Janos Makai created OOZIE-3676:
----------------------------------

             Summary: Remove all non FIPS compliant encoding algorithms from Oozie or make them configurable
                 Key: OOZIE-3676
                 URL: https://issues.apache.org/jira/browse/OOZIE-3676
             Project: Oozie
          Issue Type: Task
          Components: core
    Affects Versions: 5.2.1
            Reporter: Janos Makai
            Assignee: Janos Makai

What we definitely need to replace:
org.apache.oozie.action.hadoop.LauncherHelper#getTag

----

h2. Using FIPS-Compliant Crypto Libraries

This should not need much code change. Ensure that when you are performing crypto operations (e.g. generating keys, encrypting/decrypting data, computing hashes, storing/verifying passwords), you are using either OpenSSL or the standard Java crypto API to do so. When running in a FIPS environment, the OpenSSL library and Java crypto provider will be replaced with their CryptoComply equivalents. This replacement should be API-compatible.

h2. Using FIPS-Approved Algorithms

Only certain algorithms and key sizes are allowed by FIPS. You can view the full list [here|https://drive.google.com/file/d/1yK-NRT6E9W8fZ5fxeqId8mNTZ_PCZWjj/view?usp=sharing]. Common allowed algorithms are shown below for convenience:

Symmetric Algorithms
* AES
* 3DES

Public Key Algorithms
* RSA
* ElGamal

Key Agreement Algorithms
* DH
* MQV
* ECDH
* ECCDH
* ECMQV

SSL/TLS
* TLS 1.0, 1.1, 1.2

Hash Functions
* SHA-1 _(avoid this as it is soon to be deprecated)_
* SHA-224, SHA-256 {_}(avoid these as they are soon to be deprecated){_}, SHA-384, SHA-512
* SHA3-224, SHA3-256, SHA3-384, SHA3-512
* SHAKE128, SHAKE256

Message Authentication
* AES CCM, CMAC, GMAC
* HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
* 3DES CMAC

Password Derivation Functions
* PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Random Number Generators
* HASH DRBG
* HMAC DRBG
* CTR DRBG

Signature Algorithms
* DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
* ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
* RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Keep in mind that the following common algorithms are *disallowed* and will likely cause a crash if invoked in FIPS mode:
* MD5: use SHA-384 instead
* RC4 (also called arcfour): use AES-256 instead
* SSL: use TLS instead

If you have features or code paths that use disapproved algorithms, you will have to introduce a “FIPS mode” flag in your component and disable those features or code paths when FIPS is turned on. Let the CM team know if you add a FIPS flag so that CM can be modified to run your component in FIPS mode when appropriate.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
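
An added example (not code from Oozie or from this issue): one way to make a digest algorithm configurable and gated by a FIPS-mode flag, so a disallowed setting is rejected at start-up instead of failing inside the crypto provider. The class, both property names and the `tag-` prefix are hypothetical, and the allowed set is the issue's hash-function list without the entries it marks "avoid".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

public class ConfigurableTagDigest {
    // Hypothetical setting names; these are not real Oozie configuration keys.
    static final String ALGORITHM_PROP = "example.tag.digest.algorithm";
    static final String FIPS_PROP = "example.fips.mode";

    // Hash functions from the issue's allowed list, minus those it says to avoid.
    static final Set<String> FIPS_ALLOWED = Set.of(
            "SHA-384", "SHA-512", "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512");

    // Pick the digest name: SHA-384 by default, and refuse anything outside
    // the allowed set when the FIPS flag is on (e.g. a legacy "MD5" setting).
    static String resolveAlgorithm(String configured, boolean fipsMode) {
        String alg = (configured == null || configured.isBlank())
                ? "SHA-384" : configured.trim().toUpperCase(Locale.ROOT);
        if (fipsMode && !FIPS_ALLOWED.contains(alg)) {
            throw new IllegalArgumentException(alg + " is not permitted in FIPS mode");
        }
        return alg;
    }

    // Hash the input through the standard Java crypto API and hex-encode it,
    // so a replacement FIPS provider is picked up without code changes.
    static String tag(String input, String algorithm) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hash = md.digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(String.format("%02x", b));
        }
        return "tag-" + hex;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        boolean fips = Boolean.getBoolean(FIPS_PROP);
        String alg = resolveAlgorithm(System.getProperty(ALGORITHM_PROP), fips);
        // Constructed sample input.
        System.out.println(alg + " -> " + tag("sample-launcher-id", alg));
        try {
            resolveAlgorithm("MD5", true); // legacy setting with the FIPS flag on
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Changing the digest changes the length and value of every derived tag, so anything that stores or compares previously generated tags has to be checked before the default is switched.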