

make tests run without BC (not BCFIPS) libraries.
Signed-off-by: Iwan Igonin <iigonin@sternad.de>

# Conflicts:
#	client/rest/build.gradle
#	distribution/tools/plugin-cli/build.gradle
#	server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
iigonin committed Oct 25, 2024
1 parent a47f4e6 commit 0bee0a8
Showing 53 changed files with 455 additions and 231 deletions.
2 changes: 1 addition & 1 deletion buildSrc/build.gradle
Expand Up @@ -123,7 +123,7 @@ dependencies {
api 'org.jruby.joni:joni:2.2.1'
api "com.fasterxml.jackson.core:jackson-databind:${props.getProperty('jackson_databind')}"
api "org.ajoberstar.grgit:grgit-core:5.2.1"
api "org.bouncycastle:bc-fips:1.0.2.5"
api "org.bouncycastle:bc-fips:${props.getProperty('bouncycastle_jce')}"


testFixturesApi "junit:junit:${props.getProperty('junit')}"
Expand Up @@ -164,6 +164,11 @@ public void execute(Task t) {
test.systemProperty("tests.seed", BuildParams.getTestSeed());
}

test.systemProperty(
"java.security.properties",
project.getRootProject().getLayout().getProjectDirectory() + "/distribution/src/config/fips_java.security"
);

// don't track these as inputs since they contain absolute paths and break cache relocatability
File gradleHome = project.getGradle().getGradleUserHomeDir();
String gradleVersion = project.getGradle().getGradleVersion();
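Review bot: The new `java.security.properties` value on the lines after `test.systemProperty(` embeds the absolute root project directory, which is exactly what the comment two lines below warns against for the Gradle-home properties ("contain absolute paths and break cache relocatability"); registered through `test.systemProperty(...)` it becomes a tracked input, so the test task's cache key now depends on the checkout location. If the plugin already routes the Gradle-home properties through a non-input provider (the code that consumes `gradleHome` and `gradleVersion` runs past the hunk, so I cannot see it), the FIPS overlay should be registered the same way. The setting also applies to every test task, so a comment such as `// every test JVM runs with the FIPS java.security overlay from the distribution; a value without a leading '=' overlays the JDK master file rather than replacing it` would save the next reader a lookup. The enclosing `execute(Task t)` starts before the hunk.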
Expand Up @@ -52,7 +52,6 @@ public class BuildParams {
private static JavaVersion gradleJavaVersion;
private static JavaVersion runtimeJavaVersion;
private static String runtimeJavaDetails;
@Deprecated
private static Boolean inFipsJvm;
private static String gitRevision;
private static String gitOrigin;
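Review bot: Dropping `@Deprecated` from `inFipsJvm` reinstates it as a supported build parameter, yet the same commit deletes every `inFipsJvm()` branch in the keystore tests, so a reader of this class cannot tell what the flag now signals. A comment on the field would settle it, e.g. `// set when the Gradle runtime JVM itself runs with a FIPS provider; test JVMs get the FIPS java.security overlay regardless (see the test plugin)`, if that is indeed the intended meaning. The field is a boxed `Boolean`, so an accessor that unboxes it before initialization fails with an NPE; the accessor is outside the hunk, so I cannot tell whether it guards that. The `BuildParams` class starts before the hunk.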
5 changes: 4 additions & 1 deletion buildSrc/version.properties
Expand Up @@ -55,7 +55,10 @@ reactivestreams = 1.0.4
# when updating this version, you need to ensure compatibility with:
# - plugins/ingest-attachment (transitive dependency, check the upstream POM)
# - distribution/tools/plugin-cli
bouncycastle=1.78
bouncycastle_jce=1.0.2.4
bouncycastle_tls=1.0.19
bouncycastle_pkix=1.0.7
bouncycastle_pg=1.0.7.1
# test dependencies
randomizedrunner = 2.7.1
junit = 4.13.2
18 changes: 18 additions & 0 deletions client/rest/build.gradle
Expand Up @@ -51,6 +51,8 @@ dependencies {
api "commons-codec:commons-codec:${versions.commonscodec}"
api "commons-logging:commons-logging:${versions.commonslogging}"
api "org.slf4j:slf4j-api:${versions.slf4j}"
api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"

// reactor
api "io.projectreactor:reactor-core:${versions.reactor}"
Expand All @@ -70,6 +72,10 @@ dependencies {
testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
}

tasks.named("dependencyLicenses").configure {
mapping from: /bc.*/, to: 'bouncycastle'
}

tasks.withType(CheckForbiddenApis).configureEach {
//client does not depend on server, so only jdk and http signatures should be checked
replaceSignatureFiles('jdk-signatures', 'http-signatures')
Expand Down Expand Up @@ -141,6 +147,18 @@ thirdPartyAudit {
'reactor.blockhound.integration.BlockHoundIntegration'
)
ignoreViolations(
'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2',
'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'
)
}
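Review bot: `api "org.bouncycastle:bc-fips:..."` and `api "org.bouncycastle:bctls-fips:..."` at the top of the first hunk put a full FIPS JCE/JSSE provider on the compile and runtime classpath of every consumer of the low-level REST client, which goes beyond the commit's stated aim of making tests run without the non-FIPS BC jars and is a visible change for downstream users that ship their own provider. If only the client's own tests need the provider (the builder test changed in this commit does), `testRuntimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"` and the same for `bctls-fips` would keep the published POM unchanged. The long `ignoreViolations(` list in the last hunk also deserves a one-line comment stating why these provider-internal classes are exempt (presumably they reference JDK-internal TLS key-derivation classes), otherwise a later audit pass will re-raise them without context.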
1 change: 1 addition & 0 deletions client/rest/licenses/bc-fips-1.0.2.4.jar.sha1
@@ -0,0 +1 @@
9008d04fc13da6455e6a792935b93b629757335d
1 change: 1 addition & 0 deletions client/rest/licenses/bctls-fips-1.0.19.jar.sha1
@@ -0,0 +1 @@
b15d650f6e2a9de08d5569e25a642b6a384dbfd2
14 changes: 14 additions & 0 deletions client/rest/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
1 change: 1 addition & 0 deletions client/rest/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@

Expand Up @@ -43,7 +43,7 @@

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

import java.io.IOException;
Expand Down Expand Up @@ -95,15 +95,14 @@ public static void stopHttpServers() throws IOException {
}

public void testBuilderUsesDefaultSSLContext() throws Exception {
assumeFalse("https://github.com/elastic/elasticsearch/issues/49094", inFipsJvm());
final SSLContext defaultSSLContext = SSLContext.getDefault();
try {
try (RestClient client = buildRestClient()) {
try {
client.performRequest(new Request("GET", "/"));
fail("connection should have been rejected due to SSL handshake");
fail("connection should have been rejected due to SSL failure");
} catch (Exception e) {
assertThat(e, instanceOf(SSLHandshakeException.class));
assertThat(e.getCause(), instanceOf(SSLException.class));
}
}

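Review bot: The new `assertThat(e.getCause(), instanceOf(SSLException.class))` is weaker than the `SSLHandshakeException` check it replaces: `SSLHandshakeException` is a subclass of `SSLException`, so any TLS-layer failure, not only a rejected handshake, now satisfies the test, and the `fail(...)` message on the line above was loosened to match. If the FIPS JSSE provider really surfaces the rejection as a different `SSLException` subtype, record which one in a comment next to the assertion; otherwise keep `instanceOf(SSLHandshakeException.class)` on the cause and restore the import removed at the top of the section. A null cause also fails here with an unhelpful matcher message, so `assertNotNull(e.getCause());` before the type check would make failures readable. `testBuilderUsesDefaultSSLContext` continues past the hunk.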
6 changes: 3 additions & 3 deletions distribution/src/config/fips_java.security
Expand Up @@ -22,9 +22,9 @@ ssl.KeyManagerFactory.algorithm=PKIX
ssl.TrustManagerFactory.algorithm=PKIX
networkaddress.cache.negative.ttl=10
krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 2048, DSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 2048, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DH_anon, ECDH_anon, \
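Review bot: Raising the RSA/DSA/DH floors from 1024 to 2048 in the three `disabledAlgorithms` lines is a genuine tightening (stricter than the JDK's shipped defaults for these entries), but nothing in the file records why, and any test fixture still carrying a 1024-bit key or DH group will now fail only at handshake or certpath time with a generic algorithm-constraints error. A comment above the block would make the intent durable, e.g. `# key-size floors raised to 2048 for RSA/DSA/DH (stricter than the JDK default); test fixtures must use keys at or above this`. The `EC keySize < 224` floor and the `SHA1` certpath entry are unchanged, which is consistent with the rest of the file.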
Expand Up @@ -210,17 +210,13 @@ public void testIncorrectPassword() throws Exception {
terminal.addSecretInput("thewrongkeystorepassword");
UserException e = expectThrows(UserException.class, () -> execute("foo", file.toString()));
assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
if (inFipsJvm()) {
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
}
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
}

public void testAddToUnprotectedKeystore() throws Exception {
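Review bot: Replacing the `if (inFipsJvm())` branch with an unconditional `anyOf(...)` means the non-FIPS path now also accepts "Keystore has been corrupted or tampered with" for a plain wrong password, so a regression where the CLI reports an integrity failure instead of the password error would no longer be caught; the same pattern appears in the hunks of the four following keystore test files and in the first hunk of the keystore wrapper test. If the intent is that every test JVM now runs with the FIPS provider (the build plugin hunk in this commit sets `java.security.properties` for all tests) and that provider reports a wrong password as an integrity failure, say so once above the assertion: `// with the FIPS provider a wrong password surfaces as an integrity failure, so both messages are valid`. The enclosing `testIncorrectPassword` starts before the hunk.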
Expand Up @@ -71,17 +71,13 @@ public void testInvalidPassphrease() throws Exception {
terminal.addSecretInput("thewrongpassword");
UserException e = expectThrows(UserException.class, () -> execute("foo2"));
assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
if (inFipsJvm()) {
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
}
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);

}

Expand Up @@ -104,16 +104,12 @@ public void testChangeKeyStorePasswordWrongExistingPassword() throws Exception {
// We'll only be prompted once (for the old password)
UserException e = expectThrows(UserException.class, this::execute);
assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
if (inFipsJvm()) {
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
}
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
}
}
Expand Up @@ -132,17 +132,13 @@ public void testDecryptKeyStoreWithWrongPassword() throws Exception {
SecurityException.class,
() -> loadedKeystore.decrypt(new char[] { 'i', 'n', 'v', 'a', 'l', 'i', 'd' })
);
if (inFipsJvm()) {
assertThat(
exception.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(exception.getMessage(), containsString("Provided keystore password was incorrect"));
}
assertThat(
exception.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
}

public void testCannotReadStringFromClosedKeystore() throws Exception {
Expand Down Expand Up @@ -373,8 +369,8 @@ public void testBackcompatV1() throws Exception {
output.writeString("PKCS12");
output.writeString("PBE");

SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE");
KeyStore keystore = KeyStore.getInstance("PKCS12");
SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
keystore.load(null, null);
SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
Expand Down Expand Up @@ -414,8 +410,8 @@ public void testBackcompatV2() throws Exception {
output.writeString("file_setting");
output.writeString("FILE");

SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE");
KeyStore keystore = KeyStore.getInstance("PKCS12");
SecretKeyFactory secretFactory = SecretKeyFactory.getInstance("PBE", "SunJCE");
KeyStore keystore = KeyStore.getInstance("PKCS12", "SUN");
keystore.load(null, null);
SecretKey secretKey = secretFactory.generateSecret(new PBEKeySpec("stringSecretValue".toCharArray()));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(new char[0]);
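Review bot: `SecretKeyFactory.getInstance("PBE", "SunJCE")` and `KeyStore.getInstance("PKCS12", "SUN")` in the `testBackcompatV1`/`testBackcompatV2` hunks pin the fixture-writing code to the JDK providers by name; with the FIPS `java.security` overlay now applied to every test JVM this only works if those providers remain registered there (the provider list sits above the visible part of `fips_java.security` in this commit, so I cannot confirm it), and a missing provider fails with `NoSuchProviderException` rather than a readable assertion. A short comment on each pair would record that the pin is deliberate, e.g. `// legacy V1/V2 fixture is written with the JDK providers on purpose; it must not pick up the default (FIPS) provider`. Both methods begin before their hunks.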
Expand Up @@ -90,17 +90,13 @@ public void testListWithIncorrectPassword() throws Exception {
terminal.addSecretInput("thewrongkeystorepassword");
UserException e = expectThrows(UserException.class, this::execute);
assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
if (inFipsJvm()) {
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
}
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
}

public void testListWithUnprotectedKeystore() throws Exception {
Expand Up @@ -107,18 +107,13 @@ public void testRemoveWithIncorrectPassword() throws Exception {
terminal.addSecretInput("thewrongpassword");
UserException e = expectThrows(UserException.class, () -> execute("foo"));
assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
if (inFipsJvm()) {
assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
} else {
assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
}

assertThat(
e.getMessage(),
anyOf(
containsString("Provided keystore password was incorrect"),
containsString("Keystore has been corrupted or tampered with")
)
);
}

public void testRemoveFromUnprotectedKeystore() throws Exception {
Expand Up @@ -87,8 +87,8 @@ static List<String> systemJvmOptions(final Path config) {
}

private static String loadJavaSecurityProperties(final Path config) {
var securityFile = config.resolve("fips_java.security").toFile();
return "-Djava.security.properties=" + securityFile.getAbsolutePath();
var securityFile = config.resolve("fips_java.security");
return "-Djava.security.properties=" + securityFile.toAbsolutePath();
}

private static String allowSecurityManagerOption() {
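Review bot: `loadJavaSecurityProperties` does not load anything — it builds the `-Djava.security.properties=` argument — and the sibling on the last line of the hunk is named `allowSecurityManagerOption()`, so `javaSecurityPropertiesOption(config)` would read consistently; the switch to `Path.toAbsolutePath()` itself is a fine simplification over `toFile().getAbsolutePath()`. A Javadoc line would also help, because a value without a leading `=` overlays the JDK's master `java.security` rather than replacing it, and nothing here checks that `fips_java.security` exists; as far as I recall the JDK only debug-logs an unreadable overlay and continues with its defaults, which is worth verifying since it would mean a misplaced file silently disables the FIPS configuration. The enclosing class and the `systemJvmOptions` caller start before the hunk.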
3 changes: 1 addition & 2 deletions distribution/tools/plugin-cli/build.gradle
Expand Up @@ -37,8 +37,7 @@ base {
dependencies {
compileOnly project(":server")
compileOnly project(":libs:opensearch-cli")
api "org.bouncycastle:bcpg-fips:2.0.9"
api "org.bouncycastle:bc-fips:2.0.0"
api "org.bouncycastle:bcpg-fips:${versions.bouncycastle_pg}"
testImplementation project(":test:framework")
testImplementation 'com.google.jimfs:jimfs:1.3.0'
testRuntimeOnly("com.google.guava:guava:${versions.guava}") {
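Review bot: The `api` line now resolves `bcpg-fips` to `${versions.bouncycastle_pg}`, which this commit's `version.properties` sets to 1.0.7.1, so the module moves from the 2.0.x line (bcpg-fips 2.0.9 with bc-fips 2.0.0) back to 1.0.x, and the explicit `bc-fips` dependency is dropped in the same hunk, leaving the provider to arrive only transitively through the bcpg-fips POM (if that POM declares it at compile scope, which I cannot see here). The shared `bouncycastle_jce=1.0.2.4` key likewise takes `buildSrc` and `libs/ssl-config` from 1.0.2.5 back to 1.0.2.4. If the goal is to keep every bc*-fips artifact on one matching module line, a comment next to the version keys should say so, e.g. `# bc-fips, bctls-fips, bcpkix-fips and bcpg-fips must be upgraded as a set; the 1.0.x and 2.0.x lines are not interchangeable`, otherwise the next dependency update will read these as stale and bump them individually.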
4 changes: 2 additions & 2 deletions libs/ssl-config/build.gradle
Expand Up @@ -36,8 +36,8 @@ dependencies {
api project(':libs:opensearch-common')

// bouncyCastle
implementation 'org.bouncycastle:bcpkix-fips:1.0.7'
compileOnly 'org.bouncycastle:bc-fips:1.0.2.5'
implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"

testImplementation(project(":test:framework")) {
exclude group: 'org.opensearch', module: 'opensearch-ssl-config'
1 change: 0 additions & 1 deletion libs/ssl-config/licenses/bc-fips-1.0.2.5.jar.sha1

This file was deleted.

14 changes: 14 additions & 0 deletions libs/ssl-config/licenses/bouncycastle-LICENSE.txt
@@ -0,0 +1,14 @@
Copyright (c) 2000 - 2023 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
1 change: 1 addition & 0 deletions libs/ssl-config/licenses/bouncycastle-NOTICE.txt
@@ -0,0 +1 @@

