Make test-suite runnable under FIPS JVM

[beanuwave]

Description

Makes the required changes to build and test under FIPS-140-3 compliance support. FIPS mode can be activated by adding the -Pcrypto.standard=FIPS-140-3 Gradle parameter.

NOTE:

• This PR includes all remaining changes from the original PR#14912
• Due to the netty FIPS reflection bug in v4.1.125.Final and v4.1.126.Final, the :plugins:transport-reactor-netty4:test task will fail. To run properly, netty needs to be updated to a newer version, such as v4.1.127.Final. Not relevant after update to netty 4.2.7

Related Issues

Resolves RFC

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

• New Features

  • FIPS mode support: enforces FIPS-compliant keystore types, restricts TLS to FIPS‑approved protocols (TLSv1.3/TLSv1.2), and adds configurable truststore settings (path/type/password) for cloud clients.

• Tests

  • Expanded and reorganized FIPS-focused test suites across many modules; added FIPS variants and adjusted test gating to validate keystore and TLS behaviors.

• Documentation

  • Updated test resource READMEs with FIPS guidance and keystore conversion/setup instructions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[github-actions]

❌ Gradle check result for 9b5da5c: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 986dce7: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[terryquigleysas]

I'd like to raise a general point here to keep in mind with this development, especially as instructions will be required for Java setups other than the bundled version. The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12 - see https://docs.redhat.com/en/documentation/red_hat_build_of_openjdk/21/html/configuring_red_hat_build_of_openjdk_21_on_rhel_with_fips/fips_settings#fips_settings .

We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.

[github-actions]

❌ Gradle check result for 939e6b5: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 11da667: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 9a387a4: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 4e0af75: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 9efd838: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 4fc6b40: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0139eaa: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for f52e720: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[beanuwave]

The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12

@terryquigleysas Thank you for pointing out those limitations.

We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.

We rely on SunPKCS12 provider to load the JVM's default truststore. In case of OpenJKD the default type is the same as RHEL's - so nothing changes for us.

[terryquigleysas]

The Red Hat JDK 21, for example, has a default of fips.keystore.type: PKCS12

@terryquigleysas Thank you for pointing out those limitations.

We'd like to ensure that code checks aren't so stringent as to prevent this setup from working.

We rely on SunPKCS12 provider to load the JVM's default truststore. In case of OpenJKD the default type is the same as RHEL's - so nothing changes for us.

Good news. Thank you for the reply. Much appreciated!

[github-actions]

❌ Gradle check result for cb7949d: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0680de8: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 732e412: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0fc9331: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[reta]

@reta Happy Thanksgiving and thanks for all the thorough reviews - seriously appreciate it.

Happy Thanksgiving @beanuwave ! LGTM, thank you!

[github-actions]

❌ Gradle check result for 0fc9331: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0fc9331: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 0fc9331: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 0fc9331: SUCCESS

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslFipsTests.java (1)

23-35: Test behavior is correct; consider renaming to make FIPS failure explicit

The test logic looks solid: settings are wired as expected for verification_mode = NONE, the ReindexSslConfig construction is asserted to throw, and the message check matches the FIPS restriction on TrustEverythingConfig.

Two small nits you might consider:

• Rename the method to make the expected failure in FIPS mode clearer, e.g. testClientFailsWithVerificationDisabledInFipsMode or testClientWithVerificationDisabledIsRejectedInFipsMode. That will better reflect the assertion and align with the earlier review feedback on naming.
• If TestEnvironment.newEnvironment(settings) no longer throws IOException in this context, you could drop throws IOException from the method signature for a bit of cleanup (optional).

🧹 Nitpick comments (6)

libs/ssl-config/src/test/resources/certs/pem-utils/README.md (1)

223-223: Consider making the Bouncy Castle FIPS JAR path more flexible.

Line 223 hardcodes the jar filename as bc-fips-2.0.0.jar. If the Bouncy Castle FIPS version is updated or deployed differently, this path breaks silently or fails with an unclear error.

Consider using a glob pattern or a variable to discover the jar dynamically:

# Option 1: Use a variable at the top of the script
BC_FIPS_JAR="$LIB_PATH/bc-fips-*.jar"

# Then use it in keytool:
-providerpath "$BC_FIPS_JAR"

Or expand the setup section to validate the jar exists:

BC_FIPS_JAR="$LIB_PATH/bc-fips-2.0.0.jar"
if [ ! -f "$BC_FIPS_JAR" ]; then
    echo "Error: Bouncy Castle FIPS JAR not found at $BC_FIPS_JAR" >&2
    exit 1
fi

libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java (1)

112-131: Reload test logic is correct; minor naming nit

The reload test correctly:

• points StoreTrustConfig at a temp keystore path,
• cycles through existing file → missing file → corrupt file → multi‑CA file, and
• reuses the existing assertion helpers.

Only nit: the method name testTrustConfigReloadsKeysStoreContentsForP12Keystore has a small typo (“KeysStore” vs “KeyStore”). Consider renaming to testTrustConfigReloadsKeyStoreContentsForP12Keystore for consistency with JDK terminology.

modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java (1)

135-152: Exception unwrapping in failure test is brittle across SSL providers

Now that testClientFailsWithUntrustedCertificate is intended to run under multiple JVM/FIPS configurations, the fixed depth of getCause().getCause().getCause().getCause() is fairly fragile; different stacks may wrap the root cause with a different number of layers.

Consider walking the cause chain until you find a CertPathBuilderException (or using a shared helper if one exists) instead of assuming a fixed depth, and then assert on its type/message. This will make the test more resilient across providers without weakening the assertion.

plugins/discovery-gce/src/main/java/org/opensearch/cloud/gce/GceInstancesServiceImpl.java (1)

86-95: Reflection-based FIPS detection is sound, but logging suggestion should be reconsidered given OpenSearch's lack of official BC FIPS support.

Based on my research findings:

1. Reflection approach is correct: CryptoServicesRegistrar.isInApprovedOnlyMode() is a valid BC FIPS API that works as intended. The defensive exception handling is appropriate.

2. BC FIPS is not officially supported by OpenSearch: OpenSearch does not have built-in, documented BC FIPS integration. This code appears to be custom/experimental FIPS detection for the discovery-gce plugin.

3. Silent fallback is intentional and appropriate: Since BC FIPS is optional and not officially supported, silently returning false when reflection fails is the right behavior. Adding debug logging for an unsupported/optional feature may introduce noise without clear benefit.

4. No actual bugs in the code: The reflection pattern is defensive, thread-safe, and correctly invokes the BC FIPS API.

Recommendation: The logging suggestion should be marked as optional. If operators are explicitly testing FIPS mode with BC FIPS (unsupported), they can enable DEBUG logging on the entire plugin package to troubleshoot. Intrinsic debug logging for an optional, unsupported feature is not necessary.

distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapFipsTests.java (1)

34-35: Simplify passwordInput construction to avoid unnecessary copies.

new String("keystorepassword".toCharArray()) allocates extra objects without adding security value in a test. You can just use the literal:

-        String passwordInput = new String("keystorepassword".toCharArray()) + System.lineSeparator();
+        String passwordInput = "keystorepassword" + System.lineSeparator();

This is simpler and avoids redundant allocations while keeping the behavior identical.

modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java (1)

38-43: Static FIPS-aware constants look good; consider caching the FIPS flag.

This setup cleanly switches keystore type/extension and JSSE provider based on FipsMode.CHECK.isFipsEnabled(). To avoid evaluating the FIPS check three times and to make intent clearer, you could cache it once:

-    private static final String keyStoreType = FipsMode.CHECK.isFipsEnabled() ? "BCFKS" : "JKS";
-    private static final String fileExtension = FipsMode.CHECK.isFipsEnabled() ? ".bcfks" : ".jks";
-    private static final String provider = FipsMode.CHECK.isFipsEnabled() ? "BCJSSE" : "SunJSSE";
+    private static final boolean FIPS_ENABLED = FipsMode.CHECK.isFipsEnabled();
+    private static final String keyStoreType = FIPS_ENABLED ? "BCFKS" : "JKS";
+    private static final String fileExtension = FIPS_ENABLED ? ".bcfks" : ".jks";
+    private static final String provider = FIPS_ENABLED ? "BCJSSE" : "SunJSSE";

Purely optional, no functional change.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0fc9331 and 11e3c7a.

📒 Files selected for processing (8)

• distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapFipsTests.java (1 hunks)
• libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java (3 hunks)
• libs/ssl-config/src/test/resources/certs/pem-utils/README.md (1 hunks)
• modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslFipsTests.java (1 hunks)
• modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java (2 hunks)
• modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java (5 hunks)
• modules/transport-grpc/src/test/resources/README.md (1 hunks)
• plugins/discovery-gce/src/main/java/org/opensearch/cloud/gce/GceInstancesServiceImpl.java (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• modules/transport-grpc/src/test/resources/README.md

🧰 Additional context used

🧬 Code graph analysis (2)

distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapFipsTests.java (2)

server/src/main/java/org/opensearch/common/settings/KeyStoreWrapper.java (1)

• KeyStoreWrapper (100-702)

server/src/main/java/org/opensearch/bootstrap/Bootstrap.java (1)

• Bootstrap (89-495)

modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java (2)

server/src/main/java/org/opensearch/common/Randomness.java (1)

• Randomness (64-191)

test/framework/src/main/java/org/opensearch/fips/FipsMode.java (1)

• FipsMode (13-27)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: gradle-check
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: detect-breaking-change
• GitHub Check: Analyze (java)

🔇 Additional comments (16)

libs/ssl-config/src/test/java/org/opensearch/common/ssl/StoreTrustConfigTests.java (11)

56-60: Good extraction of shared keystore/password constants

Centralizing keystore types, passwords, and the default algorithm as protected constants is clean and makes subclassing (e.g., FIPS tests) straightforward. No issues seen here.

---

62-74: Constructors now consistently use shared keystore constants

Using P12_PASS/PKCS12 and JKS_PASS/JKS directly in these two happy‑path tests improves readability and removes string duplication. The behavior is unchanged and looks correct.

---

76-88: Randomizing keystore type for failure cases is reasonable

Switching to randomFrom(PKCS12, JKS) for the bad‑format and missing‑file tests is a nice way to exercise both keystore types over repeated runs, and the assertions (invalid format / file not found) are independent of the chosen type. This looks good.

---

91-103: Error‑path coverage for incorrect password and missing trust entries looks solid

These tests clearly differentiate:

• incorrect password for PKCS12, and
• missing trust entries in a JKS keystore,

and validate precise error messages. The use of shared constants keeps them easy to extend for FIPS subclasses. No changes suggested.

---

105-111: P12 missing‑entries case and shared assertion helper

Adding the P12 counterpart and delegating to assertMissingCertificateEntries ensures both keystore types see the same “missing entries” behavior. This is a good symmetry improvement.

---

133-142: Making assertCertificateChain protected aids reuse

Exposing this helper as protected is a clean way to let subclasses (e.g., FIPS‑specific tests) reuse the chain verification logic without duplication. Implementation remains straightforward and correct.

---

144-149: assertInvalidFileFormat matches expected failure contract

The helper asserts “cannot read”, “keystore”, and the absolute file path, which is a clear and stable contract for bad‑format errors. Elevating it to protected is appropriate for shared negative‑path tests.

---

151-157: assertFileNotFound behavior and messaging are well‑defined

Validating both the human‑readable message (“file does not exist”, “keystore”, path) and the absence of a cause keeps the error semantics precise. No issues here.

---

159-169: Password‑related helpers look consistent and precise

Both assertPasswordIsIncorrect and assertCannotCreatePasswordManager check for the key path plus specific message fragments. That gives good coverage for different password‑related failure modes without overfitting to full messages. Looks good as‑is.

---

171-176: assertNoCertificateEntries clearly targets empty truststores

The assertions on “does not contain any trusted certificate entries”, “truststore”, and the file path accurately describe the empty‑entries scenario and should be robust across keystore types.

---

178-182: assertMissingCertificateEntries complements the truststore helper well

This helper mirrors the “no certificate entries” message while being keyed on the provided path, which is useful for scenarios where the trust entries are missing from a given keystore. Implementation is consistent with the other helpers.

modules/reindex/src/test/java/org/opensearch/index/reindex/ReindexRestClientSslTests.java (2)

91-91: Secret length/comment looks appropriate for FIPS test coverage

The updated STRONG_PRIVATE_SECRET value and comment explicitly satisfying a ≥112‑bit strength requirement align with typical FIPS password/KEK constraints and should keep the PemKeyConfig / key‑passphrase paths usable in FIPS mode. No changes needed here.

---

170-183: Renamed verification‑disabled test is clear and FIPS‑agnostic

The rename to testClientWithVerificationDisabled plus running it unconditionally (no FIPS guard) keeps the behavior straightforward: when reindex.ssl.verification_mode=NONE, the client should still be able to establish a connection and receive 200. The assertions are simple and provider‑independent; this looks good.

distribution/tools/keystore-cli/src/test/java/org/opensearch/bootstrap/BootstrapFipsTests.java (1)

40-42: I encountered a repository cloning issue that prevents me from directly accessing the codebase. However, based on the review comment provided, I can still analyze the concern raised.

The review comment flags a legitimate security testing concern: using toString() for equality checks on SecureString objects may not validate the actual secret values if toString() is overridden to return a placeholder or length representation (a common security practice to avoid printing secrets).

Since I cannot access the actual SecureString implementation to definitively verify:

1. How toString() is implemented
2. Whether equals() is value-based
3. The actual test context and intent

I'll provide a rewritten review comment that reflects the inability to fully verify the concern while preserving its substance:

---

Verify the implementation of SecureString to determine if the equality check is testing the correct values.

The assertion compares toString() representations of SecureString objects:

assertEquals(seedAfterLoad.toString(), seed.toString());

This raises a concern: if SecureString.toString() is overridden to return a placeholder or length instead of the actual secret (a common security practice), this assertion may pass even when underlying values differ. Before proceeding:

• Check if SecureString provides a value-based equals() method; if so, use assertEquals(seedAfterLoad, seed) directly
• If SecureString exposes char/byte accessors (e.g., getChars()), use assertArrayEquals on those arrays instead
• Verify that the current assertion actually validates the seed value, not just the string representation

modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java (2)

121-123: Provider-specific SSLContext + Randomness.createSecure() is a solid FIPS-aware setup.

Using SSLContext.getInstance("TLS", provider) with provider switched between "BCJSSE" and "SunJSSE", plus Randomness.createSecure(), aligns well with the broader FIPS story (FIPS-aware RNG and JSSE provider). It also side-steps the earlier issue of explicitly listing non-FIPS protocols, since the provider enforces its own approved protocol set.

One operational caveat: this will now throw NoSuchProviderException if the expected provider isn’t registered when FipsMode.CHECK.isFipsEnabled() is true. That’s appropriate for a FIPS test, but it does mean CI/Jenkins FIPS jobs must ensure the matching JSSE provider is installed and enabled.

Please confirm that all FIPS JVM configurations used for the new -Pcrypto.standard=FIPS-140-3 runs have the expected JSSE provider registered under the name used here (provider), so these tests don’t fail with NoSuchProviderException.

---

82-108: I'll verify the concerns raised in this review comment by examining the call sites of these test helpers.
<function_calls>

#!/bin/bash

Check usages of the helpers to ensure keystorePath is passed without an extension.

rg -n "getTestKeyManagerFactory(" modules/transport-grpc/src/test/java
rg -n "getTestTrustManagerFactory(" modules/transport-grpc/src/test/java


</function_calls>

Now let me examine the actual call sites to see what arguments are being passed:
<function_calls>

#!/bin/bash

Find all test files that use these helpers

rg -l "getTestKeyManagerFactory|getTestTrustManagerFactory" modules/transport-grpc/src/test/java


</function_calls>

Let me get more context around these function calls:
<function_calls>

#!/bin/bash

Check usages with more context

rg -n -B2 -A2 "getTestKeyManagerFactory(" modules/transport-grpc/src/test/java
rg -n -B2 -A2 "getTestTrustManagerFactory(" modules/transport-grpc/src/test/java


</function_calls>

Let me also check what fileExtension is set to in the helper file:
<function_calls>

#!/bin/bash

Look at the SecureSettingsHelpers file to understand the fileExtension variable

cat -n modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java | head -30


</function_calls>

<function_calls>

#!/bin/bash

Get the full content of SecureSettingsHelpers.java

wc -l modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java


</function_calls>

<function_calls>

#!/bin/bash

Read the entire file

cat -n modules/transport-grpc/src/test/java/org/opensearch/transport/grpc/ssl/SecureSettingsHelpers.java


</function_calls>

[github-actions]

❌ Gradle check result for 11e3c7a: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 2a13ca1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for 92653c8: SUCCESS