From 3a452faba2e89d8ff8f9c656a7c861f69d5e2ac6 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Mon, 27 Oct 2025 11:13:17 +0000
Subject: [PATCH 1/7] Add security provider earlier in the bootstrap process
Signed-off-by: Terry Quigley
---
 .../security/OpenSearchSecurityPlugin.java | 11 -----------
 .../security/ssl/OpenSearchSecuritySSLPlugin.java | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index aebab74557..738e01f59a 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -2441,17 +2441,6 @@ public Optional getSecureSettingFactory(Settings settings
 );
 }
- @SuppressWarnings("removal")
- private void tryAddSecurityProvider() {
- AccessController.doPrivileged((PrivilegedAction) () -> {
- if (Security.getProvider("BCFIPS") == null) {
- Security.addProvider(new BouncyCastleFipsProvider());
- log.debug("Bouncy Castle FIPS Provider added");
- }
- return null;
- });
- }
-
 // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
 @Override
 public void loadExtensions(ExtensionLoader loader) {
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 003f8d7198..08a34c876d 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -35,6 +36,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
 import org.opensearch.Version;
@@ -256,6 +258,8 @@ public Object run() {
 log.error("SSL not activated for http and/or transport.");
 }
+ tryAddSecurityProvider();
+
 this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
 }
@@ -772,4 +776,15 @@ protected Settings migrateSettings(Settings settings) {
 public ThreadPool getThreadPool() {
 return this.threadPool;
 }
+
+ @SuppressWarnings("removal")
+ protected void tryAddSecurityProvider() {
+ AccessController.doPrivileged((PrivilegedAction) () -> {
+ if (Security.getProvider("BCFIPS") == null) {
+ Security.addProvider(new BouncyCastleFipsProvider());
+ log.debug("Bouncy Castle FIPS Provider added");
+ }
+ return null;
+ });
+ }
 }
From d3a9f1e058f78a6e78749c2b8ff48d2920b114bc Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Mon, 27 Oct 2025 11:20:33 +0000
Subject: [PATCH 2/7] spotless
Signed-off-by: Terry Quigley
---
 .../java/org/opensearch/security/OpenSearchSecurityPlugin.java | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 738e01f59a..41e4ef6410 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
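Review bot: The ordering that this move establishes — `tryAddSecurityProvider()` immediately before `new SslSettingsManager(...)` — is the reason for the whole series, yet nothing at the call site records it, so a later refactor could reorder the two statements without any signal; the enclosing block also begins outside the hunk. A one-line comment above the call, e.g. `// Keep before SslSettingsManager construction: presumably so the BCFIPS provider is already registered when SSL settings are processed`, would pin the dependency down (the "presumably" should be replaced with the actual reason the author knows). If this code still sits inside the `public Object run()` named in the hunk header, i.e. an outer privileged action, then the nested `doPrivileged` inside `tryAddSecurityProvider` is redundant on this path, which is worth a word in the same comment.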
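Review bot: The new `tryAddSecurityProvider` has no Javadoc, and its one non-obvious property is that `Security.addProvider` appends BCFIPS at the lowest preference position, so the provider only serves requests that name it explicitly or that no earlier provider can satisfy; a Javadoc such as `/** Registers the Bouncy Castle FIPS provider JVM-wide at lowest preference unless a provider named "BCFIPS" is already installed. Safe to call repeatedly; intended to run once during plugin construction. */` would record that for the next maintainer. The `getProvider` check and the `addProvider` call are not atomic and the return value of `addProvider` is dropped, so a concurrent registration (which makes it return -1) is indistinguishable from success; `int position = Security.addProvider(new BouncyCastleFipsProvider());` with `position` included in the log line would make it visible. Because this is a process-global change that operators of a FIPS deployment will want to confirm from the logs, `log.info` rather than `log.debug` seems the more useful level for the success message.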
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 import org.opensearch.OpenSearchException;
From 2f9a09ba8eaf6ae9461e157b64af899de087805a Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Mon, 27 Oct 2025 11:28:01 +0000
Subject: [PATCH 3/7] spotless
Signed-off-by: Terry Quigley
---
 .../opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 08a34c876d..cb7729e6af 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -35,8 +35,8 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
+
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
 import org.opensearch.Version;
From 9a9a8122f6212eb13ca156064641236e6c631306 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Tue, 28 Oct 2025 10:39:34 +0000
Subject: [PATCH 4/7] Add changelog entry
Signed-off-by: Terry Quigley
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1153cf2925..76ec73ea23 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - [Resource Sharing] Make migrate api require default access level to be supplied and updates documentations + tests ([#5717](https://github.com/opensearch-project/security/pull/5717))
 - [Resource Sharing] Removes share and revoke java APIs ([#5718](https://github.com/opensearch-project/security/pull/5718))
 - Fix build failure in SecurityFilterTests ([#5736](https://github.com/opensearch-project/security/pull/5736))
+- Add security provider earlier in bootstrap process ([#5749](https://github.com/opensearch-project/security/pull/5749))
 ### Maintenance
 - Bump `org.junit.jupiter:junit-jupiter` from 5.13.4 to 5.14.0 ([#5678](https://github.com/opensearch-project/security/pull/5678))
From bf4226c57a485cb8af282dfebda437b79bb9a09b Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Tue, 28 Oct 2025 11:19:09 +0000
Subject: [PATCH 5/7] address merge issue
Signed-off-by: Terry Quigley
---
 .../opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 2fbe319771..4841e7c04b 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -18,8 +18,6 @@
 package org.opensearch.security.ssl;
 import java.nio.file.Path;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -756,7 +754,7 @@ public ThreadPool getThreadPool() {
 @SuppressWarnings("removal")
 protected void tryAddSecurityProvider() {
- AccessController.doPrivileged((PrivilegedAction) () -> {
+ AccessController.doPrivileged(() -> {
 if (Security.getProvider("BCFIPS") == null) {
 Security.addProvider(new BouncyCastleFipsProvider());
 log.debug("Bouncy Castle FIPS Provider added");
From 7d21db99b4cf0a8432c4870660feb1d65f5349cf Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Tue, 28 Oct 2025 14:58:36 +0000
Subject: [PATCH 6/7] remove warning suppression
Signed-off-by: Terry Quigley
---
 .../org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 4841e7c04b..bb274d811d 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -752,7 +752,6 @@ public ThreadPool getThreadPool() {
 return this.threadPool;
 }
- @SuppressWarnings("removal")
 protected void tryAddSecurityProvider() {
 AccessController.doPrivileged(() -> {
 if (Security.getProvider("BCFIPS") == null) {
From 22c9cfefbcbb41b17ed232a221e8798729465eb8 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Wed, 29 Oct 2025 16:27:55 +0000
Subject: [PATCH 7/7] reduce number of calls
Signed-off-by: Terry Quigley
---
 .../java/org/opensearch/security/OpenSearchSecurityPlugin.java | 2 --
 .../opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index 99cd04023b..2fcc8b3d9e 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
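Review bot: Since this patch's first hunk removes the `java.security.AccessController` and `PrivilegedAction` imports, the unqualified `AccessController` on the `+` line must now resolve to some other `AccessController` type imported elsewhere in this file, outside the hunk, presumably a framework-provided replacement whose `doPrivileged` accepts a plain no-argument lambda. That is easy to misread as the JDK class, and the next person to see the `doPrivileged(() -> …)` shape may "fix" it by re-adding the removed import; a short comment on this line, e.g. `// AccessController here is the one imported at the top of this file, not java.security.AccessController`, would prevent that. The body of `tryAddSecurityProvider` continues past the end of the hunk.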
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -432,8 +432,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
 demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
- tryAddSecurityProvider();
-
 final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
 if (settings.hasValue(advancedModulesEnabledKey)) {
 deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index bb274d811d..dcb0279417 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -752,7 +752,7 @@ public ThreadPool getThreadPool() {
 return this.threadPool;
 }
- protected void tryAddSecurityProvider() {
+ private void tryAddSecurityProvider() {
 AccessController.doPrivileged(() -> {
 if (Security.getProvider("BCFIPS") == null) {
 Security.addProvider(new BouncyCastleFipsProvider());