Ensure CI is run in FIPS 140 approved only mode#64024
Merged
jkakavas merged 79 commits intoelastic:masterfrom Dec 23, 2020
Merged
Ensure CI is run in FIPS 140 approved only mode#64024jkakavas merged 79 commits intoelastic:masterfrom
jkakavas merged 79 commits intoelastic:masterfrom
Conversation
We were depending on the BouncyCastle FIPS own mechanics to set itself in approved only mode since we run with the Security Manager enabled. The check during startup seems to happen before we set our restrictive SecurityManager though in org.elasticsearch.bootstrap.Elasticsearch , and this means that BCFIPS would not be in approved onlu mode, unless explicitly configured so. This commit sets the appropriate JVM property to explicitly set BCFIPS in approved only mode and addresses a number of tests that would fail in approved mode. Mainly: - Tests that use PBKDF2 with a password less than 112 bits (14char) - Tests that use a PKCS12 keystore and were not already muted. It also changes a few unit tests where we would use bcrypt even in FIPS 140 mode. These would still pass since we are bundling our own bcrypt implementation, but are now changed to use FIPS 140 approved algorithms instead for better coverage.
Collaborator
|
Pinging @elastic/es-security (:Security/Security) |
ywangd
reviewed
Oct 22, 2020
Member
ywangd
left a comment
There was a problem hiding this comment.
I left a few comments. Woud like to have another round later. Thanks!
...plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java
Outdated
Show resolved
Hide resolved
...internalClusterTest/java/org/elasticsearch/integration/ClusterPrivilegeIntegrationTests.java
Show resolved
Hide resolved
| " - names: '*'\n" + | ||
| " privileges: [ all ]\n" + | ||
| "create_doc_role:\n" + | ||
| "create_doc_role:\n" + |
Member
There was a problem hiding this comment.
Nit: The indentation is now inconsistent with all_indices_role. I do think the change here looks better. But I'd suggest we make the same change to all_indices_role as well.
...rc/internalClusterTest/java/org/elasticsearch/integration/CreateDocsIndexPrivilegeTests.java
Outdated
Show resolved
Hide resolved
...erTest/java/org/elasticsearch/xpack/security/authz/store/NativePrivilegeStoreCacheTests.java
Show resolved
Hide resolved
tvernum
reviewed
Oct 22, 2020
...plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java
Outdated
Show resolved
Hide resolved
|
|
||
| public class Fips140ProviderVerificationTests extends ESTestCase { | ||
|
|
||
| public void testBcFipsProviderInUse(){ |
Contributor
There was a problem hiding this comment.
Nit
Suggested change
| public void testBcFipsProviderInUse(){ | |
| public void testBcFipsProviderInUse() { |
...plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java
Outdated
Show resolved
Hide resolved
...plugin/core/src/test/java/org/elasticsearch/xpack/core/Fips140ProviderVerificationTests.java
Outdated
Show resolved
Hide resolved
...rity/src/test/java/org/elasticsearch/xpack/security/authc/file/FileUserPasswdStoreTests.java
Outdated
Show resolved
Hide resolved
.../plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlTestCase.java
Outdated
Show resolved
Hide resolved
| break; | ||
| default: | ||
| keySize = randomFrom(1024, 2048); | ||
| keySize = randomFrom(2048); |
Contributor
There was a problem hiding this comment.
Suggested change
| keySize = randomFrom(2048); | |
| keySize = 2048; |
...t/java/org/elasticsearch/xpack/security/authc/support/CachingUsernamePasswordRealmTests.java
Outdated
Show resolved
Hide resolved
Member
|
I could be missing something, but is |
This was referenced Nov 24, 2020
jkakavas
added a commit
that referenced
this pull request
Nov 26, 2020
In certain situations, such as when configured in FIPS 140 mode, the Java security provider in use might throw a subclass of java.lang.Error. We currently do not catch these and as a result the JVM exits, shutting down elasticsearch. This commit attempts to address this by catching subclasses of Error that might be thrown for instance when a PBKDF2 implementation is used from a Security Provider in FIPS 140 mode, with the password input being less than 14 bytes (112 bits). - In our PBKDF2 family of hashers, we catch the Error and throw an ElasticsearchException while creating or verifying the hash. We throw on verification instead of simply returning false on purpose so that the message bubbles up and the cause becomes obvious (otherwise it would be indistinguishable from a wrong password). - In KeyStoreWrapper, we catch the Error in order to wrap and re-throw a GeneralSecurityException with a helpful message. This can happen when using any of the keystore CLI commands, when the node starts or when we attempt to reload secure settings. - In the `elasticsearch-users` tool, we catch the ElasticsearchException that the Hasher class re-throws and throw an appropriate UserException. Tests are missing because it's not trivial to set CI in fips approved mode right now, and thus any tests would need to be muted. There is a parallel effort in #64024 to enable that and tests will be added in a followup.
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
Nov 26, 2020
In certain situations, such as when configured in FIPS 140 mode, the Java security provider in use might throw a subclass of java.lang.Error. We currently do not catch these and as a result the JVM exits, shutting down elasticsearch. This commit attempts to address this by catching subclasses of Error that might be thrown for instance when a PBKDF2 implementation is used from a Security Provider in FIPS 140 mode, with the password input being less than 14 bytes (112 bits). - In our PBKDF2 family of hashers, we catch the Error and throw an ElasticsearchException while creating or verifying the hash. We throw on verification instead of simply returning false on purpose so that the message bubbles up and the cause becomes obvious (otherwise it would be indistinguishable from a wrong password). - In KeyStoreWrapper, we catch the Error in order to wrap and re-throw a GeneralSecurityException with a helpful message. This can happen when using any of the keystore CLI commands, when the node starts or when we attempt to reload secure settings. - In the `elasticsearch-users` tool, we catch the ElasticsearchException that the Hasher class re-throws and throw an appropriate UserException. Tests are missing because it's not trivial to set CI in fips approved mode right now, and thus any tests would need to be muted. There is a parallel effort in elastic#64024 to enable that and tests will be added in a followup.
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
Nov 26, 2020
In certain situations, such as when configured in FIPS 140 mode, the Java security provider in use might throw a subclass of java.lang.Error. We currently do not catch these and as a result the JVM exits, shutting down elasticsearch. This commit attempts to address this by catching subclasses of Error that might be thrown for instance when a PBKDF2 implementation is used from a Security Provider in FIPS 140 mode, with the password input being less than 14 bytes (112 bits). - In our PBKDF2 family of hashers, we catch the Error and throw an ElasticsearchException while creating or verifying the hash. We throw on verification instead of simply returning false on purpose so that the message bubbles up and the cause becomes obvious (otherwise it would be indistinguishable from a wrong password). - In KeyStoreWrapper, we catch the Error in order to wrap and re-throw a GeneralSecurityException with a helpful message. This can happen when using any of the keystore CLI commands, when the node starts or when we attempt to reload secure settings. - In the `elasticsearch-users` tool, we catch the ElasticsearchException that the Hasher class re-throws and throw an appropriate UserException. Tests are missing because it's not trivial to set CI in fips approved mode right now, and thus any tests would need to be muted. There is a parallel effort in elastic#64024 to enable that and tests will be added in a followup.
jkakavas
added a commit
that referenced
this pull request
Nov 26, 2020
In certain situations, such as when configured in FIPS 140 mode, the Java security provider in use might throw a subclass of java.lang.Error. We currently do not catch these and as a result the JVM exits, shutting down elasticsearch. This commit attempts to address this by catching subclasses of Error that might be thrown for instance when a PBKDF2 implementation is used from a Security Provider in FIPS 140 mode, with the password input being less than 14 bytes (112 bits). - In our PBKDF2 family of hashers, we catch the Error and throw an ElasticsearchException while creating or verifying the hash. We throw on verification instead of simply returning false on purpose so that the message bubbles up and the cause becomes obvious (otherwise it would be indistinguishable from a wrong password). - In KeyStoreWrapper, we catch the Error in order to wrap and re-throw a GeneralSecurityException with a helpful message. This can happen when using any of the keystore CLI commands, when the node starts or when we attempt to reload secure settings. - In the `elasticsearch-users` tool, we catch the ElasticsearchException that the Hasher class re-throws and throw an appropriate UserException. Tests are missing because it's not trivial to set CI in fips approved mode right now, and thus any tests would need to be muted. There is a parallel effort in #64024 to enable that and tests will be added in a followup.
jkakavas
added a commit
that referenced
this pull request
Nov 26, 2020
In certain situations, such as when configured in FIPS 140 mode, the Java security provider in use might throw a subclass of java.lang.Error. We currently do not catch these and as a result the JVM exits, shutting down elasticsearch. This commit attempts to address this by catching subclasses of Error that might be thrown for instance when a PBKDF2 implementation is used from a Security Provider in FIPS 140 mode, with the password input being less than 14 bytes (112 bits). - In our PBKDF2 family of hashers, we catch the Error and throw an ElasticsearchException while creating or verifying the hash. We throw on verification instead of simply returning false on purpose so that the message bubbles up and the cause becomes obvious (otherwise it would be indistinguishable from a wrong password). - In KeyStoreWrapper, we catch the Error in order to wrap and re-throw a GeneralSecurityException with a helpful message. This can happen when using any of the keystore CLI commands, when the node starts or when we attempt to reload secure settings. - In the `elasticsearch-users` tool, we catch the ElasticsearchException that the Hasher class re-throws and throw an appropriate UserException. Tests are missing because it's not trivial to set CI in fips approved mode right now, and thus any tests would need to be muted. There is a parallel effort in #64024 to enable that and tests will be added in a followup.
…sic. All the tests that require basic license are already muted in fips mode so they won't be affected
…sions that can be run in a correctly configured FIPS 140-2 JVM and we are lacking granural control of which bwc versions can be used
…tores so that these can be run in fips mode
…d of keystores so that these can be run in fips mode
This was referenced Dec 23, 2020
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Dec 29, 2020
As of elastic#64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Resolves: elastic#66845
tvernum
added a commit
that referenced
this pull request
Dec 30, 2020
As of #64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Resolves: #66845
tvernum
added a commit
to tvernum/elasticsearch
that referenced
this pull request
Dec 31, 2020
As of elastic#64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Backport of: elastic#66846
ywangd
pushed a commit
that referenced
this pull request
Jan 4, 2021
As of #64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Backport of: #66846
ywangd
pushed a commit
to ywangd/elasticsearch
that referenced
this pull request
Jan 4, 2021
As of elastic#64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Backport of: elastic#66846
ywangd
added a commit
that referenced
this pull request
Jan 4, 2021
As of #64024 we run FIPS CI on a true, FIPS approved only mode JVM. This mandates that any passwords that are fed into PBKDF2 must have at least 112 bits of entropy (that is, be 14 characters long). This commit updates our Keystore CLI tests so that tests either: 1. Use a 14+ character password when in FIPS mode, _or_ 2. Are skipped on FIPS mode (because they explicitly test empty passwords) Backport of: #66846 Co-authored-by: Tim Vernum <tim.vernum@elastic.co>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
We were depending on the BouncyCastle FIPS own mechanics to set
itself in approved only mode since we run with the Security
Manager enabled. The check during startup seems to happen before we
set our restrictive SecurityManager though in
org.elasticsearch.bootstrap.Elasticsearch , and this means that
BCFIPS would not be in approved only mode, unless explicitly
configured so.
This commit sets the appropriate JVM property to explicitly set
BCFIPS in approved only mode in CI and adds tests to ensure that we
will be running with BCFIPS in approved only mode when we expect to.
It also sets
xpack.security.fips_mode.enabledto true for all test clustersused in fips mode and sets the distribution to the default one. It adds a
password to the elasticsearch keystore for all test clusters that run in fips
mode.
Moreover, it changes a few unit tests where we would use bcrypt even in
FIPS 140 mode. These would still pass since we are bundling our own
bcrypt implementation, but are now changed to use FIPS 140 approved
algorithms instead for better coverage.
It also addresses a number of tests that would fail in approved only mode
Mainly:
Tests that use PBKDF2 with a password less than 112 bits (14char). We
elected to change the passwords used everywhere to be at least 14
characters long instead of mandating
the use of
pbkdf2_stretchbecause bothpbkdf2andpbkdf2_stretchare supported and allowed in fips mode and it makes senseto test with both. We could possibly figure out the password algorithm used
for each test and adjust password length accordingly only for
pbkdf2butthere is little value in that. It's good practice to use strong passwords so if
our docs and tests use longer passwords, then it's for the best. The approach
is brittle as there is no guarantee that the next test that will be added won't
use a short password, so we add some testing documentation too.
This leaves us with a possible coverage gap since we do support passwords
as short as 6 characters but we only test with > 14 chars but the
validation itself was not tested even before. Tests can be added in a followup,
outside of fips related context.
Tests that use a PKCS12 keystore and were not already muted.
Tests that depend on running test clusters with a basic license or
using the OSS distribution as FIPS 140 support is not available in
neither of these.
Finally, it adds some information around FIPS 140 testing in our testing
documentation reference so that developers can hopefully keep in
mind fips 140 related intricacies when writing/changing docs.