Fix certutil http for empty password with JDK 11 and lower

[ywangd]

This PR fix elasticseaerch-certutil http command so that it correctly accepts empty keystore password for JDK version 11 and lower.

Resovles: #55386

[elasticmachine]

Pinging @elastic/es-security (:Security/Security)

[ywangd]

Commands other than http do not have issue with empty password because of the withPassword(...) wrapper. These empty strings are just added here for completeness.

elasticsearch/x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

Lines 928 to 940 in c5b923a

	private static <T, E extends Exception> T withPassword(String description, char[] password, Terminal terminal,
	CheckedFunction<char[], T, E> body) throws E {
	if (password == null) {
	char[] promptedValue = terminal.readSecret("Enter password for " + description + " : ");
	try {
	return body.apply(promptedValue);
	} finally {
	Arrays.fill(promptedValue, (char) 0);
	}
	} else {
	return body.apply(password);
	}
	}

[ywangd]

This change is the fix. But is there any reason this was intentionally set to null for empty char array? I wonder whether the change would introduce any subtle side effect. @tvernum

[albertzaharovits]

Inspecting the uses of this returned CAInfo instance, I am pretty sure this change is not impactful.

However, looking at this other use of CAInfo, there seems to be a pattern where a null value is used to signal that a password prompt is further required. I believe the original code here intended for this same behavior.

[ywangd]

Btw, I checked all usages of PKCS12KeyStore#engineStore and this is the only place that could get a null password.

Tag #55386 here so the issue is correctly referenced here (forgot to do when creating the PR and subsequent editing does not count).

[albertzaharovits]

LGTM

I would've opted for parametrized test methods, to explicitly cover the empty password test cases, instead of relying on randomization for that. So, for example, there would be private void testGenerateSingleCertificateSigningRequest(boolean withEmptyPassword), together with two public test calls.
But I think this is acceptable nonetheless.

[albertzaharovits]

Inspecting the uses of this returned CAInfo instance, I am pretty sure this change is not impactful.

However, looking at this other use of CAInfo, there seems to be a pattern where a null value is used to signal that a password prompt is further required. I believe the original code here intended for this same behavior.

[albertzaharovits]

My preference would have been a simple if in the code.

[ywangd]

Sure I removed it and replaced with if check in the call sites.

[albertzaharovits]

I would've not included the empty password in the list of shouldNotContain, but it's just a personal preference.

[ywangd]

Makes sense. The list is not filtered before passed in.

[albertzaharovits]

I would also suggest changing the title from Support empty p12 keystore password for JDK 11 and lower to Fix certutil http empty password for JDK 11 and lower as well as the description to better reflect what this PR does not so much of how.

[ywangd]

Thanks @albertzaharovits I have made changes based on your comments. One thing I didn't change is having empty password has part of randomPassword() call instead of creating a separate method to test for empty password. The main reason is that both ca password and node password can be empty. So it is easier to test with randomness for better coverage.