Skip to content

Add BCFKS keystore generation utilities#6087

Open
beanuwave wants to merge 2 commits intoopensearch-project:mainfrom
sternadsoftware:document_store_creation
Open

Add BCFKS keystore generation utilities#6087
beanuwave wants to merge 2 commits intoopensearch-project:mainfrom
sternadsoftware:document_store_creation

Conversation

@beanuwave
Copy link
Copy Markdown
Contributor

@beanuwave beanuwave commented Apr 13, 2026
edited
Loading

Description

This PR includes documentation and utilities on how BCFKS keystores and truststore where created for #6059

The script log should look like this 
❯ env BC_FIPS_JAR=/home/iigonin/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bc-fips/2.1.2/61fbe8383f70489dda95a11a2a4739eb818ff2c/bc-fips-2.1.2.jar ./src/test/resources/bcfks-generation/generate_bcfks_keystores.sh
=== Converting JKS-only keystores ===
OK  /home/iigonin/workspace/securitySternad/src/test/resources/cache/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/cache/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/cache/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/cache/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/cache/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/cache/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/cache/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/cache/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/dlsfls/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/jwt/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/jwt/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/jwt/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/jwt/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/jwt/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/jwt/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/jwt/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/jwt/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ldap/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ldap/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ldap/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ldap/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ldap/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ldap/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ldap/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ldap/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/migration/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/migration/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/migration/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/migration/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/migration/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/migration/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/migration/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/migration/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/multitenancy/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/restapi/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/restapi/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/restapi/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/restapi/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/restapi/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/restapi/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/restapi/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/restapi/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sanity-tests/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sanity-tests/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/extended_key_usage/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/extended_key_usage/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/extended_key_usage/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/extended_key_usage/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/reload/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_fail.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_fail.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_invalid.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_invalid.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_valid.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/truststore_valid.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/kirk-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/node-0-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/node-1-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/node-1-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/node-2-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/node-2-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/spock-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/truststore_fail.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/truststore_fail.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/truststore_fail.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/truststore_fail.bcfks

=== Converting PKCS12 keystores (preferred source for shared base names) ===
OK  /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/kirk-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/node-0-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/spock-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/auditlog/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/kirk-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/kirk-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-0-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-0-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-1-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-1-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-2-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-2-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/spock-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/spock-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-untspec5-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/ssl/node-untspec5-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/node-untspec5-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/node-untspec5-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/node-untspec6-keystore.p12 -> /home/iigonin/workspace/securitySternad/src/test/resources/node-untspec6-keystore.bcfks

=== Converting sslConfigurator keystores (password: secret) ===
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/node1-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/node1-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/other-root-ca.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/other-root-ca.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/jks/truststore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/node-wrong-hostname-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/node1-keystore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/node1-keystore.bcfks
OK  /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/truststore.jks -> /home/iigonin/workspace/securitySternad/src/test/resources/sslConfigurator/pem/truststore.bcfks

Done. 64 BCFKS files written alongside their source keystores.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@iigonin @bennygoerzig @KarstenSchnitter
Add BCFKS keystore generation utilities
a803457 
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Co-authored-by: Benny Goerzig <benny.goerzig@sap.com>
Co-authored-by: Karsten Schnitter <k.schnitter@sap.com>
Co-authored-by: Kai Sternad <k.sternad@sternad.de>
@cwperks
Copy link
Copy Markdown
Member

cwperks commented Apr 13, 2026

@beanuwave is it not possible to use java's keytool for this?

i.e.

keytool -genkeypair \
  -alias mykey \
  -keyalg RSA \
  -keysize 2048 \
  -sigalg SHA256withRSA \
  -keystore mykeystore.bcfks \
  -storetype BCFKS \
  -storepass changeit \
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
  -providerpath bc-fips-2.1.2.jar

@beanuwave
Copy link
Copy Markdown
Contributor Author

beanuwave commented Apr 14, 2026
edited
Loading

@beanuwave is it not possible to use java's keytool for this?

@cwperks
Migrating legacy keystores to BCFKS is absolutely possible, with the caveat being the amount of effort and complexity involved.

For example, consider a legacy JKS keystore using RSA-1024 and PBE-SHA1-3DES. Migrating it using command-line tools alone would require re-keying and re-issuing the certificate. Since RSA-1024 is outright rejected by FIPS and the weak PBE scheme prevents FIPS-mode tooling from unwrapping the private key - then repackaging into PKCS12 with FIPS-safe ciphers, and finally importing into BCFKS format that requires CA access:

  #!/usr/bin/env bash
  # Example: migrate a legacy JKS (RSA-1024 + PBE-SHA1-3DES) to BCFKS
  #
  # Assumptions:
  #   - alias in the source JKS is "node"
  #   - CA cert + key are available (needed to re-sign since key changes)
  #   - bc-fips JAR path is in BC_FIPS_JAR

  set -euo pipefail

  ALIAS="node"
  OLD_JKS="old.jks"
  STORE_PASS="changeit"
  CA_CERT="root-ca.pem"
  CA_KEY="root-ca-key.pem"

  # 1. Export old JKS to PKCS12 using the SUN provider (no FIPS enforcement yet)
  keytool -importkeystore \
    -srckeystore  "$OLD_JKS"   -srcstoretype  JKS    -srcstorepass  "$STORE_PASS" \
    -destkeystore old.p12      -deststoretype PKCS12 -deststorepass "$STORE_PASS" \
    -noprompt

  # 2. Extract the old cert to reuse its subject / SANs
  openssl pkcs12 -in old.p12 -passin pass:"$STORE_PASS" -clcerts -nokeys -out old-cert.pem

  SUBJECT=$(openssl x509 -in old-cert.pem -noout -subject -nameopt compat | sed 's/^subject=//')
  SANS=$(openssl x509 -in old-cert.pem -noout -ext subjectAltName \
         | grep -v "Subject Alt" | tr -d ' ')

  # 3. Generate a new RSA-2048 key (replaces the weak RSA-1024)
  openssl genrsa -out new-key.pem 2048

  # 4. Create a CSR preserving the original subject and SANs
  openssl req -new -key new-key.pem -subj "$SUBJECT" \
    -addext "subjectAltName=$SANS" -out new.csr

  # 5. Re-sign with the CA (certificate must be reissued because the key changed)
  openssl x509 -req -in new.csr \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 3650 -sha256 \
    -copy_extensions copy \
    -out new-cert.pem

  # 6. Bundle new key + cert into PKCS12 with a FIPS-safe cipher
  openssl pkcs12 -export \
    -in new-cert.pem -inkey new-key.pem \
    -certfile "$CA_CERT" \
    -name "$ALIAS" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg SHA256 \
    -passout pass:"$STORE_PASS" \
    -out new.p12

  # 7. Import into BCFKS using the BouncyCastle FIPS provider
  keytool -importkeystore \
    -srckeystore  new.p12  -srcstoretype  PKCS12 -srcstorepass  "$STORE_PASS" \
    -destkeystore new.bcfks -deststoretype BCFKS -deststorepass "$STORE_PASS" \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
    -providerpath "$BC_FIPS_JAR" \
    -noprompt

Given that we have 64 key/trust stores, which are only partially documented (only 3 out of 13 test directories include a README), I decided to take a different approach and handle the re-import in java. This also allows validating key strength upfront and failing fast with a clear error if material is encountered that FIPS would later reject at runtime.

EDIT: This is also more future-proof: any change to the conversion logic - such as enforcing a minimum key strength - requires a single code change rather than hunting down and updating every README across the repository.

@cwperks
Copy link
Copy Markdown
Member

cwperks commented May 6, 2026

@beanuwave can we also capture in a github issue that this script should have a sibling batch script?

Other comment is that I think we can be assured that bc-fips jar is around in the OpenSearch installation now since its provided by the core under lib/ so maybe the bash script can be simplified accordingly?

@iigonin @bennygoerzig @KarstenSchnitter
Include Windows bat script
e29708d 
Signed-off-by: Iwan Igonin <iigonin@sternad.de>
Co-authored-by: Benny Goerzig <benny.goerzig@sap.com>
Co-authored-by: Karsten Schnitter <k.schnitter@sap.com>
Co-authored-by: Kai Sternad <k.sternad@sternad.de>
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 7, 2026

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🧪 No relevant tests
🔒 Security concerns

Sensitive information exposure:
Keystore passwords (e.g., changeit, secret) are passed as plain-text command-line arguments in both the shell script and batch script. On shared systems, these passwords can be exposed via process listings. While these appear to be test/development credentials, it is still a concern if these scripts are used in CI environments where process output may be logged.

✅ No TODO sections
🔀 No multiple PR themes
⚡ Recommended focus areas for review

No Cleanup on Failure

The batch script creates a temporary directory CONVERT_DIR but only cleans it up at the end of the script. If any of the java conversion commands fail mid-loop, the script continues (no error checking per iteration) and the temp directory may not be cleaned up if the script is interrupted. Unlike the shell script which uses trap for cleanup, the batch script has no equivalent error-handling for mid-execution failures.

 
set CONVERT_DIR=%TEMP%\bcfks-convert-%RANDOM%
mkdir "%CONVERT_DIR%"

javac -cp "%BC_FIPS%" "%SCRIPT_DIR%ConvertKeystore.java" -d "%CONVERT_DIR%"
if errorlevel 1 (
    echo ERROR: Compilation failed. >&2
    rmdir /s /q "%CONVERT_DIR%"
    exit /b 1
)

set CONVERTED=0

:: ── JKS-only keystores ────────────────────────────────────────────────────────

echo === Converting JKS-only keystores ===

for %%F in (
    cache\kirk-keystore.jks
    cache\node-0-keystore.jks
    cache\spock-keystore.jks
    cache\truststore.jks
    dlsfls\kirk-keystore.jks
    dlsfls\node-0-keystore.jks
    dlsfls\spock-keystore.jks
    dlsfls\truststore.jks
    jwt\kirk-keystore.jks
    jwt\node-0-keystore.jks
    jwt\spock-keystore.jks
    jwt\truststore.jks
    ldap\kirk-keystore.jks
    ldap\node-0-keystore.jks
    ldap\spock-keystore.jks
    ldap\truststore.jks
    migration\kirk-keystore.jks
    migration\node-0-keystore.jks
    migration\spock-keystore.jks
    migration\truststore.jks
    multitenancy\kirk-keystore.jks
    multitenancy\node-0-keystore.jks
    multitenancy\spock-keystore.jks
    multitenancy\truststore.jks
    restapi\kirk-keystore.jks
    restapi\node-0-keystore.jks
    restapi\spock-keystore.jks
    restapi\truststore.jks
    sanity-tests\kirk-keystore.jks
    ssl\extended_key_usage\node-0-keystore.jks
    ssl\extended_key_usage\truststore.jks
    ssl\reload\kirk-keystore.jks
    ssl\reload\spock-keystore.jks
    ssl\reload\truststore.jks
    ssl\truststore.jks
    ssl\truststore_fail.jks
    ssl\truststore_invalid.jks
    ssl\truststore_valid.jks
    auditlog\truststore.jks
    auditlog\truststore_fail.jks
    kirk-keystore.jks
    node-0-keystore.jks
    node-1-keystore.jks
    node-2-keystore.jks
    spock-keystore.jks
    truststore.jks
    truststore_fail.jks
) do (
    set SRC=%RESOURCES%\%%F
    set DEST=!SRC:.jks=.bcfks!
    java --enable-native-access=ALL-UNNAMED -cp "%CONVERT_DIR%;%BC_FIPS%" ConvertKeystore "!SRC!" JKS changeit "!DEST!" changeit
    set /a CONVERTED+=1
)

:: ── PKCS12 keystores ──────────────────────────────────────────────────────────

echo.
echo === Converting PKCS12 keystores (preferred source for shared base names) ===

for %%F in (
    auditlog\kirk-keystore.p12
    auditlog\node-0-keystore.p12
    auditlog\spock-keystore.p12
    ssl\kirk-keystore.p12
    ssl\node-0-keystore.p12
    ssl\node-1-keystore.p12
    ssl\node-2-keystore.p12
    ssl\spock-keystore.p12
    ssl\node-untspec5-keystore.p12
    node-untspec5-keystore.p12
    node-untspec6-keystore.p12
) do (
    set SRC=%RESOURCES%\%%F
    set DEST=!SRC:.p12=.bcfks!
    java --enable-native-access=ALL-UNNAMED -cp "%CONVERT_DIR%;%BC_FIPS%" ConvertKeystore "!SRC!" PKCS12 changeit "!DEST!" changeit
    set /a CONVERTED+=1
)

:: ── sslConfigurator keystores (password: secret) ──────────────────────────────

echo.
echo === Converting sslConfigurator keystores (password: secret) ===

for %%F in (
    sslConfigurator\jks\node1-keystore.jks
    sslConfigurator\jks\other-root-ca.jks
    sslConfigurator\jks\truststore.jks
    sslConfigurator\pem\node-wrong-hostname-keystore.jks
    sslConfigurator\pem\node1-keystore.jks
    sslConfigurator\pem\truststore.jks
) do (
    set SRC=%RESOURCES%\%%F
    set DEST=!SRC:.jks=.bcfks!
    java --enable-native-access=ALL-UNNAMED -cp "%CONVERT_DIR%;%BC_FIPS%" ConvertKeystore "!SRC!" JKS secret "!DEST!" secret
    set /a CONVERTED+=1
)

echo.
echo Done. %CONVERTED% BCFKS files written alongside their source keystores.

rmdir /s /q "%CONVERT_DIR%"
Password in Args

Keystore passwords are passed as plain-text command-line arguments. On multi-user systems, these passwords may be visible to other users via process listing (e.g., ps aux). Consider reading passwords from environment variables or stdin instead.

 
public static void main(String[] args) throws Exception {
    if (args.length < 4) {
        System.err.println("Usage: ConvertKeystore <srcFile> <srcType> <srcPass> <destFile> [destPass]");
        System.exit(1);
    }
    String srcFile = args[0];
    String srcType = args[1];
    String srcPass = args[2];
    String destFile = args[3];
    String destPass = args.length > 4 ? args[4] : srcPass;
Comment Mismatch

Lines 103-104 contain a misleading comment: # auditlog/ JKS files intentionally omitted: PKCS12 counterparts exist immediately followed by adding auditlog/truststore.jks and auditlog/truststore_fail.jks to the JKS-only list. This contradicts the comment and may cause confusion about whether these files should be converted from JKS or PKCS12.

 
  # auditlog/ JKS files intentionally omitted: PKCS12 counterparts exist
  auditlog/truststore.jks
  auditlog/truststore_fail.jks
)

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 7, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
General
Ensure temp directory cleanup on all exit paths

The batch script does not clean up CONVERT_DIR on failure paths after the mkdir
succeeds but before the rmdir at the end. If javac fails, the script exits early
with rmdir called, but if any java invocation fails mid-loop, the temp directory is
never cleaned up. Add a cleanup on error or use a final cleanup regardless of exit
path, similar to the trap in the shell script.

src/test/resources/bcfks-generation/generate_bcfks_keystores.bat [28-29]

 set CONVERT_DIR=%TEMP%\bcfks-convert-%RANDOM%
 mkdir "%CONVERT_DIR%"
+:: Register cleanup on exit via a label-based goto pattern or ensure rmdir is always called
Suggestion importance[1-10]: 4

__

Why: The improved_code only adds a comment without actually implementing cleanup logic, making it not a concrete fix. The concern about temp directory leaks is valid but the suggestion doesn't provide a real solution, and the set -euo pipefail equivalent in batch is limited anyway.

Low
Improve argument count check readability

The condition args.length > 4 checks for more than 4 elements, meaning args[4] is
only used when there are at least 5 arguments. Since args[4] is the 5th argument
(index 4), the correct check should be args.length > 4, which is actually correct.
However, the usage message says [destPass] is the 5th argument (index 4), so the
condition should be args.length >= 5 for clarity and correctness — args.length > 4
is equivalent but less readable and could mask off-by-one errors if the argument
count changes.

src/test/resources/bcfks-generation/ConvertKeystore.java [29]

-String destPass = args.length > 4 ? args[4] : srcPass;
+String destPass = args.length >= 5 ? args[4] : srcPass;
Suggestion importance[1-10]: 3

__

Why: args.length > 4 and args.length >= 5 are functionally identical, so this is purely a readability improvement with no correctness impact. The suggestion is valid but offers only marginal benefit.

Low
Remove comment strings from bash array elements

The JKS_ONLY array contains inline comments (lines starting with #), but bash array
elements cannot be comments — these comment strings will be treated as actual array
values and passed to convert, causing failures when files like # sslConfigurator
keystores use password 'secret' – passed explicitly below are looked up. The [[
"$rel" =~ ^# ]] && continue guard handles this, but it's fragile. Consider removing
inline comments from the array entirely to avoid confusion.

src/test/resources/bcfks-generation/generate_bcfks_keystores.sh [109-112]

-for rel in "${JKS_ONLY[@]}"; do
-  [[ "$rel" =~ ^# ]] && continue
-  convert "$RESOURCES/$rel" JKS
-done
+# Remove comment entries from the array; document separately above the array declaration
+JKS_ONLY=(
+  cache/kirk-keystore.jks
+  ...
+  auditlog/truststore.jks
+  auditlog/truststore_fail.jks
+)
Suggestion importance[1-10]: 3

__

Why: The script already handles comment-like strings with [[ "$rel" =~ ^# ]] && continue, so this is not a bug. The suggestion is a style improvement, but the improved_code uses ... as a placeholder rather than showing the actual complete array, making it incomplete and potentially misleading.

Low

@codecov
Copy link
Copy Markdown

codecov Bot commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.83%. Comparing base (ca2aaf1) to head (e29708d).
⚠️ Report is 38 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #6087      +/-   ##
==========================================
+ Coverage   74.47%   74.83%   +0.35%     
==========================================
  Files         446      447       +1     
  Lines       28423    28470      +47     
  Branches     4331     4327       -4     
==========================================
+ Hits        21168    21305     +137     
+ Misses       5245     5173      -72     
+ Partials     2010     1992      -18

see 47 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cwperks cwperks Awaiting requested review from cwperks cwperks is a code owner

@DarshitChanpura DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@finnegancarroll finnegancarroll Awaiting requested review from finnegancarroll finnegancarroll is a code owner

@nibix nibix Awaiting requested review from nibix nibix is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@beanuwave @cwperks @iigonin