[improve][client] Make client TLS/crypto helpers work on FIPS-restricted JVMs#26154
Open
david-streamlio wants to merge 3 commits into
Open
[improve][client] Make client TLS/crypto helpers work on FIPS-restricted JVMs#26154david-streamlio wants to merge 3 commits into
david-streamlio wants to merge 3 commits into
Conversation
…ted JVMs Two small fixes for JVMs running a restricted security configuration (e.g. BC-FIPS in approved-only mode): - MessageCryptoBc: when the BCFIPS provider is registered, source randomness for data-key and IV generation from its SP 800-90A DRBG instead of the SUN NativePRNGNonBlocking algorithm, which does not exist in FIPS providers. Only registered providers are consulted so class loading still avoids BouncyCastle classpath resolution. - KeyManagerProxy: fall back to the platform default keystore type when the hardcoded JKS type is unavailable. JKS remains preferred because it accepts certificate lists that do not form a linked chain, which PKCS12 rejects (verified by KeyManagerProxyTest's multiple-CA case).
53ddc42 to
bb1ca41
Compare
This was referenced Jul 6, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves Pulsar client-side TLS/crypto helper compatibility with FIPS-restricted JVM security configurations by avoiding hardcoded SUN-provider assumptions and selecting FIPS-appropriate primitives when the BC-FIPS provider is registered.
Changes:
MessageCryptoBc: PreferSecureRandomfrom the registeredBCFIPSprovider (its DRBG) when available; otherwise keep existingNativePRNGNonBlockingbehavior.KeyManagerProxy: Prefer JKS for the in-memory keystore but fall back toKeyStore.getDefaultType()when JKS is unavailable (e.g., under FIPS restrictions).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pulsar-common/src/main/java/org/apache/pulsar/common/util/KeyManagerProxy.java | Adds JKS → default keystore-type fallback for the in-memory keystore used by the auto-refreshing PEM key manager. |
| pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java | Switches SecureRandom selection to use BC-FIPS DRBG when BCFIPS is registered, preserving non-FIPS behavior otherwise. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Two client-path helpers hardcode SUN-provider-specific choices that fail or fall back to non-approved crypto on JVMs running a restricted security configuration (e.g. BC-FIPS in approved-only mode):
MessageCryptoBcpinsSecureRandom.getInstance("NativePRNGNonBlocking")for data-key and GCM-IV generation. That algorithm doesn't exist in FIPS providers, and even when the fallback engages, randomness is sourced outside the FIPS-validated module. NIST SP 800-38D permits random 96-bit GCM IVs only when generated by an approved DRBG.KeyManagerProxy(the auto-refreshing PEM key manager) hardcodesKeyStore.getInstance("JKS")for its in-memory keystore, which fails where the JKS keystore type is unavailable.This is one of a set of small preparatory cleanups for FIPS-restricted deployments; a broader PIP is being drafted separately.
Modifications
MessageCryptoBc: when aBCFIPSprovider is registered, obtainSecureRandom.getInstance("DEFAULT", bcfips)— the BC-FIPS SP 800-90A DRBG — so key/IV generation stays within the FIPS-validated module. Only registered providers are consulted (Security.getProvider), deliberately avoiding BouncyCastle classpath resolution during class loading, consistent with the existing lazyBcProviderHolderdesign. Behavior on standard JVMs is unchanged (NativePRNGNonBlocking, falling back tonew SecureRandom()).KeyManagerProxy: keep JKS as the preferred in-memory keystore type, but fall back toKeyStore.getDefaultType()when JKS is unavailable. JKS remains preferred deliberately: PKCS12'ssetKeyEntryrejects certificate lists that do not form a linked chain, which JKS accepts — switching unconditionally to the default type breaksKeyManagerProxyTest's multiple-CA case (verified while developing this change).Verifying this change
This change is already covered by existing tests:
KeyManagerProxyTest(including the multiple-CA chain case that pins the JKS-preferred behavior) andRawBatchMessageContainerImplTest(exercisesMessageCryptoBcencryption end-to-end). TheBCFIPSbranch cannot be exercised without a FIPS-registered JVM; it is compile-verified, and theDEFAULTSecureRandom service is confirmed present inbc-fips2.0.1.Does this pull request potentially affect one of the following parts: