handle RSA 1.5 restriction and add debug build

jakelandis · Nov 9, 2023 · f831e9c · f831e9c
1 parent 57ff496
commit f831e9c
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 4 deletions.
diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -25,7 +25,13 @@ if (BuildParams.inFipsJvm) {
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
     def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.4')
     def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17')
-
+    def manualDebug = false; //change this to manually debug bouncy castle in an IDE
+    if(manualDebug) {
+      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.4')
+      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17'){
+        exclude group: 'org.bouncycastle', module: 'bc-fips'  // to avoid jar hell
+      }
+    }
     pluginManager.withPlugin('java-base') {
       TaskProvider<ExportElasticsearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
       fipsResourcesTask.configure {

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -3007,6 +3007,11 @@
             <sha256 value="703ecd8a3a619800269bc8cd442f2ebf469bd2fe70478364f58ddc6460c35f9f" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.4">
+         <artifact name="bc-fips-debug-1.0.2.4.jar">
+            <sha256 value="a025e947c9c91d023bf2a0a3a74d78d5f8b9f6f0f4de13dc52025f2b996a306b" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.bouncycastle" name="bcpg-fips" version="1.0.7.1">
          <artifact name="bcpg-fips-1.0.7.1.jar">
             <sha256 value="fea1a096c098395eb67d48700c349d5f75321ef0c7c6af9198bc38f4cc836622" origin="Generated by Gradle"/>

diff --git a/...ity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java b/...ity/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
@@ -1417,9 +1417,15 @@ private Encrypter getEncrypter(Tuple<X509Certificate, PrivateKey> keyPair) throw
         final Credential keyEncryptionCredential = new BasicCredential(keyPair.v1().getPublicKey(), keyPair.v2());
         KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
         keyEncryptionParameters.setEncryptionCredential(keyEncryptionCredential);
-        keyEncryptionParameters.setAlgorithm(
-            randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)
-        );
+        if(inFipsJvm()){
+            keyEncryptionParameters.setAlgorithm(
+                    randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP)
+            );
+        } else {
+            keyEncryptionParameters.setAlgorithm(
+                    randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)
+            );
+        }
 
         final Encrypter samlEncrypter = new Encrypter(encryptionParameters, keyEncryptionParameters);
         samlEncrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);