Settings: Reimplement keystore format to use FIPS compliant algorithms (#28255)

This commit switches the internal format of the elasticsearch keystore
to no longer use java's KeyStore class, but instead encrypt the binary
data of the secrets using AES-GCM. The cipher key is generated using
PBKDF2WithHmacSHA512. Tests are also added for backcompat reading the v1
and v2 formats.

Author: rjernst

distribution/tools/plugin-cli/src/main/java/org/elasticsearch/plugins/InstallPluginCommand.java

@@ -833,8 +833,8 @@ private void createKeystoreIfNeeded(Terminal terminal, Environment env, PluginIn
         KeyStoreWrapper keystore = KeyStoreWrapper.load(env.configFile());
         if (keystore == null) {
             terminal.println("Elasticsearch keystore is required by plugin [" + info.getName() + "], creating...");
-            keystore = KeyStoreWrapper.create(new char[0]);
-            keystore.save(env.configFile());
+            keystore = KeyStoreWrapper.create();
+            keystore.save(env.configFile(), new char[0]);
         }
     }
 

distribution/tools/plugin-cli/src/test/java/org/elasticsearch/plugins/InstallPluginCommandTests.java

@@ -1148,8 +1148,8 @@ public void testKeystoreNotRequired() throws Exception {
 
     public void testKeystoreRequiredAlreadyExists() throws Exception {
         Tuple<Path, Environment> env = createEnv(fs, temp);
-        KeyStoreWrapper keystore = KeyStoreWrapper.create(new char[0]);
-        keystore.save(env.v2().configFile());
+        KeyStoreWrapper keystore = KeyStoreWrapper.create();
+        keystore.save(env.v2().configFile(), new char[0]);
         byte[] expectedBytes = Files.readAllBytes(KeyStoreWrapper.keystorePath(env.v2().configFile()));
         Path pluginDir = createPluginDir(temp);
         String pluginZip = createPluginUrl("fake", pluginDir, "requires.keystore", "true");

server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

@@ -233,7 +233,7 @@ static SecureSettings loadSecureSettings(Environment initialEnv) throws Bootstra
 
         try {
             keystore.decrypt(new char[0] /* TODO: read password from stdin */);
-            KeyStoreWrapper.upgrade(keystore, initialEnv.configFile());
+            KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), new char[0]);
         } catch (Exception e) {
             throw new BootstrapException(e);
         }

server/src/main/java/org/elasticsearch/common/settings/AddFileKeyStoreCommand.java

@@ -66,8 +66,8 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
                 terminal.println("Exiting without creating keystore.");
                 return;
             }
-            keystore = KeyStoreWrapper.create(new char[0] /* always use empty passphrase for auto created keystore */);
-            keystore.save(env.configFile());
+            keystore = KeyStoreWrapper.create();
+            keystore.save(env.configFile(), new char[0] /* always use empty passphrase for auto created keystore */);
             terminal.println("Created elasticsearch keystore in " + env.configFile());
         } else {
             keystore.decrypt(new char[0] /* TODO: prompt for password when they are supported */);
@@ -97,7 +97,7 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
                 String.join(", ", argumentValues.subList(2, argumentValues.size())) + "] after filepath");
         }
         keystore.setFile(setting, Files.readAllBytes(file));
-        keystore.save(env.configFile());
+        keystore.save(env.configFile(), new char[0]);
     }
 
     @SuppressForbidden(reason="file arg for cli")

server/src/main/java/org/elasticsearch/common/settings/AddStringKeyStoreCommand.java

@@ -63,8 +63,8 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
                 terminal.println("Exiting without creating keystore.");
                 return;
             }
-            keystore = KeyStoreWrapper.create(new char[0] /* always use empty passphrase for auto created keystore */);
-            keystore.save(env.configFile());
+            keystore = KeyStoreWrapper.create();
+            keystore.save(env.configFile(), new char[0] /* always use empty passphrase for auto created keystore */);
             terminal.println("Created elasticsearch keystore in " + env.configFile());
         } else {
             keystore.decrypt(new char[0] /* TODO: prompt for password when they are supported */);
@@ -94,6 +94,6 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
         } catch (IllegalArgumentException e) {
             throw new UserException(ExitCodes.DATA_ERROR, "String value must contain only ASCII");
         }
-        keystore.save(env.configFile());
+        keystore.save(env.configFile(), new char[0]);
     }
 }

server/src/main/java/org/elasticsearch/common/settings/CreateKeyStoreCommand.java

@@ -54,8 +54,8 @@ protected void execute(Terminal terminal, OptionSet options, Environment env) th
             throw new UserException(ExitCodes.DATA_ERROR, "Passphrases are not equal, exiting.");
         }*/
 
-        KeyStoreWrapper keystore = KeyStoreWrapper.create(password);
-        keystore.save(env.configFile());
+        KeyStoreWrapper keystore = KeyStoreWrapper.create();
+        keystore.save(env.configFile(), password);
         terminal.println("Created elasticsearch keystore in " + env.configFile());
     }
 }