Make test-suite runnable under FIPS JVM #18491
|
❌ Gradle check result for 9b5da5c: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 986dce7: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
I'd like to raise a general point here to keep in mind with this development, especially as instructions will be required for Java setups other than the bundled version. The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12 - see https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/fips_settings#fips_settings . We'd like to ensure that code checks aren't so stringent as to prevent this setup from working. |
|
❌ Gradle check result for 939e6b5: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
939e6b5 to 11da667
|
❌ Gradle check result for 11da667: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
11da667 to 9a387a4
|
❌ Gradle check result for 9a387a4: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
9a387a4 to 4e0af75
|
❌ Gradle check result for 4e0af75: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
4e0af75 to 9efd838
|
❌ Gradle check result for 9efd838: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
9efd838 to 4fc6b40
|
❌ Gradle check result for 4fc6b40: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
4fc6b40 to 0139eaa
|
❌ Gradle check result for 0139eaa: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
0139eaa to f52e720
|
❌ Gradle check result for f52e720: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
@terryquigleysas Thank you for pointing out those limitations.
We rely on SunPKCS12 provider to load the JVM's default truststore. In case of OpenJDK the default type is the same as RHEL's - so nothing changes for us. |
Good news. Thank you for the reply. Much appreciated! |
f52e720 to cb7949d
|
❌ Gradle check result for cb7949d: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
cb7949d to 0680de8
|
❌ Gradle check result for 0680de8: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
0680de8 to 732e412
|
❌ Gradle check result for 732e412: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
732e412 to 6164088
…folders in tests' Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
d892331 to 0da4c6d
|
❌ Gradle check result for 0da4c6d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
|
❌ Gradle check result for fcc6a05: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
f8aa312 to bbf73cf
Thanks @beanuwave , sorry haven't looked yet but will do this week, thank you |
...aller-cli/src/test/java/org/opensearch/tools/cli/fips/truststore/TrustStoreServiceTests.java
|
|
||
| import static org.opensearch.client.RestClientTestCase.inFipsJvm; | ||
|
|
||
| public interface RestClientFipsAwareTestCase { |
I don't think we should make it public - it is just for module tests
| public interface RestClientFipsAwareTestCase { | |
| interface RestClientFipsAwareTestCase { |
| public interface RestClientFipsAwareTestCase { | ||
|
|
||
| default SSLContext getSslContext(boolean server) throws Exception { | ||
| String keyStoreType = inFipsJvm() ? "BCFKS" : "JKS"; |
To make it a bit more readable, please:
    default SSLContext getSslContext(boolean server) throws Exception {
        if (inFipsJvm()) {
            return getSslContext(server, "BCFKS", SecureRandom.getInstance("DEFAULT", "BCFIPS"), ".bcfks");
        } else {
            return getSslContext(server, new SecureRandom(), ".jks");
        }
    }
| } | ||
| }; | ||
|
|
||
| public static final Map<String, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>(); |
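Review bot: On the TYPE_TO_EXTENSION_MAP declaration, a public static final field initialised with new HashMap<>() stays mutable, so any caller can add or remove keystore-type mappings at runtime. Consider building the map immutably at declaration (for example with Map.of(...) or by wrapping it in Collections.unmodifiableMap), so the type-to-extension lookup cannot change after class initialisation.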
| public static final Map<String, List<String>> TYPE_TO_EXTENSION_MAP = new HashMap<>(); | |
| public static final Map<String, List<String>> TYPE_TO_EXTENSION_MAP = Map.of( | |
| "JKS", List.of(".jks", ".ks"), | |
| "PKCS12", List.of(".p12", ".pkcs12", ".pfx"), | |
| "BCFKS", List.of(".bcfks")); // Bouncy Castle FIPS Keystore |
| try { | ||
| final PrivateKey privateKey = PemUtils.readPrivateKey(key, () -> keyPassword); | ||
| final PrivateKey privateKey = PemUtils.readPrivateKey(key, () -> { | ||
| if (keyPassword.length == 0) { |
Since we always need password now, could we move this validation to constructor? (where we do null check now)
| public Optional<SSLContext> buildSecureAuxServerTransportContext(Settings settings, String auxTransportType) | ||
| throws SSLException { | ||
| // Choose a random protocol from among supported test defaults | ||
| String protocol = randomFrom(DEFAULT_SSL_PROTOCOLS); |
Shouldn't we pick from FIPS_APPROVED_PROTOCOLS or DEFAULT_SSL_PROTOCOLS here?
| (PrivilegedAction<Version>) () -> Version.parse(System.getProperty("java.version")) | ||
| ); | ||
| if (full.compareTo(Version.parse("12.0.1")) < 0) { | ||
| if (!inFipsJvm()) { |
Not related, but our baseline is JDK-21, we could clean up this code
| if (Security.getProvider("BCFIPS") != null) { | ||
| certTrustStore = KeyStore.getInstance("BCFKS"); | ||
| InputStream keyStoreStream = getClass().getResourceAsStream("/google.bcfks"); | ||
| SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret"); |
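Review bot: In the BCFIPS branch, the stream from getClass().getResourceAsStream("/google.bcfks") is passed straight to SecurityUtils.loadKeyStore with no null check, and getResourceAsStream returns null when the resource is not on the classpath. Suggest checking keyStoreStream for null and throwing an exception that names the missing trust store, so a packaging mistake does not surface later as an unrelated error.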
I believe we definitely should not hardcode password here, please have a setting for it
Let's make a setting for SSL trust as well as its passphrase w/o a fallback and use this google.bcfks store only for tests.
Thanks @beanuwave , did a first pass, a few minor comments but I have two major concerns:
Thank you. |
I believe @cwperks suggested creating a new GitHub workflow that supports both scheduled runs and PR comments. |
…or TYPE_TO_EXTENSION_MAP; revert changes to SecureSettingsHelpers.getSecureSettingsProvider; revert changes to AzureClassic Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
Sorry, a bit late here, I think this is in general viable option, but:
|
Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
… google.p12 in non-FIPS mode and an exception in FIPS mode when no truststore is set up. Signed-off-by: Igonin <[email protected]> Co-authored-by: Benny Goerzig <[email protected]> Co-authored-by: Karsten Schnitter <[email protected]> Co-authored-by: Kai Sternad <[email protected]>
|
❌ Gradle check result for 07c6358: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Description
Makes the required changes to build and test under FIPS-140-3 compliance support. FIPS mode can be activated by adding the -Pcrypto.standard=FIPS-140-3 Gradle parameter.
NOTE: :plugins:transport-reactor-netty4:test task will fail. To run properly, netty needs to be updated to a newer version, such as v4.1.127.Final.
Related Issues
Resolves RFC
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.