spolavarpau1 commented on code in PR #593:
URL: https://github.com/apache/ranger/pull/593#discussion_r2164961325


##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java:
##########
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) 
throws Exception {
         logger.debug("==> sealKey()");

Review Comment:
   Can you add class name here as well similar to line #964



##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java:
##########
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) 
throws Exception {
         logger.debug("==> sealKey()");
 
         // Create SecretKey
-        SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
-        PBEKeySpec       pbeKeySpec       = new PBEKeySpec(password);
-        SecretKey        secretKey        = 
secretKeyFactory.generateSecret(pbeKeySpec);
+        SupportedPBECryptoAlgo encrAlgo         = isFIPSEnabled ? 
SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : 
SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES;
+        SecretKeyFactory       secretKeyFactory = 
SecretKeyFactory.getInstance(encrAlgo.getAlgoName());
 
-        pbeKeySpec.clearPassword();
-
-        // Generate random bytes, set up the PBEParameterSpec, seal the key
+        PBEKeySpec             pbeKeySpec = null;
+        PBEKeySpec             pbeCipherSpec = null;
+        byte[] salt = null;
         SecureRandom random = new SecureRandom();
-        byte[]       salt   = new byte[8];
-
-        random.nextBytes(salt);
-
-        PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
-        Cipher           cipher  = 
Cipher.getInstance("PBEWithMD5AndTripleDES");
+        if (SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.equals(encrAlgo)) {
+            salt = new byte[8 * 2];
+            random.nextBytes(salt);
+            pbeKeySpec = new PBEKeySpec(password, salt, 20, 
encrAlgo.getKeyLength());
+            pbeCipherSpec = pbeKeySpec;
+        } else {
+            salt = new byte[8];
+            random.nextBytes(salt);
+            pbeKeySpec = new PBEKeySpec(password);
+            pbeCipherSpec = new PBEKeySpec(password, salt, 20);
+        }
 
-        cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+        SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+        pbeKeySpec.clearPassword();
 
-        RangerSealedObject ret = new RangerSealedObject(key, cipher);
+        // Seal the Key
+        Cipher cipher = Cipher.getInstance(encrAlgo.getCipherTransformation());
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, 
encrAlgo.getAlgoParamSpec(pbeCipherSpec));
 
-        logger.debug("<== sealKey(): ret={}", ret);
+        logger.debug("<== RangerKeyStore.sealKey()");
 
-        return ret;
+        return new RangerSealedObject(key, cipher, salt);
     }
 
-    private Key unsealKey(SealedObject sealedKey, char[] password) throws 
Exception {
+    private Key unsealKey(SecretKeyEntry secretKeyEntry, char[] password) 
throws Exception {
         logger.debug("==> unsealKey()");
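Review bot: The FIPS branch derives the sealing key with PBKDF2WithHmacSHA256 at only 20 iterations (`new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength())`), which defeats the purpose of switching to PBKDF2; the 20 appears to have been carried over from the legacy PBEWithMD5AndTripleDES path, where it must stay for compatibility with entries already sealed, but the new path has no such constraint. NIST SP 800-132 sets 1000 as the floor and current guidance for HMAC-SHA256 is in the hundreds of thousands, so introduce something like `private static final int PBKDF2_ITERATIONS = 100_000;` and use `pbeKeySpec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, encrAlgo.getKeyLength());` in the FIPS branch. Since neither the `RangerSealedObject(key, cipher, salt)` constructor nor the visible attributes carry the iteration count, unsealKey presumably hardcodes the same value; persisting it next to KEY_CRYPTO_ALGO_NAME would let the count be raised later without breaking existing entries. The quoted unsealKey body continues outside this hunk.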

Review Comment:
   Please add the class name here as well, to be in sync with the other debug logs.



##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java:
##########
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) 
throws Exception {
         logger.debug("==> sealKey()");
 
         // Create SecretKey
-        SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
-        PBEKeySpec       pbeKeySpec       = new PBEKeySpec(password);
-        SecretKey        secretKey        = 
secretKeyFactory.generateSecret(pbeKeySpec);
+        SupportedPBECryptoAlgo encrAlgo         = isFIPSEnabled ? 
SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : 
SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES;
+        SecretKeyFactory       secretKeyFactory = 
SecretKeyFactory.getInstance(encrAlgo.getAlgoName());
 
-        pbeKeySpec.clearPassword();
-
-        // Generate random bytes, set up the PBEParameterSpec, seal the key
+        PBEKeySpec             pbeKeySpec = null;
+        PBEKeySpec             pbeCipherSpec = null;
+        byte[] salt = null;
         SecureRandom random = new SecureRandom();
-        byte[]       salt   = new byte[8];
-
-        random.nextBytes(salt);
-
-        PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
-        Cipher           cipher  = 
Cipher.getInstance("PBEWithMD5AndTripleDES");
+        if (SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.equals(encrAlgo)) {
+            salt = new byte[8 * 2];
+            random.nextBytes(salt);
+            pbeKeySpec = new PBEKeySpec(password, salt, 20, 
encrAlgo.getKeyLength());
+            pbeCipherSpec = pbeKeySpec;
+        } else {
+            salt = new byte[8];
+            random.nextBytes(salt);
+            pbeKeySpec = new PBEKeySpec(password);
+            pbeCipherSpec = new PBEKeySpec(password, salt, 20);
+        }
 
-        cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+        SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+        pbeKeySpec.clearPassword();
 
-        RangerSealedObject ret = new RangerSealedObject(key, cipher);
+        // Seal the Key
+        Cipher cipher = Cipher.getInstance(encrAlgo.getCipherTransformation());
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, 
encrAlgo.getAlgoParamSpec(pbeCipherSpec));
 
-        logger.debug("<== sealKey(): ret={}", ret);
+        logger.debug("<== RangerKeyStore.sealKey()");
 
-        return ret;
+        return new RangerSealedObject(key, cipher, salt);
     }
 
-    private Key unsealKey(SealedObject sealedKey, char[] password) throws 
Exception {
+    private Key unsealKey(SecretKeyEntry secretKeyEntry, char[] password) 
throws Exception {
         logger.debug("==> unsealKey()");
 
-        // Create SecretKey
-        SecretKeyFactory secretKeyFactory = 
SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
-        PBEKeySpec       pbeKeySpec       = new PBEKeySpec(password);
-        SecretKey        secretKey        = 
secretKeyFactory.generateSecret(pbeKeySpec);
+        // fetch encryption algo name
+        String encrAlgoName = 
JsonUtilsV2.jsonToMap(secretKeyEntry.attributes).get(KEY_CRYPTO_ALGO_NAME);
+        SupportedPBECryptoAlgo encrAlgo;
+        if (Objects.nonNull(encrAlgoName) && !encrAlgoName.isEmpty()) {
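Review bot: In the non-FIPS branch of sealKey, `pbeCipherSpec = new PBEKeySpec(password, salt, 20)` is a second PBEKeySpec that takes its own copy of the password, and only `pbeKeySpec.clearPassword()` is called, so that copy stays in memory until the object is collected; in the FIPS branch the two references are the same object, so it is covered. Adding `pbeCipherSpec.clearPassword();` after `cipher.init(...)` clears it in both cases (a second clearPassword on an already-cleared spec is a no-op), assuming `encrAlgo.getAlgoParamSpec(pbeCipherSpec)` only reads the salt and iteration count, which the FIPS branch already relies on since pbeKeySpec is cleared before cipher.init. Consider a comment on that line, such as `// pbeCipherSpec holds its own copy of the password in the legacy branch; wipe it once the cipher is initialised`. unsealKey starts in this hunk but its body continues outside it.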

Review Comment:
   Any reason why we are not using StringUtils.isEmpty() instead?


