github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-24 15:17:30 -04:00
Code Issues Projects Releases Packages Wiki Activity

Gracefully handle exceptions from Security Providers (#65464)

Browse source 
In certain situations, such as when configured in FIPS 140 mode,
the Java security provider in use might throw a subclass of
java.lang.Error. We currently do not catch these and as a result
the JVM exits, shutting down elasticsearch.

This commit attempts to address this by catching subclasses of Error
that might be thrown for instance when a PBKDF2 implementation
is used from a Security Provider in FIPS 140 mode, with the password
input being less than 14 bytes (112 bits).

- In our PBKDF2 family of hashers, we catch the Error and
throw an ElasticsearchException while creating or verifying the
hash. We throw on verification instead of simply returning false
on purpose so that the message bubbles up and the cause becomes
obvious (otherwise it would be indistinguishable from a wrong
password).
- In KeyStoreWrapper, we catch the Error in order to wrap and re-throw 
a GeneralSecurityException with a helpful message. This can happen when 
using any of the keystore CLI commands, when the node starts or when we 
attempt to reload secure settings.
- In the `elasticsearch-users` tool, we catch the ElasticsearchException that
the Hasher class re-throws and throw an appropriate UserException.

Tests are missing because it's not trivial to set CI in fips approved mode
right now, and thus any tests would need to be muted. There is a parallel
effort in #64024 to enable that and tests will be added in a followup.
This commit is contained in:
Ioannis Kakavas 2020-11-26 15:57:33 +02:00 committed by GitHub
parent 302e5761fc
commit e7d06843f9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 26 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
distribution/tools/keystore-cli/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java
View file

@ -28,6 +28,7 @@ import org.elasticsearch.cli.UserException;
import org.elasticsearch.env.Environment;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand {
@ -68,7 +69,7 @@ public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand {
keyStore.decrypt(keyStorePassword.getChars());
}
executeCommand(terminal, options, env);
} catch (SecurityException e) {
} catch (SecurityException | GeneralSecurityException e) {
throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
} finally {
if (keyStorePassword != null) {