Enable FIPS entitlements based on org.bouncycastle.fips.approved_only. (#124577)

When enabling FIPS, `javax.net.ssl.trustStore` is not necessarily set.
This change adds FIPS entitlements based on
`org.bouncycastle.fips.approved_only=true`, which enforces usage of FIPS
approved functionality only.

Additionally, this PR grants read access to a custom trust store if
provided via `javax.net.ssl.trustStore`, otherwise read access to the
default JDK trust store is granted.

Relates to ES-11025.
This commit is contained in:
Moritz Mack 2025-03-12 09:54:48 +01:00 committed by GitHub
parent 37a363050e
commit c41caeb6cd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -9,6 +9,7 @@
package org.elasticsearch.entitlement.initialization; package org.elasticsearch.entitlement.initialization;
import org.elasticsearch.core.Booleans;
import org.elasticsearch.core.PathUtils; import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.internal.provider.ProviderLocator; import org.elasticsearch.core.internal.provider.ProviderLocator;
import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap; import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
@ -241,16 +242,22 @@ public class EntitlementInitialization {
) )
); );
Path trustStorePath = trustStorePath(); // conditionally add FIPS entitlements if FIPS only functionality is enforced
if (trustStorePath != null) { if (Booleans.parseBoolean(System.getProperty("org.bouncycastle.fips.approved_only"), false)) {
// if custom trust store is set, grant read access to its location, otherwise use the default JDK trust store
String trustStore = System.getProperty("javax.net.ssl.trustStore");
Path trustStorePath = trustStore != null
? Path.of(trustStore)
: Path.of(System.getProperty("java.home")).resolve("lib/security/jssecacerts");
Collections.addAll( Collections.addAll(
serverScopes, serverScopes,
new Scope( new Scope(
"org.bouncycastle.fips.tls", "org.bouncycastle.fips.tls",
List.of( List.of(
new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))), new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))),
new OutboundNetworkEntitlement(), new ManageThreadsEntitlement(),
new ManageThreadsEntitlement() new OutboundNetworkEntitlement()
) )
), ),
new Scope( new Scope(
@ -302,11 +309,6 @@ public class EntitlementInitialization {
return PathUtils.get(userHome); return PathUtils.get(userHome);
} }
private static Path trustStorePath() {
String trustStore = System.getProperty("javax.net.ssl.trustStore");
return trustStore != null ? Path.of(trustStore) : null;
}
private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException, private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException,
NoSuchMethodException { NoSuchMethodException {
var fileSystemProviderClass = FileSystems.getDefault().provider().getClass(); var fileSystemProviderClass = FileSystems.getDefault().provider().getClass();