-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for FIPS compliance mode #14912
base: main
Are you sure you want to change the base?
Support for FIPS compliance mode #14912
Conversation
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
8e8ed47
to
6016d5d
Compare
❌ Gradle check result for 8e8ed47: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
.../identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
Outdated
Show resolved
Hide resolved
Could use some help maybe from @cwperks or @peternied reviewing this, please. |
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
Outdated
Show resolved
Hide resolved
2aa0d1d
to
246aeed
Compare
buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java
Outdated
Show resolved
Hide resolved
distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java
Outdated
Show resolved
Hide resolved
❌ Gradle check result for 246aeed: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
246aeed
to
7e16ec6
Compare
❌ Gradle check result for 350a69e: SUCCESS Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # server/build.gradle
Signed-off-by: Iwan Igonin <iigonin@sternad.de> � Please enter the commit message for your changes. Lines starting � with '�' will be ignored, and an empty message aborts the commit. � � interactive rebase in progress; onto 4b284c5 � Last commands done (2 commands done): � pick a47f4e6 Draft to allow run in FIPS compliace mode � pick 0bee0a8 make tests run without BC (not BCFIPS) libraries. � Next commands to do (8 remaining commands): � pick 4fc6201 disable approved-only mode for launch configuration of testcluster � pick 321929f update all BC libraries to support JAVA 21 � You are currently rebasing branch 'fips_compliance2' on '4b284c54270'. � � Changes to be committed: � modified: buildSrc/build.gradle � modified: buildSrc/src/main/java/org/opensearch/gradle/OpenSearchTestBasePlugin.java � modified: buildSrc/src/main/java/org/opensearch/gradle/info/BuildParams.java � modified: client/rest/build.gradle � new file: client/rest/licenses/bc-fips-1.0.2.4.jar.sha1 � new file: client/rest/licenses/bctls-fips-1.0.19.jar.sha1 � new file: client/rest/licenses/bouncycastle-LICENSE.txt � new file: client/rest/licenses/bouncycastle-NOTICE.txt � modified: client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java � modified: distribution/src/config/fips_java.security � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/AddFileKeyStoreCommandTests.java � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/AddStringKeyStoreCommandTests.java � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/ChangeKeyStorePasswordCommandTests.java � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/KeyStoreWrapperTests.java � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/ListKeyStoreCommandTests.java � modified: distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/RemoveSettingKeyStoreCommandTests.java � modified: distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java � modified: distribution/tools/plugin-cli/build.gradle � modified: gradle/libs.versions.toml � modified: libs/ssl-config/build.gradle � deleted: libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1 � new file: libs/ssl-config/licenses/bouncycastle-LICENSE.txt � new file: libs/ssl-config/licenses/bouncycastle-NOTICE.txt � modified: libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java � modified: libs/ssl-config/src/main/java/org/opensearch/common/ssl/PemUtils.java � modified: libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemKeyConfigTests.java � modified: libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemTrustConfigTests.java � modified: libs/ssl-config/src/test/java/org/opensearch/common/ssl/PemUtilsTests.java � modified: modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java � modified: modules/transport-netty4/build.gradle � modified: modules/transport-netty4/src/test/java/org/opensearch/http/netty4/ssl/SecureNetty4HttpServerTransportTests.java � modified: modules/transport-netty4/src/test/java/org/opensearch/transport/netty4/ssl/SimpleSecureNetty4TransportTests.java � deleted: modules/transport-netty4/src/test/resources/netty4-secure.jks � new file: modules/transport-netty4/src/test/resources/netty4-secure.p12 � modified: plugins/discovery-azure-classic/src/internalClusterTest/java/org/opensearch/discovery/azure/classic/AzureDiscoveryClusterFormationTests.java � deleted: plugins/identity-shiro/licenses/bcprov-jdk18on-1.78.jar.sha1 � deleted: plugins/identity-shiro/licenses/bcprov-jdk18on-LICENSE.txt � new file: plugins/identity-shiro/licenses/password4j-1.8.2.jar.sha1 � new file: plugins/identity-shiro/licenses/password4j-LICENSE.txt � renamed: plugins/identity-shiro/licenses/bcprov-jdk18on-NOTICE.txt -> plugins/identity-shiro/licenses/password4j-NOTICE.txt � modified: plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java � modified: plugins/repository-azure/build.gradle � modified: plugins/telemetry-otel/build.gradle � modified: server/build.gradle � new file: server/licenses/bc-fips-1.0.2.4.jar.sha1 � new file: server/licenses/bctls-fips-1.0.19.jar.sha1 � new file: server/licenses/bouncycastle-LICENSE.txt � new file: server/licenses/bouncycastle-NOTICE.txt � modified: server/src/main/java/org/opensearch/bootstrap/Bootstrap.java � modified: server/src/main/java/org/opensearch/common/settings/FipsSettings.java � modified: server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java � modified: server/src/main/resources/org/opensearch/bootstrap/security.policy � modified: server/src/main/resources/org/opensearch/bootstrap/test-framework.policy �
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # buildSrc/version.properties
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
…ional tests. Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
350a69e
to
26fa0b1
Compare
936d0b4
to
7a44f38
Compare
❌ Gradle check result for 7a44f38: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
7a44f38
to
17f6d8e
Compare
❌ Gradle check result for 17f6d8e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Description
OPENSEARCH_CRYPTO_STANDARD=FIPS-140-3
.This PR provides FIPS 140-3 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.