diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
index 3bff30d9511fb..c9b38449c5ac4 100644
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -24,12 +24,12 @@ if (BuildParams.inFipsJvm) {
File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
- def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.4')
- def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17')
+ def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
+ def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
def manualDebug = false; //change this to manually debug bouncy castle in an IDE
if(manualDebug) {
- bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.4')
- bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.17'){
+ bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
+ bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
exclude group: 'org.bouncycastle', module: 'bc-fips' // to avoid jar hell
}
}
diff --git a/build-tools-internal/src/main/resources/fips_java.policy b/build-tools-internal/src/main/resources/fips_java.policy
index c259b0bc908d8..781e1247db7a5 100644
--- a/build-tools-internal/src/main/resources/fips_java.policy
+++ b/build-tools-internal/src/main/resources/fips_java.policy
@@ -5,6 +5,7 @@ grant {
permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.util.PropertyPermission "java.runtime.name", "read";
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
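Review bot: The new `getProperty.org.bouncycastle.ec.max_f2m_field_size` grant on L30 carries no comment saying why it is now required, and the identical line is repeated in test/test-clusters/src/main/resources/fips/fips_java.policy (L122) and in the test-policy string built in plugins/discovery-ec2/build.gradle (L110); the two .policy files are byte-identical copies (same before/after blob ids), so a future edit to one is easy to miss in the other. A one-line comment above the grant, `// presumably read by the upgraded bc-fips provider; keep in sync with test-clusters fips_java.policy and discovery-ec2 writeTestJavaPolicy`, would record the reason — the dependence on the 1.0.2.5 upgrade is inferred from this PR, so confirm it before wording the comment as fact. Separately, the codeBase grant on L38 (and L130) keys on the literal jar name `bctls-fips-1.0.19.jar`; if that string drifts from the version declared in elasticsearch.fips.gradle the SocketPermission grant silently matches nothing, so a comment naming that gradle file as the source of truth would make the coupling visible.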
@@ -20,6 +21,6 @@ grant {
};
// rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
permission java.net.SocketPermission "*", "connect";
};
diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index ac8ade89c9014..57750f2162a71 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -29,7 +29,7 @@ dependencies {
implementation 'org.ow2.asm:asm-tree:9.7'
api "org.bouncycastle:bcpg-fips:1.0.7.1"
- api "org.bouncycastle:bc-fips:1.0.2.4"
+ api "org.bouncycastle:bc-fips:1.0.2.5"
testImplementation project(":test:framework")
testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"
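Review bot: `bcpg-fips` stays at 1.0.7.1 on L47 while the `bc-fips` it depends on moves to 1.0.2.5 on L49; as far as I know Bouncy Castle releases each bcpg-fips version against a particular bc-fips line, so it is worth confirming this pairing is a supported one rather than relying on the test suite alone (the diff does not show whether that was checked). If it is, a short comment beside the two lines, `// bcpg-fips 1.0.7.1 is built against the bc-fips 1.0.2.x line`, saves the next upgrader the lookup. Note this file also pins a separate copy of the bc-fips version alongside elasticsearch.fips.gradle and x-pack/plugin/core/build.gradle (L142), so all three must move together.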
diff --git a/docs/changelog/112989.yaml b/docs/changelog/112989.yaml
new file mode 100644
index 0000000000000..364f012f94420
--- /dev/null
+++ b/docs/changelog/112989.yaml
@@ -0,0 +1,5 @@
+pr: 112989
+summary: Upgrade Bouncy Castle FIPS dependencies
+area: Security
+type: upgrade
+issues: []
diff --git a/docs/reference/security/fips-140-compliance.asciidoc b/docs/reference/security/fips-140-compliance.asciidoc
index 5bf73d43541d6..dec17927e62b8 100644
--- a/docs/reference/security/fips-140-compliance.asciidoc
+++ b/docs/reference/security/fips-140-compliance.asciidoc
@@ -53,8 +53,8 @@ https://docs.oracle.com/en/java/javase/17/security/java-cryptography-architectur
https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html[JSSE] implementation is required
so that the JVM uses FIPS validated implementations of NIST recommended cryptographic algorithms.
-Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.4/bc-fips-1.0.2.4.jar[bc-fips 1.0.2.4]
-and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.17/bctls-fips-1.0.17.jar[bctls-fips 1.0.17].
+Elasticsearch has been tested with Bouncy Castle's https://repo1.maven.org/maven2/org/bouncycastle/bc-fips/1.0.2.5/bc-fips-1.0.2.5.jar[bc-fips 1.0.2.5]
+and https://repo1.maven.org/maven2/org/bouncycastle/bctls-fips/1.0.19/bctls-fips-1.0.19.jar[bctls-fips 1.0.19].
Please refer to the {es}
https://www.elastic.co/support/matrix#matrix_jvm[JVM support matrix] for details on which combinations of JVM and security provider are supported in FIPS mode. Elasticsearch does not ship with a FIPS certified provider. It is the responsibility of the user
to install and configure the security provider to ensure compliance with FIPS 140-2. Using a FIPS certified provider will ensure that only
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 0a5dd466ea907..2dfb9276ed6de 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -3243,14 +3243,14 @@
-
-
-
+
+
+
-
-
-
+
+
+
@@ -3288,9 +3288,9 @@
-
-
-
+
+
+
diff --git a/plugins/discovery-ec2/build.gradle b/plugins/discovery-ec2/build.gradle
index d9e86315d9468..14ef9e1384236 100644
--- a/plugins/discovery-ec2/build.gradle
+++ b/plugins/discovery-ec2/build.gradle
@@ -77,6 +77,7 @@ tasks.register("writeTestJavaPolicy") {
"permission java.security.SecurityPermission \"getProperty.jdk.tls.disabledAlgorithms\";",
"permission java.security.SecurityPermission \"getProperty.jdk.certpath.disabledAlgorithms\";",
"permission java.security.SecurityPermission \"getProperty.keystore.type.compat\";",
+ "permission java.security.SecurityPermission \"getProperty.org.bouncycastle.ec.max_f2m_field_size\";",
"};"
].join("\n")
)
diff --git a/test/test-clusters/src/main/resources/fips/fips_java.policy b/test/test-clusters/src/main/resources/fips/fips_java.policy
index c259b0bc908d8..781e1247db7a5 100644
--- a/test/test-clusters/src/main/resources/fips/fips_java.policy
+++ b/test/test-clusters/src/main/resources/fips/fips_java.policy
@@ -5,6 +5,7 @@ grant {
permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+ permission java.security.SecurityPermission "getProperty.org.bouncycastle.ec.max_f2m_field_size";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.util.PropertyPermission "java.runtime.name", "read";
permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
@@ -20,6 +21,6 @@ grant {
};
// rely on the caller's socket permissions, the JSSE TLS implementation here is always allowed to connect
-grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.17.jar" {
+grant codeBase "file:${jdk.module.path}/bctls-fips-1.0.19.jar" {
permission java.net.SocketPermission "*", "connect";
};
diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle
index fb4acb0055a8c..9aebbd1a051b1 100644
--- a/x-pack/plugin/core/build.gradle
+++ b/x-pack/plugin/core/build.gradle
@@ -65,7 +65,7 @@ dependencies {
testImplementation project(path: ':modules:rest-root')
testImplementation project(path: ':modules:health-shards-availability')
// Needed for Fips140ProviderVerificationTests
- testCompileOnly('org.bouncycastle:bc-fips:1.0.2.4')
+ testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')
testImplementation(project(':x-pack:license-tools')) {
transitive = false
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
index bbf80279b0b2a..60db8b6522518 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ssl/RestrictedTrustManagerTests.java
@@ -218,7 +218,7 @@ public void testThatDelegateTrustManagerIsRespected() throws Exception {
if (cert.endsWith("/ca")) {
assertTrusted(trustManager, cert);
} else {
- assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to find certificate chain." : "PKIX path building failed.*");
+ assertNotValid(trustManager, cert, inFipsJvm() ? "Unable to construct a valid chain" : "PKIX path building failed.*");
}
}
}
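Review bot: The FIPS-branch expectation on L154 replaces `Unable to find certificate chain.` with `Unable to construct a valid chain`, SslClientAuthenticationTests (L167) makes the same replacement, but SimpleSecurityNetty4ServerTransportTests (L179–L184) keeps both strings in an `anyOf`; the three should agree. Either the provider can still emit the old wording on some path, in which case the first two assertions are brittle, or it cannot, in which case the third carries a dead alternative that hides a future message change. A shared constant in the test framework, e.g. `static final String FIPS_NO_CHAIN_MESSAGE = "Unable to construct a valid chain";`, referenced from all three tests would make the next Bouncy Castle upgrade a single edit. The enclosing testThatDelegateTrustManagerIsRespected starts outside the hunk.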
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java
index bc01b0693af0a..2851af1461012 100644
--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/ssl/SslClientAuthenticationTests.java
@@ -107,7 +107,7 @@ public void testThatHttpFailsWithoutSslClientAuth() throws IOException {
if (inFipsJvm()) {
Throwable t = ExceptionsHelper.unwrap(e, CertificateException.class);
assertThat(t, instanceOf(CertificateException.class));
- assertThat(t.getMessage(), containsString("Unable to find certificate chain"));
+ assertThat(t.getMessage(), containsString("Unable to construct a valid chain"));
} else {
Throwable t = ExceptionsHelper.unwrap(e, CertPathBuilderException.class);
assertThat(t, instanceOf(CertPathBuilderException.class));
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java
index 888e858f2b039..771454a638558 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SimpleSecurityNetty4ServerTransportTests.java
@@ -571,7 +571,11 @@ public void testClientChannelUsesSeparateSslConfigurationForRemoteCluster() thro
final ConnectTransportException e = openConnectionExpectFailure(qcService, node, connectionProfile);
assertThat(
e.getRootCause().getMessage(),
- anyOf(containsString("unable to find valid certification path"), containsString("Unable to find certificate chain"))
+ anyOf(
+ containsString("unable to find valid certification path"),
+ containsString("Unable to find certificate chain"),
+ containsString("Unable to construct a valid chain")
+ )
);
}