Add FIPS TLS encrypted private key tests

[michel-laterman]

What does this PR do?

Add a test to ensure that when if FIPS mode attempting to decrypt an encrypted private key will result in errors.ErrUnsuported. Change the ReadPEM method to return a joined error so that an encrypted block will return an error instead of just having the "no PEM blocks" error.

Why is it important?

FIPS functionality needs tests.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works

Example test run

tlscommon|fips-test-private-key ⇒ go test -tags=requirefips -v -race ./...
=== RUN   TestFIPSCertificateAndKeys
=== RUN   TestFIPSCertificateAndKeys/embed
=== RUN   TestFIPSCertificateAndKeys/embed_small_key
=== RUN   TestFIPSCertificateAndKeys/embed_encrypted_PKCS#1_key
=== RUN   TestFIPSCertificateAndKeys/embed_PKCS#8_key
=== RUN   TestFIPSCertificateAndKeys/From_disk
--- PASS: TestFIPSCertificateAndKeys (0.01s)
    --- PASS: TestFIPSCertificateAndKeys/embed (0.00s)
    --- PASS: TestFIPSCertificateAndKeys/embed_small_key (0.00s)
    --- PASS: TestFIPSCertificateAndKeys/embed_encrypted_PKCS#1_key (0.00s)
    --- PASS: TestFIPSCertificateAndKeys/embed_PKCS#8_key (0.00s)
    --- PASS: TestFIPSCertificateAndKeys/From_disk (0.00s)
PASS
ok  	github.com/elastic/elastic-agent-libs/transport/tlscommon	1.274s

Related issues

• Closes [test][FIPS] Add unit test for encrypted private keys being unsupported #280

[belimawr]

The only thing I didn't understand is why most of the tests won't run when FIPS is enabled.
Do they break with FIPS enabled?

[michel-laterman]

Some of them break, but this is mostly so we can limit the requirefips tests to only test the different behaviour

[simitt]

@michel-laterman I don't think that we should generally exclude non-system tests from running when in fips mode. What we had discussed was to exclude the expensive system tests that might test certain specifics that aren't focused on FIPS relevant parts; instead we want to have some focused system tests for FIPS covering TLS, crypto, pgp,..

Would be worth looking into why these tests are failing rather than disabling them.

[belimawr]

I agree with @simitt, because FIPS changes some cryptographic libraries it is better to have the full suit of tests dealing with crypto running and only add build tags to the ones with different behaviour.

Also, IIRC the elastic-agent-libs CI is rather fast, so I don't see any issues with running the tests twice, one for each build.

[simitt]

@michel-laterman and I discussed to replace hardcoded test certs with generated ones as a follow up #282 (out of scope for currently planned work).

[simitt]

@michel-laterman I created a PR against your branch to get rid of the hardcoded certificates michel-laterman#1. Please review and let me know if you are ok with merging this into your branch before moving on with this PR.

[simitt]

Left a few nits

re-reviewed

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 18ed885

History

• 💚 Build #604 succeeded a8015e6
• 💚 Build #602 succeeded dd46257
• 💚 Build #598 succeeded 635962b
• 💔 Build #597 failed 952398d
• 💔 Build #596 failed d660946
• 💚 Build #593 succeeded 3a0e0d3

[belimawr]

The code looks good, but there is a TODO that was left behind. It would be better to remove it before merging.

[belimawr]

Why a TODO comment? Shouldn't it be just the comment explaining why we use our custom implementation?

Suggested change

	//TODO: this uses an elastic implementation of pkcs8 as the stdlib does not support password protected pkcs8
	// This uses an elastic implementation of pkcs8 as the stdlib does not support password protected pkcs8