remove BC libs from 'libs:common'; revert SecureRandomHolder

buildSrc/src/main/java/org/opensearch/gradle/info/GlobalBuildInfoPlugin.java

@@ -114,7 +114,7 @@ public void apply(Project project) {
             // Initialize global build parameters
             boolean isInternal = GlobalBuildInfoPlugin.class.getResource("/buildSrc.marker") != null;
             var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-            var inFipsJvm = cryptoStandard != null && cryptoStandard.equals("FIPS-140-3");
+            var inFipsJvm = "FIPS-140-3".equals(cryptoStandard);
 
             params.reset();
             params.setRuntimeJavaHome(runtimeJavaHome);

buildSrc/src/main/resources/forbidden/jdk-signatures.txt

@@ -37,7 +37,7 @@ java.nio.file.Path#toFile()
 java.nio.file.Files#createTempDirectory(java.lang.String,java.nio.file.attribute.FileAttribute[])
 java.nio.file.Files#createTempFile(java.lang.String,java.lang.String,java.nio.file.attribute.FileAttribute[])
 
-@defaultMessage Use org.opensearch.common.crypto.KeyStoreFactory instead of java.security.KeyStore
+@defaultMessage Use org.opensearch.common.ssl.KeyStoreFactory instead of java.security.KeyStore
 java.security.KeyStore#getInstance(java.lang.String)
 java.security.KeyStore#getInstance(java.lang.String,java.lang.String)
 java.security.KeyStore#getInstance(java.lang.String,java.security.Provider)

client/rest/build.gradle

@@ -51,16 +51,15 @@ dependencies {
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "org.slf4j:slf4j-api:${versions.slf4j}"
-  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   api "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
-  api "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
+
 
   // reactor
   api "io.projectreactor:reactor-core:${versions.reactor}"
   api "org.reactivestreams:reactive-streams:${versions.reactivestreams}"
 
   testImplementation project(":client:test")
-  testImplementation project(':libs:opensearch-common')
+  testImplementation project(':libs:opensearch-ssl-config')
   testImplementation "com.carrotsearch.randomizedtesting:randomizedtesting-runner:${versions.randomizedrunner}"
   testImplementation "junit:junit:${versions.junit}"
   testImplementation "org.hamcrest:hamcrest:${versions.hamcrest}"
@@ -72,7 +71,6 @@ dependencies {
   testImplementation "org.apache.logging.log4j:log4j-core:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
   testImplementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"
-  testImplementation "commons-io:commons-io:${versions.commonsio}"
 }
 
 tasks.named("dependencyLicenses").configure {
@@ -143,7 +141,70 @@ thirdPartyAudit {
       'io.micrometer.core.instrument.composite.CompositeMeterRegistry',
       'io.micrometer.core.instrument.search.Search',
       'reactor.blockhound.BlockHound$Builder',
-      'reactor.blockhound.integration.BlockHoundIntegration'
+      'reactor.blockhound.integration.BlockHoundIntegration',
+      'org.bouncycastle.asn1.ASN1Encodable',
+      'org.bouncycastle.asn1.ASN1InputStream',
+      'org.bouncycastle.asn1.ASN1Integer',
+      'org.bouncycastle.asn1.ASN1Object',
+      'org.bouncycastle.asn1.ASN1ObjectIdentifier',
+      'org.bouncycastle.asn1.ASN1OctetString',
+      'org.bouncycastle.asn1.ASN1Primitive',
+      'org.bouncycastle.asn1.ASN1Sequence',
+      'org.bouncycastle.asn1.ASN1String',
+      'org.bouncycastle.asn1.DERBitString',
+      'org.bouncycastle.asn1.DERNull',
+      'org.bouncycastle.asn1.bsi.BSIObjectIdentifiers',
+      'org.bouncycastle.asn1.cms.GCMParameters',
+      'org.bouncycastle.asn1.eac.EACObjectIdentifiers',
+      'org.bouncycastle.asn1.edec.EdECObjectIdentifiers',
+      'org.bouncycastle.asn1.nist.NISTObjectIdentifiers',
+      'org.bouncycastle.asn1.ocsp.OCSPResponse',
+      'org.bouncycastle.asn1.ocsp.ResponderID',
+      'org.bouncycastle.asn1.oiw.OIWObjectIdentifiers',
+      'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers',
+      'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
+      'org.bouncycastle.asn1.pkcs.RSASSAPSSparams',
+      'org.bouncycastle.asn1.rosstandart.RosstandartObjectIdentifiers',
+      'org.bouncycastle.asn1.x500.AttributeTypeAndValue',
+      'org.bouncycastle.asn1.x500.RDN',
+      'org.bouncycastle.asn1.x500.X500Name',
+      'org.bouncycastle.asn1.x500.style.BCStyle',
+      'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
+      'org.bouncycastle.asn1.x509.Certificate',
+      'org.bouncycastle.asn1.x509.DigestInfo',
+      'org.bouncycastle.asn1.x509.Extensions',
+      'org.bouncycastle.asn1.x509.KeyPurposeId',
+      'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
+      'org.bouncycastle.asn1.x509.X509ObjectIdentifiers',
+      'org.bouncycastle.asn1.x9.ECNamedCurveTable',
+      'org.bouncycastle.asn1.x9.X9ObjectIdentifiers',
+      'org.bouncycastle.crypto.KDFCalculator',
+      'org.bouncycastle.crypto.fips.FipsDRBG',
+      'org.bouncycastle.crypto.fips.FipsDRBG$Base',
+      'org.bouncycastle.crypto.fips.FipsDRBG$Builder',
+      'org.bouncycastle.crypto.fips.FipsKDF',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSOperatorFactory',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSPRF',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSParametersBuilder',
+      'org.bouncycastle.crypto.fips.FipsKDF$TLSParametersWithPRFBuilder',
+      'org.bouncycastle.crypto.fips.FipsNonceGenerator',
+      'org.bouncycastle.crypto.fips.FipsSecureRandom',
+      'org.bouncycastle.jcajce.io.OutputStreamFactory',
+      'org.bouncycastle.jcajce.spec.DHDomainParameterSpec',
+      'org.bouncycastle.jcajce.util.JcaJceHelper',
+      'org.bouncycastle.math.ec.ECCurve',
+      'org.bouncycastle.math.ec.ECFieldElement',
+      'org.bouncycastle.math.ec.ECPoint',
+      'org.bouncycastle.util.Arrays',
+      'org.bouncycastle.util.BigIntegers',
+      'org.bouncycastle.util.IPAddress',
+      'org.bouncycastle.util.Integers',
+      'org.bouncycastle.util.Pack',
+      'org.bouncycastle.util.Shorts',
+      'org.bouncycastle.util.Strings',
+      'org.bouncycastle.util.Times',
+      'org.bouncycastle.util.encoders.Hex',
+      'org.bouncycastle.util.io.Streams'
    )
    ignoreViolations(
       'reactor.core.publisher.Traces$SharedSecretsCallSiteSupplierFactory$TracingException'

client/rest/licenses/bctls-fips-2.0.19.jar.sha1

@@ -1 +1 @@
-9cc33650ede63bc1a8281ed5c8e1da314d50bc76
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76

client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java

@@ -39,8 +39,8 @@
 
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 

client/rest/src/test/java/org/opensearch/client/documentation/RestClientDocumentation.java

@@ -67,7 +67,7 @@
 import org.opensearch.client.RestClient;
 import org.opensearch.client.RestClientBuilder;
 import org.opensearch.client.RestClientBuilder.HttpClientConfigCallback;
-import org.opensearch.common.crypto.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreFactory;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -85,7 +85,7 @@
 import java.util.Iterator;
 import java.util.concurrent.CountDownLatch;
 
-import static org.opensearch.common.crypto.KeyStoreType.PKCS_12;
+import static org.opensearch.common.ssl.KeyStoreType.PKCS_12;
 
 /**
  * This class is used to generate the Java low-level REST client documentation.

distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/AddFileKeyStoreCommandTests.java

@@ -94,8 +94,7 @@ public void testMissingCreateWithEmptyPasswordWithoutPromptIfForced() throws Exc
     }
 
     public void testMissingNoCreate() throws Exception {
-        var password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        var password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addTextInput("n"); // explicit no
         execute("foo");

distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/CreateKeyStoreCommandTests.java

@@ -57,8 +57,7 @@ protected Environment createEnv(Map<String, String> settings) throws UserExcepti
     }
 
     public void testNotMatchingPasswords() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput("notthekeystorepasswordyouarelookingfor");
         UserException e = expectThrows(UserException.class, () -> execute(randomFrom("-p", "--password")));
@@ -74,8 +73,7 @@ public void testDefaultNotPromptForPassword() throws Exception {
     }
 
     public void testPosix() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
         execute(randomFrom("-p", "--password"));
@@ -84,8 +82,7 @@ public void testPosix() throws Exception {
     }
 
     public void testNotPosix() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         terminal.addSecretInput(password);
         terminal.addSecretInput(password);
         env = setupEnv(false, fileSystems);
@@ -95,8 +92,7 @@ public void testNotPosix() throws Exception {
     }
 
     public void testOverwrite() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
 
         Path keystoreFile = KeyStoreWrapper.keystorePath(env.configDir());
         byte[] content = "not a keystore".getBytes(StandardCharsets.UTF_8);

distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/KeyStoreWrapperTests.java

@@ -39,8 +39,8 @@
 import org.apache.lucene.store.IndexOutput;
 import org.apache.lucene.store.NIOFSDirectory;
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
+import org.opensearch.common.ssl.KeyStoreFactory;
+import org.opensearch.common.ssl.KeyStoreType;
 import org.opensearch.common.util.io.IOUtils;
 import org.opensearch.core.common.settings.SecureString;
 import org.opensearch.env.Environment;

distribution/tools/keystore-cli/src/test/java/org/opensearch/common/settings/ListKeyStoreCommandTests.java

@@ -61,26 +61,23 @@ public void testMissing() throws Exception {
     }
 
     public void testEmpty() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password);
         terminal.addSecretInput(password);
         execute();
         assertEquals("keystore.seed\n", terminal.getOutput());
     }
 
     public void testOne() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password, "foo", "bar");
         terminal.addSecretInput(password);
         execute();
         assertEquals("foo\nkeystore.seed\n", terminal.getOutput());
     }
 
     public void testMultiple() throws Exception {
-        String password = randomFrom("", "keystorepassword");
-        assumeFalse("Can't use empty password in a FIPS JVM", inFipsJvm() && password.isEmpty());
+        String password = inFipsJvm() ? "keystorepassword" : randomFrom("", "keystorepassword");
         createKeystore(password, "foo", "1", "baz", "2", "bar", "3");
         terminal.addSecretInput(password);
         execute();

distribution/tools/launchers/src/main/java/org/opensearch/tools/launchers/SystemJvmOptions.java

@@ -94,7 +94,7 @@ static List<String> systemJvmOptions(final Path config, Runtime.Version runtimeV
 
     private static String enableFips() {
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
+        if (FIPS_140_3.equals(cryptoStandard)) {
             return "-Dorg.bouncycastle.fips.approved_only=true";
         }
         return "";
@@ -103,7 +103,7 @@ private static String enableFips() {
     private static String loadJavaSecurityProperties(final Path config) throws FileNotFoundException {
         String securityFile;
         var cryptoStandard = System.getenv(OPENSEARCH_CRYPTO_STANDARD);
-        if (cryptoStandard != null && cryptoStandard.equals(FIPS_140_3)) {
+        if (FIPS_140_3.equals(cryptoStandard)) {
             securityFile = "fips_java.security";
         } else {
             securityFile = "java.security";

libs/common/build.gradle

@@ -21,10 +21,6 @@ dependencies {
   // This dependency is used only by :libs:core for null-checking interop with other tools
   compileOnly "com.google.code.findbugs:jsr305:3.0.2"
 
-  compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
-  compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
-  api "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
-
   /*******
    *  !!!! NO THIRD PARTY DEPENDENCIES !!!!
    *******/
@@ -48,10 +44,6 @@ tasks.named('forbiddenApisMain').configure {
   replaceSignatureFiles 'jdk-signatures'
 }
 
-tasks.named("dependencyLicenses").configure {
-  mapping from: /bc.*/, to: 'bouncycastle'
-}
-
 // Add support for incubator modules on supported Java versions.
 if (BuildParams.runtimeJavaVersion >= JavaVersion.VERSION_20) {
   sourceSets {

libs/common/src/main/java/org/opensearch/common/SecureRandomHolder.java

@@ -32,8 +32,6 @@
 
 package org.opensearch.common;
 
-import org.bouncycastle.crypto.CryptoServicesRegistrar;
-
 import java.security.SecureRandom;
 
 /**
@@ -43,5 +41,5 @@
  */
 class SecureRandomHolder {
     // class loading is atomic - this is a lazy & safe singleton to be used by this package
-    public static final SecureRandom INSTANCE = CryptoServicesRegistrar.getSecureRandom();
+    public static final SecureRandom INSTANCE = new SecureRandom();
 }

libs/ssl-config/src/main/java/org/opensearch/common/ssl/DefaultJdkTrustConfig.java

@@ -33,8 +33,6 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;

libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreFactory.java → libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreFactory.java

@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.SuppressForbidden;
@@ -17,8 +17,8 @@
 import java.util.Objects;
 import java.util.stream.Collectors;
 
-import static org.opensearch.common.crypto.KeyStoreType.SECURE_KEYSTORE_TYPES;
-import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
+import static org.opensearch.common.ssl.KeyStoreType.SECURE_KEYSTORE_TYPES;
+import static org.opensearch.common.ssl.KeyStoreType.inferStoreType;
 
 /**
  * Restricts types of keystores to PKCS#11 and BCFKS when running in FIPS JVM.

libs/common/src/main/java/org/opensearch/common/crypto/KeyStoreType.java → libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreType.java

@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import java.util.HashMap;
 import java.util.List;

libs/ssl-config/src/main/java/org/opensearch/common/ssl/KeyStoreUtil.java

@@ -33,8 +33,6 @@
 package org.opensearch.common.ssl;
 
 import org.opensearch.common.Nullable;
-import org.opensearch.common.crypto.KeyStoreFactory;
-import org.opensearch.common.crypto.KeyStoreType;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;

libs/ssl-config/src/main/java/org/opensearch/common/ssl/SslConfigurationLoader.java

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.crypto.Cipher;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManagerFactory;
@@ -49,7 +47,7 @@
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
-import static org.opensearch.common.crypto.KeyStoreType.inferStoreType;
+import static org.opensearch.common.ssl.KeyStoreType.inferStoreType;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.opensearch.common.ssl.SslConfigurationKeys.CIPHERS;

libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreKeyConfig.java

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.X509ExtendedKeyManager;
 

libs/ssl-config/src/main/java/org/opensearch/common/ssl/StoreTrustConfig.java

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import org.opensearch.common.crypto.KeyStoreType;
-
 import javax.net.ssl.X509ExtendedTrustManager;
 
 import java.nio.file.Path;

libs/common/src/test/java/org/opensearch/common/crypto/KeyStoreFactoryTests.java → libs/ssl-config/src/test/java/org/opensearch/common/ssl/KeyStoreFactoryTests.java

@@ -6,7 +6,7 @@
  * compatible open source license.
  */
 
-package org.opensearch.common.crypto;
+package org.opensearch.common.ssl;
 
 import com.carrotsearch.randomizedtesting.generators.RandomStrings;