
Upgrade Bouncy Castle FIPS dependencies (#112989) (#117321)

This PR updates `bc-fips` and `bctls-fips` dependencies to the latest
minor versions.
Slobodan Adamović 10 months ago
parent
commit
029287a84a

+ 4 - 4
build-tools-internal/src/main/groovy/elasticsearch.fips.gradle

@@ -24,12 +24,12 @@ if (BuildParams.inFipsJvm) {
     File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
     File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.4')
-    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17')
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
+    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
     def manualDebug = false; //change this to manually debug bouncy castle in an IDE
     if(manualDebug) {
-      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.4')
-      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17'){
+      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
+      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
         exclude group: 'org.bouncycastle', module: 'bc-fips'  // to avoid jar hell
       }
     }

+ 2 - 1
build-tools-internal/src/main/resources/fips_java.policy

@@ -5,6 +5,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
@@ -20,6 +21,6 @@ grant {
 };
 
 // rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
   permission java.net.SocketPermission "*", "connect";
 };
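Review bot: The new `getProperty.org.bouncycastle.ec.max_f2m_field_size` grant on the added line carries no explanation of which code path needs it, and the `codeBase` grant below it hard-codes the jar filename `bctls-fips-1.0.19.jar`, so the same version string now lives here, in `elasticsearch.fips.gradle` and in `test/test-clusters/.../fips_java.policy`. If the policy and the Gradle dependency drift apart, the `SocketPermission "*", "connect"` grant silently stops applying to the TLS provider and connections fail under the security manager with no hint that the policy is the cause. I would annotate both lines, e.g. `// read by bc-fips 1.0.2.5 during provider init (presumably to bound binary-field EC sizes) -- confirm against the provider source` above the new permission, and `// NOTE: the jar name must match the bctls-fips version declared in elasticsearch.fips.gradle` above the codeBase grant. The enclosing `grant { ... }` block for the first hunk starts outside the hunk.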

+ 1 - 1
distribution/tools/plugin-cli/build.gradle

@@ -29,7 +29,7 @@ dependencies {
   implementation 'org.ow2.asm:asm-tree:9.7'
 
   api "org.bouncycastle:bcpg-fips:1.0.7.1"
-  api "org.bouncycastle:bc-fips:1.0.2.4"
+  api "org.bouncycastle:bc-fips:1.0.2.5"
   testImplementation project(":test:framework")
   testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
   testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"

+ 5 - 0
docs/changelog/112989.yaml

@@ -0,0 +1,5 @@
+pr: 112989
+summary: Upgrade Bouncy Castle FIPS dependencies
+area: Security
+type: upgrade
+issues: []

+ 2 - 2
docs/reference/security/fips-140-compliance.asciidoc

@@ -53,8 +53,8 @@ https://docs.oracle.com/en/java/javase/17/security/java-cryptography-architectur
 https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html[JSSE] implementation is required
 so that the JVM uses FIPS validated implementations of NIST recommended cryptographic algorithms.
 
-Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.4/bc-fips-1.0.2.4.jar[bc-fips 1.0.2.4]
-and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.17/bctls-fips-1.0.17.jar[bctls-fips 1.0.17].
+Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar[bc-fips 1.0.2.5]
+and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.19/bctls-fips-1.0.19.jar[bctls-fips 1.0.19].
 Please refer to the {es}
 https://www.elastic.co/support/matrix#matrix_jvm[JVM support matrix] for details on which combinations of JVM and security provider are supported in FIPS mode. Elasticsearch does not ship with a FIPS certified provider. It is the responsibility of the user
 to install and configure the security provider to ensure compliance with FIPS 140-2. Using a FIPS certified provider will ensure that only

+ 9 - 9
gradle/verification-metadata.xml

@@ -3243,14 +3243,14 @@
             <sha256 value="d749db58c2bd353f1c03541d747b753931d4b84da8e48993ef51efe8694b4ed7" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.4">
-         <artifact name="bc-fips-1.0.2.4.jar">
-            <sha256 value="703ecd8a3a619800269bc8cd442f2ebf469bd2fe70478364f58ddc6460c35f9f" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.5">
+         <artifact name="bc-fips-1.0.2.5.jar">
+            <sha256 value="50e4c7a0d0c68413d3d8587560d56945ac09e7c89c41bd971cd22d76be6f1085" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.4">
-         <artifact name="bc-fips-debug-1.0.2.4.jar">
-            <sha256 value="a025e947c9c91d023bf2a0a3a74d78d5f8b9f6f0f4de13dc52025f2b996a306b" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.5">
+         <artifact name="bc-fips-debug-1.0.2.5.jar">
+            <sha256 value="5cfda7e020c5c1a3b1724386f139957472e551494254b8fc74e34f73590fc605" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.bouncycastle" name="bcpg-fips" version="1.0.7.1">
@@ -3288,9 +3288,9 @@
             <sha256 value="add5915e6acfc6ab5836e1fd8a5e21c6488536a8c1f21f386eeb3bf280b702d7" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.bouncycastle" name="bctls-fips" version="1.0.17">
-         <artifact name="bctls-fips-1.0.17.jar">
-            <sha256 value="51dfd28ec370f27ba4efc10ec8e21129e34e2f2340ac465a6d17a468e0a4696d" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bctls-fips" version="1.0.19">
+         <artifact name="bctls-fips-1.0.19.jar">
+            <sha256 value="a0bbad2eb5268f1baa08f0e2e69cb61cd292e19e73595c620d586d335d97d1a8" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.bouncycastle" name="bcutil-jdk18on" version="1.78.1">

+ 1 - 0
plugins/discovery-ec2/build.gradle

@@ -77,6 +77,7 @@ tasks.register("writeTestJavaPolicy") {
           "permission java.security.SecurityPermission \"getProperty.jdk.tls.disabledAlgorithms\";",
           "permission java.security.SecurityPermission \"getProperty.jdk.certpath.disabledAlgorithms\";",
           "permission java.security.SecurityPermission \"getProperty.keystore.type.compat\";",
+          "permission java.security.SecurityPermission \"getProperty.org.bouncycastle.ec.max_f2m_field_size\";",
           "};"
         ].join("\n")
       )

+ 2 - 1
test/test-clusters/src/main/resources/fips/fips_java.policy

@@ -5,6 +5,7 @@ grant {
      permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
      permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+     permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.util.PropertyPermission "java.runtime.name", "read";
      permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
@@ -20,6 +21,6 @@ grant {
 };
 
 // rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
   permission java.net.SocketPermission "*", "connect";
 };
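Review bot: This file receives exactly the same two edits as `build-tools-internal/src/main/resources/fips_java.policy`, which suggests the two policies are maintained by hand in lock-step, and nothing in either file says so. A future bc-fips bump that touches only one copy would leave the test clusters running a different permission set than the build-tools policy, which is the kind of divergence that surfaces as an unexplained `AccessControlException` in FIPS CI. A one-line header such as `// Keep in sync with build-tools-internal/src/main/resources/fips_java.policy` at the top of each copy, or deriving one from the other at build time, would make the coupling explicit. The enclosing `grant { ... }` block of the first hunk starts outside the hunk.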

+ 1 - 1
x-pack/plugin/core/build.gradle

@@ -65,7 +65,7 @@ dependencies {
   testImplementation project(path: ':modules:rest-root')
   testImplementation project(path: ':modules:health-shards-availability')
   // Needed for Fips140ProviderVerificationTests
-  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.4')
+  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')
 
   testImplementation(project(':x-pack:license-tools')) {
     transitive = false

+ 1 - 1
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java

@@ -218,7 +218,7 @@ public class RestrictedTrustManagerTests extends ESTestCase {
             if (cert.endsWith("/ca")) {
                 assertTrusted(trustManager, cert);
             } else {
-                assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to find certificate chain." : "PKIX path building failed.*");
+                assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to construct a valid chain" : "PKIX path building failed.*");
             }
         }
     }

+ 1 - 1
x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java

@@ -107,7 +107,7 @@ public class SslClientAuthenticationTests extends SecurityIntegTestCase {
             if (inFipsJvm()) {
                 Throwable t = ExceptionsHelper.unwrap(e, CertificateException.class);
                 assertThat(t, instanceOf(CertificateException.class));
-                assertThat(t.getMessage(), containsString("Unable to find certificate chain"));
+                assertThat(t.getMessage(), containsString("Unable to construct a valid chain"));
             } else {
                 Throwable t = ExceptionsHelper.unwrap(e, CertPathBuilderException.class);
                 assertThat(t, instanceOf(CertPathBuilderException.class));

+ 5 - 1
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java

@@ -571,7 +571,11 @@ public class SimpleSecurityNetty4ServerTransportTests extends AbstractSimpleTran
                 final ConnectTransportException e = openConnectionExpectFailure(qcService, node, connectionProfile);
                 assertThat(
                     e.getRootCause().getMessage(),
-                    anyOf(containsString("unable to find valid certification path"), containsString("Unable to find certificate chain"))
+                    anyOf(
+                        containsString("unable to find valid certification path"),
+                        containsString("Unable to find certificate chain"),
+                        containsString("Unable to construct a valid chain")
+                    )
                 );
             }