Skip to content

make test-suite runnable under FIPS#5866

Draft
beanuwave wants to merge 1 commit intoopensearch-project:mainfrom
sternadsoftware:fips_compliance4
Draft

make test-suite runnable under FIPS#5866
beanuwave wants to merge 1 commit intoopensearch-project:mainfrom
sternadsoftware:fips_compliance4

Conversation

@beanuwave
Copy link

@beanuwave beanuwave commented Dec 18, 2025

Description

Makes the required changes to build and test under FIPS-140-3 compliance support. FIPS mode can be activated by adding the -Pcrypto.standard=FIPS-140-3 Gradle parameter and configuring BC security providers as high prio.

Includes:

  • use at least 112bit strength for passwords
  • adopt error-messages and stacktraces to BCJSSE and BCFIPS providers
  • enable SNI hostname configuration for LDAP connections to ensure proper hostname verification with BouncyCastle
  • ...

Issues Resolved

Resolves RFC

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@iigonin @bennygoerzig @KarstenSchnitter
make test-suite runnable under FIPS
0d1943e 
Signed-off-by: Igonin <iigonin@sternad.de>
Co-authored-by: Benny Goerzig <benny.goerzig@sap.com>
Co-authored-by: Karsten Schnitter <k.schnitter@sap.com>
Co-authored-by: Kai Sternad <k.sternad@sternad.de>
nibix
nibix reviewed Dec 19, 2025
View reviewed changes
src/integrationTest/java/org/opensearch/security/hash/PBKDF2DefaultConfigHashingTests.java
private static final String password = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "dtekVF0vEAA9FNvm#KMkTwMN" : "secret";

static {
ADMIN_USER = new TestSecurityConfig.User("admin").roles(ALL_ACCESS)
Copy link
Collaborator

@nibix nibix Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This modifies an attribute that was formely static final but was changed to just static in this PR.

I think this needs to be done in a different way, this is very prone to concurrency issues; and it is modifying static members of other classes is very surprising behavior which is usually not expected.

Copy link
Author

@beanuwave beanuwave Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree - this is just a dirty hack to make it work. Thanks for pointing it out, it should be reworked before moving out of WIP

src/main/java/org/opensearch/security/auth/ldap/backend/LDAPAuthorizationBackend.java
DefaultConnectionFactory connFactory = new DefaultConnectionFactory(config);

// Register custom socket factory for SNI hostname verification with BouncyCastle FIPS if SSL is enabled
if (config.getLdapUrl() != null && config.getLdapUrl().startsWith("ldaps:")) {
Copy link
Collaborator

@nibix nibix Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am a bit confused by this; according to the PR this, this is only about the test code; yet, this is prod code.

Could you elaborate which this change is necessary here? Possibly, we can do it in a separate PR?

Copy link
Author

@beanuwave beanuwave Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect the amount of code to double or triple once this moves out of WIP. I also see potential to split this PR by authentication mechanism: LDAP, SAML, ... and possibly hashing-related logic, plus the rest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nibix nibix nibix left review comments

@cwperks cwperks Awaiting requested review from cwperks cwperks will be requested when the pull request is marked ready for review cwperks is a code owner

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura will be requested when the pull request is marked ready for review DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho will be requested when the pull request is marked ready for review derek-ho is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 will be requested when the pull request is marked ready for review RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta will be requested when the pull request is marked ready for review reta is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 will be requested when the pull request is marked ready for review shikharj05 is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin will be requested when the pull request is marked ready for review willyborankin is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[RFC] FIPS-140 Compliance Roadmap for OpenSearch

3 participants

@beanuwave @nibix @iigonin