Change EmailSslTest for FIPS 140 JVMs (#46278)

This commit changes the SSLContext for the email server we use in
the tests so that it loads its key material from an in memory
keystore (that is in turn built from a pair of PEM encoded private key
and certificate) instead of a PKCS#12 one. This is done so that when 
we run our tests in FIPS 140-2 JVMs, the keystore is of a type that the
Security Provider actually supports.

This also mutes testCanSendMessageToSmtpServerByDisablingVerification
as we can't run tests with verification set to `none` in FIPS 140
JVMs.

x-pack/plugin/watcher/src/test/java/org/elasticsearch/xpack/watcher/actions/email/EmailSslTests.java

@@ -12,6 +12,8 @@ import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.env.TestEnvironment;
 import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
+import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.watcher.execution.WatchExecutionContext;
 import org.elasticsearch.xpack.core.watcher.watch.Payload;
@@ -31,7 +33,8 @@ import javax.mail.internet.MimeMessage;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import java.io.IOException;
-import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.util.ArrayList;
@@ -50,18 +53,26 @@ public class EmailSslTests extends ESTestCase {
 
     @Before
     public void startSmtpServer() throws GeneralSecurityException, IOException {
-        final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        // Keystore and private key will share the same password
         final char[] keystorePassword = "test-smtp".toCharArray();
-        try (InputStream is = getDataInputStream("test-smtp.p12")) {
-            keyStore.load(is, keystorePassword);
-        }
+        final Path tempDir = createTempDir();
+        final Path certPath = tempDir.resolve("test-smtp.crt");
+        final Path keyPath = tempDir.resolve("test-smtp.pem");
+        Files.copy(getDataPath("/org/elasticsearch/xpack/watcher/actions/email/test-smtp.crt"), certPath);
+        Files.copy(getDataPath("/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem"), keyPath);
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keyStore.load(null, keystorePassword);
+        keyStore.setKeyEntry("test-smtp", PemUtils.readPrivateKey(keyPath, keystorePassword::clone), keystorePassword,
+            CertParsingUtils.readCertificates(Collections.singletonList(certPath)));
         final SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(keyStore, keystorePassword).build();
         server = EmailServer.localhost(logger, sslContext);
     }
 
     @After
     public void stopSmtpServer() {
-        server.stop();
+        if (null != server) {
+            server.stop();
+        }
     }
 
     public void testFailureSendingMessageToSmtpServerWithUntrustedCertificateAuthority() throws Exception {
@@ -96,6 +107,7 @@ public class EmailSslTests extends ESTestCase {
     }
 
     public void testCanSendMessageToSmtpServerByDisablingVerification() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM with verification mode None", inFipsJvm());
         List<MimeMessage> messages = new ArrayList<>();
         server.addListener(messages::add);
         try {

x-pack/plugin/watcher/src/test/resources/org/elasticsearch/xpack/watcher/actions/email/test-smtp.pem

@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,AD2AC08225DD9EA7A429BB867D62D2D1
+
+Hv/myqMGjejCI3OFUSwyykeAvVMccqe/pntxjVjx9S5tqSr+gnfvKiUsDGPnoDeR
+qP9dGKMA94oAgfRFTdk1nYOASB2C+fakMRtstK/N8K3sOsTPsh4oo+0RAM+ErN6Z
+MFFkY+K9hxrhEeuD19M0ro8/U+KoKcaaSVuLZHfcJiBKBklOHAhPAKzTsS9u1LuJ
+YyMPV6MtYxCfgZi+xdxedAPV0hp4eKZBA38fN6aZGR42Tr2e4aOgnFKGAA9lgyGg
+TfZeqaLcxpGTkL4vPSptVdDlU3a4kHcskeJ7/FasYdXOfVU09Awcg3kBEnGHpkmO
+6PifuRgsJyfvdUgJPw1Kjgh2a2s0spmWfSrwIAbWTrtBHfg7Pcok7EqeJ8KNH4R1
+UBckUbtCfbsE6E+AnTDbQEiZZOcrn8QYPlyztQGUoZUOikBbEdUzfiHdM9FHKjfi
+BD7M+NCwaBmAwdyyN1w9qcbRk6VZm35V4hxCHLKWdi3qeLapOES1RL8OZxsiHzyU
+nExL6Lgk1A1Mheb7adNjY153ckhiQvzjGfm9yIoCvm43VSWcI5FIJG90Zy8hl4n0
+UuWlJE6LsG3yJUT8wpAlVuqKF6PXeMWOYpWhtpVdUcIXIahHL8wlsTZ4GeXqXqAb
+crgjrG1nwIx8y5QGkXPCKIeM7gPWdz6nJdcg+7tqLTC7bS5h9Zsae8f3k4be/lSg
+YcALp5kWWcXAM3rglftN+oo6tgPRtoM8XzRf8h+/f/geN69LMD9Ej/u51JbO0Ca6
+6A19jdODnYo7F/YhxeBQ0znill6uGsNp950qvYo/GX1K4/2GsjlKueKFXDaSk+Ov
+YkwrYQrNQsFVqwIWp8HgJ5l8pBw+ZpG4Xd/nzZ+5d5C1Z1VUgweDtgrYiGe2MMDK
+0/7QgUkmyIOOHsC2vBwOJ28NnGSENol3FJaK+DXDp/kahADlxTztuJNeh2LhTa8t
+yRZq9xJsW/jU7wqOlozk8w74F1V4nZCgBfW8i5Jj7OHWPa2HPgIKgogr7VhyOcZx
+/xhSLtVK+8QZNHa08D1Opj8HVhtdoV5jaUEX0T2fVKlaFGWsmMHpo7EDHyq0czVH
+MkgvuuqRqhN9zu6HmnXSOlXh/ddjkcfz5AKSxX8cKAyto50xpWQwFalb2YGbRY0n
+e4khQrSZ2f72qlINXy24uyNsSyX1VADKdlW7lhxgQrLXUujD7biHuhO/XFi3o/9F
+E7TPslr7ykLHJ93qofqsigtygClw2svNT560Qnkq82oS7Sf5upVYLPSCeRzZSmwY
+d9x1XXHgO+6OqUc7HSE+OHexccEEuqrx+LBFfAVePb2w9AjvK2yq+fmMMBC+cnLx
+xAMEntQxQIWzeBqITG1rr/qq1HB7xYQdFl06wOJxiY+jOFHv3Fpd7rghgXfr15ih
+7d0S0B/UBi/IDQ1kkTSxr9HxAmXo4EVjpEOohcFV0bt1ypx6YfD4TNxEqF8Z4lh6
+4mJH2LCOJXjiZ4cnjvgzN/g5SMCKw3mrCjB3p+92HNUgy5Am3AXuZBNYeaAmVgeX
+L7Lly3CtNJ8jSNNgM92St5GTHA7Gk4Nz/uNAUYxVjDGNpwVieAAbpNRj6TSBCwtL
+-----END RSA PRIVATE KEY-----