Fix PemKeyConfigTests (#55577) (#55996)

We were creating PemKeyConfig objects using different private keys but always using testnode.crt certificate that uses the RSA public key. The PemKeyConfig was built but we would then later fail to handle SSL connections during the TLS handshake eitherway. This became obvious in FIPS tests where the consistency checks that FIPS 140 mandates kick in and failed early becausethe private key was of different type than the public key
2020-04-30 12:05:27 +03:00 · 2020-04-30 12:05:27 +03:00 · 3c7c9573b4
parent 31a84b17ad
commit 3c7c9573b4
4 changed files with 39 additions and 4 deletions
--- a/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemKeyConfigTests.java
+++ b/libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemKeyConfigTests.java
@ -70,6 +70,7 @@ public class PemKeyConfigTests extends ESTestCase {
    }

    public void testBuildKeyConfigFromPkcs8PemFilesWithPassword() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
        final Path cert = getDataPath("/certs/cert2/cert2.crt");
        final Path key = getDataPath("/certs/cert2/cert2-pkcs8.key");
        final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, "c2-pass".toCharArray());
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PEMKeyConfigTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PEMKeyConfigTests.java
@ -23,6 +23,7 @@ public class PEMKeyConfigTests extends ESTestCase {
    public static final SecureString TESTNODE_PASSWORD = new SecureString("testnode".toCharArray());

    public void testEncryptedPkcs8RsaKey() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
        verifyKeyConfig("testnode.crt", "key_pkcs8_encrypted.pem", TESTNODE_PASSWORD);
    }

@ -31,11 +32,11 @@ public class PEMKeyConfigTests extends ESTestCase {
    }

    public void testUnencryptedPkcs8DsaKey() throws Exception {
-        verifyKeyConfig("testnode.crt", "dsa_key_pkcs8_plain.pem", NO_PASSWORD);
+        verifyKeyConfig("testnode_dsa.crt", "dsa_key_pkcs8_plain.pem", NO_PASSWORD);
    }

    public void testUnencryptedPkcs8EcKey() throws Exception {
-        verifyKeyConfig("testnode.crt", "ec_key_pkcs8_plain.pem", NO_PASSWORD);
+        verifyKeyConfig("testnode_ec.crt", "ec_key_pkcs8_plain.pem", NO_PASSWORD);
    }

    public void testEncryptedPkcs1RsaKey() throws Exception {
--- a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc
+++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc
@ -91,6 +91,10 @@ openssl pkcs12 -in dsa.p12 -nodes -nocerts | openssl pkcs8 -topk8 -nocrypt -outf
 ----
 [source,shell]
 ----
+openssl pkcs12 -in dsa.p12 -nodes -nokeys -cacerts -out testnode_dsa.crt
+----
+[source,shell]
+----
 keytool -importkeystore -srckeystore testnode.jks -destkeystore ec.p12 -deststoretype PKCS12 \
                -srcalias testnode_ec -deststorepass testnode -destkeypass testnode
 ----
@ -99,8 +103,10 @@ keytool -importkeystore -srckeystore testnode.jks -destkeystore ec.p12 -deststor
 openssl pkcs12 -in ec.p12 -nodes -nocerts | openssl pkcs8 -topk8 -nocrypt -outform pem \
                -out ec_key_pkcs8_plain.pem
 ----
-
-
+[source,shell]
+----
+openssl pkcs12 -in ec.p12 -nodes -nokeys -cacerts -out testnode_ec.crt
+----

 Create `PKCS#8` encrypted key from the encrypted `PKCS#1` encoded `testnode.pem`
 [source,shell]
--- a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_dsa.crt
+++ b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_dsa.crt
@ -0,0 +1,27 @@
+Bag Attributes
+    friendlyName: testnode_dsa
+    localKeyID: 54 69 6D 65 20 31 35 38 37 35 35 38 39 34 34 36 39 38 
+subject=CN = Elasticsearch Test Node
+
+issuer=CN = Elasticsearch Test Node
+
+-----BEGIN CERTIFICATE-----
+MIIDODCCAvSgAwIBAgIEIjxzajANBglghkgBZQMEAwIFADAiMSAwHgYDVQQDExdF
+bGFzdGljc2VhcmNoIFRlc3QgTm9kZTAeFw0xODA1MTcwOTQzMThaFw00NTEwMDIw
+OTQzMThaMCIxIDAeBgNVBAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBtzCC
+ASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2
+USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLC
+T7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3R
+SAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7LvKtcNrhXuXmU
+r7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwW
+eotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
+Zl6Ae1UlZAFMO/7PSSoDgYQAAoGAd0xuuUUSAXsXaQ/dp9ThBTVzdVhGk6VAcWb4
+03uMXUyXKsnCIASTm6bVWKjNxO1EsP3Slyd5CwbqIRUBK5NjzdQP/hHGtEIbqtYK
+Y1VZI7T91Lk8/Dc/p9Vgh27bPR8Yq8wPKU3EIJzYi0Nw8AxZf10yK+5tQ6pPUa3d
+H6lXt5qjgbQwgbEwHQYDVR0OBBYEFEPyOMLAA8bEK6SwOZgXXIg3ABkPMIGPBgNV
+HREEgYcwgYSCCWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2Nh
+bGhvc3Q0ghdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9j
+YWxob3N0Ni5sb2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJ
+YIZIAWUDBAMCBQADLwAwLAIULbToaXth2hZiQZDt9w4reOr7w+kCFCLdy1T6UdFS
+e1Mec3NrqztRk0uY
+-----END CERTIFICATE-----