Enable FIPS entitlements based on org.bouncycastle.fips.approved_only. (#124577)

When enabling FIPS `javax.net.ssl.trustStore` is not necessarily set. This change adds FIPS entitlements based on `org.bouncycastle.fips.approved_only=true`, which enforces usage of FIPS approved functionality only. Additionally, this PR grants read access to a custom trust store if provided via `javax.net.ssl.trustStore`, otherwise read access to the default JDK trust store is granted. Relates to ES-11025.
2025-06-28 09:28:55 -04:00 · 2025-03-12 09:54:48 +01:00 · 2025-03-12 09:54:48 +01:00 · c41caeb6cd
commit c41caeb6cd
parent 37a363050e
1 changed files with 11 additions and 9 deletions
--- a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
+++ b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@ -9,6 +9,7 @@

 package org.elasticsearch.entitlement.initialization;

+import org.elasticsearch.core.Booleans;
 import org.elasticsearch.core.PathUtils;
 import org.elasticsearch.core.internal.provider.ProviderLocator;
 import org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap;
@ -241,16 +242,22 @@ public class EntitlementInitialization {
            )
        );

-        Path trustStorePath = trustStorePath();
-        if (trustStorePath != null) {
+        // conditionally add FIPS entitlements if FIPS only functionality is enforced
+        if (Booleans.parseBoolean(System.getProperty("org.bouncycastle.fips.approved_only"), false)) {
+            // if custom trust store is set, grant read access to its location, otherwise use the default JDK trust store
+            String trustStore = System.getProperty("javax.net.ssl.trustStore");
+            Path trustStorePath = trustStore != null
+                ? Path.of(trustStore)
+                : Path.of(System.getProperty("java.home")).resolve("lib/security/jssecacerts");
+
            Collections.addAll(
                serverScopes,
                new Scope(
                    "org.bouncycastle.fips.tls",
                    List.of(
                        new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))),
-                        new OutboundNetworkEntitlement(),
-                        new ManageThreadsEntitlement()
+                        new ManageThreadsEntitlement(),
+                        new OutboundNetworkEntitlement()
                    )
                ),
                new Scope(
@ -302,11 +309,6 @@ public class EntitlementInitialization {
        return PathUtils.get(userHome);
    }

-    private static Path trustStorePath() {
-        String trustStore = System.getProperty("javax.net.ssl.trustStore");
-        return trustStore != null ? Path.of(trustStore) : null;
-    }
-
    private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException,
        NoSuchMethodException {
        var fileSystemProviderClass = FileSystems.getDefault().provider().getClass();