From 8df05d6ab65eddf94d5975ea436fdb2220fad38f Mon Sep 17 00:00:00 2001
From: Terry Quigley <77437788+terryquigleysas@users.noreply.github.com>
Date: Wed, 29 Oct 2025 17:55:26 +0000
Subject: [PATCH 1/3] Add security provider earlier in bootstrap process (#5749)

Signed-off-by: Terry Quigley
Signed-off-by: Terry Quigley <77437788+terryquigleysas@users.noreply.github.com>
(cherry picked from commit 6f2b39a6bfd826622289afd4c3728adcc4bcfa49)
---
 .../security/OpenSearchSecurityPlugin.java | 15 ---------------
 .../security/ssl/OpenSearchSecuritySSLPlugin.java | 14 ++++++++++++++
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
index d380f0baa8..23e12f567e 100644
--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 
 import org.opensearch.OpenSearchException;
@@ -429,8 +427,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
         demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
         demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
 
-        tryAddSecurityProvider();
-
         final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
         if (settings.hasValue(advancedModulesEnabledKey)) {
             deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -2460,17 +2456,6 @@ public Optional getSecureSettingFactory(Settings settings
         );
     }
 
-    @SuppressWarnings("removal")
-    private void tryAddSecurityProvider() {
-        AccessController.doPrivileged((PrivilegedAction) () -> {
-            if (Security.getProvider("BCFIPS") == null) {
-                Security.addProvider(new BouncyCastleFipsProvider());
-                log.debug("Bouncy Castle FIPS Provider added");
-            }
-            return null;
-        });
-    }
-
     // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
     @Override
     public void loadExtensions(ExtensionLoader loader) {
diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index 003f8d7198..ddb880011b 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
@@ -256,6 +258,8 @@ public Object run() {
             log.error("SSL not activated for http and/or transport.");
         }
 
+        tryAddSecurityProvider();
+
         this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
     }
 
@@ -772,4 +776,14 @@ protected Settings migrateSettings(Settings settings) {
     public ThreadPool getThreadPool() {
         return this.threadPool;
     }
+
+    private void tryAddSecurityProvider() {
+        AccessController.doPrivileged(() -> {
+            if (Security.getProvider("BCFIPS") == null) {
+                Security.addProvider(new BouncyCastleFipsProvider());
+                log.debug("Bouncy Castle FIPS Provider added");
+            }
+            return null;
+        });
+    }
 }

From 0f94231b5975599efce5826b5aa44359ba2486f5 Mon Sep 17 00:00:00 2001
From: Craig Perkins
Date: Wed, 29 Oct 2025 14:05:15 -0400
Subject: [PATCH 2/3] Add SuppressWarnings

Signed-off-by: Craig Perkins
---
 .../org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index ddb880011b..c6b917aaa9 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -777,6 +777,7 @@ public ThreadPool getThreadPool() {
         return this.threadPool;
     }
 
+    @SuppressWarnings("removal")
     private void tryAddSecurityProvider() {
         AccessController.doPrivileged(() -> {
             if (Security.getProvider("BCFIPS") == null) {
From c8af863ddf64bc8dcbd6365bd99a7355ec5526d4 Mon Sep 17 00:00:00 2001
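Review bot: The added `tryAddSecurityProvider();` in the `@@ -256` hunk carries no comment on why it must run before `new SslSettingsManager(...)`, yet that ordering is the whole point of the patch and nothing stops a later refactor from moving it back down. I would annotate it: `// Must precede SslSettingsManager: presumably it resolves BCFIPS-backed stores/algorithms that are unavailable until the provider is registered (confirm)`. Be aware that `Security.addProvider` appends at lowest preference, so unqualified `SSLContext.getInstance("TLS")` / `KeyStore.getInstance(...)` lookups still resolve to the JDK providers and only requests that name BCFIPS are served by it; this call alone does not put the node into FIPS-only operation. The enclosing constructor starts and ends outside the hunk.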
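Review bot: The new `tryAddSecurityProvider` in the `@@ -772` hunk has no Javadoc, and its check-then-add is not atomic: if another plugin or thread registers BCFIPS between `Security.getProvider("BCFIPS")` and `Security.addProvider(...)`, the add returns -1 (already installed) while the debug line still claims the provider was added. Keying the log on the return value closes that gap cheaply, `if (Security.getProvider("BCFIPS") == null && Security.addProvider(new BouncyCastleFipsProvider()) != -1) {`, and the pre-check is worth keeping because instantiating the FIPS provider is presumably not free. Document the contract too, e.g. `/** Idempotently registers the Bouncy Castle FIPS JCA provider at lowest preference; runs privileged because Security.addProvider needs SecurityPermission("insertProvider") under a SecurityManager. */`, and confirm the plugin's security policy actually grants that permission, which is not visible here.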
From: Craig Perkins
Date: Wed, 29 Oct 2025 14:12:52 -0400
Subject: [PATCH 3/3] disambiguate

Signed-off-by: Craig Perkins
---
 .../opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
index c6b917aaa9..89e8003ed1 100644
--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -779,7 +779,7 @@ public ThreadPool getThreadPool() {
 
     @SuppressWarnings("removal")
     private void tryAddSecurityProvider() {
-        AccessController.doPrivileged(() -> {
+        AccessController.doPrivileged((PrivilegedAction) () -> {
             if (Security.getProvider("BCFIPS") == null) {
                 Security.addProvider(new BouncyCastleFipsProvider());
                 log.debug("Bouncy Castle FIPS Provider added");
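Review bot: The changed line resolves the doPrivileged overload with a raw `(PrivilegedAction)` cast, which trades the ambiguity error for a rawtypes/unchecked warning and an `Object`-typed return; `AccessController.doPrivileged((PrivilegedAction<Void>) () -> {` disambiguates just as well without the raw type, since the lambda returns null and throws no checked exception so PrivilegedExceptionAction is the only other candidate. If an inline cast reads awkwardly, a local `PrivilegedAction<Void> addProvider = () -> { ... };` handed to `doPrivileged(addProvider)` is clearer still. The method's closing lines fall outside the hunk.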