From 3b9a884f92960f81dbf2aa47631c430908ed8910 Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Mon, 18 Mar 2019 08:45:50 +0200
Subject: [PATCH] Throw an exception when unable to read Certificate (#40092)

With SUN security provider, a CertificateException is thrown when attempting to parse a Certificate from a PEM file on disk with `sun.security.provider.X509Provider#parseX509orPKCS7Cert` When using the BouncyCastle Security provider (as we do in fips tests) the parsing happens in CertificateFactory#engineGenerateCertificates which doesn't throw an exception but returns an empty list. In order to have a consistent behavior, this change makes it so that we throw a CertificateException when attempting to read a PEM file from disk and failing to do so in either Security Provider

Resolves: #39580
---
 .../org/elasticsearch/xpack/core/ssl/CertParsingUtils.java | 3 +++
 .../xpack/core/ssl/SSLConfigurationReloaderTests.java | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java
index 11843a40020a2..0a902aba22cb6 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java
@@ -92,6 +92,9 @@ public static Certificate[] readCertificates(List certPaths) throws Certif
         for (Path path : certPaths) {
             try (InputStream input = Files.newInputStream(path)) {
                 certificates.addAll((Collection) certFactory.generateCertificates(input));
+                if (certificates.isEmpty()) {
+                    throw new CertificateException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
+                }
             }
         }
         return certificates.toArray(new Certificate[0]);
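Review bot: The new `if (certificates.isEmpty())` guard tests the accumulated list rather than what this iteration parsed, so once the first path in `certPaths` has yielded a certificate, a later PEM file that parses to nothing is silently accepted and the BC-FIPS inconsistency the commit describes persists for every file after the first. Capturing the per-file result before adding it closes that gap: `Collection<? extends Certificate> parsed = certFactory.generateCertificates(input);`, `if (parsed.isEmpty()) { throw new CertificateException("failed to parse any certificates from [" + path.toAbsolutePath() + "]"); }`, `certificates.addAll(parsed);`. That shape also drops the raw `(Collection)` cast on the addAll line. The enclosing readCertificates method, where certFactory and certificates are declared, begins above the hunk.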
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
index 0f38cca9b91b5..83b1d80f563a5 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java
@@ -462,7 +462,6 @@ void reloadSSLContext(SSLConfiguration configuration) {
      * truncating the certificate file that is being monitored
      */
     public void testPEMTrustReloadException() throws Exception {
-        assumeFalse("Broken on BC-FIPS -- https://github.com/elastic/elasticsearch/issues/39580", inFipsJvm());
         Path tempDir = createTempDir();
         Path clientCertPath = tempDir.resolve("testclient.crt");
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);