fix modules/plugins to run inside FIPS env.

Author: iigonin

buildSrc/src/main/groovy/org/opensearch/gradle/test/StandaloneRestTestPlugin.groovy

@@ -31,6 +31,8 @@
 package org.opensearch.gradle.test
 
 import groovy.transform.CompileStatic
+import org.gradle.api.artifacts.VersionCatalog
+import org.gradle.api.artifacts.VersionCatalogsExtension
 import org.opensearch.gradle.OpenSearchJavaPlugin
 import org.opensearch.gradle.ExportOpenSearchBuildResourcesTask
 import org.opensearch.gradle.RepositoriesSetupPlugin
@@ -92,6 +94,10 @@ class StandaloneRestTestPlugin implements Plugin<Project> {
         // create a compileOnly configuration as others might expect it
         project.configurations.create("compileOnly")
         project.dependencies.add('testImplementation', project.project(':test:framework'))
+        if (BuildParams.inFipsJvm) {
+            VersionCatalog libs = project.extensions.getByType(VersionCatalogsExtension).named("libs")
+            project.dependencies.add('testImplementation', libs.findBundle("bouncycastle").get())
+        }
 
         EclipseModel eclipse = project.extensions.getByType(EclipseModel)
         eclipse.classpath.sourceSets = [testSourceSet]

client/rest-high-level/build.gradle

@@ -36,6 +36,7 @@ apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.rest-test'
 apply plugin: 'opensearch.publish'
 apply plugin: 'opensearch.rest-resources'
+apply from: "$rootDir/gradle/fips.gradle"
 
 base {
   group = 'org.opensearch.client'
@@ -66,6 +67,7 @@ dependencies {
   testImplementation "junit:junit:${versions.junit}"
   //this is needed to make RestHighLevelClientTests#testApiNamingConventions work from IDEs
   testImplementation project(":rest-api-spec")
+  testFipsRuntimeOnly libs.bundles.bouncycastle
 }
 
 tasks.named('forbiddenApisMain').configure {

client/rest/build.gradle

@@ -72,9 +72,6 @@ dependencies {
   testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
-
-  testFipsOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
-  testFipsOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
 }
 
 tasks.named("dependencyLicenses").configure {

client/rest/src/main/java/org/opensearch/client/RestClientBuilder.java

@@ -315,7 +315,7 @@ private CloseableHttpAsyncClient createHttpClient() {
 
         try {
             final TlsStrategy tlsStrategy = ClientTlsStrategyBuilder.create()
-                .setSslContext(SSLContext.getDefault())
+                .setSslContext(SSLContext.getInstance("TLS"))
                 // See https://issues.apache.org/jira/browse/HTTPCLIENT-2219
                 .setTlsDetailsFactory(new Factory<SSLEngine, TlsDetails>() {
                     @Override

client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java

@@ -39,9 +39,6 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
-import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
@@ -58,7 +55,6 @@
 import java.security.KeyStore;
 import java.security.PrivilegedAction;
 import java.security.SecureRandom;
-import java.security.Security;
 
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
@@ -70,25 +66,12 @@
  */
 public class RestClientBuilderIntegTests extends RestClientTestCase implements RestClientFipsAwareTestCase {
 
-    static {
-        if (inFipsJvm()) {
-            int highestPriority = 1;
-            if (Security.getProvider(BouncyCastleFipsProvider.PROVIDER_NAME) == null) {
-                Security.insertProviderAt(new BouncyCastleFipsProvider(), highestPriority++);
-            }
-            if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
-                Security.insertProviderAt(new BouncyCastleJsseProvider(), highestPriority);
-            }
-        }
-    }
-
     private static HttpsServer httpsServer;
 
     @BeforeClass
     public static void startHttpServer() throws Exception {
         httpsServer = HttpsServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
-        String keyStoreType = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "BCFKS" : "JKS";
-        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext(true, keyStoreType)));
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(new RestClientBuilderIntegTests().getSslContext(true)));
         httpsServer.createContext("/", new ResponseHandler());
         httpsServer.start();
     }
@@ -108,11 +91,6 @@ public static void stopHttpServers() throws IOException {
     }
 
     public void testBuilderUsesDefaultSSLContext() throws Exception {
-        makeRequest();
-    }
-
-    @Override
-    public void makeRequest(String keyStoreType) throws Exception {
         final SSLContext defaultSSLContext = SSLContext.getDefault();
         try {
             try (RestClient client = buildRestClient()) {
@@ -124,7 +102,7 @@ public void makeRequest(String keyStoreType) throws Exception {
                 }
             }
 
-            SSLContext.setDefault(getSslContext(false, keyStoreType));
+            SSLContext.setDefault(getSslContext(false));
             try (RestClient client = buildRestClient()) {
                 Response response = client.performRequest(new Request("GET", "/"));
                 assertEquals(200, response.getStatusLine().getStatusCode());
@@ -139,19 +117,10 @@ private RestClient buildRestClient() {
         return RestClient.builder(new HttpHost("https", address.getHostString(), address.getPort())).build();
     }
 
-    private static SSLContext getSslContext(boolean server, String keyStoreType) throws Exception {
+    @Override
+    public SSLContext getSslContext(boolean server, String keyStoreType, SecureRandom secureRandom, String fileExtension) throws Exception {
         SSLContext sslContext;
         char[] password = "password".toCharArray();
-        SecureRandom secureRandom;
-        String fileExtension;
-
-        if (CryptoServicesRegistrar.isInApprovedOnlyMode()) {
-            secureRandom = SecureRandom.getInstance("DEFAULT", "BCFIPS");
-            fileExtension = ".bcfks";
-        } else {
-            secureRandom = SecureRandom.getInstanceStrong();
-            fileExtension = ".jks";
-        }
 
         try (
             InputStream trustStoreFile = RestClientBuilderIntegTests.class.getResourceAsStream("/test_truststore" + fileExtension);

client/rest/src/test/java/org/opensearch/client/RestClientFipsAwareTestCase.java

@@ -8,17 +8,27 @@
 
 package org.opensearch.client;
 
+import javax.net.ssl.SSLContext;
+
+import java.security.SecureRandom;
+
 import static org.opensearch.client.RestClientTestCase.inFipsJvm;
 
 public interface RestClientFipsAwareTestCase {
 
-    default void makeRequest() throws Exception {
+    default SSLContext getSslContext(boolean server) throws Exception {
+        String keyStoreType = inFipsJvm() ? "BCFKS" : "JKS";
+        String fileExtension = inFipsJvm() ? ".bcfks" : ".jks";
+        SecureRandom secureRandom;
+
         if (inFipsJvm()) {
-            makeRequest("BCFKS");
+            secureRandom = SecureRandom.getInstance("DEFAULT", "BCFIPS");
         } else {
-            makeRequest("JKS");
+            secureRandom = SecureRandom.getInstanceStrong();
         }
+
+        return getSslContext(server, keyStoreType, secureRandom, fileExtension);
     }
 
-    void makeRequest(String keyStoreType) throws Exception;
+    SSLContext getSslContext(boolean server, String keyStoreType, SecureRandom secureRandom, String fileExtension) throws Exception;
 }

client/sniffer/build.gradle

@@ -29,6 +29,7 @@
  */
 apply plugin: 'opensearch.build'
 apply plugin: 'opensearch.publish'
+apply from: "$rootDir/gradle/fips.gradle"
 
 java {
   targetCompatibility = JavaVersion.VERSION_11
@@ -47,6 +48,9 @@ dependencies {
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
+  fipsRuntimeOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+  fipsRuntimeOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
+  fipsRuntimeOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
 
   testImplementation project(":client:test")
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
@@ -57,6 +61,10 @@ dependencies {
   testImplementation "net.bytebuddy:byte-buddy-agent:${versions.bytebuddy}"
 }
 
+tasks.named("dependencyLicenses").configure {
+  mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 tasks.named('forbiddenApisMain').configure {
   //client does not depend on server, so only jdk signatures should be checked
   replaceSignatureFiles 'jdk-signatures'

client/sniffer/licenses/bc-fips-2.0.0.jar.sha1

@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab

client/sniffer/licenses/bctls-fips-2.0.19.jar.sha1

@@ -0,0 +1 @@
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76

client/sniffer/licenses/bcutil-fips-2.0.3.jar.sha1

@@ -0,0 +1 @@
+a1857cd639295b10cc90e6d31ecbc523cdafcc19