From f6921af885f0e5a16b801aa90117cd3fb7496419 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Thu, 26 Nov 2020 17:11:34 +0200 Subject: [PATCH] Revert "Gracefully handle exceptions from Security Providers (#65464) (#65554)" This reverts commit 12ba9e3e169d1ed2ae6e24dd62c1135b636459ec. This commit was mechanically backported to 7.10 while it shouldn't have been. --- .../org/elasticsearch/cli/KeyStoreAwareCommand.java | 4 ++-- .../common/settings/BaseKeyStoreCommand.java | 3 +-- .../common/settings/KeyStoreWrapper.java | 9 +-------- .../xpack/core/security/authc/support/Hasher.java | 12 ++---------- .../xpack/security/authc/file/tool/UsersTool.java | 4 ---- 5 files changed, 6 insertions(+), 26 deletions(-) diff --git a/server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java b/server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java index ab6043026db..201d45f54b0 100644 --- a/server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java +++ b/server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java @@ -70,11 +70,11 @@ public abstract class KeyStoreAwareCommand extends EnvironmentAwareCommand { * Decrypt the {@code keyStore}, prompting the user to enter the password in the {@link Terminal} if it is password protected */ protected static void decryptKeyStore(KeyStoreWrapper keyStore, Terminal terminal) - throws UserException, IOException { + throws UserException, GeneralSecurityException, IOException { try (SecureString keystorePassword = keyStore.hasPassword() ? readPassword(terminal, false) : new SecureString(new char[0])) { keyStore.decrypt(keystorePassword.getChars()); - } catch (SecurityException | GeneralSecurityException e) { + } catch (SecurityException e) { throw new UserException(ExitCodes.DATA_ERROR, e.getMessage()); } } diff --git a/server/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java b/server/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java index 98e37669ef7..493d455e42f 100644 --- a/server/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java +++ b/server/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java @@ -28,7 +28,6 @@ import org.elasticsearch.cli.UserException; import org.elasticsearch.env.Environment; import java.nio.file.Path; -import java.security.GeneralSecurityException; public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand { @@ -65,7 +64,7 @@ public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand { keyStore.decrypt(keyStorePassword.getChars()); } executeCommand(terminal, options, env); - } catch (SecurityException | GeneralSecurityException e) { + } catch (SecurityException e) { throw new UserException(ExitCodes.DATA_ERROR, e.getMessage()); } finally { if (keyStorePassword != null) { diff --git a/server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java b/server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java index d75456d4d9b..d3080df034c 100644 --- a/server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java +++ b/server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java @@ -310,14 +310,7 @@ public class KeyStoreWrapper implements SecureSettings { private Cipher createCipher(int opmode, char[] password, byte[] salt, byte[] iv) throws GeneralSecurityException { PBEKeySpec keySpec = new PBEKeySpec(password, salt, KDF_ITERS, CIPHER_KEY_BITS); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(KDF_ALGO); - SecretKey secretKey; - try { - secretKey = keyFactory.generateSecret(keySpec); - } catch (Error e) { - // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like - // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit. - throw new GeneralSecurityException("Error generating an encryption key from the provided password", e); - } + SecretKey secretKey = keyFactory.generateSecret(keySpec); SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), CIPHER_ALGO); GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, iv); diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java index 774df6410a0..1b5b65e60c2 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java @@ -513,11 +513,7 @@ public enum Hasher { result.put(Base64.getEncoder().encodeToString(secretKeyFactory.generateSecret(keySpec).getEncoded())); return result.array(); } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { - throw new ElasticsearchException("Error using PBKDF2 for password hashing", e); - } catch (Error e) { - // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like - // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit. - throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e); + throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e); } } @@ -543,11 +539,7 @@ public enum Hasher { final boolean result = CharArrays.constantTimeEquals(computedPwdHash, hashChars); return result; } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { - throw new ElasticsearchException("Error using PBKDF2 for password hashing", e); - } catch (Error e) { - // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like - // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit. - throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e); + throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e); } finally { if (null != hashChars) { Arrays.fill(hashChars, '\u0000'); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java index eaa4864a81b..df6a86fe126 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java @@ -7,7 +7,6 @@ package org.elasticsearch.xpack.security.authc.file.tool; import joptsimple.OptionSet; import joptsimple.OptionSpec; -import org.elasticsearch.ElasticsearchException; import org.elasticsearch.cli.EnvironmentAwareCommand; import org.elasticsearch.cli.ExitCodes; import org.elasticsearch.cli.LoggingAwareMultiCommand; @@ -447,10 +446,7 @@ public class UsersTool extends LoggingAwareMultiCommand { final char[] passwordHash; try (SecureString password = parsePassword(terminal, cliPasswordValue)) { passwordHash = hasher.hash(password); - } catch (ElasticsearchException e) { - throw new UserException(ExitCodes.DATA_ERROR, "Error storing the password for the new user", e); } - return passwordHash; }