From 63a137e9af22e129669a8db0b8311f01eb2d7a15 Mon Sep 17 00:00:00 2001
From: Armin Braun
Date: Wed, 7 Jul 2021 12:44:12 +0200
Subject: [PATCH 1/2] Fix GCS Keystore Handling in FIPS Mode

In FIPS mode loading the `.p12` keystore used by the new SDK version is not supported because of "PBE AlgorithmParameters not available". Fortunately, the SDK still includes the old jks trust store so we can just manually load it the same way it was loaded by the previous version to fix things. Also, fixed `SocketAccess` to properly rethrow this kind of exception and not run into a class cast issue. Closes #75023 relates https://github.com/googleapis/google-api-java-client/pull/1738
---
 .../gcs/GoogleCloudStorageService.java | 8 +++++++-
 .../repositories/gcs/SocketAccess.java | 15 +++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
index 1ebe387b0f7df..9739c31142452 100644
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
@@ -12,6 +12,7 @@
 import com.google.api.client.http.HttpRequestInitializer;
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.util.SecurityUtils;
 import com.google.auth.oauth2.GoogleCredentials;
 import com.google.auth.oauth2.ServiceAccountCredentials;
 import com.google.cloud.ServiceOptions;
@@ -34,6 +35,7 @@
 import java.net.HttpURLConnection;
 import java.net.URI;
 import java.net.URL;
+import java.security.KeyStore;
 import java.util.Map;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -126,7 +128,11 @@ private Storage createClient(GoogleCloudStorageClientSettings clientSettings,
             final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
             // requires java.lang.RuntimePermission "setFactory"
             // Pin the TLS trust certificates.
-            builder.trustCertificates(GoogleUtils.getCertificateTrustStore());
+            final KeyStore certTrustStore = SecurityUtils.getJavaKeyStore();
+            try (InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks")) {
+                SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
+            }
+            builder.trustCertificates(certTrustStore);
             return builder.build();
         });
diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/SocketAccess.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/SocketAccess.java
index f6327e1ba44fd..287b70615840c 100644
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/SocketAccess.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/SocketAccess.java
@@ -32,7 +32,7 @@ public static T doPrivilegedIOException(PrivilegedExceptionAction operati
         try {
             return AccessController.doPrivileged(operation);
         } catch (PrivilegedActionException e) {
-            throw (IOException) e.getCause();
+            throw causeAsIOException(e);
         }
     }
 
@@ -44,7 +44,18 @@ public static void doPrivilegedVoidIOException(CheckedRunnable acti
             return null;
         });
     } catch (PrivilegedActionException e) {
-            throw (IOException) e.getCause();
+            throw causeAsIOException(e);
         }
     }
+
+    private static IOException causeAsIOException(PrivilegedActionException e) {
+        final Throwable cause = e.getCause();
+        if (cause instanceof IOException) {
+            return (IOException) cause;
+        }
+        if (cause instanceof RuntimeException) {
+            throw (RuntimeException) cause;
+        }
+        throw new RuntimeException(cause);
+    }
 }
From f66e1aa9d62c31564b876e96291b514b290ac084 Mon Sep 17 00:00:00 2001
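Review bot: A missing `google.jks` resource is not detected in the new try-with-resources block: `Class.getResourceAsStream` returns null when the resource is absent, and `KeyStore.load` treats a null stream as "initialise an empty keystore", so `trustCertificates(certTrustStore)` would pin an empty trust store and every GCS TLS handshake would fail with an obscure certification-path error rather than a clear message (this assumes `SecurityUtils.loadKeyStore` passes the stream straight to `KeyStore.load`, which is how I read it). Since the SDK upgrade that motivated this patch could itself drop or rename the bundled JKS file, the check is worth making explicit: `if (keyStoreStream == null) { throw new IOException("google.jks trust store not found on the classpath"); }` as the first statement inside the try block; the lambda already propagates checked exceptions, assuming it is the one run through `SocketAccess.doPrivilegedIOException`. Note also that `loadKeyStore` can throw `GeneralSecurityException`, which is not an `IOException`; this is the case the `SocketAccess` change in this commit now handles instead of a `ClassCastException`, so the two hunks depend on each other and should land together. The enclosing lambda and `createClient` start outside the hunk.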
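Review bot: `causeAsIOException` wraps `Error` subclasses in a `RuntimeException`: a `PrivilegedActionException` can only carry checked exceptions, but `e.getCause()` is typed `Throwable`, so the helper should preserve the original throwable for that branch too rather than hiding, e.g., an `OutOfMemoryError` behind a new wrapper, with `if (cause instanceof Error) { throw (Error) cause; }` before the final `throw`. The helper also lacks a Javadoc; I would document that it returns the cause unchanged when it is an `IOException`, rethrows `RuntimeException` causes as-is, and wraps any other checked cause (such as the `GeneralSecurityException` from trust-store loading in `GoogleCloudStorageService`) in a `RuntimeException`, because the previous `(IOException) e.getCause()` cast at the two call sites in this file raised a `ClassCastException` for those. The `@@ -32,7` hunk uses the same helper and is covered by this note.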
From: Armin Braun
Date: Wed, 7 Jul 2021 14:41:45 +0200
Subject: [PATCH 2/2] comment

---
 .../repositories/gcs/GoogleCloudStorageService.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
index 9739c31142452..43ddb04bc016b 100644
--- a/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
+++ b/plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
@@ -128,6 +128,8 @@ private Storage createClient(GoogleCloudStorageClientSettings clientSettings,
             final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
             // requires java.lang.RuntimePermission "setFactory"
             // Pin the TLS trust certificates.
+            // We manually load the key store from jks instead of using GoogleUtils.getCertificateTrustStore() because that uses a .p12
+            // store format not compatible with FIPS mode.
             final KeyStore certTrustStore = SecurityUtils.getJavaKeyStore();
             try (InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks")) {
                 SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
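Review bot: The added comment explains the JKS-versus-PKCS12 choice but not the hardcoded `"notasecret"` literal three lines below it, which is what a secret scanner or a future reader will flag first. Since the commit message says the store is loaded "the same way it was loaded by the previous version", the literal is the SDK's own password for its bundled public CA trust store and protects nothing secret; I would say so in the comment, e.g. `// "notasecret" is the SDK's published password for its bundled CA trust store (google.jks); it guards no private material.` A smaller wording point: the file being loaded is a trust store (CA certificates only), so "load the key store from jks" reads more accurately as "load the CA trust store from the bundled google.jks". The enclosing lambda and `createClient` start before and end after this hunk.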