Throw an exception when unable to read Certificate (#40092)

With SUN security provider, a CertificateException is thrown when
attempting to parse a Certificate from a PEM file on disk with
`sun.security.provider.X509Provider#parseX509orPKCS7Cert`

When using the BouncyCastle Security provider (as we do in fips
tests) the parsing happens in
CertificateFactory#engineGenerateCertificates which doesn't throw
an exception but returns an empty list.

In order to have a consistent behavior, this change makes it so
that we throw a CertificateException when attempting to read
a PEM file from disk and failing to do so in either Security
Provider

Resolves: #39580

Author: jkakavas

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/CertParsingUtils.java

@@ -92,6 +92,9 @@ public static Certificate[] readCertificates(List<Path> certPaths) throws Certif
         for (Path path : certPaths) {
             try (InputStream input = Files.newInputStream(path)) {
                 certificates.addAll((Collection<Certificate>) certFactory.generateCertificates(input));
+                if (certificates.isEmpty()) {
+                    throw new CertificateException("failed to parse any certificates from [" + path.toAbsolutePath() + "]");
+                }
             }
         }
         return certificates.toArray(new Certificate[0]);

x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/SSLConfigurationReloaderTests.java

@@ -448,7 +448,6 @@ void reloadSSLContext(SSLConfiguration configuration) {
      * truncating the certificate file that is being monitored
      */
     public void testPEMTrustReloadException() throws Exception {
-        assumeFalse("Broken on BC-FIPS -- https://github.com/elastic/elasticsearch/issues/39580", inFipsJvm());
         Path tempDir = createTempDir();
         Path clientCertPath = tempDir.resolve("testclient.crt");
         Files.copy(getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testclient.crt"), clientCertPath);