Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify rsa transform, aes & tag length #839

Merged
merged 1 commit into from Oct 20, 2017
Merged

Specify rsa transform, aes & tag length #839

merged 1 commit into from Oct 20, 2017

Conversation

saandrews
Copy link
Contributor

Addressing issues mentioned in #838. Tested using a test program in C++ using openssl and verified encryption/decryption using RSA works both ways.

@saandrews saandrews added area/client type/bug The PR fixed a bug or issue reported a bug labels Oct 18, 2017
merlimat
merlimat approved these changes Oct 19, 2017
View reviewed changes
Copy link
Contributor

@merlimat merlimat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@massakam
Copy link
Contributor

LGTM

@merlimat
Copy link
Contributor

@saandrews There are 3 tests failing in Jenkins:

Test Result (3 failures / +3)

    org.apache.pulsar.client.api.SimpleProducerConsumerTest.testECDSAEncryption
    org.apache.pulsar.client.api.SimpleProducerConsumerTest.testEncryptionFailure
    org.apache.pulsar.client.api.SimpleProducerConsumerTest.testRSAEncryption

@merlimat merlimat added this to the 1.21.0-incubating milestone Oct 19, 2017
@saandrews
Copy link
Contributor Author

This is because our build env does not have the JCE Unlimited Strength Jurisdiction Policy files. http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. I'll dig further to see if we can install them in our environment.

@merlimat
Copy link
Contributor

This is because our build env does not have the JCE Unlimited Strength Jurisdiction Policy files. http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. I'll dig further to see if we can install them in our environment.

We should have it working out of the box with standard JDK and allow the better encryption if available.

@saandrews
Copy link
Contributor Author

saandrews commented Oct 19, 2017
edited

I see your point. But, if we do not enforce, a producer produced using 256 bit AES key and if consumer host does not have the unlimited policy files installed, it will fail to decrypt. This is true for RSA/ECDSA keys as well. I'm considering the following change to address this:

int aesKeyLength = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");
if (aesKeyLength <= 128) {
    log.warn(
             "{} JCE Cryptographic strength is limited to {}. Consider installing JCE Unlimited Strength Jurisdiction Policy Files.",
             logCtx, aesKeyLength);
        keyGenerator.init(aesKeyLength, secureRandom);
    } else {
        keyGenerator.init(256, secureRandom);
    }

@saandrews
Copy link
Contributor Author

retest this please

1 similar comment
@saandrews
Copy link
Contributor Author

retest this please

@saandrews saandrews merged commit f5268ed into apache:master Oct 20, 2017
jai1 pushed a commit to jai1/pulsar that referenced this pull request Feb 8, 2018
@saandrews @rdhabalia
Specify rsa transform, aes & tag length (apache#839)
c9c0a4b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@merlimat merlimat merlimat approved these changes

@rdhabalia rdhabalia Awaiting requested review from rdhabalia

@massakam massakam Awaiting requested review from massakam

Assignees
No one assigned
Labels
area/client type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Milestone
1.21.0-incubating
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@saandrews @massakam @merlimat