Additional unit test for #4949

src/main/java/org/opensearch/security/ssl/config/KeyStoreConfiguration.java

@@ -18,10 +18,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.stream.Collectors;
 import javax.net.ssl.KeyManagerFactory;
 import javax.security.auth.x500.X500Principal;
 
@@ -45,12 +45,10 @@ default KeyManagerFactory createKeyManagerFactory(boolean validateCertificates)
     }
 
     default Set<X500Principal> getIssuerDns() {
-        Set<X500Principal> issuerDns = new HashSet<>();
-        final List<Certificate> certificates = loadCertificates();
-        for (Certificate certificate : certificates) {
-            issuerDns.add(certificate.x509Certificate().getIssuerX500Principal());
-        }
-        return issuerDns;
+        return loadCertificates().stream()
+            .map(Certificate::x509Certificate)
+            .map(X509Certificate::getIssuerX500Principal)
+            .collect(Collectors.toSet());
     }
 
     default KeyManagerFactory buildKeyManagerFactory(final KeyStore keyStore, final char[] password) {

src/test/java/org/opensearch/security/ssl/CertificatesRule.java

@@ -144,15 +144,34 @@ public X509CertificateHolder generateCaCertificate(final KeyPair parentKeyPair,
         return generateCaCertificate(parentKeyPair, generateSerialNumber(), startDate, endDate);
     }
 
+    public X509CertificateHolder generateCaCertificate(
+        final KeyPair parentKeyPair,
+        final String subjectName,
+        final Instant startDate,
+        final Instant endDate
+    ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+        return generateCaCertificate(parentKeyPair, subjectName, generateSerialNumber(), startDate, endDate);
+    }
+
     public X509CertificateHolder generateCaCertificate(
         final KeyPair parentKeyPair,
         final BigInteger serialNumber,
         final Instant startDate,
         final Instant endDate
+    ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
+        return generateCaCertificate(parentKeyPair, DEFAULT_SUBJECT_NAME, serialNumber, startDate, endDate);
+    }
+
+    public X509CertificateHolder generateCaCertificate(
+        final KeyPair parentKeyPair,
+        final String subjectName,
+        final BigInteger serialNumber,
+        final Instant startDate,
+        final Instant endDate
     ) throws IOException, NoSuchAlgorithmException, OperatorCreationException {
         // CS-SUPPRESS-SINGLE: RegexpSingleline Extension should only be used sparingly to keep implementations as generic as possible
         return createCertificateBuilder(
-            DEFAULT_SUBJECT_NAME,
+            subjectName,
             DEFAULT_SUBJECT_NAME,
             parentKeyPair.getPublic(),
             parentKeyPair.getPublic(),

src/test/java/org/opensearch/security/ssl/CertificatesUtils.java

@@ -25,9 +25,11 @@
 
 public class CertificatesUtils {
 
-    public static void writePemContent(final Path path, final Object pemContent) throws IOException {
-        try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
-            writer.writeObject(pemContent);
+    public static void writePemContent(final Path path, final Object... content) throws IOException {
+        for (final Object c : content) {
+            try (JcaPEMWriter writer = new JcaPEMWriter(Files.newBufferedWriter(path))) {
+                writer.writeObject(c);
+            }
         }
     }
 

src/test/java/org/opensearch/security/ssl/SslContextHandlerTest.java

@@ -73,6 +73,23 @@ void writeCertificates(
         writePemContent(accessCertificatePrivateKeyPath, privateKeyToPemObject(accessPrivateKey, certificatesRule.privateKeyPassword()));
     }
 
+    @Test
+    public void skipInvalidCaCertificateValidation() throws Exception {
+        final var caCertificate = certificatesRule.caCertificateHolder();
+
+        final var invalidCertKeys = certificatesRule.generateKeyPair();
+        var invalidCaCertificate = certificatesRule.generateCaCertificate(
+            invalidCertKeys,
+            "CN=not_default_subject,OU=client,O=client,L=test,C=de",
+            caCertificate.getNotAfter().toInstant().minus(20, ChronoUnit.DAYS),
+            caCertificate.getNotAfter().toInstant().minus(10, ChronoUnit.DAYS)
+        );
+
+        writePemContent(caCertificatePath, caCertificate, invalidCaCertificate);
+
+        sslContextHandler();
+    }
+
     @Test
     public void doesNothingIfCertificatesAreSame() throws Exception {
         final var sslContextHandler = sslContextHandler();