Add a FIPS 140-2 enabled JDK 11 JVM in CI

[jkakavas]

We currently only run our tests in a Java 8 FIPS 140-2 JVM in CI using BouncyCastle FIPS Security Provider. We need to also run our tests with JDK 11.

A complication is that BouncyCastle FIPS Security Provider is not certified yet for JDK 11. This is an ongoing effort , details should be available at https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list) but there is no concrete timeline. This leaves us with the option of SunPKCS11-NSS and its limitations

[elasticmachine]

Pinging @elastic/es-core-infra

[elasticmachine]

Pinging @elastic/es-security

[pkazi]

Can anyone share how to enable FIPS 140-2 in my JDK 8 for running with elasticsearch ?

[tvernum]

Hi @pkazi, please ask these sorts of questions on our forums at https://discuss.elastic.co/ rather than piggybacking on existing issues here.

[jkakavas]

Since #40754 was merged, I've spent some time getting our FIPS 140 testing up to speed so that we can start testing master on FIPS JVMs again. The initial approach included #41024 and https://github.com/elastic/infra/pull/10792

Unfortunately, this proved to be insufficient. The reason is that there is currently no way to set up a JDK11 ( or anything >JDK9 ) in FIPS Approved mode:

• >JDK9 removed the extension mechanism by which external jars could be placed in jre/lib/ext. This has been the preferred ( and the only documented ) way to configure the BouncyCastleFipsProvider statically and BC is not offering the provider as a module

  In [WIP] Add BouncyCastleFipsProvider as test dependency #41024, we overcome this by adding the provider as a testRuntimeOnly dependency , and this seems to be working just fine.

• Testing revealed that another thing that was removed (rather silently) in JDK9, was the ability to pass extra parameters to the Security Providers on load time. (Related issue that refers to the behavior change: https://bugs.openjdk.java.net/browse/JDK-8217907). However, it turns out that this was the suggested way to put Sun's JSSE provider in FIPS mode (not only using BCFIPS, but SunPKCS11-NSS as well) Original instructions for JDK8 (now removed) are available in : https://web.archive.org/web/20170324052831/http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/FIPS.html
  Also, as seen in https://bugs.openjdk.java.net/browse/JDK-8217907, the SunJSSE FIPS compliant mode is being removed in JDK13.
  Finally, BouncyCastle offer their own JSSE provider (BCJSSE) that is packaged in a JAR deceivingly named bctls-fips-version.jar but this is also not in FIPS Approved mode by default and require the same jdk8 way of passing a parameter to the Provider.

  This means that the only way for >JDK9 to use a JSSE in FIPS mode is if a vendor provides a JSSE Provider preconfigured in FIPS mode, or only with FIPS mode available so that it can be used as

  security.provider.n=vendor.package.JSSEFipsProviderInFipsMode
  

  and to the best of my knowledge, there is none available at the moment. Note that this doesn't only affect our ability to run tests in >JDK9, but also possibly anyone's ability to configure a JDK11 JVM in fips approved mode both for JCE crypto and the JSSE.

I will try to get some information from the BouncyCastle folks, regarding their plans for the BouncyCastle FIPS Provider 1.0.2 that is supposedly already tested with JDK11

[jkakavas]

Good news is that bctls fips 1.0.9 is available in maven as of today. This fixes the regression that prevented us from setting it in FIPS mode in the java.security , so we're unblocked to proceed with this