From a5cacc021ae1d7907753e3847e083da4efd403c2 Mon Sep 17 00:00:00 2001
From: Iwan Igonin
Date: Tue, 3 Mar 2026 14:16:10 +0100
Subject: [PATCH] build-tools

Signed-off-by: Igonin
Co-authored-by: Benny Goerzig
Co-authored-by: Karsten Schnitter
Co-authored-by: Kai Sternad

# Conflicts:
# build.gradle
---
 build.gradle              | 42 +++++++++++++++++++++++++++++++++++++++
 config/fips_java.security | 20 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 config/fips_java.security

diff --git a/build.gradle b/build.gradle
index bc83299361..13926e9431 100644
--- a/build.gradle
+++ b/build.gradle
@@ -13,6 +13,7 @@ import com.diffplug.gradle.spotless.JavaExtension
 import org.opensearch.gradle.info.FipsBuildParams
 import org.opensearch.gradle.test.RestIntegTestTask
+import org.opensearch.gradle.info.BuildParams
 import groovy.json.JsonBuilder
 
 buildscript {
@@ -241,6 +242,25 @@ task listTasksAsJSON {
     }
 }
 
+def configureFipsJvmArgs(Test task) {
+    if (BuildParams.isInFipsJvm()) {
+        def fipsSecurityFile = project.rootProject.file('config/fips_java.security')
+        task.jvmArgs += "-Djava.security.properties=${fipsSecurityFile}"
+        task.jvmArgs += "-Dorg.bouncycastle.fips.approved_only=true"
+        task.jvmArgs += "-Djavax.net.ssl.trustStore=/home/iigonin/install/opensearch-3.4.0-SNAPSHOT/config/opensearch-fips-truststore.bcfks"
+        task.jvmArgs += "-Djavax.net.ssl.trustStoreProvider=BCFIPS"
+        task.jvmArgs += "-Djavax.net.ssl.trustStoreType=BCFKS"
+        task.jvmArgs += "-Djavax.net.ssl.trustStorePassword=dtekVF0vEAA9FNvm#KMkTwMN"
+    }
+}
+
+def configureSecurityAdminTestJvmArgs(Test task) {
+    if (!BuildParams.isInFipsJvm()) {
+        def bcProviderFile = project.rootProject.file('config/fips_java.security')
+        task.jvmArgs += "-Djava.security.properties=${bcProviderFile}"
+    }
+}
+
 tasks.register('copyExtraTestResources', Copy.class) {
     dependsOn testClasses
 
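Review bot: `configureFipsJvmArgs` bakes a developer-machine truststore path (`/home/iigonin/install/opensearch-3.4.0-SNAPSHOT/config/opensearch-fips-truststore.bcfks`) and its password (`dtekVF0vEAA9FNvm#KMkTwMN`) into build.gradle, so a FIPS-JVM test run on any other host or in CI cannot open the truststore, and a credential is now committed to history. Both values should come from project properties or the environment with a fail-fast error when absent, as sketched below; the committed password should be rotated regardless, since dropping it from the patch does not remove it from git history. Passing the password as a `-D` argument still exposes it in process listings, so that trade-off deserves a comment rather than silence. Separately, both helpers apply the same `config/fips_java.security` in mutually exclusive `BuildParams.isInFipsJvm()` branches, so only `approved_only` and the truststore arguments differ; a one-line comment on `configureSecurityAdminTestJvmArgs` saying why a non-FIPS JVM also needs BCFIPS first in the provider list would help the next reader.
```groovy
def configureFipsJvmArgs(Test task) {
    if (BuildParams.isInFipsJvm()) {
        // Never commit the truststore location or its password: take both from
        // -Pfips.trustStore / -Pfips.trustStorePassword or the environment.
        def trustStore = project.findProperty('fips.trustStore') ?: System.getenv('OPENSEARCH_FIPS_TRUSTSTORE')
        def trustStorePassword = project.findProperty('fips.trustStorePassword') ?: System.getenv('OPENSEARCH_FIPS_TRUSTSTORE_PASSWORD')
        if (!trustStore || !trustStorePassword) {
            throw new GradleException('FIPS test run requires fips.trustStore and fips.trustStorePassword (or OPENSEARCH_FIPS_TRUSTSTORE / OPENSEARCH_FIPS_TRUSTSTORE_PASSWORD)')
        }
        // … unchanged: java.security.properties and approved_only arguments …
        task.jvmArgs += "-Djavax.net.ssl.trustStore=${trustStore}"
        // … unchanged: trustStoreProvider and trustStoreType arguments …
        // NOTE: a -D password is visible in `ps`; acceptable for test JVMs only.
        task.jvmArgs += "-Djavax.net.ssl.trustStorePassword=${trustStorePassword}"
    }
}
```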
@@ -270,6 +290,8 @@ def setCommonTestConfig(Test task) {
     // this is needed to reflect access system env map.
     task.jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
     task.jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED"
+    configureFipsJvmArgs(task)
+    configureSecurityAdminTestJvmArgs(task)
     task.retry {
         failOnPassedAfterRetry = false
         maxRetries = 5
@@ -303,6 +325,7 @@ test {
     // this is needed to reflect access system env map.
     jvmArgs += "--add-opens=java.base/java.io=ALL-UNNAMED"
     jvmArgs += "--add-opens=java.base/java.util=ALL-UNNAMED"
+    configureFipsJvmArgs(it)
     retry {
         failOnPassedAfterRetry = false
         maxRetries = 5
@@ -575,6 +598,7 @@ allprojects {
         integrationTestImplementation "org.apache.logging.log4j:log4j-jul:${versions.log4j}"
         integrationTestImplementation 'org.hamcrest:hamcrest:2.2'
         integrationTestImplementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+        integrationTestImplementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
         integrationTestImplementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
         integrationTestImplementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
         integrationTestImplementation('org.awaitility:awaitility:4.3.0') {
@@ -637,6 +661,7 @@ task integrationTest(type: Test) {
     systemProperty "java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager"
     testClassesDirs = sourceSets.integrationTest.output.classesDirs
     classpath = sourceSets.integrationTest.runtimeClasspath
+    configureFipsJvmArgs(it)
     //run the integrationTest task after the test task
     shouldRunAfter test
     jacoco {
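Review bot: In the `test {` hunk only `configureFipsJvmArgs(it)` is wired, while `setCommonTestConfig` in the preceding hunk adds both `configureFipsJvmArgs(task)` and `configureSecurityAdminTestJvmArgs(task)`, so on a non-FIPS JVM the plain `test` task (and `integrationTest` in the last hunk) runs with the JDK default provider order while the tasks that go through `setCommonTestConfig` get `config/fips_java.security`. If that asymmetry is intended, say so on the line, e.g. `configureFipsJvmArgs(it) // non-FIPS JVM keeps the default providers here; only securityadmin tests need BCFIPS first`; if not, add `configureSecurityAdminTestJvmArgs(it)` beside it. The call also relies on the implicit `it` of the task configuration closure; `tasks.named('test') { Test t -> configureFipsJvmArgs(t) }` makes the receiver explicit and survives a later conversion to lazy task configuration. The `test {` block starts before this hunk and continues past it.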
@@ -681,10 +706,12 @@ dependencies {
     // When building with -Pcrypto.standard=FIPS-140-3, bcFips jars are provided by OpenSearch
     if (FipsBuildParams.isInFipsMode()) {
         compileOnly "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+        compileOnly "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
         compileOnly "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
         compileOnly "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
     } else {
         implementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+        implementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
         implementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
         implementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
     }
@@ -796,6 +823,7 @@ dependencies {
         exclude(group: 'org.hamcrest', module: 'hamcrest')
     }
     testImplementation "org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"
+    testImplementation "org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"
     testImplementation "org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"
     testImplementation "org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}"
     // JUnit build requirement
@@ -835,6 +863,18 @@ tasks.register('testsJar', Jar) {
     from(sourceSets.test.output)
 }
 
+def configureSecurityAdminBcFips(AbstractArchiveTask task) {
+    def bcFipsJars = configurations.detachedConfiguration(
+        dependencies.create("org.bouncycastle:bc-fips:${versions.bouncycastle_jce}"),
+        dependencies.create("org.bouncycastle:bctls-fips:${versions.bouncycastle_tls}"),
+        dependencies.create("org.bouncycastle:bcpkix-fips:${versions.bouncycastle_pkix}"),
+        dependencies.create("org.bouncycastle:bcutil-fips:${versions.bouncycastle_util}")
+    )
+    task.from(bcFipsJars) {
+        into 'deps/'
+    }
+}
+
 task bundleSecurityAdminStandalone(dependsOn: jar, type: Zip) {
     archiveClassifier = 'securityadmin-standalone'
     from(configurations.runtimeClasspath) {
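Review bot: `configureSecurityAdminBcFips` copies the four BC FIPS jars into `deps/` unconditionally, yet in the non-FIPS build the same coordinates are `implementation` dependencies (first hunk on this page) and `bundleSecurityAdminStandalone` already pulls `configurations.runtimeClasspath` into the archive, so the archive presumably receives each BC jar twice under the same path — depending on the Gradle version that is a duplicate-entry warning or a failed archive task. Guarding the helper with `if (FipsBuildParams.isInFipsMode())` restricts the extra copy to the branch where the jars are `compileOnly` and therefore absent from `runtimeClasspath`; alternatively set `task.duplicatesStrategy = DuplicatesStrategy.EXCLUDE` on the archive. The detached configuration deliberately resolves these jars outside the project's declared configurations, and a comment such as `// ship BCFIPS with the standalone tool even when OpenSearch provides it at runtime (compileOnly in FIPS mode)` would record why. `bundleSecurityAdminStandalone` continues past the end of the hunk, so if its `from(configurations.runtimeClasspath)` block already excludes `org.bouncycastle` this is moot.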
@@ -850,6 +890,7 @@ task bundleSecurityAdminStandalone(dependsOn: jar, type: Zip) {
         into 'deps/securityconfig'
     }
 }
+configureSecurityAdminBcFips(bundleSecurityAdminStandalone)
 
 task bundleSecurityAdminStandaloneTarGz(dependsOn: jar, type: Tar) {
     archiveClassifier = 'securityadmin-standalone'
@@ -868,6 +909,7 @@ task bundleSecurityAdminStandaloneTarGz(dependsOn: jar, type: Tar) {
         into 'deps/securityconfig'
     }
 }
+configureSecurityAdminBcFips(bundleSecurityAdminStandaloneTarGz)
 
 buildRpm {
     arch = 'NOARCH'
diff --git a/config/fips_java.security b/config/fips_java.security
new file mode 100644
index 0000000000..2ad1770710
--- /dev/null
+++ b/config/fips_java.security
@@ -0,0 +1,20 @@
+# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in approved-only mode
+# Intended to be used complementary with a single equal sign e.g. 'java.security.properties=fips_java.security'
+
+security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
+security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
+security.provider.3=SUN
+security.provider.4=SunJGSS
+
+ssl.KeyManagerFactory.algorithm=PKIX
+ssl.TrustManagerFactory.algorithm=PKIX
+
+# Revocation via BCTLS TrustManager (covers all TLS including LDAPS)
+com.sun.net.ssl.checkRevocation=true
+
+# BC FIPS CertPath revocation mechanisms
+ocsp.enable=true
+org.bouncycastle.x509.enableCRLDP=true
+
+# OCSP stapling — request stapled response from server
+jdk.tls.client.enableStatusRequestExtension=true
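Review bot: The header says the providers are "in approved-only mode", but nothing in this file enforces that: `C:HYBRID;ENABLE{All};` enables every algorithm BCFIPS ships, and approved-only mode comes only from the `-Dorg.bouncycastle.fips.approved_only=true` argument that build.gradle adds in its FIPS-JVM branch, while the non-FIPS branch loads this same file without it. Reword line 1 to `# Security Properties for JDK 11+: BCFIPS first, BCJSSE delegating to BCFIPS; approved-only mode must be enabled separately via -Dorg.bouncycastle.fips.approved_only=true` so the file does not over-promise. The "single equal sign" remark on line 2 should spell out the consequence: with `java.security.properties=` (one `=`) this overlays rather than replaces the JDK's java.security, so only `security.provider.1`–`4` are overridden and the JDK's remaining numbered providers (SunRsaSign, SunEC, SunJSSE, …) presumably stay registered after them — confirm with `Security.getProviders()` and state whether that is intended. Enabling `com.sun.net.ssl.checkRevocation=true` together with OCSP and CRL-DP also changes how handshakes behave when a test certificate carries no revocation pointers or the responder is unreachable from CI; a comment recording whether revocation is expected to soft-fail and how that was verified against the test fixtures would help.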