From a6abb44b6f31dac724e5d83d885811d0f20c81f6 Mon Sep 17 00:00:00 2001 From: Iwan Igonin Date: Fri, 31 Jan 2025 13:20:56 +0100 Subject: [PATCH] build with 'crypto.standard' gradle build parameter Signed-off-by: Iwan Igonin --- .../gradle/info/FipsBuildParams.java | 20 +++++++++++-------- .../gradle/info/GlobalBuildInfoPlugin.java | 2 ++ .../gradle/testclusters/OpenSearchNode.java | 2 +- .../tools/launchers/SystemJvmOptions.java | 16 ++++----------- .../org/opensearch/bootstrap/Bootstrap.java | 2 +- 5 files changed, 20 insertions(+), 22 deletions(-) diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java index 3c1852afdcc3d..83aba1af2152d 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/info/FipsBuildParams.java @@ -8,24 +8,28 @@ package org.opensearch.gradle.info; +import java.util.function.Function; + public class FipsBuildParams { - private static final String FIPS_BUILD_PARAM = "OPENSEARCH_CRYPTO_STANDARD"; + public static final String FIPS_BUILD_PARAM = "crypto.standard"; + + public static final String FIPS_ENV_VAR = "OPENSEARCH_CRYPTO_STANDARD"; + + private static String fipsMode; - private static final String FIPS_MODE = System.getenv(FIPS_BUILD_PARAM); + public static void init(Function fipsValue) { + fipsMode = (String) fipsValue.apply(FIPS_BUILD_PARAM); + } private FipsBuildParams() {} public static boolean isInFipsMode() { - return "FIPS-140-3".equals(FIPS_MODE); + return "FIPS-140-3".equals(fipsMode); } public static String getFipsMode() { - return FIPS_MODE; - } - - public static String getFipsBuildParam() { - return FIPS_BUILD_PARAM; + return fipsMode; } } diff --git a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java index fe354097640f7..4c3a09c394278 100644 
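Review bot: `init` casts whatever the lookup returns straight to `String`, and `isInFipsMode()` treats everything except the exact text `FIPS-140-3` as non-FIPS, so a misspelled `crypto.standard` value or a call made before `init` silently yields a non-FIPS build, and a non-String property value would fail with a `ClassCastException`. The removed code read `OPENSEARCH_CRYPTO_STANDARD` from the environment; builds that still only export that variable now appear to take the same silent path, which is worth stating in the commit message if it is intended. If `FIPS-140-3` is the only accepted value, I would convert defensively with `Object v = fipsValue.apply(FIPS_BUILD_PARAM);` and `fipsMode = v == null ? null : v.toString();`, then throw an `IllegalArgumentException` when `fipsMode` is non-null and unrecognised. A short Javadoc on `init` saying it must run before the first `isInFipsMode()` call would also help.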
--- a/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java @@ -109,6 +109,8 @@ public void apply(Project project) { File rootDir = project.getRootDir(); GitInfo gitInfo = gitInfo(rootDir); + FipsBuildParams.init(project::findProperty); + BuildParams.init(params -> { // Initialize global build parameters boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null; diff --git a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java index 3145590d00cfa..fda3556c85606 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/testclusters/OpenSearchNode.java @@ -797,7 +797,7 @@ private Map getOpenSearchEnvironment() { defaultEnv.put("HOSTNAME", HOSTNAME_OVERRIDE); defaultEnv.put("COMPUTERNAME", COMPUTERNAME_OVERRIDE); if (FipsBuildParams.isInFipsMode()) { - defaultEnv.put(FipsBuildParams.getFipsBuildParam(), FipsBuildParams.getFipsMode()); + defaultEnv.put(FipsBuildParams.FIPS_ENV_VAR, FipsBuildParams.getFipsMode()); } Set commonKeys = new HashSet<>(environment.keySet()); diff --git a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java index 60e3085e864b3..5349c81a8a851 100644 --- a/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java +++ b/distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java 
@@ -44,6 +44,8 @@ final class SystemJvmOptions { static final String OPENSEARCH_CRYPTO_STANDARD = "OPENSEARCH_CRYPTO_STANDARD"; static final String FIPS_140_3 = "FIPS-140-3"; + static final boolean IS_IN_FIPS_JVM = FIPS_140_3.equals(System.getenv(OPENSEARCH_CRYPTO_STANDARD)) + || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only")); static List systemJvmOptions(final Path config, Runtime.Version runtimeVersion) throws FileNotFoundException { return Collections.unmodifiableList( @@ -93,21 +95,11 @@ static List systemJvmOptions(final Path config, Runtime.Version runtimeV } private static String enableFips() { - var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD); - if (FIPS_140_3.equals(cryptoStandard)) { - return "-Dorg.bouncycastle.fips.approved_only=true"; - } - return ""; + return IS_IN_FIPS_JVM ? "-Dorg.bouncycastle.fips.approved_only=true" : ""; } private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException { - String securityFile; - var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD); - if (FIPS_140_3.equals(cryptoStandard)) { - securityFile = "fips_java.security"; - } else { - securityFile = "java.security"; - } + String securityFile = IS_IN_FIPS_JVM ? "fips_java.security" : "java.security"; var securityFilePath = config.resolve(securityFile); if (!Files.exists(securityFilePath)) { diff --git a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java index c0f414f415b0d..a940d64fae94b 100644 --- a/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java +++ b/server/src/main/java/org/opensearch/bootstrap/Bootstrap.java 
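Review bot: `IS_IN_FIPS_JVM` has no comment saying whose state it inspects. As a `static final` it is computed once at class initialisation from this process's own environment and system properties, which is not obvious in a class that appears to assemble options for another JVM. A comment such as `// true when the env var selects FIPS-140-3 or this JVM was itself started with approved_only=true; evaluated once at class load` would make that explicit. The property name is also a bare literal here and again inside the `-D` string in `enableFips` in the second hunk; a constant such as `static final String BC_APPROVED_ONLY = "org.bouncycastle.fips.approved_only";` would keep the two from drifting apart.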
@@ -199,7 +199,7 @@ private void setup(boolean addShutdownHook, Environment environment) throws Boot SecureRandomInitializer.init(); var cryptoStandard = System.getenv("OPENSEARCH_CRYPTO_STANDARD"); - if ("FIPS-140-3".equals(cryptoStandard)) { + if ("FIPS-140-3".equals(cryptoStandard) || "true".equalsIgnoreCase(System.getProperty("org.bouncycastle.fips.approved_only"))) { LogManager.getLogger(Bootstrap.class).info("running in FIPS-140-3 mode"); SecurityProviderManager.excludeSunJCE(); }
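Review bot: The FIPS check in `setup` now restates the launcher's detection (`SystemJvmOptions.IS_IN_FIPS_JVM`) as string literals on one long line, so a later change to either copy can leave the JVM in approved-only mode without `excludeSunJCE()` being called, or the reverse. Pulling the condition into a small private helper with a comment naming the launcher counterpart would make the pairing visible, e.g. `if (isFipsMode()) {`. The info log could also record which signal selected FIPS mode, since the environment variable may now be unset when this branch is taken. `setup` starts and ends outside this hunk.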