Fix repository-gcs KeyStore.getInstance type/provider order in createFipsCompliantGoogleTrustStore#22288
Conversation
PR Reviewer Guide 🔍(Review updated until commit f75385d)Here are some key observations to aid the review process:
|
PR Code Suggestions ✨Latest suggestions up to 9dc7f65 Explore these optional code suggestions:
Previous suggestionsSuggestions up to commit 2b85907
Suggestions up to commit 26559fb
|
|
@gszkopinski could you please fix DCO check? ( |
|
❌ Gradle check result for 26559fb: null Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
GoogleCloudStorageService.createFipsCompliantGoogleTrustStore called
KeyStore.getInstance("BCFIPS", "BCFIPS"), but "BCFIPS" is the
provider name; the corresponding keystore type is "BCFKS" (already
documented in the in-method comment one line above). Every GCS snapshot
operation on a FIPS-enabled OpenSearch 3.7.0 distribution therefore
fails with:
KeyStoreException: BCFIPS not found
caused by: NoSuchAlgorithmException: no such algorithm: BCFIPS for
provider BCFIPS
Fixes opensearch-project#22287.
Signed-off-by: Guillaume SZKOPINSKI <guillaume.szkopinski@altirnao.com>
26559fb to
2b85907
Compare
|
Persistent review updated to latest commit 2b85907 |
|
Persistent review updated to latest commit 9dc7f65 |
|
❌ Gradle check result for 9dc7f65: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
Persistent review updated to latest commit f75385d |
|
❌ Gradle check result for f75385d: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
Hello @reta ! I can't see the error on the Jenkins/Gradle side. It requires permissions regarding GitHub organizations and teams that I don't want to share. Is it possible to display the error and indicate whether or not it stems from my pull request? |
Description
GoogleCloudStorageService.createFipsCompliantGoogleTrustStorecalls:"BCFIPS"is the provider name registered byBouncyCastleFipsProvider; the keystore type it provides is"BCFKS"— which is exactly what the in-method comment one line above already says (// Use BCFKS KeyStore type which is required for FIPS mode). The call as written therefore throws on every invocation:This makes any GCS snapshot operation fail on a FIPS-enabled OpenSearch 3.7.0 distribution: the buggy method is unconditionally entered whenever
Security.getProvider("BCFIPS") != null(the default for 3.x official images) and no customgcs.client.*.truststore.*is configured.The fix is to pass the correct keystore type (
"BCFKS") while keeping the same provider ("BCFIPS"):After this change the method behaves as the comment and the PR that introduced it (#21122) intended: a BCFKS keystore created via the BCFIPS provider, populated with Google's default trust store entries.
Related Issues
Resolves #22287
Check List
No new tests are added: the buggy line is on a code path that is not currently exercised by any test (otherwise it would have failed in CI). Happy to add a test that asserts
loadTrustStore()returns a usableBCFKSkeystore under FIPS if reviewers prefer.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.