downgrade bc versions

Signed-off-by: Igonin <[email protected]>

Author: Igonin

client/rest/licenses/bc-fips-2.0.0.jar.sha1

@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab

client/rest/licenses/bc-fips-2.1.0.jar.sha1

@@ -0,0 +1 @@
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76

client/rest/licenses/bctls-fips-2.0.19.jar.sha1

@@ -0,0 +1 @@
+a1857cd639295b10cc90e6d31ecbc523cdafcc19

client/rest/licenses/bctls-fips-2.1.20.jar.sha1

@@ -32,8 +32,6 @@
 
 package org.opensearch.client;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpsConfigurator;
@@ -66,7 +64,6 @@
 /**
  * Integration test to validate the builder builds a client with the correct configuration
  */
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class RestClientBuilderIntegTests extends RestClientTestCase {
 
     private static HttpsServer httpsServer;

client/rest/licenses/bcutil-fips-2.0.3.jar.sha1

@@ -1,4 +1,5 @@
-# Security properties for non-approved mode 'org.bouncycastle.fips.approved_only=false'. Intended to be used complementary e.g.
+# Security properties for non-approved mode 'org.bouncycastle.fips.approved_only=false'.
+# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=java.security'
 
 security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
 security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

client/rest/licenses/bcutil-fips-2.1.4.jar.sha1

@@ -72,18 +72,13 @@ public void testInvalidPassphrease() throws Exception {
         terminal.addSecretInput("thewrongpassword");
         UserException e = expectThrows(UserException.class, () -> execute("foo2"));
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
-
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testMissingPromptCreateWithoutPasswordWhenPrompted() throws Exception {

client/rest/src/test/java/org/opensearch/client/BCDisposalDaemonFilter.java

@@ -104,16 +104,12 @@ public void testChangeKeyStorePasswordWrongExistingPassword() throws Exception {
         // We'll only be prompted once (for the old password)
         UserException e = expectThrows(UserException.class, this::execute);
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 }

client/rest/src/test/java/org/opensearch/client/RestClientBuilderIntegTests.java

@@ -138,17 +138,13 @@ public void testDecryptKeyStoreWithWrongPassword() throws Exception {
             SecurityException.class,
             () -> loadedKeystore.decrypt(new char[] { 'i', 'n', 'v', 'a', 'l', 'i', 'd' })
         );
-        if (inFipsJvm()) {
-            assertThat(
-                exception.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(exception.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            exception.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testCannotReadStringFromClosedKeystore() throws Exception {

distribution/src/config/java.security

@@ -90,17 +90,13 @@ public void testListWithIncorrectPassword() throws Exception {
         terminal.addSecretInput("thewrongkeystorepassword");
         UserException e = expectThrows(UserException.class, this::execute);
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testListWithUnprotectedKeystore() throws Exception {

distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/AddStringKeyStoreCommandTests.java

@@ -107,18 +107,13 @@ public void testRemoveWithIncorrectPassword() throws Exception {
         terminal.addSecretInput("thewrongpassword");
         UserException e = expectThrows(UserException.class, () -> execute("foo"));
         assertEquals(e.getMessage(), ExitCodes.DATA_ERROR, e.exitCode);
-        if (inFipsJvm()) {
-            assertThat(
-                e.getMessage(),
-                anyOf(
-                    containsString("Provided keystore password was incorrect"),
-                    containsString("Keystore has been corrupted or tampered with")
-                )
-            );
-        } else {
-            assertThat(e.getMessage(), containsString("Provided keystore password was incorrect"));
-        }
-
+        assertThat(
+            e.getMessage(),
+            anyOf(
+                containsString("Provided keystore password was incorrect"),
+                containsString("Keystore has been corrupted or tampered with")
+            )
+        );
     }
 
     public void testRemoveFromUnprotectedKeystore() throws Exception {

distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ChangeKeyStorePasswordCommandTests.java

@@ -38,7 +38,6 @@ dependencies {
   compileOnly project(":server")
   compileOnly project(":libs:opensearch-cli")
   api "org.bouncycastle:bcpg-fips:${versions.bouncycastle_pg}"
-  api "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
   testImplementation(project(":test:framework"))
   testImplementation 'com.google.jimfs:jimfs:1.3.0'
   testRuntimeOnly("com.google.guava:guava:${versions.guava}") {

distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/KeyStoreWrapperTests.java

@@ -0,0 +1 @@
+51c2f633e0c32d10de1ebab4c86f93310ff820f8

distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/ListKeyStoreCommandTests.java

@@ -36,8 +36,8 @@ if (BuildParams.inFipsJvm) {
       fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
     }
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:2.1.0')
-    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.1.20')
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:2.0.0')
+    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.0.19')
 
     pluginManager.withPlugin('java') {
       TaskProvider<ExportOpenSearchBuildResourcesTask> fipsResourcesTask = project.tasks.register('fipsResources', ExportOpenSearchBuildResourcesTask)

distribution/tools/keystore-cli/src/test/java/org/opensearch/tools/cli/keystore/RemoveSettingKeyStoreCommandTests.java

@@ -58,11 +58,11 @@ reactivestreams   = "1.0.4"
 # when updating this version, you need to ensure compatibility with:
 #  - plugins/ingest-attachment (transitive dependency, check the upstream POM)
 #  - distribution/tools/plugin-cli
-bouncycastle_jce  = "2.1.0"
-bouncycastle_tls  = "2.1.20"
-bouncycastle_pkix = "2.1.9"
-bouncycastle_pg   = "2.1.11"
-bouncycastle_util = "2.1.4"
+bouncycastle_jce  = "2.0.0"
+bouncycastle_tls  = "2.0.19"
+bouncycastle_pkix = "2.0.7"
+bouncycastle_pg   = "2.0.8"
+bouncycastle_util = "2.0.3"
 password4j        = "1.8.2"
 # test dependencies
 randomizedrunner  = "2.7.1"
@@ -91,6 +91,9 @@ arrow                 = "18.1.0"
 flatbuffers           = "2.0.0"
 
 [libraries]
+bcjce = { group = "org.bouncycastle", name = "bc-fips", version.ref = "bouncycastle_jce" }
+bctls = { group = "org.bouncycastle", name = "bctls-fips", version.ref = "bouncycastle_tls" }
+bcutil = { group = "org.bouncycastle", name = "bcutil-fips", version.ref = "bouncycastle_util" }
 hdrhistogram = { group = "org.hdrhistogram", name = "HdrHistogram", version.ref = "hdrhistogram" }
 jakartaannotation = { group = "jakarta.annotation", name = "jakarta.annotation-api", version.ref = "jakarta_annotation" }
 jodatime = { group = "joda-time", name = "joda-time", version.ref = "joda" }

distribution/tools/plugin-cli/build.gradle

@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab

distribution/tools/plugin-cli/licenses/bc-fips-2.1.0.jar.sha1

@@ -0,0 +1 @@
+01eea0f325315ca6295b0a6926ff862d8001cdf9

distribution/tools/plugin-cli/licenses/bcpg-fips-2.0.8.jar.sha1

@@ -0,0 +1 @@
+9cc33650ede63bc1a8281ed5c8e1da314d50bc76

distribution/tools/plugin-cli/licenses/bcpg-fips-2.1.11.jar.sha1

@@ -0,0 +1 @@
+a1857cd639295b10cc90e6d31ecbc523cdafcc19

gradle/fips.gradle

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import org.opensearch.test.OpenSearchTestCase;
 import org.hamcrest.Matchers;
 
@@ -57,7 +55,6 @@
 import static org.hamcrest.Matchers.iterableWithSize;
 import static org.hamcrest.Matchers.notNullValue;
 
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class PemKeyConfigTests extends OpenSearchTestCase {
     private static final int IP_NAME = 7;
     private static final int DNS_NAME = 2;

gradle/libs.versions.toml

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.opensearch.test.OpenSearchTestCase;
@@ -57,7 +55,6 @@
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.core.StringContains.containsString;
 
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class PemUtilsTests extends OpenSearchTestCase {
 
     private static final Supplier<char[]> EMPTY_PASSWORD = () -> new char[0];

libs/ssl-config/licenses/bc-fips-2.0.0.jar.sha1

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import org.opensearch.common.settings.MockSecureSettings;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.settings.SecureString;
@@ -53,7 +51,6 @@
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
 
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class SslConfigurationLoaderTests extends OpenSearchTestCase {
 
     private final String STRONG_PRIVATE_SECRET = "6!6428DQXwPpi7@$ggeg/=";

libs/ssl-config/licenses/bc-fips-2.1.0.jar.sha1

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import org.opensearch.test.OpenSearchTestCase;
 import org.hamcrest.Matchers;
 
@@ -60,7 +58,6 @@
 import static org.hamcrest.Matchers.notNullValue;
 import static org.hamcrest.Matchers.nullValue;
 
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class StoreKeyConfigTests extends OpenSearchTestCase {
 
     private static final int IP_NAME = 7;

libs/ssl-config/licenses/bcpkix-fips-2.0.7.jar.sha1

@@ -32,8 +32,6 @@
 
 package org.opensearch.common.ssl;
 
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakFilters;
-
 import org.opensearch.test.OpenSearchTestCase;
 import org.hamcrest.Matchers;
 
@@ -54,7 +52,6 @@
 import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.nullValue;
 
-@ThreadLeakFilters(filters = { BCDisposalDaemonFilter.class })
 public class StoreTrustConfigTests extends OpenSearchTestCase {
 
     private static final char[] P12_PASS = "p12-pass".toCharArray();

libs/ssl-config/licenses/bcpkix-fips-2.1.9.jar.sha1

@@ -114,6 +114,12 @@ dependencies {
 
   // https://mvnrepository.com/artifact/org.roaringbitmap/RoaringBitmap
   api libs.roaringbitmap
+
+  // BC security provider
+  api libs.bcjce
+  api libs.bctls
+  api libs.bcutil
+
   testImplementation 'org.awaitility:awaitility:4.3.0'
   testImplementation(project(":test:framework")) {
     // tests use the locally compiled version of server
@@ -163,6 +169,10 @@ tasks.named("testingConventions").configure {
     }
 }
 
+tasks.named("dependencyLicenses").configure {
+    mapping from: /bc.*/, to: 'bouncycastle'
+}
+
 // Set to current version by default
 def japicmpCompareTarget = System.getProperty("japicmp.compare.version")
 if (japicmpCompareTarget == null) { /* use latest released version */

libs/ssl-config/licenses/bctls-fips-2.0.19.jar.sha1

@@ -0,0 +1 @@
+ee9ac432cf08f9a9ebee35d7cf8a45f94959a7ab