This is an automated email from the ASF dual-hosted git repository. mmerli pushed a commit to branch branch-3.0 in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-3.0 by this push: new 0f7434580f2 [fix][sec] Upgrade Bouncycastle to 1.75 to address CVE-2023-33201 (#20631) 0f7434580f2 is described below commit 0f7434580f285d027a625d9de7ca41e3e74a6365 Author: Lari Hotari <lhot...@users.noreply.github.com> AuthorDate: Fri Jun 23 15:18:35 2023 +0300 [fix][sec] Upgrade Bouncycastle to 1.75 to address CVE-2023-33201 (#20631) --- bouncy-castle/bc/LICENSE | 6 +-- bouncy-castle/bc/pom.xml | 4 +- distribution/server/pom.xml | 4 ++ distribution/server/src/assemble/LICENSE.bin.txt | 8 ++-- distribution/shell/src/assemble/LICENSE.bin.txt | 8 ++-- pom.xml | 46 +++++++++++++++++++--- pulsar-broker-auth-athenz/pom.xml | 5 +++ pulsar-client-auth-athenz/pom.xml | 5 +++ .../pulsar/client/impl/crypto/MessageCryptoBc.java | 32 ++++++++++++--- pulsar-io/aerospike/pom.xml | 10 +++++ pulsar-sql/presto-distribution/LICENSE | 8 ++-- tests/integration/pom.xml | 5 +++ tiered-storage/file-system/pom.xml | 18 +++++++-- 13 files changed, 127 insertions(+), 32 deletions(-) diff --git a/bouncy-castle/bc/LICENSE b/bouncy-castle/bc/LICENSE index 5921755346e..dae8f16df5b 100644 --- a/bouncy-castle/bc/LICENSE +++ b/bouncy-castle/bc/LICENSE @@ -205,6 +205,6 @@ This projects includes binary packages with the following licenses: Bouncy Castle License * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt - - org.bouncycastle-bcpkix-jdk15on-1.60.jar - - org.bouncycastle-bcprov-jdk15on-1.60.jar - - org.bouncycastle-bcprov-ext-jdk15on-1.60.jar + - org.bouncycastle-bcpkix-jdk18on-1.75.jar + - org.bouncycastle-bcprov-jdk18on-1.75.jar + - org.bouncycastle-bcprov-ext-jdk18on-1.75.jar diff --git a/bouncy-castle/bc/pom.xml b/bouncy-castle/bc/pom.xml index fdd3ebfcf0f..8a26082b126 100644 --- a/bouncy-castle/bc/pom.xml +++ b/bouncy-castle/bc/pom.xml 
@@ -42,13 +42,13 @@ <dependency> <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> + <artifactId>bcpkix-jdk18on</artifactId> <version>${bouncycastle.version}</version> </dependency> <dependency> <groupId>org.bouncycastle</groupId> - <artifactId>bcprov-ext-jdk15on</artifactId> + <artifactId>bcprov-ext-jdk18on</artifactId> <version>${bouncycastle.version}</version> </dependency> </dependencies> diff --git a/distribution/server/pom.xml b/distribution/server/pom.xml index 7ee2bd88128..0e033b10ed4 100644 --- a/distribution/server/pom.xml +++ b/distribution/server/pom.xml @@ -259,6 +259,10 @@ <groupId>io.grpc</groupId> <artifactId>grpc-all</artifactId> </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> + </dependency> <dependency> <groupId>io.perfmark</groupId> diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt index c53da3bd536..8dc361cab3a 100644 --- a/distribution/server/src/assemble/LICENSE.bin.txt +++ b/distribution/server/src/assemble/LICENSE.bin.txt @@ -575,10 +575,10 @@ Creative Commons Attribution License Bouncy Castle License * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt - - org.bouncycastle-bcpkix-jdk15on-1.69.jar - - org.bouncycastle-bcprov-ext-jdk15on-1.69.jar - - org.bouncycastle-bcprov-jdk15on-1.69.jar - - org.bouncycastle-bcutil-jdk15on-1.69.jar + - org.bouncycastle-bcpkix-jdk18on-1.75.jar + - org.bouncycastle-bcprov-ext-jdk18on-1.75.jar + - org.bouncycastle-bcprov-jdk18on-1.75.jar + - org.bouncycastle-bcutil-jdk18on-1.75.jar ------------------------ diff --git a/distribution/shell/src/assemble/LICENSE.bin.txt b/distribution/shell/src/assemble/LICENSE.bin.txt index e69b74e7a9e..43bbfdec5bf 100644 --- a/distribution/shell/src/assemble/LICENSE.bin.txt +++ b/distribution/shell/src/assemble/LICENSE.bin.txt 
@@ -470,10 +470,10 @@ Creative Commons Attribution License Bouncy Castle License * Bouncy Castle -- ../licenses/LICENSE-bouncycastle.txt - - bcpkix-jdk15on-1.69.jar - - bcprov-ext-jdk15on-1.69.jar - - bcprov-jdk15on-1.69.jar - - bcutil-jdk15on-1.69.jar + - bcpkix-jdk18on-1.75.jar + - bcprov-ext-jdk18on-1.75.jar + - bcprov-jdk18on-1.75.jar + - bcutil-jdk18on-1.75.jar ------------------------ diff --git a/pom.xml b/pom.xml index 0389eeed2ad..24b712bdadb 100644 --- a/pom.xml +++ b/pom.xml @@ -152,7 +152,7 @@ flexible messaging model and an intuitive client API.</description> <slf4j.version>1.7.32</slf4j.version> <commons.collections4.version>4.4</commons.collections4.version> <log4j2.version>2.18.0</log4j2.version> - <bouncycastle.version>1.69</bouncycastle.version> + <bouncycastle.version>1.75</bouncycastle.version> <bouncycastle.bcpkix-fips.version>1.0.6</bouncycastle.bcpkix-fips.version> <bouncycastle.bc-fips.version>1.0.2.3</bouncycastle.bc-fips.version> <jackson.version>2.14.2</jackson.version> @@ -824,9 +824,15 @@ flexible messaging model and an intuitive client API.</description> </dependency> <dependency> - <groupId>com.github.docker-java</groupId> - <artifactId>docker-java-core</artifactId> - <version>${docker-java.version}</version> + <groupId>com.github.docker-java</groupId> + <artifactId>docker-java-core</artifactId> + <version>${docker-java.version}</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> <groupId>com.github.docker-java</groupId> @@ -892,7 +898,7 @@ flexible messaging model and an intuitive client API.</description> <dependency> <groupId>org.bouncycastle</groupId> - <artifactId>bcpkix-jdk15on</artifactId> + <artifactId>bcpkix-jdk18on</artifactId> <version>${bouncycastle.version}</version> </dependency> 
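Review bot: The `org.bouncycastle:*` exclusion added to `docker-java-core` (and repeated for `athenz-cert-refresher`, `athenz-auth-core` and `grpc-xds` in the next hunks, `aerospike-client-bc`, and the hadoop dependency in `tiered-storage/file-system`) carries no explanation, and the same pattern will need to be applied to every future dependency that drags Bouncy Castle in; a comment above the first exclusion block would make the intent auditable: `<!-- exclude transitive Bouncy Castle so only the managed ${bouncycastle.version} jdk18on artifacts reach the classpath (CVE-2023-33201) -->`. Each wildcard exclusion moves the burden onto the consuming module to declare a BC artifact itself; the athenz, aerospike, tests/integration and tiered-storage modules do so in this commit, whereas the consumer of `grpc-xds` is not visible here and is worth confirming. The removed and re-added `groupId`/`artifactId`/`version` lines in this hunk appear to differ only in indentation (whitespace is collapsed in this view), which inflates a security fix with formatting noise — the same happens to the `netty-all` exclusion in `tiered-storage/file-system/pom.xml`. If the build already runs `maven-enforcer-plugin`, a `bannedDependencies` rule covering the `org.bouncycastle` `jdk15on` artifacts would stop the old coordinates from returning transitively; the FIPS properties a few lines above the version bump are left at their prior versions and the commit does not record whether that line is in scope for the CVE.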
@@ -924,6 +930,24 @@ flexible messaging model and an intuitive client API.</description> <groupId>com.yahoo.athenz</groupId> <artifactId>athenz-cert-refresher</artifactId> <version>${athenz.version}</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> + </dependency> + + <dependency> + <groupId>com.yahoo.athenz</groupId> + <artifactId>athenz-auth-core</artifactId> + <version>${athenz.version}</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> @@ -1068,6 +1092,18 @@ flexible messaging model and an intuitive client API.</description> </exclusions> </dependency> + <dependency> + <groupId>io.grpc</groupId> + <artifactId>grpc-xds</artifactId> + <version>${grpc.version}</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> <groupId>com.google.http-client</groupId> <artifactId>google-http-client</artifactId> diff --git a/pulsar-broker-auth-athenz/pom.xml b/pulsar-broker-auth-athenz/pom.xml index b8837ce67fc..6711a60bc89 100644 --- a/pulsar-broker-auth-athenz/pom.xml +++ b/pulsar-broker-auth-athenz/pom.xml @@ -53,6 +53,11 @@ <artifactId>athenz-zpe-java-client</artifactId> </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> + </dependency> + </dependencies> <build> diff --git a/pulsar-client-auth-athenz/pom.xml b/pulsar-client-auth-athenz/pom.xml index 2149cfb2a2f..81315611e9b 100644 --- a/pulsar-client-auth-athenz/pom.xml +++ b/pulsar-client-auth-athenz/pom.xml 
@@ -52,6 +52,11 @@ <artifactId>athenz-cert-refresher</artifactId> </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> + </dependency> + <dependency> <groupId>com.google.guava</groupId> <artifactId>guava</artifactId> diff --git a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java index 2d7b779fa7b..146f066ae2c 100644 --- a/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java +++ b/pulsar-client-messagecrypto-bc/src/main/java/org/apache/pulsar/client/impl/crypto/MessageCryptoBc.java @@ -35,6 +35,7 @@ import java.security.PrivateKey; import java.security.PublicKey; import java.security.SecureRandom; import java.security.Security; +import java.security.spec.AlgorithmParameterSpec; import java.security.spec.InvalidKeySpecException; import java.util.HashMap; import java.util.List; @@ -73,6 +74,7 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.jce.spec.ECParameterSpec; import org.bouncycastle.jce.spec.ECPrivateKeySpec; import org.bouncycastle.jce.spec.ECPublicKeySpec; +import org.bouncycastle.jce.spec.IESParameterSpec; import org.bouncycastle.openssl.PEMException; import org.bouncycastle.openssl.PEMKeyPair; import org.bouncycastle.openssl.PEMParser; @@ -172,6 +174,7 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe dataKey = keyGenerator.generateKey(); iv = new byte[IV_LEN]; + } private PublicKey loadPublicKey(byte[] keyBytes) throws Exception { 
@@ -322,22 +325,27 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe byte[] encryptedKey; try { - + AlgorithmParameterSpec params = null; // Encrypt data key using public key if (RSA.equals(pubKey.getAlgorithm())) { dataKeyCipher = Cipher.getInstance(RSA_TRANS, BouncyCastleProvider.PROVIDER_NAME); } else if (ECDSA.equals(pubKey.getAlgorithm())) { dataKeyCipher = Cipher.getInstance(ECIES, BouncyCastleProvider.PROVIDER_NAME); + params = createIESParameterSpec(); } else { String msg = logCtx + "Unsupported key type " + pubKey.getAlgorithm() + " for key " + keyName; log.error(msg); throw new PulsarClientException.CryptoException(msg); } - dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey); + if (params != null) { + dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey, params); + } else { + dataKeyCipher.init(Cipher.ENCRYPT_MODE, pubKey); + } encryptedKey = dataKeyCipher.doFinal(dataKey.getEncoded()); } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchProviderException - | NoSuchPaddingException | InvalidKeyException e) { + | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) { log.error("{} Failed to encrypt data key {}. {}", logCtx, keyName, e.getMessage()); throw new PulsarClientException.CryptoException(e.getMessage()); } @@ -345,6 +353,13 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe encryptedDataKeyMap.put(keyName, eki); } + // required since Bouncycastle 1.72 when using ECIES, it is required to pass in an IESParameterSpec + private IESParameterSpec createIESParameterSpec() { + // the IESParameterSpec to use was discovered by debugging BouncyCastle 1.69 and running the + // test org.apache.pulsar.client.api.SimpleProducerConsumerTest#testCryptoWithChunking + return new IESParameterSpec(null, null, 128); + } + /* * Remove a key <p> Remove the key identified by the keyName from the list of keys.<p> * 
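Review bot: `createIESParameterSpec()` now fixes the ECIES wire format for every data key this client wraps, but its comment only records how the values were found; it should state the contract, because any change to the `(null, null, 128)` tuple silently breaks decryption of data keys wrapped by the peer or by clients on the older BouncyCastle that applied these values implicitly. Suggested replacement for the method comment: `// Intended to match what BC 1.69 used when no IESParameterSpec was given (no derivation/encoding vectors, 128-bit MAC key); changing these values changes the wire format of wrapped data keys, so encrypt and decrypt sides must stay in sync.` The `if (params != null)` init pair before `doFinal` is repeated verbatim in the decrypt path at the next hunk; a small private `initCipher(Cipher cipher, int mode, Key key, AlgorithmParameterSpec params)` helper would keep the two paths from drifting. The widened catch clause names `InvalidAlgorithmParameterException`, whose import is not in the visible import hunk — presumably already present. The enclosing method starts and ends outside this hunk.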
@@ -474,23 +489,28 @@ public class MessageCryptoBc implements MessageCrypto<MessageMetadata, MessageMe byte[] keyDigest = null; try { - + AlgorithmParameterSpec params = null; // Decrypt data key using private key if (RSA.equals(privateKey.getAlgorithm())) { dataKeyCipher = Cipher.getInstance(RSA_TRANS, BouncyCastleProvider.PROVIDER_NAME); } else if (ECDSA.equals(privateKey.getAlgorithm())) { dataKeyCipher = Cipher.getInstance(ECIES, BouncyCastleProvider.PROVIDER_NAME); + params = createIESParameterSpec(); } else { log.error("Unsupported key type {} for key {}.", privateKey.getAlgorithm(), keyName); return false; } - dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey); + if (params != null) { + dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey, params); + } else { + dataKeyCipher.init(Cipher.DECRYPT_MODE, privateKey); + } dataKeyValue = dataKeyCipher.doFinal(encryptedDataKey); keyDigest = digest.digest(encryptedDataKey); } catch (IllegalBlockSizeException | BadPaddingException | NoSuchAlgorithmException | NoSuchProviderException - | NoSuchPaddingException | InvalidKeyException e) { + | NoSuchPaddingException | InvalidKeyException | InvalidAlgorithmParameterException e) { log.error("{} Failed to decrypt data key {} to decrypt messages {}", logCtx, keyName, e.getMessage()); return false; } diff --git a/pulsar-io/aerospike/pom.xml b/pulsar-io/aerospike/pom.xml index 2b2a504147f..dc735577a59 100644 --- a/pulsar-io/aerospike/pom.xml +++ b/pulsar-io/aerospike/pom.xml @@ -52,6 +52,16 @@ <groupId>com.aerospike</groupId> <artifactId>aerospike-client-bc</artifactId> <version>${aerospike-client.version}</version> + <exclusions> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> + </exclusions> + </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> </dependency> </dependencies> 
diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE index 29bde2dada2..8f67f2f7ef4 100644 --- a/pulsar-sql/presto-distribution/LICENSE +++ b/pulsar-sql/presto-distribution/LICENSE @@ -590,7 +590,7 @@ Creative Commons Attribution License Bouncy Castle License * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt - - bcpkix-jdk15on-1.69.jar - - bcprov-ext-jdk15on-1.69.jar - - bcprov-jdk15on-1.69.jar - - bcutil-jdk15on-1.69.jar + - bcpkix-jdk18on-1.75.jar + - bcprov-ext-jdk18on-1.75.jar + - bcprov-jdk18on-1.75.jar + - bcutil-jdk18on-1.75.jar diff --git a/tests/integration/pom.xml b/tests/integration/pom.xml index c5acf24ab43..3600ead12f1 100644 --- a/tests/integration/pom.xml +++ b/tests/integration/pom.xml @@ -126,6 +126,11 @@ <artifactId>docker-java-core</artifactId> <scope>test</scope> </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> + <scope>test</scope> + </dependency> <dependency> <groupId>org.apache.pulsar</groupId> diff --git a/tiered-storage/file-system/pom.xml b/tiered-storage/file-system/pom.xml index cf482f43a4e..5b4474c977b 100644 --- a/tiered-storage/file-system/pom.xml +++ b/tiered-storage/file-system/pom.xml @@ -110,13 +110,23 @@ <version>${hdfs-offload-version3}</version> <scope>test</scope> <exclusions> - <exclusion> - <groupId>io.netty</groupId> - <artifactId>netty-all</artifactId> - </exclusion> + <exclusion> + <groupId>io.netty</groupId> + <artifactId>netty-all</artifactId> + </exclusion> + <exclusion> + <groupId>org.bouncycastle</groupId> + <artifactId>*</artifactId> + </exclusion> </exclusions> </dependency> + <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk18on</artifactId> + <scope>test</scope> + </dependency> + <dependency> <groupId>io.netty</groupId> <artifactId>netty-codec-http</artifactId>