[ https://issues.apache.org/jira/browse/OOZIE-3676?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640782#comment-17640782 ]
Janos Makai commented on OOZIE-3676: ------------------------------------ Hello [~dionusos], could you please check the latest patch set? The SpotBugs bugs are unrelated. Thanks in advance. > Remove all non FIPS compliant encoding algorithms from Oozie or make them > configurable > -------------------------------------------------------------------------------------- > > Key: OOZIE-3676 > URL: https://issues.apache.org/jira/browse/OOZIE-3676 > Project: Oozie > Issue Type: Task > Components: core > Affects Versions: 5.2.1 > Reporter: Janos Makai > Assignee: Janos Makai > Priority: Major > Attachments: OOZIE-3676-001.patch > > > The goal of this Jira is to replace non-FIPS compliant encoding algorithm(s) > to FIPS compliant algorithm(s) in Oozie. > At this moment only `org.apache.oozie.action.hadoop.LauncherHelper#getTag` > has non-FIPS compliant algorithm, namely MD-5. > In scope of this ticket, this algorithm will be changed to FIPS compliant > SHA-384. > ({_}read more about the FIPS compliant algorithms below{_}) > ---- > h2. Using FIPS-Compliant Crypto Libraries > This should not need much code change. Ensure that when you are performing > crypto operations (e.g. generating keys, encrypting/decrypting data, > computing hashes, storing/verifying passwords), you are using either OpenSSL > or the standard Java crypto API to do so. > When running in a FIPS environment, the OpenSSL library and Java crypto > provider will be replaced with their CryptoComply equivalents. This > replacement should be API-compatible. > h2. Using FIPS-Approved Algorithms > Only certain algorithms and key sizes are allowed by FIPS. > Common allowed algorithms are shown below for convenience: > Symmetric Algorithms > * AES > * 3DES > Public Key Algorithms > * RSA > * ElGamal > Key Agreement Algorithms > * DH > * MQV > * ECDH > * ECCDH > * ECMQV > SSL/TLS > * TLS 1.0, 1.1, 1.2 > Hash Functions > * SHA-1 _(avoid this as it is soon to be deprecated)_ > * SHA-224, SHA-256 {_}(avoid these as they are soon to be deprecated){_}, > SHA-384, SHA-512 > * SHA3-224, SHA3-256, SHA3-384, SHA3-512 > * SHAKE128, SHAKE256 > Message Authentication > * AES CCM, CMAC, GMAC > * HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 > * 3DES CMAC > Password Derivation Functions > * PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 > Random Number Generators > * HASH DRBG > * HMAC DRBG > * CTR DRBG > Signature Algorithms > * DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 > * ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 > * RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 > Keep in mind that the following common algorithms are *disallowed* and will > likely cause a crash if invoked in FIPS mode: > * MD5: use SHA-384 instead > * RC4 (also called arcfour): use AES-256 instead > * SSL: use TLS instead -- This message was sent by Atlassian Jira (v8.20.10#820010)