mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-09 22:45:04 +00:00
475752be75
This change makes the process of verifying the signature of official plugins FIPS 140 compliant by defaulting to use the BouncyCastle FIPS provider and adding a dependency to bcpg-fips that implement parts of openPGP in a FIPS compliant manner. In already FIPS 140 enabled environments that use the BouncyCastle FIPS provider, the bcfips dependency is redundant but doesn't cause an issue as it will be added only in the classpath of the cli-tools This is a backport of #44224
73 lines
2.9 KiB
Groovy
73 lines
2.9 KiB
Groovy
/*
|
|
* Licensed to Elasticsearch under one or more contributor
|
|
* license agreements. See the NOTICE file distributed with
|
|
* this work for additional information regarding copyright
|
|
* ownership. Elasticsearch licenses this file to you under
|
|
* the Apache License, Version 2.0 (the "License"); you may
|
|
* not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing,
|
|
* software distributed under the License is distributed on an
|
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
* KIND, either express or implied. See the License for the
|
|
* specific language governing permissions and limitations
|
|
* under the License.
|
|
*/
|
|
|
|
apply plugin: 'elasticsearch.build'
|
|
|
|
archivesBaseName = 'elasticsearch-plugin-cli'
|
|
|
|
dependencies {
|
|
compileOnly project(":server")
|
|
compileOnly project(":libs:elasticsearch-cli")
|
|
compile "org.bouncycastle:bcpg-fips:1.0.3"
|
|
compile "org.bouncycastle:bc-fips:1.0.1"
|
|
testCompile project(":test:framework")
|
|
testCompile 'com.google.jimfs:jimfs:1.1'
|
|
testCompile 'com.google.guava:guava:18.0'
|
|
}
|
|
|
|
dependencyLicenses {
|
|
mapping from: /bc.*/, to: 'bouncycastle'
|
|
}
|
|
|
|
test {
|
|
// TODO: find a way to add permissions for the tests in this module
|
|
systemProperty 'tests.security.manager', 'false'
|
|
}
|
|
|
|
thirdPartyAudit.onlyIf {
|
|
// FIPS JVM includes manny classes from bouncycastle which count as jar hell for the third party audit,
|
|
// rather than provide a long list of exclusions, disable the check on FIPS.
|
|
project.inFipsJvm == false
|
|
}
|
|
|
|
/*
|
|
* these two classes intentionally use the following JDK internal APIs in order to offer the necessary
|
|
* functionality
|
|
*
|
|
* sun.security.internal.spec.TlsKeyMaterialParameterSpec
|
|
* sun.security.internal.spec.TlsKeyMaterialSpec
|
|
* sun.security.internal.spec.TlsMasterSecretParameterSpec
|
|
* sun.security.internal.spec.TlsPrfParameterSpec
|
|
* sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec
|
|
* sun.security.provider.SecureRandom
|
|
*
|
|
*/
|
|
thirdPartyAudit.ignoreViolations(
|
|
'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
|
|
'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2'
|
|
)
|