Remove hardcoded provider #4588
Changes from all commits
20f49f0
0f4458d
5c255ef
6b1b9a5
0781143
5b4ca68
750f4ef
4c0e650
c5a3d45
a286e29
|
@@ -36,6 +36,7 @@ | |
import java.security.AccessController; | ||
import java.security.MessageDigest; | ||
import java.security.PrivilegedAction; | ||
import java.security.Provider; | ||
import java.security.Security; | ||
import java.util.ArrayList; | ||
import java.util.Arrays; | ||
|
@@ -63,7 +64,6 @@ | |
import org.apache.logging.log4j.Logger; | ||
import org.apache.lucene.search.QueryCachingPolicy; | ||
import org.apache.lucene.search.Weight; | ||
import org.bouncycastle.jce.provider.BouncyCastleProvider; | ||
|
||
import org.opensearch.OpenSearchException; | ||
import org.opensearch.OpenSearchSecurityException; | ||
|
@@ -378,26 +378,15 @@ | |
demoCertHashes.add("a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1"); // esnode | ||
demoCertHashes.add("cd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca | ||
|
||
tryAddSecurityProviders(); | ||
|
||
// updates correct sha256sum | ||
demoCertHashes.add("a3556d6bb61f7bd63cb19b1c8d0078d30c12739dedb0455c5792ac8627782042"); // kirk | ||
demoCertHashes.add("25e34a9a5d4f1dceed1666eb624397bf3fe5787a7133cd32838ace0381bce1f7"); // kirk-key | ||
demoCertHashes.add("a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1"); // esnode | ||
demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key | ||
demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca | ||
|
||
final SecurityManager sm = System.getSecurityManager(); | ||
|
||
if (sm != null) { | ||
sm.checkPermission(new SpecialPermission()); | ||
} | ||
|
||
AccessController.doPrivileged((PrivilegedAction<Void>) () -> { | ||
if (Security.getProvider("BC") == null) { | ||
Security.addProvider(new BouncyCastleProvider()); | ||
} | ||
Comment on lines
-395
to
-397
Can you point me to the code that would be doing the instantiation instead of this block right here?
This would now be handled by the JDK setup itself which I believe is preferred. I have tested the Blake2b code and the demo certificates against a local JDK 17, the bundled JDK 21 and run the Bulk Integration Tests. Otherwise an alternative could be to hardcode one or both , e.g like 2.11...terryquigleysas:security:2.11#diff-e7ef66295cba81a49e4349781a2e9678d2b021a570e978bb4feb422b03d5d74aR334 For FIPS we can reconfigure the Java environment, e.g. #3420 (comment)
||
return null; | ||
}); | ||
|
||
final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED; | ||
if (settings.hasValue(advancedModulesEnabledKey)) { | ||
deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey); | ||
|
@@ -491,6 +480,41 @@ | |
} | ||
} | ||
|
||
@SuppressWarnings("removal") | ||
private void tryAddSecurityProviders() { | ||
final SecurityManager sm = System.getSecurityManager(); | ||
|
||
if (sm != null) { | ||
sm.checkPermission(new SpecialPermission()); | ||
} | ||
|
||
// Add provider if on the classpath. Only add first provider found. | ||
AccessController.doPrivileged((PrivilegedAction<Void>) () -> { | ||
if (Security.getProvider("BC") == null) { | ||
try { | ||
Class<?> providerClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider"); | ||
Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance(); | ||
Security.addProvider(provider); | ||
log.debug("Bouncy Castle Provider added"); | ||
return null; | ||
} catch (Exception e) { | ||
log.debug("Bouncy Castle Provider could not be added", e); | ||
} | ||
} | ||
if (Security.getProvider("BCFIPS") == null) { | ||
try { | ||
Class<?> providerClass = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); | ||
Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance(); | ||
Security.addProvider(provider); | ||
log.debug("Bouncy Castle FIPS Provider added"); | ||
} catch (Exception e) { | ||
log.debug("Bouncy Castle FIPS Provider could not be added", e); | ||
} | ||
} | ||
return null; | ||
}); | ||
} | ||
|
||
private void verifyTLSVersion(final String settings, final List<String> configuredProtocols) { | ||
for (final var tls : configuredProtocols) { | ||
if (tls.equalsIgnoreCase("TLSv1") || tls.equalsIgnoreCase("TLSv1.1")) { | ||
|
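Review bot: The comment `// Add provider if on the classpath. Only add first provider found.` in `tryAddSecurityProviders()` does not match the control flow: when `BC` is already registered, the first branch is skipped and the lambda still goes on to load and register `BCFIPS`, so both providers can end up installed. If only one is meant to be active, return early at the top of the lambda with `if (Security.getProvider("BC") != null || Security.getProvider("BCFIPS") != null) { return null; }`. Both failure paths log at debug level only, so unless the JDK's own configuration supplies a provider, a node with neither jar on the classpath presumably starts without one and the first visible symptom is a later algorithm lookup failing; a `log.warn(...)` when neither class could be loaded would make that diagnosable. The return value of `Security.addProvider(provider)` is also ignored (it is -1 when nothing was added), so the "added" debug message can be logged for a provider that was not installed.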
What was this used for? What does the special permission check do and why is it no longer needed?
@derek-ho I think this boilerplate code setup for doPrivileged calls originates from the Elasticsearch recommendations here https://www.elastic.co/guide/en/elasticsearch/plugins/current/creating-classic-plugins.html#plugin-authors-jsm