vikaskr22 commented on code in PR #593: URL: https://github.com/apache/ranger/pull/593#discussion_r2166877711
########## kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java: ########## 
@@ -919,59 +935,107 @@ private SealedObject sealKey(Key key, char[] password) throws Exception {
 logger.debug("==> sealKey()");
 // Create SecretKey
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
- PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
- SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ SupportedPBECryptoAlgo encrAlgo = isFIPSEnabled ? SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES;
+ SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance(encrAlgo.getAlgoName());
- pbeKeySpec.clearPassword();
-
- // Generate random bytes, set up the PBEParameterSpec, seal the key
+ PBEKeySpec pbeKeySpec = null;
+ PBEKeySpec pbeCipherSpec = null;
+ byte[] salt = null;
 SecureRandom random = new SecureRandom();
- byte[] salt = new byte[8];
-
- random.nextBytes(salt);
-
- PBEParameterSpec pbeSpec = new PBEParameterSpec(salt, 20);
- Cipher cipher = Cipher.getInstance("PBEWithMD5AndTripleDES");
+ if (SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.equals(encrAlgo)) {
+ salt = new byte[8 * 2];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength());
+ pbeCipherSpec = pbeKeySpec;
+ } else {
+ salt = new byte[8];
+ random.nextBytes(salt);
+ pbeKeySpec = new PBEKeySpec(password);
+ pbeCipherSpec = new PBEKeySpec(password, salt, 20);
+ }
- cipher.init(Cipher.ENCRYPT_MODE, secretKey, pbeSpec);
+ SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ pbeKeySpec.clearPassword();
- RangerSealedObject ret = new RangerSealedObject(key, cipher);
+ // Seal the Key
+ Cipher cipher = Cipher.getInstance(encrAlgo.getCipherTransformation());
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey, encrAlgo.getAlgoParamSpec(pbeCipherSpec));
- logger.debug("<== sealKey(): ret={}", ret);
+ logger.debug("<== RangerKeyStore.sealKey()");
- return ret;
+ return new RangerSealedObject(key, cipher, salt);
 }
- private Key unsealKey(SealedObject sealedKey, char[] password) throws Exception {
+ private Key unsealKey(SecretKeyEntry secretKeyEntry, char[] password) throws Exception {
 logger.debug("==> unsealKey()");
- // Create SecretKey
- SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndTripleDES");
- PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
- SecretKey secretKey = secretKeyFactory.generateSecret(pbeKeySpec);
+ // fetch encryption algo name
+ String encrAlgoName = JsonUtilsV2.jsonToMap(secretKeyEntry.attributes).get(KEY_CRYPTO_ALGO_NAME);
+ SupportedPBECryptoAlgo encrAlgo;
+ if (Objects.nonNull(encrAlgoName) && !encrAlgoName.isEmpty()) {
Review Comment: thanks for the review. Suggestion has been incorporated.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
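Review bot: The PBKDF2WithHmacSHA256 branch of sealKey() keeps the 20-iteration count of the legacy path (`pbeKeySpec = new PBEKeySpec(password, salt, 20, encrAlgo.getKeyLength())`), so the FIPS mode derives the wrapping key from the KMS password with almost no key stretching, which undercuts the point of moving to PBKDF2. Because only `salt` is handed to `new RangerSealedObject(key, cipher, salt)` and the iteration count is not persisted, raising it later would break unsealing of keys already at rest, so it is worth fixing in this change: replace the literal with a named constant such as `private static final int PBKDF2_ITERATION_COUNT = 10000;` (NIST SP 800-132 gives 1000 as the floor; higher is preferable) and, ideally, store the count in the entry attributes alongside KEY_CRYPTO_ALGO_NAME so unsealKey() can read it back. Separately, the non-FIPS branch's `pbeCipherSpec = new PBEKeySpec(password, salt, 20)` holds a second copy of the password that is never cleared, unlike pbeKeySpec; adding `pbeCipherSpec.clearPassword();` after `cipher.init(...)` closes that gap (in the FIPS branch both references are the same object, which is already cleared before `encrAlgo.getAlgoParamSpec(pbeCipherSpec)` is called — fine only if that helper reads just the salt and iteration count, not the password). sealKey's signature sits just before the hunk and unsealKey's body continues beyond it.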