Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix GCS Keystore Handling in FIPS Mode #75028

Merged
merged 3 commits into from Jul 7, 2021
Merged

Fix GCS Keystore Handling in FIPS Mode #75028

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
63a137e
Fix GCS Keystore Handling in FIPS Mode
original-brownbear Jul 7, 2021
d570c1b
Merge remote-tracking branch 'elastic/master' into 75023
original-brownbear Jul 7, 2021
f66e1aa
comment
original-brownbear Jul 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 9 additions & 1 deletion ...itory-gcs/src/main/java/org/elasticsearch/repositories/gcs/GoogleCloudStorageService.java
View file
Open in desktop
Expand Up @@ -12,6 +12,7 @@
import com.google.api.client.http.HttpRequestInitializer;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.util.SecurityUtils;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.ServiceAccountCredentials;
import com.google.cloud.ServiceOptions;
Expand All @@ -34,6 +35,7 @@
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.security.KeyStore;
import java.util.Map;

import static java.nio.charset.StandardCharsets.UTF_8;
Expand Down Expand Up @@ -126,7 +128,13 @@ private Storage createClient(GoogleCloudStorageClientSettings clientSettings,
final NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
// requires java.lang.RuntimePermission "setFactory"
// Pin the TLS trust certificates.
builder.trustCertificates(GoogleUtils.getCertificateTrustStore());
// We manually load the key store from jks instead of using GoogleUtils.getCertificateTrustStore() because that uses a .p12
// store format not compatible with FIPS mode.
final KeyStore certTrustStore = SecurityUtils.getJavaKeyStore();
try (InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks")) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Could you add a comment explaining why we have to load this key store?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a small comment why GoogleUtils.getCertificateTrustStore() is not used directly?

SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
}
builder.trustCertificates(certTrustStore);
return builder.build();
});

Expand Down
15 changes: 13 additions & 2 deletions plugins/repository-gcs/src/main/java/org/elasticsearch/repositories/gcs/SocketAccess.java
View file
Open in desktop
Expand Up @@ -32,7 +32,7 @@ public static <T> T doPrivilegedIOException(PrivilegedExceptionAction<T> operati
try {
return AccessController.doPrivileged(operation);
} catch (PrivilegedActionException e) {
throw (IOException) e.getCause();
throw causeAsIOException(e);
}
}

Expand All @@ -44,7 +44,18 @@ public static void doPrivilegedVoidIOException(CheckedRunnable<IOException> acti
return null;
});
} catch (PrivilegedActionException e) {
throw (IOException) e.getCause();
throw causeAsIOException(e);
}
}

private static IOException causeAsIOException(PrivilegedActionException e) {
final Throwable cause = e.getCause();
if (cause instanceof IOException) {
return (IOException) cause;
}
if (cause instanceof RuntimeException) {
throw (RuntimeException) cause;
}
throw new RuntimeException(cause);
}
}