettings() {
-        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
-        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
+        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem");
+        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem");
         return Settings.builder()
-                .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
-                .put("xpack.security.transport.ssl.enabled", true)
-                .put("xpack.security.transport.ssl.key", keyPath)
-                .put("xpack.security.transport.ssl.certificate", certPath)
-                .put("xpack.security.transport.ssl.certificate_authorities", certPath)
-                // disable hostname verificate since these certs aren't setup for that
-                .put("xpack.security.transport.ssl.verification_mode", "certificate")
-                .build();
+            .put(super.transportClientSettings().filter(s -> s.startsWith("xpack.security.transport.ssl") == false))
+            .put("xpack.security.transport.ssl.enabled", true)
+            .put("xpack.security.transport.ssl.key", keyPath)
+            .put("xpack.security.transport.ssl.certificate", certPath)
+            .put("xpack.security.transport.ssl.certificate_authorities", certPath)
+            // disable hostname verificate since these certs aren't setup for that
+            .put("xpack.security.transport.ssl.verification_mode", "certificate")
+            .build();
     }
 
     @Override
@@ -78,13 +79,13 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
 
     public void testConnection() throws Exception {
         assumeFalse("Fails on BCTLS with 'Closed engine without receiving the close alert message.'", inFipsJvm());
-        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-key.pem");
-        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/prime256v1-cert.pem");
+        final Path keyPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/private_" + CURVE + ".pem");
+        final Path certPath = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/certificate_" + CURVE + ".pem");
         PrivateKey privateKey = PemUtils.readPrivateKey(keyPath, () -> null);
         Certificate[] certs = CertParsingUtils.readCertificates(Collections.singletonList(certPath.toString()), null);
         X509ExtendedKeyManager x509ExtendedKeyManager = CertParsingUtils.keyManager(certs, privateKey, new char[0]);
         SSLContext sslContext = SSLContext.getInstance("TLS");
-        sslContext.init(new X509ExtendedKeyManager[] { x509ExtendedKeyManager },
+        sslContext.init(new X509ExtendedKeyManager[]{x509ExtendedKeyManager},
             new TrustManager[]{CertParsingUtils.trustManager(CertParsingUtils.readCertificates(Collections.singletonList(certPath)))},
             new SecureRandom());
         SSLSocketFactory socketFactory = sslContext.getSocketFactory();
@@ -118,6 +119,7 @@ public class EllipticCurveSSLTests extends SecurityIntegTestCase {
 
     @BeforeClass
     public static void assumeECDSACiphersSupported() throws Exception {
+        CURVE = randomFrom("secp256r1", "secp384r1", "secp521r1");
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
         sslContext.init(null, null, null);
         SSLEngine sslEngine = sslContext.createSSLEngine();