Core: SecurityUtils.createMtlsKeyStore should use a fixed algorithm for creating the PrivateKey

[Capstan]

Callers of SecurityUtils.createMtlsKeyStore can direct the use of insecure algorithms in the construction of the mTLS connection. In general, we attempt to affix the algorithm used to inhibit use of algorithms with known vulnerabilities.

Personally, I would be fine with denying provided certs whose cert.getPublicKey().getAlgorithm() was DH or DSA, but in lieu of blocklisting known bad algorithms, perhaps it'd be more security affirmative to allowlist currently-OK algorithms, so we only ever use good versions, and suffer toil later if we have to retrofit additional entries.

My suggestion is to create a case statement just below where the method currently throws IllegalArgumentException for various cases, and add the set of known good algorithms, and throw an InvalidAlgorithmParameterException if it is not one of those. In addition, special case DH and DSA to give references to their vulnerabilities as described in InsecureCypherMode.identifyDiffieHellmanAndDsaVulnerabilities.

/cc @sophieschmieg, as her guidance/requirements will be canonical for importing whatever changes are made here into the monorepo.

Environment details

1. API: Core
2. OS type and version: 5.17.6-1rodete1-amd64
3. Java version: OpenJDK Runtime Environment (build 11.0.13+8-google-release-451398016) OpenJDK 64-Bit Server VM (build 11.0.13+8-google-release-451398016, mixed mode, sharing)
4. version(s): ~head (with local patches)

Steps to reproduce

1. Add errorprone warnings to the build
2. Build.

SecurityUtils.createMtlsKeyStore will generate an InsecureCipherMode warning.

Code example

    PrivateKey key =
        KeyFactory.getInstance(cert.getPublicKey().getAlgorithm()).generatePrivate(keySpecPKCS8);

[meltsufin]

@TimurSadykov Is this something you can look at? Thanks!

[TimurSadykov]

ack, will take a look and update