Fix RestrictedTrustManagerTests on Zulu8 (#62436)

Since #61857 we test using BCJSSE (Bouncy Castle SSL) when running on Zulu8 because Azul have backported SSL changes from Java11 into their Java8 JRE which prevents us from using Sun JSSE in FIPS mode. BCJSSE uses different exception messages than Sun JSSE, so we needed to update RestrictedTrustManagerTests.testThatDelegateTrustManagerIsRespected to reflect the fact that sometimes we might be receive BCJSSE error messages on a Java8 JVM Resolves: #62281
2020-09-17 20:00:42 +10:00 · 2020-09-17 20:00:42 +10:00 · fe3bf86620
parent abce04888f
commit fe3bf86620
1 changed files with 13 additions and 2 deletions
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
@ -5,13 +5,13 @@
 */
 package org.elasticsearch.xpack.core.ssl;

-import org.elasticsearch.bootstrap.JavaVersion;
 import org.elasticsearch.test.ESTestCase;
 import org.hamcrest.Description;
 import org.hamcrest.TypeSafeMatcher;
 import org.junit.Assert;
 import org.junit.Before;

+import javax.net.ssl.SSLContext;
 import javax.net.ssl.X509ExtendedTrustManager;

 import java.io.IOException;
@ -21,6 +21,7 @@ import java.nio.file.Path;
 import java.nio.file.SimpleFileVisitor;
 import java.nio.file.attribute.BasicFileAttributes;
 import java.security.GeneralSecurityException;
+import java.security.Provider;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@ -135,13 +136,23 @@ public class RestrictedTrustManagerTests extends ESTestCase {
            if (cert.endsWith("/ca")) {
                assertTrusted(trustManager, cert);
            } else {
-                assertNotValid(trustManager, cert, inFipsJvm() && JavaVersion.current().compareTo(JavaVersion.parse("8")) > 0 ?
+                assertNotValid(trustManager, cert, isUsingBouncyCastleJSSE() ?
                    "unable to process certificates: Unable to find certificate chain.":
                    "PKIX path building failed.*");
            }
        }
    }

+    private boolean isUsingBouncyCastleJSSE() throws GeneralSecurityException {
+        if (inFipsJvm() == false) {
+            return false;
+        }
+        final SSLContext defaultSSL = SSLContext.getDefault();
+        final Provider provider = defaultSSL.getProvider();
+        logger.debug("Default SSL provider is [{}] ([{}])", provider.getName(), provider.getInfo());
+        return "BCJSSE".equals(provider.getName());
+    }
+
    private void assertSingleClusterIsTrusted(int trustedCluster, RestrictedTrustManager trustManager, List<String> trustedNames)
            throws Exception {
        for (int cluster = 1; cluster <= numberOfClusters; cluster++) {