Support for FIPS compliance mode #14912
Conversation
|
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
changed the title
beanuwave
force-pushed
the
fips_compliance2
branch
from
8e8ed47
to
6016d5d
Compare
|
❌ Gradle check result for 8e8ed47: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
requested review from
peternied,
anasalkouz,
andrross,
ashking94,
Bukhtawar,
CEHENKLE,
dblock,
dbwiddis,
gbbafna,
kotwanikunal,
mch2,
msfroh,
nknize,
owaiskazi19,
reta,
Rishikesh1159,
sachinpkale,
saratvemulapalli,
shwetathareja,
sohami and
VachaShah
as code owners
.../identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
Outdated
Show resolved
Hide resolved
|
Could use some help maybe from @cwperks or @peternied reviewing this, please. |
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
Outdated
Show resolved
Hide resolved
beanuwave
force-pushed
the
fips_compliance2
branch
from
3637ccf
to
90632d0
Compare
|
❌ Gradle check result for 90632d0: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
force-pushed
the
fips_compliance2
branch
from
90632d0
to
d5b496e
Compare
|
❌ Gradle check result for d5b496e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
force-pushed
the
fips_compliance2
branch
from
d5b496e
to
52b5345
Compare
|
❌ Gradle check result for 52b5345: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
beanuwave
force-pushed
the
fips_compliance2
branch
from
52b5345
to
89e4b57
Compare
|
❌ Gradle check result for 89e4b57: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # server/build.gradle
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # client/rest/build.gradle # distribution/tools/plugin-cli/build.gradle # server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
…ional tests. Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
beanuwave
force-pushed
the
fips_compliance2
branch
from
89e4b57
to
2aa0d1d
Compare
| // test with FIPS-140-2 enabled | ||
| plugins.withType(JavaPlugin).configureEach { | ||
| tasks.withType(Test).configureEach { testTask -> | ||
| if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') { |
There was a problem hiding this comment.
With the recent Bouncy Castle 2.x libraries used here it will also be possible to support FIPS-140-3 on Java 21
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4743
beanuwave
force-pushed
the
fips_compliance2
branch
from
2aa0d1d
to
246aeed
Compare
| @@ -112,6 +113,8 @@ public void apply(Project project) { | |||
| BuildParams.init(params -> { | |||
| // Initialize global build parameters | |||
| boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null; | |||
| var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD); | |||
| var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2"); | |||
There was a problem hiding this comment.
| import java.util.Arrays; | ||
| import java.util.Collections; | ||
| import java.util.List; | ||
| import java.util.stream.Collectors; | ||
|
|
||
| final class SystemJvmOptions { | ||
|
|
||
| static List<String> systemJvmOptions() { | ||
| protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD"; | ||
| protected static final String FIPS_140_2 = "FIPS-140-2"; |
There was a problem hiding this comment.
| @@ -143,6 +144,13 @@ def fixtureAddress = { fixture, name, port -> | |||
| 'http://127.0.0.1:' + ephemeralPort | |||
| } | |||
|
|
|||
| def applyFipsConfig(OpenSearchCluster cluster) { | |||
| if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') { | |||
There was a problem hiding this comment.
| @@ -195,6 +195,11 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot | |||
| BootstrapSettings.CTRLHANDLER_SETTING.get(settings) | |||
| ); | |||
|
|
|||
| var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD"); | |||
| if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) { | |||
There was a problem hiding this comment.
| @@ -55,7 +55,11 @@ reactivestreams = 1.0.4 | |||
| # when updating this version, you need to ensure compatibility with: | |||
| # - plugins/ingest-attachment (transitive dependency, check the upstream POM) | |||
| # - distribution/tools/plugin-cli | |||
| bouncycastle=1.78 | |||
| bouncycastle_jce=2.0.0 | |||
There was a problem hiding this comment.
Is the plan here that there will be two OpenSearch distributions, one to support the current Bouncy Castle libraries, and one containing these FIPS jars?
|
❌ Gradle check result for 246aeed: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
beanuwave
force-pushed
the
fips_compliance2
branch
from
246aeed
to
7e16ec6
Compare
Description
This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.