From 7c999423471fdcadbc676615d178f116547d3066 Mon Sep 17 00:00:00 2001
From: Jake Landis <jake.landis@elastic.co>
Date: Tue, 14 Nov 2023 12:04:41 -0600
Subject: [PATCH] add back grant and nitpicks

---
 build-tools-internal/src/main/resources/fips_java.policy       | 1 +
 test/test-clusters/src/main/resources/fips/fips_java.policy    | 1 +
 .../xpack/security/authc/saml/SamlAuthenticatorTests.java      | 3 ++-
 .../xpack/security/authc/kerberos/SimpleKdcLdapServer.java     | 2 +-
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/build-tools-internal/src/main/resources/fips_java.policy b/build-tools-internal/src/main/resources/fips_java.policy
index c7d299f05b838..bbfc1caf7593a 100644
--- a/build-tools-internal/src/main/resources/fips_java.policy
+++ b/build-tools-internal/src/main/resources/fips_java.policy
@@ -4,6 +4,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.keystore.type.compat";
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
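Review bot: The same grant is added to two byte-identical copies of this policy (this file and test/test-clusters/src/main/resources/fips/fips_java.policy, both moving from blob c7d299f05b838 to bbfc1caf7593a), and nothing in either file records that they must stay in sync. A header comment such as `// Keep in sync with test/test-clusters/src/main/resources/fips/fips_java.policy` (with the mirror line in the other copy) would make the next permission less likely to land in only one of them. The added permission is the read-only `getProperty.` form, which is the narrow grant for this property; the enclosing `grant { … }` block starts and ends outside the hunk. The same point applies to the hunk for the test-clusters copy below.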
diff --git a/test/test-clusters/src/main/resources/fips/fips_java.policy b/test/test-clusters/src/main/resources/fips/fips_java.policy
index c7d299f05b838..bbfc1caf7593a 100644
--- a/test/test-clusters/src/main/resources/fips/fips_java.policy
+++ b/test/test-clusters/src/main/resources/fips/fips_java.policy
@@ -4,6 +4,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.keystore.type.compat";
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
index 646f390d28a1c..60f6cc53902b9 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
@@ -1418,7 +1418,8 @@ private Encrypter getEncrypter(Tuple<X509Certificate, PrivateKey> keyPair) throw
         KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
         keyEncryptionParameters.setEncryptionCredential(keyEncryptionCredential);
         if (inFipsJvm()) {
-            keyEncryptionParameters.setAlgorithm(randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
+            // RSA v1.5 is not allowed when running in FIPS mode
+            keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
         } else {
             keyEncryptionParameters.setAlgorithm(
                 randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)
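Review bot: The new comment names the rejected algorithm as "RSA v1.5" while the code only ever refers to it as `ALGO_ID_KEYTRANSPORT_RSA15`, so a reader grepping for the constant will not find the reason it is excluded in the FIPS branch; `// RSA PKCS#1 v1.5 key transport (ALGO_ID_KEYTRANSPORT_RSA15) is not allowed when running in FIPS mode, so only RSA-OAEP is used` ties the two together. Dropping the single-argument `randomFrom(...)` is a good cleanup, since it randomized over one value. getEncrypter's signature is before the hunk and its body continues after it.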
diff --git a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java
index 027bde808dea6..30b1744962e35 100644
--- a/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java
+++ b/x-pack/qa/evil-tests/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java
@@ -185,7 +185,7 @@ private void prepareKdcServerAndStart() throws Exception {
         simpleKdc.getKdcConfig().setLong(KdcConfigKey.MINIMUM_TICKET_LIFETIME, minimumTicketLifeTime.getMillis());
         simpleKdc.getKdcConfig().setLong(KdcConfigKey.MAXIMUM_RENEWABLE_LIFETIME, maxRenewableLifeTime.getMillis());
         if (inFipsJvm()) {
-            // triple DES not supported in FIPs
+            // Triple DES is not allowed when running in FIPS mode
             String encryptionTypes = (String) KdcConfigKey.ENCRYPTION_TYPES.getDefaultValue();
             simpleKdc.getKdcConfig()
                 .setString(KdcConfigKey.ENCRYPTION_TYPES, encryptionTypes.toLowerCase().replace("des3-cbc-sha1-kd", ""));
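Review bot: The `toLowerCase()` call on the line after the new comment uses the JVM default locale, so the match for `des3-cbc-sha1-kd` depends on the test host's locale settings; `encryptionTypes.toLowerCase(Locale.ROOT)` is the locale-independent form (this needs `java.util.Locale` in scope, which I cannot confirm from the hunk). The `replace` also removes only the token and not its surrounding separator, so the resulting list presumably carries a doubled or trailing separator — likely harmless if the config parser tolerates it, but worth confirming against the default value. prepareKdcServerAndStart starts before the hunk and continues after it.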