Enable testing in FIPS140 JVM #31666
Conversation
JKS keystores cannot be used in a FIPS JVM as attempting to use one in order to init a KeyManagerFactory or a TrustManagerFactory is not allowed. (JKS keystore algorithms for private key encryption are not FIPS 140 approved.) This commit replaces JKS keystores in our tests with the corresponding PEM encoded key and certificates both for key and trust configurations. Whenever it's not possible to refactor the test, i.e. when we are testing that we can load a JKS keystore, etc., we attempt to mute the test when we are running in a FIPS 140 JVM. Testing for the JVM is naive and is based on the name of the security provider, as we would control the testing infrastructure and so this would be reliable enough. Other cases of tests being muted are the ones that involve custom TrustStoreManagers or KeyStoreManagers, null TLS Ciphers and the SAMLAuthenticator class as we cannot sign XML documents in the way we were doing. SAMLAuthenticator tests in a FIPS JVM can be reenabled with precomputed and signed SAML messages at a later stage. It will be covered in a subsequent PR.
Pinging @elastic/es-security
@elasticmachine test this please (The failure doesn't reproduce locally)
KeyStore keyStore = KeyStore.getInstance("JKS"); | ||
keyStore.load(in, "password".toCharArray()); | ||
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); | ||
try (InputStream certFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test.crt")) { |
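Review bot: `KeyStore.getInstance("JKS")` and `KeyManagerFactory.getInstance("SunX509")` pin a keystore type whose private-key protection is not FIPS approved (the exact failure this PR works around) and a provider-specific key-manager algorithm; if those lines survive in the rewritten method, use `KeyStore.getInstance(KeyStore.getDefaultType())` and `KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())` so the java.security configuration decides, and add the comment requested below explaining why the store is assembled from `/test.crt` programmatically instead of being loaded from a JKS file.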
can you add a comment that this builds a keystore programmatically so that it is keystore format independent?
Well, it is not entirely keystore format independent. This was changed for the same reason the tests that load a JKS keystore from disk are changed. One can't call KeyManagerFactory#init() with a JKS store in a FIPS JVM. Can it be that I missed the essence of your comment?
The main reason I want a comment is so that someone doesn’t come along and go “this is silly let’s just use a keystore”
@@ -111,6 +111,8 @@ public void testInvalidJodaPattern() { | |||
} | |||
|
|||
public void testJodaPatternLocale() { | |||
//TODO investigate if this is a bug in Joda |
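Review bot: the bare `//TODO investigate if this is a bug in Joda` above `testJodaPatternLocale()` should cite the tracking issue (#31724 is opened later in this thread) so whoever hits the muted test on a FIPS JVM can find the context; a TODO without a reference tends to outlive the investigation.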
Can you open an issue for this specifically? This is very odd for a FIPS JVM to have a date parse error
Was on my to-do list, will open ASAP.
Opened #31724, will look into it in more detail
@@ -99,6 +99,9 @@ public static void setupKeyStore() throws IOException { | |||
|
|||
@Override | |||
protected Settings nodeSettings(int nodeOrdinal) { | |||
if (inFipsJvm()) { |
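Review bot: the `if (inFipsJvm())` branch inside `nodeSettings(int nodeOrdinal)` changes what the test runs instead of skipping it, so on a FIPS JVM the suite passes against different node settings and nothing in the report says coverage was lost; a class-level assumption (an `assumeFalse(..., inFipsJvm())` in a `@ClassRule` `ExternalResource`, as discussed below for the `@BeforeClass` ordering problem) makes the skip explicit.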
can we have an assumeFalse in a before class here?
The issue with this one is that it has many @BeforeClass already and there is no guarantee the assumeFalse will be run before those. startHttp in particular will throw an error in a FIPS JVM, and so will the stopHttpd() that will run on cleanup because of @AfterClass. I discussed possibilities to mute this in a cleaner way with Tal and he suggested trying with ESIntegTestCase.ClusterScope(scope = Scope.TEST, numDataNodes = 0) so that no nodes are set up, so I can try this if the current solution is too ugly.
Can you do the one before the class in a ClassRule? We use it in a few places for cases like this. One recent case that was a bit different is #30763 and I believe there is another case in SecurityIntegTestCase
Thanks, I wasn't aware of this
@@ -53,6 +53,8 @@ public void testReadPKCS8EcKey() throws Exception { | |||
} | |||
|
|||
public void testReadEncryptedPKCS8Key() throws Exception { | |||
assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", | |||
inFipsJvm()); |
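Review bot: muting `testReadEncryptedPKCS8Key` with `assumeFalse("Can't run in a FIPS JVM, PBE KeySpec is not available", inFipsJvm())` means the encrypted-key path is never exercised on a FIPS build; consider a companion test, enabled only when `inFipsJvm()` is true, asserting that reading an encrypted PKCS#8 key fails with a clear exception rather than an opaque provider error, since a FIPS deployment with encrypted PEM keys is exactly the configuration a user will hit.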
line wrap doesn't seem necessary
@@ -197,6 +204,8 @@ public void testThatCreateSSLEngineWithOnlyTruststoreWorks() throws Exception { | |||
|
|||
|
|||
public void testCreateWithKeystoreIsValidForServer() throws Exception { | |||
assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", |
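Review bot: `assumeFalse("Can't run in a FIPS JVM, JKS keystores can't be used", inFipsJvm())` repeats the same predicate and nearly the same message already used in other test classes in this diff; a single helper on the shared test base class that takes only the reason string would keep the wording consistent and make every FIPS-muted test greppable.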
remove line wrap
public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, Path truststore) throws Exception { | ||
boolean useGlobalSSL = ESTestCase.randomBoolean(); | ||
public static LDAPConnection openConnection(String url, String bindDN, String bindPassword, List<String> certificateAuthorities) throws | ||
Exception { |
for the line wrap can you split it right before List<String? I find this easier to read
@@ -1907,7 +1910,7 @@ private void signElement(Element parent, Tuple<X509Certificate, PrivateKey> keyP | |||
final String refID = "#" + parent.getAttribute("ID"); | |||
final X509Certificate certificate = keyPair.v1(); | |||
final PrivateKey privateKey = keyPair.v2(); | |||
final XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM"); | |||
final XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", "SUN"); |
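Review bot: `XMLSignatureFactory.getInstance("DOM", "SUN")` hard-codes a provider for the XML signature mechanism, which bypasses the provider ordering a FIPS-configured java.security relies on and is the kind of pin that makes the SAML tests unportable; the author confirms below it is a leftover, so drop the second argument and keep `XMLSignatureFactory.getInstance("DOM")`.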
can we leave the provider off?
That was leftover from some testing
.put("xpack.security.audit.enabled", false) | ||
.put(XPackSettings.WATCHER_ENABLED.getKey(), false) | ||
.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false); | ||
.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", Arrays.asList |
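Review bot: the builder chain ends with `.put(TestZenDiscovery.USE_MOCK_PINGS.getKey(), false);` and then continues with `.putList("transport.profiles.client.xpack.security.ssl.certificate_authorities", Arrays.asList`; make sure the terminating semicolon moved to the new last call, since a continuation after a terminated statement does not compile, and put the `Arrays.asList` argument on its own line as requested below so the certificate list is readable.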
move Arrays.asList to the line below
@@ -96,6 +97,11 @@ private Path initTempDir() throws Exception { | |||
return tempDir; | |||
} | |||
|
|||
@BeforeClass | |||
public static void chechFipsJvm() { |
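Review bot: `@BeforeClass public static void chechFipsJvm()` (typo aside) carries an assumption whose effect depends on `@BeforeClass` ordering: JUnit gives no guarantee it runs before other static setup in the class or its superclasses, so a FIPS JVM can still reach the unsupported code path before the assumption fires; the `@ClassRule` `ExternalResource` pattern discussed above avoids that.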
s/chech/check
builder.put("xpack.ssl.keystore.path", store) | ||
.put("xpack.ssl.verification_mode", "certificate") | ||
.put("xpack.ssl.truststore.path", store); | ||
private void addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert, List<String> |
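Review bot: the keystore variant sets `xpack.ssl.verification_mode` to `certificate` next to the keystore and truststore paths; the new `addSslSettingsForKeyPair(Settings.Builder builder, Path key, String keyPassphrase, Path cert, List<String> ...)` should set the same verification mode, otherwise the PEM-based tests run with a different, possibly weaker, verification mode than the keystore tests they replace. Also split the wrapped parameter list so type and name stay on one line, as requested below.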
split the line with both the type and variable name for readability
public static final ExternalResource MUTE_IN_FIPS_JVM = new ExternalResource() { | ||
@Override | ||
protected void before() { | ||
assumeFalse("Can't run in a FIPS JVM because none if the supported Keystore types can be used", inFipsJvm()); |
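Review bot: `MUTE_IN_FIPS_JVM` only does its job when applied with `@ClassRule`; as a plain `@Rule` the `assumeFalse` in `before()` fires per test method, after `@BeforeClass` setup has already run down the unsupported keystore path, so document the intended usage on the constant. Also `none if the supported Keystore types` should read `none of`.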
s/if/of
I left a few minor comments, but otherwise LGTM
sslContext = SSLContext.getInstance("TLSv1.2"); | ||
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); | ||
sslContext.init(new KeyManager[]{km}, new TrustManager[]{tm}, new SecureRandom()); | ||
return sslContext; |
indentation is off after other changes
SSLContext context = SSLContext.getInstance("TLSv1.2"); | ||
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); | ||
context.init(new KeyManager[]{km}, new TrustManager[]{tm}, new SecureRandom()); |
can you add spaces? new KeyManager[] { km }, new TrustManager[] { tm }
This was previously mistakenly removed in one of the refactoring phases.
@elasticmachine test this please
* master:
  Painless: Simplify Naming in Lookup Package (#32177)
  Handle missing values in painless (#32207)
  add support for write index resolution when creating/updating documents (#31520)
  ECS Task IAM profile credentials ignored in repository-s3 plugin (#31864)
  Remove indication of future multi-homing support (#32187)
  Rest test - allow for snapshots to take 0 milliseconds
  Make x-pack-core generate a pom file
  Rest HL client: Add put watch action (#32026)
  Build: Remove pom generation for plugin zip files (#32180)
  Fix comments causing errors with Java 11
  Fix rollup on date fields that don't support epoch_millis (#31890)
  Detect and prevent configuration that triggers a Gradle bug (#31912)
  [test] port linux package packaging tests (#31943)
  Revert "Introduce a Hashing Processor (#31087)" (#32178)
  Remove empty @return from JavaDoc
  Adjust SSLDriver behavior for JDK11 changes (#32145)
  [test] use randomized runner in packaging tests (#32109)
  Add support for field aliases. (#32172)
  Painless: Fix caching bug and clean up addPainlessClass. (#32142)
  Call setReferences() on custom referring tokenfilters in _analyze (#32157)
  Fix BwC Tests looking for UUID Pre 6.4 (#32158)
  Improve docs for search preferences (#32159)
  use before instead of onOrBefore
  Add more contexts to painless execute api (#30511)
  Add EC2 credential test for repository-s3 (#31918)
  A replica can be promoted and started in one cluster state update (#32042)
  Fix Java 11 javadoc compile problem
  Fix CP for namingConventions when gradle home has spaces (#31914)
  Fix `range` queries on `_type` field for singe type indices (#31756)
  [DOCS] Update TLS on Docker for 6.3 (#32114)
  ESIndexLevelReplicationTestCase doesn't support replicated failures but it's good to know what they are
  Remove versionType from translog (#31945)
  Switch distribution to new style Requests (#30595)
  Build: Skip jar tests if jar disabled
  Painless: Add PainlessClassBuilder (#32141)
  Build: Make additional test deps of check (#32015)
  Disable C2 from using AVX-512 on JDK 10 (#32138)
  Build: Move shadow customizations into common code (#32014)
  Painless: Fix Bug with Duplicate PainlessClasses (#32110)
  Remove empty @param from Javadoc
  Re-disable packaging tests on suse boxes
  Docs: Fix missing example script quote (#32010)
  [ML] Wait for aliases in multi-node tests (#32086)
  [ML] Move analyzer dependencies out of categorization config (#32123)
  Ensure to release translog snapshot in primary-replica resync (#32045)
  Handle TokenizerFactory TODOs (#32063)
  Relax TermVectors API to work with textual fields other than TextFieldType (#31915)
  Updates the build to gradle 4.9 (#32087)
  Mute :qa:mixed-cluster indices.stats/10_index/Index - all’
  Check that client methods match API defined in the REST spec (#31825)
  Enable testing in FIPS140 JVM (#31666)
  Fix put mappings java API documentation (#31955)
  Add exclusion option to `keep_types` token filter (#32012)
  [Test] Modify assert statement for ssl handshake (#32072)
* es/6.x: (24 commits)
  Fix broken backport
  Switch full-cluster-restart to new style Requests (#32140)
  Fix multi level nested sort (#32204)
  MINOR: Remove unused `IndexDynamicSettings` (#32237) (#32248)
  [Tests] Remove QueryStringQueryBuilderTests#toQuery class assertions (#32236)
  Switch rolling restart to new style Requests (#32147)
  Enhance Parent circuit breaker error message (#32056)
  [ML] Use default request durability for .ml-state index (#32233)
  Enable testing in FIPS140 JVM (#31666) (#32231)
  Remove indices stats timeout from monitoring docs
  TESTS: Check for Netty resource leaks (#31861) (#32225)
  Rename ranking evaluation response section (#32166)
  Dependencies: Upgrade to joda time 2.10 (#32160)
  Backport SSL context names (#30953) to 6.x (#32223)
  Require Gradle 4.9 as minimum version (#32200)
  Detect old trial licenses and mimic behaviour (#32209)
  Painless: Simplify Naming in Lookup Package (#32177)
  add support for write index resolution when creating/updating documents (#31520)
  A replica can be promoted and started in one cluster state update (#32042)
  Rest test - allow for snapshots to take 0 milliseconds
  ...
Now that elastic#31666 and elastic#31989 are merged we can run our tests in a FIPS JVM. This commit enables us to run tests on a Java 8 JVM using BouncyCastleFIPS as a security Provider.
JKS keystores cannot be used in a FIPS 140 JVM as attempting to use
one in order to init a KeyManagerFactory is not
allowed. (JKS keystore algorithms for private key encryption are not
FIPS 140 approved.)
This commit replaces JKS keystores in our tests with the
corresponding PEM encoded key and certificates for most of key and
trust configurations. JKS keystores are still used in some places as
a TrustManagerFactory can be initialized with JKS keystores.
Whenever it's not possible to refactor the test, i.e. when we are
testing that we can load a JKS keystore, etc., we attempt to
mute the test when we are running in a FIPS 140 JVM. Testing for the
JVM is naive and is based on the name of the security provider, as
we would control the testing infrastructure and so this would be
reliable enough.
Other cases of tests being muted are the ones that involve custom
TrustStoreManagers or KeyStoreManagers, null TLS Ciphers and the
SAMLAuthenticator class as we cannot sign XML documents in the
way we were doing. SAMLAuthenticator tests in a FIPS JVM can be
reenabled with precomputed and signed SAML messages at a later stage.
It will be covered in a subsequent PR.
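The PR description and the commit message above both describe the same technique: build the key and trust material from PEM files so that no JKS keystore is ever handed to a KeyManagerFactory, and detect a FIPS JVM naively from the name of the highest-priority security provider. The class below is an added example that shows that technique end to end; it is not Elasticsearch code and does not reproduce the project's own helpers. The class name, the file-path parameters, the "key"/"ca-N" aliases and the throwaway in-memory password are assumptions made for the example. It relies on one configuration assumption that the PR also relies on: when running under a FIPS provider, java.security sets keystore.type to an approved type (for BouncyCastle FIPS that is BCFKS), so KeyStore.getDefaultType() never yields JKS there.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Elasticsearch code): builds an SSLContext from PEM files
 * without ever loading a JKS keystore, so the same path works on a stock JDK
 * and on a FIPS 140 configured JVM. Class and method names are assumptions.
 */
public final class PemSslContextBuilder {

    private PemSslContextBuilder() {}

    /**
     * Naive FIPS detection in the spirit of the PR: inspect the name of the
     * highest-priority provider. Acceptable for test infrastructure that controls
     * its own java.security file; not a general-purpose approved-mode check.
     */
    public static boolean inFipsJvm() {
        return Security.getProviders()[0].getName().toLowerCase(Locale.ROOT).contains("fips");
    }

    /**
     * Parses an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----").
     * Encrypted PKCS#8 is rejected up front: decrypting it needs a PBE KeySpec,
     * which the PR notes is unavailable in a FIPS JVM, so fail with a clear message.
     */
    public static PrivateKey readPkcs8PrivateKey(Path pemFile, String keyAlgorithm)
            throws IOException, GeneralSecurityException {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        if (pem.contains("ENCRYPTED PRIVATE KEY")) {
            throw new GeneralSecurityException("encrypted PKCS#8 keys are not supported here; decrypt offline first");
        }
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(keyAlgorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads every X.509 certificate in a PEM bundle; CertificateFactory accepts PEM directly. */
    public static List<X509Certificate> readCertificates(Path pemFile) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            List<X509Certificate> certs = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
            return certs;
        }
    }

    /**
     * In-memory keystore of the JVM's default type: JKS or PKCS12 on a stock JDK,
     * BCFKS when java.security is configured for BouncyCastle FIPS (assumption, see lead-in).
     * Never hardcoding "JKS" is what keeps the KeyManagerFactory init legal in both.
     */
    private static KeyStore emptyKeyStore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }

    public static SSLContext build(Path keyPem, String keyAlgorithm, Path certChainPem, Path caBundlePem)
            throws IOException, GeneralSecurityException {
        // Key material: the KeyStore API needs a password even for a store that is never persisted.
        char[] inMemoryPassword = "not-persisted".toCharArray();
        KeyStore keyStore = emptyKeyStore();
        List<X509Certificate> chain = readCertificates(certChainPem);
        keyStore.setKeyEntry("key", readPkcs8PrivateKey(keyPem, keyAlgorithm), inMemoryPassword,
                chain.toArray(new X509Certificate[0]));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, inMemoryPassword);

        // Trust material: one trusted-certificate entry per CA in the bundle.
        KeyStore trustStore = emptyKeyStore();
        int n = 0;
        for (X509Certificate ca : readCertificates(caBundlePem)) {
            trustStore.setCertificateEntry("ca-" + n++, ca);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

A test that must be muted on FIPS would pair this with the class-level assumption discussed in the thread (assumeFalse("...", PemSslContextBuilder.inFipsJvm()) from a @ClassRule ExternalResource rather than a @BeforeClass method, so it runs before any other static setup). The explicit rejection of encrypted PKCS#8 input is deliberate: on a FIPS JVM the alternative is an opaque provider exception from deep inside the PBE code path, which is far harder for a user to diagnose than a message naming the unsupported input.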