[GitHub] [hbase] esteban commented on a change in pull request #2539: HBASE-25181 Configure hash algorithm in wrapped encryption keys

Tue, 03 Nov 2020 05:43:51 -0800 


esteban commented on a change in pull request #2539:
URL: https://github.com/apache/hbase/pull/2539#discussion_r516294738



##########
File path: 
hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
##########
@@ -127,79 +180,63 @@ public static Cipher getCipher(Configuration conf, String 
name) {
   }
 
   /**
-   * Return the MD5 digest of the concatenation of the supplied arguments.
+   * Returns the Hash Algorithm defined in the crypto configuration.
    */
-  public static byte[] hash128(String... args) {
-    byte[] result = new byte[16];
+  public static String getConfiguredHashAlgorithm(Configuration conf) {
+    return conf.get(CRYPTO_KEY_HASH_ALGORITHM_CONF_KEY,

Review comment:
       Use config.getTrimmedStrings() instead?

##########
File path: 
hbase-common/src/main/java/org/apache/hadoop/hbase/io/crypto/Encryption.java
##########
@@ -578,4 +627,45 @@ public static void incrementIv(byte[] iv, int v) {
     } while (v > 0);
   }
 
+  /**
+   * Return the hash of the concatenation of the supplied arguments, using the 
+   * hash algorithm provided.
+   */
+  public static byte[] hashWithAlg(String algorithm, byte[]... args) {
+    try {
+      MessageDigest md = MessageDigest.getInstance(algorithm);
+      for (byte[] arg: args) {
+        md.update(arg);
+      }
+      return md.digest();
+    } catch (NoSuchAlgorithmException e) {
+      throw new RuntimeException("unable to use hash algorithm: " + algorithm, 
e);
+    }
+  }
+
+  private static byte[] hashWithAlg(String algorithm, String... args) {

Review comment:
       Refactor to re-use hashWithAlg() with byte[] or String?

##########
File path: hbase-shell/src/main/ruby/hbase/admin.rb
##########
@@ -1137,7 +1137,7 @@ def cfd(arg, tdb)
         algorithm = 
arg.delete(ColumnFamilyDescriptorBuilder::ENCRYPTION).upcase
         cfdb.setEncryptionType(algorithm)
         if arg.include?(ColumnFamilyDescriptorBuilder::ENCRYPTION_KEY)
-          key = org.apache.hadoop.hbase.io.crypto.Encryption.pbkdf128(
+          key = org.apache.hadoop.hbase.io.crypto.Encryption.pbkdf384(

Review comment:
       Why are we chaninging the default here? If this needs to be changed 
please open an new issue to discuss.

##########
File path: hbase-protocol-shaded/src/main/protobuf/client/Encryption.proto
##########
@@ -31,4 +31,5 @@ message WrappedKey {
   required bytes data = 3;
   optional bytes iv = 4;
   optional bytes hash = 5;
+  optional string hash_algorithm = 6 [default = "MD5"];

Review comment:
       Do we have to specify this default at protocol level? 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to