Draft to allow run in FIPS compliace mode #1

beanuwave · 2024-07-10T10:08:19Z

Description

FIPS gradle build script is removed.
All BC dependencies are replaces by BCFIPS.
Password matcher inside Identity-Shiro that replies on BC to check if hashed passwords matches with OpenBSDBCrypt, is replaced by password4j implementation.
Adds support for BCFKS format (*.bks) for Key & Truststores.
Refactor parsing private keys with formats EC, PKCS8, PKCS1, DSA, w/wo encryption, w/wo parameters.
FIPS approved-only mode can be configured over opensearch.yml file.
java security file is added to the build.
java policy file is altered to grant neccessary security permissions.

This PR provides FIPS 140-2 support by replacing all BC dependencies with BCFIPS dependencies and making FIPS approved-only mode configurable at launch. Running application in approved-only mode restricts BCFIPS provoder to rely solely on FIPS certified cyphers. Due to replacement of BC libraries, BCrypt password matching and private-key loading from file were replaced by alternative implementations.

Reasons for refactoring PemUtils.java that is used by Reindex API, in case of migrating data from a remote cluster that is TLS protected:

PKCS#8 implementation was not supported by BCFIPS library.
java type security.
Password Based Key Derivation Functions such as PKCS#12 and OpenSSL are not supported in BCFIPS approved-only mode, because only PBKDF2 standard is approved for use in FIPS.
generally good idea to let ASN1 annotation parsing be done by external security libraries.

Related Issues

opensearch-project/security#3420

Check List

Functionality includes testing.
API changes companion pull request created, if applicable.
Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

beanuwave · 2024-07-10T10:22:53Z

distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java

+            /*
+             * debug
+             */
+            "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=192.168.33.46:5004",


temporary: so the running application can be remotely debugged.

beanuwave · 2024-07-10T10:24:31Z

buildSrc/src/main/resources/fips_java_bcjsse_11.security

-      DSA keySize < 1024
-jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
+jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1, jdkCA&usageTLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224


FIPS approved mode should override this settings anyway, so it's should be used in general for non-FIPS environment setup.

beanuwave · 2024-07-10T10:25:10Z

buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java

@@ -1170,6 +1170,56 @@ private void createConfiguration() {
        baseConfig.put("node.portsfile", "true");
        baseConfig.put("http.port", httpPort);
        baseConfig.put("transport.port", transportPort);
+        baseConfig.put("http.host", "192.168.33.46");


temporary: test reindex API

beanuwave · 2024-07-10T10:27:21Z

build.gradle

@@ -66,6 +66,7 @@ apply from: 'gradle/forbidden-dependencies.gradle'
 apply from: 'gradle/formatting.gradle'
 apply from: 'gradle/local-distribution.gradle'
 apply from: 'gradle/fips.gradle'
+apply from: 'gradle/run-with-fips.gradle'


this script allows to configure/build/deploy/run testcluster with included FIPS libraries.

beanuwave · 2024-07-10T10:27:44Z

buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java

@@ -129,7 +129,7 @@ public void apply(Project project) {
            params.setIsCi(System.getenv("JENKINS_URL") != null);
            params.setIsInternal(isInternal);
            params.setDefaultParallel(findDefaultParallel(project));
-            params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", false));
+            params.setInFipsJvm(Util.getBooleanProperty("tests.fips.enabled", true));


only relevant for tests

beanuwave · 2024-07-10T10:28:25Z

distribution/tools/plugin-cli/build.gradle

@@ -37,8 +37,8 @@ base {
 dependencies {
  compileOnly project(":server")
  compileOnly project(":libs:opensearch-cli")
-  api "org.bouncycastle:bcpg-fips:1.0.7.1"
-  api "org.bouncycastle:bc-fips:1.0.2.5"
+  implementation "org.bouncycastle:bcpg-fips:1.0.7.1"


should not matter

beanuwave · 2024-07-10T10:29:57Z

gradle/fips.gradle

@@ -9,88 +9,85 @@
 * GitHub history for details.
 */



temporary: looks like this script interferes with run-with-fips script

beanuwave · 2024-07-10T10:30:19Z

libs/core/src/main/java/org/opensearch/Build.java

@@ -224,7 +224,7 @@ public String getDistribution() {
     * @return the fully qualified build
     */
    public String getQualifiedVersion() {
-        return version;
+        return "2.14.0";


beanuwave · 2024-07-10T10:33:59Z

libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfiguration.java

@@ -155,7 +155,7 @@ public SSLContext createSslContext() {
        final X509ExtendedKeyManager keyManager = keyConfig.createKeyManager();
        final X509ExtendedTrustManager trustManager = trustConfig.createTrustManager();
        try {
-            SSLContext sslContext = SSLContext.getInstance(contextProtocol());
+            SSLContext sslContext = SSLContext.getInstance("TLS", "BCJSSE");


defaults to TLS v1.3

beanuwave · 2024-07-10T10:35:35Z

server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java

@@ -523,6 +523,7 @@ private void decryptLegacyEntries() throws GeneralSecurityException, IOException
    /** Write the keystore to the given config directory. */
    public synchronized void save(Path configDir, char[] password) throws Exception {
        ensureOpen();
+        assert password.length >= 20;


if internal keystore is not set, application creates its own without password, but BCFIPS won't allow empty password for keystore.

beanuwave · 2024-07-10T10:36:02Z

server/src/main/resources/org/opensearch/bootstrap/security.policy

@@ -37,7 +37,7 @@
 //// SecurityManager impl:
 //// Must have all permissions to properly perform access checks

-grant codeBase "${codebase.opensearch-secure-sm}" {
+grant {


Signed-off-by: Iwan Igonin <[email protected]>

beanuwave commented Jul 10, 2024

View reviewed changes

beanuwave force-pushed the fips_compliance branch 5 times, most recently from e6b3980 to f3d5c59 Compare July 19, 2024 16:29

beanuwave force-pushed the fips_compliance branch 2 times, most recently from f70aa1c to 8ed74b9 Compare July 23, 2024 12:32

Draft to allow run in FIPS compliace mode

6016d5d

Signed-off-by: Iwan Igonin <[email protected]>

beanuwave force-pushed the fips_compliance branch from 8ed74b9 to 6016d5d Compare July 23, 2024 15:28

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Draft to allow run in FIPS compliace mode #1

Draft to allow run in FIPS compliace mode #1

beanuwave commented Jul 10, 2024 •

edited

Loading

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

beanuwave Jul 10, 2024

Draft to allow run in FIPS compliace mode #1

Are you sure you want to change the base?

Draft to allow run in FIPS compliace mode #1

Conversation

beanuwave commented Jul 10, 2024 • edited Loading

Description

Related Issues

Check List

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

beanuwave commented Jul 10, 2024 •

edited

Loading