Skip to content

Add fips.mode configuration to control truststore check in FIPS mode for GCS repository #21122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
reta merged 10 commits into from
Apr 6, 2026
Merged

Add fips.mode configuration to control truststore check in FIPS mode for GCS repository #21122

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
489982f
Add fips.mode configuration to control truststore check in FIPS mode
Apr 4, 2026
640e25b
retry gradle-check
Apr 4, 2026
44847fd
Adjust comment for fips.mode to address diff analyzer warning
Apr 4, 2026
3ea0132
retry gradle-check
Apr 4, 2026
ef340ec
FIPS mode: update comment for compliance check
Apr 4, 2026
5170a9d
[GCS] Fix FIPS mode truststore handling by using BCFKS for default Go…
Apr 4, 2026
804ecb4
Merge branch 'main' into main
reta Apr 5, 2026
f9f92c5
Update GCS FIPS unit tests for auto-created BCFKS truststore
Apr 6, 2026
20cc8d4
Fix spotless formatting issues
Apr 6, 2026
1012319
Merge branch 'main' into main
reta Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 25 additions & 5 deletions ...pository-gcs/src/main/java/org/opensearch/repositories/gcs/GoogleCloudStorageService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import java.util.Map;

import static java.util.Collections.emptyMap;
Expand Down Expand Up @@ -231,11 +232,9 @@ private KeyStore loadTrustStore(TruststoreSettings truststoreSettings) throws Ge
}
logger.debug("Loaded custom truststore from path: {} with type: {}", truststorePath, truststoreType);
} else if (Security.getProvider("BCFIPS") != null) {
throw new IllegalStateException(
"FIPS mode is active but no custom truststore is configured. "
+ "Please configure gcs.client.<client-name>.truststore.path and "
+ "gcs.client.<client-name>.truststore.secure_password settings."
);
// FIPS mode is active: create FIPS-compliant (BCFKS) truststore with Google default certs
certTrustStore = createFipsCompliantGoogleTrustStore();
logger.debug("Using FIPS-compliant Google default certificate trust store");
} else {
// requires java.lang.RuntimePermission "setFactory"
// Pin the TLS trust certificates.
Expand Down Expand Up @@ -302,4 +301,25 @@ static Integer toTimeout(final TimeValue timeout) {
}
return Math.toIntExact(timeout.getMillis());
}

private KeyStore createFipsCompliantGoogleTrustStore() throws GeneralSecurityException, IOException {
// Use BCFKS KeyStore type which is required for FIPS mode
KeyStore trustStore = KeyStore.getInstance("BCFIPS", "BCFIPS");
// Initialize empty BCFKS trust store
trustStore.load(null, null);

// Load Google's built-in default trust store
KeyStore googleDefaultStore = GoogleUtils.getCertificateTrustStore();
Enumeration<String> aliases = googleDefaultStore.aliases();

// Copy all certificate entries into the FIPS-compliant BCFKS trust store
while (aliases.hasMoreElements()) {
String alias = aliases.nextElement();
if (googleDefaultStore.isCertificateEntry(alias)) {
trustStore.setCertificateEntry(alias, googleDefaultStore.getCertificate(alias));
}
}

return trustStore;
}
}
11 changes: 5 additions & 6 deletions ...gcs/src/test/java/org/opensearch/repositories/gcs/GoogleCloudStorageServiceFipsTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@
import org.opensearch.common.settings.Settings;
import org.opensearch.common.settings.SettingsException;

import java.io.IOException;
import java.nio.file.Path;

import static org.hamcrest.Matchers.containsString;
Expand Down Expand Up @@ -68,17 +67,18 @@ public void testCustomTruststoreConfiguration() throws Exception {
assertNotNull(storage);
}

public void testFipsModeEnforcesTruststoreConfiguration() throws Exception {
public void testFipsModeTruststoreConfiguration() throws Exception {
final var service = new GoogleCloudStorageService();
final var statsCollector = new GoogleCloudStorageOperationsStats("bucket");

{ // Scenario 1: No truststore configuration -> should throw exception
{ // Scenario 1: No truststore configuration -> auto-create FIPS truststore
final var secureSettings = new MockSecureSettings();
final var settings = Settings.builder().setSecureSettings(secureSettings).build();
service.refreshAndClearCache(GoogleCloudStorageClientSettings.load(settings));

final var exception = expectThrows(IOException.class, () -> service.client("default", "repo", statsCollector));
assertThat(exception.getMessage(), containsString("FIPS mode is active but no custom truststore is configured"));
// Should create client successfully without exception
final var storage = service.client("default", "repo", statsCollector);
assertNotNull(storage);
}

{ // Scenario 2: Path + password configured (missing type) -> should throw exception
Expand All @@ -105,5 +105,4 @@ public void testFipsModeEnforcesTruststoreConfiguration() throws Exception {
assertNotNull("Storage client should be created successfully with full truststore configuration", storage);
}
}

}
Loading