From 690164d0beeee6082e73d87c1024d11c77bc69f0 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Tue, 10 Sep 2019 14:38:35 +0300
Subject: [PATCH] Change EmailSslTest for FIPS 140 JVMs (#46278)
This commit changes the SSLContext for the email server we use in the tests so that it loads its key material from an in memory keystore (that is in turn built from a pair of PEM encoded private key and certificate) instead of a PKCS#12 one. This is done so that when we run our tests in FIPS 140-2 JVMs, the keystore is of a type that the Security Provider actually supports. This also mutes testCanSendMessageToSmtpServerByDisablingVerification as we can't run tests with verification set to `none` in FIPS 140 JVMs.
---
 .../watcher/actions/email/EmailSslTests.java | 24 +++++++++++----
 .../xpack/watcher/actions/email/ca.crt | 20 +++++++++++++
 .../xpack/watcher/actions/email/test-smtp.crt | 20 +++++++++++++
 .../xpack/watcher/actions/email/test-smtp.pem | 30 +++++++++++++++++++
 4 files changed, 88 insertions(+), 6 deletions(-)
 create mode 100644 x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/ca.crt
 create mode 100644 x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt
 create mode 100644 x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem
diff --git a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java
index c4b0b657b9d..70d7f2f6dd5 100644
--- a/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java
+++ b/x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java
@@ -12,6 +12,8 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.core.watcher.watch.Payload;
@@ -31,7 +33,8 @@ import javax.mail.internet.MimeMessage;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import java.io.IOException;
-import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.util.ArrayList;
@@ -50,18 +53,26 @@ public class EmailSslTests extends ESTestCase { @Before public void startSmtpServer() throws GeneralSecurityException, IOException { - final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + // Keystore and private key will share the same password final char[] keystorePassword = "test-smtp".toCharArray(); - try (InputStream is = getDataInputStream("test-smtp.p12")) { - keyStore.load(is, keystorePassword); - } + final Path tempDir = createTempDir(); + final Path certPath = tempDir.resolve("test-smtp.crt"); + final Path keyPath = tempDir.resolve("test-smtp.pem"); + Files.copy(getDataPath("/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt"), certPath); + Files.copy(getDataPath("/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem"), keyPath); + KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + keyStore.load(null, keystorePassword); + keyStore.setKeyEntry("test-smtp", PemUtils.readPrivateKey(keyPath, keystorePassword::clone), keystorePassword, + CertParsingUtils.readCertificates(Collections.singletonList(certPath))); final SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(keyStore, keystorePassword).build(); server = EmailServer.localhost(logger, sslContext); } @After public void stopSmtpServer() { - server.stop(); + if (null != server) { + server.stop(); + } } public void testFailureSendingMessageToSmtpServerWithUntrustedCertificateAuthority() throws Exception { @@ -96,6 +107,7 @@ public class EmailSslTests extends ESTestCase { } public void testCanSendMessageToSmtpServerByDisablingVerification() throws Exception { + assumeFalse("Can't run in a FIPS JVM with verification mode None", inFipsJvm()); List messages = new ArrayList<>(); server.addListener(messages::add); try { 
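Review bot: The key that `PemUtils.readPrivateKey(keyPath, keystorePassword::clone)` loads in `startSmtpServer` is in the traditional OpenSSL encrypted format (test-smtp.pem, added later in this patch, carries `Proc-Type: 4,ENCRYPTED` and `DEK-Info: AES-128-CBC`), and that format derives the AES key from the password with MD5. As the commit exists to make this setup work under a FIPS 140 provider, confirm that `PemUtils` can decrypt that format there, or store the fixture as an encrypted PKCS#8 key; `PemUtils` itself is not part of this patch. The reason for the in-memory keystore lives only in the commit message, so a comment above `KeyStore.getInstance(...)` would help, e.g. `// Built in memory from PEM: the default keystore type must be one the FIPS provider supports, unlike the old PKCS#12 file`. The certificate passed to `CertParsingUtils.readCertificates(...)` appears, from its encoded validity fields, to expire on 2022-08-06, after which the verifying tests would presumably start failing, and none of the added lines in this file read ca.crt, which the patch also adds.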
diff --git a/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/ca.crt b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/ca.crt new file mode 100644 index 00000000000..16fce6b7389 --- /dev/null +++ b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/ca.crt @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSTCCAjGgAwIBAgIUWcS0sZGBePVMAYWycyuWzSZYWQswDQYJKoZIhvcNAQEL +BQAwNDEyMDAGA1UEAxMpRWxhc3RpYyBDZXJ0aWZpY2F0ZSBUb29sIEF1dG9nZW5l +cmF0ZWQgQ0EwHhcNMTkwODA3MDUxMDUzWhcNMjIwODA2MDUxMDUzWjA0MTIwMAYD +VQQDEylFbGFzdGljIENlcnRpZmljYXRlIFRvb2wgQXV0b2dlbmVyYXRlZCBDQTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqIbuH52X93CF8M7hiCvNVf +HO9qC/I+UBzYVXt03dU9tFTxilgLRNFwC+3O7uxu8P5OH7qUdIiwdLjQ6+5cfA+R +eL9YbSOQBydmk0bH+MK5lJkrdyHZEWSHbI2Urr87aMUmHTGbQoNzzk61XifS4vlS +GcqsoWteV56IbWNyYTu8EC2i7c2ZJS759aTK02dlxpdymfoTC+O1uWIGUBki5Cqe +rKd9dzEVRWLEb6NfhCMUeUQ09TjGVzHjk4RAY+CcNiy3RufDIQ4pUEdiky/vPl/f +Y/oDsFVW2KUVjzKM4dzDuQOe4KxuqQGojfHtPPJFHoYLXQ7TdewF025ns9T7tCUC +AwEAAaNTMFEwHQYDVR0OBBYEFNPZ3LZtYf4LxJ+jDzGts1cJ8kF7MB8GA1UdIwQY +MBaAFNPZ3LZtYf4LxJ+jDzGts1cJ8kF7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI +hvcNAQELBQADggEBAFYUrH+epWXc+7dKwerPrPiqjMOEVB6GhrHb6SJQ5qxeeX+Q +P4rRrylk9XEVk3cgH+5SFygYkmXk8heJ2X0vB1cDdgLz47iXI4lrz1n8TOF+lOlM +e9QsoRNp2iCJ/fYXknr38n+z0QsJLLhz5B0dgpd8ASbGir7cG9+DF3R8DmbcTpR7 +tHJA9XTDsJmzFv9reqieP5Kieg1tioaho/qA0XIxzpOIqDKcWOZLtJE5PuMaUSF8 +RwJRVRF5wBZwFpcQwy0E1/rPsWzehtDZ3S5AyME4vsow1M8e5c+YyHpsZcDSdUtB +t0t0BVNDONjm3WlJ1QYryQJOYp8/ZbdVzwpGdVg= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt new file mode 100644 index 00000000000..2ab60c6ed48 --- /dev/null +++ b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOjCCAiKgAwIBAgIVAJJCL6+YymqqtgFngOxqkOOiAtx4MA0GCSqGSIb3DQEB +CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu +ZXJhdGVkIENBMB4XDTE5MDgwNzA1MTA1NFoXDTIyMDgwNjA1MTA1NFowFDESMBAG +A1UEAxMJdGVzdC1zbXRwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +kawwFDDphZ484SI62BlIfCI/O8w9KRcSvE8ECELkBRxGjeA6ozF7ctw4rp30L7fU +/RDxbX6o3X4uAMCIwixrvn6rbebggl2WrK3ilIF6Cwotny6dg/qbu30WmDJc7sPp +32t+jGlHyx4I3anSu4C7IJaE1fjZlExxgfsgoV/CtsCmIdPM3qABUHPds3iVd8Q/ ++HESn7/ZWjU2AOsL2V5EbM4AHG5ar6d2zyGMxwmASUpjotjC06FI3PeDGrV/rFlX +K1f8ALrnO9oDQQzwxrWrru8CxVNW5BmJp2aAr/0pp5S05+dozHLYhsWNrb70bFfA +dXsnXRLO8H/CakvhhrM8JQIDAQABo2MwYTAdBgNVHQ4EFgQUsS6DitT6Q+dcIjDj +aQGATdwKVmYwHwYDVR0jBBgwFoAU09nctm1h/gvEn6MPMa2zVwnyQXswFAYDVR0R +BA0wC4IJbG9jYWxob3N0MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAByS +BEiNYEWPM99ALWhQy2NkbDKev9Wgv1GEdgh040UkZ9zMf/RpV+C/Lp9QlagHH+lc +LNEeWGOFSTexWv+QbPcoCVVMH4H+JpRWqcwH/zG21lx2eEMPJwrZKC8YElDw+D/7 +qJgCSRKm3H/CfQqdPKtKU0vZjtKXHBt8PDOGMO0475rm95sZv6rrOqlY9LpJ7Cm8 +6o08gnSZpka1ND0HcB13I9L/rsqMsk3clO7r2d10VCCG2A254ElUSjBCFKbWIfh/ +ws/R0OTCd9UnHmlCWjjxoJ8D/1PNefst17WhGCFQLwB1wWRTDyIyZqAVzVyA94sX +tdYxxBNthPY7Z1aEr5o= +-----END CERTIFICATE----- diff --git a/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem new file mode 100644 index 00000000000..83bc82a5c10 --- /dev/null +++ b/x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,AD2AC08225DD9EA7A429BB867D62D2D1 + +Hv/myqMGjejCI3OFUSwyykeAvVMccqe/pntxjVjx9S5tqSr+gnfvKiUsDGPnoDeR +qP9dGKMA94oAgfRFTdk1nYOASB2C+fakMRtstK/N8K3sOsTPsh4oo+0RAM+ErN6Z +MFFkY+K9hxrhEeuD19M0ro8/U+KoKcaaSVuLZHfcJiBKBklOHAhPAKzTsS9u1LuJ +YyMPV6MtYxCfgZi+xdxedAPV0hp4eKZBA38fN6aZGR42Tr2e4aOgnFKGAA9lgyGg +TfZeqaLcxpGTkL4vPSptVdDlU3a4kHcskeJ7/FasYdXOfVU09Awcg3kBEnGHpkmO +6PifuRgsJyfvdUgJPw1Kjgh2a2s0spmWfSrwIAbWTrtBHfg7Pcok7EqeJ8KNH4R1 +UBckUbtCfbsE6E+AnTDbQEiZZOcrn8QYPlyztQGUoZUOikBbEdUzfiHdM9FHKjfi +BD7M+NCwaBmAwdyyN1w9qcbRk6VZm35V4hxCHLKWdi3qeLapOES1RL8OZxsiHzyU +nExL6Lgk1A1Mheb7adNjY153ckhiQvzjGfm9yIoCvm43VSWcI5FIJG90Zy8hl4n0 +UuWlJE6LsG3yJUT8wpAlVuqKF6PXeMWOYpWhtpVdUcIXIahHL8wlsTZ4GeXqXqAb +crgjrG1nwIx8y5QGkXPCKIeM7gPWdz6nJdcg+7tqLTC7bS5h9Zsae8f3k4be/lSg +YcALp5kWWcXAM3rglftN+oo6tgPRtoM8XzRf8h+/f/geN69LMD9Ej/u51JbO0Ca6 +6A19jdODnYo7F/YhxeBQ0znill6uGsNp950qvYo/GX1K4/2GsjlKueKFXDaSk+Ov +YkwrYQrNQsFVqwIWp8HgJ5l8pBw+ZpG4Xd/nzZ+5d5C1Z1VUgweDtgrYiGe2MMDK +0/7QgUkmyIOOHsC2vBwOJ28NnGSENol3FJaK+DXDp/kahADlxTztuJNeh2LhTa8t +yRZq9xJsW/jU7wqOlozk8w74F1V4nZCgBfW8i5Jj7OHWPa2HPgIKgogr7VhyOcZx +/xhSLtVK+8QZNHa08D1Opj8HVhtdoV5jaUEX0T2fVKlaFGWsmMHpo7EDHyq0czVH +MkgvuuqRqhN9zu6HmnXSOlXh/ddjkcfz5AKSxX8cKAyto50xpWQwFalb2YGbRY0n +e4khQrSZ2f72qlINXy24uyNsSyX1VADKdlW7lhxgQrLXUujD7biHuhO/XFi3o/9F +E7TPslr7ykLHJ93qofqsigtygClw2svNT560Qnkq82oS7Sf5upVYLPSCeRzZSmwY +d9x1XXHgO+6OqUc7HSE+OHexccEEuqrx+LBFfAVePb2w9AjvK2yq+fmMMBC+cnLx +xAMEntQxQIWzeBqITG1rr/qq1HB7xYQdFl06wOJxiY+jOFHv3Fpd7rghgXfr15ih +7d0S0B/UBi/IDQ1kkTSxr9HxAmXo4EVjpEOohcFV0bt1ypx6YfD4TNxEqF8Z4lh6 +4mJH2LCOJXjiZ4cnjvgzN/g5SMCKw3mrCjB3p+92HNUgy5Am3AXuZBNYeaAmVgeX +L7Lly3CtNJ8jSNNgM92St5GTHA7Gk4Nz/uNAUYxVjDGNpwVieAAbpNRj6TSBCwtL +-----END RSA PRIVATE KEY-----