spolavarpau1 commented on code in PR #593: URL: https://github.com/apache/ranger/pull/593#discussion_r2164961325
########## kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java: ##########
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) throws Exception {
 logger.debug("==> sealKey()");
Review Comment: Can you add class name here as well similar to line #964
########## kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java: ##########
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) throws Exception {
 logger.debug("==> sealKey()");
 // Create SecretKey
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
- PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
- SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ SupportedPBECryptoAlgo encrAlgo = isFIPSEnabled ? SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES;
+ SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(encrAlgo.getAlgoName());
- pbeKeySpec.clearPassword();
-
- // Generate random bytes, set up the PBEParameterSpec, seal the key
+ PBEKeySpec pbeKeySpec = null;
+ PBEKeySpec pbeCipherSpec = null;
+ byte[] salt = null;
 SecureRandom random = new SecureRandom();
- byte[] salt = new byte[8];
-
- random.nextBytes(salt);
-
- PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
- Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
+ if (SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.equals(encrAlgo)) {
+ salt = new byte[8 * 2];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength());
+ pbeCipherSpec = pbeKeySpec;
+ } else {
+ salt = new byte[8];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password);
+ pbeCipherSpec = new PBEKeySpec(password, salt, 20);
+ }
- cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+ SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ pbeKeySpec.clearPassword();
- RangerSealedObject ret = new RangerSealedObject(key, cipher);
+ // Seal the Key
+ Cipher cipher = Cipher.getInstance(encrAlgo.getCipherTransformation());
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey, encrAlgo.getAlgoParamSpec(pbeCipherSpec));
- logger.debug("<== sealKey(): ret={}", ret);
+ logger.debug("<== RangerKeyStore.sealKey()");
- return ret;
+ return new RangerSealedObject(key, cipher, salt);
 }
- private Key
unsealKey(SealedObject sealedKey, char[] password) throws Exception {
+ private Key unsealKey(SecretKeyEntry secretKeyEntry, char[] password) throws Exception {
 logger.debug("==> unsealKey()");
Review Comment: Please add classname here as well to be in sync with other debug logs
########## kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java: ##########
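Review bot: The PBKDF2WithHmacSHA256 branch keeps the legacy iteration count of 20 in `pbeKeySpec = new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength());`, which is far below the floor of 1,000 in NIST SP 800-132 and the 600,000 OWASP currently recommends for HMAC-SHA256, so the new FIPS path gives the key-store password almost no work factor against offline guessing should the backing store ever be exposed. Because unsealKey must reproduce the same count, hoist it to a shared constant, e.g. `private static final int PBKDF2_ITERATION_COUNT = <value per deployment policy>;`, and consider recording it in the entry attributes next to KEY_CRYPTO_ALGO_NAME (which the unsealKey hunk already reads) so it can be raised later without breaking existing entries. Separately, the else branch's `pbeCipherSpec = new PBEKeySpec(password, salt, 20);` holds a second copy of the password that is never cleared; add `pbeCipherSpec.clearPassword();` after `cipher.init(...)`. In the PBKDF2 branch the two specs alias, so `pbeKeySpec.clearPassword()` runs before `encrAlgo.getAlgoParamSpec(pbeCipherSpec)`; that is fine only if the helper reads the salt and not `getPassword()`, which throws IllegalStateException once cleared — getAlgoParamSpec is outside the hunk, so worth confirming. The same hunk is quoted again further down this thread and these comments apply there too.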
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) throws Exception {
 logger.debug("==> sealKey()");
 // Create SecretKey
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
- PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
- SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ SupportedPBECryptoAlgo encrAlgo = isFIPSEnabled ? SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES;
+ SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(encrAlgo.getAlgoName());
- pbeKeySpec.clearPassword();
-
- // Generate random bytes, set up the PBEParameterSpec, seal the key
+ PBEKeySpec pbeKeySpec = null;
+ PBEKeySpec pbeCipherSpec = null;
+ byte[] salt = null;
 SecureRandom random = new SecureRandom();
- byte[] salt = new byte[8];
-
- random.nextBytes(salt);
-
- PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
- Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
+ if (SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.equals(encrAlgo)) {
+ salt = new byte[8 * 2];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength());
+ pbeCipherSpec = pbeKeySpec;
+ } else {
+ salt = new byte[8];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password);
+ pbeCipherSpec = new PBEKeySpec(password, salt, 20);
+ }
- cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+ SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ pbeKeySpec.clearPassword();
- RangerSealedObject ret = new RangerSealedObject(key, cipher);
+ // Seal the Key
+ Cipher cipher = Cipher.getInstance(encrAlgo.getCipherTransformation());
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey, encrAlgo.getAlgoParamSpec(pbeCipherSpec));
- logger.debug("<== sealKey(): ret={}", ret);
+ logger.debug("<== RangerKeyStore.sealKey()");
- return ret;
+ return new RangerSealedObject(key, cipher, salt);
 }
- private Key
unsealKey(SealedObject sealedKey, char[] password) throws Exception {
+ private Key unsealKey(SecretKeyEntry secretKeyEntry, char[] password) throws Exception {
 logger.debug("==> unsealKey()");
- // Create SecretKey
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
- PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
- SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ // fetch encryption algo name
+ String encrAlgoName = JsonUtilsV2.jsonToMap(secretKeyEntry.attributes).get(KEY_CRYPTO_ALGO_NAME);
+ SupportedPBECryptoAlgo encrAlgo;
+ if (Objects.nonNull(encrAlgoName) && !encrAlgoName.isEmpty()) {
Review Comment: Any reason why we are not using StringUtils.isEmpty() instead?
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org