This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-3.3 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 9966ddc0ea3c6cb2e0aeab803e79fded3e914c5f Author: Okada Haruki <[email protected]> AuthorDate: Mon Aug 5 17:41:54 2024 +0900 [improve][misc] Improve AES-GCM cipher performance (#23122) (cherry picked from commit e9deb408eaed2c04e30a27be5fba130f5d4e94b7) --- .../apache/pulsar/client/impl/crypto/MessageCryptoBc.java | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java index f31fb1aa8b0..aa97421a42f 100644 --- a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java +++ b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java @@ -92,6 +92,7 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe // from assuming hardcoded value. However, it will increase the size of the message even further. public static final String RSA_TRANS = "RSA/NONE/OAEPWithSHA1AndMGF1Padding"; public static final String AESGCM = "AES/GCM/NoPadding"; + private static final String AESGCM_PROVIDER_NAME; private static KeyGenerator keyGenerator; private static final int tagLen = 16 * 8; @@ -123,6 +124,15 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe // Initial seed secureRandom.nextBytes(new byte[IV_LEN]); + // Prefer SunJCE provider for AES-GCM for performance reason. + // For cases where SunJCE is not available (e.g. non-hotspot JVM), use BouncyCastle as fallback. + String sunJceProviderName = "SunJCE"; + if (Security.getProvider(sunJceProviderName) != null) { + AESGCM_PROVIDER_NAME = sunJceProviderName; + } else { + AESGCM_PROVIDER_NAME = BouncyCastleProvider.PROVIDER_NAME; + } + // Add provider only if it's not in the JVM if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); @@ -145,7 +155,7 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe try { - cipher = Cipher.getInstance(AESGCM, BouncyCastleProvider.PROVIDER_NAME); + cipher = Cipher.getInstance(AESGCM, AESGCM_PROVIDER_NAME); // If keygen is not needed(e.g: consumer), data key will be decrypted from the message if (!keyGenNeeded) { // codeql[java/weak-cryptographic-algorithm] - md5 is sufficient for this use case
