From f03f644dac804c5f9e1d868ea6354f4ae6ca80e4 Mon Sep 17 00:00:00 2001
From: Artem Prigoda
Date: Tue, 12 Apr 2022 13:35:36 +0200
Subject: [PATCH 1/3] [discovery-gce] Fix initialisation of transport in FIPS mode

Load the the keystore with Google certificates in the JKS format instead of the default p12 which is not compatible with FIPS.
---
 .../cloud/gce/GceInstancesServiceImpl.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java
index 5667de257d867..7aeea82b1edf0 100644
--- a/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java
+++ b/plugins/discovery-gce/src/main/java/org/elasticsearch/cloud/gce/GceInstancesServiceImpl.java
@@ -8,8 +8,8 @@
 
 package org.elasticsearch.cloud.gce;
 
+import com.google.api.client.googleapis.GoogleUtils;
 import com.google.api.client.googleapis.compute.ComputeCredential;
-import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
 import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.http.HttpRequest;
@@ -19,6 +19,7 @@
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
 import com.google.api.client.json.jackson2.JacksonFactory;
+import com.google.api.client.util.SecurityUtils;
 import com.google.api.services.compute.Compute;
 import com.google.api.services.compute.model.Instance;
 import com.google.api.services.compute.model.InstanceList;
@@ -36,6 +37,7 @@
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -173,7 +175,12 @@ private static boolean headerContainsMetadataFlavor(HttpResponse response) {
     protected synchronized HttpTransport getGceHttpTransport() throws GeneralSecurityException, IOException {
         if (gceHttpTransport == null) {
             if (validateCerts) {
-                gceHttpTransport = GoogleNetHttpTransport.newTrustedTransport();
+                // Manually load the certificates in the jks format instead of the default p12 which is not compatible with FIPS.
+                KeyStore certTrustStore = SecurityUtils.getJavaKeyStore();
+                try (var is = GoogleUtils.class.getResourceAsStream("google.jks")) {
+                    SecurityUtils.loadKeyStore(certTrustStore, is, "notasecret");
+                }
+                gceHttpTransport = new NetHttpTransport.Builder().trustCertificates(certTrustStore).build();
             } else {
                 // this is only used for testing - alternative we could use the defaul keystore but this requires special configs too..
                 gceHttpTransport = new NetHttpTransport.Builder().doNotValidateCertificate().build();

From 835969928b05de2a66ed733e7337f31b08eda913 Mon Sep 17 00:00:00 2001
From: Artem Prigoda
Date: Tue, 12 Apr 2022 13:37:04 +0200
Subject: [PATCH 2/3] Update docs/changelog/85817.yaml

---
 docs/changelog/85817.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 docs/changelog/85817.yaml

diff --git a/docs/changelog/85817.yaml b/docs/changelog/85817.yaml
new file mode 100644
index 0000000000000..76c2c3ffd8ce2
--- /dev/null
+++ b/docs/changelog/85817.yaml
@@ -0,0 +1,5 @@
+pr: 85817
+summary: "[discovery-gce] Fix initialisation of transport in FIPS mode"
+area: Discovery-Plugins
+type: bug
+issues: []

From 5b6f23d0c6d06ac4c27ac8ba8fbf779f9d02fff1 Mon Sep 17 00:00:00 2001
From: Artem Prigoda
Date: Tue, 12 Apr 2022 16:29:20 +0200
Subject: [PATCH 3/3] Update docs/changelog/85817.yaml

---
 docs/changelog/85817.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/docs/changelog/85817.yaml b/docs/changelog/85817.yaml
index 76c2c3ffd8ce2..7d5e70bac6fbf 100644
--- a/docs/changelog/85817.yaml
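Review bot: `GoogleUtils.class.getResourceAsStream("google.jks")` returns null when the resource is absent from the classpath, and the added `SecurityUtils.loadKeyStore(certTrustStore, is, "notasecret")` then hands that null stream to `KeyStore.load`, which initialises an empty trust store instead of failing where the mistake is; the try block should guard it with `if (is == null) { throw new IOException("google.jks trust store not found on classpath"); }` before the load. An empty trust store should still fail closed once the SSL context is built, but the resulting error would point at TLS setup rather than at the missing resource, which is what an operator in FIPS mode would need to see. The literal `"notasecret"` appears to be the fixed integrity password of the library-bundled store rather than a credential, so a comment such as `// "notasecret" is the published integrity password of the bundled google.jks, not a secret` on that line would keep it from being flagged as a hard-coded secret. getGceHttpTransport's body continues past the end of the hunk.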
+++ b/docs/changelog/85817.yaml
@@ -2,4 +2,5 @@ pr: 85817
 summary: "[discovery-gce] Fix initialisation of transport in FIPS mode"
 area: Discovery-Plugins
 type: bug
-issues: []
+issues:
+  - 85803