From 393a50a8eac06d22108f02d88e0b5afe140db21e Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Sat, 27 Feb 2021 13:15:54 -0800
Subject: [PATCH 1/6] Make Bookkeeper FIPS compliant by default
---
 bin/bookkeeper | 1 +
 bookkeeper-server/pom.xml | 6 +-----
 .../org/apache/bookkeeper/tls/TLSContextFactory.java | 2 +-
 pom.xml | 10 +++-------
 stream/common/pom.xml | 4 ++++
 5 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/bin/bookkeeper b/bin/bookkeeper
index ddaae2286e8..78f77147e4c 100755
--- a/bin/bookkeeper
+++ b/bin/bookkeeper
@@ -146,6 +146,7 @@ GC_OPTS=$(build_bookie_jvm_opts ${BOOKIE_LOG_DIR} "gc_%p.log")
 NETTY_OPTS=$(build_netty_opts)
 LOGGING_OPTS=$(build_logging_opts ${BOOKIE_LOG_CONF} ${BOOKIE_LOG_DIR} ${BOOKIE_LOG_FILE} ${BOOKIE_ROOT_LOGGER})
+BOOKIE_EXTRA_OPTS=$(BOOKIE_EXTRA_OPTS) "-Dorg.bouncycastle.fips.approved_only=true"
 OPTS="${OPTS} -cp ${BOOKIE_CLASSPATH} ${BOOKIE_OPTS} ${GC_OPTS} ${NETTY_OPTS} ${LOGGING_OPTS} ${BOOKIE_EXTRA_OPTS}"
 # Create log dir if it doesn't exist
diff --git a/bookkeeper-server/pom.xml b/bookkeeper-server/pom.xml
index 5792ff76b62..e618feae2cf 100644
--- a/bookkeeper-server/pom.xml
+++ b/bookkeeper-server/pom.xml
@@ -102,11 +102,7 @@
 org.bouncycastle
- bcpkix-jdk15on
-
-
- org.bouncycastle
- bcprov-ext-jdk15on
+ bc-fips
 com.beust
diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java
index a9734862429..29dbd143a53 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java
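Review bot: The added BOOKIE_EXTRA_OPTS line never sets the FIPS approved-only flag: `$(BOOKIE_EXTRA_OPTS)` is command substitution (it tries to run a command called BOOKIE_EXTRA_OPTS), and the space before the quoted string makes the shell parse `BOOKIE_EXTRA_OPTS=` as a temporary environment assignment for a command named `-Dorg.bouncycastle.fips.approved_only=true`. The result is either an aborted script (if this file runs under set -e) or, more likely, two "command not found" messages and a BOOKIE_EXTRA_OPTS that keeps whatever value it had, so the JVM on the next line starts without the property and the provider does not run in approved-only mode even though the commit title says FIPS is on by default. It should read `BOOKIE_EXTRA_OPTS="${BOOKIE_EXTRA_OPTS} -Dorg.bouncycastle.fips.approved_only=true"`, which also preserves any extra options the operator passed in. A comment above it, `# approved_only is the switch for BC FIPS approved-only mode; nothing in the Java code sets it`, would keep the next editor from dropping it as an unexplained flag.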
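Review bot: bcpkix-jdk15on is removed here with only bc-fips in its place, and bc-fips is the provider jar alone; the PKIX/PEM/CMS API that bcpkix supplied is published by the FIPS line as a separate artifact, `bcpkix-fips`. Whether bookkeeper-server compiles against that API is not visible from this hunk, but if anything under tls/ imports org.bouncycastle.openssl or org.bouncycastle.pkcs classes it will break once the old jar is gone, so that should be checked before merging. The same substitution is made in the root pom.xml dependencyManagement hunk; an XML comment next to the bc-fips entry, `<!-- FIPS provider: the non-FIPS bcprov/bcpkix jars must stay off the classpath (see exclusions) -->`, would record the intent that patch 3 enforces by exclusion for the next dependency upgrade.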
@@ -60,7 +60,7 @@ public class TLSContextFactory implements SecurityHandlerFactory {
 static {
 // Fixes loading PKCS8Key file: https://stackoverflow.com/a/18912362
- java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
+ java.security.Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
 }
 /**
diff --git a/pom.xml b/pom.xml
index 389f1715926..652cf6d74a6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,7 +123,8 @@
 2.6
 3.6
 2.4
- 1.60
+ 1.0.2
+ 1.0.2
 5.1.0
 3.2.5
 0.5.4
@@ -302,12 +303,7 @@
 org.bouncycastle
- bcpkix-jdk15on
- ${bouncycastle.version}
-
-
- org.bouncycastle
- bcprov-ext-jdk15on
+ bc-fips
 ${bouncycastle.version}
diff --git a/stream/common/pom.xml b/stream/common/pom.xml
index 03622200323..2fe3a91c9a8 100644
--- a/stream/common/pom.xml
+++ b/stream/common/pom.xml
@@ -44,6 +44,10 @@
 io.grpc
 grpc-netty-shaded
+
+ org.bouncycastle
+ bcpkix-jdk15on
+
From 96a630e4d1caecbc26fd371cedb4b6e6106f8d78 Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Sat, 27 Feb 2021 13:50:00 -0800
Subject: [PATCH 2/6] Add LICENSE entry
---
 bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 199db5c93a7..5df908d0b32 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
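Review bot: `Security.addProvider` appends the provider at the lowest priority, so for any algorithm the JDK's own providers also implement (TLS via SunJSSE, the default KeyStore, SecureRandom, ...) the JCA will still resolve to the JDK implementation rather than BCFIPS unless the call site names the provider explicitly; the rest of TLSContextFactory is outside this hunk, so that may be handled elsewhere, but if it is not, swapping the provider class does not by itself route the bookie's crypto through the validated module. If the intent is to prefer BCFIPS, `Security.insertProviderAt(new BouncyCastleFipsProvider(), 1)` is the call to consider, together with a test that asserts which provider the TLS key material actually resolves to. The comment above the line still cites the non-FIPS PKCS8 workaround; I would replace it with `// Registers the BC FIPS provider (appended, lowest priority). Approved-only mode is enabled by -Dorg.bouncycastle.fips.approved_only=true at JVM start, not here.`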
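Review bot: The four added lines in stream/common/pom.xml have the shape of a new `<dependency>` on bcpkix-jdk15on (two wrapper tags plus groupId and artifactId), not an exclusion; the tags are stripped in this rendering so this is inferred from line counts, but the etcd hunk in patch 3 adds six lines, which is the `<exclusions>`/`<exclusion>` shape, while stream/tests-common in patch 3 again adds four. If that reading is right, the non-FIPS bcpkix jar and its bcprov dependency are pulled straight back onto the stream classpath next to bc-fips, which is the opposite of what the series' patch 3 is trying to do. Per-module exclusions are also fragile: the next transitive dependency that drags in bcprov-jdk15on reintroduces it silently, so if the build already runs maven-enforcer, a `bannedDependencies` rule for `org.bouncycastle:bcprov-*` and `org.bouncycastle:bcpkix-jdk15on` would turn that into a build failure. Each exclusion should also carry `<!-- non-FIPS BouncyCastle must not coexist with bc-fips -->` so its purpose survives the next dependency cleanup.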
@@ -652,9 +652,7 @@ This product bundles the bouncycastle Library.
 For license details, see deps/bouncycastle-1.60/LICENSE.html
 Bundled as
- - lib/org.bouncycastle-bcpkix-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-ext-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-jdk15on-1.60.jar
+ - lib/org.bouncycastle-bc-fips-1.0.2.jar
 ------------------------------------------------------------------------------------
 This product uses the annotations from The Checker Framework, which are licensed under
 MIT License. For details, see deps/checker-qual-3.5.0/LICENSE
From 5cd1021fbcbe2d27a4a8be9d0be148e587bd5d52 Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Mon, 1 Mar 2021 21:19:38 -0800
Subject: [PATCH 3/6] Exclude non-fips BwouncyCastle
---
 metadata-drivers/etcd/pom.xml | 6 ++++++
 stream/tests-common/pom.xml | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/metadata-drivers/etcd/pom.xml b/metadata-drivers/etcd/pom.xml
index 27430ef5b07..ad6daa51985 100644
--- a/metadata-drivers/etcd/pom.xml
+++ b/metadata-drivers/etcd/pom.xml
@@ -49,6 +49,12 @@
 io.grpc
 grpc-all
 ${grpc.version}
+
+
+ org.bouncycastle
+ bcpkix-jdk15on
+
+
diff --git a/stream/tests-common/pom.xml b/stream/tests-common/pom.xml
index a0eff7f637a..3abf63dd087 100644
--- a/stream/tests-common/pom.xml
+++ b/stream/tests-common/pom.xml
@@ -36,6 +36,10 @@
 io.grpc
 grpc-netty-shaded
+
+ org.bouncycastle
+ bcpkix-jdk15on
+
From dfd79aa7a0399855d098d18905e99185e0abad35 Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Mon, 1 Mar 2021 21:21:46 -0800
Subject: [PATCH 4/6] Remove duplicate line
---
 pom.xml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 652cf6d74a6..33a3d02de35 100644
--- a/pom.xml
+++ b/pom.xml
@@ -124,7 +124,6 @@
 3.6
 2.4
 1.0.2
- 1.0.2
 5.1.0
 3.2.5
 0.5.4
From b74f0f66a6884f78924c95656aef70f0e438a2dc Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Mon, 1 Mar 2021 21:43:32 -0800
Subject: [PATCH 5/6] Add details to LICENSE files
---
 bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt | 6 ++----
 bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt | 6 ++----
 bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt | 2 +-
 .../{bouncycastle-1.60 => bouncycastle-1.0.2}/LICENSE.html | 0
 4 files changed, 5 insertions(+), 9 deletions(-)
 rename bookkeeper-dist/src/main/resources/deps/{bouncycastle-1.60 => bouncycastle-1.0.2}/LICENSE.html (100%)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 44741b2b992..7273c245177 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -657,12 +657,10 @@ Bundled as
 Source available at https://github.com/googleapis/google-auth-library-java/releases/tag/v0.20.0
 ------------------------------------------------------------------------------------
 This product bundles the bouncycastle Library.
-For license details, see deps/bouncycastle-1.60/LICENSE.html
+For license details, see deps/bouncycastle-1.0.2/LICENSE.html
 Bundled as
- - lib/org.bouncycastle-bcpkix-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-ext-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-jdk15on-1.60.jar
+ - lib/org.bouncycastle-bc-fips-1.0.2.jar
 ------------------------------------------------------------------------------------
 This product uses the annotations from The Checker Framework, which are licensed under
 MIT License. For details, see deps/checker-qual-3.5.0/LICENSE
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index 73cdc6ff443..9768deb5719 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -585,12 +585,10 @@ Bundled as
 Source available at https://github.com/google/google-auth-library-java/tree/0.20.0
 ------------------------------------------------------------------------------------
 This product bundles the bouncycastle Library.
-For license details, see deps/bouncycastle-1.60/LICENSE.html
+For license details, see deps/bouncycastle-1.0.2/LICENSE.html
 Bundled as
- - lib/org.bouncycastle-bcpkix-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-ext-jdk15on-1.60.jar
- - lib/org.bouncycastle-bcprov-jdk15on-1.60.jar
+ - lib/org.bouncycastle-bc-fips-1.0.2.jar
 ------------------------------------------------------------------------------------
 This product uses the annotations from The Checker Framework, which are licensed under
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 5df908d0b32..4311a9498db 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -649,7 +649,7 @@ Bundled as
 Source available at https://github.com/googleapis/google-auth-library-java/releases/tag/v0.20.0
 ------------------------------------------------------------------------------------
 This product bundles the bouncycastle Library.
-For license details, see deps/bouncycastle-1.60/LICENSE.html
+For license details, see deps/bouncycastle-1.0.2/LICENSE.html
 Bundled as
 - lib/org.bouncycastle-bc-fips-1.0.2.jar
diff --git a/bookkeeper-dist/src/main/resources/deps/bouncycastle-1.60/LICENSE.html b/bookkeeper-dist/src/main/resources/deps/bouncycastle-1.0.2/LICENSE.html
similarity index 100%
rename from bookkeeper-dist/src/main/resources/deps/bouncycastle-1.60/LICENSE.html
rename to bookkeeper-dist/src/main/resources/deps/bouncycastle-1.0.2/LICENSE.html
From fe45f8f52ba24706ba9b9226b73953b93ef3cefa Mon Sep 17 00:00:00 2001
From: Ghatage
Date: Tue, 2 Mar 2021 11:19:46 -0800
Subject: [PATCH 6/6] Package LICENSE for bc fips
---
 bookkeeper-dist/src/assemble/bin-all.xml | 2 +-
 bookkeeper-dist/src/assemble/bin-server.xml | 2 +-
 bookkeeper-dist/src/assemble/bkctl.xml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bookkeeper-dist/src/assemble/bin-all.xml b/bookkeeper-dist/src/assemble/bin-all.xml
index 495702f449b..aa4d58bf9d5 100644
--- a/bookkeeper-dist/src/assemble/bin-all.xml
+++ b/bookkeeper-dist/src/assemble/bin-all.xml
@@ -57,7 +57,7 @@
 checker-qual-3.5.0/LICENSE
 google-auth-library-credentials-0.20.0/LICENSE
 javax.servlet-api-4.0.0/CDDL+GPL-1.1
- bouncycastle-1.60/LICENSE.html
+ bouncycastle-1.0.2/LICENSE.html
 jsr-305/LICENSE
 netty-4.1.50.Final/*
 paranamer-2.8/LICENSE.txt
diff --git a/bookkeeper-dist/src/assemble/bin-server.xml b/bookkeeper-dist/src/assemble/bin-server.xml
index c381b70ef13..f54f1e59ce9 100644
--- a/bookkeeper-dist/src/assemble/bin-server.xml
+++ b/bookkeeper-dist/src/assemble/bin-server.xml
@@ -53,7 +53,7 @@
 google-auth-library-credentials-0.20.0/LICENSE
 javax.servlet-api-4.0.0/CDDL+GPL-1.1
 netty-4.1.50.Final/*
- bouncycastle-1.60/LICENSE.html
+ bouncycastle-1.0.2/LICENSE.html
 protobuf-3.14.0/LICENSE
 protobuf-3.12.0/LICENSE
 slf4j-1.7.25/LICENSE.txt
diff --git a/bookkeeper-dist/src/assemble/bkctl.xml b/bookkeeper-dist/src/assemble/bkctl.xml
index 8cdd408536a..84022e771d9 100644
--- a/bookkeeper-dist/src/assemble/bkctl.xml
+++ b/bookkeeper-dist/src/assemble/bkctl.xml
@@ -67,7 +67,7 @@
 checker-qual-3.5.0/LICENSE
 google-auth-library-credentials-0.20.0/LICENSE
 netty-4.1.50.Final/*
- bouncycastle-1.60/LICENSE.html
+ bouncycastle-1.0.2/LICENSE.html
 protobuf-3.14.0/LICENSE
 protobuf-3.12.0/LICENSE
 slf4j-1.7.25/LICENSE.txt