more security manager fixes

jakelandis · Nov 7, 2023 · d099353 · d099353
1 parent 709631b
commit d099353
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/build-tools-internal/src/main/resources/fips_java.policy b/build-tools-internal/src/main/resources/fips_java.policy
@@ -1,11 +1,11 @@
 grant {
      permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
      permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
-     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-     permission java.security.SecurityPermission "getProperty.keystore.type.compat";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
+     permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.rsa.allow_multi_use";
+     permission java.util.PropertyPermission "javax.net.debug", "write";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
      //io.netty.handler.codec.DecoderException
      permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
@@ -16,4 +16,19 @@ grant {
      permission org.bouncycastle.crypto.CryptoServicesPermission "exportSecretKey";
      permission org.bouncycastle.crypto.CryptoServicesPermission "exportPrivateKey";
      permission java.io.FilePermission "${javax.net.ssl.trustStore}", "read";
+
+     //TODO: double check these !!
+     permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
+     permission java.security.SecurityPermission "getProperty.keystore.type.compat";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.disable_f2m";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.disable";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.tripledes.allow_weak";
+     permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.drbg.gather_pause_secs";
+     permission java.net.NetPermission "getNetworkInformation";
+     permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+     permission java.lang.RuntimePermission "accessSystemModules";
+     permission java.lang.RuntimePermission "manageProcess";
+     permission java.lang.RuntimePermission "createSecurityManager";
 };
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfiguration.java
@@ -57,7 +57,7 @@ public record SslConfiguration(
             SSLContext.getInstance("TLSv1.3");
             protocolAlgorithmMap.put("TLSv1.3", "TLSv1.3");
         } catch (NoSuchAlgorithmException e) {
-            // ignore since we support JVMs using BCJSSE in FIPS mode which doesn't support TLSv1.3
+            // ignore since we support JVMs using BCJSSE in FIPS mode which doesn't support TLSv1.3 //TODO: -> can i remove this ?
         }
         protocolAlgorithmMap.put("TLSv1.2", "TLSv1.2");
         protocolAlgorithmMap.put("TLSv1.1", "TLSv1.1");