Draft to allow run in FIPS compliace mode #1
Conversation
| /* | ||
| * debug | ||
| */ | ||
| "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=192.168.33.46:5004", |
There was a problem hiding this comment.
temporary: so the running application can be remotely debugged.
| DSA keySize < 1024 | ||
| jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ | ||
| EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC | ||
| jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 |
There was a problem hiding this comment.
FIPS approved mode should override this settings anyway, so it's should be used in general for non-FIPS environment setup.
| baseConfig.put("node.portsfile", "true"); | ||
| baseConfig.put("http.port", httpPort); | ||
| baseConfig.put("transport.port", transportPort); | ||
| baseConfig.put("http.host", "192.168.33.46"); |
There was a problem hiding this comment.
temporary: test reindex API
build.gradle
Outdated
| apply from: 'gradle/formatting.gradle' | ||
| apply from: 'gradle/local-distribution.gradle' | ||
| apply from: 'gradle/fips.gradle' | ||
| apply from: 'gradle/run-with-fips.gradle' |
There was a problem hiding this comment.
this script allows to configure/build/deploy/run testcluster with included FIPS libraries.
| params.setIsInternal(isInternal); | ||
| params.setDefaultParallel(findDefaultParallel(project)); | ||
| params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false)); | ||
| params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", true)); |
There was a problem hiding this comment.
only relevant for tests
| compileOnly project(":libs:opensearch-cli") | ||
| api "org.bouncycastle:bcpg-fips:1.0.7.1" | ||
| api "org.bouncycastle:bc-fips:1.0.2.5" | ||
| implementation "org.bouncycastle:bcpg-fips:1.0.7.1" |
There was a problem hiding this comment.
should not matter
gradle/fips.gradle
Outdated
| * Modifications Copyright OpenSearch Contributors. See | ||
| * GitHub history for details. | ||
| */ | ||
|
|
There was a problem hiding this comment.
temporary: looks like this script interferes with run-with-fips script
| */ | ||
| public String getQualifiedVersion() { | ||
| return version; | ||
| return "2.14.0"; |
| final X509ExtendedTrustManager trustManager = trustConfig.createTrustManager(); | ||
| try { | ||
| SSLContext sslContext = SSLContext.getInstance(contextProtocol()); | ||
| SSLContext sslContext = SSLContext.getInstance("TLS", "BCJSSE"); |
There was a problem hiding this comment.
defaults to TLS v1.3
| /** Write the keystore to the given config directory. */ | ||
| public synchronized void save(Path configDir, char[] password) throws Exception { | ||
| ensureOpen(); | ||
| assert password.length >= 20; |
There was a problem hiding this comment.
if internal keystore is not set, application creates its own without password, but BCFIPS won't allow empty password for keystore.
| //// Must have all permissions to properly perform access checks | ||
|
|
||
| grant codeBase "${codebase.opensearch-secure-sm}" { | ||
| grant { |
beanuwave
force-pushed
the
fips_compliance
branch
5 times, most recently
from
e6b3980 to
f3d5c59
Compare
beanuwave
force-pushed
the
fips_compliance
branch
2 times, most recently
from
f70aa1c to
8ed74b9
Compare
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
beanuwave
force-pushed
the
fips_compliance
branch
from
8ed74b9 to
6016d5d
Compare
Description
This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.
Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:
Related Issues
opensearch-project/security#3420
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.