Add a FIPS 140-2 enabled JDK 11 JVM in CI #37250

Closed
jkakavas opened this issue Jan 9, 2019 · 8 comments · Fixed by #48378
Labels
:Delivery/Build Build or test infrastructure >enhancement :Security/Security Security issues without another label Team:Delivery Meta label for Delivery team

Comments

@jkakavas
Member

jkakavas commented Jan 9, 2019

We currently only run our tests in a Java 8 FIPS 140-2 JVM in CI using BouncyCastle FIPS Security Provider. We need to also run our tests with JDK 11.

A complication is that BouncyCastle FIPS Security Provider is not certified yet for JDK 11. This is an ongoing effort (details should be available at https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list) but there is no concrete timeline. This leaves us with the option of SunPKCS11-NSS and its limitations.

@jkakavas jkakavas added >enhancement :Delivery/Build Build or test infrastructure :Security/Security Security issues without another label labels Jan 9, 2019
@jkakavas jkakavas self-assigned this Jan 9, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-core-infra

@elasticmachine
Collaborator

Pinging @elastic/es-security

@pkazi

pkazi commented Feb 12, 2019

Can anyone share how to enable FIPS 140-2 in my JDK 8 for running with Elasticsearch?

@tvernum
Contributor

tvernum commented Feb 13, 2019

Hi @pkazi, please ask these sorts of questions on our forums at https://discuss.elastic.co/ rather than piggybacking on existing issues here.

@jkakavas
Member Author

jkakavas commented Apr 16, 2019

Since #40754 was merged, I've spent some time getting our FIPS 140 testing up to speed so that we can start testing master on FIPS JVMs again. The initial approach included #41024 and https://github.com/elastic/infra/pull/10792

Unfortunately, this proved to be insufficient. The reason is that there is currently no way to set up a JDK11 (or anything >JDK9) in FIPS Approved mode:

  • >JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been the preferred (and the only documented) way to configure the BouncyCastleFipsProvider statically, and BC is not offering the provider as a module.

    In [WIP] Add BouncyCastleFipsProvider as test dependency #41024, we overcome this by adding the provider as a testRuntimeOnly dependency, and this seems to be working just fine.

  • Testing revealed that another thing that was removed (rather silently) in JDK9 was the ability to pass extra parameters to the Security Providers on load time. (Related issue that refers to the behavior change: https://bugs.openjdk.java.net/browse/JDK-8217907). However, it turns out that this was the suggested way to put Sun's JSSE provider in FIPS mode (not only using BCFIPS, but SunPKCS11-NSS as well). Original instructions for JDK8 (now removed) are available at: https://web.archive.org/web/20170324052831/http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
    Also, as seen in https://bugs.openjdk.java.net/browse/JDK-8217907, the SunJSSE FIPS compliant mode is being removed in JDK13.
    Finally, BouncyCastle offer their own JSSE provider (BCJSSE) that is packaged in a JAR deceivingly named bctls-fips-version.jar, but this is also not in FIPS Approved mode by default and requires the same jdk8 way of passing a parameter to the Provider.

    This means that the only way for >JDK9 to use a JSSE in FIPS mode is if a vendor provides a JSSE Provider preconfigured in FIPS mode, or only with FIPS mode available so that it can be used as

    security.provider.n=vendor.package.JSSEFipsProviderInFipsMode
    

    and to the best of my knowledge, there is none available at the moment. Note that this doesn't only affect our ability to run tests in >JDK9, but also possibly anyone's ability to configure a JDK11 JVM in fips approved mode both for JCE crypto and the JSSE.

I will try to get some information from the BouncyCastle folks, regarding their plans for the BouncyCastle FIPS Provider 1.0.2 that is supposedly already tested with JDK11

@jkakavas
Member Author

Good news is that bctls fips 1.0.9 is available in maven as of today. This fixes the regression that prevented us from setting it in FIPS mode in the java.security, so we're unblocked to proceed with this.

jkakavas added a commit that referenced this issue Nov 15, 2019
This change enables us to run our test suites in JVMs configured in
FIPS 140 approved mode. It does so by:

- Using BouncyCastle FIPS Cryptographic provider and BCJSSE in
FIPS mode. These are used as testRuntime dependencies for unit
tests and internal clusters, and copied (relevant jars)
explicitly to the lib directory for testclusters used in REST tests

- Configuring any given runtime Java in FIPS mode with the bundled
policy and security properties files, setting the system
properties java.security.properties and java.security.policy
with the == operator that overrides the default JVM properties
and policy.

Running the tests in FIPS 140 approved mode doesn't require an
additional configuration either in CI workers or locally and is
controlled by specifying -Dtests.fips.enabled=true

Closes: #37250
Supersedes: #41024
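
A check for the setup the commit message above describes, as an added example that is not part of the original issue or the project's code: it audits a security properties override file and the JVM arguments for the FIPS provider order, a BCJSSE load-time argument, and the `==` override operator. The provider class names and the `fips:BCFIPS` argument follow BouncyCastle's documented usage rather than this page, the file paths are hypothetical, and requiring the FIPS provider in slot 1 is an assumption.

```python
import re

BCFIPS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"
BCJSSE = "org.bouncycastle.jsse.provider.BouncyCastleJsseProvider"

# Constructed sample override file (not the project's bundled one).
SAMPLE_PROPS = f"""\
security.provider.1={BCFIPS}
security.provider.2={BCJSSE} fips:BCFIPS
security.provider.3=SUN
"""
# Constructed JVM arguments; the /ci/... paths are hypothetical.
SAMPLE_ARGS = [
    "-Dtests.fips.enabled=true",
    "-Djava.security.properties==/ci/fips_java.security",
    "-Djava.security.policy==/ci/fips_java.policy",
]

PROVIDER_RE = re.compile(r"\s*security\.provider\.(\d+)\s*=\s*(\S+)(?:\s+(\S.*?))?\s*$")

def parse_providers(text):
    """Map provider index -> (class name, load-time argument or None)."""
    found = {}
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found[int(m.group(1))] = (m.group(2), m.group(3))
    return found

def audit(props_text, jvm_args):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    providers = parse_providers(props_text)
    # Assumption: the FIPS JCE provider must have the highest priority.
    if providers.get(1, ("", None))[0] != BCFIPS:
        findings.append("security.provider.1 is not BouncyCastleFipsProvider")
    jsse_args = [arg for cls, arg in providers.values() if cls == BCJSSE]
    if not jsse_args:
        findings.append("BCJSSE is not registered")
    elif not (jsse_args[0] or "").startswith("fips:"):
        findings.append("BCJSSE has no fips: argument")
    for prop in ("java.security.properties", "java.security.policy"):
        given = [a for a in jvm_args if a.startswith(f"-D{prop}=")]
        if not given:
            findings.append(f"{prop} is not set")
        elif not given[-1].startswith(f"-D{prop}=="):
            # A single '=' adds to the JVM defaults instead of replacing them.
            findings.append(f"{prop} uses '=' instead of '=='")
    return findings
```

Running `audit` as a CI gate before the test JVM starts catches the case where a single `=` leaves the default, non-FIPS providers registered alongside the FIPS ones.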
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Nov 22, 2019
@kumartushar

  • the ability to pass extra parameters to the Security Providers on load time

Since #40754 was merged, I've spent some time getting our FIPS 140 testing up to speed so that we can start testing master on FIPS JVMs again. The initial approach included #41024 and elastic/infra#10792

Unfortunately, this proved to be insufficient. The reason is that there is currently no way to set up a JDK11 (or anything >JDK9) in FIPS Approved mode:

  • JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been the preferred (and the only documented) way to configure the BouncyCastleFipsProvider statically, and BC is not offering the provider as a module.
    In [WIP] Add BouncyCastleFipsProvider as test dependency #41024, we overcome this by adding the provider as a testRuntimeOnly dependency, and this seems to be working just fine.

  • Testing revealed that another thing that was removed (rather silently) in JDK9 was the ability to pass extra parameters to the Security Providers on load time. (Related issue that refers to the behavior change: https://bugs.openjdk.java.net/browse/JDK-8217907). However, it turns out that this was the suggested way to put Sun's JSSE provider in FIPS mode (not only using BCFIPS, but SunPKCS11-NSS as well). Original instructions for JDK8 (now removed) are available at: https://web.archive.org/web/20170324052831/http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
    Also, as seen in https://bugs.openjdk.java.net/browse/JDK-8217907, the SunJSSE FIPS compliant mode is being removed in JDK13.
    Finally, BouncyCastle offer their own JSSE provider (BCJSSE) that is packaged in a JAR deceivingly named bctls-fips-version.jar, but this is also not in FIPS Approved mode by default and requires the same jdk8 way of passing a parameter to the Provider.
    This means that the only way for >JDK9 to use a JSSE in FIPS mode is if a vendor provides a JSSE Provider preconfigured in FIPS mode, or only with FIPS mode available so that it can be used as

    security.provider.n=vendor.package.JSSEFipsProviderInFipsMode
    

    and to the best of my knowledge, there is none available at the moment. Note that this doesn't only affect our ability to run tests in >JDK9, but also possibly anyone's ability to configure a JDK11 JVM in fips approved mode both for JCE crypto and the JSSE.

I will try to get some information from the BouncyCastle folks, regarding their plans for the BouncyCastle FIPS Provider 1.0.2 that is supposedly already tested with JDK11

@jkakavas - Did you get any info on this? I am stuck badly with this; any help would be really appreciated.

@jkakavas
Member Author

Hi @kumartushar, please ask these sorts of questions on our forums at https://discuss.elastic.co/ rather than piggybacking on existing issues here. This issue has long been closed, please ask a question in the forums and add details on what you are trying to do, what you have done already and where exactly you are stuck badly with this.

@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020