Add security provider earlier in bootstrap process (#5749)

Signed-off-by: Terry Quigley <[email protected]>
Signed-off-by: Terry Quigley <[email protected]>

Author: terryquigleysas

CHANGELOG.md

@@ -25,6 +25,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests ([#5717](https://github.com/opensearch-project/security/pull/5717))
 - [Resource Sharing] Removes share and revoke java APIs ([#5718](https://github.com/opensearch-project/security/pull/5718))
 - Fix build failure in SecurityFilterTests ([#5736](https://github.com/opensearch-project/security/pull/5736))
+- Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
 
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.0 ([#5678](https://github.com/opensearch-project/security/pull/5678))

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 
 import org.opensearch.OpenSearchException;
@@ -434,8 +432,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
         demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
         demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
 
-        tryAddSecurityProvider();
-
         final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
         if (settings.hasValue(advancedModulesEnabledKey)) {
             deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -2442,17 +2438,6 @@ public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings
         );
     }
 
-    @SuppressWarnings("removal")
-    private void tryAddSecurityProvider() {
-        AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
-            if (Security.getProvider("BCFIPS") == null) {
-                Security.addProvider(new BouncyCastleFipsProvider());
-                log.debug("Bouncy Castle FIPS Provider added");
-            }
-            return null;
-        });
-    }
-
     // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
     @Override
     public void loadExtensions(ExtensionLoader loader) {

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -18,6 +18,7 @@
 package org.opensearch.security.ssl;
 
 import java.nio.file.Path;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -32,6 +33,7 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
@@ -231,6 +233,8 @@ protected OpenSearchSecuritySSLPlugin(final Settings settings, final Path config
             log.error("SSL not activated for http and/or transport.");
         }
 
+        tryAddSecurityProvider();
+
         this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
     }
 
@@ -747,4 +751,14 @@ protected Settings migrateSettings(Settings settings) {
     public ThreadPool getThreadPool() {
         return this.threadPool;
     }
+
+    private void tryAddSecurityProvider() {
+        AccessController.doPrivileged(() -> {
+            if (Security.getProvider("BCFIPS") == null) {
+                Security.addProvider(new BouncyCastleFipsProvider());
+                log.debug("Bouncy Castle FIPS Provider added");
+            }
+            return null;
+        });
+    }
 }