Commit 2fac622

cwperksterryquigleysasDarshitChanpura
authored
[Backport 3.3] Add security provider earlier in bootstrap process (#5749) (#5756)
Signed-off-by: Terry Quigley <[email protected]> Signed-off-by: Terry Quigley <[email protected]> Signed-off-by: Craig Perkins <[email protected]> Co-authored-by: Terry Quigley <[email protected]> Co-authored-by: Darshit Chanpura <[email protected]>
1 parent 5613fa1 commit 2fac622

2 files changed

+15
-15
lines changed

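--- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
+++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 
 import org.opensearch.OpenSearchException;
@@ -429,8 +427,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
 demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
 demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
 
-tryAddSecurityProvider();
-
 final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
 if (settings.hasValue(advancedModulesEnabledKey)) {
 deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -2460,17 +2456,6 @@ public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings
 );
 }
 
-@SuppressWarnings("removal")
-private void tryAddSecurityProvider() {
-AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
-if (Security.getProvider("BCFIPS") == null) {
-Security.addProvider(new BouncyCastleFipsProvider());
-log.debug("Bouncy Castle FIPS Provider added");
-}
-return null;
-});
-}
-
 // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
 @Override
 public void loadExtensions(ExtensionLoader loader) {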

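--- a/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
+++ b/src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java
@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
@@ -256,6 +258,8 @@ public Object run() {
 log.error("SSL not activated for http and/or transport.");
 }
 
+tryAddSecurityProvider();
+
 this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
 }
 
@@ -772,4 +776,15 @@ protected Settings migrateSettings(Settings settings) {
 public ThreadPool getThreadPool() {
 return this.threadPool;
 }
+
+@SuppressWarnings("removal")
+private void tryAddSecurityProvider() {
+AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+if (Security.getProvider("BCFIPS") == null) {
+Security.addProvider(new BouncyCastleFipsProvider());
+log.debug("Bouncy Castle FIPS Provider added");
+}
+return null;
+});
+}
 }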
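Review bot: The return value of `Security.addProvider(...)` in the new `tryAddSecurityProvider()` (new lines 780-789) is discarded, so the debug line reports success without recording where BCFIPS landed in the JVM-wide provider list. `addProvider` appends at the lowest preference, so any JCA lookup that does not name "BCFIPS" explicitly still resolves to an earlier-registered provider; if the `SslSettingsManager` built right after the call at new line 261 is meant to prefer BCFIPS, that needs `Security.insertProviderAt` or explicit provider names, and the hunk does not show which is intended. I would capture the position with `final int position = Security.addProvider(new BouncyCastleFipsProvider());` and log it with `log.debug("Bouncy Castle FIPS Provider added at position {}", position);`. A short Javadoc on the method should also say that the registration is process-global and has to run before `SslSettingsManager` is constructed. The constructor body before new line 258 is outside the hunk, so any earlier code or early-return path there still runs without the provider registered.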
