add back grant and nitpicks

jakelandis · Nov 14, 2023 · 7c99942 · 7c99942
1 parent f91b526
commit 7c99942
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 2 deletions.
diff --git a/build-tools-internal/src/main/resources/fips_java.policy b/build-tools-internal/src/main/resources/fips_java.policy
@@ -4,6 +4,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.keystore.type.compat";
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

diff --git a/test/test-clusters/src/main/resources/fips/fips_java.policy b/test/test-clusters/src/main/resources/fips/fips_java.policy
@@ -4,6 +4,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.keystore.type.compat";
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

diff --git a/...ity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java b/...ity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
@@ -1418,7 +1418,8 @@ private Encrypter getEncrypter(Tuple<X509Certificate, PrivateKey> keyPair) throw
         KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
         keyEncryptionParameters.setEncryptionCredential(keyEncryptionCredential);
         if (inFipsJvm()) {
-            keyEncryptionParameters.setAlgorithm(randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP));
+            // RSA v1.5 is not allowed when running in FIPS mode
+            keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
         } else {
             keyEncryptionParameters.setAlgorithm(
                 randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)

diff --git a/...ts/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java b/...ts/src/test/java/org/elasticsearch/xpack/security/authc/kerberos/SimpleKdcLdapServer.java
@@ -185,7 +185,7 @@ private void prepareKdcServerAndStart() throws Exception {
         simpleKdc.getKdcConfig().setLong(KdcConfigKey.MINIMUM_TICKET_LIFETIME, minimumTicketLifeTime.getMillis());
         simpleKdc.getKdcConfig().setLong(KdcConfigKey.MAXIMUM_RENEWABLE_LIFETIME, maxRenewableLifeTime.getMillis());
         if (inFipsJvm()) {
-            // triple DES not supported in FIPs
+            // Triple DES is not allowed when running in FIPS mode
             String encryptionTypes = (String) KdcConfigKey.ENCRYPTION_TYPES.getDefaultValue();
             simpleKdc.getKdcConfig()
                 .setString(KdcConfigKey.ENCRYPTION_TYPES, encryptionTypes.toLowerCase().replace("des3-cbc-sha1-kd", ""));