vikaskr22 commented on code in PR #612:
URL: https://github.com/apache/ranger/pull/612#discussion_r2216316973
##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java:
##########
@@ -308,6 +308,13 @@ public boolean reencryptMKWithFipsAlgo(String mkPassword) {
init();
PBEKeySpec newPbeKeySpec = getPBEParameterSpec(mkPassword,
encrCryptoAlgo);
byte[] masterKeyToDB = encryptKey(oldKeyMaterial,
newPbeKeySpec);
+ byte[] decryptedMaterialWithNewAlgo =
decryptKey(masterKeyToDB, newPbeKeySpec);
+ // This is just a sanity check but important to ensure that
returned key material after re-encryption is same as old MK key material.
+ if
(!Base64.encode(oldKeyMaterial).equals(Base64.encode(decryptedMaterialWithNewAlgo)))
{
Review Comment:
No harm in adding the checks.
I have following explanation on this:
**oldKeyMaterial** is already being used in earlier statements, means, if it
is null it would break before reaching to this line. If we have reached this
line and **decryptedMaterialWithNewAlgo** is null , that means something like
following:
oldKeyMaterial.equals(null); that will be false.
Pls let me know your thought?
Thanks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
