[ https://issues.apache.org/jira/browse/CASSANDRA-20512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940765#comment-17940765 ]

Stefan Miklosovic edited comment on CASSANDRA-20512 at 4/3/25 5:08 PM:
-----------------------------------------------------------------------

We are also using libraries like

netty-tcnative-boringssl-static-2.0.70.Final-linux-aarch_64.jar
netty-tcnative-boringssl-static-2.0.70.Final-osx-aarch_64

but we are bundling "linux-aarch_64" and "linux-x86_64" libraries for Corretto 
Crypto Provider.

Since version 2.3.2 of ACCP, they are providing osx builds as well.

If Netty is using netty-tcnative-boringssl, which is using a custom crypto 
provider (I assume), being ACCP, what happens when we use the linux build of 
ACCP on Mac? That's right, exactly this happens:

{code}
WARN  [main] 2025-04-03 19:05:21,679 AbstractCryptoProvider.java:177 - 
com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider is not on the 
class path! Check node's architecture (`uname -m`) is supported, see lib/<arch> 
subdirectories. The correct architecture-specific library for needs to be on 
the classpath.
{code}

I think if we ship an osx version of boringssl then we should also ship an osx 
version for ACCP.


was (Author: smiklosovic):
We are also using libraries like

netty-tcnative-boringssl-static-2.0.70.Final-linux-aarch_64.jar
netty-tcnative-boringssl-static-2.0.70.Final-osx-aarch_64

but we are bundling "linux-aarch_64" and "linux-x86_64" libraries for Corretto 
Crypto Provider.

Since version 2.3.2 of ACCP, they are providing osx builds as well.

If Netty is using netty-tcnative-boringssl, which loads a custom crypto provider 
(I assume), being ACCP, what happens when we use the linux build of ACCP on 
Mac? That's right, exactly this happens:

{code}
WARN  [main] 2025-04-03 19:05:21,679 AbstractCryptoProvider.java:177 - 
com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider is not on the 
class path! Check node's architecture (`uname -m`) is supported, see lib/<arch> 
subdirectories. The correct architecture-specific library for needs to be on 
the classpath.
{code}

I think if we ship an osx version of boringssl then we should also ship an osx 
version for ACCP.

> Investigate the usage of FIPS-certified Amazon Corretto Crypto Provider
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-20512
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20512
>             Project: Apache Cassandra
>          Issue Type: Task
>          Components: Legacy/Core
>            Reporter: Stefan Miklosovic
>            Priority: Normal
>
> We are using version 2.2.0, which is almost 2 years old. There is 2.5.0 
> already.
> What is very interesting is that from 2.3.0, they are also offering a 
> FIPS-certified version of that. (1, 2, 3).
> (1) https://github.com/corretto/amazon-corretto-crypto-provider?tab=readme-ov-file#notes-on-accp-fips
> (2) https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816
> (3) https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md
> https://central.sonatype.com/artifact/software.amazon.cryptools/AmazonCorrettoCryptoProvider-FIPS/2.5.0/versions
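
The platform mismatch described in the comment can be caught before a node starts by checking that each native-library family has a jar for the running platform. The script below is an added example, not code from the ticket or from Cassandra; the function names, the `uname`-to-classifier mapping and the `<family>-<version>-<classifier>.jar` naming are assumptions, and the sample directory is constructed.

```shell
# Translate `uname -s` / `uname -m` output into the classifier suffix used in
# the jar names quoted above (mapping assumed, e.g. Darwin arm64 -> osx-aarch_64).
platform_classifier() {
    case "$1" in
        Linux)  pc_os=linux ;;
        Darwin) pc_os=osx ;;
        *)      return 1 ;;
    esac
    case "$2" in
        x86_64|amd64)  pc_arch=x86_64 ;;
        aarch64|arm64) pc_arch=aarch_64 ;;
        *)             return 1 ;;
    esac
    printf '%s-%s\n' "$pc_os" "$pc_arch"
}

# Print the library families that have no jar for classifier $2 anywhere under
# directory $1 (recursive, so lib/<arch> subdirectories are covered).
# Returns 0 when every family is present, 1 otherwise.
missing_native_jars() {
    mj_missing=""
    for mj_family in netty-tcnative-boringssl-static AmazonCorrettoCryptoProvider; do
        mj_hit=$(find "$1" -type f -name "${mj_family}-*-$2.jar" | head -n 1)
        [ -n "$mj_hit" ] || mj_missing="${mj_missing}${mj_missing:+ }${mj_family}"
    done
    if [ -z "$mj_missing" ]; then return 0; fi
    printf '%s\n' "$mj_missing"
    return 1
}

# Constructed sample: empty files named like the bundle described in the comment
# (boringssl for linux and osx, ACCP for linux only). Prints the directory path.
make_constructed_lib() {
    cl_dir=$(mktemp -d)
    for cl_jar in netty-tcnative-boringssl-static-2.0.70.Final-linux-aarch_64 \
                  netty-tcnative-boringssl-static-2.0.70.Final-osx-aarch_64 \
                  AmazonCorrettoCryptoProvider-2.2.0-linux-aarch_64 \
                  AmazonCorrettoCryptoProvider-2.2.0-linux-x86_64; do
        : > "$cl_dir/$cl_jar.jar"
    done
    printf '%s\n' "$cl_dir"
}

lib=$(make_constructed_lib)
for plat in "Linux aarch64" "Darwin arm64"; do
    cls=$(platform_classifier ${plat% *} ${plat#* })
    if miss=$(missing_native_jars "$lib" "$cls"); then echo "$cls: ok"
    else echo "$cls: no jar for $miss"; fi
done
rm -rf "$lib"
```

On a real node, pass the actual lib directory and `"$(platform_classifier "$(uname -s)" "$(uname -m)")"` to `missing_native_jars`.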


