From 20f49f0a8f246eeac234fba8b1df7da3f99effa3 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Mon, 22 Jul 2024 11:57:17 +0100
Subject: [PATCH 1/7] Remove hardcoded provider reference
Signed-off-by: Terry Quigley
---
 plugin-security.policy | 3 ---
 .../security/OpenSearchSecurityPlugin.java | 15 ---------------
 2 files changed, 18 deletions(-)
diff --git a/plugin-security.policy b/plugin-security.policy
index 6a78a5cc91..87502f98f5 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -58,9 +58,6 @@ grant {
 permission java.net.SocketPermission "*", "connect,accept,resolve";
 // BouncyCastle permissions
- permission java.security.SecurityPermission "putProviderProperty.BC";
- permission java.security.SecurityPermission "insertProvider.BC";
- permission java.security.SecurityPermission "removeProviderProperty.BC";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 3f1905d281..7dbf307f10 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -63,11 +63,9 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchSecurityException;
-import org.opensearch.SpecialPermission;
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.search.PitService;
@@ -378,19 +376,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 demoCertHashes.add("a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1"); // esnode
 demoCertHashes.add("cd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
- final SecurityManager sm = System.getSecurityManager();
-
- if (sm != null) {
- sm.checkPermission(new SpecialPermission());
- }
-
- AccessController.doPrivileged((PrivilegedAction) () -> {
- if (Security.getProvider("BC") == null) {
- Security.addProvider(new BouncyCastleProvider());
- }
- return null;
- });
-
 final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
 if (settings.hasValue(advancedModulesEnabledKey)) {
 deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
From 0f4458db8261b7c64cba34831dd42ef8023ae15e Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Mon, 22 Jul 2024 12:04:03 +0100
Subject: [PATCH 2/7] Spotless
Signed-off-by: Terry Quigley
---
 .../java/org/opensearch/security/OpenSearchSecurityPlugin.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 7dbf307f10..9ca82ba39d 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -36,7 +36,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
From 6b1b9a5beed77db758afc8ce53f53df066b1823a Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Fri, 26 Jul 2024 14:38:40 +0100
Subject: [PATCH 3/7] Refactored adding of Bouncy Castle provider. Added support for Bouncy Castle FIPS provider.
Signed-off-by: Terry Quigley
---
 plugin-security.policy | 6 +++
 .../security/OpenSearchSecurityPlugin.java | 40 +++++++++++++++++++
 2 files changed, 46 insertions(+)
diff --git a/plugin-security.policy b/plugin-security.policy
index 87502f98f5..ab2081e5a2 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -58,6 +58,12 @@ grant {
 permission java.net.SocketPermission "*", "connect,accept,resolve";
 // BouncyCastle permissions
+ permission java.security.SecurityPermission "putProviderProperty.BC";
+ permission java.security.SecurityPermission "insertProvider.BC";
+ permission java.security.SecurityPermission "removeProviderProperty.BC";
+ permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
+ permission java.security.SecurityPermission "insertProvider.BCFIPS";
+ permission java.security.SecurityPermission "removeProviderProperty.BCFIPS";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 9ca82ba39d..08d7ddcea8 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -36,6 +36,8 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,6 +67,7 @@
 import org.opensearch.OpenSearchException;
 import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.SpecialPermission;
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.search.PitService;
@@ -375,6 +378,8 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 demoCertHashes.add("a2ce3f577a5031398c1b4f58761444d837b031d0aff7614f8b9b5e4a9d59dbd1"); // esnode
 demoCertHashes.add("cd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
+ tryAddSecurityProviders();
+
 final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
 if (settings.hasValue(advancedModulesEnabledKey)) {
 deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -468,6 +473,41 @@ public List run() {
 }
 }
+ @SuppressWarnings("removal")
+ private void tryAddSecurityProviders() {
+ final SecurityManager sm = System.getSecurityManager();
+
+ if (sm != null) {
+ sm.checkPermission(new SpecialPermission());
+ }
+
+ // Add provider if on the classpath. Only add first provider found.
+ AccessController.doPrivileged((PrivilegedAction) () -> {
+ if (Security.getProvider("BC") == null) {
+ try {
+ Class providerClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
+ Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance();
+ Security.addProvider(provider);
+ log.debug("Bouncy Castle Provider added");
+ return null;
+ } catch (Exception e) {
+ log.debug("Bouncy Castle Provider could not be added", e);
+ }
+ }
+ if (Security.getProvider("BCFIPS") == null) {
+ try {
+ Class providerClass = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
+ Provider provider = (Provider) providerClass.getDeclaredConstructor().newInstance();
+ Security.addProvider(provider);
+ log.debug("Bouncy Castle FIPS Provider added");
+ } catch (Exception e) {
+ log.debug("Bouncy Castle FIPS Provider could not be added", e);
+ }
+ }
+ return null;
+ });
+ }
+
 private void verifyTLSVersion(final String settings, final List configuredProtocols) {
 for (final var tls : configuredProtocols) {
 if (tls.equalsIgnoreCase("TLSv1") || tls.equalsIgnoreCase("TLSv1.1")) {
From 07811435e7d7f4a3e149c511738ef5e1daba06a0 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Fri, 26 Jul 2024 18:00:46 +0100
Subject: [PATCH 4/7] Additional property added to policy for BCFIPS
---
 plugin-security.policy | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugin-security.policy b/plugin-security.policy
index ab2081e5a2..d78b3de130 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
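Review bot: Both `catch (Exception e)` blocks in `tryAddSecurityProviders()` log at debug, so a provider that is on the classpath but fails to construct or register looks the same as one that is simply absent, and the node carries on without it; on a deployment that expects BCFIPS that would be a silent fallback to whatever providers are already installed. Catch `ClassNotFoundException` on its own at debug and report every other failure at warn, as in the excerpt below (the BC branch needs the same split). The comment `Only add first provider found` also does not match the flow when "BC" is already registered: the first `if` is skipped and the BCFIPS branch still runs, so either reword the comment or return early when `Security.getProvider("BC") != null`. `Security.addProvider` appends to the end of the provider list, so callers presumably have to ask for "BCFIPS" by name to get it; a Javadoc line stating that intent would help.

```java
// … unchanged: SpecialPermission check and the BC branch up to its catch …
if (Security.getProvider("BCFIPS") == null) {
    try {
        // … unchanged: Class.forName, newInstance, Security.addProvider, debug log …
    } catch (ClassNotFoundException e) {
        // Absent from the classpath: expected on non-FIPS installs.
        log.debug("Bouncy Castle FIPS Provider not on the classpath");
    } catch (ReflectiveOperationException | RuntimeException e) {
        // Present but unusable: surface it so operators notice the missing provider.
        log.warn("Bouncy Castle FIPS Provider could not be added", e);
    }
}
```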
@@ -68,6 +68,7 @@ grant {
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.disabledAlgorithms";
 permission java.lang.RuntimePermission "accessUserInformation";
From 5b4ca68f601d875b017373b25dd4cafbbd64b372 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Fri, 26 Jul 2024 18:00:46 +0100
Subject: [PATCH 5/7] Additional property added to policy for BCFIPS
Signed-off-by: Terry Quigley
---
 plugin-security.policy | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugin-security.policy b/plugin-security.policy
index ab2081e5a2..d78b3de130 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -68,6 +68,7 @@ grant {
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.disabledAlgorithms";
 permission java.lang.RuntimePermission "accessUserInformation";
From c5a3d456adb3e2b83917ced72336211afe90fea9 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Fri, 26 Jul 2024 19:47:22 +0100
Subject: [PATCH 6/7] Reorder policy file
Signed-off-by: Terry Quigley
---
 plugin-security.policy | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/plugin-security.policy b/plugin-security.policy
index d78b3de130..f553e3160b 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -61,13 +61,14 @@ grant {
 permission java.security.SecurityPermission "putProviderProperty.BC";
 permission java.security.SecurityPermission "insertProvider.BC";
 permission java.security.SecurityPermission "removeProviderProperty.BC";
- permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
- permission java.security.SecurityPermission "insertProvider.BCFIPS";
- permission java.security.SecurityPermission "removeProviderProperty.BCFIPS";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
- permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
+
+ // Additional BouncyCastle FIPS permissions
+ permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
+ permission java.security.SecurityPermission "insertProvider.BCFIPS";
+ permission java.security.SecurityPermission "removeProviderProperty.BCFIPS";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.disabledAlgorithms";
 permission java.lang.RuntimePermission "accessUserInformation";
From a286e29e9e30cf1b60958f84c7a77e21ed622b7f Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Fri, 26 Jul 2024 19:56:45 +0100
Subject: [PATCH 7/7] Refactor
Signed-off-by: Terry Quigley
---
 plugin-security.policy | 1 +
 1 file changed, 1 insertion(+)
diff --git a/plugin-security.policy b/plugin-security.policy
index f553e3160b..3af4cda137 100644
--- a/plugin-security.policy
+++ b/plugin-security.policy
@@ -64,6 +64,7 @@ grant {
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.pkcs12.default";
 permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_size";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.max_mr_tests";
 // Additional BouncyCastle FIPS permissions
 permission java.security.SecurityPermission "putProviderProperty.BCFIPS";