libroach: add key manager #20670
libroach: add key manager #20670
Conversation
|
This change is |
|
@benesch for build changes. Nothing shocking here. The beginnings of testutils though! |
c-deps/libroach/ccl/key.cc
Outdated
| // https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt | ||
|
|
||
| #include "key.h" | ||
| #include <filters.h> // CryptoPP |
There was a problem hiding this comment.
I'm putting comments here because it's not otherwise clear what these are for. cryptopp doesn't have an include subdir. Any ideas? I don't particularly want to re-organize everything.
There was a problem hiding this comment.
I'd change the include path to be .. instead of ../cryptopp and then refer to everything as cryptopp/FOO.
| #define EXPECT_OK(status) EXPECT_TRUE(status.ok()) << "got: " << status.getState(); | ||
| #define ASSERT_OK(status) ASSERT_TRUE(status.ok()) << "got: " << status.getState(); | ||
|
|
||
| #define EXPECT_ERR(status, err_msg)\ |
There was a problem hiding this comment.
I'm not a fan of macros either, but I like the in-line error reporting and I'm kind of just following gtest here. The compareErrorMessage is a function though.
mberhault
force-pushed
the
marc/add_key_manager
branch
6 times, most recently
from
cfe86b5 to
ce7d6f2
Compare
|
Reviewed 12 of 19 files at r1, 7 of 7 files at r2. c-deps/libroach/CMakeLists.txt, line 44 at r2 (raw file):
PRIVAGE? c-deps/libroach/testutils.h, line 22 at r2 (raw file):
Will this be a problem as soon as this header is included from multiple source files? I think the function definitions should go in a .cc file. c-deps/libroach/testutils.h, line 53 at r2 (raw file):
This evaluates the (textual) expansion of c-deps/libroach/testutils.h, line 56 at r2 (raw file):
Add some braces around these two lines so it doesn't break if there's already an c-deps/libroach/util.cc, line 18 at r2 (raw file):
Why not just use c-deps/libroach/ccl/key.cc, line 10 at r1 (raw file): Previously, mberhault (marc) wrote…
If you c-deps/libroach/ccl/key_manager_test.cc, line 32 at r2 (raw file):
Does Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 9 unresolved discussions, all commit checks successful. c-deps/libroach/CMakeLists.txt, line 44 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
uh. it's a new keyword? Nevermind, fixed. c-deps/libroach/testutils.h, line 22 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
It's fine because we only include it from c-deps/libroach/testutils.h, line 53 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
ouch! good point. Done. c-deps/libroach/testutils.h, line 56 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
Done. and the modified c-deps/libroach/util.cc, line 18 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
oh yeah, that's probably easier. Sticking c-deps/libroach/ccl/key.cc, line 10 at r1 (raw file): Previously, bdarnell (Ben Darnell) wrote…
We use the source tarball that we then build in a completely separate directory. I don't think we want to put semi-built things in our deps, being able to have straightforward refreshes from upstream is nice. What happens if I just use c-deps/libroach/ccl/key_manager_test.cc, line 32 at r2 (raw file): Previously, bdarnell (Ben Darnell) wrote…
It does, even better. Thanks! I forgot about those. Comments from Reviewable |
benesch
left a comment
benesch
left a comment
There was a problem hiding this comment.
Build stuff looks good to me, but I have some high-level concerns about cryptopp. I realize it might be too late, and I assume you and @bdarnell have already evaluated the other crypto options, @mberhault?
The things that worry me are:
-
They're removing support for CMake in the next release source. The Makefile they ship with the project doesn't use autotools, either, so it's going to be a pain to do our out-of-tree cross-compilation if/when we upgrade.
-
Their source tree organization is not super friendly. It also seems to bring in a lot more than we need, but perhaps that's true of every crypto library.
-
The project itself seems to have a rather low bus factor. Seems like the only active contributor is the current maintainer.
I guess I'm just not convinced that we shouldn't just be using OpenSSL or LibreSSL.
Anyway, don't mean to hold you up! Obviously you're the one who will benefit/suffer the most from the choice of crypto library. I can be very easily convinced that cryptopp is the way to go—just wanted to put my thoughts somewhere.
| // clang-format isn't so great for macros. | ||
| // clang-format off | ||
|
|
||
| #define EXPECT_OK(status) { auto s(status); EXPECT_TRUE(s.ok()) << "got: " << s.getState(); } |
There was a problem hiding this comment.
Why do you have to extract a variable? I'd expect this to work:
#define EXPECT_OK(status) EXPECT_TRUE(status.ok()) << "got: " << s.getState();There was a problem hiding this comment.
there's no s in the << s.getState() in your code. If I use status both times, it may be a function that gets run twice.
c-deps/libroach/ccl/key.cc
Outdated
| // https://github.com/cockroachdb/cockroach/blob/master/licenses/CCL.txt | ||
|
|
||
| #include "key.h" | ||
| #include <filters.h> // CryptoPP |
There was a problem hiding this comment.
I'd change the include path to be .. instead of ../cryptopp and then refer to everything as cryptopp/FOO.
|
|
||
| using google::protobuf::StringPrintf; | ||
|
|
||
| namespace testutils { |
There was a problem hiding this comment.
nit: missing space (you have one at the end, and this appears to be our convention)
There was a problem hiding this comment.
if you mean blank line, done. Otherwise, I'll need some clarification.
c-deps/libroach/testutils.cc
Outdated
| // Expected success. | ||
| if (status.ok()) { | ||
| return rocksdb::Status::OK(); | ||
| } else { |
| Bump the version below when changing libroach CMake flags. Search for "BUILD | ||
| ARTIFACT CACHING" in build/common.mk for rationale. | ||
|
|
||
| 1 |
There was a problem hiding this comment.
c-deps/cryptopp-rebuild should get this same explanatory comment (sorry, GH won't let me comment there)
Thanks for remembering to bump this one!
There was a problem hiding this comment.
uh. oops. I thought I had it. Turns out mine was blank.
|
Yeah, blank line is what I meant. Also ignore my macro comment. Just saw
Ben’s concerns about double eval.
…On Wed, Dec 13, 2017 at 8:21 PM marc ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In c-deps/libroach/testutils.cc
<#20670 (comment)>
:
> +// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+// implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+#include <google/protobuf/stubs/stringprintf.h>
+#include <gtest/gtest.h>
+#include <rocksdb/status.h>
+#include <string>
+
+using google::protobuf::StringPrintf;
+
+namespace testutils {
if you mean blank line, done. Otherwise, I'll need some clarification.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#20670 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA15IB4ZCp1nB-WP3gBogESjL_j6AhI8ks5tAHgPgaJpZM4Q_9fL>
.
|
|
The main crypto libs for C++ are CryptoPP and Botan. They both provide reasonable AES interfaces (you can get fairly basic block-level primitives) and both support about the same ciphers and modes should we want to expand. The C ones, and especially OpenSSL and LibreSSL are.... gross. Both to use and to dig through. I can read through the CryptoPP code and understand what's going on, and using it is fairly straightforward. I pretty quickly gave up on OpenSSL. That said, it's definitely not too late and nothing says we have to stick with CryptoPP. The only things we need it for right now are: AES block-level encryption/decryption (we don't use the higher-level multi-block modes, we do our own), sha-256 (easy to find), and PRNG (but that's just So my opinion (I haven't done nearly enough research into all options to be anywhere close to objective) is to stick with CryptoPP. For info, here's how I used it when testing things out. We replace that one class and we're done. The other uses are just sha-256 and call to |
mberhault
force-pushed
the
marc/add_key_manager
branch
from
0356e6b to
f24b12a
Compare
|
I've added a commit that puts |
|
where the top-level Our dependencies right now always either mix public and private header files at the root (so the private headers are all called "-internal.h" or something), or put private header files within Symlinks would solve the problem nicely but they break the build on Windows.
Thanks for the explainer! Yeah, OpenSSL has a horrible, terrifying API; on the other hand, it's widely used. I get scared when I see bugs like weidai11/cryptopp#146 in cryptopp, though. Who knows what other nearly-invisible bugs are lurking. All that said, happy to leave the decision to you. I really don't have much experience with crypto. |
|
An alternative to the wide include would be to just extract the source to |
|
|
||
| #include <google/protobuf/stubs/stringprintf.h> | ||
|
|
||
| namespace fmt = google::protobuf; |
There was a problem hiding this comment.
@bdarnell: I ended up switching to this, resulting in invocations of fmt::StringPrintf(...). I know this means that you could technically be using fmt::MessageLite but I don't think that's much of an issue. I've left the non-formatting uses of google::protobuf intact.
Grumble, I keep forgetting about that. Adding
Being widely-used is key. It's better to struggle with openssl's awful API than to use a crypto library that hasn't gotten much vetting. Using the highly scientific filter of "have I heard of it before this project?", open/libressl, cryptopp, and libsodium seem like the best bets to me.
Yuck. And from that linked issue we probably don't want to use cryptopp with cmake in the current release either. This demonstrates that build issues are perhaps the dominant concern in choosing a crypto library - we need to compile with the right flags to get all the crypto properties right and also to use hardware-accelerated AES when available. |
|
Ok, I'll spend more time looking into alternatives. That's outside of this PR though. If we do stick with cryptoPP, we can also do the |
Release Note: none. Add the `FileKeyManager` which loads active/old keys from files. This will be used for the store keys. A bunch of build/test things here: * finally use CryptoPP. Only linked against CCL code * add testutils for easier testing * change existing tests to testutils * add FormatString
mberhault
force-pushed
the
marc/add_key_manager
branch
from
8936979 to
5202bdf
Compare
|
Rebased and squashed. PTAL? |
benesch
left a comment
benesch
left a comment
There was a problem hiding this comment.
Build-related stuff all LGTM! Haven't reviewed the actual crypto though.
|
Ping! |
|
Reviewed 1 of 7 files at r3, 1 of 2 files at r4, 2 of 3 files at r5, 1 of 2 files at r6, 4 of 4 files at r7. c-deps/libroach/fmt.h, line 19 at r7 (raw file): Previously, mberhault (marc) wrote…
This is fine, but I think you could also be more explicit about what you're bringing in with something like this: Comments from Reviewable |
|
Review status: all files reviewed at latest revision, 6 unresolved discussions, all commit checks successful. c-deps/libroach/fmt.h, line 19 at r7 (raw file): Previously, bdarnell (Ben Darnell) wrote…
I started that way, but we also have c-deps/libroach/ccl/key.cc, line 10 at r1 (raw file): Previously, benesch (Nikhil Benesch) wrote…
Done. Comments from Reviewable |
4 participants
Release Note: none.
Add the
FileKeyManagerwhich loads active/old keys from files.This will be used for the store keys.
A bunch of build/test things here: