rameeshm commented on code in PR #593:
URL: https://github.com/apache/ranger/pull/593#discussion_r2155269899


##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java:
##########
@@ -171,16 +175,22 @@ public void init() {
 
         XMLUtils.loadConfig(DBKS_SITE_XML, serverConfigProperties);
 
-        defaultMdAlgo  = getConfig("ranger.keystore.file.type", 
KeyStore.getDefaultType()).equalsIgnoreCase("bcfks") ? "SHA-512" : "MD5";
-        mkCipher       = 
getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
-        mkKeySize      = 
getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
-        saltSize       = 
getIntConfig("ranger.kms.service.masterkey.password.salt.size", 
DEFAULT_SALT_SIZE);
-        salt           = 
getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
-        pbeAlgo        = 
getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", 
DEFAULT_CRYPT_ALGO);
-        mdAlgo         = 
getConfig("ranger.kms.service.masterkey.password.md.algorithm", defaultMdAlgo);
-        iterationCount = 
getIntConfig("ranger.kms.service.masterkey.password.iteration.count", 
DEFAULT_ITERATION_COUNT);
-        paddingString  = Joiner.on(",").skipNulls().join(mkCipher, mkKeySize, 
saltSize, pbeAlgo, mdAlgo, iterationCount, salt);
-
+        isFipsEnabled       = getConfig("ranger.keystore.file.type", 
KeyStore.getDefaultType()).equalsIgnoreCase("bcfks");
+        defaultMdAlgo       = isFipsEnabled ? "SHA-512" : "MD5";
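
Review bot: `isFipsEnabled` on the first added line is set only from `ranger.keystore.file.type` being "bcfks", so the name claims more than the check establishes: it records the configured keystore format, not that a FIPS-approved mode is actually in effect. Since `defaultMdAlgo` now depends on it, either name the field for what it tests (for example a hypothetical `isBcfksKeyStore`) or add a comment stating that the BCFKS keystore type is being used as the FIPS indicator.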

Review Comment:
   Should we consider having a strong default algorithm instead of MD5?



##########
kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java:
##########
@@ -470,13 +479,20 @@ public void addSecureKeyByteEntry(String alias, Key key, 
String cipher, int bitL
         logger.debug("<== addSecureKeyByteEntry({})", alias);
     }
 
+    private String addEncrAlgoNameInKeyAttrib(String jsonAttrib) throws 
Exception {
+        Map<String, String> attribMap = JsonUtilsV2.jsonToMap(jsonAttrib);
+        attribMap.put(KEY_ENCR_ALGO_NAME, 
SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256.getAlgoName());
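
Review bot: the `attribMap.put(...)` call hard-codes `SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256`, so the stored attribute is a fixed label rather than the algorithm the key was actually encrypted with. If the encryption path ever uses a different `SupportedPBECryptoAlgo` value, the attribute will mislabel the key; pass the algorithm in as a parameter so the two cannot drift apart. The `throws Exception` on the signature is also broader than needed and could be narrowed to the exception the JSON parsing raises.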

Review Comment:
   For readability, please consider KEY_ENCR_ALGO_NAME => KEY_CRYPTO_ALGO_NAME 
or KEY_ENCRYPT_ALGO_NAME; please update the variable name as well.


