Lazily load ES|QL md5 function

In Java 14 the `MessageDigest` specification was changed so that the
"MD5" hash function is no longer required. It is permissible for a JRE
to ship without support for MD5 hashes.

This commit modifies the ES|QL MD5 hash function implementation so
that the `MessageDigest` object is no longer loaded on startup, and
instead is lazily instantiated when needed.

If an ES|QL query makes use of md5, and it is unavailable, then the
query will fail with an ES|QL verification exception

Resolves: #129689

Author: tvernum

x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/expression/function/scalar/string/Md5.java

@@ -9,6 +9,7 @@
 
 import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
 import org.elasticsearch.common.io.stream.StreamInput;
+import org.elasticsearch.xpack.esql.VerificationException;
 import org.elasticsearch.xpack.esql.core.expression.Expression;
 import org.elasticsearch.xpack.esql.core.tree.NodeInfo;
 import org.elasticsearch.xpack.esql.core.tree.Source;
@@ -18,13 +19,16 @@
 import org.elasticsearch.xpack.esql.expression.function.scalar.string.Hash.HashFunction;
 
 import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
 
 public class Md5 extends AbstractHashFunction {
 
     public static final NamedWriteableRegistry.Entry ENTRY = new NamedWriteableRegistry.Entry(Expression.class, "MD5", Md5::new);
 
-    private static final HashFunction MD5 = HashFunction.create("MD5");
+    private final AtomicReference<HashFunction> MD5 = new AtomicReference<>();
 
     @FunctionInfo(
         returnType = "keyword",
@@ -39,9 +43,23 @@ private Md5(StreamInput in) throws IOException {
         super(in);
     }
 
+    /**
+     * As of Java 14, it is permissible for a JRE to ship without the {@code MD5} {@link MessageDigest}.
+     * We want the "md5" function in ES|QL to fail at runtime on such platforms (rather than at startup)
+     * so we build the {@link HashFunction} lazily.
+     */
     @Override
     protected HashFunction getHashFunction() {
-        return MD5;
+        HashFunction function = MD5.get();
+        if (function == null) {
+            try {
+                function = new HashFunction("MD5", MessageDigest.getInstance("MD5"));
+                MD5.compareAndSet(null, function);
+            } catch (NoSuchAlgorithmException e) {
+                throw new VerificationException("function 'md5' is not available on this platform: {}", e.getMessage());
+            }
+        }
+        return function;
     }
 
     @Override

x-pack/plugin/esql/src/test/java/org/elasticsearch/xpack/esql/expression/function/scalar/string/Md5UnavailableTests.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.esql.expression.function.scalar.string;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.esql.VerificationException;
+import org.elasticsearch.xpack.esql.core.expression.Literal;
+import org.elasticsearch.xpack.esql.core.tree.Source;
+
+import java.security.Provider;
+import java.security.Security;
+
+import static org.hamcrest.Matchers.notNullValue;
+
+public class Md5UnavailableTests extends ESTestCase {
+
+    public void testMd5Unavailable() {
+        assumeFalse("We run with different security providers in FIPS, and changing them at runtime is more complicated", inFipsJvm());
+        final Provider sunProvider = Security.getProvider("SUN");
+        final Md5 md5;
+        try {
+            Security.removeProvider("SUN");
+            md5 = new Md5(Source.EMPTY, Literal.NULL);
+            expectThrows(VerificationException.class, md5::getHashFunction);
+        } finally {
+            Security.addProvider(sunProvider);
+        }
+
+        assertThat(md5.getHashFunction(), notNullValue());
+    }
+
+}