RANGER-5388: Actual calculated salt size should be updated into the DB (#721)

Author: vikaskr22

kms/src/main/java/org/apache/hadoop/crypto/key/RangerMasterKey.java

@@ -94,22 +94,23 @@ public static void getPasswordParam(String paddedEncryptedPwd) {
         if (encryptedPwd != null && encryptedPwd.length >= 7) {
             int index = 0;
 
-            mkCipher       = encryptedPwd[index];
-            mkKeySize      = Integer.parseInt(encryptedPwd[++index]);
-            saltSize       = Integer.parseInt(encryptedPwd[++index]);
-            pbeAlgo        = encryptedPwd[++index];
-            mdAlgo         = encryptedPwd[++index];
-            iterationCount = Integer.parseInt(encryptedPwd[++index]);
-            salt           = encryptedPwd[++index];
-            password       = encryptedPwd[++index];
+            mkCipher            = encryptedPwd[index];
+            mkKeySize           = Integer.parseInt(encryptedPwd[++index]);
+            int tempSaltSize    = Integer.parseInt(encryptedPwd[++index]);
+            pbeAlgo             = encryptedPwd[++index];
+            saltSize            = calculateCompliantSaltSize(tempSaltSize, SupportedPBECryptoAlgo.valueOf(pbeAlgo));
+            mdAlgo              = encryptedPwd[++index];
+            iterationCount      = Integer.parseInt(encryptedPwd[++index]);
+            salt                = encryptedPwd[++index];
+            password            = encryptedPwd[++index];
         } else {
-            mkCipher  = DEFAULT_MK_CIPHER;
-            mkKeySize = DEFAULT_MK_KeySize;
-            saltSize  = DEFAULT_SALT_SIZE;
-            pbeAlgo   = isFipsEnabled ? SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES.getAlgoName() : defaultCryptAlgo.getAlgoName();
-            mdAlgo    = defaultMdAlgo;
-            password  = paddedEncryptedPwd;
-            salt      = password;
+            mkCipher            = DEFAULT_MK_CIPHER;
+            mkKeySize           = DEFAULT_MK_KeySize;
+            pbeAlgo             = isFipsEnabled ? SupportedPBECryptoAlgo.PBEWithMD5AndTripleDES.getAlgoName() : defaultCryptAlgo.getAlgoName();
+            saltSize            = calculateCompliantSaltSize(DEFAULT_SALT_SIZE, SupportedPBECryptoAlgo.valueOf(pbeAlgo));
+            mdAlgo              = defaultMdAlgo;
+            password            = paddedEncryptedPwd;
+            salt                = password;
 
             if (password != null) {
                 iterationCount = password.toCharArray().length + 1;
@@ -181,17 +182,16 @@ public void init() {
         defaultCryptAlgo    = isFipsEnabled ? SupportedPBECryptoAlgo.PBKDF2WithHmacSHA256 : defaultCryptAlgo;
         mkCipher            = getConfig("ranger.kms.service.masterkey.password.cipher", DEFAULT_MK_CIPHER);
         mkKeySize           = getIntConfig("ranger.kms.service.masterkey.password.size", DEFAULT_MK_KeySize);
-        saltSize            = getIntConfig("ranger.kms.service.masterkey.password.salt.size", DEFAULT_SALT_SIZE);
-        salt                = getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
         pbeAlgo             = getConfig("ranger.kms.service.masterkey.password.encryption.algorithm", defaultCryptAlgo.getAlgoName());
         encrCryptoAlgo      = SupportedPBECryptoAlgo.valueOf(pbeAlgo);
+        saltSize            = calculateCompliantSaltSize(getIntConfig("ranger.kms.service.masterkey.password.salt.size", DEFAULT_SALT_SIZE), encrCryptoAlgo);
+        salt                = getConfig("ranger.kms.service.masterkey.password.salt", DEFAULT_SALT);
         mdAlgo              = getConfig("ranger.kms.service.masterkey.password.md.algorithm", defaultMdAlgo);
         iterationCount      = getIntConfig("ranger.kms.service.masterkey.password.iteration.count", DEFAULT_ITERATION_COUNT);
         paddingString       = Joiner.on(",").skipNulls().join(mkCipher, mkKeySize, saltSize, pbeAlgo, mdAlgo, iterationCount, salt);
 
         logger.info("Selected DEFAULT_CRYPT_ALGO={}", defaultCryptAlgo);
-        logger.info("Selected MD_ALGO={}", mdAlgo);
-        logger.info("Selected ENCR_CRYPTO_ALGO={}", encrCryptoAlgo);
+        logger.info("MK metadata={}", paddingString);
         logger.debug("<== RangerMasterKey.init()");
     }
 
@@ -541,15 +541,12 @@ private PBEKeySpec getPBEParameterSpec(String password, SupportedPBECryptoAlgo e
         logger.debug("==> RangerMasterKey.getPBEParameterSpec()");
 
         PBEKeySpec pbeKeySpec;
+        char[] compliantPwd = getCompliantPassword(password, encrAlgo).toCharArray();
+
         if (SupportedPBECryptoAlgo.isFIPSCompliantAlgorithm(encrAlgo)) {
-            // For FIPS, salt size must be at least 128 bits, that is, at least 16 in length.
-            int saltSize = RangerMasterKey.saltSize;
-            while (saltSize < 16) {
-                saltSize = saltSize * 2;
-            }
-            pbeKeySpec = new PBEKeySpec(getFIPSCompliantPassword(password).toCharArray(), generateSalt(saltSize), iterationCount, encrAlgo.getKeyLength());
+            pbeKeySpec = new PBEKeySpec(compliantPwd, generateSalt(saltSize), iterationCount, encrAlgo.getKeyLength());
         } else {
-            pbeKeySpec = new PBEKeySpec(password.toCharArray(), generateSalt(RangerMasterKey.saltSize), iterationCount);
+            pbeKeySpec = new PBEKeySpec(compliantPwd, generateSalt(saltSize), iterationCount);
         }
         return pbeKeySpec;
     }
@@ -570,14 +567,32 @@ private byte[] generateSalt(int saltSize) throws Throwable {
         If provided password is less than 14, this method appends the same password till it reaches the minimum length of 14.
         And it is for FIPS only.
      */
-    private String getFIPSCompliantPassword(String password) {
+    private String getCompliantPassword(String password, SupportedPBECryptoAlgo encrAlgo) {
         String newPwd = password;
-        while (newPwd.length() < 14) {
-            newPwd = newPwd.concat(password);
+
+        if (encrAlgo.getMinPwdLength().isPresent()) {
+            int requiredPwdLength = encrAlgo.getMinPwdLength().get();
+            while (newPwd.length() < requiredPwdLength) {
+                newPwd = newPwd.concat(password);
+            }
         }
+
         return newPwd;
     }
 
+    // For FIPS, salt size must be at least 128 bits, that is, at least 16 in length.
+    private static int calculateCompliantSaltSize(int saltSize, SupportedPBECryptoAlgo encrAlgo) {
+        int compliantSaltSize = saltSize;
+        if (encrAlgo.getMinSaltSize().isPresent()) {
+            int minSaltSize = encrAlgo.getMinSaltSize().get();
+            while (compliantSaltSize < minSaltSize) {
+                compliantSaltSize = compliantSaltSize * 2;
+            }
+        }
+
+        return compliantSaltSize;
+    }
+
     private byte[] encryptKey(byte[] data, PBEKeySpec keyspec) throws Throwable {
         logger.debug("==> RangerMasterKey.encryptKey()");
 

kms/src/main/java/org/apache/hadoop/crypto/key/SupportedPBECryptoAlgo.java

@@ -22,29 +22,34 @@
 import javax.crypto.spec.PBEParameterSpec;
 
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Optional;
 import java.util.function.Function;
 
 public enum SupportedPBECryptoAlgo {
     @Deprecated
     PBEWithMD5AndTripleDES("PBEWithMD5AndTripleDES",
       "PBEWithMD5AndTripleDES",
-      0, keySpec -> new PBEParameterSpec(keySpec.getSalt(), keySpec.getIterationCount())),
+      0, Optional.empty(),  Optional.empty(), keySpec -> new PBEParameterSpec(keySpec.getSalt(), keySpec.getIterationCount())),
     @Deprecated
     PBEWithMD5AndDES("PBEWithMD5AndDES",
       "PBEWithMD5AndDES",
-      0, keySpec -> new PBEParameterSpec(keySpec.getSalt(), keySpec.getIterationCount())),
+      0, Optional.empty(),  Optional.empty(), keySpec -> new PBEParameterSpec(keySpec.getSalt(), keySpec.getIterationCount())),
     PBKDF2WithHmacSHA256("PBKDF2WithHmacSHA256",
       "AES/CBC/PKCS7Padding",
-      64 * 4, keySpec -> new IvParameterSpec(keySpec.getSalt()));
+      64 * 4, Optional.of(16), Optional.of(14),  keySpec -> new IvParameterSpec(keySpec.getSalt()));
     private final String encrAlgoName;
     private final String  cipherTransformation;
-    private final int     keyLength;
+    private final int               keyLength;
+    private final Optional<Integer> minSaltSize;
+    private final Optional<Integer> minPwdLength;
     private final Function<PBEKeySpec, AlgorithmParameterSpec> algoParamSpecFunc;
 
-    SupportedPBECryptoAlgo(String encrAlgoName, String cipherTransformation, int keyLength, Function<PBEKeySpec, AlgorithmParameterSpec> algoParamSpecFunc) {
+    SupportedPBECryptoAlgo(String encrAlgoName, String cipherTransformation, int keyLength, Optional<Integer> minSaltSize, Optional<Integer> minPwdLength, Function<PBEKeySpec, AlgorithmParameterSpec> algoParamSpecFunc) {
         this.encrAlgoName         = encrAlgoName;
         this.cipherTransformation = cipherTransformation;
         this.keyLength            = keyLength;
+        this.minSaltSize          = minSaltSize;
+        this.minPwdLength         = minPwdLength;
         this.algoParamSpecFunc    = algoParamSpecFunc;
     }
 
@@ -60,6 +65,14 @@ public String getCipherTransformation() {
         return this.cipherTransformation;
     }
 
+    public Optional<Integer> getMinSaltSize() {
+        return this.minSaltSize;
+    }
+
+    public Optional<Integer> getMinPwdLength() {
+        return this.minPwdLength;
+    }
+
     public AlgorithmParameterSpec getAlgoParamSpec(PBEKeySpec keySpec) {
         return this.algoParamSpecFunc.apply(keySpec);
     }