elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

FIPS 140-2 validation fails when keystore type not explicitly set #91037

Open jkakavas opened 2 years ago

jkakavas commented 2 years ago

Elasticsearch Version

8.3

Installed Plugins

No response

Java Version

bundled

OS Version

N/A

Problem Description

FIPS 140-2 settings validation fails when the keystore type is not explicitly set to bcfks (or anything else for that matter).

Steps to Reproduce

In https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java#L1410, and only if the x.keystore.type is not explicitly set, we try to infer the type of the keystore ourselves using KeyStoreUtil.inferKeyStoreType. This, however, only differentiates between PKCS12 and JKS keystores by suffix name and cannot analyze a keystore to detect that it is in BCFIPS (or another) format.

This causes the validation to fail with a

JKS Keystores cannot be used in a FIPS 140 compliant JVM. Please revisit [setting.name:setting_value] settings;

message.

As mentioned, a workaround is to explicitly set the type to something (other than JKS), i.e.

x.y.z.keystore.type: BCFKS

Logs (if relevant)

No response
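The suffix-based inference described in the issue can be checked ahead of startup. The following is an added example, not Elasticsearch's own code: it assumes the inference recognises only `.p12`/`.pfx`/`.pkcs12` as PKCS12 and treats every other suffix as JKS, and flags any `*.keystore.path` setting whose type would resolve to JKS in a FIPS JVM. The settings map below is constructed sample input.

```python
"""Lint flat Elasticsearch settings for keystore entries that would trip the
FIPS 140-2 'JKS Keystores cannot be used' validation because the keystore
type is left to be inferred from the file suffix."""
from typing import Dict, List, Tuple

# Assumption: the inference only knows PKCS12 suffixes; anything else is JKS.
PKCS12_SUFFIXES = (".p12", ".pfx", ".pkcs12")

# Constructed sample settings (not from a real deployment).
SAMPLE_SETTINGS: Dict[str, str] = {
    # type not set -> inferred as JKS even though the file is BCFKS -> fails
    "xpack.security.transport.ssl.keystore.path": "certs/transport.bcfks",
    # type set explicitly -> accepted
    "xpack.security.http.ssl.keystore.path": "certs/http.bcfks",
    "xpack.security.http.ssl.keystore.type": "BCFKS",
    # type not set, but suffix is recognised as PKCS12 -> accepted
    "xpack.http.ssl.keystore.path": "certs/watcher.p12",
}


def infer_keystore_type(path: str) -> str:
    """Mimic suffix-only inference: PKCS12 for known suffixes, otherwise JKS."""
    return "PKCS12" if path.lower().endswith(PKCS12_SUFFIXES) else "JKS"


def effective_keystore_type(settings: Dict[str, str], prefix: str) -> Tuple[str, bool]:
    """Return (type, explicit): the explicit <prefix>.keystore.type if present,
    else the type inferred from <prefix>.keystore.path."""
    explicit = settings.get(prefix + ".keystore.type")
    if explicit:
        return explicit.upper(), True
    return infer_keystore_type(settings[prefix + ".keystore.path"]), False


def fips_keystore_findings(settings: Dict[str, str]) -> List[str]:
    """List every keystore setting whose type resolves to JKS, with the reason."""
    findings = []
    for key, path in sorted(settings.items()):
        if not key.endswith(".keystore.path"):
            continue
        prefix = key[: -len(".keystore.path")]
        ks_type, explicit = effective_keystore_type(settings, prefix)
        if ks_type == "JKS":
            how = "explicitly set" if explicit else f"inferred from suffix of {path}"
            findings.append(f"{prefix}.keystore.type resolves to JKS ({how}); "
                            f"set {prefix}.keystore.type explicitly (e.g. BCFKS)")
    return findings


if __name__ == "__main__":
    for finding in fips_keystore_findings(SAMPLE_SETTINGS):
        print(finding)
```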

elasticsearchmachine commented 2 years ago

Pinging @elastic/es-security (Team:Security)