From 063a1f2d30d041f14e982f50bfdbdb6251123b9a Mon Sep 17 00:00:00 2001 From: Lyudmila Fokina <35386883+BigPandaToo@users.noreply.github.com> Date: Fri, 9 Jul 2021 00:53:20 +0200 Subject: [PATCH] Filter out CA PrivateKeyEntry when creating a KeyManager (#73807) In 8.0, with security on by default, we store the HTTP layer CA PrivateKeyEntry in the http.ssl keystore (along with the node certificate) so that it is available in our Enrollment API transport actions. When loading a keystore, the current behavior is that the X509ExtendedKeyManager will iterate through the PrivateKeyEntry objects and will return the first key/certificate that satisfies the requirements of the client and the server configuration, and lacks any additional logic/filters. We need the KeyManager to deterministically pick the node certificate/key in all cases as this is the intended entry to be used for TLS on the HTTP layer. This change introduces filtering when creating the in-memory keystore the KeyManager is loaded with, so that it will not include PrivateKeyEntry objects when: - there are more than 1 PrivateKeyEntry objects in the keystore - The leaf certificate associated with the PrivateKeyEntry is a CA certificate Related: #75097 Co-authored-by: Ioannis Kakavas --- client/rest-high-level/build.gradle | 5 +- .../qa/ssl-enabled/build.gradle | 45 ++++++++++ .../elasticsearch/client/EnrollmentIT.java | 82 ++++++++++++++++++ .../src/javaRestTest/resources}/httpCa.p12 | Bin .../src/javaRestTest/resources}/transport.p12 | Bin .../org/elasticsearch/client/SecurityIT.java | 28 ------ settings.gradle | 1 + .../xpack/core/XPackSettings.java | 1 + .../xpack/core/ssl/StoreKeyConfig.java | 17 ++++ .../xpack/core/ssl/StoreKeyConfigTests.java | 54 ++++++++++++ .../transport/ssl/certs/simple/ca.p12 | Bin 0 -> 2535 bytes .../transport/ssl/certs/simple/httpCa.p12 | Bin 0 -> 6803 bytes .../TransportKibanaEnrollmentAction.java | 2 +- .../TransportNodeEnrollmentAction.java | 28 +++--- .../enrollment/RestKibanaEnrollAction.java | 25 +++--- .../authc/saml/SamlMetadataCommandTests.java | 1 + .../security/authc/saml/SamlRealmTests.java | 3 + 17 files changed, 231 insertions(+), 61 deletions(-) create mode 100644 client/rest-high-level/qa/ssl-enabled/build.gradle create mode 100644 client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java rename client/rest-high-level/{ => qa/ssl-enabled/src/javaRestTest/resources}/httpCa.p12 (100%) rename client/rest-high-level/{ => qa/ssl-enabled/src/javaRestTest/resources}/transport.p12 (100%) create mode 100644 x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 create mode 100644 x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 diff --git a/client/rest-high-level/build.gradle b/client/rest-high-level/build.gradle index 2317bbd72496a..bc42dfa228a49 100644 --- a/client/rest-high-level/build.gradle +++ b/client/rest-high-level/build.gradle @@ -14,6 +14,7 @@ apply plugin: 'elasticsearch.rest-test' apply plugin: 'elasticsearch.publish' apply plugin: 'com.github.johnrengelman.shadow' apply plugin: 'elasticsearch.rest-resources' +apply plugin: 'elasticsearch.internal-test-artifact' group = 'org.elasticsearch.client' archivesBaseName = 'elasticsearch-rest-high-level-client' @@ -67,8 +68,6 @@ tasks.named('forbiddenApisMain').configure { File nodeCert = file("./testnode.crt") File nodeTrustStore = file("./testnode.jks") File pkiTrustCert = file("./src/test/resources/org/elasticsearch/client/security/delegate_pki/testRootCA.crt") -File httpCaKeystore = file("./httpCa.p12"); -File transportKeystore = file("./transport.p12"); tasks.named("integTest").configure { systemProperty 'tests.rest.async', 'false' @@ -118,8 +117,6 @@ testClusters.all { extraConfigFile nodeCert.name, nodeCert extraConfigFile nodeTrustStore.name, nodeTrustStore extraConfigFile pkiTrustCert.name, pkiTrustCert - extraConfigFile httpCaKeystore.name, httpCaKeystore - extraConfigFile transportKeystore.name, transportKeystore setting 'xpack.searchable.snapshot.shared_cache.size', '1mb' setting 'xpack.searchable.snapshot.shared_cache.region_size', '16kb' diff --git a/client/rest-high-level/qa/ssl-enabled/build.gradle b/client/rest-high-level/qa/ssl-enabled/build.gradle new file mode 100644 index 0000000000000..7149402b5053c --- /dev/null +++ b/client/rest-high-level/qa/ssl-enabled/build.gradle @@ -0,0 +1,45 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +import org.elasticsearch.gradle.internal.test.RestIntegTestTask +import org.elasticsearch.gradle.internal.info.BuildParams + +apply plugin: 'elasticsearch.java-rest-test' +dependencies { + javaRestTestImplementation(testArtifact(project(':client:rest-high-level'))) +} + +tasks.matching{ it.name == "javaRestTest" }.configureEach { + onlyIf { BuildParams.inFipsJvm == false} + systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user') + systemProperty 'tests.rest.cluster.password', System.getProperty('tests.rest.cluster.password', 'test-user-password') +} + +testClusters.matching { it.name == 'javaRestTest' }.configureEach { + testDistribution = 'DEFAULT' + numberOfNodes = 2 + setting 'xpack.license.self_generated.type', 'trial' + setting 'xpack.security.enabled', 'true' + setting 'xpack.security.authc.token.enabled', 'true' + setting 'xpack.security.authc.api_key.enabled', 'true' + + extraConfigFile 'httpCa.p12', file('./src/javaRestTest/resources/httpCa.p12') + extraConfigFile 'transport.p12', file('./src/javaRestTest/resources/transport.p12') + + // TBD: sync these settings (which options are set) with the ones we will be generating in #74868 + setting 'xpack.security.http.ssl.enabled', 'true' + setting 'xpack.security.transport.ssl.enabled', 'true' + setting 'xpack.security.http.ssl.keystore.path', 'httpCa.p12' + setting 'xpack.security.transport.ssl.keystore.path', 'transport.p12' + setting 'xpack.security.transport.ssl.verification_mode', 'certificate' + + + keystore 'xpack.security.http.ssl.keystore.secure_password', 'password' + keystore 'xpack.security.transport.ssl.keystore.secure_password', 'password' + user username: 'admin_user', password: 'admin-password', role: 'superuser' +} diff --git a/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java new file mode 100644 index 0000000000000..d3942670920a2 --- /dev/null +++ b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/java/org/elasticsearch/client/EnrollmentIT.java @@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0 and the Server Side Public License, v 1; you may not use this file except + * in compliance with, at your election, the Elastic License 2.0 or the Server + * Side Public License, v 1. + */ + +package org.elasticsearch.client; + +import org.elasticsearch.client.security.KibanaEnrollmentResponse; +import org.elasticsearch.client.security.NodeEnrollmentResponse; +import org.elasticsearch.common.settings.SecureString; +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.util.concurrent.ThreadContext; +import org.elasticsearch.core.PathUtils; +import org.junit.AfterClass; +import org.junit.BeforeClass; + +import java.io.FileNotFoundException; +import java.net.URL; +import java.nio.file.Path; +import java.util.List; + +import static org.hamcrest.Matchers.endsWith; +import static org.hamcrest.Matchers.equalTo; +import static org.hamcrest.Matchers.notNullValue; + +public class EnrollmentIT extends ESRestHighLevelClientTestCase { + private static Path httpTrustStore; + + @BeforeClass + public static void findTrustStore() throws Exception { + final URL resource = EnrollmentIT.class.getResource("/httpCa.p12"); + if (resource == null) { + throw new FileNotFoundException("Cannot find classpath resource /httpCa.p12"); + } + httpTrustStore = PathUtils.get(resource.toURI()); + } + + @AfterClass + public static void cleanupStatics() { + httpTrustStore = null; + } + + @Override + protected String getProtocol() { + return "https"; + } + + @Override + protected Settings restClientSettings() { + String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); + return Settings.builder() + .put(ThreadContext.PREFIX + ".Authorization", token) + .put(TRUSTSTORE_PATH, httpTrustStore) + .put(TRUSTSTORE_PASSWORD, "password") + .build(); + } + + public void testEnrollNode() throws Exception { + final NodeEnrollmentResponse nodeEnrollmentResponse = + execute(highLevelClient().security()::enrollNode, highLevelClient().security()::enrollNodeAsync, RequestOptions.DEFAULT); + assertThat(nodeEnrollmentResponse, notNullValue()); + assertThat(nodeEnrollmentResponse.getHttpCaKey(), endsWith("K2S3vidA=")); + assertThat(nodeEnrollmentResponse.getHttpCaCert(), endsWith("LfkRjirc=")); + assertThat(nodeEnrollmentResponse.getTransportKey(), endsWith("1I-r8vOQ==")); + assertThat(nodeEnrollmentResponse.getTransportCert(), endsWith("OpTdtgJo=")); + List nodesAddresses = nodeEnrollmentResponse.getNodesAddresses(); + assertThat(nodesAddresses.size(), equalTo(2)); + } + + public void testEnrollKibana() throws Exception { + KibanaEnrollmentResponse kibanaResponse = + execute(highLevelClient().security()::enrollKibana, highLevelClient().security()::enrollKibanaAsync, RequestOptions.DEFAULT); + assertThat(kibanaResponse, notNullValue()); + assertThat(kibanaResponse.getHttpCa() + , endsWith("brcNC5xq6YE7C4_06nH7F6le4kE4Uo6c9fpkl4ehOxQxndNLn462tFF-8VBA8IftJ1PPWzqGxLsCTzM6p6w8sa-XhgNYglLfkRjirc=")); + assertNotNull(kibanaResponse.getPassword()); + assertThat(kibanaResponse.getPassword().toString().length(), equalTo(14)); + } +} diff --git a/client/rest-high-level/httpCa.p12 b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/httpCa.p12 similarity index 100% rename from client/rest-high-level/httpCa.p12 rename to client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/httpCa.p12 diff --git a/client/rest-high-level/transport.p12 b/client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/transport.p12 similarity index 100% rename from client/rest-high-level/transport.p12 rename to client/rest-high-level/qa/ssl-enabled/src/javaRestTest/resources/transport.p12 diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java index 38c2afa15090f..8cdb2fafe204b 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/SecurityIT.java @@ -21,7 +21,6 @@ import org.elasticsearch.client.security.GetRolesResponse; import org.elasticsearch.client.security.GetUsersRequest; import org.elasticsearch.client.security.GetUsersResponse; -import org.elasticsearch.client.security.NodeEnrollmentResponse; import org.elasticsearch.client.security.PutRoleRequest; import org.elasticsearch.client.security.PutRoleResponse; import org.elasticsearch.client.security.PutUserRequest; @@ -34,7 +33,6 @@ import org.elasticsearch.client.security.user.privileges.IndicesPrivileges; import org.elasticsearch.client.security.user.privileges.IndicesPrivilegesTests; import org.elasticsearch.client.security.user.privileges.Role; -import org.elasticsearch.client.security.KibanaEnrollmentResponse; import org.elasticsearch.core.CharArrays; import java.io.IOException; @@ -47,12 +45,10 @@ import java.util.Map; import static org.hamcrest.Matchers.empty; -import static org.hamcrest.Matchers.endsWith; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.containsString; import static org.hamcrest.Matchers.contains; -import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; public class SecurityIT extends ESRestHighLevelClientTestCase { @@ -196,30 +192,6 @@ public void testPutRole() throws Exception { assertThat(deleteRoleResponse.isFound(), is(true)); } - @AwaitsFix(bugUrl = "Determine behavior for keystore with multiple keys") - public void testEnrollNode() throws Exception { - final NodeEnrollmentResponse nodeEnrollmentResponse = - execute(highLevelClient().security()::enrollNode, highLevelClient().security()::enrollNodeAsync, RequestOptions.DEFAULT); - assertThat(nodeEnrollmentResponse, notNullValue()); - assertThat(nodeEnrollmentResponse.getHttpCaKey(), endsWith("ECAwGGoA==")); - assertThat(nodeEnrollmentResponse.getHttpCaCert(), endsWith("ECAwGGoA==")); - assertThat(nodeEnrollmentResponse.getTransportKey(), endsWith("fSI09on8AgMBhqA=")); - assertThat(nodeEnrollmentResponse.getTransportCert(), endsWith("fSI09on8AgMBhqA=")); - List nodesAddresses = nodeEnrollmentResponse.getNodesAddresses(); - assertThat(nodesAddresses.size(), equalTo(1)); - } - - @AwaitsFix(bugUrl = "Determine behavior for keystores with multiple keys") - public void testEnrollKibana() throws Exception { - KibanaEnrollmentResponse kibanaResponse = - execute(highLevelClient().security()::enrollKibana, highLevelClient().security()::enrollKibanaAsync, RequestOptions.DEFAULT); - assertThat(kibanaResponse, notNullValue()); - assertThat(kibanaResponse.getHttpCa() - , endsWith("OWFyeGNmcwovSDJReE1tSG1leXJRaWxYbXJPdk9PUDFTNGRrSTFXbFJLOFdaN3c9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K")); - assertNotNull(kibanaResponse.getPassword()); - assertThat(kibanaResponse.getPassword().toString().length(), equalTo(14)); - } - private void deleteUser(User user) throws IOException { final Request deleteUserRequest = new Request(HttpDelete.METHOD_NAME, "/_security/user/" + user.getUsername()); highLevelClient().getLowLevelClient().performRequest(deleteUserRequest); diff --git a/settings.gradle b/settings.gradle index e7edfd600f8bf..a625a7ea1052a 100644 --- a/settings.gradle +++ b/settings.gradle @@ -13,6 +13,7 @@ List projects = [ 'docs', 'client:rest', 'client:rest-high-level', + 'client:rest-high-level:qa:ssl-enabled', 'client:sniffer', 'client:transport', 'client:test', diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java index 222e1e09d6657..3652bbc6795aa 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java @@ -231,6 +231,7 @@ public static List> getAllSettings() { settings.add(API_KEY_SERVICE_ENABLED_SETTING); settings.add(USER_SETTING); settings.add(PASSWORD_HASHING_ALGORITHM); + settings.add(ENROLLMENT_ENABLED); return Collections.unmodifiableList(settings); } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java index 1c64e3e772796..4ef43f2fa515b 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfig.java @@ -77,6 +77,23 @@ X509ExtendedKeyManager createKeyManager(@Nullable Environment environment) { try { KeyStore ks = getStore(ksPath, keyStoreType, keyStorePassword); checkKeyStore(ks); + // TBD: filter out only http.ssl.keystore + List aliases = new ArrayList<>(); + for (String s : Collections.list(ks.aliases())) { + if (ks.isKeyEntry(s)) { + aliases.add(s); + } + } + if (aliases.size() > 1) { + for (String alias : aliases) { + Certificate certificate = ks.getCertificate(alias); + if (certificate instanceof X509Certificate) { + if (((X509Certificate) certificate).getBasicConstraints() != -1) { + ks.deleteEntry(alias); + } + } + } + } return CertParsingUtils.keyManager(ks, keyPassword.getChars(), keyStoreAlgorithm); } catch (FileNotFoundException | NoSuchFileException e) { throw missingKeyConfigFile(e, KEYSTORE_FILE, ksPath); diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java index 951988a9e2e61..ec98f2d410da9 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/StoreKeyConfigTests.java @@ -16,7 +16,15 @@ import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509ExtendedKeyManager; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.KeyStore; import java.security.PrivateKey; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; import static org.elasticsearch.test.TestMatchers.throwableWithMessage; import static org.hamcrest.Matchers.containsString; @@ -52,6 +60,52 @@ public void testKeyStorePathCanBeEmptyForPkcs11() throws Exception { assertThat(ee.getCause().getMessage(), containsString("PKCS11 not found")); } + public void testCreateKeyManagerFromPKCS12ContainingCA() throws Exception { + assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); + final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); + final Path path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12"); + final SecureString keyStorePassword = new SecureString("password".toCharArray()); + final StoreKeyConfig keyConfig = new StoreKeyConfig(path.toString(), "PKCS12", keyStorePassword, keyStorePassword, + KeyManagerFactory.getDefaultAlgorithm(), TrustManagerFactory.getDefaultAlgorithm()); + KeyStore keyStore = KeyStore.getInstance("PKCS12"); + try (InputStream in = Files.newInputStream(path)) { + keyStore.load(in, keyStorePassword.getChars()); + } + List aliases = new ArrayList<>(); + for (String s : Collections.list(keyStore.aliases())) { + if (keyStore.isKeyEntry(s)) { + aliases.add(s); + } + } + assertThat(aliases.size(), equalTo(2)); + final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(TestEnvironment.newEnvironment(settings)); + for (String alias : aliases) { + PrivateKey key = keyManager.getPrivateKey(alias); + assertTrue(key == null || alias.equals("http")); + } + final String[] new_aliases = keyManager.getServerAliases("RSA", null); + final X509Certificate[] certificates = keyManager.getCertificateChain("http"); + assertThat(new_aliases.length, equalTo(1)); + assertThat(certificates.length, equalTo(2)); + } + + public void testCreateKeyManagerFromPKCS12ContainingCAOnly() throws Exception { + assumeFalse("Can't run in a FIPS JVM", inFipsJvm()); + final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); + final String path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12").toString(); + final SecureString keyStorePassword = new SecureString("password".toCharArray()); + final StoreKeyConfig keyConfig = new StoreKeyConfig(path, "PKCS12", keyStorePassword, keyStorePassword, + KeyManagerFactory.getDefaultAlgorithm(), TrustManagerFactory.getDefaultAlgorithm()); + final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager(TestEnvironment.newEnvironment(settings)); + final PrivateKey ca_key = keyManager.getPrivateKey("ca"); + final String[] aliases = keyManager.getServerAliases("RSA", null); + final X509Certificate[] certificates = keyManager.getCertificateChain("ca"); + assertThat(ca_key, notNullValue()); + assertThat(aliases.length, equalTo(1)); + assertThat(aliases[0], equalTo("ca")); + assertThat(certificates.length, equalTo(1)); + } + private void tryReadPrivateKeyFromKeyStore(String type, String extension) { final Settings settings = Settings.builder().put("path.home", createTempDir()).build(); final String path = getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode" + extension).toString(); diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/ca.p12 new file mode 100644 index 0000000000000000000000000000000000000000..c7fc6a8d156c7b69706b22e666b91c5afc5d05f2 GIT binary patch literal 2535 zcmY+EXE+;*8pkCF5i}a3R!faqC9!FX^w_&ZsjUtb;xx8P6=`GC9wn02s69%|nr%=m zrDn|-t&~b_HI7oQd!KvHdCrITd7tO^|G)3Y9~=j!0RfC~9QYXsEE8iGbHD*$0p#Pr zNlZ9!{29i>am;T2h?uRIaLnds*!XPpL6HAlv9key`8cK{IF9K6E)8P)KR$ad$i!_v zWJ77+3-%S~Bi)tf%tYBSm5%@!8M-Z*a7?}O{Qgo!JZMgl*NrQH^-JeeHAB>Ptf~E_ zlCN1~baS7F)-#*^OrU=4vcQ3YIpzbU3>;b_*t>=D-NksP=ec3UxEx-0k`Nl?N+!~n7e7nYP&qE5P_19zg4kL!N%mBcS{HjB>{pM0$}ISqDO zKw!q)*+}48ptO#;*(*#u_r8XzT$o~&M0O2(_|B0ZA2G1Aa5ytp)l~p8bSpfgoENfg zMc1-unMs*5@@kADY%Qvp9+Cg#J32;f%>sO}5rf-Wp1EtlP5=1N(z$1PBM?6MY(Q`I z;T!FDTq)3|o|g&shdFOnu}Ji#blJ5(uE+XkcwW3M$L604_e(KFAMQtBiSCr|=}UJ) zE_Kb?G0JJdiQ`=z%QJ!=G{2e=v$sXGABr?#8aa_$}L^G!vdN*b1;dq7Z0Sst%d=v5VHEh0mP|4t$>`lN+&t zd*|A*F&3(B(!^F3{{TM{hL^|bkML)^NyVcC@%^+abKMZwlT@suhNSZE*A4YA-p|h;CXC-p2-D&>jXX@$I@-L2I==y$bz;*UifndyBjU3FsvfVslvZ zvekC+Kh|-c`y+dsQ-Y(US)Mg^i-nz>UriVtlL864rnpptDPdCH*DZYlQpI5aKCOBXeUP1-;jSuNBkdP%j{F`B z=;&qH-{u#P=kz6W ztHYU>b(q#&bChxGCZ%r+br<$1R9QLl{Z3cngQbCnhtmd;iKfkn>%z0^WKQ%Osb4*r zAwktEV=|`29t>ViwyC2Bqp}XLc9FCKk>lh@=kpfW1U&M}ZQMOgJ&~YB*^Q>}OL%^f zbM~^NJN#igxqJaRX;IY{?zAhxtWNY6t2xq&KPG0cCPGE!W8P9`Y$RU7v^r5^yII}l zXbZQr!@4qxwF@<>da-M!-^tZ7Cs^p4?~-GHY`AuDlWgmMxoSWjMR`q)ZiUan@ljwO z4nnNtSSlE)FeAq{2niEgjaze}5rc#wi&r+#TuPRle-g$?!&5uCJQK}?dBMTt8iYC= z_LnNb+z8M`CI)u~H@N8EkO#rdbRLEF^$|fscERGD5@gPq$%`Qi3N1#QI0bN z1_Bt)7Vz%`@DHP zDL*5DJ{L_AZ{#4I-*xpX3vr{pKMV@H%yEu^JF?P~STf4C3gf$@cC1T=DN;UU&q$9C zLr$_y40f=qtgqxUIjh=l%sP%IemZeZRvjEJ&oS2em9=f=I1E|6y}^|f@xm@B3xn@= zU?^3jU*~esdBaEY^wvp6mM!CvVF4p4Tql!^S7Z>q$2LuQ7*XMe-(62$ozR3CZtu}X!tSn-9FgafI`A+j*tcXl>eXBN{nK#t zH)3U!mFVywQ?w>p7L%BMZ&L^7!W$x{9U%hYPA-7|)G&E}JZ;o_^seE^uedH6pDG6n z$3kjlz78!`h}>_jn|O@?#ytf|EbIh!!cjc^bGy=dqub^I?u{-2M&49Ts;F-{uU=7g zg>1V*Mmx;*+uG*~ZhYC3m_Nkv7`3+vD~3jF?4q{2Ry0d3Z1Pq_A)U18dTpJ;srm{q z7WsxpQ&V{m#s-Z<+#vVf?gr!tU5}>IE=-P<_1jN{)`7D_)$I>QtPfHNW^7r$5>y@C z>YpbvWJ36yZrl-6EXfbTHS{`Krnmz7>{gY)CqT~W*s#nf*=YG*JzKe=b~E#xQU34& zos&V@1A4;UtbSm35EY1fai8BQJ;PM;S|=

-%Q@S&lyuxU!UhSC@-p9@na61%&z zwrr1$)}%i{XDQ_JLk=l$-E2)!TT(6Szq}Z^F#Q?UGq?a=*+W=L?$_iD!pQp7cERpN!>o4-pJ2IO^IK4qvhebV4nWiWg@DPBhy z_3QKWM_qBW)|i)*bmBUBv{>wb0S{^0fUWUIhk2X%N>ck|=CAP6^s}F%r*&b!3Y6N6 zO$e786(%HaHS?AY9LI``*760Mc!_1|4W#kMH5l$7_1=5X6~<#yIJ^s=8Rc<7mE>hw z63BT3kMz@QT7v957*>5$`C6kuFP8TdC4ppIWEx0Hg3}Tk$WCRK@Gca*qHW;>=$g9Y8HRy@mxu2}C jrv3DYiMz8lQ>rW%8eEjhNVCf-yPW6s@EVX25R?CJE(5BP literal 0 HcmV?d00001 diff --git a/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 b/x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/httpCa.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b588f1c55205c22ea65b01a8af80ba6ab9eb5370 GIT binary patch literal 6803 zcma);RZtv^l12v`+%3V~f(-8NFgU@TAPFAaVesJYFt`)k-6gn7aQ6VgW&hpUy|?yd zYpWl+>U`Dxc*4zgFaxZgwILk1KwwQN2Qp+RbQh z=u%&5kl9cOq4074(O)rEHieEmZ=D3>hsZLs^JfPy-rdpjvU}aYp$7x+=!-I4a-Y3p znS3&s^X9{MiU-kHs>c9n3(Yq*v|SeYlvTGGajVzWgXgwC8mxQ%s^=XBdyiHOOf43} z%%6-quF;CIk4rk)t=7*Fsc}#`bnTI&evLS>9%`s1l8@WZnrY>txZ_~XyBU9EvFpm6<4l&B;ybF!0EP>%*XTb*NCa;M>r!|}=*0Ku zA-Vb>AQAD&>9Tq`Y@LdQYeV->pMQL+(BUthhH<8j{e6$3Z#-~@*TOvq3{6%tBy8tC zG|e|P3q`YFSC;alrzApPD_>}PQuX6KO1x^6RO`e+c|5^A=y{w?qS)gioDZVIy{nnXH50|l`=p> zqE+i62!F=3(!u+r^6B>ZHWbBD70#HITZ0U0)nf;WdlMTau+|@SU#F~-=GG}@-za^D zIQ%)qeOh2@#F{Z7RIg`y9?vXmNi$P~5RRRdX8w)^M2Xcp(+BtQ4>}1%|AsZc^?m>sjU^5mQ6;*G zrR}Y;S~D@Z?!~p{C|9cYi$0? z4^JFA%xt4xO-HD++VSY$Id+|5Y^-varF$mwF_N1rbvLz#7{dQ}0@rJ;$eIDsx6F}R zH@4iUC8KBr`aO*lkOwD4hA%4i(T~KZyGf{#wjNcX0&#T>;7AS(9sodCI*wBd{_@lduYGi+=| zXEMs>-RlXK+sOA4gk4)SMh=HZAq&x`o!nK?{*>~-%N~c8t<@0=_Yo~Bnw7Y8ib~_Z zvG38|>3E?;)E_k`&vEB0opAmhnfwLbrG5Qf7wOz8N5$G>OziQF*lJo!fsqPmKLS%) ztwSc@d??lF{$La-MztJ>Pa(sL@P7b7X$hSV83V1@Ccx&d4Qagb$1+@F;41 z5mlLzplFtSzE;+9!z4nCWp^De!BO)?zkrWO579UmOyD|}lJ(NFdb1{iroSOuWS#HG zxB;K##!coH?+Xq~H%}}lzAn3CHOBe+Z6mAta27gqEN&(MEA^f-pcJV5(e zP7mlH|J_LU+V{qQ4dZFZbsC%aFk=46k`uSNSj^4uN*#aS;llw)4-tIjmt09iec8LZ zyan_8ZO?FeK&7$tItxNCf9isV_rTUf^JB0bV+CrRaJkInykfB$vCS?7BK(&sk@473 z$dCZm0GEHp5k&d#0G}NX9!K-5odpFu4?8~(FAoO?HxD1rKQ;ybKW*wrw-#^8-ksS3 z{asDT7uKkE%2@I*o7z0`{t_E-G6ptOtZVuOw&?Xu`&9^biqf7W*6NU1t{?P9CtFNT zOqu-l&(kKZfMoh^pn7&b$Ja-vnT!|N&lB( z*aIWzc(EG$DRJ=ekdxVUOkv1^E9YU#^X>kbfuH|h-FWjvAg_shVIKp% zm78QmO_~ufA8J{b^z_PVxQ5FOMtyg(f)uM`nWNtVZBzKbP9fO^67!6QK*@%z9+rbp z#;+aSIp+*aG)&=PWp&S3E~x&A$9A z^*1s~=x^<{b6L@#1RGWl@2hzO;N6>LRlXx)>}VA&d^7rstYZ`ti5ts$QkiEa+f!Q) znq7;~3s>s24x&zqta)c!EbpWdj+|^&RF%j+M!7Fc_lrBiSF5VAy7tGWGU38R+2{KGl;K7;?u-9|>vm znuUA*mT;feK9!F+)Wvt_NXdtIFE5-)e+HSI{ZUA~$IGE?JyADP+_ka%SD8%0rv=yw z)A*nPGUN4L7?{d=YG&rD;tM=slKsf)LbUR=Oa`ag?iw;~LW&-)$vY1vUnRr5yKk#2 zjCqb@Z-QiEI9f?TG<9hgX1%G30lM;oXpc!Idw*37>dneT99blF3zP4zdFMO>y-Ixa zc`Os!Sxm8G3Pp!xy4a!>2EqJKGa$PV6GnJ0wV!o=tQXntW!^zwgZ))fDjAaxw9=pC zIQ?Npn*zAU!Wv*|Fq4y9=}QJ(0(iePW=?f@(G<^=4;HEG|3dE?7o+=*=3xE>w@|E$ zYm0bB^3`1PiF#)F2EVkS*q-!fU-P1s;usmdr21!Cq2YjDj?azrjd#!B^kc&+dz%{b zl{t}?@ID&WrEwZ%Q-Z>v!8hFvmK-&e_pJs? z8e>po@%x@9lf_E7iowghPmO!KHE(a1Vb4R;L3WPG>QACpNU`c{g91~F#dg!QXpwuC z`6GR1g3wPDre&3r{kt38B5L?8Mc%SH+oGk) z%Vj^pT>^{Wms5B5mEhlxh~o4*VK?4?QCoK75ZR^me%VO`HIRV@*&~l8 zi_HE8QYezk!QI-NEXT))`w3%6VjLHJsU_LHM698V497+1_X)|rem1I;bWl~pG9G{?)Q+&SIW%WY+c)*Q?PJoOZnyEPM+w$XL6n7Hd{BGU58oUX zrqGx+@Gk3*k{qov)j@iSmv(R8cemBT4$t}pKWn=R8jxcnA>P8qxT)I>y9nsxzom)C zjz)$8Fb9|dYycJj&;Qe>oID^9=%3<>>GH38L?9G`Y4Hy-g@pn9v-JL*!2GYa3jEKu z>O4tO-KoyJ3O-ZFaeK~{Xk%VE`7gf)KrktG(c~IaSPK>qM2>7=2FM8y6vg{O`2${M zpKo=EC$#i%0bmERYCtH{jU%k9B3JN0@ynvkHKv^C^KaM6P+X?_Z{jcWjl*{j+U)1v zTH<=gBT_&Uwv|s5XeEaF6OZNfuaCl77vrjEMWuzZvGU~($X;ct=IvdPI17xp>|eS+ z7e9MuXob@;E3jS(W9O(UdAFAt7J(p>QHVT5hJy^pDyYxu5lbm;Y)VgNVF~x6wnZst z-}nf*(DT|UXK;Vw479zEioa_%dRrIEJF~17}=P<1(RjNaR#|Jbd)aWRPE?%$99$`Lg zC(9ooAmpeM5igbG5XS~mW;*c9AY^w}>6SCDxf0djD0;ZvDdHe|-dh`Gmr6z;g@OtD zVRVy60@&vDbPpD5&PwU`s=2 zq?_dDBl0hPWYDq&5z{EKB;7xN{f|?(l_uotC9PFyAAZmI@aLIGH5Wr z3oT*w>Sd!^y)bir$ImroDGb@Vh{vq1aCE-TbmcHnvOH=#*#BzP*M+q7j6j;(OFx2f zUHUZcT_xy)kR1O7Nnh&Y2&T;q(JEjEjT@yir(pZHeJc5(e z>SQ5~@<-swczD*ssnzk`u=~VIA)J3eL9M4zq9;&yoLV?2#;y`j%6E&NuN@0^66<8C zi5MgBkO&BK$wgzw>b?zo;7tCb%lsObMO>3CFB{5WV=%MUM>V}0)>?`a!P)89kyI6i zvljn$qiq%`REW<|z+6Q*jU*eJ(r`?D<9yJSBz=TfnpVbKO9@BR@83ZpoxSu#Jb>Rn z7g#Axf4%Ku@{`jgLKGH1xS?8Y!<4iEnA)t#pzM-7_8sli!ea5(K9Wg~QU)>oMxn?G z`GC}1Ga2t zHsn@Dt;ap_WlzY2x=&omb4yd4uY#d~wovY%kL(@Cjok>&^lY1=yc{VSlWb@{TV!+3 zuf)pPY-X*mO?1r{-)gY;>b9=lSq)8G#l&14M206apw2kb$r<2K?a2G|OgBT_OqF~= z;=jGfUs1>T8RX%ksHCWFrez{~ET(x`evTwt?yJT>#RxQZmDZi{?r0&9B()Iw6&+S4 zBzw{=*N>!C0$^G&91Akv2PO(YTvy#@jZ!%+!~Pc02wdw)1qzA_$$>0Q1lmHO zCM4cOGNz0~`_75cdZ(m>JI4h6X zd#Kia4!e@XR3GDCW7;G6e^kuM|LsyyomCx@eXA_-qHP(jI#(p+lwHxDolfDA=4Eq^ z!dggnmKJkZ0Cx7KQ{g2g;X8)?!%r@-<}_;kwWc@Wt{=Y6c=s=_rnz*EWGaS?dmiP^ zG`HaVMQO_j8BAU>hKEic68_5i2fD@FPnbd4Ql?A@`49AP63JxzMFsTH?F z;Ym&0D?umabMJ$w+tg|}R&lmlY=iF5tbeEg!-70D)jE&aOv3iz$VkbXm;Uz}(q=8; z_S_b8f%An)LanSZt2+Rb8zq|uY+5ygO3hof70$Tamq77!=;l(IiA=$XPRZvZ{Q9Vh z`-0J{Fk9j1PJ+~dK0s;bFDH-TvWlskMe#Qj^~bCtofh;aBxAUWh%FNvJM~^FL?p`n z;_5>w&-kp{7;QuIU=dPBC}{Bdwx?nikRU-|1D+_&x=PVm;jCQZ^?yQjRr(S*Xp&O(rovI#dzIM|A_iPi2nrM3-wof@D@6);xAr*x9O zk{TGd-P8^9!<;{q-8OIRjFrXB2c4NqlQ!AuUb<=W(FiKJ4=k>+8UYkqM_BgR zl~{B1mImWH0Sis}4*Q9UOa*&6v@m;nzJQB2mv)lK#eX3%xaV?#2a zr=@1P1h^MwT;XP>lzCd2=5O5jw=&Z%;XiHpJa}xV+dzpcti_)Of>G{=-fHgAQHz=Y z4u5-9ubiIPN~9QnNhF4W0EJvsqkB94t~%dniE7QBkxjFS=26yKP9xNIx9@AKn==rl zFDw-E6b^i`Zj3U&ek*BA0rw`5j15FAMt@8?VV@GqP1DtQ(M6ZRq2_=tqkrs_aD;+k zegUi6fTjXI*97W!VP=070D^|r0vb8?OK4r}shM&6M2sr)iMY;?CW0=WbEYN?ehG$$taGYz- zq?-6_3xvLA9>5{%QDNC8G2-f2sxSk1zms^~`bE%u)>Ytlw)YamUvQ!GXH^ksR!4W-#MniQuT0~;2#^|5BB5HxNqSkRjO;o-9***tfbXy zD9#;Jfwm9Eb!gA`lK4vnx6G;j5S@oJdV-W$9`i2Qug5bNry_F5JuR=UL9RQ?6m} zSkvthc}ZMUk`OykenK_b1uwm|hun2~9^~@DkKsqZ0qDl+b43)txQ$C%WUs2?5B%b6 z+lTh-sxOD2NQOJDyOQfWpREzN1?822{7pH5rFQ9wD-uy5M#iMx8-q+@?y9?pk=Vb| zYO}a>ngWeZF>QG-Jnrg6l>-uU8vKkNp2AmvDsWEEMXZ7~FB9!b5?poxd#nlw8{dZZ z+}f+QSlbG zA}$8V12&)dax;%Uq#PEWbP(V89UG~LIEgF1)u&`feN|!`xyA2AB-&gU^MQ?z{0H#Ih`~3olWzZ1C3~kFb2QDg z{@p735+r2I8{~YwEjS-&NUF%h34aJC;{8tLLRN!GVYHb3;FN3saQkJ1bnZJYpFeL9 zV+Yd^lLsPdXHuv{f>!mEXIVQ{f92RHKVvm3e`?i=zTYE~x%cpf*8(8a|AE(x79dt*Yp$5R?ae@<1bR~|z6)_Uj S$)T_p<^Rq|goT3%h5iSgGvm_$ literal 0 HcmV?d00001 diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java index 652e411dd3eee..b882a7a80a5ec 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportKibanaEnrollmentAction.java @@ -101,7 +101,7 @@ public class TransportKibanaEnrollmentAction extends HandledTransportAction { logger.debug("Successfully set the password for user [kibana_system] during kibana enrollment"); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java index 8a4cecd960466..25bec9d15406b 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.java @@ -101,20 +101,22 @@ protected void doExecute(Task task, NodeEnrollmentRequest request, ActionListene for (NodeInfo nodeInfo : response.getNodes()) { nodeList.add(nodeInfo.getInfo(TransportInfo.class).getAddress().publishAddress().toString()); } + try { + final String httpCaKey = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v1().getEncoded()); + final String httpCaCert = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v2().getEncoded()); + final String transportKey = + Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v1().getEncoded()); + final String transportCert = + Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v2().getEncoded()); + listener.onResponse(new NodeEnrollmentResponse(httpCaKey, + httpCaCert, + transportKey, + transportCert, + nodeList)); + } catch (CertificateEncodingException e) { + listener.onFailure(new ElasticsearchException("Unable to enroll node", e)); + } }, listener::onFailure )); - try { - final String httpCaKey = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v1().getEncoded()); - final String httpCaCert = Base64.getUrlEncoder().encodeToString(httpCaKeysAndCertificates.get(0).v2().getEncoded()); - final String transportKey = Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v1().getEncoded()); - final String transportCert = Base64.getUrlEncoder().encodeToString(transportKeysAndCertificates.get(0).v2().getEncoded()); - listener.onResponse(new NodeEnrollmentResponse(httpCaKey, - httpCaCert, - transportKey, - transportCert, - nodeList)); - } catch (CertificateEncodingException e) { - listener.onFailure(new ElasticsearchException("Unable to enroll node", e)); - } } } diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java index 64de046e320a0..0d3facc7cf236 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/rest/action/enrollment/RestKibanaEnrollAction.java @@ -10,7 +10,6 @@ import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.xcontent.XContentBuilder; -import org.elasticsearch.common.xcontent.XContentParser; import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.rest.BytesRestResponse; import org.elasticsearch.rest.RestRequest; @@ -43,19 +42,15 @@ public RestKibanaEnrollAction(Settings settings, XPackLicenseState licenseState) return List.of(new Route(RestRequest.Method.GET, "/_security/enroll/kibana")); } - @Override protected RestChannelConsumer innerPrepareRequest( - RestRequest request, NodeClient client) throws IOException { - try (XContentParser parser = request.contentParser()) { - return restChannel -> client.execute( - KibanaEnrollmentAction.INSTANCE, new KibanaEnrollmentRequest(), - new RestBuilderListener<>(restChannel) { - @Override public RestResponse buildResponse( - KibanaEnrollmentResponse kibanaEnrollmentResponse, XContentBuilder builder) throws Exception { - kibanaEnrollmentResponse.toXContent(builder, channel.request()); - return new BytesRestResponse(RestStatus.OK, builder); - } - }); - } + @Override protected RestChannelConsumer innerPrepareRequest(RestRequest request, NodeClient client) throws IOException { + return restChannel -> client.execute(KibanaEnrollmentAction.INSTANCE, + new KibanaEnrollmentRequest(), + new RestBuilderListener(restChannel) { + @Override public RestResponse buildResponse( + KibanaEnrollmentResponse kibanaEnrollmentResponse, XContentBuilder builder) throws Exception { + kibanaEnrollmentResponse.toXContent(builder, channel.request()); + return new BytesRestResponse(RestStatus.OK, builder); + } + }); } - } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java index 9bbb207353c0d..b5797d22d7ff8 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlMetadataCommandTests.java @@ -569,6 +569,7 @@ public void testSigningMetadataWithPasswordProtectedPemInTerminal() throws Excep assertThat(validateSignature(descriptor.getSignature()), equalTo(true)); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testDefaultOptionsWithSigningAndMultipleEncryptionKeys() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final KeyStoreWrapper usedKeyStore = randomFrom(keyStore, passwordProtectedKeystore); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java index 3d0481c867906..4f39e44941a87 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java @@ -433,6 +433,7 @@ public void testCreateCredentialFromPemFiles() throws Exception { assertThat(credential.getPublicKey(), equalTo(encryptionCert.getPublicKey())); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateEncryptionCredentialFromKeyStore() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); @@ -482,6 +483,7 @@ public void testCreateEncryptionCredentialFromKeyStore() throws Exception { }); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateSigningCredentialFromKeyStoreSuccessScenarios() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir(); @@ -522,6 +524,7 @@ public void testCreateSigningCredentialFromKeyStoreSuccessScenarios() throws Exc assertThat(credential.getPublicKey(), equalTo(certKeyPair1.v1().getPublicKey())); } + @AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/75097") public void testCreateSigningCredentialFromKeyStoreFailureScenarios() throws Exception { assumeFalse("Can't run in a FIPS JVM, PKCS12 keystores are not usable", inFipsJvm()); final Path dir = createTempDir();