Enable FIPS entitlements based on org.bouncycastle.fips.approved_only.

mosche · mosche · commit 9501d77417ef · 2025-03-11T17:24:32.000+01:00
When enabling FIPS `javax.net.ssl.trustStore` is not necessarily set.
This change adds FIPS entitlements based on `org.bouncycastle.fips.approved_only=true`,
which enforces usage of FIPS approved functionality only.

Additionally, this PR grants read access to a custom trust store if
provided via `javax.net.ssl.trustStore`, otherwise read access to the
default JDK trust store is granted.

Relates to ES-11025.
diff --git a/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java b/libs/entitlement/src/main/java/org/elasticsearch/entitlement/initialization/EntitlementInitialization.java
@@ -241,16 +241,19 @@ private static PolicyManager createPolicyManager() {
             )
         );
 
-        Path trustStorePath = trustStorePath();
-        if (trustStorePath != null) {
+        // conditionally add FIPS entitlements if FIPS only functionality is enforced
+        if ("true".equals(System.getProperty("org.bouncycastle.fips.approved_only"))) {
+            // if custom trust store is set, grant read access to its location, otherwise use the default trust store
+            String trustStore = System.getProperty("javax.net.ssl.trustStore");
+            Path trustStorePath = trustStore != null ? Path.of(trustStore) : bootstrapArgs.libDir().resolve("security/jssecacerts");
             Collections.addAll(
                 serverScopes,
                 new Scope(
                     "org.bouncycastle.fips.tls",
                     List.of(
                         new FilesEntitlement(List.of(FileData.ofPath(trustStorePath, READ))),
-                        new OutboundNetworkEntitlement(),
-                        new ManageThreadsEntitlement()
+                        new ManageThreadsEntitlement(),
+                        new OutboundNetworkEntitlement()
                     )
                 ),
                 new Scope(
@@ -302,11 +305,6 @@ private static Path getUserHome() {
         return PathUtils.get(userHome);
     }
 
-    private static Path trustStorePath() {
-        String trustStore = System.getProperty("javax.net.ssl.trustStore");
-        return trustStore != null ? Path.of(trustStore) : null;
-    }
-
     private static Stream<InstrumentationService.InstrumentationInfo> fileSystemProviderChecks() throws ClassNotFoundException,
         NoSuchMethodException {
         var fileSystemProviderClass = FileSystems.getDefault().provider().getClass();
