From 90d0621f9c6ffad7dfe1cfd213121b61f2907a7d Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Sat, 3 Aug 2024 11:55:48 +0300
Subject: [PATCH] Enforce JKS trustore

---
 .../org/elasticsearch/common/ssl/KeyStoreUtil.java | 12 ++++++++++--
 .../azure/RepositoryAzureClientYamlTestSuiteIT.java | 5 +++++
 muted-tests.yml | 2 --
 .../java/org/elasticsearch/test/TestTrustStore.java | 4 ++--
 4 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java
index aebee89297a88..7f5b005e28470 100644
--- a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java
+++ b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/KeyStoreUtil.java
@@ -106,8 +106,12 @@ public static KeyStore filter(KeyStore store, Predicate filter) {
 * @param certificates The root certificates to trust
 */
 public static KeyStore buildTrustStore(Iterable certificates) throws GeneralSecurityException {
+ return buildTrustStore(certificates, KeyStore.getDefaultType());
+ }
+
+ public static KeyStore buildTrustStore(Iterable certificates, String type) throws GeneralSecurityException {
 assert certificates != null : "Cannot create keystore with null certificates";
- KeyStore store = buildNewKeyStore();
+ KeyStore store = buildNewKeyStore(type);
 int counter = 0;
 for (Certificate certificate : certificates) {
 store.setCertificateEntry("cert-" + counter, certificate);
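Review bot: The new public overload `buildTrustStore(Iterable certificates, String type)` has no Javadoc, while the one-argument form it now delegates to keeps its `@param certificates` description; the same gap applies to `buildNewKeyStore(String type)` in the next hunk. I would add a Javadoc on the two-argument method along the lines of `@param type the {@link KeyStore} type to create, passed to {@link KeyStore#getInstance(String)} (for example {@code "jks"} or {@code "pkcs12"})` plus `@throws GeneralSecurityException if no installed provider supports {@code type}`. The existing `assert certificates != null` only fires with `-ea`, so for a public entry point an explicit guard such as `if (type == null) throw new IllegalArgumentException("keystore type must not be null");` at the top of the new method would give the same failure mode with and without assertions enabled. The loop in buildTrustStore continues past the end of the hunk.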
@@ -117,7 +121,11 @@ public static KeyStore buildTrustStore(Iterable certificates) throw
 }
 
 private static KeyStore buildNewKeyStore() throws GeneralSecurityException {
- KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ return buildNewKeyStore(KeyStore.getDefaultType());
+ }
+
+ private static KeyStore buildNewKeyStore(String type) throws GeneralSecurityException {
+ KeyStore keyStore = KeyStore.getInstance(type);
 try {
 keyStore.load(null, null);
 } catch (IOException e) {
diff --git a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java
index c40a0fb4da4b1..c4942dea09755 100644
--- a/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java
+++ b/modules/repository-azure/src/yamlRestTest/java/org/elasticsearch/repositories/azure/RepositoryAzureClientYamlTestSuiteIT.java
@@ -71,6 +71,11 @@ public class RepositoryAzureClientYamlTestSuiteIT extends ESClientYamlSuiteTestC
 () -> trustStore.getTrustStorePath().toString(),
 s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
 )
+ .systemProperty(
+ "javax.net.ssl.trustStoreType",
+ () -> "jks",
+ s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false
+ )
 .build();
 
 @ClassRule(order = 1)
diff --git a/muted-tests.yml b/muted-tests.yml
index 98a9a52f85a08..4fc4a1b27d1c4 100644
--- a/muted-tests.yml
+++ b/muted-tests.yml
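Review bot: After this change the private no-argument `buildNewKeyStore()` has no caller visible in the diff — the only call site shown, in `buildTrustStore`, now goes through `buildNewKeyStore(type)` — so it may be dead code; if nothing else in the file uses it, I would remove it rather than keep a second path that silently picks up `KeyStore.getDefaultType()`. This matters because `getDefaultType()` is driven by the JVM's `keystore.type` security property, which is precisely the implicit choice the commit is moving the test trust store away from. `buildNewKeyStore(String type)` also carries no comment; a one-liner such as `// Empty, initialised store of the given type; callers pick the type explicitly so the on-disk format does not depend on the JVM's keystore.type property` would record why the overload exists. The method body continues past the end of the hunk.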
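Review bot: The `"jks"` literal in the new `javax.net.ssl.trustStoreType` property and the `"jks"` passed to `KeyStoreUtil.buildTrustStore` in TestTrustStore (last hunk) are two copies of the same contract — the format the test framework writes and the format the JVM is told to read — with nothing tying them together, so a later change to either one silently breaks the other. I would let `TestTrustStore` own the type (a public constant or an accessor beside `getTrustStorePath()`) and have this property read it, e.g. `() -> TestTrustStore.TRUST_STORE_TYPE,` in place of `() -> "jks",`; the name is only a suggestion since the rest of that class is not in view. The guard `s -> USE_FIXTURE && ESTestCase.inFipsJvm() == false` is now repeated verbatim for both properties and could be one named predicate. The builder chain these calls belong to starts outside the hunk.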
@@ -116,8 +116,6 @@ tests:
 issue: https://github.com/elastic/elasticsearch/issues/111396
 - class: org.elasticsearch.xpack.searchablesnapshots.AzureSearchableSnapshotsIT
 issue: https://github.com/elastic/elasticsearch/issues/111279
-- class: org.elasticsearch.repositories.azure.RepositoryAzureClientYamlTestSuiteIT
- issue: https://github.com/elastic/elasticsearch/issues/111345
 - class: org.elasticsearch.repositories.blobstore.testkit.AzureSnapshotRepoTestKitIT
 method: testRepositoryAnalysis
 issue: https://github.com/elastic/elasticsearch/issues/111280
diff --git a/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java b/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java
index e17a309dbc9c8..93a2a4a967592 100644
--- a/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java
+++ b/test/framework/src/main/java/org/elasticsearch/test/TestTrustStore.java
@@ -50,8 +50,8 @@ protected void before() {
 .stream()
 .map(i -> (Certificate) i)
 .toList();
- final var trustStore = KeyStoreUtil.buildTrustStore(certificates);
- trustStore.store(jksStream, null);
+ final var trustStore = KeyStoreUtil.buildTrustStore(certificates, "jks");
+ trustStore.store(jksStream, new char[0]);
 trustStorePath = tmpTrustStorePath;
 } catch (Exception e) {
 throw new AssertionError("unexpected", e);
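Review bot: `trustStore.store(jksStream, new char[0])` swaps the previous `null` password for an empty one without saying why, and the reason is not obvious from the code — presumably the JKS implementation refuses a null store password where the earlier default type tolerated it. A short comment would stop the next reader from "fixing" it back: `// JKS needs a non-null store password; an empty one keeps the file loadable via javax.net.ssl.trustStore without a trustStorePassword`. For a trust store this password only keys the file's integrity check and protects no secret (the entries are public certificates), so the empty value is fine here and worth stating so nobody later treats it as a weakness. The enclosing `before()` starts outside the hunk.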