You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Janos Makai (Jira)" <ji...@apache.org> on 2022/11/29 12:06:00 UTC

[jira] [Created] (OOZIE-3676) Remove all non FIPS compliant encoding algorithms from Oozie or make them configurable

Janos Makai created OOZIE-3676:
----------------------------------

             Summary: Remove all non FIPS compliant encoding algorithms from Oozie or make them configurable
                 Key: OOZIE-3676
                 URL: https://issues.apache.org/jira/browse/OOZIE-3676
             Project: Oozie
          Issue Type: Task
          Components: core
    Affects Versions: 5.2.1
            Reporter: Janos Makai
            Assignee: Janos Makai


What we definitely need to replace: org.apache.oozie.action.hadoop.LauncherHelper#getTag

 
----
h2. Using FIPS-Compliant Crypto Libraries

This should not need much code change. Ensure that when you are performing crypto operations (e.g. generating keys, encrypting/decrypting data, computing hashes, storing/verifying passwords), you are using either OpenSSL or the standard Java crypto API to do so.

When running in a FIPS environment, the OpenSSL library and Java crypto provider will be replaced with their CryptoComply equivalents. This replacement should be API-compatible.
h2. Using FIPS-Approved Algorithms

Only certain algorithms and key sizes are allowed by FIPS. You can view the full list [here|https://drive.google.com/file/d/1yK-NRT6E9W8fZ5fxeqId8mNTZ_PCZWjj/view?usp=sharing].

Common allowed algorithms are shown below for convenience:

Symmetric Algorithms
 * AES
 * 3DES

Public Key Algorithms
 * RSA
 * ElGamal

Key Agreement Algorithms
 * DH
 * MQV
 * ECDH
 * ECCDH
 * ECMQV

SSL/TLS
 * TLS 1.0, 1.1, 1.2

Hash Functions
 * SHA-1 _(avoid this as it is soon to be deprecated)_
 * SHA-224, SHA-256 {_}(avoid these as they are soon to be deprecated){_}, SHA-384, SHA-512
 * SHA3-224, SHA3-256, SHA3-384, SHA3-512
 * SHAKE128, SHAKE256

Message Authentication
 * AES CCM, CMAC, GMAC
 * HMAC with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
 * 3DES CMAC

Password Derivation Functions
 * PBKDF2 with SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Random Number Generators
 * HASH DRBG
 * HMAC DRBG
 * CTR DRBG

Signature Algorithms
 * DSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
 * ECDSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
 * RSA using SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Keep in mind that the following common algorithms are *disallowed* and will likely cause a crash if invoked in FIPS mode:
 * MD5: use SHA-384 instead
 * RC4 (also called arcfour): use AES-256 instead
 * SSL: use TLS instead

If you have features or code paths that use disapproved algorithms, you will have to introduce a “FIPS mode” flag in your component and disable those features or code paths when FIPS is turned on. Let the CM team know if you add a FIPS flag so that CM can be modified to run your component in FIPS mode when appropriate.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)