Fix PemKeyConfigTests (#55577) (#55998)

We were creating PemKeyConfig objects using different private
keys but always using testnode.crt certificate that uses the
RSA public key. The PemKeyConfig was built but we would
then later fail to handle SSL connections during the TLS
handshake eitherway.
This became obvious in FIPS tests where the consistency
checks that FIPS 140 mandates kick in and failed early
becausethe private key was of different type than the
public key

Author: jkakavas

libs/ssl-config/src/test/java/org/elasticsearch/common/ssl/PemKeyConfigTests.java

@@ -70,6 +70,7 @@ public void testBuildKeyConfigFromPkcs8PemFilesWithoutPassword() throws Exceptio
     }
 
     public void testBuildKeyConfigFromPkcs8PemFilesWithPassword() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
         final Path cert = getDataPath("/certs/cert2/cert2.crt");
         final Path key = getDataPath("/certs/cert2/cert2-pkcs8.key");
         final PemKeyConfig keyConfig = new PemKeyConfig(cert, key, "c2-pass".toCharArray());

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/PEMKeyConfigTests.java

@@ -23,6 +23,7 @@ public class PEMKeyConfigTests extends ESTestCase {
     public static final SecureString TESTNODE_PASSWORD = new SecureString("testnode".toCharArray());
 
     public void testEncryptedPkcs8RsaKey() throws Exception {
+        assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm());
         verifyKeyConfig("testnode.crt", "key_pkcs8_encrypted.pem", TESTNODE_PASSWORD);
     }
 
@@ -31,11 +32,11 @@ public void testUnencryptedPkcs8RsaKey() throws Exception {
     }
 
     public void testUnencryptedPkcs8DsaKey() throws Exception {
-        verifyKeyConfig("testnode.crt", "dsa_key_pkcs8_plain.pem", NO_PASSWORD);
+        verifyKeyConfig("testnode_dsa.crt", "dsa_key_pkcs8_plain.pem", NO_PASSWORD);
     }
 
     public void testUnencryptedPkcs8EcKey() throws Exception {
-        verifyKeyConfig("testnode.crt", "ec_key_pkcs8_plain.pem", NO_PASSWORD);
+        verifyKeyConfig("testnode_ec.crt", "ec_key_pkcs8_plain.pem", NO_PASSWORD);
     }
 
     public void testEncryptedPkcs1RsaKey() throws Exception {

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/README.asciidoc

@@ -91,6 +91,10 @@ openssl pkcs12 -in dsa.p12 -nodes -nocerts | openssl pkcs8 -topk8 -nocrypt -outf
 ----
 [source,shell]
 ----
+openssl pkcs12 -in dsa.p12 -nodes -nokeys -cacerts -out testnode_dsa.crt
+----
+[source,shell]
+----
 keytool -importkeystore -srckeystore testnode.jks -destkeystore ec.p12 -deststoretype PKCS12 \
                 -srcalias testnode_ec -deststorepass testnode -destkeypass testnode
 ----
@@ -99,8 +103,10 @@ keytool -importkeystore -srckeystore testnode.jks -destkeystore ec.p12 -deststor
 openssl pkcs12 -in ec.p12 -nodes -nocerts | openssl pkcs8 -topk8 -nocrypt -outform pem \
                 -out ec_key_pkcs8_plain.pem
 ----
-
-
+[source,shell]
+----
+openssl pkcs12 -in ec.p12 -nodes -nokeys -cacerts -out testnode_ec.crt
+----
 
 Create `PKCS#8` encrypted key from the encrypted `PKCS#1` encoded `testnode.pem`
 [source,shell]

x-pack/plugin/core/src/test/resources/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode_dsa.crt

@@ -0,0 +1,27 @@
+Bag Attributes
+    friendlyName: testnode_dsa
+    localKeyID: 54 69 6D 65 20 31 35 38 37 35 35 38 39 34 34 36 39 38 
+subject=CN = Elasticsearch Test Node
+
+issuer=CN = Elasticsearch Test Node
+
+-----BEGIN CERTIFICATE-----
+MIIDODCCAvSgAwIBAgIEIjxzajANBglghkgBZQMEAwIFADAiMSAwHgYDVQQDExdF
+bGFzdGljc2VhcmNoIFRlc3QgTm9kZTAeFw0xODA1MTcwOTQzMThaFw00NTEwMDIw
+OTQzMThaMCIxIDAeBgNVBAMTF0VsYXN0aWNzZWFyY2ggVGVzdCBOb2RlMIIBtzCC
+ASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdSPO9EAMMeP4C2
+USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdrmVClpJ+f6AR7ECLC
+T7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXzrith1yrv8iIDGZ3R
+SAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+GghdabPd7LvKtcNrhXuXmU
+r7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6EwoFhO3zwkyjMim4TwW
+eotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhRkImog9/hWuWfBpKL
+Zl6Ae1UlZAFMO/7PSSoDgYQAAoGAd0xuuUUSAXsXaQ/dp9ThBTVzdVhGk6VAcWb4
+03uMXUyXKsnCIASTm6bVWKjNxO1EsP3Slyd5CwbqIRUBK5NjzdQP/hHGtEIbqtYK
+Y1VZI7T91Lk8/Dc/p9Vgh27bPR8Yq8wPKU3EIJzYi0Nw8AxZf10yK+5tQ6pPUa3d
+H6lXt5qjgbQwgbEwHQYDVR0OBBYEFEPyOMLAA8bEK6SwOZgXXIg3ABkPMIGPBgNV
+HREEgYcwgYSCCWxvY2FsaG9zdIIVbG9jYWxob3N0LmxvY2FsZG9tYWluggpsb2Nh
+bGhvc3Q0ghdsb2NhbGhvc3Q0LmxvY2FsZG9tYWluNIIKbG9jYWxob3N0NoIXbG9j
+YWxob3N0Ni5sb2NhbGRvbWFpbjaHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJ
+YIZIAWUDBAMCBQADLwAwLAIULbToaXth2hZiQZDt9w4reOr7w+kCFCLdy1T6UdFS
+e1Mec3NrqztRk0uY
+-----END CERTIFICATE-----