Upgrade Bouncy Castle FIPS dependencies (#112989) (#117321)

This PR updates `bc-fips` and `bctls-fips` dependencies to the latest minor versions.
2025-04-24 15:17:30 -04:00 · 2024-11-22 12:51:07 +01:00 · 2024-11-22 12:51:07 +01:00 · 029287a84a
commit 029287a84a
parent 27af37bc75
12 changed files with 34 additions and 22 deletions
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@ -24,12 +24,12 @@ if (BuildParams.inFipsJvm) {
    File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
    File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
    File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.4')
-    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17')
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
+    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
    def manualDebug = false; //change this to manually debug bouncy castle in an IDE
    if(manualDebug) {
-      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.4')
-      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17'){
+      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
+      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
        exclude group: 'org.bouncycastle', module: 'bc-fips'  // to avoid jar hell
      }
    }
--- a/build-tools-internal/src/main/resources/fips_java.policy
+++ b/build-tools-internal/src/main/resources/fips_java.policy
@ -5,6 +5,7 @@ grant {
     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.util.PropertyPermission "java.runtime.name", "read";
     permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
@ -20,6 +21,6 @@ grant {
 };

 // rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
  permission java.net.SocketPermission "*", "connect";
 };
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@ -29,7 +29,7 @@ dependencies {
  implementation 'org.ow2.asm:asm-tree:9.7'

  api "org.bouncycastle:bcpg-fips:1.0.7.1"
-  api "org.bouncycastle:bc-fips:1.0.2.4"
+  api "org.bouncycastle:bc-fips:1.0.2.5"
  testImplementation project(":test:framework")
  testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
  testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"
--- a/docs/changelog/112989.yaml
+++ b/docs/changelog/112989.yaml
@ -0,0 +1,5 @@
+pr: 112989
+summary: Upgrade Bouncy Castle FIPS dependencies
+area: Security
+type: upgrade
+issues: []
--- a/docs/reference/security/fips-140-compliance.asciidoc
+++ b/docs/reference/security/fips-140-compliance.asciidoc
@ -53,8 +53,8 @@ https://docs.oracle.com/en/java/javase/17/security/java-cryptography-architectur
 https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html[JSSE] implementation is required
 so that the JVM uses FIPS validated implementations of NIST recommended cryptographic algorithms.

-Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.4/bc-fips-1.0.2.4.jar[bc-fips 1.0.2.4]
-and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.17/bctls-fips-1.0.17.jar[bctls-fips 1.0.17].
+Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar[bc-fips 1.0.2.5]
+and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.19/bctls-fips-1.0.19.jar[bctls-fips 1.0.19].
 Please refer to the {es}
 https://www.elastic.co/support/matrix#matrix_jvm[JVM support matrix] for details on which combinations of JVM and security provider are supported in FIPS mode. Elasticsearch does not ship with a FIPS certified provider. It is the responsibility of the user
 to install and configure the security provider to ensure compliance with FIPS 140-2. Using a FIPS certified provider will ensure that only
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@ -3243,14 +3243,14 @@
            <sha256 value="d749db58c2bd353f1c03541d747b753931d4b84da8e48993ef51efe8694b4ed7" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.4">
-         <artifact name="bc-fips-1.0.2.4.jar">
-            <sha256 value="703ecd8a3a619800269bc8cd442f2ebf469bd2fe70478364f58ddc6460c35f9f" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.5">
+         <artifact name="bc-fips-1.0.2.5.jar">
+            <sha256 value="50e4c7a0d0c68413d3d8587560d56945ac09e7c89c41bd971cd22d76be6f1085" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.4">
-         <artifact name="bc-fips-debug-1.0.2.4.jar">
-            <sha256 value="a025e947c9c91d023bf2a0a3a74d78d5f8b9f6f0f4de13dc52025f2b996a306b" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.5">
+         <artifact name="bc-fips-debug-1.0.2.5.jar">
+            <sha256 value="5cfda7e020c5c1a3b1724386f139957472e551494254b8fc74e34f73590fc605" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="org.bouncycastle" name="bcpg-fips" version="1.0.7.1">
@ -3288,9 +3288,9 @@
            <sha256 value="add5915e6acfc6ab5836e1fd8a5e21c6488536a8c1f21f386eeb3bf280b702d7" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="org.bouncycastle" name="bctls-fips" version="1.0.17">
-         <artifact name="bctls-fips-1.0.17.jar">
-            <sha256 value="51dfd28ec370f27ba4efc10ec8e21129e34e2f2340ac465a6d17a468e0a4696d" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bctls-fips" version="1.0.19">
+         <artifact name="bctls-fips-1.0.19.jar">
+            <sha256 value="a0bbad2eb5268f1baa08f0e2e69cb61cd292e19e73595c620d586d335d97d1a8" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="org.bouncycastle" name="bcutil-jdk18on" version="1.78.1">
--- a/plugins/discovery-ec2/build.gradle
+++ b/plugins/discovery-ec2/build.gradle
@ -77,6 +77,7 @@ tasks.register("writeTestJavaPolicy") {
          "permission java.security.SecurityPermission \"getProperty.jdk.tls.disabledAlgorithms\";",
          "permission java.security.SecurityPermission \"getProperty.jdk.certpath.disabledAlgorithms\";",
          "permission java.security.SecurityPermission \"getProperty.keystore.type.compat\";",
+          "permission java.security.SecurityPermission \"getProperty.org.bouncycastle.ec.max_f2m_field_size\";",
          "};"
        ].join("\n")
      )
--- a/test/test-clusters/src/main/resources/fips/fips_java.policy
+++ b/test/test-clusters/src/main/resources/fips/fips_java.policy
@ -5,6 +5,7 @@ grant {
     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.util.PropertyPermission "java.runtime.name", "read";
     permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
@ -20,6 +21,6 @@ grant {
 };

 // rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
  permission java.net.SocketPermission "*", "connect";
 };
--- a/x-pack/plugin/core/build.gradle
+++ b/x-pack/plugin/core/build.gradle
@ -65,7 +65,7 @@ dependencies {
  testImplementation project(path: ':modules:rest-root')
  testImplementation project(path: ':modules:health-shards-availability')
  // Needed for Fips140ProviderVerificationTests
-  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.4')
+  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')

  testImplementation(project(':x-pack:license-tools')) {
    transitive = false
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
@ -218,7 +218,7 @@ public class RestrictedTrustManagerTests extends ESTestCase {
            if (cert.endsWith("/ca")) {
                assertTrusted(trustManager, cert);
            } else {
-                assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to find certificate chain." : "PKIX path building failed.*");
+                assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to construct a valid chain" : "PKIX path building failed.*");
            }
        }
    }
--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java
@ -107,7 +107,7 @@ public class SslClientAuthenticationTests extends SecurityIntegTestCase {
            if (inFipsJvm()) {
                Throwable t = ExceptionsHelper.unwrap(e, CertificateException.class);
                assertThat(t, instanceOf(CertificateException.class));
-                assertThat(t.getMessage(), containsString("Unable to find certificate chain"));
+                assertThat(t.getMessage(), containsString("Unable to construct a valid chain"));
            } else {
                Throwable t = ExceptionsHelper.unwrap(e, CertPathBuilderException.class);
                assertThat(t, instanceOf(CertPathBuilderException.class));
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java
@ -571,7 +571,11 @@ public class SimpleSecurityNetty4ServerTransportTests extends AbstractSimpleTran
                final ConnectTransportException e = openConnectionExpectFailure(qcService, node, connectionProfile);
                assertThat(
                    e.getRootCause().getMessage(),
-                    anyOf(containsString("unable to find valid certification path"), containsString("Unable to find certificate chain"))
+                    anyOf(
+                        containsString("unable to find valid certification path"),
+                        containsString("Unable to find certificate chain"),
+                        containsString("Unable to construct a valid chain")
+                    )
                );
            }