Make plugin verification FIPS 140 compliant #44224
Conversation
This change makes the process of verifying the signature of official plugins FIPS 140 compliant by defaulting to use the BouncyCastle FIPS provider and adding a dependency to bcpg-fips that implement parts of openPGP in a FIPS compliant manner. In already FIPS 140 enabled environments that use the BouncyCastle FIPS provider, the bcfips dependency is redundant but doesn't cause an issue as it will be added only in the classpath of the cli-tools
|
Pinging @elastic/es-core-infra |
| @@ -24,8 +24,8 @@ archivesBaseName = 'elasticsearch-plugin-cli' | |||
| dependencies { | |||
| compileOnly project(":server") | |||
| compileOnly project(":libs:elasticsearch-cli") | |||
| compile "org.bouncycastle:bcpg-jdk15on:${versions.bouncycastle}" | |||
| compile "org.bouncycastle:bcprov-jdk15on:${versions.bouncycastle}" | |||
| compile "org.bouncycastle:bcpg-fips:1.0.3" | |||
There was a problem hiding this comment.
each X-fips library uses its own versioning, so we explicitly set it here
| } | ||
|
|
||
| // these two classes intentionally use JDK internal API |
There was a problem hiding this comment.
What apis are they using and why? I think that info is important to be in this comment as a future dev evaluating whether this can be removed would need to know it.
There was a problem hiding this comment.
I added the list of the list of internal classes used. The "why" i think is self-explanatory, unless you mean the technical reasons behind using these internal APIs in the BC code ( assuming there were other alternatives that didn't involve doing so ) but I wouldn't be in the position to answer that.
Yes it already does. Problems with 9+ and FIPS are due to the fact that the option to pass parameters to the provider is removed when installing the FIPS Provider statically in
A fips jvm is nothing more than a normal JVM that uses a fips approved security provider implementation for everything. Here, we don't need such a setup, all the necessary APIs are provided by |
This change makes the process of verifying the signature of official plugins FIPS 140 compliant by defaulting to use the BouncyCastle FIPS provider and adding a dependency to bcpg-fips that implement parts of openPGP in a FIPS compliant manner. In already FIPS 140 enabled environments that use the BouncyCastle FIPS provider, the bcfips dependency is redundant but doesn't cause an issue as it will be added only in the classpath of the cli-tools
This change makes the process of verifying the signature of official plugins FIPS 140 compliant by defaulting to use the BouncyCastle FIPS provider and adding a dependency to bcpg-fips that implement parts of openPGP in a FIPS compliant manner. In already FIPS 140 enabled environments that use the BouncyCastle FIPS provider, the bcfips dependency is redundant but doesn't cause an issue as it will be added only in the classpath of the cli-tools This is a backport of #44224
This change makes the process of verifying the signature of
official plugins FIPS 140 compliant by defaulting to use the
BouncyCastle FIPS provider and adding a dependency to bcpg-fips
that implement parts of openPGP in a FIPS compliant manner.
In already FIPS 140 enabled environments that use the BouncyCastle
FIPS provider, the bcfips dependency is redundant but doesn't
cause an issue as it will be added only in the classpath for the
cli-tools
Resolves: #41263