Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Limit the scope of BouncyCastle dependency #30358

Merged
merged 18 commits into from
May 29, 2018

Conversation

jkakavas
Copy link
Member

@jkakavas jkakavas commented May 3, 2018

The goal of this PR is to limit the scope of the runtime dependency on
BouncyCastle so that it can be eventually removed.
Users might need to run Elasticsearch in a JVM which is in a FIPS-140
approved mode offered by Bouncy Castle FIPS Security Provider and
using BouncyCastle and BouncyCastleFIPS together will case JAR hell.
BouncyCastle still needs to be used in CLI tools (certutil)
since there's no Java API for generating keys and certificates [1]

  • Splits functionality related to reading and generating certificates
    and keys in two utility classes so that reading certificates and
    keys doesn't require BouncyCastle.
  • Implements a class for parsing PEM Encoded key material (which also
    adds support for reading PKCS8 encoded encrypted private keys).
  • Removes BouncyCastle dependency for all of our test suites(except
    for the tests that explicitly test certificate generation) by using
    pre-generated keys/certificates/keystores.

[1] https://bugs.openjdk.java.net/browse/JDK-8058778

jkakavas added 3 commits May 2, 2018 13:47
Splits functionality related to reading and generating certificates
and keys in two utility classes so that reading/parsing certificates
and keys doesn't require BouncyCastle.
Adds support for reading PKCS8 encoded encrypted private keys.
Removes BouncyCastle dependency for all of our test suites(except
for the tests that explicitly test certificate generation) by
using pregenerated keys/certificates/keystores
@jkakavas jkakavas added >enhancement v7.0.0 :Security/Security Security issues without another label v6.4.0 labels May 3, 2018
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

jkakavas added 5 commits May 4, 2018 15:35
Introduces the necessary pre-generated key pairs for the SAML tests
and changes test were applicable to account for the need of
different certs or keys while testing.
Bug that caused only the last certificate in a list of many to be
loaded in the trustore.
* Adds support for reading DSA private keys(to be used in SAML
  tests)
* Adds unit tests for DSA private keys and encrypted EC private
  keys
* Reverts previous change regarding zero filling password arrays
  on finally blocks as this caused race conditions and instead
  zero fills char arrays and buffers directly after use
* Replaces testnode_updated.jks that was mistakenly a PKCS12 store
@jkakavas jkakavas added the review label May 4, 2018
@jkakavas jkakavas requested review from tvernum and jaymode May 4, 2018 17:08
@jkakavas
Copy link
Member Author

jkakavas commented May 8, 2018

run gradle build tests

@tvernum
Copy link
Contributor

tvernum commented May 9, 2018

If I'm reading this correctly, then we haven't actually removed the bouncy castle dependency in that:

  • we're still shipping it as a library in x-pack-security that will be on the runtime classpath
  • we have no build protections to prevent it from being directly used within the x-pack plugin
  • we have no build protections to prevent CertGenUtils from being used outside of the CLI.

I don't think we can actually say that this makes it possible to run on a BC-FIPS JVM unless we take some further steps to enforce the separation of the x-pack runtime from BC.
Ideally that would mean dropping the BC jars from x-pack-security and shipping them in some sort of standalone way for the CLI to use. I don't think we have a mechanism for that right now, but core/infr could advise.
Alternatively you might make it work with forbidden APIs, but it's more cumbersome overall.

Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've done a quick review of the main changes since I last looked.
It seems good to me, but I'll probably need to do another run through.

case "1.2.840.10045.2.1":
return "EC";
default:
return null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both of the callers of this function translate null into an exception.
If we throw it here then the exception can include the parsed OID string in order to provide context - either we got the ASN parsing wrong (and it would helpful to know what we parsed), or the key has an algorithm we don't support (and it would also helpful to know what the OID is)

@jkakavas
Copy link
Member Author

jkakavas commented May 9, 2018

Thanks for the feedback @tvernum

then we haven't actually removed the bouncy castle dependency in that

All valid comments. This intends to split the functionality and remove the use of BouncyCastle so that the dependency can be removed and I should probably have named this accordingly

Ideally that would mean dropping the BC jars from x-pack-security and shipping them in some sort of standalone way for the CLI to use

This is what @jaymode has suggested also, and I will be in touch with infra on how to do it correctly

Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkakavas can you update the title as we aren't really removing the bouncy castle dependency. This is a refactoring to limits the scope of the dependency.

@@ -169,6 +169,9 @@ synchronous and predictable. Also the trigger engine thread is only started on
data nodes. And the Execute Watch API can be triggered regardless is watcher is
started or stopped. ({pull}30118[#30118])

Removes runtime dependency on BouncyCastle for reading/parsing PEM encoded private keys
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per the latest guidance, let's remove the changelog update from the PR


import static org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings.getKeyStoreType;

public class CertParsingUtils {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add a private constructor as we should never create an instance of this class

return new ArrayList<>(certificates);
}


Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: extra line

return bReader;
}

private static PrivateKey parsePKCS8(BufferedReader bReader) throws IOException, GeneralSecurityException {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add javadocs for all of the methods in this class?

private final Logger logger;
private final X509ExtendedTrustManager delegate;
private final CertificateTrustRestrictions trustRestrictions;
private final int SAN_CODE_OTHERNAME = 0;
private static final int SAN_CODE_OTHERNAME = 0;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style: can you move this to be next to the other static final values

assertThat(keyPair.getPrivate().getAlgorithm(), is("RSA"));
assertThat(keyPair.getPublic().getAlgorithm(), is("RSA"));
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove the extra new lines

assertThat(pemCert, notNullValue());
assertThat(pemCert, equalTo(certificate));
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove extra line

"testnode"::toCharArray));
assertThat(e.getMessage(), containsString("File is empty"));
}
private Key getKeyFromKeystore(String algo) throws Exception {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add a line between this and the method above?

@jkakavas jkakavas changed the title Remove BouncyCastle dependency Limit the scope of BouncyCastle dependency May 15, 2018
jkakavas added 2 commits May 15, 2018 08:23
- Removes unecessary white space
- Adds javadoc for PemUtils
Copy link
Member

@jaymode jaymode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, with a couple of suggestions

@@ -483,7 +485,8 @@ private static void writeCAInfoIfGenerated(ZipOutputStream outputStream, JcaPEMW
outputStream.putNextEntry(new ZipEntry(caDirName + "ca.key"));
if (info.password != null && info.password.length > 0) {
try {
PEMEncryptor encryptor = new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(CertUtils.BC_PROV).build(info.password);
PEMEncryptor encryptor = new JcePEMEncryptorBuilder("DES-EDE3-CBC").setProvider(BC_PROV).
build(info.password);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like an unnecessary line break.

throw new IOException("Invalid DER: stream too short, missing tag");
}
int length = getLength();
byte[] value = new byte[length];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know we don't want to modify this code too much, but I think we should place some reasonable limits on this length.
I believe the getLength method can return any 32 bit integer (positive or negative), and we probably shouldn't just try to allocate an array of that length.

jkakavas added 5 commits May 17, 2018 11:47
…e-dependency

and resove conflicts that where introduced by the
merge of elastic#30509
Based on the changes to key and trust material reloading that were
introduced in  elastic#30509. DSA and EC keys are regenerated and the
associated certificates are constructed with the correct SAN.
Introduces a check for parsed ASN.1 objects and the max allowed
length for them are set to the size of the key file itself.
Also replaces `Streams` from bouncycastle in SetupPasswordTool with
the same approach already introduced in CommandLineHttpClientTests
for fully consuming a stream
@jkakavas jkakavas merged commit a8faf97 into elastic:master May 29, 2018
martijnvg added a commit that referenced this pull request May 30, 2018
* es/master: (24 commits)
  Add missing_bucket option in the composite agg (#29465)
  Rename index_prefix to index_prefixes (#30932)
  Rename methods in PersistentTasksService (#30837)
  [DOCS] Fix watcher file location
  Update the version checks around range bucket keys, now that the change was backported.
  Use dedicated ML APIs in tests (#30941)
  [DOCS] Remove reference to platinum Docker image (#30916)
  Minor clean-up in InternalRange. (#30886)
  stable filemode for zip distributions (#30854)
  [DOCS] Adds missing TLS settings for auditing (#30822)
  [test] packaging: use shell when running commands (#30852)
  Fix location of AbstractHttpServerTransport (#30888)
  [test] packaging test logging for suse distros
  Moved keyword tokenizer to analysis-common module (#30642)
  Upgrade to Lucene-7.4-snapshot-1cbadda4d3 (#30928)
  Limit the scope of BouncyCastle dependency (#30358)
  [DOCS] Reset edit links (#30909)
  Fix IndexTemplateMetaData parsing from xContent (#30917)
  Remove log traces in AzureStorageServiceImpl and fix test (#30924)
  Deprecate accepting malformed requests in stored script API (#28939)
  ...
jkakavas added a commit to jkakavas/elasticsearch that referenced this pull request May 30, 2018
Limits the scope of the runtime dependency on
BouncyCastle so that it can be eventually removed.

* Splits functionality related to reading and generating certificates
and keys in two utility classes so that reading certificates and
keys doesn't require BouncyCastle.
* Implements a class for parsing PEM Encoded key material (which also
adds support for reading PKCS8 encoded encrypted private keys).
* Removes BouncyCastle dependency for all of our test suites(except
for the tests that explicitly test certificate generation) by using
pre-generated keys/certificates/keystores.
jkakavas added a commit that referenced this pull request May 31, 2018
* Limit the scope of BouncyCastle dependency (#30358)

Limits the scope of the runtime dependency on
BouncyCastle so that it can be eventually removed.

* Splits functionality related to reading and generating certificates
and keys in two utility classes so that reading certificates and
keys doesn't require BouncyCastle.
* Implements a class for parsing PEM Encoded key material (which also
adds support for reading PKCS8 encoded encrypted private keys).
* Removes BouncyCastle dependency for all of our test suites(except
for the tests that explicitly test certificate generation) by using
pre-generated keys/certificates/keystores.

* Ensure intended key is selected in SamlAuthenticatorTests (#30993)

Uses a specific keypair for tests that require a purposefully wrong
keypair instead of selecting one randomly from the same pull from
which the correct one is selected. Entropy is low because of the
small space and the same key can be randomly selected as both the
correct one and the wrong one, causing the tests to fail.
The purposefully wrong key is also used in 
testSigningKeyIsReloadedForEachRequest and needs to be cleaned
up afterwards so the rest of the tests don't use that for signing.
bizybot added a commit that referenced this pull request Jun 1, 2018
* Remove AllocatedPersistentTask.getState() (#30858)

This commit removes the method AllocatedPersistentTask.getState() that
exposes the internal state of an AllocatedPersistentTask and replaces
it with a new isCompleted() method. Related to #29608.

* Improve allocation-disabling instructions (#30248)

Clarify the “one minute” in the instructions to disable the shard allocation
when doing maintenance to say that it is configurable.

* Replace several try-finally statements (#30880)

This change replaces some existing try-finally statements that close resources
in their finally block with the slightly shorter and safer try-with-resources
pattern.

* Move list tasks under Tasks namespace (#30906)

Our API spec define the tasks API as e.g. tasks.list, meaning that they belong to their own namespace. This commit moves them from the cluster namespace to their own namespace.

Relates to #29546

* Deprecate accepting malformed requests in stored script API (#28939)

The stored scripts API today accepts malformed requests instead of throwing an exception.
This PR deprecates accepting malformed put stored script requests (requests not using the official script format).

Relates to #27612

* Remove log traces in AzureStorageServiceImpl and fix test (#30924)

This commit removes some log traces in AzureStorageServiceImpl and also
fixes the AzureStorageServiceTests so that is uses the real
implementation to create Azure clients.

* Fix IndexTemplateMetaData parsing from xContent (#30917)

We failed to register "aliases" and "version" into the list of keywords
in the IndexTemplateMetaData; then fail to parse the following index
template.

```
{
    "aliases": {"log": {}},
    "index_patterns": ["pattern-1"]
}
```
This commit registers that missing keywords.

* [DOCS] Reset edit links (#30909)

* Limit the scope of BouncyCastle dependency (#30358)

Limits the scope of the runtime dependency on
BouncyCastle so that it can be eventually removed.

* Splits functionality related to reading and generating certificates
and keys in two utility classes so that reading certificates and
keys doesn't require BouncyCastle.
* Implements a class for parsing PEM Encoded key material (which also
adds support for reading PKCS8 encoded encrypted private keys).
* Removes BouncyCastle dependency for all of our test suites(except
for the tests that explicitly test certificate generation) by using
pre-generated keys/certificates/keystores.

* Upgrade to Lucene-7.4-snapshot-1cbadda4d3 (#30928)

This snapshot includes LUCENE-8328 which is needed to stabilize CCR builds.

* Moved keyword tokenizer to analysis-common module (#30642)

Relates to #23658

* [test] packaging test logging for suse distros

* Fix location of AbstractHttpServerTransport (#30888)

Currently AbstractHttpServerTransport is in a netty4 module. This is the
incorrect location. This commit moves it out of netty4 module.
Additionally, it moves unit tests that test AbstractHttpServerTransport
logic to server.

* [test] packaging: use shell when running commands (#30852)

When subprocesses are started with ProcessBuilder, they're forked by the
java process directly rather than from a shell, which can be surprising
for our use case here in the packaging tests which is similar to
scripting.

This commit changes the tests to run their subprocess commands in a
shell, using the bash -c <script> syntax for commands on linux and using
the powershell.exe -Command <script> syntax for commands on windows.
This syntax on windows is essentially what the tests were already doing.

* [DOCS] Adds missing TLS settings for auditing (#30822)

* stable filemode for zip distributions (#30854)

Applies default file and directory permissions to zip distributions
similar to how they're set for the tar distributions. Previously zip
distributions would retain permissions they had on the build host's
working tree, which could vary depending on its umask

For #30799

* Minor clean-up in InternalRange. (#30886)

* Make sure all instance variables are final.
* Make generateKey a private static method, instead of protected.
* Rename formatter -> format for consistency.
* Serialize bucket keys as strings as opposed to optional strings.
* Pull the stream serialization logic for buckets into the Bucket class.

* [DOCS] Remove reference to platinum Docker image (#30916)

* Use dedicated ML APIs in tests (#30941)

ML has dedicated APIs for datafeeds and jobs yet base test classes and
some tests were relying on the cluster state for this state. This commit
removes this usage in favor of using the dedicated endpoints.

* Update the version checks around range bucket keys, now that the change was backported.

* [DOCS] Fix watcher file location

* Rename methods in PersistentTasksService (#30837)

This commit renames methods in the PersistentTasksService, to 
make obvious that the methods send requests in order to change 
the state of persistent tasks. 

Relates to #29608.

* Rename index_prefix to index_prefixes (#30932)

This commit also adds index_prefixes tests to TextFieldMapperTests to ensure that cloning and wire-serialization work correctly

* Add missing_bucket option in the composite agg (#29465)

This change adds a new option to the composite aggregation named `missing_bucket`.
This option can be set by source and dictates whether documents without a value for the
source should be ignored. When set to true, documents without a value for a field emits
an explicit `null` value which is then added in the composite bucket.
The `missing` option that allows to set an explicit value (instead of `null`) is deprecated in this change and will be removed in a follow up (only in 7.x).
This commit also changes how the big arrays are allocated, instead of reserving
the provided `size` for all sources they are created with a small intial size and they grow
depending on the number of buckets created by the aggregation:
Closes #29380

* Fsync state file before exposing it (#30929)

With multiple data paths, we write the state files for index metadata to all data paths. We only properly fsync on the first location, though. For other locations, we possibly expose the file before its contents is properly fsynced. This can lead to situations where, after a crash, and where the first data path is not available anymore, ES will see a partially-written state file, preventing the node to start up.

* Fix AliasMetaData parsing (#30866)

AliasMetaData should be parsed more leniently so that the high-level REST client can support forward compatibility on it. This commit addresses this issue that was found as part of #28799 and adds dedicated XContent tests as well.

* Cross Cluster Search: do not use dedicated masters as gateways (#30926)

When we are connecting to a remote cluster we should never select
dedicated master nodes as gateway nodes, or we will end up loading them
with requests that should rather go to other type of nodes e.g. data
nodes or coord_only nodes.

This commit adds the selection based on the node role, to the existing
selection based on version and potential node attributes.

Closes #30687

* Fix missing option serialization after backport

Relates #29465

* REST high-level client: add synced flush API (2) (#30650)

Adds the synced flush API to the high level REST client.

Relates to #27205.

* Fix synced flush docs

They had some copy and paste errors that failed the docs build.

* Change ScriptException status to 400 (bad request) (#30861)

Currently failures to compile a script usually lead to a ScriptException, which
inherits the 500 INTERNAL_SERVER_ERROR from ElasticsearchException if it does
not contain another root cause. Instead, this should be a 400 Bad Request error.
This PR changes this more generally for script compilation errors by changing 
ScriptException to return 400 (bad request) as status code.

Closes #12315

* Fix composite agg serialization error

Fix serialization after backport

Relates #29465

* Revert accidentally pushed changes in NoriAnalysisTests

* SQL: Remove log4j and joda from JDBC dependencies (#30938)

More cleanup of JDBC driver project

Relates to #29856

* [DOCS] Fixes kibana security file location

* [CI] Mute SamlAuthenticatorTests testIncorrectSigningKeyIsRejected

Tracked by #30970

* Add Verify Repository High Level REST API (#30934)

This commit adds Verify Repository, the associated docs and tests for
the high level REST API client. A few small changes to the Verify
Repository Response went into the commit as well.

Relates #27205

* Add “took” timing info to response for _msearch/template API (#30961)

Add “took” timing info to response for _msearch/template API
Closes #30957

* Mute FlushIT tests

We have identified the source causing these tests failed.
This commit mutes them again until we have a proper fix.

Relates #29392

* [CI] Mute HttpSecretsIntegrationTests#testWebhookAction test

Tracked by #30094

* [Test] Prefer ArrayList over Vector (#30965)

Replaces some occurances of Vector class with ArrayList in
tests of the rank-eval module.

* Fix license on AcitveDirectorySIDUtil (#30972)

This code is from an Apache 2.0 licensed codebase and when we imported
it into our codebase it carried the Apache 2.0 license as well. However,
during the migration of the X-Pack codebase from the internal private
repository to the elastic/elasticsearch repository, the migration tool
mistakently changed the license on this source file from the Apache 2.0
license to the Elastic license. This commit addresses this mistake by
reapplying the Apache 2.0 license.

* [CI] Mute Ml rolling upgrade tests

Tracked by #30982

* Make AllocatedPersistentTask.isCompleted() protected (#30949)

This commit changes the isCompleted() method to be protected so that
classes that extends AllocatedPersistentTask can use it.

Related to #30858

* [CI] Mute Ml rolling upgrade test for mixed cluster too

It can fail in either the mixed cluster or the upgraded cluster,
so it needs to be muted in both.

Tracked by #30982

* [Docs] Fix typo in Min Aggregation reference (#30899)

* Refactor Sniffer and make it testable (#29638)

This commit reworks the Sniffer component to simplify it and make it possible to test it.

In particular, it no longer takes out the host that failed when sniffing on failure, but rather relies on whatever the cluster returns. This is the result of some valid comments from #27985. Taking out one single host is too naive, hard to test and debug.

A new Scheduler abstraction is introduced to abstract the tasks scheduling away and make it possible to plug in any test implementation and take out timing aspects when testing.

Concurrency aspects have also been improved, synchronized methods are no longer required. At the same time, we were able to take #27697 and #25701 into account and fix them, especially now that we can more easily add tests.

Last but not least, unit tests are added for the Sniffer component, long overdue.

Closes #27697
Closes #25701

* Deprecates indexing and querying a context completion field without context (#30712)

This change deprecates completion queries and documents without context that target a
context enabled completion field. Querying without context degrades the search
performance considerably (even when the number of indexed contexts is low).
This commit targets master but the deprecation will take place in 6.x and the functionality
will be removed in 7 in a follow up.

Closes #29222

* Core: Remove RequestBuilder from Action (#30966)

This commit removes the RequestBuilder generic type from Action. It was
needed to be used by the newRequest method, which in turn was used by
client.prepareExecute. Both of these methods are now removed, along with
the existing users of prepareExecute constructing the appropriate
builder directly.

* Ensure intended key is selected in SamlAuthenticatorTests (#30993)

* Ensure that a purposefully wrong key is used

Uses a specific keypair for tests that require a purposefully wrong
keypair instead of selecting one randomly from the same pull from
which the correct one is selected. Entropy is low because of the
small space and the same key can be randomly selected as both the
correct one and the wrong one, causing the tests to fail.
The purposefully wrong key is also used in 
testSigningKeyIsReloadedForEachRequest and needs to be cleaned
up afterwards so the rest of the tests don't use that for signing.

Resolves #30970

* [DOCS] Update readme for testing x-pack code snippets (#30696)

* Remove version read/write logic in Verify Response (#30879)

Since master will always communicate with a >=6.4 node, the logic for
checking if the node is 6.4 and conditionally reading and writing based
on that can be removed from master. This logic will stay in 6.x as it is
the bridge to the cleaner response in master. This also unmutes the
failing test due to this bwc change.

Closes #30807

* HLRest: Allow caller to set per request options (#30490)

This modifies the high level rest client to allow calling code to
customize per request options for the bulk API. You do the actual
customization by passing a `RequestOptions` object to the API call
which is set on the `Request` that is generated by the high level
client. It also makes the `RequestOptions` a thing in the low level
rest client. For now that just means you use it to customize the
headers and the `httpAsyncResponseConsumerFactory` and we'll add
node selectors and per request timeouts in a follow up.

I only implemented this on the bulk API because it is the first one
in the list alphabetically and I wanted to keep the change small
enough to review. I'll convert the remaining APIs in a followup.

* [DOCS] Clarify not all PKCS12 usable as truststores (#30750)

Although elasticsearch-certutil generates PKCS#12
files which are usable as both keystore and truststore
this is uncommon in practice. Settle these expectations
for the users following our security guides.

* Transport client: Don't validate node in handshake (#30737)

This is related to #30141. Right now in the transport client we open a
temporary node connection and take the node information. This node
information is used to open a permanent connection that is used for the
client. However, we continue to use the configured transport address.
If the configured transport address is a load balancer, you might
connect to a different node for the permanent connection. This causes
the handshake validation to fail. This commit removes the handshake
validation for the transport client when it simple node sample mode.

* Remove unused query methods from MappedFieldType. (#30987)

* Remove MappedFieldType#nullValueQuery, as it is now unused.
* Remove MappedFieldType#queryStringTermQuery, as it is never overridden.

* Reuse expiration date of trial licenses (#30950)

* Retain the expiryDate for trial licenses

While updating the license signature to the new license spec retain
the trial license expiration date to that of the existing license.

Resolves #30882

* Watcher: Give test a little more time

Changes watcher's integration tests to wait 30 seconds when starting
watcher rather than 10 seconds because this build failed when starting
took 12 seconds:
https://elasticsearch-ci.elastic.co/job/elastic+elasticsearch+6.3+periodic/222/console
@jkakavas jkakavas deleted the remove-bouncy-castle-dependency branch September 14, 2018 06:57
@jimczi jimczi added v7.0.0-beta1 and removed v7.0.0 labels Feb 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants