Incompatible BouncyCastle FIPS changes in bookkeeper 4.14 #10937
Comments
We should also add a test in Pulsar that enables TLS for BookKeeper and uses bc-non-fips, to cover this error.
### Motivation

More details are provided in [Pulsar #10937](apache/pulsar#10937). In #2631, the default BouncyCastle was changed from the non-FIPS to the FIPS version. But the default version of BouncyCastle in Pulsar is the [non-FIPS](https://github.com/apache/pulsar/blob/v2.8.0/pulsar-client/pom.xml#L56) one (aimed at keeping it compatible with older versions of Pulsar). Bouncy Castle provides both FIPS and non-FIPS versions, but a JVM cannot include both of the two versions (non-FIPS and FIPS), and we have to exclude the current version before including the other. This makes backward compatibility a little hard, and that's why Pulsar has to introduce an individual module for [Bouncy Castle](https://pulsar.apache.org/docs/en/security-bouncy-castle). And if we want to start BookKeeper with TLS enabled through Pulsar's binary, it will meet the following error:

```
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/jcajce/provider/BouncyCastleFipsProvider
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:315)
	at org.apache.bookkeeper.common.util.ReflectionUtils.forName(ReflectionUtils.java:49)
	at org.apache.bookkeeper.tls.SecurityProviderFactoryFactory.getSecurityProviderFactory(SecurityProviderFactoryFactory.java:39)
	at org.apache.bookkeeper.proto.BookieServer.<init>(BookieServer.java:129)
	at org.apache.bookkeeper.server.service.BookieService.<init>(BookieService.java:52)
	at org.apache.bookkeeper.server.Main.buildBookieServer(Main.java:304)
	at org.apache.bookkeeper.server.Main.doMain(Main.java:226)
	at org.apache.bookkeeper.server.Main.main(Main.java:208)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	... 9 more
```

This fix is to use reflection to get the loaded BC version, to avoid the hard-coded BC version.

### Changes

- Use reflection to get the loaded BC version, to avoid the hard-coded BC version
- Add a backward-compatibility test for the bc-non-fips version
Fixes apache#10937

*Motivation*

The previous bk version introduced an incompatibility issue with BouncyCastle FIPS. BookKeeper has already fixed this and we should upgrade the version to resolve the issue. For more information: apache#10937

*Modifications*

Upgrade bk to 4.14.2
Reopen the issue since we need to add integration tests at the Pulsar side to avoid regression.
@codelipenghui can you please open a new ticket? I believe it will be clearer from a project management and release management perspective to open a new issue.
* [Issue 9728] Upgrade GRPC and bookkeeper (apache#9729)
* Upgraded bookkeeper to 4.13.0; grpc to 1.33

Fixes apache#10937

*Motivation*

The previous bk version introduced an incompatibility issue with BouncyCastle FIPS. BookKeeper has already fixed this and we should upgrade the version to resolve the issue. For more information: apache#10937

*Modifications*

* Upgrade to BookKeeper 4.14.3 (apache#12760)
* Fixed additional post-cherry-pick conflicts

Co-authored-by: hangc0276 <chenhang@apache.org>
Co-authored-by: chenhang <chenhang@bigo.sg>
Co-authored-by: Yong Zhang <zhangyong1025.zy@gmail.com>
Co-authored-by: Matteo Merli <mmerli@apache.org>
The issue had no activity for 30 days, mark with Stale label.
@codelipenghui @hangc0276 is this ticket still relevant? It's weird when I filter. At least we should correct the metadata as @eolivelli mentioned in #10937 (comment).
Closed as completed. I don't think it's still relevant. For integration tests, a new issue is better. |
Describe the bug
In bookkeeper #2631, the default BouncyCastle was changed from the non-FIPS to the FIPS version. But the default version of BouncyCastle in Pulsar is the non-FIPS one (aimed at keeping it compatible with older versions of Pulsar).
Bouncy Castle provides both FIPS and non-FIPS versions, but a JVM cannot include both of the two versions (non-FIPS and FIPS), and we have to exclude the current version before including the other. This makes backward compatibility a little hard, and that's why Pulsar has to introduce an individual module for Bouncy Castle.
Pulsar excludes bookkeeper-server's BouncyCastle dependencies in Pulsar's pom file and only includes the non-FIPS version, but bookkeeper-server still wants to use the hard-coded FIPS version from bookkeeper #2631.
And if we want to start BookKeeper with TLS enabled through Pulsar's binary, it will meet the following error:
To Reproduce
Steps to reproduce the behavior: run `bin/pulsar bookie` with TLS enabled.
Expected behavior
By using `bin/pulsar bookie`, the BookKeeper server should be able to start successfully. BK should not hard-code the FIPS version of Bouncy Castle; it should have an option to use the non-FIPS version to keep it compatible.
Additional context
We may need to provide the fix in the BookKeeper side first, and then change the dependency of bookkeeper version in Pulsar.
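The provider detection that the issue and the BookKeeper PR describe (resolve whichever Bouncy Castle provider is actually on the classpath by reflection instead of hard-coding the FIPS class), as an added illustration that is not BookKeeper's or Pulsar's code: the FIPS class name is the one from the stack trace, the non-FIPS name is the standard bcprov provider class, and the class `BouncyCastleProviderLoader` is hypothetical. It goes one step beyond the text by failing fast when both variants are present, since the issue states a JVM must never carry both.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Optional;

// Added example, not BookKeeper's fix: pick the Bouncy Castle provider the classpath
// actually carries, so a deployment shipping only bcprov (non-FIPS) does not die with
// NoClassDefFoundError on a hard-coded FIPS class name.
public final class BouncyCastleProviderLoader {

    // FIPS class name from the issue's stack trace; non-FIPS name is the bcprov class.
    static final String FIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
    static final String NON_FIPS_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";

    private BouncyCastleProviderLoader() {}

    // Class.forName with initialize=false probes presence without running static init,
    // and the probe itself never propagates NoClassDefFoundError.
    static Optional<Class<?>> lookup(String className) {
        try {
            ClassLoader cl = BouncyCastleProviderLoader.class.getClassLoader();
            return Optional.of(Class.forName(className, false, cl));
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return Optional.empty();
        }
    }

    // Registers the available provider and returns its JCA name ("BCFIPS" or "BC").
    // Both on the classpath is treated as a misconfiguration rather than silently
    // picking one, because the choice decides which crypto implementation backs TLS.
    public static String loadAndRegister() {
        Optional<Class<?>> fips = lookup(FIPS_CLASS);
        Optional<Class<?>> nonFips = lookup(NON_FIPS_CLASS);
        if (fips.isPresent() && nonFips.isPresent()) {
            throw new IllegalStateException(
                "Both FIPS and non-FIPS Bouncy Castle found on the classpath; exclude one");
        }
        Class<?> chosen = fips.or(() -> nonFips).orElseThrow(() ->
            new IllegalStateException("No Bouncy Castle provider found on the classpath"));
        try {
            Provider p = (Provider) chosen.getDeclaredConstructor().newInstance();
            if (Security.getProvider(p.getName()) == null) { // register only once
                Security.addProvider(p);
            }
            return p.getName();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot instantiate " + chosen.getName(), e);
        }
    }
}
```

Call `loadAndRegister()` once at startup, before the TLS context is built, and log the returned name so an operator can see which variant the bookie actually runs with.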