Revert "Gracefully handle exceptions from Security Providers (#65464) (…

…#65554)"

This reverts commit 12ba9e3. This
commit was mechanically backported to 7.10 while it shouldn't have
been.

server/src/main/java/org/elasticsearch/cli/KeyStoreAwareCommand.java

@@ -70,11 +70,11 @@ protected static SecureString readPassword(Terminal terminal, boolean withVerifi
      * Decrypt the {@code keyStore}, prompting the user to enter the password in the {@link Terminal} if it is password protected
      */
     protected static void decryptKeyStore(KeyStoreWrapper keyStore, Terminal terminal)
-        throws UserException, IOException {
+        throws UserException, GeneralSecurityException, IOException {
         try (SecureString keystorePassword = keyStore.hasPassword() ?
             readPassword(terminal, false) : new SecureString(new char[0])) {
             keyStore.decrypt(keystorePassword.getChars());
-        } catch (SecurityException | GeneralSecurityException e) {
+        } catch (SecurityException e) {
             throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
         }
     }

server/src/main/java/org/elasticsearch/common/settings/BaseKeyStoreCommand.java

@@ -28,7 +28,6 @@
 import org.elasticsearch.env.Environment;
 
 import java.nio.file.Path;
-import java.security.GeneralSecurityException;
 
 public abstract class BaseKeyStoreCommand extends KeyStoreAwareCommand {
 
@@ -65,7 +64,7 @@ protected final void execute(Terminal terminal, OptionSet options, Environment e
                 keyStore.decrypt(keyStorePassword.getChars());
             }
             executeCommand(terminal, options, env);
-        } catch (SecurityException | GeneralSecurityException e) {
+        } catch (SecurityException e) {
             throw new UserException(ExitCodes.DATA_ERROR, e.getMessage());
         } finally {
             if (keyStorePassword != null) {

server/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java

@@ -310,14 +310,7 @@ public boolean hasPassword() {
     private Cipher createCipher(int opmode, char[] password, byte[] salt, byte[] iv) throws GeneralSecurityException {
         PBEKeySpec keySpec = new PBEKeySpec(password, salt, KDF_ITERS, CIPHER_KEY_BITS);
         SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(KDF_ALGO);
-        SecretKey secretKey;
-        try {
-            secretKey = keyFactory.generateSecret(keySpec);
-        } catch (Error e) {
-            // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
-            // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
-            throw new GeneralSecurityException("Error generating an encryption key from the provided password", e);
-        }
+        SecretKey secretKey = keyFactory.generateSecret(keySpec);
         SecretKeySpec secret = new SecretKeySpec(secretKey.getEncoded(), CIPHER_ALGO);
 
         GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, iv);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/support/Hasher.java

@@ -513,11 +513,7 @@ private static char[] getPbkdf2Hash(SecureString data, int cost) {
             result.put(Base64.getEncoder().encodeToString(secretKeyFactory.generateSecret(keySpec).getEncoded()));
             return result.array();
         } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
-            throw new ElasticsearchException("Error using PBKDF2 for password hashing", e);
-        } catch (Error e) {
-            // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
-            // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
-            throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e);
+            throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e);
         }
     }
 
@@ -543,11 +539,7 @@ private static boolean verifyPbkdf2Hash(SecureString data, char[] hash) {
             final boolean result = CharArrays.constantTimeEquals(computedPwdHash, hashChars);
             return result;
         } catch (InvalidKeySpecException | NoSuchAlgorithmException e) {
-            throw new ElasticsearchException("Error using PBKDF2 for password hashing", e);
-        } catch (Error e) {
-            // Security Providers might throw a subclass of Error in FIPS 140 mode, if some prerequisite like
-            // salt, iv, or password length is not met. We catch this because we don't want the JVM to exit.
-            throw new ElasticsearchException("Error using PBKDF2 implementation from the selected Security Provider", e);
+            throw new ElasticsearchException("Can't use PBKDF2 for password hashing", e);
         } finally {
             if (null != hashChars) {
                 Arrays.fill(hashChars, '\u0000');

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/file/tool/UsersTool.java

@@ -7,7 +7,6 @@
 
 import joptsimple.OptionSet;
 import joptsimple.OptionSpec;
-import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.cli.EnvironmentAwareCommand;
 import org.elasticsearch.cli.ExitCodes;
 import org.elasticsearch.cli.LoggingAwareMultiCommand;
@@ -447,10 +446,7 @@ private static char[] getPasswordHash(Terminal terminal, Environment env, String
         final char[] passwordHash;
         try (SecureString password = parsePassword(terminal, cliPasswordValue)) {
             passwordHash = hasher.hash(password);
-        } catch (ElasticsearchException e) {
-            throw new UserException(ExitCodes.DATA_ERROR, "Error storing the password for the new user", e);
         }
-
         return passwordHash;
     }