nodece commented on code in PR #20542:
URL: https://github.com/apache/pulsar/pull/20542#discussion_r1230644164
##########
pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java:
##########
@@ -106,28 +80,64 @@ public class MessageCryptoBc implements
MessageCrypto<MessageMetadata, MessageMe
private static final SecureRandom secureRandom;
+
+ private static final String providerName;
+ private static BcVersionSpecificCryptoUtility
bcVersionSpecificCryptoUtilityDelegate;
+
static {
- SecureRandom rand = null;
- try {
- rand = SecureRandom.getInstance("NativePRNGNonBlocking");
- } catch (NoSuchAlgorithmException nsa) {
- rand = new SecureRandom();
- }
- secureRandom = rand;
+ providerName = SecurityUtility.getProvider().getName();
+
+ switch (providerName) {
+ case SecurityUtility.BC:
+ SecureRandom rand = null;
+ try {
+ rand = SecureRandom.getInstance("NativePRNGNonBlocking",
providerName);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException
nsa) {
+ rand = new SecureRandom();
+ }
+ secureRandom = rand;
+ break;
+ case SecurityUtility.BC_FIPS:
+ try {
+ secureRandom = SecureRandom.getInstance("NONCEANDIV",
providerName);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException
nsa) {
+ throw new RuntimeException(
+ "In BC FIPS mode, we expect the specific Random
generators to be available!");
+ }
+ break;
Review Comment:
> Could you please elaborate on what would we gain from using `NONCEANDIV`
for everything?
Just to use the same mode.
##########
pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java:
##########
@@ -106,28 +80,64 @@ public class MessageCryptoBc implements
MessageCrypto<MessageMetadata, MessageMe
private static final SecureRandom secureRandom;
+
+ private static final String providerName;
+ private static BcVersionSpecificCryptoUtility
bcVersionSpecificCryptoUtilityDelegate;
+
static {
- SecureRandom rand = null;
- try {
- rand = SecureRandom.getInstance("NativePRNGNonBlocking");
- } catch (NoSuchAlgorithmException nsa) {
- rand = new SecureRandom();
- }
- secureRandom = rand;
+ providerName = SecurityUtility.getProvider().getName();
+
+ switch (providerName) {
+ case SecurityUtility.BC:
+ SecureRandom rand = null;
+ try {
+ rand = SecureRandom.getInstance("NativePRNGNonBlocking",
providerName);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException
nsa) {
+ rand = new SecureRandom();
+ }
+ secureRandom = rand;
+ break;
+ case SecurityUtility.BC_FIPS:
+ try {
+ secureRandom = SecureRandom.getInstance("NONCEANDIV",
providerName);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException
nsa) {
+ throw new RuntimeException(
+ "In BC FIPS mode, we expect the specific Random
generators to be available!");
+ }
+ break;
Review Comment:
> Could you please elaborate on what would we gain from using `NONCEANDIV`
for everything?
Just to use the same mode.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
