Parameterized class used for initializing crypto provider

apache · Jul 22, 2023 · a7793ce · a7793ce
1 parent 8fdced0
commit a7793ce
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 44 deletions.
diff --git a/.build/parent-pom-template.xml b/.build/parent-pom-template.xml
@@ -773,7 +773,7 @@
       <dependency>
         <groupId>software.amazon.cryptools</groupId>
         <artifactId>AmazonCorrettoCryptoProvider</artifactId>
-        <version>[2.0, 3.0)</version>
+        <version>2.2.0</version>
         <classifier>linux-x86_64</classifier>
       </dependency>
 

diff --git a/src/java/org/apache/cassandra/config/Config.java b/src/java/org/apache/cassandra/config/Config.java
@@ -79,7 +79,7 @@ public static Set<String> splitCommaDelimited(String src)
     public String authenticator;
     public String authorizer;
     public String role_manager;
-    public String crypto_provider;
+    public ParameterizedClass crypto_provider;
     public String network_authorizer;
     @Replaces(oldName = "permissions_validity_in_ms", converter = Converters.MILLIS_DURATION_INT, deprecated = true)
     public volatile DurationSpec.IntMillisecondsBound permissions_validity = new DurationSpec.IntMillisecondsBound("2s");

diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -100,9 +100,8 @@
 import org.apache.cassandra.locator.SeedProvider;
 import org.apache.cassandra.security.EncryptionContext;
 import org.apache.cassandra.security.SSLFactory;
-import org.apache.cassandra.service.AmazonCorrettoCryptoProviderImpl;
 import org.apache.cassandra.service.CacheService.CacheType;
-import org.apache.cassandra.service.ICryptoProvider;
+import org.apache.cassandra.security.ICryptoProvider;
 import org.apache.cassandra.service.paxos.Paxos;
 import org.apache.cassandra.utils.FBUtilities;
 import org.apache.cassandra.utils.StorageCompatibilityMode;
@@ -176,7 +175,7 @@ public class DatabaseDescriptor
 
     private static Config.DiskAccessMode indexAccessMode;
 
-    private static ICryptoProvider cryptoProvider = new AmazonCorrettoCryptoProviderImpl();
+    private static ICryptoProvider cryptoProvider;
     private static IAuthenticator authenticator;
     private static IAuthorizer authorizer;
     private static INetworkAuthorizer networkAuthorizer;
@@ -439,6 +438,8 @@ private static void applyAll() throws ConfigurationException
 
         applyTokensConfig();
 
+        applyCryptoProvider();
+
         applySeedProvider();
 
         applyEncryptionContext();
@@ -880,9 +881,6 @@ else if (conf.commitlog_segment_size.toMebibytes() >= 2048)
         else if (conf.commitlog_segment_size.toKibibytes() < 2 * conf.max_mutation_size.toKibibytes())
             throw new ConfigurationException("commitlog_segment_size must be at least twice the size of max_mutation_size / 1024", false);
 
-        if (conf.crypto_provider != null)
-            cryptoProvider = FBUtilities.newCryptoProvider(conf.crypto_provider);
-
         // native transport encryption options
         if (conf.client_encryption_options != null)
         {
@@ -1223,6 +1221,25 @@ public static void applySslContext()
         }
     }
 
+    public static void applyCryptoProvider()
+    {
+        try
+        {
+            if (conf.crypto_provider == null)
+                conf.crypto_provider = new ParameterizedClass("org.apache.cassandra.security.DefaultCryptoProvider", null);
+
+            Class<?> cryptoProviderClass = Class.forName(conf.crypto_provider.class_name);
+            cryptoProvider = (ICryptoProvider)cryptoProviderClass.getConstructor(Map.class).newInstance(conf.crypto_provider.parameters);
+
+            cryptoProvider.installProvider();
+        }
+        catch(Exception e)
+        {
+            throw new ConfigurationException("Failed to initialize crypto Provider.", e);
+        }
+
+    }
+
     public static void applySeedProvider()
     {
         // load the seeds for node contact points
@@ -1506,10 +1523,11 @@ private static IFailureDetector createFailureDetector(String detectorClassName)
         return detector;
     }
 
-    public static ICryptoProvider getCryptoProvider() {return cryptoProvider;}
+    public static ICryptoProvider getCryptoProvider() { return cryptoProvider; }
 
-    public void setCryptoProvider(ICryptoProvider cryptoProvider) {
-        DatabaseDescriptor.cryptoProvider = cryptoProvider;
+    public void setCryptoProvider(ICryptoProvider cryptoProvider)
+    {
+        cryptoProvider = cryptoProvider;
     }
     public static IAuthenticator getAuthenticator()
     {

diff --git a/...ice/AmazonCorrettoCryptoProviderImpl.java → ...andra/security/DefaultCryptoProvider.java b/...ice/AmazonCorrettoCryptoProviderImpl.java → ...andra/security/DefaultCryptoProvider.java
@@ -16,8 +16,9 @@
  * limitations under the License.
  */
 
-package org.apache.cassandra.service;
+package org.apache.cassandra.security;
 
+import java.util.Map;
 import javax.crypto.Cipher;
 
 import org.slf4j.Logger;
@@ -26,15 +27,18 @@
 import org.apache.cassandra.exceptions.StartupException;
 import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;
 
-public class AmazonCorrettoCryptoProviderImpl implements ICryptoProvider
+public class DefaultCryptoProvider implements ICryptoProvider
 {
-    private static final Logger logger = LoggerFactory.getLogger(AmazonCorrettoCryptoProviderImpl.class);
+    private static final Logger logger = LoggerFactory.getLogger(DefaultCryptoProvider.class);
+
+    public DefaultCryptoProvider(Map<String, String> args) {}
     @Override
     public void installProvider() throws StartupException
     {
         try
         {
             AmazonCorrettoCryptoProvider.install();
+            AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();
         }
         catch(Exception e)
         {
@@ -45,13 +49,19 @@ public void installProvider() throws StartupException
     @Override
     public void checkProvider() throws Exception
     {
-        try {
-            if (Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName().equals(AmazonCorrettoCryptoProvider.PROVIDER_NAME)) {
+        try
+        {
+            if (Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName().equals(AmazonCorrettoCryptoProvider.PROVIDER_NAME))
+            {
                 AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();
-            } else {
-                logger.warn("ACCP is not the highest priority provider");
             }
-        } catch (Exception e) {
+            else
+            {
+                logger.warn("{} is not the highest priority provider", AmazonCorrettoCryptoProvider.class.getName());
+            }
+        }
+        catch (Exception e)
+        {
             logger.warn("Corretto Crypto Provider Error", e);
         }
     }

diff --git a/...he/cassandra/service/ICryptoProvider.java → ...e/cassandra/security/ICryptoProvider.java b/...he/cassandra/service/ICryptoProvider.java → ...e/cassandra/security/ICryptoProvider.java
@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-package org.apache.cassandra.service;
+package org.apache.cassandra.security;
 
 import org.apache.cassandra.exceptions.StartupException;
 

diff --git a/src/java/org/apache/cassandra/service/CassandraDaemon.java b/src/java/org/apache/cassandra/service/CassandraDaemon.java
@@ -259,8 +259,6 @@ protected void setup()
 
         CommitLog.instance.start();
 
-        installCryptoProvider();
-
         runStartupChecks();
 
         try
@@ -490,18 +488,6 @@ protected void setup()
         completeSetup();
     }
 
-    public void installCryptoProvider()
-    {
-        try
-        {
-            DatabaseDescriptor.getCryptoProvider().installProvider();
-        }
-        catch (StartupException e)
-        {
-            exitOrFail(e.returnCode, e.getMessage(), e.getCause());
-        }
-    }
-
     public void runStartupChecks()
     {
         try

diff --git a/src/java/org/apache/cassandra/utils/FBUtilities.java b/src/java/org/apache/cassandra/utils/FBUtilities.java
@@ -88,7 +88,6 @@
 import org.apache.cassandra.io.util.FileUtils;
 import org.apache.cassandra.locator.InetAddressAndPort;
 import org.apache.cassandra.security.ISslContextFactory;
-import org.apache.cassandra.service.ICryptoProvider;
 import org.apache.cassandra.utils.concurrent.FutureCombiner;
 import org.apache.cassandra.utils.concurrent.UncheckedInterruptedException;
 import org.objectweb.asm.Opcodes;
@@ -637,13 +636,6 @@ static IPartitioner newPartitioner(String partitionerClassName, Optional<Abstrac
         return FBUtilities.instanceOrConstruct(partitionerClassName, "partitioner");
     }
 
-    public static ICryptoProvider newCryptoProvider(String className) throws ConfigurationException
-    {
-        if (!className.contains("."))
-            className = "org.apache.cassandra.service." + className;
-        return FBUtilities.construct(className, "crypto provider");
-    }
-
     public static IAuthorizer newAuthorizer(String className) throws ConfigurationException
     {
         if (!className.contains("."))

diff --git a/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java b/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java
@@ -258,9 +258,8 @@ public class DatabaseDescriptorRefTest
     "org.apache.cassandra.security.EncryptionContext",
     "org.apache.cassandra.security.ISslContextFactory",
     "org.apache.cassandra.security.SSLFactory",
-    "org.apache.cassandra.service.AmazonCorrettoCryptoProviderImpl",
     "org.apache.cassandra.service.CacheService$CacheType",
-    "org.apache.cassandra.service.ICryptoProvider",
+    "org.apache.cassandra.security.ICryptoProvider",
     "org.apache.cassandra.transport.ProtocolException",
     "org.apache.cassandra.utils.Closeable",
     "org.apache.cassandra.utils.CloseableIterator",