z-kovacs opened a new pull request, #20542:
URL: https://github.com/apache/pulsar/pull/20542
Fixes #20373
### Motivation
If we configure Pulsar following the doc to use the BouncyCastle FIPS library instead of the default non-FIPS version, we receive a `ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider`, as the `MessageCryptoBc` implementation is not prepared to use the FIPS library API (way more restrictive).
BC FIPS has some restrictions:
- ECDSA keys cannot be used for either encryption or key wrapping, only RSA keys
- RSA keys can only be used for key wrapping, not encryption
- different API to manipulate ECDSA key loading/saving
### Modifications
I have lifted out the BC FIPS and non-FIPS related code from `MessageCryptoBc` into the already existing `bouncy-castle-bc` and `bouncy-castle-bcfips` modules, and created a `bouncy-castle-common` module with an interface definition and a dynamic loader of the implementation based on the security provider on the classpath.
`MessageCryptoBc` now accesses the BC version specific crypto functionality via the dynamically loaded delegate.
In non-FIPS mode we use the encrypt mode of ciphers to encrypt the data key (probably should be wrap, but the ECIES cipher does not support wrap). In FIPS mode you have to use wrap. So as of now it is not possible to unify the code to wrap the data key.
### Verifying this change
- [ ] Make sure that the change passes the CI checks.
This change added tests and can be verified as follows:
- *Added unit test for making sure key wrapping and encrypting are compatible for RSA keys*
- *Added unit test for making sure that encryption works end-to-end when only BC FIPS libraries are loaded*
### Does this pull request potentially affect one of the following parts:
*If the box was checked, please highlight the changes*
- [ ] Dependencies (add or upgrade a dependency)
- [ ] The public API
- [ ] The schema
- [ ] The default values of configurations
- [ ] The threading model
- [ ] The binary protocol
- [ ] The REST endpoints
- [ ] The admin CLI options
- [ ] The metrics
- [ ] Anything that affects deployment
Note:
We have to warn users: if they want to change the client to use the BC FIPS client lib, the messages produced with a non-FIPS setup and where the master key was an ECDSA key won't be readable! (FIPS has way fewer enabled ciphers.)
We have to add to the BC instructions on the website that you can mix FIPS and non-FIPS producers and consumers as long as you use RSA master keys, since ECDSA keys cannot be used to wrap keys in BC FIPS.
### Documentation
- [ ] `doc` <!-- Your PR contains doc changes. -->
- [x] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->
--
This is an automated message from the Apache Git Service.
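The RSA wrap/encrypt compatibility that the description above says its unit test checks, sketched as an added example that is not code from the pull request or from Pulsar. It assumes the JDK's default provider and the JDK spelling of the OAEP transformation rather than either BouncyCastle module; the class name and key sizes are hypothetical.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class RsaWrapVsEncrypt {
    // Assumption: OAEP transformation name as spelled by the JDK default provider.
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    static Cipher rsa(int mode, Key key) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(mode, key);
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys: an RSA "master" key pair and an AES data key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair master = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] raw = dataKey.getEncoded();

        // Encrypt-mode producer: RSA-encrypts the raw data key bytes.
        byte[] encrypted = rsa(Cipher.ENCRYPT_MODE, master.getPublic()).doFinal(raw);
        // Wrap-mode producer: hands the key object to the cipher's wrap operation.
        byte[] wrapped = rsa(Cipher.WRAP_MODE, master.getPublic()).wrap(dataKey);

        // Cross-read: decrypt what was wrapped, unwrap what was encrypted.
        byte[] fromWrapped = rsa(Cipher.DECRYPT_MODE, master.getPrivate()).doFinal(wrapped);
        Key fromEncrypted = rsa(Cipher.UNWRAP_MODE, master.getPrivate())
                .unwrap(encrypted, "AES", Cipher.SECRET_KEY);

        // Both paths must recover the identical data key for mixed clients to interoperate.
        if (!MessageDigest.isEqual(raw, fromWrapped)
                || !MessageDigest.isEqual(raw, fromEncrypted.getEncoded())) {
            throw new IllegalStateException("wrap and encrypt modes are not interchangeable");
        }
        System.out.println("RSA-OAEP wrap and encrypt outputs are mutually readable");
    }
}
```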