From 27dfc46b813b37041bff93e1f89cf8617be81e38 Mon Sep 17 00:00:00 2001 From: "opensearch-trigger-bot[bot]" <98922864+opensearch-trigger-bot[bot]@users.noreply.github.com> Date: Wed, 26 Oct 2022 14:49:02 -0500 Subject: [PATCH] Add bcpkix-jdk15on runtimeOnly dependency to read keys with bouncycastle (#2191) (#2200) * Add bouncycastle bcpkix-jdk15on runtimeOnly dependency to read keys with bouncycastle Signed-off-by: Craig Perkins (cherry picked from commit 966b3fcf68e3bc6f74a237228606aa4a68a6cdee) Co-authored-by: Craig Perkins --- build.gradle | 1 + .../opensearch/security/ssl/OpenSSLTest.java | 2 +- .../org/opensearch/security/ssl/SSLTest.java | 35 ++++++++++++++++++- src/test/resources/ssl/node-0-pkcs1.key.pem | 27 ++++++++++++++ 4 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 src/test/resources/ssl/node-0-pkcs1.key.pem diff --git a/build.gradle b/build.gradle index 0f89731d7f..c301a65ba3 100644 --- a/build.gradle +++ b/build.gradle @@ -318,6 +318,7 @@ dependencies { runtimeOnly 'org.apache.santuario:xmlsec:2.2.3' runtimeOnly 'com.github.luben:zstd-jni:1.5.0-2' runtimeOnly 'org.checkerframework:checker-qual:3.5.0' + runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}" implementation 'org.apache.commons:commons-lang3:3.4' diff --git a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java index 790477ffe3..204175043c 100644 --- a/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/OpenSSLTest.java @@ -174,7 +174,7 @@ public void testHttpsAndNodeSSLFailedCipher() throws Exception { @Test public void testHttpsAndNodeSSLPem() throws Exception { Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable()); - super.testHttpsAndNodeSSLPem(); + super.testHttpsAndNodeSSLPKCS8Pem(); } @Test 
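Review bot: The new `runtimeOnly "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"` line in build.gradle carries no comment saying why a PKIX artifact that nothing compiles against must be present at runtime, so the next dependency cleanup can drop it and only the new SSLTest case would notice. Suggest a line comment directly above it, `// needed at runtime to load PKCS#1 ("BEGIN RSA PRIVATE KEY") PEM keys; covered by SSLTest.testHttpsAndNodeSSLPKCS1Pem`. Pinning it to `${versions.bouncycastle}` is the right call, since bcpkix and bcprov must be the same BouncyCastle release; keep both artifacts on that one variable (bcprov's declaration is outside this hunk, so that is an assumption to confirm).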
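Review bot: OpenSSLTest only re-points its override at `super.testHttpsAndNodeSSLPKCS8Pem()`; the `testHttpsAndNodeSSLPKCS1Pem` this same commit adds to SSLTest gets no counterpart here, so it is inherited and runs in OpenSSLTest without the `Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable())` guard that the visible override applies. On a host without OpenSSL the inherited run would presumably exercise the JDK provider under the OpenSSL test class (assuming OpenSSLTest sets allowOpenSSL, which is outside the hunk), which neither skips nor actually tests the PKCS#1-under-OpenSSL path. Add a matching override next to the PKCS8 one so both PEM variants are guarded the same way.
```java
@Test
public void testHttpsAndNodeSSLPKCS1Pem() throws Exception {
    Assume.assumeTrue(OpenSearchSecuritySSLPlugin.OPENSSL_SUPPORTED && OpenSsl.isAvailable());
    super.testHttpsAndNodeSSLPKCS1Pem();
}
```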
diff --git a/src/test/java/org/opensearch/security/ssl/SSLTest.java b/src/test/java/org/opensearch/security/ssl/SSLTest.java index d98ee3f3f2..fc04dfdb5f 100644 --- a/src/test/java/org/opensearch/security/ssl/SSLTest.java +++ b/src/test/java/org/opensearch/security/ssl/SSLTest.java @@ -264,7 +264,7 @@ public void testHttpsAndNodeSSL() throws Exception { } @Test - public void testHttpsAndNodeSSLPem() throws Exception { + public void testHttpsAndNodeSSLPKCS8Pem() throws Exception { final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) .put(ConfigConstants.SECURITY_SSL_ONLY, true) 
@@ -300,6 +300,39 @@ public void testHttpsAndNodeSSLPem() throws Exception { Assert.assertTrue(rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE")); } + @Test + public void testHttpsAndNodeSSLPKCS1Pem() throws Exception { + + final Settings settings = Settings.builder().put("plugins.security.ssl.transport.enabled", true) + .put(ConfigConstants.SECURITY_SSL_ONLY, true) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, allowOpenSSL) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-pkcs1.key.pem")) + .put(SSLConfigConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .put("plugins.security.ssl.transport.enforce_hostname_verification", false) + .put("plugins.security.ssl.transport.resolve_hostname", false) + + .put("plugins.security.ssl.http.enabled", true) + .put("plugins.security.ssl.http.clientauth_mode", "REQUIRE") + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH, FileHelper. getAbsoluteFilePathFromClassPath("ssl/node-0-pkcs1.key.pem")) + .put(SSLConfigConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, FileHelper. 
getAbsoluteFilePathFromClassPath("ssl/root-ca.pem")) + .build(); + + setupSslOnlyMode(settings); + + RestHelper rh = restHelper(); + rh.enableHTTPClientSSL = true; + rh.trustHTTPServerCertificate = true; + rh.sendAdminCertificate = true; + + Assert.assertTrue(rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty").contains("TLS")); + Assert.assertTrue(rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty").length() > 0); + Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername)); + Assert.assertTrue(rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE")); + } + @Test public void testHttpsAndNodeSSLPemEnc() throws Exception { diff --git a/src/test/resources/ssl/node-0-pkcs1.key.pem b/src/test/resources/ssl/node-0-pkcs1.key.pem new file mode 100644 index 0000000000..3f17386738 --- /dev/null +++ b/src/test/resources/ssl/node-0-pkcs1.key.pem 
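Review bot: `testHttpsAndNodeSSLPKCS1Pem` duplicates the whole settings builder of `testHttpsAndNodeSSLPKCS8Pem` (renamed in the preceding hunk) with only the two `*_PEMKEY_FILEPATH` values changed, so the two tests will drift apart the next time either is edited. Extract the builder into a private helper, e.g. `private Settings pemSslOnlySettings(String keyResource)`, that takes the classpath name of the key and returns the built `Settings`, and reduce each test to `final Settings settings = pemSslOnlySettings("ssl/node-0-pkcs1.key.pem");` followed by the existing setup and assertions. While extracting, drop the stray space in every copied `FileHelper. getAbsoluteFilePathFromClassPath(...)` call. The sslinfo endpoint is also requested three times for three assertions on the same response; fetch it once with `final String sslInfo = rh.executeSimpleRequest("_opendistro/_security/sslinfo?pretty");` and assert on that string.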
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAh5j6Dy0HqaP5MZe+KLkby42pUJn7OaQfZ7AYHJXs8XQ0aB+3
+eHfl57ubGDlsbxZc9s88LuhPo1Y3Frgj7SbH/KVeD0nc04uSWDvhFlxbL27c+Top
+Pg75YTC8KcXy4mK+Bt1od28yxno6z18XroOoqBEf7086MY7MyDnduuLp/B1nwGij
+YM32k+KP9HJbRu9JMMt16GQYmbQtGJEqo5E8WAP/doTiH1f/cASSSoaiAR4Lzjhj
+bf6BEvtEQK51BFvqhG/qN229joyiOOexiLZb/bCdRdGebOOpOb9uBjqI1FlVc4Tg
+IfyCKm/QATinZMLCcSl6NcUTFgcJkUxZn9DaEwIDAQABAoIBAERT0a3UAwh4mBll
+XW0n2dm4iJkU/oMNMMYO9hdxdPQ2mjHdyZXq1O7wmjaauQlBO5ci1jDM31RvHVNV
+dsUJxbyJl9wcXCo9KoFLqyCZaVl9g9wScrXS1dcjt61VEg8Bsr/C0eFdJzjcXsYg
+JM7LiTEnb/Am/Cv8yTQb9J83uLBRXfTG965R05voFV5OkGvto+YUJH8AkNB0J8sl
+5xW/fWGSAVTGgZJ+qFJHW28J9gXR/gccqcGw0YAfxaEYcDCGofQgS8rqmbduiolS
+lJ7HHpr7iPx97B9R9b3h9rIaaliHgyXDVrNiG0vJGxlu8A3OZa80aUy0olbOoO4C
+JOykUAECgYEA9biE/Pt0J1maa9YvtXKGCc4BVpYISVRI/UqlVRbAvNmiw2Gk3dkv
+OGpwmFfcg5zvObHuagO8/gxPowRekrstbuYhbFDsqxF3klyuOjrNLIPFfd3s+JnA
+nw2pq106veUGcVlXiHFowfZsM6Ao/YC7RZHe+LVRwYC4WKmBOMdWuckCgYEAjUUf
+VhtayWpwcPfHvi64gTewPe7YtdY/loHod9D7BDLZhbQR87VKDtQXl0suS+mUAA4w
+ygxITwy88xbeojdkaspxt5yn+2cwVWF0xNAtLLs0RSxOAeCMDgS1GtCOdLXiDmr+
+u/qOLfypgs8fd0+zPmESwAE17kUNREfFBy48IvsCgYA3f295/AkmAhTgmkW4Q5+G
+g2LF/ajtdv3tR3jEGRl7DeS3IEyuVqlVoqS/o8iIaV+WtltU0ndTIdCyzv/VQDVo
+wM13u2dY098fzZMET9ebYD+wx/kHxSI+SkWyEKJ91UZ5P2aHyKWSeWfC2T+o0fR6
+KBImNj266Km6TL6E5nDuEQKBgCFv8vLWlq6F2wdiHo0NUe6D19tQ5Upk47gkF3oE
+pOVhg8r5zCX7CwRnfw34ZYTiTH2W3kV0ksjjIvYGu7t5kPMV58Sl97yxt+b9oj3T
+aF3mEYEt82jOVVgcFSG7q3xEcLUo7hJgQ7buztB/Zds/qhVhtKZtou46ueEne6Mv
+dlxxAoGBALPpHtIUdfQtGxj63Bq/VKOSUrDCHKhEmLa5Cd2EetpPoLsw3OrdykSB
+Q8y7/SOLOA6bLJ+OkCpzGFvylAcb+6R5HWVLSWoGD6njCCj1kflJ8LJgwxSfUf/V
+Oz3//TDGkH+1OuH34d0MXaHfzBMiPLlMG7pd35kmuDgIx4UjT6Ep
+-----END RSA PRIVATE KEY-----