[Backport 3.3] Add security provider earlier in bootstrap process (#5749) (#5756)

Signed-off-by: Terry Quigley <[email protected]>
Signed-off-by: Terry Quigley <[email protected]>
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Terry Quigley <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>

Author: 3 people

src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java

@@ -37,7 +37,6 @@
 import java.security.AccessController;
 import java.security.MessageDigest;
 import java.security.PrivilegedAction;
-import java.security.Security;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -65,7 +64,6 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
-import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.bouncycastle.util.encoders.Hex;
 
 import org.opensearch.OpenSearchException;
@@ -429,8 +427,6 @@ public OpenSearchSecurityPlugin(final Settings settings, final Path configPath)
         demoCertHashes.add("ba9c5a61065f7f6115188128ffbdaa18fca34562b78b811f082439e2bef1d282"); // esnode-key
         demoCertHashes.add("bcd708e8dc707ae065f7ad8582979764b497f062e273d478054ab2f49c5469c6"); // root-ca
 
-        tryAddSecurityProvider();
-
         final String advancedModulesEnabledKey = ConfigConstants.SECURITY_ADVANCED_MODULES_ENABLED;
         if (settings.hasValue(advancedModulesEnabledKey)) {
             deprecationLogger.deprecate("Setting {} is ignored.", advancedModulesEnabledKey);
@@ -2460,17 +2456,6 @@ public Optional<SecureSettingsFactory> getSecureSettingFactory(Settings settings
         );
     }
 
-    @SuppressWarnings("removal")
-    private void tryAddSecurityProvider() {
-        AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
-            if (Security.getProvider("BCFIPS") == null) {
-                Security.addProvider(new BouncyCastleFipsProvider());
-                log.debug("Bouncy Castle FIPS Provider added");
-            }
-            return null;
-        });
-    }
-
     // CS-SUPPRESS-SINGLE: RegexpSingleline get Resource Sharing Extensions
     @Override
     public void loadExtensions(ExtensionLoader loader) {

src/main/java/org/opensearch/security/ssl/OpenSearchSecuritySSLPlugin.java

@@ -20,6 +20,7 @@
 import java.nio.file.Path;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.Security;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -34,6 +35,7 @@
 import com.fasterxml.jackson.databind.InjectableValues;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.SpecialPermission;
@@ -256,6 +258,8 @@ public Object run() {
             log.error("SSL not activated for http and/or transport.");
         }
 
+        tryAddSecurityProvider();
+
         this.sslSettingsManager = new SslSettingsManager(new Environment(settings, configPath));
     }
 
@@ -772,4 +776,15 @@ protected Settings migrateSettings(Settings settings) {
     public ThreadPool getThreadPool() {
         return this.threadPool;
     }
+
+    @SuppressWarnings("removal")
+    private void tryAddSecurityProvider() {
+        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+            if (Security.getProvider("BCFIPS") == null) {
+                Security.addProvider(new BouncyCastleFipsProvider());
+                log.debug("Bouncy Castle FIPS Provider added");
+            }
+            return null;
+        });
+    }
 }