From f831e9cf05f7f8d9fb582aa5894f83bb3d6607f5 Mon Sep 17 00:00:00 2001
From: Jake Landis
Date: Thu, 9 Nov 2023 17:48:43 -0600
Subject: [PATCH] handle RSA 1.5 restriction and add debug build
---
 .../src/main/groovy/elasticsearch.fips.gradle | 8 +++++++-
 gradle/verification-metadata.xml | 5 +++++
 .../security/authc/saml/SamlAuthenticatorTests.java | 12 +++++++++---
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
index 0ce39ce6a1fb3..f691d4bd996a7 100644
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -25,7 +25,13 @@ if (BuildParams.inFipsJvm) {
 File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
 def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.4')
 def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17')
-
+ def manualDebug = false; //change this to manually debug bouncy castle in an IDE
+ if(manualDebug) {
+ bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.4')
+ bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17'){
+ exclude group: 'org.bouncycastle', module: 'bc-fips' // to avoid jar hell
+ }
+ }
 pluginManager.withPlugin('java-base') {
 TaskProvider fipsResourcesTask = project.tasks.register('fipsResources', ExportElasticsearchBuildResourcesTask)
 fipsResourcesTask.configure {
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 673b918088c73..d1b8b218d9683 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -3007,6 +3007,11 @@ + + + + +
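Review bot: The `manualDebug` switch is a literal in the build script, so using it means editing a tracked file, and a stray commit of `true` would make every FIPS build resolve `bc-fips-debug` in place of `bc-fips`. The debug artifact is presumably not the validated module, so test results from such a build would not describe the provider that ships. Reading the flag from a project property keeps the default safe without a source change, e.g. `def manualDebug = project.hasProperty('<debug-flag-name>') // local IDE debugging only, never set in CI`, where `<debug-flag-name>` is a placeholder. The enclosing `if (BuildParams.inFipsJvm)` block starts before this hunk and continues past it.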
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
index 19ae53caca086..364801ea722e2 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticatorTests.java
@@ -1417,9 +1417,15 @@ private Encrypter getEncrypter(Tuple keyPair) throw
 final Credential keyEncryptionCredential = new BasicCredential(keyPair.v1().getPublicKey(), keyPair.v2());
 KeyEncryptionParameters keyEncryptionParameters = new KeyEncryptionParameters();
 keyEncryptionParameters.setEncryptionCredential(keyEncryptionCredential);
- keyEncryptionParameters.setAlgorithm(
- randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)
- );
+ if(inFipsJvm()){
+ keyEncryptionParameters.setAlgorithm(
+ randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP)
+ );
+ } else {
+ keyEncryptionParameters.setAlgorithm(
+ randomFrom(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP, EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSA15)
+ );
+ }
 final Encrypter samlEncrypter = new Encrypter(encryptionParameters, keyEncryptionParameters);
 samlEncrypter.setKeyPlacement(Encrypter.KeyPlacement.INLINE);
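Review bot: The FIPS branch of `getEncrypter` calls `randomFrom` with a single candidate and has no comment on why RSA 1.5 is left out, so the reason survives only in the commit subject. A direct call says the same thing, `keyEncryptionParameters.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);`, preceded by a comment such as `// RSA 1.5 key transport is restricted in the FIPS JVM; only RSA-OAEP can be exercised here`. With RSA 1.5 removed from FIPS runs, nothing visible in this hunk checks how the authenticator handles an RSA-1.5-wrapped key under FIPS. A negative test asserting a clean rejection would pin that behaviour, if one does not already exist elsewhere in the test class. `getEncrypter` begins before the hunk and its body continues after it.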