Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/09/08 07:10:13 UTC

[GitHub] [pulsar] jiazhai opened a new issue #10937: Incompatible BouncyCastle FIPS changes in bookkeeper 4.14

jiazhai opened a new issue #10937:
URL: https://github.com/apache/pulsar/issues/10937


   **Describe the bug**
   In [bookkeeper # 2631](https://github.com/apache/bookkeeper/pull/2631), the default BouncyCastle was changed from the non-FIPS to the FIPS version. But the default version of BouncyCastle in Pulsar is the [non-fips](https://github.com/apache/pulsar/blob/v2.8.0/pulsar-client/pom.xml#L56) one (aimed at making it compatible with the old version of Pulsar).
   
   Bouncy Castle provides both FIPS and non-FIPS versions, but a JVM cannot include both of the 2 versions (non-FIPS and FIPS), and we have to exclude the current version before including the other. This makes backward compatibility a little hard, and that's why Pulsar has to involve an individual module for [Bouncy Castle](https://pulsar.apache.org/docs/en/security-bouncy-castle).
   
   Pulsar excluded the dependencies of [bookkeeper-server's BouncyCastle](https://github.com/eolivelli/pulsar/blob/2de612791f0334fe469e8e0a58e291358af77cdb/pom.xml#L303) in Pulsar's pom file, and Pulsar only includes the non-fips version, but the bookkeeper-server still wants to use the hard-coded [fips version](https://github.com/Ghatage/bookkeeper/blob/fe45f8f52ba24706ba9b9226b73953b93ef3cefa/bookkeeper-server/src/main/java/org/apache/bookkeeper/tls/TLSContextFactory.java#L63) in [bookkeeper # 2631](https://github.com/apache/bookkeeper/pull/2631)
   
   And if we want to start BookKeeper with TLS enabled through Pulsar's binary, it will meet the following error:
   ```
   Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/jcajce/provider/BouncyCastleFipsProvider
   	at java.base/java.lang.Class.forName0(Native Method)
   	at java.base/java.lang.Class.forName(Class.java:315)
   	at org.apache.bookkeeper.common.util.ReflectionUtils.forName(ReflectionUtils.java:49)
   	at org.apache.bookkeeper.tls.SecurityProviderFactoryFactory.getSecurityProviderFactory(SecurityProviderFactoryFactory.java:39)
   	at org.apache.bookkeeper.proto.BookieServer.<init>(BookieServer.java:129)
   	at org.apache.bookkeeper.server.service.BookieService.<init>(BookieService.java:52)
   	at org.apache.bookkeeper.server.Main.buildBookieServer(Main.java:304)
   	at org.apache.bookkeeper.server.Main.doMain(Main.java:226)
   	at org.apache.bookkeeper.server.Main.main(Main.java:208)
   Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
   	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
   	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
   	... 9 more
   ```
   
   **To Reproduce**
   Steps to reproduce the behavior:
   1. using pulsar 2.8.0,
   2. start bookkeeper through `bin/pulsar bookie`, with [TLS enabled](https://bookkeeper.apache.org/docs/latest/security/tls/).
   
   **Expected behavior**
   By using `bin/pulsar bookie`, the BookKeeper server should be able to start successfully.
   BK should not hard-code the FIPS version of Bouncy Castle; it should have an option to use the non-FIPS version to make it compatible.
   
   **Additional context**
   We may need to provide the fix in the BookKeeper side first, and then change the dependency of bookkeeper version in Pulsar.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
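
The failure reported above comes from loading a single hard-coded provider class by reflection. The following is an added example, not code from BookKeeper or Pulsar, of a startup probe that picks whichever Bouncy Castle flavour is actually on the classpath; the class name `BcProviderProbe` and the FIPS-first ordering are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

public class BcProviderProbe {
    // JCA provider name -> implementing class, in preference order (assumed: FIPS first).
    private static final Map<String, String> CANDIDATES = new LinkedHashMap<>();
    static {
        CANDIDATES.put("BCFIPS", "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider");
        CANDIDATES.put("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
    }

    /** Returns the first Bouncy Castle provider available to this JVM, or null if none is. */
    static Provider resolve(ClassLoader loader) {
        for (Map.Entry<String, String> c : CANDIDATES.entrySet()) {
            // Reuse a provider that is already registered under this name.
            Provider registered = Security.getProvider(c.getKey());
            if (registered != null) {
                return registered;
            }
            try {
                Class<?> cls = Class.forName(c.getValue(), true, loader);
                return (Provider) cls.getDeclaredConstructor().newInstance();
            } catch (ClassNotFoundException | NoClassDefFoundError e) {
                // The jar for this flavour was excluded from the build; try the next one.
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Cannot instantiate " + c.getValue(), e);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Provider p = resolve(BcProviderProbe.class.getClassLoader());
        if (p == null) {
            System.out.println("No Bouncy Castle provider on the classpath; JDK providers only");
            return;
        }
        if (Security.getProvider(p.getName()) == null) {
            Security.addProvider(p);
        }
        // Log the selection so operators can see which flavour backs TLS.
        System.out.println("Selected security provider: " + p.getName() + " (" + p.getInfo() + ")");
    }
}
```

A deployment that must run with FIPS-validated cryptography should treat a missing `BCFIPS` provider as a startup error rather than accept the fallback, which is why the probe reports the provider it selected.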



[GitHub] [pulsar] codelipenghui closed issue #10937: Incompatible BouncyCastle FIPS changes in bookkeeper 4.14

Posted by GitBox <gi...@apache.org>.
codelipenghui closed issue #10937:
URL: https://github.com/apache/pulsar/issues/10937


   





[GitHub] [pulsar] codelipenghui commented on issue #10937: Incompatible BouncyCastle FIPS changes in bookkeeper 4.14

Posted by GitBox <gi...@apache.org>.
codelipenghui commented on issue #10937:
URL: https://github.com/apache/pulsar/issues/10937#issuecomment-914979570


   Reopen the issue since we need to add integration tests at the Pulsar side to avoid regression.





[GitHub] [pulsar] eolivelli commented on issue #10937: Incompatible BouncyCastle FIPS changes in bookkeeper 4.14

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #10937:
URL: https://github.com/apache/pulsar/issues/10937#issuecomment-926598889


   @codelipenghui can you please open a new ticket?
   This ticket is bound to the 2.8.1 release.
   It is awkward to see this re-opened, as 2.8.1 has been released.
   
   I believe it will be clearer from a project management and release management perspective to open a new issue





[GitHub] [pulsar] codelipenghui commented on issue #10937: Incompatible BouncyCastle FIPS changes in bookkeeper 4.14

Posted by GitBox <gi...@apache.org>.
codelipenghui commented on issue #10937:
URL: https://github.com/apache/pulsar/issues/10937#issuecomment-1058889332


   The issue had no activity for 30 days, mark with Stale label.

