lhotari opened a new pull request, #25400: URL: https://github.com/apache/pulsar/pull/25400
### Motivation Java Cryptography Architecture (JCA) classes like `Cipher`, `MessageDigest`, `KeyGenerator`, `CertificateFactory`, etc. are **not thread-safe** per [Oracle's Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/21/security/java-pki-programmers-guide.html). Sharing instances across threads without synchronization can cause corrupted output, `BadPaddingException`, or silently wrong cryptographic results. This was confirmed by Netty's [PR #16350](https://github.com/netty/netty/pull/16350) for `CertificateFactory`, and is well-documented for `MessageDigest` ([pmd/pmd#1862](https://github.com/pmd/pmd/issues/1862)), `Cipher` ([ekino/hibernate-crypto-types#14](https://github.com/ekino/hibernate-crypto-types/issues/14)), and `KeyGenerator`. A review of the Pulsar codebase identified the following thread-safety issues: **MessageCryptoBc (HIGH):** - `Cipher cipher` instance field (line 100) — `encrypt()` is `synchronized` but `decrypt()`/`decryptData()` are not, so the shared Cipher can be used concurrently from different threads - `MessageDigest digest` instance field (line 101) — used in `decryptDataKey()` and `getKeyAndDecryptData()` without any synchronization - `static KeyGenerator keyGenerator` (line 97) — shared across ALL instances, written from constructors on different threads with only per-instance synchronization **DefaultRoleAnonymizerType (MEDIUM-HIGH):** - `MessageDigest digest` fields in `SHA256` and `MD5` enum singletons — `anonymize()` called concurrently without synchronization; `MessageDigest.digest()` resets internal state, so concurrent use produces corrupted hashes **SecurityUtility (LOW):** - `static List<KeyFactory> KEY_FACTORIES` — cached instances shared across threads. While likely safe in practice for standard JDK implementations, the API contract doesn't guarantee thread-safety. ### Modifications **MessageCryptoBc:** Replaced shared `Cipher`, `MessageDigest`, and `KeyGenerator` fields with `FastThreadLocal`-cached instances. This is a hot path (per-message encrypt/decrypt), so thread-local caching avoids the cost of creating new instances per call while ensuring thread safety. **DefaultRoleAnonymizerType:** Replaced `MessageDigest` instance fields in enum singletons with `FastThreadLocal`-cached instances. This is a hot path when enabled (called for every authentication role logged). **SecurityUtility:** Removed cached static `KeyFactory` instances. New instances are created per call in `loadPrivateKeyFromPemStream()`. This is not a hot path (only used during TLS key loading at connection setup), so caching is unnecessary. ### Verifying this change - [ ] Make sure that the change passes the CI checks. This change is already covered by existing tests, such as: - `MessageCryptoBc` unit tests in `pulsar-client-messagecrypto-bc` - `DefaultRoleAnonymizerType` tests in `pulsar-broker-common` - `SecurityUtility` tests in `pulsar-common` - End-to-end encryption integration tests like `SimpleProducerConsumerTest#testCryptoWithChunking` ### Does this pull request potentially affect one of the following parts: - [ ] Dependencies (add or upgrade a dependency) - [ ] The public API - [ ] The schema - [ ] The default values of configurations - [x] The threading model - [ ] The binary protocol - [ ] The REST endpoints - [ ] The admin CLI options - [ ] The metrics - [ ] Anything that affects deployment ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: <!-- ENTER URL HERE --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
