Fix forbidden apis on FIPS (#33202)
- third party audit detects jar hell with JDK so we disable it
- the `jdk-non-portable` bundled signature in forbiddenapis flags classes used from the
JDK that are not part of the Java specification; on FIPS the bouncycastle classes live in
the JDK, so this is expected and we skip that signature on fips.
- different exclusion rules for third party audit on fips

Closes #33179
alpar-t authored Aug 29, 2018
1 parent 6a0d4b4 commit 3828ec6
Showing 5 changed files with 40 additions and 5 deletions.
6 changes: 6 additions & 0 deletions distribution/tools/plugin-cli/build.gradle
Expand Up @@ -39,3 +39,9 @@ test {
// TODO: find a way to add permissions for the tests in this module
systemProperty 'tests.security.manager', 'false'
}

if (project.inFipsJvm) {
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
// rather than provide a long list of exclusions, disable the check on FIPS.
thirdPartyAudit.enabled = false
}
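Review bot: Setting `thirdPartyAudit.enabled = false` on FIPS disables the whole task, so the missing-class and jar-hell checks for everything else on this module's classpath are also skipped in FIPS CI, not just the BouncyCastle overlap; a genuine conflict introduced later would only be caught by the non-FIPS build. That is a reasonable trade-off as long as the non-FIPS build keeps running the audit, but the comment should state that coverage still comes from there, and `manny` is a typo. Suggested comment: `// The FIPS JVM ships BouncyCastle classes that the third party audit reports as jar hell. Rather than maintain a long` / `// exclusion list we disable the audit on FIPS; the non-FIPS build still runs it and provides the coverage.`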
9 changes: 8 additions & 1 deletion modules/transport-netty4/build.gradle
Expand Up @@ -83,7 +83,6 @@ thirdPartyAudit.excludes = [
'io.netty.internal.tcnative.SSLContext',

// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
'org.bouncycastle.asn1.x500.X500Name',
'org.bouncycastle.cert.X509v3CertificateBuilder',
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
Expand Down Expand Up @@ -163,3 +162,11 @@ thirdPartyAudit.excludes = [
'org.conscrypt.Conscrypt',
'org.conscrypt.HandshakeListener'
]

if (project.inFipsJvm == false) {
// BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
// a FIPS JVM with BouncyCastleFIPS Provider
thirdPartyAudit.excludes += [
'org.bouncycastle.asn1.x500.X500Name'
]
}
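Review bot: Only `org.bouncycastle.asn1.x500.X500Name` is moved under the `inFipsJvm == false` guard, while the sibling `org.bouncycastle.cert.*` exclusions at the top of the section stay unconditional, and nothing says why — presumably the FIPS JVM's provider supplies the `asn1` package but not the `cert` package, but a reader may assume the other entries were simply missed. Suggest making that explicit: `// The FIPS JVM's BouncyCastle provider supplies X500Name (but not the org.bouncycastle.cert classes above),` / `// so this exclusion is only valid, and only needed, outside a FIPS JVM.` Minor style point: `project.inFipsJvm == false` reads more naturally as `!project.inFipsJvm`, matching the positive `if (project.inFipsJvm)` form used in the other build files of this commit. The `thirdPartyAudit.excludes = [` assignment starts before the hunk.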
6 changes: 6 additions & 0 deletions plugins/ingest-attachment/build.gradle
Expand Up @@ -2141,3 +2141,9 @@ if (project.runtimeJavaVersion > JavaVersion.VERSION_1_8) {
'javax.xml.bind.Unmarshaller'
]
}

if (project.inFipsJvm) {
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
// rather than provide a long list of exclusions, disable the check on FIPS.
thirdPartyAudit.enabled = false
}
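Review bot: This `if (project.inFipsJvm)` block is a verbatim copy of the one added to `distribution/tools/plugin-cli/build.gradle` (and the same lines appear again in `x-pack/plugin/security/cli/build.gradle`), so the FIPS audit policy now lives in three places that will drift independently; consider hoisting it into a shared location — the root build script or the precommit configuration that creates `thirdPartyAudit` — and keying on a project-level flag, so one change covers every affected module. If it stays inline, at least fix the typo `manny` → `many` and note that the non-FIPS build still runs the audit, e.g. `// Third party audit is disabled on FIPS only; the non-FIPS build still runs it.`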
10 changes: 8 additions & 2 deletions plugins/transport-nio/build.gradle
Expand Up @@ -62,7 +62,6 @@ thirdPartyAudit.excludes = [
'io.netty.internal.tcnative.SSLContext',

// from io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator (netty)
'org.bouncycastle.asn1.x500.X500Name',
'org.bouncycastle.cert.X509v3CertificateBuilder',
'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
Expand Down Expand Up @@ -141,4 +140,11 @@ thirdPartyAudit.excludes = [
'org.conscrypt.BufferAllocator',
'org.conscrypt.Conscrypt',
'org.conscrypt.HandshakeListener'
]
]
if (project.inFipsJvm == false) {
// BouncyCastleFIPS provides this class, so the exclusion is invalid when running CI in
// a FIPS JVM with BouncyCastleFIPS Provider
thirdPartyAudit.excludes += [
'org.bouncycastle.asn1.x500.X500Name'
]
}
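Review bot: The new guard is appended directly after the closing `]` with no blank line, unlike the identical block added to `modules/transport-netty4/build.gradle`, and it repeats that block and its comment word for word; since both modules carry the same netty `BouncyCastleSelfSignedCertGenerator` exclusion, a single shared definition of the FIPS-conditional entry would keep the two from drifting. At minimum add the blank line before `if (project.inFipsJvm == false) {` and prefer `!project.inFipsJvm` for consistency with the positive form used elsewhere in this commit. The `thirdPartyAudit.excludes = [` assignment starts before the hunk.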
14 changes: 12 additions & 2 deletions x-pack/plugin/security/cli/build.gradle
@@ -1,3 +1,5 @@
import org.elasticsearch.gradle.precommit.ForbiddenApisCliTask

apply plugin: 'elasticsearch.build'

archivesBaseName = 'elasticsearch-security-cli'
Expand All @@ -6,8 +8,8 @@ dependencies {
compileOnly "org.elasticsearch:elasticsearch:${version}"
// "org.elasticsearch.plugin:x-pack-core:${version}" doesn't work with idea because the testArtifacts are also here
compileOnly project(path: xpackModule('core'), configuration: 'default')
compile 'org.bouncycastle:bcprov-jdk15on:1.59'
compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
compile 'org.bouncycastle:bcprov-jdk15on:1.59'
testImplementation 'com.google.jimfs:jimfs:1.1'
testCompile "junit:junit:${versions.junit}"
testCompile "org.hamcrest:hamcrest-all:${versions.hamcrest}"
Expand All @@ -20,6 +22,14 @@ dependencyLicenses {
mapping from: /bc.*/, to: 'bouncycastle'
}

if (inFipsJvm) {
if (project.inFipsJvm) {
test.enabled = false
// Forbiden APIs non-portable checks fail because bouncy castle classes being used from the FIPS JDK since those are
// not part of the Java specification - all of this is as designed, so we have to relax this check for FIPS.
tasks.withType(ForbiddenApisCliTask) {
bundledSignatures -= "jdk-non-portable"
}
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
// rather than provide a long list of exclusions, disable the check on FIPS.
thirdPartyAudit.enabled = false
}
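Review bot: `bundledSignatures -= "jdk-non-portable"` is applied to every `ForbiddenApisCliTask` in the project on FIPS, so any non-portable JDK usage in this module's own main or test sources — not only the BouncyCastle classes the comment is about — goes unchecked in FIPS CI; that is tolerable only because the non-FIPS build still enforces the signature, and the comment should say so rather than leave the reader to infer it. The comment also has typos (`Forbiden`, `manny`). Suggested wording: `// On a FIPS JVM the BouncyCastle classes live in the JDK and trip the jdk-non-portable signature by design,` / `// so drop that signature here; the non-FIPS build still enforces it, so no coverage is lost overall.` The `test.enabled = false` line predates this commit and is not re-raised.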
