-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for FIPS compliance mode #14912
base: main
Are you sure you want to change the base?
Support for FIPS compliance mode #14912
Conversation
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
8e8ed47
to
6016d5d
Compare
❌ Gradle check result for 8e8ed47: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
❌ Gradle check result for 6016d5d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
.../identity-shiro/src/main/java/org/opensearch/identity/shiro/realm/BCryptPasswordMatcher.java
Outdated
Show resolved
Hide resolved
Could use some help maybe from @cwperks or @peternied reviewing this, please. |
buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java
Outdated
Show resolved
Hide resolved
3637ccf
to
90632d0
Compare
❌ Gradle check result for 90632d0: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
90632d0
to
d5b496e
Compare
❌ Gradle check result for d5b496e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
d5b496e
to
52b5345
Compare
❌ Gradle check result for 52b5345: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
52b5345
to
89e4b57
Compare
❌ Gradle check result for 89e4b57: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # server/build.gradle
Signed-off-by: Iwan Igonin <iigonin@sternad.de> # Conflicts: # client/rest/build.gradle # distribution/tools/plugin-cli/build.gradle # server/src/main/resources/org/opensearch/bootstrap/test-framework.policy
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
…ional tests. Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
89e4b57
to
2aa0d1d
Compare
// test with FIPS-140-2 enabled | ||
plugins.withType(JavaPlugin).configureEach { | ||
tasks.withType(Test).configureEach { testTask -> | ||
if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the recent Bouncy Castle 2.x libraries used here it will also be possible to support FIPS-140-3 on Java 21
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4743
2aa0d1d
to
246aeed
Compare
@@ -112,6 +113,8 @@ public void apply(Project project) { | |||
BuildParams.init(params -> { | |||
// Initialize global build parameters | |||
boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null; | |||
var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD); | |||
var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-2"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
import java.util.Arrays; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import java.util.stream.Collectors; | ||
|
||
final class SystemJvmOptions { | ||
|
||
static List<String> systemJvmOptions() { | ||
protected static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD"; | ||
protected static final String FIPS_140_2 = "FIPS-140-2"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -143,6 +144,13 @@ def fixtureAddress = { fixture, name, port -> | |||
'http://127.0.0.1:' + ephemeralPort | |||
} | |||
|
|||
def applyFipsConfig(OpenSearchCluster cluster) { | |||
if (System.getenv('OPENSEARCH_CRYPTO_STANDARD') == 'FIPS-140-2') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -195,6 +195,11 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot | |||
BootstrapSettings.CTRLHANDLER_SETTING.get(settings) | |||
); | |||
|
|||
var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD"); | |||
if (cryptoStandard != null && cryptoStandard.equals("FIPS-140-2")) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -55,7 +55,11 @@ reactivestreams = 1.0.4 | |||
# when updating this version, you need to ensure compatibility with: | |||
# - plugins/ingest-attachment (transitive dependency, check the upstream POM) | |||
# - distribution/tools/plugin-cli | |||
bouncycastle=1.78 | |||
bouncycastle_jce=2.0.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the plan here that there will be two OpenSearch distributions, one to support the current Bouncy Castle libraries, and one containing these FIPS jars?
❌ Gradle check result for 246aeed: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
246aeed
to
7e16ec6
Compare
Description
This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.