[
https://issues.apache.org/jira/browse/RANGER-5498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vikas Kumar updated RANGER-5498:
--------------------------------
Description:
*Issue:*
Issue is in
{code:java}
RangerMasterKey.generateSalt(int saltSize) {code}
method.
In some cases, it creates a salt of size 16, creating a holder byte[] of size 16,
but may copy a different number of bits into the target array (default size) if
RangerMasterKey.saltSize contains a different value. As a result, a weak salt
will be generated.
This method should use the provided saltSize in the parameter, not
RangerMasterKey.saltSize.
{code:java}
System.arraycopy(saltGen, 0, salt, 0, RangerMasterKey.saltSize);{code}
Since this code has not yet been released and is being targeted for 3.0, there
would not be any upgrade failure, but it would be better to fix this.
was:
*Issue:*
Issue is in
{code:java}
RangerMasterKey.generateSalt() {code}
method. It is creating salt of size 16, creating holder byte[] of size 16 but
copying only the first 8 bits into the target array (default size). As a
result, salt is not getting generated as expected. It's weak.
Since this code has not yet been released and is being targeted for 3.0, there
would not be any upgrade failure, but it needs to be fixed.
> [KMS]: Use provided saltSize parameter at all places in generateSalt method
> instead of static member
> ----------------------------------------------------------------------------------------------------
>
> Key: RANGER-5498
> URL: https://issues.apache.org/jira/browse/RANGER-5498
> Project: Ranger
> Issue Type: Bug
> Components: kms
> Reporter: Vikas Kumar
> Assignee: Vikas Kumar
> Priority: Major
>
> *Issue:*
> Issue is in
> {code:java}
> RangerMasterKey.generateSalt(int saltSize) {code}
> method.
> In some cases, it creates a salt of size 16, creating a holder byte[] of size 16,
> but may copy a different number of bits into the target array (default size) if
> RangerMasterKey.saltSize contains a different value. As a result, a weak salt
> will be generated.
> This method should use the provided saltSize in the parameter, not
> RangerMasterKey.saltSize.
>
> {code:java}
> System.arraycopy(saltGen, 0, salt, 0, RangerMasterKey.saltSize);{code}
> Since this code has not yet been released and is being targeted for 3.0, there
> would not be any upgrade failure, but it would be better to fix this.
>
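The mismatch described in this issue, as an added Java example that is not part of the original message and is not Ranger's source code. Only the `System.arraycopy` line and the names `saltGen`, `salt` and `saltSize` come from the issue; the class `SaltCopyDemo`, its helpers, the use of `SecureRandom` and the sizes 8, 16 and 32 are assumptions chosen for the demonstration.

```java
import java.security.SecureRandom;

// Added illustration, not Apache Ranger source. Only the arraycopy line and the
// names saltGen, salt and saltSize are taken from the issue text.
public class SaltCopyDemo {
    // Stands in for the static RangerMasterKey.saltSize (value constructed for the demo).
    static int saltSize = 8;

    // Assumption: the issue does not show how saltGen is filled; SecureRandom is used here.
    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        new SecureRandom().nextBytes(b);
        return b;
    }

    // Pattern described in the issue: buffers sized by the parameter,
    // copy length taken from the static member.
    static byte[] generateSaltBuggy(int saltSize) {
        byte[] saltGen = randomBytes(saltSize);
        byte[] salt = new byte[saltSize];
        System.arraycopy(saltGen, 0, salt, 0, SaltCopyDemo.saltSize);
        return salt;
    }

    // Corrected pattern: the parameter drives both allocation and copy length.
    static byte[] generateSaltFixed(int saltSize) {
        byte[] saltGen = randomBytes(saltSize);
        byte[] salt = new byte[saltSize];
        System.arraycopy(saltGen, 0, salt, 0, saltSize);
        return salt;
    }

    // True when every element from index `from` onward is zero, i.e. was never filled.
    static boolean tailIsZero(byte[] salt, int from) {
        for (int i = from; i < salt.length; i++) if (salt[i] != 0) return false;
        return true;
    }

    public static void main(String[] args) {
        System.out.println("buggy tail zero: " + tailIsZero(generateSaltBuggy(16), saltSize));
        System.out.println("fixed tail zero: " + tailIsZero(generateSaltFixed(16), saltSize));
        saltSize = 32; // static member larger than the parameter: the copy overruns both arrays
        try {
            generateSaltBuggy(16);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("buggy threw: " + e);
        }
    }
}
```

When the static value is smaller than the requested size, the tail of the returned array stays zero-filled; when it is larger, `System.arraycopy` throws instead of returning a salt.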