Add tests for errors thrown by Security Providers (#67259)

We handled the exceptions thrown by Security Providers in the case of short encryption keys in #65464 and this commit adds a couple of tests to validate that the appropriate exceptions are thrown when encryption keys derived from short passwords are in use, in FIPS 140-2 mode.
2025-04-24 15:17:30 -04:00 · 2021-01-14 15:22:56 +02:00 · 2021-01-14 15:22:56 +02:00 · a37122d163
commit a37122d163
parent 1c56c4049a
2 changed files with 31 additions and 0 deletions
--- a/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/KeyStoreWrapperTests.java
+++ b/distribution/tools/keystore-cli/src/test/java/org/elasticsearch/common/settings/KeyStoreWrapperTests.java
@ -135,6 +135,28 @@ public class KeyStoreWrapperTests extends ESTestCase {
        }
    }

+    public void testDecryptKeyStoreWithShortPasswordInFips() throws Exception {
+        assumeTrue("This should run only in FIPS mode", inFipsJvm());
+        KeyStoreWrapper keystore = KeyStoreWrapper.create();
+        keystore.save(env.configFile(), "alongenoughpassword".toCharArray());
+        final KeyStoreWrapper loadedkeystore = KeyStoreWrapper.load(env.configFile());
+        final GeneralSecurityException exception = expectThrows(
+            GeneralSecurityException.class,
+            () -> loadedkeystore.decrypt("shortpwd".toCharArray()) // shorter than 14 characters
+        );
+        assertThat(exception.getMessage(), containsString("Error generating an encryption key from the provided password"));
+    }
+
+    public void testCreateKeyStoreWithShortPasswordInFips() throws Exception {
+        assumeTrue("This should run only in FIPS mode", inFipsJvm());
+        KeyStoreWrapper keystore = KeyStoreWrapper.create();
+        final GeneralSecurityException exception = expectThrows(
+            GeneralSecurityException.class,
+            () -> keystore.save(env.configFile(), "shortpwd".toCharArray()) // shorter than 14 characters
+        );
+        assertThat(exception.getMessage(), containsString("Error generating an encryption key from the provided password"));
+    }
+
    public void testCannotReadStringFromClosedKeystore() throws Exception {
        KeyStoreWrapper keystore = KeyStoreWrapper.create();
        assertThat(keystore.getSettingNames(), Matchers.hasItem(KeyStoreWrapper.SEED_SETTING.getKey()));
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/support/HasherTests.java
@ -5,6 +5,7 @@
 */
 package org.elasticsearch.xpack.security.authc.support;

+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
@ -173,6 +174,14 @@ public class HasherTests extends ESTestCase {
        assertThat(Hasher.resolveFromHash("notavalidhashformat".toCharArray()), sameInstance(Hasher.NOOP));
    }

+    public void testPbkdf2WithShortPasswordThrowsInFips() {
+        assumeTrue("This should run only in FIPS mode", inFipsJvm());
+        SecureString passwd = new SecureString(randomAlphaOfLength(between(6, 13)).toCharArray());
+        Hasher pbkdfHasher = randomFrom(Hasher.PBKDF2, Hasher.PBKDF2_50000, Hasher.PBKDF2_1000000);
+        ElasticsearchException e = expectThrows(ElasticsearchException.class, () -> pbkdfHasher.hash(passwd));
+        assertThat(e.getMessage(), containsString("Error using PBKDF2 implementation from the selected Security Provider"));
+    }
+
    private static void testHasherSelfGenerated(Hasher hasher) {
        //In FIPS 140 mode, passwords for PBKDF2 need to be at least 14 chars
        SecureString passwd = new SecureString(randomAlphaOfLength(between(14, 18)).toCharArray());