Enable automatic detection of keystore type and support for FIPS-compliant BCFKS stores.

Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Co-authored-by: Benny Goerzig <benny.goerzig@sap.com>
Co-authored-by: Karsten Schnitter <k.schnitter@sap.com>
Co-authored-by: Kai Sternad <k.sternad@sternad.de>

Author: 4 people

src/integrationTest/java/org/opensearch/test/framework/cluster/OpenSearchClientProvider.java

@@ -69,6 +69,7 @@
 import org.opensearch.test.framework.certificate.CertificateData;
 import org.opensearch.test.framework.certificate.TestCertificates;
 
+import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE;
 import static org.opensearch.test.framework.cluster.TestRestClientConfiguration.getBasicAuthHeader;
 
 /**
@@ -273,7 +274,7 @@ private SSLContext getSSLContext(CertificateData useCertificateData) {
             trustCertificates = PemKeyReader.loadCertificatesFromFile(getTestCertificates().getRootCertificate());
 
             TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+            KeyStore ks = KeyStore.getInstance(DEFAULT_STORE_TYPE);
 
             ks.load(null);
 

src/integrationTest/java/org/opensearch/test/framework/ldap/LdapServer.java

@@ -48,6 +48,8 @@
 import com.unboundid.ldif.LDIFReader;
 import com.unboundid.util.ssl.SSLUtil;
 
+import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE;
+
 /**
 * Based on class org.opensearch.security.auth.ldap.srv.LdapServer from older tests
 */
@@ -154,7 +156,7 @@ private void addLdapCertificatesToKeystore(KeyStore keyStore) throws KeyStoreExc
     }
 
     private static KeyStore createEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
-        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        KeyStore keyStore = KeyStore.getInstance(DEFAULT_STORE_TYPE);
         keyStore.load(null);
         return keyStore;
     }

src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java

@@ -1064,12 +1064,16 @@ private List<String> getOtherName(List<?> altName) {
         }
         try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
             final ASN1Primitive asn1Primitive = in.readObject();
-            final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+            // BC X.509 (used in FIPS mode) returns the GeneralName [0] IMPLICIT encoding;
+            // JDK X.509 returns just the OtherName SEQUENCE body. Handle both.
+            final ASN1Sequence sequence = asn1Primitive instanceof ASN1TaggedObject
+                ? ASN1Sequence.getInstance((ASN1TaggedObject) asn1Primitive, false)
+                : ASN1Sequence.getInstance(asn1Primitive);
             final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
-            final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+            final ASN1TaggedObject asn1TaggedObject = (ASN1TaggedObject) sequence.getObjectAt(1).toASN1Primitive();
             ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getObject();
             if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
-                maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getObject();
+                maybeTaggedAsn1Primitive = ((ASN1TaggedObject) maybeTaggedAsn1Primitive).getObject();
             }
             if (maybeTaggedAsn1Primitive instanceof ASN1String) {
                 return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());

src/main/java/org/opensearch/security/ssl/config/Certificate.java

@@ -120,12 +120,16 @@ private List<String> parseOtherName(List<?> altName) {
         }
         try (final ASN1InputStream in = new ASN1InputStream((byte[]) altName.get(1))) {
             final ASN1Primitive asn1Primitive = in.readObject();
-            final ASN1Sequence sequence = ASN1Sequence.getInstance(asn1Primitive);
+            // BC X.509 (used in FIPS mode) returns the GeneralName [0] IMPLICIT encoding;
+            // JDK X.509 returns just the OtherName SEQUENCE body. Handle both.
+            final ASN1Sequence sequence = asn1Primitive instanceof ASN1TaggedObject
+                ? ASN1Sequence.getInstance((ASN1TaggedObject) asn1Primitive, false)
+                : ASN1Sequence.getInstance(asn1Primitive);
             final ASN1ObjectIdentifier asn1ObjectIdentifier = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
-            final ASN1TaggedObject asn1TaggedObject = ASN1TaggedObject.getInstance(sequence.getObjectAt(1));
+            final ASN1TaggedObject asn1TaggedObject = (ASN1TaggedObject) sequence.getObjectAt(1).toASN1Primitive();
             ASN1Object maybeTaggedAsn1Primitive = asn1TaggedObject.getObject();
             if (maybeTaggedAsn1Primitive instanceof ASN1TaggedObject) {
-                maybeTaggedAsn1Primitive = ASN1TaggedObject.getInstance(maybeTaggedAsn1Primitive).getObject();
+                maybeTaggedAsn1Primitive = ((ASN1TaggedObject) maybeTaggedAsn1Primitive).getObject();
             }
             if (maybeTaggedAsn1Primitive instanceof ASN1String) {
                 return ImmutableList.of(asn1ObjectIdentifier.getId(), maybeTaggedAsn1Primitive.toString());

src/main/java/org/opensearch/security/ssl/config/KeyStoreUtils.java

@@ -41,6 +41,8 @@
 import io.netty.handler.ssl.ApplicationProtocolNegotiator;
 import io.netty.handler.ssl.SslContext;
 
+import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE;
+
 final class KeyStoreUtils {
 
     private final static Logger log = LogManager.getLogger(KeyStoreUtils.class);
@@ -113,7 +115,7 @@ public static KeyStore loadTrustStore(final Path path, final String type, final
                 if (aliasCertificate == null) {
                     throw new OpenSearchException("Couldn't find SSL certificate for alias " + alias);
                 }
-                keyStore = newKeyStore();
+                keyStore = newKeyStore(type);
                 keyStore.setCertificateEntry(alias, aliasCertificate);
             }
             return keyStore;
@@ -137,7 +139,11 @@ public static KeyStore newTrustStoreFromPem(final Path pemFile) {
     }
 
     private static KeyStore newKeyStore() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
-        final var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        return newKeyStore(DEFAULT_STORE_TYPE);
+    }
+
+    private static KeyStore newKeyStore(String type) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
+        final var keyStore = KeyStore.getInstance(type);
         keyStore.load(null, null);
         return keyStore;
     }
@@ -235,7 +241,7 @@ public static KeyStore newKeyStore(
                     throw new CertificateException("Couldn't find certificate chain for alias " + alias);
                 }
                 final var key = keyStore.getKey(alias, keyPassword);
-                keyStore = newKeyStore();
+                keyStore = newKeyStore(type);
                 keyStore.setKeyEntry(alias, key, keyPassword, certificateChain);
             }
             return keyStore;

src/main/java/org/opensearch/security/ssl/util/SSLConfigConstants.java

@@ -22,6 +22,7 @@
 import java.util.List;
 import java.util.function.Function;
 
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.opensearch.common.settings.Setting;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.ssl.config.CertType;
@@ -42,7 +43,7 @@ public final class SSLConfigConstants {
     public static final String ENABLED = "enabled";
     public static final String CLIENT_AUTH_MODE = "clientauth_mode";
     public static final String ENFORCE_CERT_RELOAD_DN_VERIFICATION = "enforce_cert_reload_dn_verification";
-    public static final String DEFAULT_STORE_TYPE = "JKS";
+    public static final String DEFAULT_STORE_TYPE = CryptoServicesRegistrar.isInApprovedOnlyMode() ? "BCFKS" : "JKS";
     public static final String SSL_PREFIX = "plugins.security.ssl.";
 
     public static final String KEYSTORE_TYPE = "keystore_type";

src/main/java/org/opensearch/security/support/PemKeyReader.java

@@ -26,6 +26,7 @@
 
 package org.opensearch.security.support;
 
+import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
@@ -51,6 +52,7 @@
 import java.security.spec.InvalidKeySpecException;
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Collection;
+import java.util.Locale;
 import javax.crypto.Cipher;
 import javax.crypto.EncryptedPrivateKeyInfo;
 import javax.crypto.NoSuchPaddingException;
@@ -60,18 +62,27 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
 import org.bouncycastle.util.io.pem.PemObject;
 import org.bouncycastle.util.io.pem.PemReader;
 
 import org.opensearch.OpenSearchException;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.env.Environment;
 
+import static org.opensearch.security.ssl.util.SSLConfigConstants.DEFAULT_STORE_TYPE;
+
 public final class PemKeyReader {
 
     private static final Logger log = LogManager.getLogger(PemKeyReader.class);
-    static final String JKS = "JKS";
-    static final String PKCS12 = "PKCS12";
+
+    public static final String JKS = "JKS";
+    public static final String PKCS12 = "PKCS12";
+    public static final String BCFKS = "BCFKS";
 
     private static byte[] readPrivateKey(File file) throws KeyException {
         try (final InputStream in = new FileInputStream(file)) {
@@ -173,16 +184,13 @@ public static X509Certificate loadCertificateFromStream(InputStream in) throws E
         return (X509Certificate) fact.generateCertificate(in);
     }
 
-    public static KeyStore loadKeyStore(String storePath, String keyStorePassword, String type) throws Exception {
+    public static KeyStore loadKeyStore(final String storePath, final String keyStorePassword, final String type) throws Exception {
         if (storePath == null) {
             return null;
         }
+        String storeType = extractStoreType(storePath, type);
 
-        if (type == null || !type.toUpperCase().equals(JKS) || !type.toUpperCase().equals(PKCS12)) {
-            type = JKS;
-        }
-
-        final KeyStore store = KeyStore.getInstance(type.toUpperCase());
+        final KeyStore store = KeyStore.getInstance(storeType);
         store.load(new FileInputStream(storePath), keyStorePassword == null ? null : keyStorePassword.toCharArray());
         return store;
     }
@@ -308,8 +316,7 @@ public static KeyStore toTruststore(final String trustCertificatesAliasPrefix, f
             return null;
         }
 
-        KeyStore ks = KeyStore.getInstance(JKS);
-        ks.load(null);
+        KeyStore ks = newEmptyStore();
 
         if (trustCertificates != null && trustCertificates.length > 0) {
             for (int i = 0; i < trustCertificates.length; i++) {
@@ -328,8 +335,7 @@ public static KeyStore toKeystore(
     ) throws Exception {
 
         if (authenticationCertificateAlias != null && authenticationCertificate != null && authenticationKey != null) {
-            KeyStore ks = KeyStore.getInstance(JKS);
-            ks.load(null, null);
+            KeyStore ks = newEmptyStore();
             ks.setKeyEntry(authenticationCertificateAlias, authenticationKey, password, authenticationCertificate);
             return ks;
         } else {
@@ -347,5 +353,54 @@ public static char[] randomChars(int len) {
         return ret;
     }
 
+    public static String extractStoreType(String storePath, String storeType) throws IOException {
+        if (null == storeType) {
+            storeType = detectStoreType(storePath);
+        }
+        if (CryptoServicesRegistrar.isInApprovedOnlyMode() && !PemKeyReader.BCFKS.equalsIgnoreCase(storeType)) {
+            throw new IllegalArgumentException(
+                storeType.toUpperCase(Locale.ROOT) + " truststores are not supported in FIPS mode - use BCFKS."
+            );
+        }
+        return storeType;
+    }
+
+    private static String detectStoreType(String path) throws IOException {
+        try (InputStream raw = new BufferedInputStream(new FileInputStream(path))) {
+            raw.mark(32);
+            byte[] magic = new byte[4];
+            if (raw.read(magic) < 4) {
+                throw new IllegalArgumentException("Cannot detect keystore type: file too short: " + path);
+            }
+            // JKS: 0xFEEDFEED
+            if ((magic[0] & 0xFF) == 0xFE //
+                && (magic[1] & 0xFF) == 0xED //
+                && (magic[2] & 0xFF) == 0xFE //
+                && (magic[3] & 0xFF) == 0xED //
+            ) {
+                return PemKeyReader.JKS;
+            }
+            // ASN.1: distinguish BCFKS from PKCS12 by outer structure
+            // PKCS12 (RFC 7292): outer SEQUENCE starts with INTEGER (version = 3)
+            // BCFKS: outer SEQUENCE starts with SEQUENCE (encrypted content envelope)
+            if ((magic[0] & 0xFF) == 0x30) {
+                raw.reset();
+                try (ASN1InputStream asn1In = new ASN1InputStream(raw)) {
+                    ASN1Sequence outer = (ASN1Sequence) asn1In.readObject();
+                    ASN1Encodable first = outer.getObjectAt(0);
+                    if (first instanceof ASN1Integer) return PemKeyReader.PKCS12;
+                    if (first instanceof ASN1Sequence) return PemKeyReader.BCFKS;
+                } catch (Exception ignored) {}
+            }
+            throw new IllegalArgumentException("Cannot detect keystore type for: " + path + ". Specify explicitly with -kst/-tst.");
+        }
+    }
+
+    private static KeyStore newEmptyStore() throws Exception {
+        var ks = KeyStore.getInstance(DEFAULT_STORE_TYPE);
+        ks.load(null, null);
+        return ks;
+    }
+
     private PemKeyReader() {}
 }

src/main/java/org/opensearch/security/tools/SecurityAdmin.java

@@ -502,14 +502,14 @@ public static int execute(final String[] args) throws Exception {
         System.out.println(" ... done");
 
         if (ks != null) {
-            kst = kst == null ? (ks.endsWith(".jks") ? "JKS" : "PKCS12") : kst;
+            kst = PemKeyReader.extractStoreType(ks, kst);
             if (kspass == null && promptForPassword) {
                 kspass = promptForPassword("Keystore", "kspass", OPENDISTRO_SECURITY_KS_PASS);
             }
         }
 
         if (ts != null) {
-            tst = tst == null ? (ts.endsWith(".jks") ? "JKS" : "PKCS12") : tst;
+            tst = PemKeyReader.extractStoreType(ts, tst);
             if (tspass == null && promptForPassword) {
                 tspass = promptForPassword("Truststore", "tspass", OPENDISTRO_SECURITY_TS_PASS);
             }

src/test/java/org/opensearch/security/ssl/config/JdkSslCertificatesLoaderTest.java

@@ -305,7 +305,7 @@ Path createKeyStore(final String type, final String password, final Map<String,
     }
 
     KeyStore keyStore(final String type) throws Exception {
-        final var keyStore = KeyStore.getInstance(isNull(type) ? KeyStore.getDefaultType() : type);
+        final var keyStore = KeyStore.getInstance(isNull(type) ? DEFAULT_STORE_TYPE : type);
         keyStore.load(null, null);
         return keyStore;
     }