> On Dec. 7, 2017, 2:41 p.m., Velmurugan Periasamy wrote: > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java > > Line 65 (original), 78 (patched) > > <https://reviews.apache.org/r/63209/diff/4/?file=1879834#file1879834line81> > > > > Patch fails to apply. Could you please check? > > > > ``` > > $ git apply --check -v < > > ~/Downloads/0001-RANGER-1644-replacing-MD5-DES-with-SHA512-AES128.patch > > Checking patch > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java... > > error: while searching for: > > > > PasswordUtils(String aPassword) { > > String[] crypt_algo_array = null; > > int count = 0; > > if (aPassword != null && aPassword.contains(",")) { > > count = StringUtils.countMatches(aPassword, ","); > > crypt_algo_array = aPassword.split(","); > > } > > if (crypt_algo_array != null && crypt_algo_array.length > > > 1) { > > CRYPT_ALGO = crypt_algo_array[0]; > > ENCRYPT_KEY = crypt_algo_array[1].toCharArray(); > > SALT = crypt_algo_array[2].getBytes(); > > ITERATION_COUNT = Integer.parseInt(crypt_algo_array[3]); > > password = crypt_algo_array[4]; > > if (count > 4) { > > for (int i = 5 ; i<=count ; i++){ > > password = password + "," + crypt_algo_array[i]; > > } > > } > > } else { > > CRYPT_ALGO = DEFAULT_CRYPT_ALGO; > > ENCRYPT_KEY = DEFAULT_ENCRYPT_KEY.toCharArray(); > > SALT = DEFAULT_SALT.getBytes(); > > ITERATION_COUNT = DEFAULT_ITERATION_COUNT; > > password = aPassword; > > } > > Map<String, String> env = System.getenv(); > > String encryptKeyStr = env.get("ENCRYPT_KEY"); > > if (encryptKeyStr == null) { > > encryptKey=ENCRYPT_KEY; > > }else{ > > encryptKey=encryptKeyStr.toCharArray(); > > } > > String saltStr = env.get("ENCRYPT_SALT"); > > if (saltStr == null) { > > salt = SALT; > > }else{ > > salt=saltStr.getBytes(); > > } > > } > > > > public static String decryptPassword(String aPassword) throws > > IOException { > > return new PasswordUtils(aPassword).decrypt(); > > } > > > > private String decrypt() throws IOException { > > String ret = null; > > try { > > byte[] decodedPassword = Base64.decode(password); > > Cipher engine = Cipher.getInstance(CRYPT_ALGO); > > PBEKeySpec keySpec = new PBEKeySpec(encryptKey); > > SecretKeyFactory skf = > > SecretKeyFactory.getInstance(CRYPT_ALGO); > > SecretKey key = skf.generateSecret(keySpec); > > engine.init(Cipher.DECRYPT_MODE, key,new > > PBEParameterSpec(salt, ITERATION_COUNT)); > > String decrypted = new > > String(engine.doFinal(decodedPassword)); > > int foundAt = decrypted.indexOf(LEN_SEPARATOR_STR); > > if (foundAt > -1) { > > if (decrypted.length() > foundAt) { > > ret = decrypted.substring(foundAt+1); > > } > > else { > > ret = ""; > > } > > } > > else { > > ret = null; > > } > > } > > catch(Throwable t) { > > LOG.error("Unable to decrypt password due to error", t); > > throw new IOException("Unable to decrypt password due to > > error", t); > > } > > return ret; > > } > > } > > > > error: patch failed: > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java:78 > > error: > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java: > > patch does not apply > > Checking patch > > agents-common/src/test/java/org/apache/ranger/plugin/util/PasswordUtilsTest.java... > > Checking patch > > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java... > > error: while searching for: > > import org.apache.poi.ss.usermodel.Workbook; > > import org.codehaus.jettison.json.JSONException; > > > > import com.google.gson.Gson; > > > > @Component > > > > error: patch failed: > > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:183 > > error: > > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java: > > patch does not apply > > Checking patch > > security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java... > > Hunk #2 succeeded at 45 (offset 1 line). > > Hunk #3 succeeded at 293 (offset 1 line). > > Checking patch > > security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml... > > Checking patch > > security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java... > > Hunk #1 succeeded at 2331 (offset 4 lines). > > ```
Hi Velmurugan Periasamy! I've have some concerns regarding my patch, please see my comment on the ticket: https://issues.apache.org/jira/browse/RANGER-1644?focusedCommentId=16293740&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16293740 basically this patch requires a runtime dependency of JDK8. As of JDK7, the strongest PasswordBasedEncryption algorithm is the current default crypto algo: PBEWithMD5AndDES. untill we require JDK8 we cannot upgrade the algorithm to a stronger one. Best regards, Endre - Endre Zoltan ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/63209/#review193115 ----------------------------------------------------------- On Nov. 3, 2017, 4:59 p.m., Endre Zoltan Kovacs wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/63209/ > ----------------------------------------------------------- > > (Updated Nov. 3, 2017, 4:59 p.m.) > > > Review request for ranger. > > > Bugs: RANGER-1644 > https://issues.apache.org/jira/browse/RANGER-1644 > > > Repository: ranger > > > Description > ------- > > changing outdate hash&crypto algorigthms: MD5&DES => SHA512&AES128 > > > Diffs > ----- > > > agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java > 58cdd3531 > > agents-common/src/test/java/org/apache/ranger/plugin/util/PasswordUtilsTest.java > 4e135aaa7 > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java > da650747d > > security-admin/src/main/java/org/apache/ranger/service/RangerServiceService.java > 3dd761a2b > security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml > 9dfc03df1 > security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java > 976fd0cb8 > > > Diff: https://reviews.apache.org/r/63209/diff/4/ > > > Testing > ------- > > PasswordUtilsTest: added new unit test and updated previous ones > Added service update test: on service update new service password will be > encrypted with the new algorithm > > > Thanks, > > Endre Zoltan Kovacs > >
